Domain: undeadly.org
Stories and comments across the archive that link to undeadly.org.
Comments · 161
-
Re:20+ year late?
The OpenBSD Foundation is happy to announce that Microsoft has increased its support level from Silver to Gold for 2018.
This is the fourth consecutive year that Microsoft has made a contribution to the OpenBSD Foundation and we are grateful for their continuing support.
-
Re:OpenBSD
Well I guess there is a reason OpenBSD folks did this:
https://arstechnica.com/civis/...
The change that you cite doesn't prevent SpectreRSB. But just today the OpenBSD developers introduced new mitigations that specifically address SpectreRSB:
http://www.undeadly.org/cgi?action=article;sid=20180724072257
-
Track records matter.
The current release of OpenBSD, version 6.3, has issued a total of 10 patches against base since release on April 15th. Four of these are security-related, and six are reliability bug fixes.
Oracle / Red Hat Linux in that time has issued 50 security-related patches, and hundreds more that are classed as bug fixes or enhancements.
Linux is strong because it scales up and down very well, it exploits CPU features for speed to make applications run very fast, it is friendly to new features, and it has the most market share in the POSIX realm. Linux is weak because it has sacrificed security for speed in many cases, and we have Dirty Cow, Towelroot, and many similar problems in userspace - this makes Linux a bad choice for systems that will not receive patches (i.e. phones, IoT devices, embedded systems, etc.).
OpenBSD prioritizes security over speed and flexibility. It does not implement fine-grained SMP due to security concerns, and has a "big kernel lock" that Linux left behind in 2.2. It ignores many well-known standards (i.e. NFSv4). There are many things that you cannot do on OpenBSD, but what you can do is magnitudes safer than Linux.
Android politely stole OpenBSD's entire libc implementation (and then ignored it for several years), and IIRC the OpenBSD code is the largest contribution outside of the kernel itself.
OpenBSD is also the home of OpenSSH, which itself is quite secure.
I trust the opinions of the OpenBSD kernel architects, and I will look forward to their patch.
-
Re:Ambiguous summary
The summary is a bit misleading, which is probably why there's so much confusion on this thread. No, support for hyperthreading is not being removed. Rather, an option is being added to OpenBSD to disable hyperthreading. That option will be set to disabled by default on Intel CPUs. https://undeadly.org/cgi?actio...
-
Re: Opt-In?
HT can't be disabled in all BIOSes apparently. OpenBSD isn't dropping HT support, it's merely turning it off by default on Intel CPUs. https://undeadly.org/cgi?actio...
-
Re: Opt-In?
It's an option disabled by default that can be enabled if you want it to be enabled. https://undeadly.org/cgi?actio...
-
Re:Opt-In?
OpenBSD is adding a control to turn off hyper-threading (because some BIOSes these days don't have such a control), and is turning it off by default on Intel CPUs. But it can be turned on again. So OpenBSD is providing control, not taking it away. Read for yourself. https://undeadly.org/cgi?actio...
-
Re:Open source and medicine
Were you also aware that an open source software developer, Theo de Raadt, had already registered the domain name openbsd.org on October 12th, 1995 and created a public source code repo called OpenBSD on October 18th, 1995?
Excuse me, but I'm pretty sure that (despite occasional drama) Theo is not a woman in tech.
He therefore does not count.
Please report to the reeducation camp immediately.
-
Re:Open source and medicine
Since you thought of the term 'open source' on February 2nd, 1998, were you aware that someone else had already registered the OpenSource.com domain name on January 8th, 1998?
Were you also aware that an open source software developer, Theo de Raadt, had already registered the domain name openbsd.org on October 12th, 1995 and created a public source code repo called OpenBSD on October 18th, 1995?
And if not, do you still believe you can claim you coined that term 'open source' when it was clearly in use for published source code several years before 1998?
-
Some more detail over at undeadly.org
You will find more details over at the OpenBSD Journal site (undeadly.org), specifically the stories KARL - kernel address randomized link and the followup Kernel relinking status from Theo de Raadt. These and other items will also turn up on the project's Innovations page.
And for that whirlwind tour of what's good in that system, take a peek at my OpenBSD and you slides.
-
SSH
On the scale of sandbox quality, Chrome should dump their model and adopt the SSH techniques - the rendering engine should be chroot() to /var/empty. That improves the software and kills the patent violation in one stroke. http://undeadly.org/cgi?action...
"First of all, on the positive side, privileges separation, chrooting and the message passing design have proven fairly efficient at protecting us from a complete disaster. [The] Worst attacks resulted in [the] unprivileged process being compromised, the privileged process remained untouched, so did the queue process which runs as a separate user too, preventing data loss... This is good news, we're not perfect and bugs will creep in, but we know that these lines of defense work, and they do reduce considerably how we will suffer from a bug, turning a bug into a nuisance rather than a full catastrophe. No root were harmed during this audit as far as we know."
-
Re:Handy guide to operating systems
Second, BSD can taken... and re-copyrighted... and is no longer free.
No, BSD code can be distributed under a different licence, but it cannot be re-copyrighted nor can it be re-licensed without the copyright holder's approval.
The last bit was what happened with the Atheros driver thing in Linux. Someone thought they could strip the BSD licence off the files and replace it with GPL.
(Also, you're spreading that lie where BSD code can be 'closed' -- the original copy still remains open and free, does it not?)
-
strlcpy() isn't good enough for glibc.
No, it "only leads to other errors".
Funny, I haven't heard of any showstopper bugs in OpenBSD libc - not this year, not ever. And it's ubiquitous, since I'm running it on my phone.
This bug, after ghost, would be a good opportunity to take a step back for a serious assessment of what must be removed for a secure system.
-
Sewer Clowns
"Microsoft becomes OpenBSD's first gold contributor"
July 9, 2015 -- 12:14 GMT (13:14 BST)
http://www.zdnet.com/article/m...
#
http://undeadly.org/cgi?action...
Microsoft Now OpenBSD Foundation Gold Contributor
Contributed by tbert on Tue Jul 7 16:03:41 2015 (GMT)
"That's funny. Reminds me of the story with Darpa, when everyone was surprised like an infant after what happened.
Now, after fighting with closed drivers world and producing hours of pro-freedom songs - make a contract with Microsoft.
Hilarious
:)" - by bluszcz (83.49.0.115) on Thu Jul 9 15:08:57 2015 (GMT)
"I just hope it's not another Microsoft "Embrace, Extend and Crush" move." - by Anonymous Coward (24.138.98.109) on Thu Jul 9 00:28:33 2015 (GMT)
-
Re:LibreSSL?
Go read http://undeadly.org/cgi?action... and https://www.qualys.com/2016/01... Come back and maybe (just maybe) you'll find what exactly is wrong in your post.
-
Re:You're running a distribution
How portable is the shim? I'd welcome backports of some contemporary Linux daemons to run on older Linux systems without systemd.
I already asked that question on OpenBSD Journal. The answer was interesting and detailed.
-
Re:Security as a trade-off
OTOH, OpenBSD's kernel is about 10X the size of Xen (where the BSD mantra of 'correctness' has a much tighter focus). As isolation mechanisms go, I trust Xen before any monolithic kernel. The upshot is that Xen also gives me the rich features (incl. drivers) of Linux and Windows.
Awwwww, you are so cute. You trust Xen more than kernel xyz? Really?
First of all, please read this.
Then take a look at this.
There are, let's see... right now, 35 CVEs assigned to the Xen project, in 2015 alone? 40 CVEs in 2014?
Compare and contrast with the number of CVEs published for OpenBSD. And the number of patches available for the latest version (5.8) of OpenBSD. Here is a hint: 99% of these patches do not imply your machine is going to be ''owned'' by someone exploiting the bugs found. Yes, even the OpenSMTPD patches are pretty mild.
You can keep your Qubes OS, thank you very much, I'll stick to OpenBSD, despite all its defaults and warts.
Words of wisdom to meditate:
You've been smoking something really mind altering, and I think you should share it.
x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit.
You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.
(Source.)
Say what you will of this guy, he has got a point. Virtualization is great, but not for security. Period.
-
Re:Does it have systemd?
I do. The store. Specifically, the store which was previously known as OpenBSD Europe, which has the new status of being the only official outlet of new OpenBSD merchandise. This new status was granted with version 5.6. Besides upping the price for any American, comments on the following hyperlinked pages show that they've managed to:
* release broken code (OpenBSD 5.6 Pre-Orders page mentions numerous problems)
* be unresponsive to help (OpenBSD 5.7 Release)
* when they've been unable to fulfill orders (OpenBSD 5.7 Delayed)
* and made automated communication unpleasant ("The new ordering system is appalling." OpenBSD 5.8 Release).
Yeah, it's not part of the operating system, but this store is their officially endorsed way of being able to show some financial support by being able to purchase anything, which means that this crummy service is an OpenBSD offering, qualifying to match the description you provided.
-
Re:Just another reminder to use LibreSSL
Yup, I have the feeling that LibreSSL is going to replace OpenSSL like OpenSSH replaced SSH as ''the'' standard.
The fact that both LibreSSL and OpenSSH are OpenBSD project is not a coincidence...
-
Re:Not the time...
LibreSSL is a great project, but they ripped out portability along the way.
Excuse me??!! Just like OpenSSH, they release a portable version, and the official release note says:
This release also includes a binary package for convenience integrating LibreSSL on Windows platforms, and the latest source tarball is signed with GPG and signify for easier integration into existing build systems.
We are talking about Windows, here... Sure, if you are into Windows 3.11 and VMS, LibreSSL is less portable than OpenSSL. But seriously, who even uses these two anymore??!!
OK, I'll grant you that LibreSSL is not a complete replacement for OpenSSL just yet. OpenBSD devs prefer working on their favourite OS, and I can't blame them. This being said, I would not be surprised if, in a couple of years, the rest of the world has switched to LibreSSL and forgotten the older version -- just take a look at OpenSSH...
;-)
-
Re:I'm gonna FREAK!
Oh, really? A trainwreck?
Explain this, then: [Source is here]
The following CVEs were fixed in earlier LibreSSL releases:
CVE-2015-0206 - Memory leak handling repeated DTLS records
CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.
The following CVEs did not apply to LibreSSL:
CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
CVE-2014-3569 - no-ssl3 configuration sets method to NULL
CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
Let's see... 5 CVEs were either fixed in LibreSSL or did not apply to it. That's not too bad for a "trainwreck".
And what about that little dig at NetBSD? Hmmmm... You mean some people take stuff from OpenBSD and make it less secure? The plot thickens.
Oh, and by the way, that OpenSSH thingie? Yup, it came from the last "open source" version of SSH, the commercial software. In other words, OpenBSD devs took something already existing and made it better. Hmmm... I think you just don't know what you are talking about...
Listen, you can find OpenBSD programmers annoying and even call them "masturbating monkeys", but they know their stuff. Period. Calling what they do a "trainwreck" is hyperbole at best and just plain untrue at worst.
This being said, to get back on topic, auditing OpenSSL is not a bad idea. Far from it.
-
Re:Yes
Loving OpenBSD on a laptop. 15 minutes of futzing with configs and a beautiful desktop environment of your choice. I haven't loved this much since Solaris 8. (Oh and that Android is linux bsbs... Google doesn't use glibc for android, they use OpenBSD's libc)
-
Re:Pointless
That is complete bullshit. Have you even looked at the source code of launchd and systemd?
Launchd actually is POSIX compatible which is why it has already been ported to FreeBSD. Systemd does not even consider POSIX compatibility something to be desired.
If anything, porting GNOME will be a royal pain in the ass now. In fact many opensource projects like OpenBSD are writing shim layers to ensure "systemd compatibility" in order to facilitate cross compilation of Gnome Desktop.
When open source projects have to provide an emulation layer for an init system in order to port open source software there is something terribly wrong.
-
OpenBSD - Android
-
Re:Oh no.
And Unix is defined by being simple. Which, in Linux's case, it no longer is.
They should worry less about authenticating who contributes, and then finding the scapegoat to blame for the mess ups, but instead they should try to go back to core principles, and clear up the mess and establish a system where mess ups are impossible. It's not the individual programmers who are messing up, but the leadership at the top who fails to implement core principles, who have allowed themselves to stray far from them, under the pressure of features, and patching the patches that patch the patches that patched we don't even remember what anymore. The herd simply just follows the command of the shepherd through his dogs. You can't blame the ewe. You can't blame the dogs. If both the ewe and the dogs each follow command as they are supposed to. That's how a military works. Chain of command. Battle of Jutland is a good read on military and controlling chaos into musical and dance-like order. Jellicoe's formation of the ships, where they almost hit each other while assuming positions, "flying" by each other at only a few miles per hour. Battle about turn to starboard, by Scheer, a motion by complete mess-prone chaotic-prone beings executing it in unison, from prior practice. That is the way to beat down chaos, in middle of a messy battle, which by definition is chaos itself. Top down chain of command, following orders, everyone moving in unison.
The basic problem with Linux is complexity. I've stopped using Linux ever since kernel 2.6.26 or so, anything new that boots does just way way too much. It's obvious what a hopeless mess it is just from the boot up messages. Damn Small Linux is trying to get back to core principles, but it's hopeless with the present code size of the kernel. The basic principle of Unix is the KISS principle. Quoting from the Wikipedia page:
The principle most likely finds its origins in similar concepts, such as Occam's razor, Leonardo da Vinci's "Simplicity is the ultimate sophistication", Mies Van Der Rohe's "Less is more", or Antoine de Saint Exupéry's "It seems that perfection is reached not when there is nothing left to add, but when there is nothing left to take away". Colin Chapman, the founder of Lotus Cars, urged his designers to "Simplify, and add lightness". Rube Goldberg's machines, intentionally overly-complex solutions to simple tasks or problems, are humorous examples of "non-KISS" solutions.
An alternative view - "Make everything as simple as possible, but not simpler." - is attributed to Albert Einstein.
That is a warning that even the KISS principle should not be abused, though maximized as much as possible.
I did a Google search on "core principles of unix," and I came up with this:
http://www.faqs.org/docs/artu/...
http://undeadly.org/cgi?action...
http://people.fas.harvard.edu/...
etc, etc.
In all of them the basic principle of Unix is simplicity, clarity, modularity, human readability, beating complexity down with a club anywhere you can, if you can find clever ways to get something accomplished, forget about it, it's too complex, do it cleanly, neatly, simply, and even brute force. Don't be clever, be stupid, and expect everyone to be stupid. In Unix, every program does one thing, and does it extremely well. If you need features, you write a different program. Then these programs come together and interact through extremely simple interfaces, and this soup of experts interacting simply to accomplish any needed complex task in the world is what you call Unix. The Swiss army knife of software. Which also goes for C, as C and Unix are the same thing.
The first thing the Linux developers have to accomplish is to beat down the complexity mess they've created, to gut the whole thing to bare bones, throw awa
-
Scheduled Release Dates... yes, really
Yes, really. Here I provide you a summary of some regular release dates:
Gnome - March (version number increases by .2)
Ubuntu - towards end of April (LTS if this is an even-numbered year)
OpenBSD - May 1st (or, historically and occasionally, May 19th)
GNOME - September (version number increases by .2)
Ubuntu - towards end of October (hence why version numbers end with "10", it is the 10th month)
OpenBSD - November 1st
Firefox: New release every whenever-they-feel-like-it not-very-long
Debian: New release every whenever-they-feel-like-it yes-very-long
I'm sure there are other projects with regular schedules... I'd appreciate any reply comments about other major projects with known regular release dates.
Some notes related to Ubuntu:
Ubuntu has a history of releasing every 6 months. Mark Shuttleworth of Canonical (who releases Ubuntu) has expressed desire to synchronize with other projects:
Mark Shuttleworth: The Art of Release
More recently, he may have drunk some of Mozilla's Kool Aid, though
Mark Shuttleworth: Let's Go Faster...
discusses possibly turning Ubuntu into a "rolling release" cycle.
Anyway, getting back to OpenBSD, Theo seems quite dedicated to releasing the software when it is expected, and describes it as a result of their carefully controlled development process. (Even before their semi-annual release schedule, they had an annual release on December 1st. So, when they did change their schedule to release on November 1st, they were ahead of their old schedule.) So, they have demonstrated that they are carefully able to release on time. Slashdot Article on OpenBSD release process, Discussion on OpenBSD release cycle. Development is also discussed in the video at BSDNow.tv: Doing It de Raadt Way (which interviews de Raadt starting about 8min7sec into the show).
So, they stick to their schedule well. But why a semi-annual schedule? In Kernel Trap interview with Theo, Theo says, "We have a six month cycle for many reasons. First off, and most important to me personally, it is just the right length so that I do not kill myself."
-
Re:Vetting the replacement libraries?
LibreSSL will indeed, by used by OpenSSH.
See here for more details: http://undeadly.org/cgi?action...
-
list of changes
A summary of the changes is here:
Changes so far to OpenSSL 1.0.1g since the 11th include:
- Splitting up libcrypto and libssl build directories
- Fixing a use-after-free bug
- Removal of ancient MacOS, Netware, OS/2, VMS and Windows build junk
- Removal of “bugs” directory, benchmarks, INSTALL files, and shared library goo for lame platforms
- Removal of most (all?) backend engines, some of which didn’t even have appropriate licensing
- Ripping out some windows-specific cruft
- Removal of various wrappers for things like sockets, snprintf, opendir, etc. to actually expose real return values
- KNF of most C files
- Removal of weak entropy additions
- Removal of all heartbeat functionality which resulted in Heartbleed
Do not feed RSA private key information to the random subsystem as entropy. It might be fed to a pluggable random subsystem.... What were they thinking?!
So far as all the "won't this introduce more bugs than it fixes" comments go, this is a recurring argument I have at work. I am of the "clean as you go", "refactor now" school.
Everyone else says "If it works don't fix it"(IIWDFI), "don't rock the boat" etc.
Heartbleed is what happens when the IIWDFI attitude wins. Bugs lurk under layers of cruft, simple changes become nightmares of wading through a lava flow of wrappers around hacks around bodges.
Whenever anyone says IIWDFI, remind them that testing can only find a small proportion of possible bugs, so if you can't see whether it has bugs or not by reading the code, then no matter how many test cases it passes, it DOESN'T WORK.
-
Re:Tmux
I oversimplified the explanation a bit...
Here it is in nicm@'s words:
"In particular, being able to share a single window between multiple terminals, with other windows in the same session but entirely separate. Adding this to screen was implausible"
-
Re:What version does OpenBSD use?
Theo claims OpenBSD is unaffected. http://undeadly.org/cgi?action...
Theo claims OpenSSH is unaffected, because it isn't. OpenSSL, even on OpenBSD, is quite affected.
OpenSSH uses OpenSSL. If it uses an unpatched version of OpenSSL then it very well could be affected.
That said, it also implements the SSH protocol which may not make use of the TLS functionality in OpenSSL, which is probably what is being noted.
-
Re:why are security fixes distributed as patches?
See BinpatchNG from m:tier. They've solved what you're asking for.
-
Re:I must be getting old
A really good reason to run OpenBSD on sparc64 hardware is that the logical domain support is stable now, so you can use the processor's built-in virtualization framework: http://undeadly.org/cgi?action=article&sid=20121214153413
-
Re:Keep it Vintage
OpenBSD now has mature support for sparc64 logical domains: http://undeadly.org/cgi?action=article&sid=20121214153413
-
Another Small Gain For Copyfree Software
Alright, here's my shtick... It's a great race between two open source software ecosystems: copyLEFT and copyFREE.
The copyFREE side is a more amicable pacifist bunch, with more freedoms and more choices, and it has been gaining ground in the last decade in all software categories but one - the kernels. The copyLEFT side was founded by a bunch of militant hippies trying to destroy capitalism, and it had several years' head start, so its viral licenses were grandfathered into some of the most important pieces of open source software. The OS projects within each team like to share code, and the copyLEFT team can also mooch copyFREE code as well, but not the other way around...
This race is contested on many fronts, and one obscure comparison (that I just came up with) is: while running the race forward, to still maintain support for the 80386 platform. Only UNIX systems (sorry, sorry, sorry) that can run on a 80386 PC (sorry, sorry) with actively maintained current versions (sorry) are to be included. Let's see how the two teams compare:
THE COPYLEFT TEAM:
(1) Linux - now i486, as mentioned in this article.
THE COPYFREE TEAM:
(1) FreeBSD - i486 since 2005.
(2) OpenBSD - i486 since 2007.
(3) NetBSD - i486, "80386 support removed" in 2007.
(4) MINIX 3 - i586, 32mb RAM, 635mb HD.
So it looks like the copyLEFT camp had this little "current UNIX on 80386" advantage, and now lost it...
--libman
-
Re:Theo ranting, film at 11
No, this isn't 'Interesting', rather mod as 'Blathering'.
Well, there is no point denying that Theo isn't the most malleable person. But, as has been said here on /. before: while he comes through as whining most of the time, he's also correct most of the time. Many people try to interpret his statements from the common commercial viewpoint (like in, how to develop a successful software product and make PROFIT, or at least achieve world domination), but rather his goal is quite simple: develop a free, fast and secure Unix OS. That's all. No grand plans of IPOs or commercial success. Theo is quite happy getting by on selling those CDs, living in his little house, and occasionally traveling around the world climbing mountains and hacking Unix. You gotta read goal.html and observe him and the project for a few years to really understand that.
Theo, ranting, is why he got kicked off the NetBSD project.
While this is true, the history also proved him correct on many things (Charles Hannum was on the core team that did the kicking).
Theo, ranting, is why OpenBSD's drivers for Broadcom chipsets stink. (Look up how the original author tried to resolve the licensing problems of sticking his GPL drivers in an OpenBSD kernel and was ignored, then screamed at by Theo for making the issue public.)
That whole mess sucked. The OpenBSD developer that made the port (which was supposed to be a re-implementation) f*cked up big time and imported GPL-files into the tree. The only thing positive in the whole affair is perhaps Theo's unconditional backing of his developer.
Theo, ranting, is why OpenBSD doesn't properly handle booting from software RAID.
It does (I believe the kernel must be on a non-RAID slice/disk, but that's no different to most other implementations).
Theo, ranting, is why the OpenBSD installer works like the UNIX crap I learned to loathe back in 1985 and can't store the state of what you've already selected or go back, you just have to start over from scratch.
Actually, the very minimalistic installer is often hailed as one of the best and fastest in the industry. I don't think that there are that many installers where you can do the install by repeatedly pressing enter (and writing the hostname once) in that short time. And well, it doesn't remember the state, but then again, you can restart it (a shell script) and start over without rebooting - that can't be said about many others.
Theo, ranting, is why OpenSSH has no built-in support for chroot cages.
This seems to disprove that. Unless you have different definition of 'chroot cage'.
Theo, ranting, is why OpenBSD has no virtualization server capability.
In many aspects virtualization contradicts the goal of security. Also, most VM solutions are proprietary, thus do not run on OpenBSD.
Theo, ranting, is why OpenSSH still stores both host keys and by default, user private keys in clear text with no expiration, and has no plans to fix this.
Yes, in clear text. Do you propose they should be encrypted? And where should the crypto key be placed? Perhaps... on disk? Hashed? If you are paranoid - use whole disk encryption. Because physical security is the key issue here as I see it. The keyfile is supposed to be user-readable only...
What is a reasonable default expiration time? No, there is no plan because the feature doesn't improve anything.
Theo, ranting, is why the "compatibility chart" is a list of chipsets that don't match the actual chipsets published by the manufacturer, and usually are from chipsets at least 4 years old.
Uhmm, wha
-
Weighing-in
The article mentioned manageability problems with Linux on the desktop and I disagree. Check out puppet for helping to manage systems. I have a soft spot for open source, particularly CentOS and OpenBSD. Again, from the article, if the Chester County Cat Hospital in the Greater Philadelphia area can deploy Linux on the desktop and server, then just about anyone can. I was amazed that anyone could find an open source practice management system. Generally, I think this article was not too well written but I am impressed at the research done to discover the Chester County Cat Hospital. I actually know of that practice and used to live in the area. Additionally, here is an article written about a company specializing in open source usage in business. A company by the name of MTier has done it, and in the process, is able to basically architect a system that is so secure that it would probably surpass standard auditing requirements by a wide margin: A Puffy in the corporate aquarium
-
Re:Why is NTFS read only.
-
Re:Unicode not yet supported ?
-
Re:Really cool new tool
I'm trigger happy today..
Read: This Article and scroll down to where it shows the "tr '\000' '\377'" dd command
-
Re:dd of course
Wrong, wrong, wrong. Flash doesn't store its data in "zeros", but rather in "ones"
Read this: Undeadly Article
Go down to the part that reads:
One of the tricks you can try is erasing the flash device entirely, but you need to realize the "erased state" for flash is when it is filled with all 1's. People regularly make the mistake of filling flash based storage devices with all zeros (as is typically done with real disks) without ever realizing what they are doing.
-
Re:CGI scripts
Site is Slashdotted.
And this is the reason why you shouldn't use CGI scripts these days - the interface sucks and forking a process for each request is very expensive.
undeadly.org seems to do fine with CGI.