OpenBSD: 4 Years Exploit Free
Teknoenie writes: "Upon a recent visit to the OpenBSD website http://www.openbsd.org I noticed a nifty change. 4 years without a remote exploit in default install. I have to dish out a big congrats to the OpenBSD team. Great job guys." It seems good to mention as well that now's a good time to order OpenBSD 2.9 if you're so inclined, since it's scheduled to ship in three weeks.
> I know of at least one remote SSH vulnerability that led to a root
> exploit in any OpenBSD version before 2.8.
teknoenie wrote:
> is this something that can be proven to the openbsd team.
Yes.
OpenBSD 2.7 was vulnerable to a remote root exploit with the default install. Please look at this advisory and compare it with the fix by OpenBSD.
cperciva wrote:
> I'm not sure about this, but I think what they mean is that there
> have been no vulnerabilities discovered before they were fixed
Actually, the above exploit was fixed by NetBSD people before OpenBSD. You can confirm this in the CVS log.
bolverk wrote:
> Well, we can force ssh _clients_ to do X11 forwarding... not a root
> flaw, and not remote... so on to the next.
The above problem is a remote root flaw. For a reason I don't know, this flaw is not listed in OpenBSD's security page. Perhaps OpenBSD people don't have the ability to know their security information, unlike they claimed?
Anyway, the "4 Years Exploit Free" message is just wrong.
If that is what "4 years exploit free" means, then FreeBSD and NetBSD should be better than OpenBSD, because they are 8 years exploit free (i.e. security holes are fixed in FreeBSD-current and NetBSD-current before advisories are released).
Just because we haven't heard of any exploits for OpenBSD, doesn't mean they don't exist.
I am just wary of the fact that there may be script kiddies out there with exploits for things that no one has found yet. This brings up the possibility of all OpenBSD releases being affected, purely because we don't know what's being exploited, and unless there are some extremely savvy systems administrators out there triple-checking their filesystems, and 24-hour surveillance ( overtime + ( time + 1/2 )! ), I doubt we'd know how.
Just food for thought, for the masses..
--- perl -e 'printf("%s\n", pack "H*", "7369670a676f6c677940676f6c67792e6e65740a2f736967")'
I really doubt that OpenBSD by default turns on any services that are useful...this is like saying MS-DOS is 15 years without a remote root exploit.
What I'd find interesting with OpenBSD: are there any remote non-root exploits, that can be escalated to root by a separate exploit after normal user access is granted, in the last 4 years?
No, you get a decent workable machine with no extraneous crud in it.
That's the key: you pick what's right for you, rather than the RedHat "Kitchen Sink" approach.
It can run the vast majority of Linux, FreeBSD, NetBSD, and SVR4 binaries. OpenBSD just rocks.
grubby
Trolling is an art,
Oh for chrissakes, as someone who's had his ass kicked under suspicion of being homosexual (done once to a friend of mine who looked very similar to me as well), I never thought while reading that post that he meant "that homosexual fish".
-lx
So the claim only holds true if you're running the most current and patched version? In that case, there hasn't been a remote root hole in FreeBSD for years either, because they patch things after the vulnerability is reported. If you're running a current version, you're not vulnerable. I think it's pretty clear that the 4 year claim isn't true, as much as I like OpenBSD. Install 2.7, there's a remote root hole. That happened in the last 4 years.
-lx
First of all, really few need to have a disc that is bootable on a sparc, that contains a mac68k kernel and has precompiled stuff for pmaxes. Most people need the x86 files, and those files are *easily* ftp'd from the main ftp server, put on any cd9660 and then used from the floppy install. There is no *real* need to have the original ISOs if you want to grab obsd-for-your-pc for free. Secondly, as many will point out, it would be nice if you helped the project out with the few bucks that a real cd will cost you. Still, if you want to leech openbsd for your single platform, you'd be silly to download all other platforms. No one ever downloads debian for m68k on their PCs just to have "the latest", do they? =)
-- I'm as unique as everyone else.
There are little or no exploits not only because OpenBSD is less used than Linux or Solaris but mostly because there are no holes to exploit. Read their claim: "Four years without a hole in the default install"
Huh?
OpenBSD 2.7 was the first to have OpenSSH (or _any_ SSH) in the default install, and you said "prior to 2.8", so let's have a look at the errata page to see just how full of s--t you are.
Well, we can force ssh _clients_ to do X11 forwarding... not a root flaw, and not remote... so on to the next.
The non-default UseLogin feature can cause an exploit on other operating systems. Nope... no problem there.
And... the installer fails to set things up so ssh works at all on the m68k installer. So please, do tell... what the hell are you blabbering about?
I hear that. But consider, do you brag to people at parties that you drive happily along the highway in your Volvo exactly on the speed limit when everyone else is speeding? Or do you just shut the hell up and heave spite on your reckless friends with your silence? Btw, I have OpenBSD on my laptop. It owns for way more reasons than just the security.
How we know is more important than what we know.
heh.. I like it.
That's the whole harddrive.
wow.. you must be a private detective.
It's like walking around in the street with a sign on your back saying "I haven't stolen anything in 4 years" or "I haven't shot a dog in 4 years".. so what? You're not supposed to. If you did (that's you Microsoft/Sun/Redhat/etc) you should feel guilty about it and never do it again, but I hardly see why someone who does the right thing should feel like they are something special.
The youngest OpenBSD hacker is a girl. Check that link.
linuxhelp.net has them. If you like it order one and support the effort, I do.
I love OpenBSD more than most people, (Shown Here and Here) but I know of at least one remote SSH vulnerability that led to a root exploit in any OpenBSD version before 2.8. It bothers me greatly that they'd put something I see as quite untrue on their front page.
IMO OpenBSD defines what security should be in all operating systems. Its OS is highly scrutinized prior to any version being released, and the team reacts quickly at the slightest whiff about a security issue.
After hanging out in #openbsd (/nick rwxr--r-- && sil) on the efnet for the past year or so, I've determined that most of the "hardcore" developers are extremely dedicated to making Open as secure as possible for the love of security strictly. I've met no troll developers looking to brag about getting OpenBSD to the level it is now.
Sadly however, many people tend to think that OpenBSD is a one man show (Theo) and turn their distaste for one person into an OpenBSD bashing session. It's ironic that many will try to bash the OS for that "one" person, and fill a forum or email thread with useless words, never once focusing on the fact that OpenBSD is unrootable on a default installation, something which no other OS can claim.
Greets to all the guys who work on the OS at their leisure; their work is appreciated.
rwxr--r--
Want Root?
It would obviously not be as controversial, but I think that's a female fish...
You aren't the only person who has to struggle. I have suffered from abuse from pretty much my first day at school. You should perhaps try being Welsh in England, and see how far that gets. OK, as an adult you only get comments, but I spent years suffering things like being tied to a radiator (whilst turned on) and then beaten. Or smacked in the face by people who I thought were friends, just because other kids would laugh at the crying sheep shagger. I still find the jokes made about Welsh people funny, if they are funny.
Look, I've obviously touched a raw nerve here, but I really do think you are over-reacting. The comment was about the fish, using a word which has been hijacked from its (also hijacked) current meaning. It was not about gays.
I also think that gays should also be game as the butt of jokes in the same way that straights are to gay comedians.
As to one of your earlier comments, I think you will find that there was quite a high percentage of gays amongst the Nazi party. I know that the SA was more gay than straight.
Find funky gifts
You really have some problems that need to be sorted out. For one, you need to get some perspective on things. You also need to be a bit less two-faced (I mean condemning violence against gays, and then daring me to have a go if I think I'm up to it).
I wasn't whinging. I was just pointing out to you that even though you think you are the most put upon person in the world, and a member of the most persecuted group in the world, the reality is that you aren't, and you most certainly aren't alone.
Also, calling a fish gay is not bigotry. At least no more than welshing on a bet is, and I've never complained about people using that phrase.
Nice to see that you're decent enough to apologise ;-)
More than two decades without a remote exploit in default install.
;).
:)
Similarly for MS-DOS
Link.
Maybe it wouldn't be politically correct, but would it be legal to re-distribute OpenBSD ISOs? For free? (I.e. one buys the disc and rips it and puts it on ftp)
If so, why isn't anyone doing it? (Political thing?)
Daniel
I don't mind jokes. I do mind having my sexuality used as a general descriptor for everything that's seen as lame and pathetic in this world. There is a difference between humour and offensive bigotry.
Or perhaps you think that it's ok that people like me should feel hurt and humiliated by someone's comments just so long as people like you find the joke funny?
And I have a fucking life (now at least, I had to pretty much fight for it having grown up at a time when guys fucking guys was seen as pretty unthinkable).
=me= unclench? haha! (they don't call me slack alice for nothing mate)
=me= fuck off? Brave words from a little boy on the other end of a network connection? I suggest you come here and make me fuck off if you really think you're up to it mate?
"i'm here to chew ass and kick bubble-gum. and i'm all out of bubble gum..."
red hat linux - now three and a half days without an exploit!
--saint----
Trolls throughout history:
Jonathan Swift
They sell the CD for $30, which helps them pay for some necessary costs. (They also throw in some stickers or something.) It's much easier to install by FTP than it is to use a CD anyway, which they recommend if you don't want to purchase their CD.
I like that fish better than the Linux penguin. My wife likes the fish a lot also.
If OpenBSD hasn't had a remote hole in four years then how the hell did somebody break in and deface the site with that gay-looking fish?
And it takes a lot of work to make OpenBSD useful
:)
Yeah, you know... cd'ing to the ports section of the application you want and typing 'make install clean'. Phew. Hard work.
which in turn makes it more vulnerable
Uhm, third-party apps don't make OpenBSD itself more vulnerable. It's not like if you install wuftpd on an OpenBSD box, the internal crypto subsystem would stop working, or it would suddenly drop your kern.securelevel to -1. It's the job of the admin to check out any services they are running for known exploits, perhaps grep the code for insecure functions, and do some active penetration tests (standard overflows, format strings, etc).
And don't tell me I don't know what I am talking about
You don't know what you are talking about.
I am a consultant who has installed OpenBSD on over 40 machines in 14 clients over the years
Great, I have installed OpenBSD on over 200 boxen and converted more than 25 people who used to use other BSDs and other Unices (Solaris, UnixWare).
I don't see it doing more than the most basic Internet-facing stuff
Ho ho ho... I don't know where to begin with this comment. For one, I don't understand how you see this stuff as basic. Have you ever looked at the core code in OpenBSD? I bet you've never written IPSEC code, or a mail server. Whatever you're doing, it's obviously wrong, because you can do anything on an OpenBSD box that you can do with a Linux box, with the exception of stuff like video games, but don't blame that on OpenBSD... blame that on video card companies and gaming companies for not porting their software to BSD.
because the attitude of many of the chief OpenBSD developers turns off others who might work on the project
I've talked with Theo on many occasions, whether it be a question about OpenBSD, or about drivers or donations, and he has been more than helpful, and has even included smiley faces in his email. Maybe you're the one coming off as an asshole?
---------------
As for their honesty, take the local root exploit in the default install recently discovered as an example. The problem was a format string error, and it had been noted and fixed in CVS before the exploit was discovered, however it was not considered a security problem, so no patch was issued. Upon discovery of the problem a patch was immediately issued. Anyone who updated immediately wasn't vulnerable. However, because a hole was discovered in the current release, they considered it a local root exploit and updated the claim accordingly.
If they had issued a patch before any vulnerability was discovered, they would not have considered it a blemish on the record. The claim is valid, and the interpretation is sensible, although perhaps it is not the best possible interpretation.
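The post above turns on a format-string error, and an earlier reply suggested grepping code for insecure functions. The following is an added example, not code from the thread or from OpenBSD: a small line-based checker that flags calls to standard C/POSIX format-taking functions whose format argument is not a string literal. The function list and argument positions are the standard ones; the sample source lines are constructed.

```c
/* Added example: flag calls where the format argument is not a string literal. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Format-taking functions and the 0-based index of their format argument. */
static const struct { const char *name; int fmt_arg; } fmt_funcs[] = {
    {"printf", 0}, {"fprintf", 1}, {"sprintf", 1}, {"snprintf", 2},
    {"syslog", 1}, {"err", 1}, {"errx", 1}, {"warn", 0}, {"warnx", 0},
};

/* Returns 1 when the line calls one of fmt_funcs with a non-literal format
 * argument, 0 otherwise. Only the first matching call on a line is examined
 * and string/comment contents are not parsed, so treat hits as audit leads. */
int suspicious_format_call(const char *line)
{
    for (size_t i = 0; i < sizeof fmt_funcs / sizeof fmt_funcs[0]; i++) {
        const char *p = strstr(line, fmt_funcs[i].name);
        if (p == NULL)
            continue;
        /* Skip matches embedded in longer identifiers, e.g. "sprintf" in "snprintf". */
        if (p > line && (isalnum((unsigned char)p[-1]) || p[-1] == '_'))
            continue;
        const char *q = p + strlen(fmt_funcs[i].name);
        while (isspace((unsigned char)*q))
            q++;
        if (*q++ != '(')
            continue;
        /* Advance to the format argument, counting only top-level commas. */
        int depth = 0, arg = 0;
        for (; *q && arg < fmt_funcs[i].fmt_arg; q++) {
            if (*q == '(') depth++;
            else if (*q == ')' && depth-- == 0) return 0;   /* too few arguments */
            else if (*q == ',' && depth == 0) arg++;
        }
        while (isspace((unsigned char)*q))
            q++;
        return *q != '"';
    }
    return 0;
}

int main(void)
{
    /* Constructed sample lines: the first and third pass caller-controlled
     * text as the format, the others pass a literal format. */
    const char *samples[] = {
        "    syslog(LOG_ERR, buf);",
        "    syslog(LOG_ERR, \"%s\", buf);",
        "    printf(user_input);",
        "    snprintf(reply, sizeof reply, \"%s\", dirname);",
        "    fprintf(stderr, \"usage: %s file\\n\", argv[0]);",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (suspicious_format_call(samples[i]))
            printf("non-literal format: %s\n", samples[i]);
    return 0;
}
```

Run it over a source tree one line at a time; a hit means the format is chosen at run time and the caller must prove the data cannot come from a user.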
Even Slashdot wants to hide some things
... There are only no exploits in the default install. There have been a number of OpenBSD exploits.
Do you like German cars?
not to be a troll or anything (I run OpenBSD on a few of my boxes), but OpenBSD is still affected by a large number of root holes. A Linux box with OpenBSD's inetd.conf could be kept secure for years :) . Seriously, OpenBSD has done a great job of cleaning up security, but some big bugs still get through (in particular I remember the ftpd one-byte buffer overflow and the recent hole with glob(), and IPSec too). They may not be default, but basically all sites run more than the base system.