Domain: openbsd.org
Stories and comments across the archive that link to openbsd.org.
Comments · 2,959
-
Re:Very good for BSD !
Indeed, if they can port this to OpenBSD it will bode well for the existence of *BSD's in the enterprise. OpenBSD is one of the most stable, secure, and stress-tested OS's around. If it can run Java code, it would probably make one of the better choices for middleware and ASP's. I'm excited for the other BSD's to run it as well, of course, but I'm particularly excited about the possibility of an OpenBSD port because of its development history.
Quality of service contracts are going to be the make-or-break deciding factor for ASP's. OpenBSD can provide the uptime an applications provider will need to meet that contract; it's been through a year and a half security audit (which happened to close many software bugs as a side benefit), and uptimes in the hundreds of days are common.
OpenBSD 2.7 comes out next week, with integrated SSH2 and a large collection of packages and ports!
- Disclaimer: I'm not affiliated with OpenBSD. I use it though =P
-
How to secure your Linux system
Since we are talking about security here, here are some things Linux (and other UNIX) admins should keep in mind to keep their systems secure:
- Use qmail or postfix instead of Sendmail.
- Make sure you have all security patches for your system installed. Redhat users, for example, can find those patches here.
- Linux users can read Linux weekly news for security updates.
- Manage your SUIDs. Make sure you keep a close eye on all your suids. For example, I use this script to put all my suids in the directory /suid/bin:

#!/bin/sh
# Move every setuid/setgid file into /suid/bin and leave a symlink at the
# original path so the programs keep working. /suid/bin itself is skipped so
# the script can be re-run. (Old GNU find spelled the mode test -perm +6000.)
mkdir -p /suid/bin
find / -path /suid/bin -prune -o -type f \( -perm -4000 -o -perm -2000 \) -print > /root/suids
for a in `cat /root/suids` ; do
    mv "$a" /suid/bin
    ln -s /suid/bin/`echo "$a" | awk -F/ '{print $NF}'` "$a"
done

- Obviously, turn off all unneeded network services in /etc/inetd.conf and (usually) /etc/rc.d/rc3.d. You can see what services are running on your machine with netstat -na.
- For a UNIX that is free and (hopefully) secure out of the box, check out OpenBSD or Trustix.
- Sam
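Added example, not from Sam's post and not OpenBSD's own security(8) script: a POSIX sh baseline check that does the "keep a close eye on all your suids" part above and produces the kind of daily change report another comment on this page credits to OpenBSD's audit scripts. The scanned root and the baseline file are caller-supplied paths (assumptions, not from the page).

```shell
#!/bin/sh
# Added example, not from the original post and not OpenBSD's security(8):
# keep a baseline of setuid/setgid files under a tree and report any file that
# appears, disappears or changes mode/owner/group since the last run.
# ROOT and BASELINE are caller-supplied paths (assumed, not from the page).

# suid_scan ROOT
# Print "mode owner group path" for every setuid or setgid regular file under
# ROOT, sorted by path so two scans can be compared line by line.
suid_scan() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort -k4
}

# suid_check ROOT BASELINE
# First run: record the current state in BASELINE and return 0.
# Later runs: return 0 if nothing changed; otherwise print the differences in
# diff(1) format (suitable for a daily report mail), keep the old baseline as
# BASELINE.prev, accept the new state as the baseline, and return 1.
suid_check() {
    root=$1
    base=$2
    cur=$(mktemp)
    suid_scan "$root" > "$cur"
    if [ ! -f "$base" ]; then
        echo "no baseline at $base; recording the current setuid/setgid files"
        mv "$cur" "$base"
        return 0
    fi
    if diff "$base" "$cur" > "$cur.diff"; then
        rm -f "$cur" "$cur.diff"
        return 0
    fi
    echo "setuid/setgid changes under $root since the last run ('<' old, '>' new):"
    cat "$cur.diff"
    cp "$base" "$base.prev"
    mv "$cur" "$base"
    rm -f "$cur.diff"
    return 1
}
```

Run it from cron (for example `suid_check / /var/db/suid.baseline`) and mail the output; a non-zero exit means a setuid/setgid file was added, removed or re-permissioned since yesterday.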
-
Re:Mobile computing is good for God
But do not, under any circumstances, allow the Prince of Darkness onto your PC.
-
non openbsd versions
-
OpenBSD 2.7 waiting in the wings too...
Don't forget that OpenSSH is also bundled as part of the forthcoming OpenBSD 2.7, which is due to be released on the 15th June.
I just installed OpenBSD-current for the first time from anoncvs to test it out, as part of a migration from Linux to OpenBSD, and it utterly rocks so far! The huge difference is just the fact that it is secure out of the box, and comes with a wealth of audit scripts that scan the box every day and mail you with automated changelogs and security alerts. I can easily believe their claim that they have not had any remote exploits for over 2 years.
Big kudos to the OpenSSH and OpenBSD teams .. I always had the impression of OpenBSD as lacking in features and friendliness compared to the other *nices, but after using Linux as a stepping stone to learn my way around, I can't wait to really sink my teeth into OpenBSD 2.7!
PS: No affiliation to openbsd myself; I visited the webpage for the first time 3 days ago :D
--
Anil Madhavapeddy, anil@recoil.org -
Re:internet services are a *bad* thing?
"since when is being able to set a computer up to display applications running on another computer by default a bad thing? "
"Gee, boss, I don't know why that dialog with porn popped up in front of our CEO. Must've been some nasty vandals or something.."
There's a reason why things should be secure by default. OpenBSD is the only distribution of a free OS that I've seen that takes this into account (3 years without a remote root hole in the default setup, 2 years without a local root hole in the default setup, and audited applications all around!).
--- -
Re:Alpha=El Mucho Buckso
You might consider going with PowerPC; you can get a 350MHz PowerPC box with monitor for $999, or older used models for less than that. There are several Linux distributions available, as well as Darwin, NetBSD and OpenBSD.
--
-
OpenBSD, Mozilla, etc.
While some types of free-as-in-beer software may go IPO and make loads and loads (and charge loads and loads), there will always remain free-as-in-speech software, software that is so dedicated to being free-as-in-beer and open source that they'll never charge you for the software.
OpenBSD is a great example of this. Mozilla, while I'm not all up on it, seems to be dedicated to open source as well. Other systems are so global that it'd be impossible to charge for the next system, like XFree86.
Regardless, we can always fork off of old versions of formerly-open source projects. Like we talked about in a discussion of removal of Junkbuster-esque features from Mozilla, we can always just pick up where they left off.
So, as long as someone (like SourceForge.net) is keeping CVSs of all this crap. I mean, there may be some hazy legal issues with SourceForge (IANAL), but the geek community tends to disregard most of those anyway. So, to answer your question: I wouldn't worry.
Then again, I'm 15. Erg.
Mike "Doesn't Know What He's Talking About" Greenberg -
Re:Sad, in a way...
-
IT management, stress, and OpenBSD
There is one thing in which OpenBSD has the edge over EVERY other OS in the world: the stress factor.
I'm rookie, ok. Most of all, I'm availability conscious and rather the anxious type. I guess I'm not alone.
Three days ago I gave OpenBSD a try. This OS is straight Unix. Configuration may be painful at some stage, like disklabel creation. I guess more awaits me. I compiled Samba in, which is not audited and may suffer exploits and flaws. I'll certainly add other similar software in the future.
Why bother then, some will argue?
That's what is impressive with OpenBSD: network exploits and security holes can only result from MY wrongdoing. To my surprise, the thought is surprisingly comforting.
The thing is, I know I may be adding vulnerabilities with each service I add, but as I add services, I can read the related doc, learning IN TIME about the security issues, and learn AT THE SAME TIME what countermeasures I have to take.
I've added Samba, my next move is set the firewall accordingly.
The relief is so great that the unix "unfriendliness" of the system appears light in comparison: being careful is feasible and will be fully rewarded.
In summary:
The stress factor is all-important but often neglected, especially in business. But the hidden costs incurred are probably high. OpenBSD may help reduce these costs, as it gives the following advantages:
- Less time spent closing holes(!), following Bugtraq, upgrading faulty software, etc.
- You spend more time setting up your server, but as a reward you get increased preemptive security, strong knowledge of your system and by derivation, a stronger ability to deal quickly and efficiently with incidents.
- You are more confident, less subject to stress, so you think better.
- Everything you learn is standard stuff, which will be useful everywhere you go. Conversely, you stop clogging your brain with lists of distribution-dependent problems, exploits, holes...
- You have more time to develop your system and educate users.
- Your boss can boast to his peer (and competitors) when they go offline while he doesn't. That's what you want, right?
- You live longer.
More info:
- BSD Today: A step-by-step journal of installing OpenBSD
- www.openbsd.org
- OpenBSD Explained
enjoy!
Raph -
-
Tired of people whining about OpenBSD CDROM Images
People always whine about OpenBSD not having official ISO images available online. Think about it: If you are on a slow modem connection to the Internet, would you rather download a 650MB ISO image, or a custom created 100MB image that's exactly what you need? I thought so...Here's how to do it:
If you read the mkisofs man page, it's only a matter of setting up 2 options, one to point to the floppy disk image that you are going to boot from (for OpenBSD they are labeled *.fs, use cdrom26.fs for a CD) and then specify a _location_ destination for the boot.catalog.
So just set up the mkisofs like you would for any other CD, then use -b cdrom.fs and -c boot.catalog and you'll be fine. (the *.fs file path is relative to the other files). It couldn't be simpler.
Here's an example:
mkisofs -b cdrom26.fs -c boot.catalog -L -R -o openbsd.iso /path/to/openbsd/distribution/files
and cdrom26.fs is presumed to be at /path/to/openbsd/distribution/files/cdrom26.fs. (and yes there are other options, read the man page: http://www.openbsd.org's man page of mkisofs)
If people would quit complaining, they'd realize that it's BETTER this way, as you can create customized cdroms. I make -current CDROMs for x86 and put every package and licensed file on there. It's great...
Oh and here's how you burn it:
cdrecord -v speed=4 dev=/dev/cd0c driver=mmc_cdr openbsd.iso
The cdrecord options are for either ATAPI or SCSI since we unified the driver in 2.6.
Give 2.7 a try, it's wonderful!! And DO buy the CDROMs, they help the project in so many ways... -
Re:Defense in Depth
"...does anyone make a "locked-down by default" distro based off Red Hat/Debian/*BSD?"
How 'bout OpenBSD? Three years without a remote hole in the default install. Works for me. -
OpenBSD...
but does anyone make a "locked-down by default" distro based off Red Hat/Debian/*BSD?
OpenBSD is pretty well there in the world of "secure by default". You'll have to enable pretty much anything you want to use by yourself.
-Wintermute
-
Re:What's the Cisco angle?
-
Computer Fscking Security NOW!
www.apache.org compromised; a windows virus spreads over the globe like a chain reaction on H2O (if such were possible). What's in common?
Users are not careful. Systems must be secure by default. For all intents and purposes, system administrators are the users of the software their systems consist of (again, see apache.org incident).
Here's listening to OpenBSD. For all their arrogance they have that one right.
This is something every distribution should be based on. Every OS and software distribution. Do not open possibilities of exploit. Is it that hard to think about?
We'll live in a pretty ugly world pretty soon unless this simple principle gets generally accepted.
There is nothing stopping someone using Windows automation exploits, DDoS and such for possibly worse purposes than random harassment. For what? Play more Illuminati ;)
-
Re:Why?
First of all, the TrustedBSD project is not its own separate OS.
From the TrustedBSD site:
"TrustedBSD provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Common Criteria for Information Technology Security Evaluation (CC). This project is still under development, and much of the code is destined to make its way back into the base FreeBSD operating system.."
Secondly, it's not Linux emulation as it appears you think it is when you said:
In this situation, you wouldn't want to be emulating another OS, you'd want to stay native. I have no idea if the linux emulation will take advantage of multiple processors, but if not, you could well be losing out
It's not emulation like running VirtualPC's software that allows Macs to run Windows. It is Linux compatible.
As seen on the FreeBSD site: http://www.freebsd.org/features.html
"Compatibility modules enable programs for other operating systems to run on FreeBSD, including programs for Linux, SCO, NetBSD, and BSDI.
Result: users will not have to recompile programs already compiled for one of the compatible OS's, and will have access to a greater selection of off-the-shelf software, like the Microsoft FrontPage Server extensions for BSDI or WordPerfect for SCO."
See also the OpenBSD man page for Linux compatibility to get more info on another BSD's linux compat.
-
Cryptography
Doesn't this already happen with cryptography...
Open source projects like gnupg make sure that all of their content is created and distributed outside the U.S. The OpenBSD project and the OpenSSH project have their ftp servers outside the U.S. so they'll not have to deal with U.S. laws regarding encryption. Not really new news, just a new application of what other people have been doing for a long time. -
Re:good idea with a big but...
I was one of those someones, but I didn't think to post my reply here. You addressed pretty much the same points I did, except this one:
All the tools you need to build your own ISO are included in OpenBSD, anybody can make them. Yet nobody does. Think about that.
Actually, one company has, and charges $4.99 for it.
They instituted it due to popular demand.
If enough people wanted a cheap version on CD that they were willing to pay for it in sufficient quantities to make it economical for CheapBytes to pay to burn thousands of copies, how can anyone say there's no demand for the ISO image?
I guarantee you, if they provided an official free ISO, it'd be a major download on LinuxISO.org the day it made it to their site.
The other thing I addressed is *WHY* people want this thing in the first place.
One, as you said, is the download factor; you know you've got the whole thing if the ISO you downloaded is the same size on your HD as it is on the FTP site.
Another is, installing for somebody else, such as at an installfest at your local LUG. Whether you install it from floppies, from an FTP or NFS server, or even just by copying hard drives with Ghost or dd, it's still good to be able to hand the person a CD he can use to reinstall or fix or update or etc. later, when he doesn't have that high-speed connection available.
Another is, snaring people at events. If you can slap a disk in their hand, that's pretty cool. They're more likely to try it than if you just give them a card with http://www.openbsd.org on it.
Another is, businesses. I don't want to have to rely on the availability of another system for my install in some circumstances. In others, when I do use another system to power my install, I still don't want to be stuck *HAVING* to rely on it.
Another is, books and magazines. It's a lot easier for SysAdmin, or even Linux Journal, to justify including a CD if they don't have to burn the damn thing themselves.
McGraw Hill is publishing a series of Unix books right now that include CDs related to the various topics, such as Steve Maxwell's Unix Network Management Tools and the twice-as-long Red Hat Linux Network Management Tools. Wouldn't you like to see something like "OpenBSD Network Management Tools"?
Or the inclusion of a CD with Building Linux and OpenBSD Firewalls?
Or the inclusion of OpenBSD instead of FreeBSD in some other book?
I would. Anybody who wants to see OpenBSD get used by more people should, too.
But leaving aside completely the question of an official ISO, they're accidentally (it appears) giving the impression that they're against that, when they claim to not be against it at all.
Look at this quote from the FAQ at LinuxISO.org's site:
4/26/00 - Lots of questions again about OpenBSD. Here is a link to OpenBSD's FAQ talking about ISO images. I feel it is a good idea to respect their wishes as the good folks there have given us a great OS. - billy
See, he interprets this (link to OpenBSD FAQ entry) to mean that they are opposed to people doing this.
They could fix this as simply as adding the following: "If you do create one, feel free to distribute it."
Or better, follow the above with: "If you do, and you're on a stable site that will be there for the long haul such as http://www.linuxiso.org or http://www.sourceforge.net, let us know and we'll link you in this FAQ."
That is, if those are their true intentions. But I see a lot of the same old elitist attitude here. Their attitude seems to be: (this is not a quote, this is the impression I get)
"If people choose to misunderstand our FAQ, then that's their problem, not ours."
In reality, anyone who does computer support of any kind (which is what a FAQ is) can tell you:
If it isn't obvious to the reader/user, it isn't obvious.
Just change the FAQ, dudes. If that's too much work, let me know and I'll provide you with the new wording, guaranteed to make it clear that:
1) You encourage people to make ISOs available.
2) You don't do so yourself merely because you don't see the need.
3) You encourage people to buy from you if possible in order to support the project.
-- -
Re:good idea with a big but...
The file layout of the OpenBSD CD is copyrighted by Theo (the creator/packager of the OS) which makes copying, downloading and burning the CD illegal. This allows the group to support the project. If you really want it you gotta pay for it.
Actually, this isn't entirely correct.
The layout of their official CD is indeed copyright, and indeed proprietary and closed and just generally anti-open.
However, there is nothing stopping you from downloading the files, making your own ISO, and doing anything at all that you please with it.
They just don't make that very clear in their FAQ.
It's no wonder it's confusing. I'm trying to convince one of them (privately, I will not name names, except to say it's not Theo) to either change the FAQ, or let me change it. We'll see what happens.
I'm not confused, but lots of folks are. See the FAQ at LinuxISO.org for a perfect example; billy thinks it's the OpenBSD team's wishes that you don't create ISOs and distribute them, but that's neither my understanding from a careful reading of the OpenBSD FAQ, nor is it the view of the person with whom I'm corresponding.
It's just an unfortunate side effect of an elitist attitude that isn't at all uncommon in this segment of our industry.
It's the same attitude you see in the various arguments against improved Linux GUIs, user-friendly distributions, etc.
-- -
Re:As someone Who has Used many distros
Slackware rocks if you like BSDish systems or are a true unix die hard.
Well, uhhhh...if you like BSDish systems, why not just get BSD ?
;)
The Linux "emulation" stuff works quite well with FreeBSD (have no experience with the others). However, yes, I agree that Slack is very cool and is the distro of choice if you are a Unix "purist"/BSD fan but must run Linux for whatever reason...
-
This is a Victory?
I don't see how a large vulnerability in a very popular piece of software that gets fixed counts as a victory for OSS. A victory is when the problem never arises, and is fixed before the source code is released. "Found during a review of Open Source code"? Security auditing should come as the code is being written - not as an afterthought. It's easier to secure a system up front than to have to duct tape barbed wire all over the outside of it later and hope no one figures out how to get in.
If you want *real* security, check out OpenBSD. OpenBSD's code is always being audited and problems are fixed before the code makes it out the door. If I remember correctly, OpenBSD has not had a security vulnerability posted to BUGTRAQ in over 2 years -- but every day I see a new eMail for a security problem in some GNU software or OS. OpenBSD, as with most of the other free BSD's, has a combined code-base -- all the software for the base system is integrated into one big release, so that it can all be checked for proper interoperability and security. GNU/Linux, however, seems to spread farther apart every day. The kernel, each piece of software, each driver, everything - all of them are 'Open Source' but none of them play nicely with each other. The distribution vendors then download the software and try to wedge it all into the software box without anything getting out...
Another victory for Open Source?
Try 'Another stumbling block for Open Source'
(note - I've got nothing against GNU/Linux systems. but I know that this will be moderated and I'll have linux lovers eMailing me for a week because the views in here are not those shared by most Slashdot readers...)
-- jason -
Re:OpenSSH.org
It was written for OpenBSD.
According to the copyright in the source, it was written in 1993. OpenBSD wasn't around until 1995... so, I doubt it was originally written for OpenBSD
:) (wasn't imported into OpenBSD until 1996, BTW). -
Re:different encryption methods
- Have there been any projects to build a completely secure OS?
Sure, OpenBSD. (Super simplified history coming up.) Several years ago, they took the FreeBSD source tree and began combing it for insecurities and weaknesses. It now ships very tightly closed up by default, with most daemons off, SSL and SSH included as part of the core OS, etc. They haven't gone to the lengths you describe (I don't think), mainly because they need to maintain POSIX compliance and source-level compatibility with other Unixes and *BSD's. Definitely worth looking into if security is your passion.
darren
Cthulhu for President! -
TrustedBSD vs OpenBSD
It seems to me that the effort would have been better spent on OpenBSD. Does anyone know why they skipped OpenBSD?
-
Re:Bah
and now NetBSD folks get all pissy when OpenBSD people integrate their code. Get a clue. You should be happy that people use your code in accordance with the license you release it under.
Well, I'm certainly not pissy that OpenBSD has integrated my code (although it is a bit annoying that they credit Allen Briggs, when he wrote none of the code. I mean the first line of the thing even says it's copyright David Huang... Allen was the NetBSD/mac68k portmaster, and certainly answered a lot of my questions and was very helpful in general though.)
Anyways, I think it's great that people are using my code, and I haven't seen any other NetBSD folks complain that OpenBSD is taking NetBSD code. I do see some grumbling when OpenBSD takes NetBSD code and makes out like it's some new feature of theirs, but that's human nature. They're not against OpenBSD taking the code, they just want some credit for it. NetBSD folks don't like Theo for a reason... while I've never met him in person, based on email conversations with him and watching him on the NetBSD mailing lists (before he was banned), he's rude and quite abrasive. To be fair, some NetBSD folks can be too, but Theo seems like that all the time
:) -
Re:Yo
Manual pages just aren't enough.
They can be, when they're good. For cases when they aren't the OpenBSD FAQ and the mailing list archive will solve nearly any problem.
And, they're all located at one place: http://www.openbsd.org
The HOWTO's aren't supplementary anymore, they are *standard* documentation.
Only when "standard" means often outdated, scattered across a thousand websites, and lacking real detail on anything but the common case.
OpenBSD docs used to be spotty, but they made a real effort to bring them up to speed, and keep them there.
The Linux community has yet to make this effort. -
Re:Bah
OpenBSD is a nice OS, I even use it now. I even can be found on the OpenBSD donations page. (I wonder how long that will be up)
The whole OpenSSH saga is sad. Unfortunately the only response I got from the OpenSSH/OpenBSD crew on my rebuttal/offer at org-vs-com was a changed index page at openssh.com.
But you need two to Tango as the saying goes
.. -
Ultra Secure OS
Your answer is OpenBSD. I'm not sure of the certification level, but here's a quote from a recent interview with OpenBSD's project head, Theo de Raadt:
"OpenBSD is so secure that it even got the attention of the U.S. Department of Justice, which stores and transmits top-secret data using 260 copies of the OS."
The full article is here.
--Bob -
Re:IRIX *is* unscalable and insecure
Linux is the true industry leader in regards to scalability and security
Linux is neither. UNIX-like systems are arguably a poor choice for a secure operating system since they are so damn intent on providing service and flexibility. However, even amongst UNIXes Linux is nowhere _close_ to being the security leader. Try OpenBSD. Any mention of "security" that doesn't also include "openBSD is pretty much the most secure UNIX flavor in wide use" is at best unenlightened.
As far as scalability, see my earlier post. Linux does _not_ lead in scalability because of its poor SMP support and the poor scalability of the SMP hardware it can run on.
Finally, IRIX machines can and do stay up for long periods of time, and there are frankly a hell of a lot more mission-critical multi-CPU IRIX machines than there are _total_ multi-CPU Linux boxes.
-
Re:Oh, don't make me go there.
and the superior security of its operating system
God I love this one... Dude... you just made me laugh so hard I'm crying. Have you been that fucked you don't even know it any more?
Here's a tip: Go to www.openbsd.org
__
-
Re:Applications, applications, applications...
That's the OpenBSD "theory" or way of doing it. They don't want to include applications you won't use, and make you install the ones you do want. It's more minimalistic and tailored to your needs. This may improve security somehow by removing the extra applications you don't need which could have a security issue or something. Some people don't like that or agree with that style at all. That's ok, but it's how OpenBSD does it. Here's a quote from the OpenBSD site. Maybe it will help give you an idea of their philosophy:
OpenBSD is a fairly complete system of its own, but still there is a lot of software that one might want to see added. However there is the problem on where to draw the line as to what to include, as well as the occasional licensing and export restriction problems. As OpenBSD is supposed to be a small stand-alone UNIX-like operating system, some things just can't be shipped with the system.
Anyway, do check out the ports section if you haven't already. It's an easy way to install applications you want. I found it convenient.
While you're at it, check out the Blowfish shirt, one of the more "cooler" computer shirts around. Any OS can use blowfish crypto so even Linux-only folks will like it. -
OpenBSD
Would someone point them to OpenBSD. It is far more secure than any current closed-source operating system. Ask anyone in security what OS they would use if they needed to protect something. Security through obscurity does not work; holes will be found, just ask Microsoft.
-
Re:Diversity will reduce the problem
Are we likely to see another "RTM worm" incident in the next year or two? Probably. Now that broadband 7/24 connections are on the rise due to DSL and cable modems, the percentage of unsecured hosts will rise. And with the increase in opportunity will come an increase in exploits. However, as the RTM worm incident showed, writing a good, well-behaved worm isn't as easy as it sounds.
Haven't we already seen things like this? Remember the DDOS attacks on yahoo and friends? Those were mostly automated attacks, scanning for multiple vulnerabilities and attaching payloads.
They aren't quite as automated because it's hard to write a fully self-distributing worm, compared to a simple boot sector virus. But with buffer overflows in almost everything shipped on linux these days (Have you upgraded your FTPD lately? Did your distribution turn on IMAPd again?) it's real easy to hit machines remotely and pop in an egg of almost arbitrary size. And if you're smart, you can use them for anything from pingflooding yahoo to voting for your entry in a $500 prize from x10.
Of course, you could run audited code...
-
Re:Are there any linux viruses today?
I have two words for you -- Script Kiddies. The people writing rootkits and script-kiddie toolkits will surely migrate to writing full-blown viruses, and even virus toolkits (so that the script kiddies can "write" their own viruses).
It's just a matter of time. Meanwhile, you damn well better hope that your OS is secure.
If you're using Linux, you should check out Bastille Linux. If you're a BSD fan, I recommend you look at OpenBSD, although hopefully FreeBSD will catch up soon thanks to the FreeBSD Audit Project.
--
Brad Knowles -
Concerns about OpenBSD remarks in all the posts
We're on the subject of FreeBSD and its newer security features, which I find very cool... but in the process of our conversations I've noticed quite a few errors in the posts tonight which covered FreeBSD's cousin, OpenBSD. Errors which could erroneously tarnish people's images of the OpenBSD system. I would really like to point to the OpenBSD website to get some correct facts. Unfortunately it's so late in this article's life span, I doubt anyone will actually read this.
As seen somewhere in the posts:
>OpenBSD is more secure because 'they' say so.
>Now, why do 'they' say this?
>At one time, all the code was gone through line by line looking for problems.
My response: (and other responses to other concerns follow. I quote the OpenBSD website a lot.)
It's not "at one time" as in past tense only concerning the security audit. Please read the security section-audit process of the OpenBSD website:
We have been auditing since the summer of 1996. The process we follow to increase security is simply a comprehensive file-by-file analysis of every critical software component. We are not so much looking for security holes, as we are looking for basic software bugs, and if years later someone discovers the problem used to be a security issue, and we fixed it because it was just a bug, well, all the better. Flaws have been found in just about every area of the system. Entire new classes of security problems have been found during our audit, and often source code which had been audited earlier needs re-auditing with these new flaws in mind. Code often gets audited multiple times, and by multiple people with different auditing skills.
The most intense part of our security auditing happened immediately before the OpenBSD 2.0 release and during the 2.0->2.1 transition, over the last third of 1996 and first half of 1997. Thousands (yes, thousands) of security issues were fixed rapidly over this year-long period; bugs like the standard buffer overflows, protocol implementation weaknesses, information gathering, and filesystem races. Hence most of the security problems that we encountered were fixed before our 2.1 release, and then a far smaller number needed fixing for our 2.2 release. We do not find as many problems anymore, it is simply a case of diminishing returns. Recently the security problems we find and fix tend to be significantly more obscure or complicated. Still we will persist for a number of reasons.
The auditing process is not over yet, and as you can see we continue to find and fix new security flaws.
Concerning comments about how OpenBSD doesn't install 100's extra non-vital programs by default (somehow making it bad), or have "xyz" service enabled - I go back to the OpenBSD website again:
To ensure that novice users of OpenBSD do not need to become security experts overnight (a viewpoint which other vendors seem to have), we ship the operating system in a Secure by Default mode. All non-essential services are disabled. As the user/administrator becomes more familiar with the system, he will discover that he has to enable daemons and other parts of the system. During the process of learning how to enable a new service, the novice is more likely to learn of security considerations.
So here's my thoughts.. If you want Foo app. Get it. Install it. Use the ports. The whole point of OpenBSD is to be secure and correct. Some of the philosophies which they use to achieve their goals may rub you the wrong way. That's ok, don't use OpenBSD. Please just don't unnecessarily disparage it. I've just noticed an overall trend of a lack of understanding of the OS here on multiple posts and I wanted to share a few concerns I had. -
Re:Shipping crypto out of the US...
A leg up on OpenBSD?! OpenBSD already has OpenSSH and IPsec. And yes, during install you can choose the US or International crypto, but OpenBSD is done out of the US, so lame-laws need not directly hinder it. It's more an issue being a US business and wanting to pay or not pay RSA license fees.
OpenBSD and its dev's played a big role in OpenSSH.
OpenBSD places a lot of importance on security and doing it right. Read all about it and get facts.
http://www.OpenBSD.org
http://www.openssh.com -
OpenBSD, come in from the cold.
OpenBSD has traditionally differentiated itself by being way ahead on the security front. Hell, look at their cryptography pages - "because we can". And a damn good reason for doing something that is too. But, the world is changing now: FreeBSD has just sprouted a serious number of security enhancements, and the "because we can" argument is starting to look watered down.
So, maybe we can add to some of that "BSDi are integrating their code" good feeling by starting to patch things up with Theo and the OpenBSD crowd. Note that it's important to not underestimate the quality of work that has gone into OpenBSD - you're not going to buffer overrun that bastard, believe you me.
And please, no FreeBSD RULEZ! OpenBSD SUX! crap (or vice versa). It just seems like a great opportunity to make three great server OS's (BSDi, FreeBSD, OpenBSD) into one absurdly great server OS.
Dave :) -
Re:Features, Current and Future
>First, this is not a web-only service. We do like to provide web interfaces to as much as possible, but we do realize that for some things, program compilation and testing included, nothing can substitute for shell access.
Will special permission be needed to get to shell access, or will anyone who signs up with a project have this option?
>A lot of people are asking about other hardware architectures and OS's. For now, the Compile Farm is i386 based, and contains several Linux distributions and FreeBSD. This does not mean that we have ruled out other possibilities. This is just another step in what we hope can be an expanding feature set for Open Source developers on SourceForge.
You need to not just not rule out other possibilities, you need to make a firm commitment to them. There needs to be, paraphrasing from those TV commercials I've been seeing, every operating system ... on every platform. That means not just FreeBSD, but also NetBSD and OpenBSD. That means each BSD on each hardware platform it runs on. That means not just Redhat Linux, Debian GNU/Linux, Slackware, SuSE, Best Linux, Turbo Linux. That means each Linux on each hardware platform it runs on, including S/390. That means not just open source operating systems, but also commercial operating systems. That means AIX, HP/UX, Solaris, and others. That means each platform they run on (e.g. Solaris on Sparc, Solaris on UltraSparc, Solaris on x386, etc).
There are already efforts to make some open source programs available on Solaris here.
>There is a lot of setup involved in something like this Compile Farm, not the least of which is having thousands of skilled Open Source developers with shell accounts on a set of boxes. We're attempting to keep things as secure as possible while also offering enough features to make this thing useful. One reason for the limited number of distributions/architectures/OS's now is the limitation of variables in a very complex system. Hopefully, we can work out the kinks in this system soon so that it can become a valuable resource to developers who might not otherwise have the capability of getting their hands on so many different machines.
Make the commitment to at least a few platforms that VA Linux does not sell, so we know you are serious and that this is not just a scheme to market your hardware and that you actually intend to make this the thing you claim it to be. Also, will you commit to having SourceForge on early Itanium machines as soon as you can get them from Intel?
I'm sure there are a lot of issues you have to work with, security being the most critical. For example, what if the project requires root access (some programs need to be SUID root for users, and some are tools for system administration). I know it won't be easy.
>Please be patient as we test this new system. We're definitely open to criticism, but please also be constructive with it so that we can continue to improve these services. Thanks to all of the SourceForge users who have contributed patches, criticism, and helpful suggestions. Every day my confidence in the Open Source model increases...
So get a few Sparc and Alpha boxes, put them behind a tight firewall which prevents people from getting out except via their own SSH tunnel, put BSD, Linux, and Solaris up as appropriate, and just let it go as a little "glass world" experiment so you can at least see what the issues are you'll have to deal with. -
Re:OpenBSD usability issue (and the cure)
To enhance stability, OpenBSD takes a more cautious disk write approach, which might slow down disk accesses some.
Specific information about tuning the disk subsystem for speed (and to eliminate above delay) can be found here. -
SCORE!!!
I nearly wet my pants when I saw this article. SMP!! I thought it may have been a typo. Seeing as how only like 5 of us in all of the Slashdot readership will see this, I thought I could share my excitement without being moderated or something.
It's in progress, as the note says, so we've got to wait a little longer. Now I have a 'good' excuse to get a dual processor box!
While you're around, check out the OpenBSD T-shirts and stuff:
-
here are the links
It's not complete, and it's not meant to be.
Maybe this will help make it more so: homepages for some of the software you discuss.
- OpenSSH - http://www.openssh.com/
- [Commercial] SSH - http://www.ssh.com/
- Kerberos Network Authentication - http://web.mit.edu/kerberos/www/
- ENskip - http://www.tik.ee.ethz.ch/~skip/
- Linux FreeS/WAN - http://www.xs4all.nl/~freeswan/
Anyone interested in the software mentioned above, or even just general UNIX security, would do well to take a gander at OpenBSD (http://www.openbsd.org). It's based on 4.4 BSD, like most of the Freenixes, and is designed with security foremost in mind. Think of it as FreeBSD after reading "1984". ;-)
It comes with OpenSSH. And Kerberos.
Ooh, and also... stickers! Put them on your box, and maybe the MiBs that break into your house while you're at work won't even bother trying to crack yer system.
Remember: paranoia is good. Anyone with doubts regarding the truth of that statement should check out the Echelon links that have been appearing here lately.
Ciao.
I am the Lord.
-
Something Stinks...
Every point that the person who was comparing SSH v. SRP made was completely wrong. I can't speak for every implementation of SSH, but we only need one, OpenSSH. Sure, if you don't really care about security, you can use password authentication instead of using a key. That key can not only be an RSA key, but also a blowfish key or a TIS or others... Personally, I prefer blowfish.
Now, is forcing someone to *only* allow logins when using a key really solving any problem? If you need to get in to your box from somewhere and you don't have time to do so otherwise, then login using password. If you have something so secure on your box that password is not acceptable (you're paranoid and should never use ecom either 8-}) then just configure sshd so that it doesn't allow password logins.
Besides, in most systems, the crypto that you use for remote administration is surely the least of your worries. Why not switch to OpenBSD so that you can sleep at night?
OpenBSD: Secure by Default... Ships with SSH
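The sshd change the last post mentions (configure sshd so that it doesn't allow password logins, leaving key-based authentication only) is the one setting on this page worth showing concretely. The following is an added example, not code from any post here or from the OpenBSD or OpenSSH projects: a small POSIX shell audit that reads sshd_config text, resolves the effective value of the relevant keywords the way sshd does (first occurrence wins, keywords case-insensitive, `#` comments ignored, absent keyword takes its default) and reports whether password and keyboard-interactive logins are off. The keyword names (`PasswordAuthentication`, `KbdInteractiveAuthentication`, its older alias `ChallengeResponseAuthentication`, `PermitRootLogin`, `PubkeyAuthentication`) are real sshd_config directives; the two config texts are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from any post on this page): audit sshd_config text for
# the hardening the post describes, i.e. password logins disabled so that only
# key-based authentication is accepted.  Keyword names are real OpenSSH
# sshd_config directives; the two configs below are constructed samples.

# Constructed sample: the permissive form (OpenSSH's defaults, spelled out).
WEAK_CONFIG='Port 22
PasswordAuthentication yes
KbdInteractiveAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes'

# Constructed sample: the hardened form.  Older OpenSSH releases spell the
# second keyword ChallengeResponseAuthentication; both are accepted below.
HARDENED_CONFIG='Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes'

# effective_value CONFIG_TEXT "keyword|alias..." DEFAULT
# Prints the effective value of a keyword, lower-cased.  Mirrors sshd's rules:
# the first occurrence wins, keywords are case-insensitive, '#' starts a
# comment, and an absent keyword takes its default.  Match blocks are not
# modelled (assumption: a flat, global config).
effective_value() {
    _cfg=$1
    _keys=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _def=$3
    _val=$(printf '%s\n' "$_cfg" \
        | sed 's/#.*//' \
        | awk -v keys="|$_keys|" \
            'index(keys, "|" tolower($1) "|") > 0 { print tolower($2); exit }')
    printf '%s' "${_val:-$_def}"
}

# password_logins_disabled CONFIG_TEXT
# Returns 0 only when both password and keyboard-interactive logins are off;
# either one left at its default ("yes") still lets a typed password reach sshd.
password_logins_disabled() {
    [ "$(effective_value "$1" PasswordAuthentication yes)" = no ] || return 1
    [ "$(effective_value "$1" \
        'KbdInteractiveAuthentication|ChallengeResponseAuthentication' yes)" = no ] \
        || return 1
    return 0
}

# audit_config CONFIG_TEXT: print a one-line verdict for the given config text.
audit_config() {
    if password_logins_disabled "$1"; then
        echo "OK: key-only authentication"
    else
        echo "WEAK: password or keyboard-interactive logins still allowed"
    fi
}

# Usage against the constructed samples; on a real host you would pass
# "$(cat /etc/ssh/sshd_config)" instead.
audit_config "$WEAK_CONFIG"        # WEAK: password or keyboard-interactive logins still allowed
audit_config "$HARDENED_CONFIG"    # OK: key-only authentication
```

The point of checking both keywords is the usual trap: setting `PasswordAuthentication no` alone still leaves keyboard-interactive (PAM or BSD auth) password prompts enabled unless `KbdInteractiveAuthentication` (or `ChallengeResponseAuthentication` on older releases) is also set to `no`.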