Domain: openbsd.org
Stories and comments across the archive that link to openbsd.org.
Comments · 2,959
-
Re:This is a common problem for OSS
You're right. See their Crypto page. In fact, they build their binary releases only in Canada, Sweden, and Germany to avoid ITAR type restrictions.
-
Re:torrent?
from the OpenBSD FAQ:
3.3 - Does OpenBSD provide an ISO image for download?
Starting with OpenBSD 4.2, for select platforms, yes! Users of the alpha, amd64, hppa, i386, macppc, sparc and sparc64 platforms can now download and install ISO image which can be used to create a CD-ROM that can boot and install all of OpenBSD.
Note, this ISO is not the same as the official CD set. These images are for single platforms, and do not include any of the pre-compiled packages, stickers, or artwork that the official CD set does.
As before, however, ISO file installation is NOT the optimum installation method for many people. It is still usually faster and simpler to download the boot media and then install just the portions needed. However, for those who wish to do a number of installations, or can not figure out how to drop ten files on a CD-ROM or set up a local FTP server, ISOs are available.
The OpenBSD project does not make the ISO images used to master the official CDs available for download. The reason is simply that we would like you to buy the CD sets to help fund ongoing OpenBSD development. The official OpenBSD CD-ROM layout is copyright Theo de Raadt. Theo does not permit people to redistribute images of the official OpenBSD CDs. As an incentive for people to buy the CD set, some extras are included in the package as well (artwork, stickers etc).
Note that only the CD layout is copyrighted, OpenBSD itself is free. Nothing precludes someone else from downloading OpenBSD and making their own CD.
For those that need a bootable CD for their system, bootdisk ISO images (named cd45.iso) are available for a number of platforms which will then permit the rest of the system to be installed via FTP. These ISO images are only a few megabytes in size, and contain just the installation tools, not the actual file sets.
-
Re:Looking forward...
IP over IP, duh. Look, it's been lying dormant in BSD networking code for years! Below that, it's turtles all the way down.
-
Re:Common Problem
Part of the problem is building it in from the beginning. There is much more fun and/or marketing appeal to build in eye candy, support the latest games, multi-media capabilities, mobile devices support etc. than to design in security.
A vendor or kernel programmer group should design it in from the ground up. But there isn't really any money in it for vendors and few programmers think of it as fun. With the exception of these guys maybe http://www.openbsd.org/security.html
So in other words, many people are dropping the ball for a variety of reasons, commercial interest, lack of skill or plain disinterest.
Security should be "plug and play". The user shouldn't have to think about it at all, other than put in the correct key (physical or virtual). Which I think is also part of your point.
-
Re:Windows Autorun
"Secure by Default" is OpenBSD's claim, it is not from Linux. The previous poster didn't mention anything about Linux in his post. Nice of you to deliberately confuse the issue. Microsoft shill much?
Ah, the old days of slashdot, where at any mention of Linux, some bastard would morph the conversation to claim someone had said Linux is "bulletproof" "perfect" "impossible to hack", when in fact, no one had made any such claim at all.
-
Re:Security through Obscurity?
Exactly. And it's not a claim that they have none, it's a claim that none have been found. From their own security faq:
We do not find as many problems anymore, it is simply a case of diminishing returns. Recently the security problems we find and fix tend to be significantly more obscure or complicated. Still we will persist for a number of reasons:
* Occasionally we find a simple problem we missed earlier. Doh!
* Security is like an arms race; the best attackers will continue to search for more complicated exploits, so we will too.
* Finding and fixing subtle flaws in complicated software is a lot of fun.
The auditing process is not over yet, and as you can see we continue to find and fix new security flaws.
That page has a list of security advisories in their releases. They're fixed in the current branch, but it proves that they acknowledge when they have holes & then fix them.
-
Re:Prior art
The FreeBSD man page says "A wall command appeared in PWB UNIX" (my link), and the OpenBSD man page says "A wall command appeared in Version 7 AT&T UNIX" (again, my link).
So... mid- to late 70s at the latest.
-
Re:No critical bugs? BS.
I think errata 013 and 014 fixed http://www.openbsd.org/errata31.html were the best examples of critical bugs making it in for at least 2.5 years of releases. Now of course they were not remote exploits so do not count for those two, but they led the OpenBSD guys to carefully look for other possible signed/unsigned mistakes in a whole lot of code, and of course they were very serious bugs.
-
Re:No critical bugs? BS.
While OpenBSD does have an outstanding security record, with good design & separation of privileges, they aren't perfect.
As they say on their website, "Only two remote holes in the default install, in a heck of a long time!"
Indeed you are correct, it is false to state that OpenBSD has never had critical bugs. However the 2 bugs mentioned on their website is an amazing statistic compared to the best serious software vendors like sun, HP, redhat, IBM, etc. have managed.
-
I am a Toro Fecundian
but this is just plain wrong!
`` exactly on the date promised''
Lies! OBSD releases are regularly released a month early.
And, the canard that de Raadt is an asshole is plain wrong. Those who follow OBSD for anything other than a short period of time will know what his, the team's refrain is: We make this OS for us, not for you! Your benefit is an unintended consequence. We don't want to be the most popular, we make this OS for us, not for you! You want Linux. We don't talk, we code. We don't suggest bs features, we code. You want it, code it. But then you keep posting to the list, you've been told to help yourself, that we make this OS for us, not for you! So I will now tell you to fuck off, slacker.
It's simple, man. I've read Bruce Perens say he met the guy, extended his hand but the guy never acknowledged him, that he might be Aspergerish. I thought Bruce was off his rocker when I read that. He bats .400 most of the time, and sometimes I say WTF is he drinking today?
Check out theo.c for a lot of laughs!!!
One list goodie went sort of like this years ago: Why are you posting to misc@. Why didn't you read the man pages, slacker. They're quality, this is not Linux. If you didn't bother you're an idler. If you read them and didn't understand them you're a lamer.
"you bring new meaning to the terms slackass. I will have to invent a new term." --Theo de Raadt
-
Re:Summary?
The slides are here: http://www.openbsd.org/papers/asiabsdcon2009-release_engineering/
-
No critical bugs? BS.
While OpenBSD does have an outstanding security record, with good design & separation of privileges, they aren't perfect.
As they say on their website, "Only two remote holes in the default install, in a heck of a long time!"
-
The Best Solution
Is the one developed by the hard working folks at the OpenBSD project who have been studying spam for well over 5 years. They came up with something that is devilishly clever called OpenBSD Spamd. Spamd is basically a fake smtp engine that sets the TCP RWIN to 1. By doing this, it causes the transmission speed to slow to 1 byte per second. This can cause a backlog or even crash the spam sender. Fight back, don't filter! You can even create a series of spam trap addresses, publish them, and reverse harvest the IP addresses of the spam senders. Check out http://www.openbsd.org/
-
Re:Breaking out of chroot for a non root user
I forgot how good of an article that was, these were fixed in OpenBSD 3.1, they are errata 014 and 015.
-
Re:Windows TCO
When mounting a filesystem under OpenBSD you can specify that any file within that mount cannot be executed. I find that this is very much a valuable flag (noexec) when you are mounting /tmp and /home as it pretty much prevents execution of files outside of expected areas.
Of course if it is a script, nothing stops the person from calling the interpreter first. e.g. perl script.pl
-
The fundamental problem is sloppy code in Windows.
Here's a problem with ESET's Nod32 discussed on March 9, 2009: NOD32 was deleting very critical and required Windows files.
The fundamental problem is that Microsoft makes more money if there are security problems in Windows.
OpenBSD doesn't require anti-virus and anti-spyware programs partly because it was written to be secure. Apple's Mac OS X is based on BSD, and users rarely have problems with that operating system being insecure.
Amazingly, Microsoft is not only supplying insecure software, it is charging for programs to fix the insecurities!!! See Windows Live OneCare.
Microsoft charges Microsoft Windows users $50 for software to fix problems in Windows! Windows Live OneCare has "Antivirus and antispyware all in one". More: "Two-way firewall helps stop hackers in their tracks". Hmmm, Microsoft, if Windows needs a "Two-way firewall", and it certainly does, why do you supply a one-way firewall with Windows???
See Windows Live OneCare Gripes. Quote: "Create the problem, then charge people money to solve it." Another quote: "Why should Microsoft profit from the plague of viruses and Spyware? Shouldn't it have designed Windows better to begin with? And if it has indeed found a way to protect Windows, isn't it a tad exploitative to charge for it? Microsoft has no convincing answer for these questions . . ."
Another quote: "McAfee, Symantec and Microsoft (with Windows Live OneCare) all set your credit card up for automatic renewals when you purchase their security software on-line. ... the gripe is that you can't opt out of this during the purchase. OneCare is the most difficult of the three to opt out of. In fact, you can't. Instead you must cancel your subscription altogether by calling 866-663-2273."
To me, it seems like this: Testing... Testing... How much abuse will computer users accept?
-
OpenBSD's pf has some mitigation features
OpenBSD's pf firewall has some options that can help mitigate the "single attacker, single source IP" version of this attack. Of course if the attackers decide to spread the attack out over multiple source IPs like a DDoS, this becomes much harder to deal with until Apache has a patch.
Filter rules that create state entries can specify various options to control the behavior of the resulting state entry. The following options are available:
max number
    Limit the maximum number of state entries the rule can create to number. If the maximum is reached, packets that would normally create state fail to match this rule until the number of existing states decreases below the limit.
no state
    Prevents the rule from automatically creating a state entry.
source-track
    This option enables the tracking of number of states created per source IP address. The total number of source IP addresses tracked globally can be controlled via the
max-src-nodes number
    When the source-track option is used, max-src-nodes will limit the number of source IP addresses that can simultaneously create state. This option can only be used with source-track rule.
max-src-states number
    When the source-track option is used, max-src-states will limit the number of simultaneous state entries that can be created per source IP address. The scope of this limit (i.e., states created by this rule only or states created by all rules that use source-track) is dependent on the source-track option specified.
-
Re:Get It While It's Hot
-
Re:Games
But since they're general drivers, they never achieve the same results as specific drivers made for Windows by the manufacturer.
OTOH, you also have OSS drivers that are better, where, e.g., you can use the same configuration utility to run your wireless card or the same configuration utility to manage your RAID.
-
Systrace
Does OpenBSD have any of the SELinux type security features?
systrace is a different kind of tool. It does allow you to set access policies, but for the system calls. Also, SE Linux is an add-on for the Linux kernels only. Systrace is available for Linux and the BSDs, which would include systrace for OpenBSD. You'll have to check if OS X is still covered.
-
Re:OpenBSD?
According to their website, it is built for security:
The first sentence under goal: OpenBSD believes in strong security. Our aspiration is to be NUMBER ONE in the industry for security (if we are not already there).
-
Re:Not like that...
Actually the OpenBSD guys rewrote their pkg_* tools (in Perl) some time ago. See http://cvs.openbsd.org/papers/ven05-espie/index.html for more information. On FreeBSD you still have to use old pkg_* tools that are not so sophisticated. On the other hand in FreeBSD you have the portinstall/portupgrade stuff since FreeBSD software installation process is more focused on support for installation from source...
-
Re:Not like that...
Keeping systems up-to-date, both base system and userspace stuff, is much easier on Debian-based systems, IMO.
I upgraded to 4.5 this morning, and the package upgrade instructions were to run pkg_add -ui -F update -F updatedepends. Now, I'm typing this on Ubuntu, and I use FreeBSD on most of "my" servers, but that's just about as convenient as it gets.
-
Re:Old, but scrutinized. That's the point.
Except that - as someone pointed out in an earlier comment - the optional packages like Firefox and KDE don't get the auditing and code screening. Hell, allegedly they don't even get prompt security updates when upstream fixes something.
-
security and ports & packages
"The one area where OpenBSD is let down on the security front is the packages/ports"
"The ports & packages collection does NOT go through the thorough security audit that the OpenBSD base system does. Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security"
-
security related channel
"I find it intimidating that the community is unable or unwilling to maintain proper information channels for security-related maintenance"
You could try looking over on the Bug Tracking System or the openbsd-bugs mailing list
-
Re:Doesn't really matter
I'm in a business where we welcome GPL-licensed apps with open arms. Of course, we don't sell software, we sell services and expertise.
Well, many people sell service and expertise and they use non-GPL products. For instance, the URLs below will take you to people who sell services and expertise in *BSD systems.
http://www.freebsd.org/commercial/consult.html
http://www.openbsd.org/support.html
http://www.netbsd.org/gallery/consultants.html
http://www.ixsystems.com/
-
Re:Physical Security is a big issue
If you published a method for taking control of an OpenBSD system by having physical control of the hardware...
The method is already published in OpenBSD FAQ 8.1: I forgot my root password, what do I do now?
...In fact, I can tell you how to do that right now...
Your guidance is incorrect. No live media needed, and there is no such thing as /etc/shadow. OpenBSD is not Linux.
-
OpenBSD immune... again.
Yet again, OpenBSD shows foresight by having this bugginess fixed in 2003 long before the actual chips were available on which this can happen. Well done, lads.
-
Re:Lack of font? Design your own!
What version of OpenBSD are you referring to?
Stable. I refer the honorable gentleman to the BSD FAQ I gave previously. Actually, you might find that reading it will help you manage your BSD system effectively.
P.S. SELinux is not anti-virus software any more than PF is anti-virus software. Please have a look at some of the documentation. It's a quite interesting security framework which actually includes RBAC as a possible configuration. Possibly a bit complex to build; in RedHat it is almost user-transparent which means that it shouldn't be a problem. Please also note mellon's comments.
-
Re:Huh?
There is a project called OpenBSD which does exactly what you suggest open source projects don't do: conduct security audits of their whole system.
Personally, I would trust OpenBSD much more than I would any closed-source vendor. Also, OpenBSD has a number of security features that limit the impact of any vulnerabilities not caught by the audit process.
Not to mention that going with OpenBSD hands them a huge PR opportunity and is likely to net some serious support from senior OpenBSD developers.
-
Re:Huh?
I agree with you that Linux in general isn't a very safe bet when you want to be secure, especially not if you are worried about targeted attacks.
However, that does not mean that ``open source software, in its current form, cannot defend against a concerted attack by any large groups of individuals. It can't be done.''
There is a project called OpenBSD which does exactly what you suggest open source projects don't do: conduct security audits of their whole system.
Personally, I would trust OpenBSD much more than I would any closed-source vendor. Also, OpenBSD has a number of security features that limit the impact of any vulnerabilities not caught by the audit process.
Also, Debian has an audit process that looks not only at the base system, but also at the packages that are included in the distribution. This does not cover all packages, but goes a whole lot further than what many vendors (particularly Microsoft) offer.
On the whole, I think you are being overly negative about security in the open source world, and too optimistic about security in the closed source world. From personal experience, I can tell you that the idea that code in closed-source projects has to make it past "at least one code review" is simply wishful thinking. By contrast, the idea that code has to pass at least one review before being accepted is an actual reality in at least some open source projects (including Linux and OpenBSD).
So, while certainly not claiming that using Debian or even OpenBSD is a panacea for security, I have much more faith in those projects than in any closed source project.
-
Where is OpenBSD?
For the longest time OpenBSD could advertise that it had not had a remote exploit in X number of years in the default install. And, although, that is no longer the case the whole raison d'etre of OpenBSD IS security. From the website:
OpenBSD believes in strong security. Our aspiration is to be NUMBER ONE in the industry for security (if we are not already there). Our open software development model permits us to take a more uncompromising view towards increased security than Sun, SGI, IBM, HP, or other vendors are able to. We can make changes the vendors would not make. Also, since OpenBSD is exported with cryptography, we are able to take cryptographic approaches towards fixing security problems.
Not to mention OpenBSD has been auditing their code file-by-file since 1996. They also employ the following technologies:
strlcpy() and strlcat()
Memory protection purify
- W^X
- .rodata segment
- Guard pages
- Randomized malloc()
- Randomized mmap()
- atexit() and stdio protection
Privilege separation
Privilege revocation
Chroot jailing
New uids
ProPolice
And since OpenBSD is based in Canada you get all the cryptography you would ever desire.
-
OpenBSD should be the obvious choice
Surprised it doesn't seem to have been recommended yet. This OS is developed with security as a guiding design principle and offers binary emulation compatibility with Linux.
-
Use Yellow Hat GNU/Linux
The obvious solution is Yellow Hat GNU/Linux.
Seriously, this is a great project. Surely the appropriate solution is a version of either GNU/Linux, such as SELinux, or OpenBSD. No system is entirely secure, but the idea that MS Windows could be as secure as GNU/Linux or BSD is wild.
-
Re:is the safest, most reliable OS we've ever buil
I'm a BSD fan, but OpenBSD just changes their definition of 'exploit' every time an exploit is found. I used to think it was impressive for their sayings on their website like 'no exploits in 10 years'. But then it happened, and it was changed to no remote exploits, then no exploits in a default install, and it appears now they've finally started admitting to it a little better.
A look at the index.html page in the CVS repository (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html) reveals that this is not true in the form you told it. As you can see, the "bragging" as they call it in the first introduction, started with Revision 1.284 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.283;r2=1.284;f=h) like the following:
Three years without a remote hole in the default install!
Two years without a localhost hole in the default install!
So the statement was always about remote holes (besides localhost holes) in the default installation. In Revision 1.305 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.304;r2=1.305;f=h) the "localhost thing" was dropped and in Revision 1.391 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.390;r2=1.391;f=h) an "Only" was added.
In Revision 1.534 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.533;r2=1.534;f=h) and 1.535 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.534;r2=1.535;f=h) the years were updated. In Revision 1.549 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.548;r2=1.549;f=h) the statement changed from "Only one" to "Only two" remote holes which is the current version.
Cost me five minutes of cvs crawling. :-)
-
Re:is the safest, most reliable OS we've ever buil
I'm a BSD fan, but OpenBSD just changes their definition of 'exploit' everytime an exploit is found. I used to think it was impressive for their sayings on their website like 'no exploits in 10 years'. But then it happened, and it was changed to no remote exploits, then no exploits in a default install, and it appears now they've finally started admitting to it a little better.
A look at the index.html page in the CVS repository (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html) reveals that this is not true in the form you told it. As you can see, the "bragging" as the call it in the first introduction, started with Revision 1.284 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.283;r2=1.284;f=h) like the following:
Three years without a remote hole in the default install!
Two years without a localhost hole in the default install!So the statement was always about remote holes (besides localhost holes) in the default installation. In Revision 1.305 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.304;r2=1.305;f=h) the "localhost thing" was dropped and in Revision 1.391 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.390;r2=1.391;f=h) a "Only" was added.
In Revision 1.534 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.533;r2=1.534;f=h) and 1.535 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.534;r2=1.535;f=h) the years were updated. In Revision 1.549 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.548;r2=1.549;f=h) the statement changed from "Only one" to "Only two" remote holes which is the current version.
Costed me five minutes of cvs crawling. :-) -
Re:is the safest, most reliable OS we've ever buil
I'm a BSD fan, but OpenBSD just changes their definition of 'exploit' everytime an exploit is found. I used to think it was impressive for their sayings on their website like 'no exploits in 10 years'. But then it happened, and it was changed to no remote exploits, then no exploits in a default install, and it appears now they've finally started admitting to it a little better.
A look at the index.html page in the CVS repository (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html) reveals that this is not true in the form you told it. As you can see, the "bragging" as the call it in the first introduction, started with Revision 1.284 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.283;r2=1.284;f=h) like the following:
Three years without a remote hole in the default install!
Two years without a localhost hole in the default install!So the statement was always about remote holes (besides localhost holes) in the default installation. In Revision 1.305 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.304;r2=1.305;f=h) the "localhost thing" was dropped and in Revision 1.391 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.390;r2=1.391;f=h) a "Only" was added.
In Revision 1.534 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.533;r2=1.534;f=h) and 1.535 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.534;r2=1.535;f=h) the years were updated. In Revision 1.549 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.548;r2=1.549;f=h) the statement changed from "Only one" to "Only two" remote holes which is the current version.
Costed me five minutes of cvs crawling. :-) -
Re:is the safest, most reliable OS we've ever buil
I'm a BSD fan, but OpenBSD just changes their definition of 'exploit' everytime an exploit is found. I used to think it was impressive for their sayings on their website like 'no exploits in 10 years'. But then it happened, and it was changed to no remote exploits, then no exploits in a default install, and it appears now they've finally started admitting to it a little better.
A look at the index.html page in the CVS repository (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html) reveals that this is not true in the form you told it. As you can see, the "bragging" as the call it in the first introduction, started with Revision 1.284 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.283;r2=1.284;f=h) like the following:
Three years without a remote hole in the default install!
Two years without a localhost hole in the default install!So the statement was always about remote holes (besides localhost holes) in the default installation. In Revision 1.305 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.304;r2=1.305;f=h) the "localhost thing" was dropped and in Revision 1.391 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.390;r2=1.391;f=h) a "Only" was added.
In Revision 1.534 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.533;r2=1.534;f=h) and 1.535 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.534;r2=1.535;f=h) the years were updated. In Revision 1.549 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.548;r2=1.549;f=h) the statement changed from "Only one" to "Only two" remote holes which is the current version.
Costed me five minutes of cvs crawling. :-) -
Re:is the safest, most reliable OS we've ever buil
I'm a BSD fan, but OpenBSD just changes their definition of 'exploit' everytime an exploit is found. I used to think it was impressive for their sayings on their website like 'no exploits in 10 years'. But then it happened, and it was changed to no remote exploits, then no exploits in a default install, and it appears now they've finally started admitting to it a little better.
A look at the index.html page in the CVS repository (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html) reveals that this is not true in the form you told it. As you can see, the "bragging" as the call it in the first introduction, started with Revision 1.284 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.283;r2=1.284;f=h) like the following:
Three years without a remote hole in the default install!
Two years without a localhost hole in the default install!So the statement was always about remote holes (besides localhost holes) in the default installation. In Revision 1.305 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.304;r2=1.305;f=h) the "localhost thing" was dropped and in Revision 1.391 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.390;r2=1.391;f=h) a "Only" was added.
In Revision 1.534 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.533;r2=1.534;f=h) and 1.535 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.534;r2=1.535;f=h) the years were updated. In Revision 1.549 (http://www.openbsd.org/cgi-bin/cvsweb/www/index.html.diff?r1=1.548;r2=1.549;f=h) the statement changed from "Only one" to "Only two" remote holes which is the current version.
Costed me five minutes of cvs crawling. :-) -
Re:"a few" :-)
Okay, so list the systems which are "B" Posix compliant. ie. ps ax shows all processes, while ps -ax only shows processes from user "x"
Huh?
It's "ps -aux" (identical to "ps -a -u x") that brings user "x" into the picture. Plain "ps -ax" (identical to "ps -a -x") has a "-x" option that POSIX does not define. POSIX allows "ps -ax" to be a usage error, but requires "ps -aux" to print processes for user "x".
OpenBSD's ps man page even admits to being non-POSIX, oddly right after claiming to be compliant. (WTF?)
Compare yourself:
Completely incompatible options include: -e -u
Missing options include: -A -d -f -G -g -n
Other problems are incorrect long ("-l") format, lack of support for multiple users with the -U option or multiple tty with the -t option, missing "etime" keyword... and I think I've abused the pitiful thing enough today.
-
Love this quote
After the demise of SGI, one has to wonder about the future of traditional Unix.
Sun is going the way of SGI because of traditional Unix!
-
Mirror
Conficker Eye Chart
How to interpret:
If you see this above: It probably means this:
[image] = Normal/Not Infected by Conficker (or using proxy)
[image] = Possibly Infected by Conficker (C variant or greater)
[image] = Possibly Infected by Conficker A/B variant
[image] = Image loading turned off in browser?
Any other combination = Poor Internet connection?
Explanation:
Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.
If you are blocked from loading the remote images in the first row of the top table above (AV/security sites) but not blocked from loading the remote images in the second row (websites of alternative operating systems) then your Windows PC may be infected by Conficker (or some other malicious software).
If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.
-
OpenBSD
Was this not paraphrased in mid-2007 by Theo of OpenBSD fame?
-
Re:Very fitting
You, sir, are a troll.
"Best open source OS" my foot.