Domain: openbsd.org
Stories and comments across the archive that link to openbsd.org.
Comments · 2,959
-
Re:It is the most important open source project.
OpenBSD, while it is very secure, does owe some, if not a lot, of its security to security through obscurity.
Security through obscurity? What are you talking about? Name a better documented OS or distro.
New (and not so new) users are well-advised to keep the FAQs bookmarked, but the man pages shipped with the distribution are the most comprehensive I've ever seen. Terse, maybe, but complete, and the developers treat errors/omissions seriously.
Maybe you meant security due to small market share? Don't you think that every wannabe cracker out there wants to make a name for himself by rooting a properly configured OpenBSD box?
-
Re:Is upgrading OpenBSD still kind of a mess?
To follow up on my own post, they have a draft upgrade guide up it looks like (they recommend that it not be used yet though):
http://www.openbsd.org/faq/upgrade47.html
Looks like they include a utility to make life easier when upgrading... looks similar to what Gentoo Linux does when config files are upgraded... new configs are diff'd, and can be interactively merged, etc:
"OpenBSD now includes the sysmerge(8) utility, which helps administrators update configuration files after upgrading their system. Sysmerge(8) compares the current files on your system with the files that would have been installed with a new install, and gives you the option of keeping the old file, installing the new file, or assisting you in the manual merging of the old and new files, using sdiff. For past upgrades, we've presented a list of files that are usually copied over "as-is", and a list of files which should be changed, and a patch file that applies those changes to what might be in those files on your system. You may opt to use sysmerge to make the changes, or you may wish to use the patch file first, and then follow up with a sysmerge session to clean up any loose ends."
So it looks like they're at least making an effort to make it less painful
Are you kidding me? The upgrade process is for the administrator to manually merge the configuration files!?!?
And this is the improved version? Wow. Just... wow.
I can't believe people here whine about how the Windows 'registry' is somehow the root of all evil, even though the vast majority of Windows apps (and Windows itself) handle version upgrades automatically.
It's like I've time travelled back to the 70s.
-
Re:But I want it now
-
Is upgrading OpenBSD still kind of a mess?
See the upgrade guide for upgrading 4.5 to 4.6... it's a 280 line upgrade guide:
http://www.openbsd.org/faq/upgrade46.html
...on RedHat and CentOS, to go from RHEL 5.3 to RHEL 5.4 I did "yum -y update". That's it.
Can we get there with OpenBSD? At my current place of employment we were using OpenBSD, but the upgrade process was an argument that was made (by other members of my team) to move to RHEL...
-
Re:Cygwin's package was updated, too
Asserting that it doesn't work because "someone who knows this by heart" examined it is meaningless.
- well, I did get someone who knows by heart. A person of this list: openBSD commercial support, Russel.
Now, "asserting that it doesn't work because
... it doesn't work" - because it doesn't. I said something does not work, but it looks correct, logs are not showing problems, the configuration looks correct yet ftp cannot be reached from inside the network. Does it work? No. Did I say "openBSD doesn't work"? No. I said it's not working, whatever the cause is and it looks correct.
-
Re:Cygwin's package was updated, too
well, shit, as I said, I paid for help, not from someone off the street. http://openbsd.org/support.html#Canada - search for the name Russel. He is listed at OpenBSD site. In his words he could not see anything wrong with the configuration and I configured it before he looked. So am I trolling? Obviously something is not right, but if someone off bsd official commercial support list couldn't help, well then, what can I say, something is broken but it does not look broken. You want to fix it?
-
New, Problematic Protocol Introduced
Available here. What's missing from this PROTOCOL.agent document?
- Any sign it's been reviewed by competent cryptographers.
- Any discussion of weaknesses, implementation errors to avoid, etc.
- Any plausible arguments that the extra lines of code needed for X.509 really outweigh the benefits of 22 years of review and practice.
Use at your own risk.
-
Re:OpenBSD PF
They've also added a nice feature called expiretables that keeps the "bruteforce" table small & efficient by expiring entries that haven't seen any hits after a definable period of time.
FWIW, there's also an entry in the official PF FAQ on this...
Thanks for mentioning the tutorial, but actually expiretable is no longer necessary. On anything with PF equal to OpenBSD 4.1 or newer a simple
pfctl -t bruteforce -T expire 86400
will expire table entries that have not had their statistics updated for the last 24 hours (86400 seconds)
I really should reverse the sequence at that page. expiretable likely still works, but it is no longer necessary to install a separate package to get table expiry.
-
Re:OpenBSD PF
The tutorial that explains what all this does is here. They've also added a nice feature called expiretables that keeps the "bruteforce" table small & efficient by expiring entries that haven't seen any hits after a definable period of time.
FWIW, there's also an entry in the official PF FAQ on this...
-
Re:Packet Filter
What do you know... we actually use that at work. Indirectly, anyways, through OpenBSD's gzipped mirror in conjunction with spamd.
Thanks for the work you put into it! Because of spamd (and lists like yours, Beck's traplist, and so on) we're wasting over 1100 hours of spammer time every day.
-
Re:Propaganda
Viva OpenBSD
-
... patents!
VRRP, philosophically,
must ipso facto standard be
But standard it
needs to be free
vis a vis
the IETF
you see?
But can VRRP
be said to be
or not to be
a standard, see,
when VRRP can not be free,
due to some Cisco patentry..
Singing...
La Dee Dee, 1, 2, 3.
VRRP ain't free.
O P E N B S D
CARP is free
-
Re:The patent system exists for aiding innovation
Software patents stifle innovation.
Yet they are still around.
Many of us hate software patents. (myself included).
They limit what we can do, so we have to find innovative ways to avoid them.
That they are only a problem when abused. If company X develops some new way of sorting data that allows them to produce a better database, then they deserve an opportunity to profit from their work, just as an inventor deserves a chance to profit from an invention. The fact that company X's invention is not embedded within a specific piece of hardware doesn't change the fact that they have contributed something.
(And, unlike copyrights, software patents have a chance of dying before the product being patented becomes obsolete).
Besides litigation, how do software patents benefit their holders?
Besides paying for your hospital bills, how does health insurance benefit you? Litigation, or the threat of litigation, is the main benefit for patent holders. If somebody steals your idea, you have a legal recourse against them. That's the only good thing that comes from patent law, but it is sufficient.
-
Re:The patent system exists for aiding innovation
Software patents stifle innovation.
Yet they are still around.Many of us hate software patents. (myself included).
They limit what we can do, so we have to find innovative ways to avoid them.
Meanwhile we are happy when some large companies get bitten by patents.
Besides litigation, how do software patents benefit their holders?
-
Re:Desktop/network support for women's health clin
OpenBSD 3.3 hasn't had any security updates since 2004. Ubuntu 9.04 was released in April 2009. This is the user's only post.
Obvious troll is obvious.
-
OpenBSD
OpenBSD has been used as a router in enterprise environments. Check out http://www.openbsd.org/ or their OpenOSPF and OpenBGP implementations. They strive to be lean, standards compliant, and meet the broadest set of routing criteria. Coincidentally, OpenBSD has an incredibly easy to configure IPSEC stack as well as tools for router redundancy called CARP.
-
Re:Just use any Linux distro
Does it have to be Linux?
Why not try OpenBSD and its excellent BGP implementation OpenBGP! It powers some pretty hefty businesses and ISPs.
-
Re:Don't say "NAT"
And - let's face it - neither can most of /.'s users. I remember setting up an OpenBSD firewall back in the late 90s, and I did most of my firewall rules configuration by copying someone else's rules.
If you can write a shell script, you can write a good, stateful firewall with OpenBSD. Its "pf.conf" has the cleanest, most straightforward syntax I've ever seen for such things. I struggled for weeks setting up a good firewall with FreeBSD's ipfw back in the day, but my non-network-admin coworkers have no trouble hacking around in OpenBSD's config.
-
Of course it is!
The consequences of fixing a problem while it's being exploited are usually much more severe than not having the problem in the first place. Proactive security is the way to go. That's why BUGTRAQ is peppered with statements like, "This problem was fixed in OpenBSD about 6 months ago"
-
Re:Easier to block?
Run spamd on OpenBSD or other OS that supports it. Works beautifully.
http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&sektion=8
http://www.openbsd.org/cgi-bin/man.cgi?query=spamd-setup&sektion=8
http://www.openbsd.org/cgi-bin/man.cgi?query=spamd.conf&sektion=5
http://www.linux.com/archive/feature/61103
By default, email gets greylisted. In other words, the first two tries are rejected with a temporary failure message, the third try gets through. Real mail servers will retry, spammers often won't. Mail that gets through is whitelisted for that combination of sender, recipient, and IP for a month or so. You can also up-front blacklist IPs by whatever criteria you want -- published blacklists, country IP ranges, and so on. You can specify specific email addresses as spam traps, so you setup fromlamespammer@example.com on your mail server and put that as a hidden mailto link on your home page, and anyone who emails that obviously harvested it and their IP gets blacklisted.
Combine that with Bob Beck's greyscanner (google for it) which looks for individual IPs trying to send from multiple domains and blacklists them for a period of about a month. I've found it eliminates about 99% of all spam. You should still do things like proactively whitelist clients and mail servers which send from a pool of servers (otherwise it'll get delayed quite a bit). And the occasional spam that gets through should get its IP address blacklisted.
It has the additional benefit that if you run a busy mail server, running this in front significantly reduces the load on the mail server. So you end up with less spam, less wasted storage space, and a snappier mail server.
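A toy model of the greylisting, spam-trap and greyscanner-style behaviour the comment above describes, written here as an added example (it is neither spamd's implementation nor the commenter's code). The three-attempt rule, the roughly one-month whitelist and the sender-domain threshold are taken or assumed from the comment's description; the IPs and addresses are constructed.

```python
"""Toy model of the spamd-style greylisting described above (added example,
not spamd's implementation). Rules taken from the comment: the first two
delivery attempts for a (client IP, sender, recipient) tuple get a temporary
failure, the third passes and whitelists the tuple for about a month; a client
that mails a spam-trap address is blacklisted, as is a client that tries to
send from too many different sender domains (the greyscanner idea)."""
from dataclasses import dataclass, field

TEMPFAIL = "451 Temporary failure, please try again later"
ACCEPT = "250 OK"
REJECT = "550 Blacklisted"

GREY_PASSES_AFTER = 3            # "the third try gets through"
WHITELIST_TTL = 30 * 24 * 3600   # "for a month or so", in seconds
MAX_DOMAINS_PER_IP = 3           # assumed greyscanner-style threshold


@dataclass
class Greylister:
    traps: set                                     # spam-trap recipient addresses
    now: int = 0                                   # simulated clock (seconds)
    attempts: dict = field(default_factory=dict)   # tuple -> failed attempt count
    whitelist: dict = field(default_factory=dict)  # tuple -> expiry timestamp
    blacklist: set = field(default_factory=set)    # client IPs rejected outright
    domains: dict = field(default_factory=dict)    # ip -> sender domains seen

    def deliver(self, ip, sender, rcpt):
        """Return the SMTP-style verdict for one delivery attempt."""
        key = (ip, sender, rcpt)
        if ip in self.blacklist:
            return REJECT
        if rcpt in self.traps:                     # harvested trap address
            self.blacklist.add(ip)
            return REJECT
        seen = self.domains.setdefault(ip, set())
        seen.add(sender.rpartition("@")[2])
        if len(seen) > MAX_DOMAINS_PER_IP:         # one IP, many sender domains
            self.blacklist.add(ip)
            return REJECT
        expiry = self.whitelist.get(key)
        if expiry is not None and expiry > self.now:
            self.whitelist[key] = self.now + WHITELIST_TTL  # activity extends it
            return ACCEPT
        self.whitelist.pop(key, None)              # expired or never whitelisted
        count = self.attempts.get(key, 0) + 1
        if count < GREY_PASSES_AFTER:
            self.attempts[key] = count
            return TEMPFAIL
        self.attempts.pop(key, None)
        self.whitelist[key] = self.now + WHITELIST_TTL
        return ACCEPT

    def advance(self, seconds):
        self.now += seconds


# Constructed scenarios (IPs and addresses are made up for this example).
def legit_sender_scenario():
    """A real MTA retries: two tempfails, then accepted; expiry re-greylists."""
    g = Greylister(traps={"lamespammer@example.com"})
    verdicts = []
    for _ in range(3):
        verdicts.append(g.deliver("198.51.100.7", "alice@example.org", "bob@example.net"))
        g.advance(600)                             # MTA retry interval
    g.advance(WHITELIST_TTL)                       # whitelist entry has lapsed
    verdicts.append(g.deliver("198.51.100.7", "alice@example.org", "bob@example.net"))
    return verdicts


def trap_scenario():
    """Mailing the hidden trap address blacklists the client outright."""
    g = Greylister(traps={"lamespammer@example.com"})
    return [g.deliver("203.0.113.9", "x@spam.example", "lamespammer@example.com"),
            g.deliver("203.0.113.9", "x@spam.example", "bob@example.net")]


def greyscanner_scenario():
    """One client rotating through sender domains trips the domain threshold."""
    g = Greylister(traps=set())
    return [g.deliver("203.0.113.10", "a@d%d.example" % i, "bob@example.net")
            for i in range(4)]
```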
-
Witnessing the birth? Full grown already.
Instead, we seem to be witnessing the birth of a new hybrid stack -- open source underneath, and proprietary on top.
Gee, it's not like anyone's done that before...
There's nothing at all wrong with proprietary layers somewhere in the next - in theory all open source is preferable for a lot of reasons, but there's no denying a dedicated force of people can add a really polished layer that OS projects may take much longer to come up with, if ever.
Did you seriously expect most Android apps to be open source? Come on!
-
Re:Reevaluation
Yes, because there are no open source, non-GPL'd, kernels around. They'd obviously have to start completely from scratch.
-
Re:UDP block - use pdnsd with tcp_only
Good catch, I thought DNS only used TCP for zone transfers and similar.
TCP DNS query with dig:
dig +tcp @8.8.8.8 www.slashdot.org
Linux /etc/resolv.conf seems not to be able to do DNS queries over TCP. However, *BSD can:
http://www.openbsd.org/cgi-bin/man.cgi?query=resolv.conf&sektion=5
=== cut /etc/resolv.conf ===
nameserver 8.8.8.8
options tcp
Still, most of free WiFi hotspots block every f**king port except 80 and 443. I didn't check but if Google is answering DNS queries on 80 and 443 then it is a good thing
:)
-
Re:Copyright and Plagiarism
Obviously, nobody wants to spend thousands of hours creating something then letting someone else (a corporation) sell it without royalties. Or letting people download it for free off the internet.
Linux.
Firefox.
MySQL.
Apache.
Gnome.
KDE.
And if you're going to redefine your original statement so that GPL counts as payment, I give you:
Chromium (browser and OS)
Open BSD
Free BSD
Hey Pirates, you think you aren't stealing?
Do we HAVE to go over this again?
-
Tor by default
I don't see request for Tor by default in Ubuntu. What about other distros or other onion routers? That would increase the base. Amnesty or Human Rights Watch or The Democracy Center all have a stake in onion routing. To take the thread in the same direction, but further, the group that backed Bush may have left the top offices in the administration, but it has not entirely left power. And the voting machine problem is not yet solved. Those are still under their sphere of influence.
Phil Zimmermann's Why I Wrote PGP and OpenSSH's SSH FAQ are two works that come to mind first about privacy. Most countries recognize the natural right to peaceable assembly. Do the corporations that now have larger budgets and more political clout than some small countries also those rights? You know the answer. The price of freedom is not just eternal vigilance, the cost also includes acting to proactively resolve threats to that freedom.
-
Re:Contact the BSA AFTER you secure
-
Re:Why you're not responding?
Be a good citizen and tar pit. It only costs a few cycles...
-
Blacklists should expire aggressively
The problem here seems to be badly maintained blacklists. After seeing way too many false positives on various blacklists out there, the only lists I would use are ones that expire their entries in a matter of days or hours. The good ones that I use are uatraps (greytrapping generated, 24 hour expiry) and nixspam (IIRC max 4 days after last seen spam activity). Then of course I maintain my own greytrap list (see the traplist homepage and the traplist ethics page for details).
The point is, you need to expire entries aggressively. Keeping entries around because somebody received a spam from somewhere in that general direction four years ago is just silly. And don't get me started on blacklisting domains. If there is one thing we know with almost total certainty, it is that spammers never use From: or Reply-to: addresses that have anything vaguely to do with the real senders.
-
OpenBSD
Check the hardware support list, but looking at it, it supports DX2s/DX4s. AFAIK UNIX was never ported to i386 before the addition of the FPU, although I could be wrong about that.
The reason why I'm suggesting this is because, as well as being a particularly compact, high quality codebase, OpenBSD is, as you probably know, specifically oriented towards security. A firewall or software router is one of the only uses I can think of for a 486 these days.
If you were going to install NetBSD, you could possibly mess around with using the CPU as a controller for something weird, especially if you know how to actually rip the motherboard out and attach it to a robot chassis.
;)
OpenBSD's internal fork of X is probably very tight I'm guessing as well, so you will possibly be able to run that. You almost certainly won't be able to play mp3s on it, and personally I wouldn't even try Dillo on it, either; use links.
The DX4 was the first machine with video playback, if memory serves.
Good luck with it, and have fun. If you can find a tight enough system for it, you'd probably be surprised at the number of uses you could find for it. It'll run ash, ed/vi, sed, and grep, at least; and who really needs more than that anyway, right?
;)
-
Re:How About FreeBSD?
Any of the BSDs. OpenBSD might be another choice. http://www.openbsd.org/ I've installed it on several older computers to keep them going.
-
Re:openbsd kernel
You want relayd, also previously known as hoststated.
-
Re:Security advantages over Ubuntu Server
I have used earlier versions of OpenBSD as a guest on VMWare ESX 3.5 and it behaved just fine, FWIW. There are ways to put the VMWare tools on it. (You should be able to download a virtual appliance with them preinstalled if you just want to test.)
Security and stability are OpenBSD's strengths. That helps it considerably with availability, of course. (Though it sounds like you have redundancy handled in other ways, check out CARP.) Performance you'd want to test in your environment; OpenBSD's overhead is really low so it rocks on low end hardware, but whether that translates well to your high-end environment is a big "it depends".
-
Re:Update link in story
The story points to plus46.html which isn't useful for a general distribution announcement like this. Here's a much better choice (which includes a link to the plus46.html page):
http://www.openbsd.org/46.html
or
http://www.sigmasoft.com/~openbsd/archives/html/openbsd-announce/2009-10/msg00001.html
for the record, i submitted it with different links. plus46.html was originally linked from the text "and lots more." they "improved" the links in the story before they published it.
-
Re:October 18th is also its birthday
-
Update link in story
The story points to plus46.html which isn't useful for a general distribution announcement like this. Here's a much better choice (which includes a link to the plus46.html page):
http://www.openbsd.org/46.html
or
http://www.sigmasoft.com/~openbsd/archives/html/openbsd-announce/2009-10/msg00001.html
-
Re:Software RAID?
Now if mdadm only had the ease of use gmirror/geom does in FreeBSD, then it might be more widely adopted.
mdadm is a perfectly functional package, but its setup is quite awkward. gmirror however is a breeze to set up, and its performance kicks the crap out of most hardware controllers I've tried (admittedly few). I imagine the OpenBSD implementation is also a good performer as software RAID. This states a 30% speedup for certain cases. http://www.openbsd.org/plus.html
-
ISO Policy Explained
OpenBSD's FAQ explains their choices regarding ISO images.
I like to install OpenBSD from a floppy image - only 1.44 MB! I then choose an FTP mirror and install whatever parts I want on the fly.
-
Re:Still no torrent?
Except if you're following installation directions (and for some reason not using bsd.rd, etc, to install), you would be downloading the 6MB cd64.iso, not the 200MB install46.iso. http://www.openbsd.org/faq/faq3.html#ISO
-
Re:Where's the song?
Right here: http://openbsd.org/lyrics.html#46
-
Where's the song?
Where's the song? There was supposed to be an earth-shattering song!
-
Re:You can't do what you want to do
Sure you can.
http://www.openbsd.org/faq/pf/pools.html
One simple example. Plenty of other options available with other software. As long as you load-balance per connection instead of per packet there aren't many issues with this, and those often don't apply outside of special use cases.
-
Re:This article oversimplifies a complex problem
Is the open source solution close enough to the needs of the Ontario government that, as the article alleges, all you need to do is buy some servers and set it up and there are negligible other costs? I seriously doubt it. I would be willing to bet heavily against it. Anyone who thinks otherwise probably hasn't spent much time developing software for government.
I haven't, no...but what are said needs?
I'm assuming that the main component of a record system is going to be a database. You'll also need a usable system and interface for entering and retrieving said records into the DB. You're also going to want to do SQL dumps and periodic offsite backups, so that if anything goes wrong, you can get the data back.
Of course, it will also be very important to ensure that the operating system the database is hosted on, is as robust as possible, to minimise the possibility of crashes; as well as a strong filesystem for times when you need to make a lot of queries at once. Even though that system is meant for servers, you can still make it user friendly for your administrative staff as well, if you need to.
If you're going to want the records accessible from outside the hospital, you'll probably also want to make sure that they are protected by a couple of very secure firewalls, as well, since it could potentially mean the loss of someone's life if they get cracked.
Finally, they will need to make sure that whoever puts the network together does so according to sound administration principles, as well.
-
Re:I know I'm not alone in this...
OpenSSH is developed by OpenBSD. They accept PayPal donations via the link on this page.
-
Malware vulnerability is profitable for Microsoft.
The best way to stop malware is to audit code so that it doesn't have vulnerabilities. The OpenBSD volunteers have been doing that for many years.
In my opinion, and the opinion of many others, the vulnerability of Microsoft products to malware is a result of Microsoft managers not allowing Microsoft programmers to finish their jobs.
When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has huge security risks. For examples, see the New York Times article Corrupted PC's Find New Home in the Dumpster. Vulnerability to malware is very profitable for Microsoft and its main customers, who are computer manufacturers.
Solving the problems with malware will not be fully successful if Microsoft managers do not want it to be successful. Vulnerabilities are profitable when a company has a virtual monopoly.
-
The EU Serenity Project is using the same approach
MOD PARENT UP. It is apparently correct to be skeptical.
The Serenity Project in the European Union is using the same approach. They call it "Ambient Intelligence(AmI)." The level of intelligence in the Serenity project may be indicated by the fact that, at present, 2009-09-26, 02:47 PDT, there is no space before "(AmI)". The Ambient Intelligence in the Serenity Project is very low, apparently.
Someone who worked for SAP Labs France told me the SAP Labs France part of the Serenity Project is so poorly managed that smart people leave as soon as they can find other jobs.
Apparently the only way of providing security that actually works is the Open BSD method: Audit the code. No number of "ants" can provide the security of audited code.
Want more biological humor? Read about SAP's customer-focused ecosystem. It supposedly fosters "... an ideal environment for ongoing innovation and value creation..." Biological references are apparently the hot new thing in corporate-speak. Biological references concerning computers are very useful to people who have no technical knowledge and don't want any, because they are so vague the speaker can never be found wrong.
-
Re:SheevaPlug
Does the OpenBSD armish port not work on the OpenRD board?