Slashdot Mirror

... facts are facts. ;)

FreeBSD:
FreeBSD, Stealth-Growth Open Source Project (Jun 2004)
"FreeBSD has dramatically increased its market penetration over the last year."
Nearly 2.5 Million Active Sites running FreeBSD (Jun 2004)
"[FreeBSD] has secured a strong foothold with the hosting community and continues to grow, gaining over a million hostnames and half a million active sites since July 2003."
What's New in the FreeBSD Network Stack (Sep 2004)
"FreeBSD can now route 1Mpps on a 2.8GHz Xeon whilst Linux can't do much more than 100kpps."

NetBSD:
NetBSD, for When Portability and Stability Matter (Oct 2004)
NetBSD sets Internet2 Land Speed World Record (May 2004)
NetBSD again sets Internet2 Land Speed World Record (Sep 2004)

OpenBSD:
OpenBSD Widens Its Scope (Nov 2004)
Review: OpenBSD 3.6 shows steady improvement (Nov 2004)
OpenSSH (OpenBSD subproject) has become a de facto Internet standard.

*BSD in general:
Deep study: The world's safest computing environment (Nov 2004)
"The world's safest and most secure 24/7 online computing environment - operating system plus applications - is proving to be the Open Source platform of BSD (Berkeley Software Distribution) and the Mac OS X based on Darwin."
BSD Success Stories (O'Reilly, 2004) (pdf) ~ from Onlamp BSD DevCenter
"The BSDs - FreeBSD, OpenBSD, NetBSD, Darwin, and others - have earned a reputation for stability, security, performance, and ease of administration."
..and last but not least, we have the cutest mascot as well - undisputedly. ;)

--
Being able to read *other people's* source code is a nice thing, not a 'fundamental freedom'.

... facts are facts. ;)

FreeBSD:
FreeBSD, Stealth-Growth Open Source Project (Jun 2004)
"FreeBSD has dramatically increased its market penetration over the last year."
Nearly 2.5 Million Active Sites running FreeBSD (Jun 2004)
"[FreeBSD] has secured a strong foothold with the hosting community and continues to grow, gaining over a million hostnames and half a million active sites since July 2003."
W hat's New in the FreeBSD Network Stack (Sep 2004)
"FreeBSD can now route 1Mpps on a 2.8GHz Xeon whilst Linux can't do much more than 100kpps."

NetBSD:
NetBSD, for When Portability and Stability Matter (Oct 2004)
NetBSD sets Internet2 Land Speed World Record (May 2004)
NetBSD again sets Internet2 Land Speed World Record (Sep 2004)

OpenBSD:
OpenBSD Widens Its Scope (Nov 2004)
Review: OpenBSD 3.6 shows steady improvement (Nov 2004)
OpenSSH (OpenBSD subproject) has become a de facto Internet standard.

*BSD in general:
Deep study: The world's safest computing environment (Nov 2004)
"The world's safest and most secure 24/7 online computing environment - operating system plus applications - is proving to be the Open Source platform of BSD (Berkeley Software Distribution) and the Mac OS X based on Darwin."
BSD Success Stories (O'Reilly, 2004) (pdf) ~ from Onlamp BSD DevCenter
"The BSDs - FreeBSD, OpenBSD, NetBSD, Darwin, and others - have earned a reputation for stability, security, performance, and ease of administration."
..and last but not least, we have the cutest mascot as well - undisputedly. ;)

--
Being able to read *other people's* source code is a nice thing, not a 'fundamental freedom'.

... facts are facts. ;)

FreeBSD:
FreeBSD, Stealth-Growth Open Source Project (Jun 2004)
"FreeBSD has dramatically increased its market penetration over the last year."
Nearly 2.5 Million Active Sites running FreeBSD (Jun 2004)
"[FreeBSD] has secured a strong foothold with the hosting community and continues to grow, gaining over a million hostnames and half a million active sites since July 2003."
What's New in the FreeBSD Network Stack (Sep 2004)
"FreeBSD can now route 1Mpps on a 2.8GHz Xeon whilst Linux can't do much more than 100kpps."

NetBSD:
NetBSD, for When Portability and Stability Matter (Oct 2004)
NetBSD sets Internet2 Land Speed World Record (May 2004)
NetBSD again sets Internet2 Land Speed World Record (Sep 2004)

OpenBSD:
OpenBSD Widens Its Scope (Nov 2004)
Review: OpenBSD 3.6 shows steady improvement (Nov 2004)
OpenSSH (OpenBSD subproject) has become a de facto Internet standard.

*BSD in general:
Deep study: The world's safest computing environment (Nov 2004)
"The world's safest and most secure 24/7 online computing environment - operating system plus applications - is proving to be the Open Source platform of BSD (Berkeley Software Distribution) and the Mac OS X based on Darwin."
BSD Success Stories (O'Reilly, 2004) (pdf) ~ from Onlamp BSD DevCenter
"The BSDs - FreeBSD, OpenBSD, NetBSD, Darwin, and others - have earned a reputation for stability, security, performance, and ease of administration."
..and last but not least, we have the cutest mascot as well - undisputedly. ;)

--
Being able to read *other people's* source code is a nice thing, not a 'fundamental freedom'.

... facts are facts. ;)

FreeBSD:
FreeBSD, Stealth-Growth Open Source Project (Jun 2004)
"FreeBSD has dramatically increased its market penetration over the last year."
Nearly 2.5 Million Active Sites running FreeBSD (Jun 2004)
"[FreeBSD] has secured a strong foothold with the hosting community and continues to grow, gaining over a million hostnames and half a million active sites since July 2003."
What's New in the FreeBSD Network Stack (Sep 2004)
"FreeBSD can now route 1Mpps on a 2.8GHz Xeon whilst Linux can't do much more than 100kpps."

NetBSD:
NetBSD sets Internet2 Land Speed World Record (May 2004)
NetBSD again sets Internet2 Land Speed World Record (30 Sep 2004)

OpenBSD:
OpenBSD Widens Its Scope (Nov 2004)
Review: OpenBSD 3.6 shows steady improvement (Nov 2004)
OpenSSH (OpenBSD subproject) has become a de facto Internet standard.

*BSD in general:
Deep study: The world's safest computing environment (Nov 2004)
"The world's safest and most secure 24/7 online computing environment - operating system plus applications - is proving to be the Open Source platform of BSD (Berkeley Software Distribution) and the Mac OS X based on Darwin."
..and last but not least, we have the cutest mascot as well - undisputedly. ;)

--
Being able to read *other people's* source code is a nice thing, not a 'fundamental freedom'.

the openbsd team has branched off quite a few projects where they saw the security and/or license was insufficient and needed to be redone.

OpenSSH, who's box doesn't have this?
OpenNTPD, a network time protocol daemon and server, recently released.
OpenBGPD, the border gateway protocol daemon.
They were pioneers in the use of stack protection software on the i386 platform (kernel and compiler), as well as privilage seperated daemons (it's in your sshd now), and randomized library linking locations.
(i think i'm missing a few, anyone care to fill them in?)

they have implemented (a far better implementation over the old one that they didn't write) their i.p. filter, PF (which has now made it into netbsd, freebsd, and hopefully linux soon enough). this includes INSANE amounts of configurability options, with integrated routing and traffic shaping.

many people grumble about how the project is run and its priorities. but we all benefit from their efforts. i think i'm going to buy a cd even though i am not an openbsd user. these sales help keep these projects going.

I don't have a chance to dig up links for these, but diagnostic tools are a must if you really want to lock stuff down. First, generate and read logfiles whenever possible. Check things out with nmap, tcpdump, ActivePorts, Look@Lan, Kiwi syslog Daemon, Portlistener XP, Bazooka Spyware Utility, Spybot Search and Destroy, Socketlock ... the list goes on. Generally try any tool you can and you'll get a feel for what is actually to your tastes and useful.

Things licensed as Open Source do better on "just the facts" vs hype. Maybe it's because their audiences would take them to task if they did otherwise, but description of things such as GCC, Wikipedia , the Linux kernel, the GIMP, to name just a few, are completely factual. Not entirely free of marketing but tolerable are the Linux site's description of Linux, OpenSSH, bzip2, Project Gutenberg, and an XWindows organization X.org.

Particularly note Wikipedia and Google. The description of Wikipedia was made and chosen by the users. I can't think of a better testament that what users really want is just the facts. And Google understood that the last thing a person wants to do when anxious to find something quick is be forced to wait for a bunch of pointless graphics and generic ads to load. Really aggravating when on dial-up. Before Google, I got to where I knew just when to hit the stop button when loading Yahoo's main search page so I'd get the text input line and search button and miss all the extra crap they used to put on their main page.

Of course open source isn't totally above marketing. FreeBSD, Mozilla Firefox, KDE, Apache, OpenOffice all lay it on. They can point to all kinds of statistics to justify their hype, but the hype is still irritating when it catches my attention. These are easy to accept in spite of the marketspeak because I've heard from elsewhere that they're good.

Bad though some of those are, Microsoft is worse. Maybe what MS does should be called extreme marketing? In a few moments of searching, I was unable to find even a badly overblown description of just what Windows XP or MS Office is and during the search was wading through hype about MS's latest whatever: "Try the new digital music experience from Microsoft. You'll love it!"

As for throwing out the baby with the bathwater, I will spend a little time trying not to do that, but when it does happen I hope it clues the promoters in to realizing they made the waters too murky. Accepting something in spite of murk is not the way to persuade them to clean up. I like to tell them about it too. You never know when commentary might actually be heeded. I'm sorry if a good thing gets short shrift, but when time is limited, books will be judged by covers. People are often asked to try to word emails so spam filters will pass them. I feel I'm not asking too much of marketing to do the analogous.

Just in case his site gets /.'ed, here is his impressive list of links. - Jonah Hex in non-karma whore mode.
Downloads
Linux Wipe Tools: Three shell scripts for securely wiping all data from the swap partition, wiping unused disk space on the root partition, or wiping an entire disk, by Thomas C. Greene.

No Messenger: A batch file that eliminates Windows Messenger and fixes the problem of Outlook Express loading slowly when Messenger is absent, by an anonymous friend of The Register.

FileCheck MD5: A free, simple, lightweight MD5 utility for Windows, courtesy of Brandon Staggs.

Errata: A text file containing my various blunders and ommissions in the book (right-click and "save as," or view as HTML). Last updated 6 June 2004.

Links to Other Goodies
Mozilla: A free, open source Web browser and e-mail client for Linux and Windows, feature rich and far more secure than Internet Explorer and Outlook Express. Recommended for novices.

Firefox: A free, open source, stand-alone Web browser for Linux and Windows. Very light and fast. Recommended for intermediate users.

Thunderbird: A free, open source e-mail and news client for Linux and Windows. Recommended for intermediate users.

GnuPG: Gnu Privacy Guard; a free, open source replacement for PGP, for Windows and Linux.

WinPT: Windows Privacy Tools; a free, open source GUI frontend to GnuPG for Windows.

Anonymizer: Various services for anonymous Web surfing, e-mail, chat, etc.

OpenSSH: A free, open source SSH (Secure Shell) client and server for Windows and Linux.

PuTTY: A free, open source GUI frontend to OpenSSH for Windows.

Ethereal: A free, open source network traffic analyzer for Windows and Linux. Windows users will need to install WinPcap before installing Ethereal.

Ad-Aware: A free, closed source adware/spyware scanner for Windows.

SpyBot Search & Destroy: A free, closed source adware/spyware scanner for Windows.

Sam Spade: CGI gateways to numerous online tools, such as whois, traceroute, etc.

SourceForge: A vast repository of open-source software for Windows and Linux. The site can be overwhelming, but it has a search engine to help users locate packages.

GNU Project: The home base of the open source movement. A repository of open source products, chiefly for UNIX-compatible systems.

Security Information
About Internet/Network Security: An informative and useful site dealing with computer and Internet security, with reviews of security products and books, practical howtos and tips, and links to numerous tools and information resources, geared toward beginners and intermediate users.

SANS Institute: An educational and research organization with a vast archive of security research documents, news, and advisories, geared toward intermediate and advanced users.

CERT/CC: Computer Emergency Response Team Coordination Cente

With screen and ssh.

Thanks to my $25 a month broadband connection (that I would pay for anyway), I can scp my calandar to wherever I happen to be. scp not installed? That's a problem I won't deal with because all of my computers come with openssh preinstalled.

Macs own.

• OpenSSL - support program
• OpenSSH - connections in and out
• Mutt - email
• nmap - scanning tool
• libpcap - support library
• Ethereal - network sniffer
• mtr (Matt's TraceRoute) - trace problems
• whois (ARIN compatible) - find where the problems are
• tf (tinyfugue) - BBS client
• mangband - multiplayer ascii game

Let's dump DCC (which isn't that bad, except for the TCP ports) and FTP, and come up with a decent transfer file replacement One that doesn't need 10,000 free ports, special firewall tuning, works through a layer of encryption without problems, but still doesn't generate a lot of overhead.

hey! you are talking about ssh - sftp!

We already have. It is called SCP

Would OSS have to be writen entirely by licensed developers to be considered secure?

I'm sure glad the DHS steps in and prevents all those 1ee7 uncontrolled hackers from creating evil unlicensed, software that aren't secure.

Why do I always picture half-drunken bar patrons reinventing the world in front of a beer when I hear about the DHS talking about things they don't have much of a clue about?

Since the office buildings are distant, chances are that there is untrusted connection between them. Don't forget to send data through secure tunnels (eg: ssh tunnel).

I have really no idea why it was modded as Funny. I had nothing but great experience with dd(1), especially the version from GNU Fileutils. If you are stuck with MS Windows and cannot use Knoppix then check out Cygwin. One of the great advantages of dd(1) is the ability to use good old Unix-style anonymous pipes, so with Netcat or SSH it can really do miracles with filesystems cloning across the network, be it LAN (with nc(1)) or the Internet (with ssh(1) as nc(1) sends data as unencrypted).

From the OpenSSH website: "OpenSSH is primarily developed by the OpenBSD Project," ... "Managing the distribution of OpenSSH is split into two teams. One team does strictly OpenBSD-based development, aiming to produce code that is as clean, simple, and secure as possible. " ... " The other team then takes the clean version and makes it portable, by adding the portability "goop" so that it will run on many operating systems (these are known as the p releases, and named like "OpenSSH 3.7.1p1"). "

From Portable OpenSSH

Normal OpenSSH development produces a very small, secure, and easy to maintain version for the OpenBSD project. The OpenSSH Portability Team takes that pure version and adds portability code so that OpenSSH can run on many other operating systems (Unfortunately, in particular since OpenSSH does authentication, it runs into a *lot* of differences between Unix operating systems). ...

If you are trying to compile on OpenBSD 3.3 or older (e.g just about every OpenBSD box out there), note that before doing the build you need to:

1.) Unpack the OpenSSH 3.7 source
2.) Apply a patch available here

If you don't apply the patch, "make" will fail. See the instructions here.

Ole

Oh! And SSH. Don't forget SSH. Or free, at OpenSSH.org.

Gnutella
Bit Torrent
Freenet
Reiserfs
Linux Kernel
Open SSH
Encrypted Filesystems
GnuPG

At least in my opinion p2p and crypto are the edges in coding right now. Both can be hugely successful if you succeed in writing them properly. They can also be a huge failure if done improperly. Personally, I'm amazed that there aren't more p2p worms/remote exploits out there. Every now and then there are a few breaks in crypto from a weird angle, but in general they have been very successful as well.

3. If you MUST provide your address on a web page or Usenet posting, slightly obfuscating it (i.e. "user at domain dot com") is, for now, 100% effective against fooling the spambots. Which frankly I find amazing, because that trick has been around for years.

While this might have been a wise thing to do at some time in the past, it wouldn't be anywhere near 100% effective at the moment: my website has been up for years with my primary e-mail address on it, and I've made Usenet postings from time to time. I can't change my address either, because my primary e-mail address is based on the ID issued by my university for their computer-systems. For my own part, I have a simple procmail-based filter, and from time to time I decide to react to a particularly egregious or vulnerable piece of spam.

Just yesterday I got an advertisement with
To: AOL.Users@pilot.msu.edu
in the header. The funny thing is that I can't find any webpages (either with Google or by scanning my web directories) that refer to my address '@pilot.msu.edu', even though it still works; I might have publically used such an address more that a year ago, but not since. MSU has also changed their primary mailserver to be the cluster sysXX.mail.msu.edu, and this message went there first. I don't use AOL, either, except to open up a SecSH session from my parent's house.

Is the U.S. Department of Homeland Security also going to try and take care of software developed internationally?

For example, it seems that a lot of OpenSSH development is done in Canada and Germany. And the server is run out of Canada.

The OpenSSL team looks primarily international too (UK, Germany, Sweden, New Zealand). There server is managed by Brits and Swedes.

Actually... I think you'll find that a lot of crypto software is based outside the US. Probably due to constraints placed on crypto development in the last decade.

Huh? Many of the software packages I use are configured via plaintext files and perform extremely well, and are very easy to maintain in an enterprise enviroment.

1. describes the usual file-copying mechanisms, such as scp;
   
2. says ``Zone transfers are an archaic alternative mechanism for copying DNS information'' and explains the problems with zone transfers;
   
3. says ``There has been some work on improving the zone-transfer protocol'' and describes that work; and
   
4. concludes with a comparison table showing eleven disadvantages of (improved) zone transfers.
   

• quotes #2 out of context and claims, incorrectly, that I'm ignoring the work on improving the zone-transfer protocol;
  
• claims, incorrectly, that BIND's implementation of the experimental IXFR mechanism works (and has worked ``for years'') with hand-modified zone files;
  
• claims, incorrectly, that the DNSSEC architecture works without centralized key management;
  
• claims, incorrectly, that scp et al. are proprietary;
  
• claims, incorrectly, that TSIG is ``compatible'' and IPSEC isn't; and
  
• says that some of the disadvantages of zone transfers aren't issues for him, as if this meant that they don't matter to anybody.
  

FACT: rlogin, rsh, rexec, and all other remote access utilities that do not perform cryptographically strong authentication and offer at least the option to encrypt the session are OBSOLETE.

Then how does one remotely connect to a machine to install OpenSSH? And what about those systems to which OpenSSH has not yet been ported?

That's true. But consider that what www.OpenSS.org lists on its website at the top of it's page for alternative operating systems Windows & Mac.

The following "free" clients are recommended for interoperating with OpenSSH from Windows machines:

* PuTTY is an SSH1+SSH2 implementation. PSCP, an scp-style program for Windows, is also available.

PuTTY is available under the MIT licence (BSD-like).

"PuTTY is a free implementation of Telnet and SSH for Win32 platforms, written and maintained primarily by Simon Tatham, who lives in Great Britain."



If you're going to recommend it, then why not right up front, give some pointers on how to get it up and running.

Regards.... S

Find the GNU page here. It's the VT100 equivalent of the "Antidesktop" -- check it out.

Who needs web-based email?

Toolkit for doing things that you aren't supposed to do at work:

• ssh
• screen
• lynx
• mutt
• epic
• ncftp

SSH to Linux box at home and "screen -r -d".

The best thing is it's all text, so it's indistinguishable from actual work to most people. And it's all encrypted.

I raised this via the mailing list a few months back - some emails were traded but nothing has come of it.

Many packages are signed these days - it virtually guarantees that the code you are downloading has not been modified by any third parties. You all remember the irssi , BitchX and openssh incidents right?

Trojaned gcc, anyone?

Forget KVM switches, VNC, RDP, or anything else that takes you away from a shell prompt. OpenSSH is your friend. Your keyboard. Your display. Your $ prompt. Available at web sites while source code lasts.

Check out http://www.openssh.org/txt/trojan.adv

"Turn off all services except ssh."

That's a way to do it, just make sure you're running openssh version 3.4 with privilege separation.

According to this it is starting with Solaris 9 but sneakily renamed SunSSH. Maybe they will even give OpenSSH credit for it creating OpenSSH?

You mean the "very similar to the Netcraft Web Server Survey" done by the OpenSSH people?

Couldn't find anything at Netcraft, so I assumed this is what you were talking about.

If you want a "industry proven and supported" product that supports SSH protocols, then the original SSH is what you want, but you'll (obviously) have to pay.

http://www.openssh.org/usage/index.html

The OpenSSH team has put together a great page with a number of different usage statistics for SSH.

I am shocked that people think that SSH (OpenSSH) is not a industry standard. Here is a good client for windows. And of course you can get the server for free here.

~Shane

this has probably already been said, but i'll say it anyway :) for my file sharing needs i have one machine between my router and internal firewall that i can ssh(openssh.org) to and use the rsync or scp utils to get data off of there. My internal mp3 machine is WinXP so i use smbmount(samba.org) from the DMZ to mount the shared DIR if i need to get to an Mp3 from the outside, same goes for any other win/linux machines on my internal network, all internal *nix machines run samba i've never had a problem or thought that this was inefficient, so it works for me.

Without knowing more about the type of data you're storing, I would recommend putting it in a database. I like PostgreSQL 7.x myself.

For the software, I would organize it in a directory structure and use rsync+ssh to mirror it as needed.

For backup software, use Amanda.

For file sharing, use Samba.

'Nuff said.

Last night I installed RH 6.2 on an old P75 I picked up somewhere, and ended up installing an old version of openssh on it (along with a bunch of other older stuff) to save disk space.

Yeah, not like there are any other examples of open source software based on proprietry software.

tlhf

xxx

Also, your linked article talks about a compiler which compiles itself. IE, GCC recognising GCC. Having GCC regocnise BCC, VC++, et al would be insanly difficult. Even more so in this case as Mono is being released after the Microsoft compiler.

The OpenSSH Website does not make mention of this exploit and the need for users to upgrade.
They do mention the release of 3.1 (3/7/02), but it never says that it addresses security issues.
Although, I am much happier to see a patch than an updated website. :)

Snowdog

And I thought it was just about time to go home too. Now I'm warming up my compiler... :-(

Why the hell would you use telnet on a firewall? Anyone with a sniffer can see your raw, unencrypted password.

OpenSSH.

It's funny that you got modded as "interesting" despite your blatant disregard for security.

Somehow, it is quite hard to _really_ initiate a secure communication without much work.

not having the standard BSD unix tools by default really annoys me to no end ( ftp, telnet, and many others were not installed

That's because ftp and telnet have no security and shouldn't be used. Particularly when openssh and scp work so well.

Perhaps instead of running the bleeding edge on your p200, you should go with something more appropriate. I've been running Mandrake 7.0 (with upgraded kernel, apache, ssh, etc.) on my p233 for over 20 months now, and I've got 5 minutes of unintentional downtime.

As far as using rpms... Use the source Luke, I've never run into problems when going this route. rpms have only caused massive confusion for me when I've tried to install (most notably on redhat systems).

With Jon Katz it always have to do with Your Rights Online [tm], doesn't it? If you're concerned about your online communications being monitored, use encryption, like

• SSL
• PGP
• ssh

And if you're concerned that the government can break those, start supporting research for stronger encryption.

I think every packet that goes into the Internet should be monitored, and I know it can. If there's something I want private, I'll keep it private myself, and I expect everybody to do the same. Expecting the law to protect you when you use insecure technology is somewhat like those who expect the law to protect them when they use insecure encryption on DVDs. Pick up the slack yourself and quit asking the government to do it.