OpenBSD 3.2 Readies For Release, pf Matures
An anonymous reader writes "Just over a year ago, OpenBSD creator Theo de Raadt ripped ipfilter out of the OpenBSD code leaving "the world's most secure OS" temporarily without a packet filter. Here's an interesting interview with Daniel Hartmeier, author of pf, the stateful packet filter developed as a replacement. Now just over a year old, it sounds like pf has already become a serious contender in the world of stateful packet filtering. This interview is of particular relevance with OpenBSD 3.2 to be released on Friday, 11/1."
And it's coming back as a kernel zombie for Halloween!
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
First post!
Say my name, bitch.
Lameness filter encountered. Post aborted!
Reason: BSD is dying.
Is it me, or is this story confusing? They took ipfilter out, but there is pf, so how is it without packet filter?
And what's up with that "the most secure os" sarcasm? OpenBSD *is* secure.
I passed the Turing test.
Codswallop, January 11th is a Saturday!
If you open yourself to the foo, You and foo become one.
Dear Slashdotters,
I decided to save you the effort of replying to this article by summarizing all of the posts you are about to make.
1) BSD is dead poster: BSD is dead! Only 13 people use OpenBSD and they all live in their parent's basements!
2) Dumb Karma Whore: Packet filtering? What's that? Can somebody explain why pf is a better packet filter than the alternatives?
3) De Raadt Hater: Theo sucks! Burn in hell, Theo, you self-righteous prick. FreeBSD 0wnz!
Use FreeBSD instead. Or if it's old and shitty and single processor, use NetBSD. OpenBSD is fucking hype. The only good thing about it is SSH. Its performance sucks and it's the only non SMP BSD left.
Theo, you are a jerk, and no one likes working with you. The NetBSD guys were assholes to kick you out, but whine all you want about that, OpenBSD sucks. Sorry. I tried several times to give OpenBSD a chance. Sorry, pal, "secure" is a relative term even for you mist priv sep zealot (nice job hacking in privsep and causing a root exploit) and trojaned tarballs.
Good job, Rat. We don't care about OpenBSD. FreeBSD or die.
One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming close on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.
FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a cockeyed miracle could save *BSD from its fate at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dying
Are you just posting this on the front page to try and prove that BSD isn't dying?
?-|||-----x<*))))><
Haven't you heard?
Does anyone know if anyone has ported the OpenBSD pf over to Debian?
That OpenBSD is the most secure OS in the world, but even though it doesn't have its precious packet filter, I still think it whips any other in the security area.
And why did you staple the trout to the RAM?
And here's why:
By default, every network service is turned off in an OpenBSD install. So of course it's going to be secure! There's no possible way for a machine not connected to the 'net to be hacked into! Contrast this with Microsoft's method of enabling every network service in the default install. This is the reason why so many NT boxes have been exploited; not because of inferior products, but because of the fact that tens of thousands of people are needlessly running remote access software on the desktop.
In my experience with securing servers, Mandrake 8.0 takes the least amount of effort to lock down while still providing a useful server after the default install. The BSD community should take a hint and start gearing toward usability rather than "superior" security.
Have you been stalked by Seth today?
I bought a casket for my Halloween costume. I'm going as *BSD.
I had never before done any kernel programming, but I knew C
Great... I'm going to recommend to my boss that we replace all our FreeBSD and Linux servers with OpenBSD! With that kind of kernel programming experience on the team, you know it's gonna be SOLID! Check it.. he didn't say he "heard of" C, or "dabbled in" C, or even "thought there was a language called" C, he KNEW C! Inside and out!
And hey, did you read the interview, the man owns TWO, count 'em, TWO cats! Between the three of them, they should hammer out some sweet packetfilter code.
(hey it's a joke. but I'm still not giving up FreeBSD)
...to see a successful fork of Linux progress to another version, especially now that IPTables has been ported over. The pairing of iptables with the PC-DOS derived TCP/IP stack makes OpenBSD a strong choice for any application, IMHO, especially if the daily announcement of a remote root exploit doesn't deter you.
It's already out there in the source tree... and has been for a while (beginning of October).
You can grab the main .tgzs (i386) from:
ftp.usa.openbsd.org/pub/OpenBSD/snapshots/
I'm pretty sure you can do this install by getting the floppy (.fs) files and selecting FTP install.
If you have 3.1 (or any other version) you can upgrade the source tree (this is how I did it):
set your CVSROOT:
setenv CVSROOT anoncvs@anoncvs.usa.openbsd.org:/cvs
cd /usr
cvs -q get -rOPENBSD_3_2 -P src
You can then follow along here:
http://www.openbsd.org/faq/upgrade-minifaq.html
Make sure you do all the steps,
Be especially sure you do 1.5, 1.8, 3.1.* before you do a make build..
(note: if you are doing it from something earlier than 3.1 you should do the other changes (3.0.* etc. etc.)
-- C
So, is this shit dying or what?!
this information is bad, as the 3.2 snapshots are now further ahead in development than the 3.2 release code. there is no supported method for backtracking from -current to -release.
for the impatient, the best method is to check out the 3.2 sources from cvs (as described) and build from source
I think the one thing that everyone absolutely always neglects to realize is that Open BSD is the absolute perfect firewall/router solution for any network. All serious networks I've ever seen or worked with use Open BSD as their router/firewall solution and for good reason, it's perfect. It's stable, secure, and BSD Free, what more could you possibly want. Open BSD is made for security and it does its job wonderfully.
Ignore the "p2p is theft" trolls, they're just uninformed
What mirror sites are available for these outdated packages?
It isn't the Most Secure OS... It had a recent remote exploit!
Meanwhile Mac OS 8.x and 9.x (not the unix OS X) has NEVER ever had a remote exploit.
Consult bugtraq if you doubt this!
Running MacOS and a commercial webserver and you are immune from remote exploits as evidenced by FACTS based on historical evidence.
No mac server in history is exploitable without first getting in through a local unix server or other means.
And the very few recent defacements attributed to Mac OS were in fact Mac OS X, not the secure Mac OS.
Lack of a root user, lack of a shell, usage of byte length specified "pascal style" strings, and other security choices and coincidences make Macs the most secure OS.
OpenBSD had a recent exploit therefore the Mac OS (9.2.2 and earlier) wins the security crown.
What I don't get is why don't these projects realize the kind of coup they could score by releasing a Mandrake/RedHatesque installer that even the average marketing drone could use to setup a fully operational installation. I'd love to use OpenBSD if I thought I could get it working. I'm still just a novice with *NIX though so some of this is a bit too hardcore for people like me right now. But still, getting OpenBSD an installer that **just works** for the average person would take it to a whole new level.
I'd hardly call pf mature. Hell, it's only been in CVS for less than a month. I commend OpenBSD as much as the next guy, but if Theo isn't careful he is going to end up with another root exploit in the default install.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
Be careful. The 3.2 errata hasn't been committed to CVS. So while you're running the 3.2 RELEASE, 3.2 STABLE won't exist until the actual release.
If you really want an early 3.2, you need to port the relevant 3.1 errata to your 3.2 tree.
Actually I think the Net people hate him more.
Excellent interview and responses, a very educational read for anyone who deals with firewalls and packet filtering. It should become part of the pf docs.
He is very modest, but I like the sounds of some of the things he is doing. Here are some solid, specific things pf is doing that I don't think other packet filters are doing, ask your vendor how they are handling these same types of issues.
This is why pf sounds like it will be very good (direct quotes from the article):
Wax on, wax off baby!
I am a Computer Information Systems Professional at a major Fortune 500 corporation. Very recently the head of our IT department decided that we were going to switch every one of our networks over to Windows XP Professional. We had previously been running OpenBSD on all our quad processor Xeons. Some of them had had uptimes approaching a year! My personal favourite, Gerbil, had been running without a reboot for three years.
One day one of those Microsoft shills that you often read about on The Register came by for a visit. I grew very suspicious about what was going on when my boss and the Microsoft representative walked by my desk, and entered the server room. I could hear muffled voices through the closed door. The Microsoft representative was asking what we were running on our servers! My worst fears had come true. I sat at my desk for the rest of the day, silently awaiting the bad news. The news did not come until the next day. It was worse than I had feared. We were to be a Microsoft only shop from that day on! I could not believe it. The Microsoft representative had told my boss that the operating and support costs would actually go down. And my boss had fully bought into it, hook, line, and sinker.
Tough times hit our company in the last month, and we were forced to lay off a few of the less experienced IS/IT workers. One of them took this rather hard. As a last minute attempt at corporate sabotage, he decided to change all of the Computer Administrator passwords on a few of the XP Professional boxes sitting around in the server room. This caused absolute havoc, as Dell had failed to send along administrator passwords for the new boxes. Our company could not make use of these computers for three days. It took Dell that long to get us the administrator passwords. It is strictly because of Microsoft's poor implementation of a multi-user computing environment that our company lost three days of productivity.
Needless to say, I had our quad Xeons back running OpenBSD by the end of the week. Gerbil is back on its way to another glorious 3 years of uptime.
You must live in a white trash trailer park then and WalMart must be using OpenBSD. People use supported products in production. Have fun with those patches and your athlon with realtek cards ;p.
I think the more important question is the Cisco Patent. Is there any way around it?
So why now? Why did *BSD fail? Once you get past the fact that *BSD is fragmented between a myriad of incompatible kernels, there is the historical record of failure and of failed operating systems. *BSD experienced moderate success about 15 years ago in academic circles. Since then it has been in steady decline. We all know *BSD keeps losing market share but why? Is it the problematic personalities of many of the key players? Or is it larger than their troubled personalities?
The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shroud over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.
Hey, although you might not be comfortable with the thought, most people agree that OpenBSD is dying. That is an honest assessment. You really can't argue with the truth, no matter how much the truth might hurt. Truth exists independent of your personal feelings. So suck it up, put your chin up and move on. The death of OpenBSD is not the end of the world. It certainly doesn't have to be the end of your world.
Here it is: a link to goatse.cx: Goatse Page. I am not lying, this is a link to a webpage with a picture of a man with a big hole. I would like for you to click this link while delusionally pretending that it is a link to something having to do with this headline. I am not lying. I would appreciate it if you clicked this link.
From there, /usr/ports makes available a tonne of software (some of which even works -- amazing!).
I'm speaking as a guy who hasn't installed X (tried once and mostly failed), but enjoys the commandline quite a bit. If you like working on the 'NIX commandline, or would like to learn, OBSD is a great system to play with.
khl
Or VMS which from what I heard is still being used by banks and such despite the fact that it was such a perverse OS and that TCP/IP was an optional package. Did that thing have any bugs at all !?
Suck my balls Mac fag. Even that homo Theo could kick the ass off Steve Jobs and all his 50 year old Birkenstock-wearing assclown programmers.
Wow.. you know you've been doing too much electronics homework when you look at "pF" and read it as "picoFarad" and wonder what that had to do with anything....
You can grab the main .tgzs (i386) from:
ftp.usa.openbsd.org/pub/OpenBSD/snapshots/
Those are snapshots of 3.2-current, not of what will be released as 3.2.
....in an empty forest and nobody uses it, does anyone give a shit?
I didn't know Theo was a butt pirate!
The article is one of the best resumes I've ever seen.
Just disable the root account and install setuid programs or daemons to do specific functions for your administrator. If you have physical security, nobody will be able to actually login as root. Install an IP filter that only allows packets from privileged ports if you don't want users' processes to use the network directly. As for filesystem security, have users login to a chrooted account that only contains or mounts directories that they are supposed to access. How will this Unix installation be less secure than OSes you mentioned? Perhaps you mean that default UNIX distributions you saw are not very secure. Or that system calls supported by your OSes encourage secure application design. But it should be still easier to write a library for this purpose under Linux than to write a whole new OS. What am I missing?
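The packet-filter part of that sketch, written as a pf ruleset: this is an added example, not code from the thread or from the interview, showing a host-only pf.conf that denies everything by default and lets only sockets bound to a privileged local port (which on OpenBSD only root may bind) originate outbound connections, while the state table carries the replies back in. The interface name fxp0 and the management network 192.0.2.0/24 are constructed assumptions.

```pf
# Constructed pf.conf for a single host (added example, not from the page).
# Assumptions: external interface is fxp0, administrators sit on 192.0.2.0/24.
ext_if = "fxp0"
mgmt_net = "192.0.2.0/24"

# Default deny in both directions. Inbound drops are logged to pflog0 so the
# policy can be checked against real traffic before trusting it.
block in log all
block out all

# Loopback traffic is exempt from the policy.
pass quick on lo0 all

# Only sockets bound to a privileged local port (< 1024) may originate
# traffic; that means root-owned daemons only. Unprivileged user processes
# get ephemeral source ports above 1024 and therefore never match this rule.
pass out on $ext_if proto { tcp, udp } from $ext_if port < 1024 \
    to any keep state

# Replies to those connections return via the state table. The only
# unsolicited inbound traffic accepted is ssh from the management network,
# and only on a proper SYN so the state entry is created at connection start.
pass in on $ext_if proto tcp from $mgmt_net to $ext_if port 22 \
    flags S/SA keep state
```

Load it with pfctl -f /etc/pf.conf and watch what the default-deny rule is dropping with tcpdump -n -e -ttt -i pflog0 before deciding the ruleset is complete.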
[ed. note: in the following text, former FreeBSD developer Mike Smith gives his reasons for abandoning FreeBSD]
When I stood for election to the FreeBSD core team nearly two years ago, many of you will recall that it was after a long series of debates during which I maintained that too much organisation, too many rules and too much formality would be a bad thing for the project.
Today, as I read the latest discussions on the future of the FreeBSD project, I see the same problem; a few new faces and many of the old going over the same tired arguments and suggesting variations on the same worthless schemes. Frankly I'm sick of it.
FreeBSD used to be fun. It used to be about doing things the right way. It used to be something that you could sink your teeth into when the mundane chores of programming for a living got you down. It was something cool and exciting; a way to spend your spare time on an endeavour you loved that was at the same time wholesome and worthwhile.
It's not anymore. It's about bylaws and committees and reports and milestones, telling others what to do and doing what you're told. It's about who can rant the longest or shout the loudest or mislead the most people into a bloc in order to legitimise doing what they think is best. Individuals notwithstanding, the project as a whole has lost track of where it's going, and has instead become obsessed with process and mechanics.
So I'm leaving core. I don't want to feel like I should be "doing something" about a project that has lost interest in having something done for it. I don't have the energy to fight what has clearly become a losing battle; I have a life to live and a job to keep, and I won't achieve any of the goals I personally consider worthwhile if I remain obligated to care for the project.
Discussion
I'm sure that I've offended some people already; I'm sure that by the time I'm done here, I'll have offended more. If you feel a need to play to the crowd in your replies rather than make a sincere effort to address the problems I'm discussing here, please do us the courtesy of playing your politics openly.
From a technical perspective, the project faces a set of challenges that significantly outstrips our ability to deliver. Some of the resources that we need to address these challenges are tied up in the fruitless metadiscussions that have raged since we made the mistake of electing officers. Others have left in disgust, or been driven out by the culture of abuse and distraction that has grown up since then. More may well remain available to recruitment, but while the project is busy infighting our chances for successful outreach are sorely diminished.
There's no simple solution to this. For the project to move forward, one or the other of the warring philosophies must win out; either the project returns to its laid-back roots and gets on with the work, or it transforms into a super-organised engineering project and executes a brilliant plan to deliver what, ultimately, we all know we want.
Whatever path is chosen, whatever balance is struck, the choosing and the striking are the important parts. The current indecision and endless conflict are incompatible with any sort of progress.
Trying to dissect the above is far beyond the scope of any parting shot, no matter how distended. All I can really ask of you all is to let go of the minutiae for a moment and take a look at the big picture. What is the ultimate goal here? How can we get there with as little overhead as possible? How would you like to be treated by your fellow travellers?
Shouts
To the Slashdot "BSD is dying" crowd - big deal. Death is part of the cycle; take a look at your soft, pallid bodies and consider that right this very moment, parts of you are dying. See? It's not so bad.
To the bulk of the FreeBSD committerbase and the developer community at large - keep your eyes on the real goals. It's when you get distracted by the politickers that they sideline you. The tireless work that you perform keeping the system clean and building is what provides the platform for the obsessives and the prima donnas to have their moments in the sun. In the end, we need you all; in order to go forwards we must first avoid going backwards.
To the paranoid conspiracy theorists - yes, I work for Apple too. No, my resignation wasn't on Steve's direct orders, or in any way related to work I'm doing, may do, may not do, or indeed what was in the tea I had at lunchtime today. It's about real problems that the project faces, real problems that the project has brought upon itself. You can't escape them by inventing excuses about outside influence, the problem stems from within.
To the politically obsessed - give it a break, if you can. No, the project isn't a lemonade stand anymore, but it's not a world-spanning corporate juggernaut either and some of the more grandiose visions going around are in need of a solid dose of reality. Keep it simple, stupid.
To the grandstanders, the prima donnas, and anyone that thinks that they can hold the project to ransom for their own agenda - give it a break, if you can. When the current core were elected, we took a conscious stand against vigorous sanctions, and some of you have exploited that. A new core is going to have to decide whether to repeat this mistake or get tough. I hope they learn from our errors.
Future
I started work on FreeBSD because it was fun. If I'm going to continue, it has to be fun again. There are things I still feel obligated to do, and with any luck I'll find the time to meet those obligations.
However I don't feel an obligation to get involved in the political mess the project is in right now. I tried, I burnt out. I don't feel that my efforts were worthwhile. So I won't be standing for election, I won't be shouting from the sidelines, and I probably won't vote in the next round of ballots.
You could say I'm packing up my toys. I'm not going home just yet, but I'm not going to play unless you can work out how to make the project somewhere fun to be again.
= Mike
--
One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD continues to plummet, as market share has now dropped once again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.
FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dying
the project is not commercial, and has no dreams of having millions of users. it only seeks to do what it does well - which it has for some time.
most of the users and all of the developers would probably scoff at the idea of upgrading the installer because development resources aren't cheap, and they feel the time would be better spent elsewhere since the installer does work just fine.
the 'rustic' install (complete with MANUAL PARTITIONING!!!) serves as a barrier to entry, keeping the mailing lists more clean of 'how do i mount a floppy?' questions.
The article is one of the best resumes I've ever seen.
Prospective employer: What have you done?
Daniel: I wrote the stateful firewall in OpenBSD. Here's a kerneltrap.org article.
Employer: (Silence while recovering from amazement.) What pay do you expect?
I hit a key accidentally, and Mozilla posted my comment above.
we prolly have the whole core team, including Theo, flaming off on everyone here tonite LOL
seriously though, it seems that attempting to discuss bsd here at slashdot is a difficult proposition at best, can anyone recommend some sites where there is some intelligent discussion of bsd news and issues, without the annoying "BSD is dying" crap? deadly.org is the only one i know of and it's pretty slow.
any links / suggestions would be greatly appreciated, thanks!
The integration. All of these features in a powerful package with an installer targeted at admins.
The only thing I would ever ask of them is to take some of the lessons learned from the Gentoo Portage System.
anyone else notice how it's just one letter's location that separates a reference to the most insecure OS and the most secure OS?
OBSD
BSOD
ehh past my bedtime i think
yes, a great slash based bsd site is daily.daemonnews.org, same thing as /., but without much of the bsd bashing (I believe microsoft bashing is a religion there too though, but hey, I'm all for that)
-isolenz
Needless to say, I had our quad Xeons back running OpenBSD by the end of the week. Gerbil is back on its way to another glorious 3 years of uptime.
no you didn't. openbsd only runs on a single processor.
thank you, come again.
Yay! Just in time for my birthday. :-) Actually, I'll probably wait a bit...just finished my upgrade to 3.1 STABLE. I wish every OS upgrade was as smooth...cvs update, compile, then do some diffs of etc. Nothing to it.
..than gentoo. You would be braindamaged to think that cvsup and ports don't lead to a real, stable, coherent well documented productionable system and that Gentoo leads to ANY of those said qualities.
Gentoo is not stable, audited, coherent, documented and it's certainly not production ready.
OpenBSD isn't even on the radar.
and my fear of change; but having worked on many unix and other firewalls: ipf has worked very well, I'm sure there are good reasons to add pf(ctl), but keep ipf for my sake! ;^)
"Failure of Windows operating systems is extremely rare. If it happens, it is usually due to operating system file c
What's your definition of an easy installer? I would rather have something functional over easy/GUI. When I first installed OpenBSD I had only used Debian since then (only for a year or so). I printed out the entire FAQ and read it back and forth whenever I had some free time. If you read it, you will notice that it walks you through the entire installation procedure. If I was able to install OpenBSD using their excellent text installer just by reading the documentation available on their site then I'm sure anyone (who's willing to do research) can. It also helps to have an old box to install on first, play around, install again.. rinse and repeat as required.
Support the OpenBSD developers by getting a 3.2 CD: $40 US or EUR 45 in Europe.
The new 3.2 poster is very nice too, get it for $10 US or EUR 14 in Europe.
Cool Mac software that I found while looking for info: ssh and sftp for mac with SSH2 support. License? Well, there's a GNU head on the website :)
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@cordes ,
Theo has the best way to make BKL a bygone issue. NEVER SUPPORT SMP! I can't believe everyone hasn't thought of this first. My god. This is revolutionary
can anyone recommend some sites where there is some intelligent discussion of bsd news and issues
I prefer mailing lists. In fact, after signing up to some interesting OpenBSD lists (mostly just reading) I found I was reading OpenBSD a lot less and reading www.deadly.org a lot more (and wishing it had a lot more articles and discussion).
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
Bugger, sorry. That should read "I found I was reading /. a lot less and reading www.deadly.org a lot more".
http://uptime.netcraft.com/up/graph/?mode_u=on&mode_w=on&site=www.openbsd.org
Operating System and Web Server for www.openbsd.org
The site www.openbsd.org is running Apache/1.3.26 (Unix) PHP/4.2.1 mod_perl/1.27 on Solaris.
Go to your slashdot preferences, the homepage tab, and on the lower part of the page is "Customize Slashboxes". Enable some of the bsd sites to see their headlines while reading slashdot.
Like Shanep said, OpenBSD Journal (at deadly.org) is a good one.
Got brain?
Not stable?
Try installing it and using it before you comment!
Gentoo 1.2, and then 1.4rc1, have been running my web/mail/shell server for months now, and it has NEVER not been stable. I never have to reboot it (apart from the very occasional kernel upgrade) and it never falters.
So i disagree with your uninformed comment completely!
your personal web/mail/shell server. i have been following gentoo since before you were probably aware of it. try loading that baby up. your personal web/mail server doesn't count. and if you are using that in production, whoooo-weeee. you are one risky kind of guy [aka reckless]
now, what was your max uptime, mr reboot the system to tinker the kernel? that's what I thought. "Gee, I haven't left it up for more than 3 days at a time because Marcelo releases yet another broken 2.4.20[pre/rc] update!" Come to think of it, a k-tard like yourself would love something like Gentoo, it's great for bored people looking for an excuse to reboot.
the whole fucking thing a half assed fork of NetBSD.
At least FreeBSD is original. (oh, and scalable, faster, more featured, has better ports, is secure - I don't know what the fuck or how the fuck SSH is better on OBSD, is coherent and respectful of 4.4BSD without being a fucking lunatic and keeping the shit that should have gone years ago there
Theo de Craap. He stole SSH from Tatu, OpenBSD from NetBSD, most of the drivers from FreeBSD. The pf/ipf series was probably inspired by work done elsewhere since he set a precedent for being incapable of being original, or better.
Although I'm looking forward to the release, and will upgrade eventually, I'm *REALLY* looking forward to the next song..
For every problem, there is at least one solution that is simple, neat, and wrong.
Said "Mac Attack" is ancient and only affects very old versions of Mac OS 9.
An embedded, dedicated solution?
Don't get me wrong, though I've personally not used a BSD as a firewall, I know people who have, and they're happy with it, completely happy. But I really prefer something which was built from the ground up to be a firewall and ONLY a firewall.
I've worked extensively with the Sonicwall devices, and I've also heard some good things about the WatchGuard Firebox series. Then again, if you want to go gung ho all out and out, you can get a Cisco PIX.
Basically, for me, it boils down to having a specific device for a specific job, as opposed to having a general purpose piece of software running on commodity hardware for a specific job.
And what's up with that "the most secure os" sarcasm? OpenBSD *is* secure.
.. 2 things:
This definition depends on what you call "secure".
Theo calls an OS with a very limited, trusted set of applications "secure" - however, running secure applications with root privileges has nothing to do with OS level security. That's application level security.
I'd call an OS secure, if you can only hack it by exploiting a bug inside the OS kernel. That means, there is no way of gaining 'root' privileges or something like that by hacking into some highly privileged daemon, provided that the system is configured properly.
To achieve this level of security, it is necessary to have fine grained privilege and compartmentalization controls instead of the superuser/world distinction built into the OS kernel - and that's still missing in OpenBSD.
What does "secure" mean?
"[...] Put another way, "secure system" means safe enough to protect some real world information from some real world adversary that the information owner and/or user care about. [...]"
- SE Linux FAQ, NSA
-----
There are mainly two types of secure Operating Systems.
a) Everything up to the C2 level of security
b) Everything from B1 up to A1 (never ever reached by any OS)
The difference is information labeling.
You only get a B1 security certificate, if your OS has mandatory access controls. It must be able to automatically prevent users from mixing secret data with public data. This is often called a "Trusted OS".
Most people don't need information labeling/mandatory access control, because all their data has the same level of sensitivity.
TCSEC C2 does not say much about how the OS has to handle privileges, so a C2-level OS can still be very insecure, but it can also be very secure - almost impenetrable - and it still can't ever become certified at B1 or above, because it simply can't handle multiple levels of sensitivity.
-----
Let's look at NON-Trusted-OSs first, because most people don't need a Trusted OS:
OpenBSD lacks an uninterceptable audit trail and access control lists as required by TCSEC C2. It distinguishes between world and root privileges.
VMS has an audit trail, access control lists, and a privilege model.
AS/400s have an audit trail, access control lists, a privilege model, an object-based security model with type enforcement and hardware-supported pointer-in-memory-protection because of the single level storage address space, but that does not matter much (think about it as something which is similar to protect-mode on an x86, but based on objects and pointer to objects instead of segments and segment descriptors).
VMS is clearly superior to OpenBSD, mainly because of the privilege model. If a process does not have many privileges, then an attacker can't gain many privileges by hacking it. Simple, isn't it?
An AS/400 is (VMS users listen carefully) clearly superior to both OpenBSD and VMS. It has a superset of the security features of VMS, and additionally it has object-based protection. Therefore, you can't write to a program object, and you can't execute a data file or things like that.
Now let's look at Trusted OSs:
SE-VMS has an audit trail, access control lists, a privilege model, information labeling and compartment mode.
Solaris with Argus Pitbull has an audit trail, access control lists, fine grained privilege controls plus inheritance rules (proxy privilege sets and so on), a trusted computing base, information labeling and compartment mode (mandatory access controls).
Both are clearly superior to the non-trusted OSs mentioned above, because applications can be totally separated from each other by putting them in separate compartments.
If someone hacks into an application in compartment A, then he/she still can't access an application in compartment B, so he/she is locked down into a jail.
Solaris with Pitbull is clearly superior to VMS, because of the much more sophisticated privilege model. It's more fine-grained and it has inheritance controls, so certain applications will only gain their privileges if they can inherit those privileges from another process. By default, executing another application always drops all privileges.
-----
What I'd like to say is
1. What about "OpenBSD is the world's most secure OS"? It has a pretty good verified kernel, but its security mechanisms are simply not powerful enough. A bug-free kernel does not help a lot when you have to run things as root, because the kernel does not have appropriate security mechanisms like privilege controls or compartment mode...
2. What about "Unix can't be secure"? I get really bored by VMS users comparing Standard-Linux with VMS; maybe compare the most secure setup of either Operating System and then let's talk about security again.
HERE is TCSEC B3 certified Unix (Linux-compatible, too).
regards,
octogen
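The post above argues that on a plain root/world Unix nothing drops a daemon's privileges for it, so a compromised root daemon hands over root, whereas Pitbull drops privileges on exec by default. As an added illustration of that point (this is example code written for this page, not code from the thread or from OpenBSD), here is the privilege drop a setuid-root daemon must perform by hand, with the verification step that catches an incomplete drop. The target uid/gid 65534 is an assumption for the demo; a real daemon would resolve the account with getpwnam(3).

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently drop to the given unprivileged uid/gid and verify that the
 * drop really took effect.  Returns 0 on success, -1 on any failure.
 *
 * The order is deliberate: supplementary groups and the gid must go first,
 * because once the uid is no longer 0 the process is not allowed to change
 * its groups any more, and the drop would be left half done.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* root only */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /*
     * Verification.  A process that was root and called setuid() also loses
     * its saved set-user-ID, so a later setuid(0) must fail.  If it succeeds
     * we are root again, the drop was incomplete, and the caller must abort.
     */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/*
 * 1 if this process is root or can still become root via setuid(0),
 * 0 otherwise.  Note that a successful probe leaves the process as root.
 */
int can_regain_root(void)
{
    if (geteuid() == 0)
        return 1;
    if (setuid(0) == 0)
        return 1;
    errno = 0;          /* EPERM is the expected outcome, not an error */
    return 0;
}

int main(void)
{
    /* Assumed target account (65534 is "nobody" on many systems). */
    uid_t target_uid = 65534;
    gid_t target_gid = 65534;

    if (geteuid() != 0) {
        printf("not root (uid %u), nothing to drop, can_regain_root=%d\n",
               (unsigned)getuid(), can_regain_root());
        return 0;
    }
    if (drop_privileges(target_uid, target_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("dropped to uid %u gid %u, can_regain_root=%d\n",
           (unsigned)geteuid(), (unsigned)getegid(), can_regain_root());
    return 0;
}
```

Run it as root and the program ends up as the target account with no way back; run it as an ordinary user and it simply reports that there is nothing to drop. The point of the explicit verification is exactly the one the post makes: on this model the kernel enforces nothing about what a daemon keeps, so the program has to prove to itself that it gave root away.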
Following in Theo The Rat's footsteps, I intend to write the most secure OS in the world. It will support no CPUs! It will be revolutionary! No executable stacks, no kernel buffer overflows, no race conditions, no starvation problems, no privilege escalations, nothing!
However, also like Theo The Rat, I can't code for shit, especially hard stuff like an Operating System, so I'll just wait for someone else to do it while I cross-post to everyone else's mailing lists with flames. Guys?
It's due to the intended audience/market.
If the installer is too complex/confusing for you, then you are not the intended audience.
Not meant as an insult, just reality.
OBSD isn't intended for the 'average' person, but one slightly above that level.
---- Booth was a patriot ----
I live in my girlfriend's parents basement
and my OpenBSD server is humming along right beside me. Can I be lucky #13?
Three keystrokes and WHOOPS! You're fucking out of chroot. Big fucking deal.
BSD is dead, jack.
OpenBSD is dying, because Theo has a cold.
Heh...just kidding. But really, we're too dependent on him and his whims. We need less ego in the BSD world. Theo de Raadt, Darren Reed, Dan Bernstein et al. can be fine programmers, but what's the damn point if they can't get along? OpenBSD's development has too much power concentrated in the hands of too few people. This leads to all sorts of boo-boos and the inability to maintain older code (3.0 just died...ugh!).
I think that licenses are important. They need to be unconfusing. Project developers should find an existing, popular, and well understood license that most closely suits their needs and put their work under that license, rather than create their own. Here is where I fault DJB and Reed for their licensing quirks.
What license is irritating me the most right now is PINE's.
Daniel has a mirror of the interview at his site.
Legalize the constitution. Think for yourself question authority.
--- or --
cluebat: Z-OS is otherwise known as IBM OS/390 and holds something like 80% of the world's business data.
Okay, who is the troll: some fucking fool who doesn't know what a mainframe OS is, or someone who rather politely points it out?
You are a fucking idiot. You are the troll. And an OpenBSD zealot asshole.
hi.
If he cleans stuff up so well, why doesn't he submit patches back to the original "offenders"?
That's what I thought. He doesn't. So get back to trying to suck your own dick, jbolden cockeater.
Ahemmm! set[ug]id, both. Also, the addition of Provos' systrace(1), which has been coming along for some time is tres cool, man. Listen, read:
Provos' (the author) systrace webpage on the subject. Someone bitched about the installer, and how cooler it'd be, how more ``popular'' OBSD'd be if it came with a purdier installer, cotton candy, and power seats. This flies in the face of how OBSD developers feel about the audience of their OS. `Fuck popular! Popular only brings unwashed numbers and wastes time; they don't handhold anyone.' `Read gaddammit, read!' `If you won't read the fucking excellent manpages, or won't read other included documentation, if you won't search list archives for the same repeated questions (and they will be if you are that stupid) you're a fucking slacker; if you read them and don't understand them, you're a fucking luser.' Sound like an OS that gives a shit about being popular or tolerant of stupid newcomers? I don't think so.
If you're prepared to do the hard work, not expecting handholding and waste anyone's time, you'll be alright. Not for everyone, as it should be.
I have extra new copies of Official OpenBSD CDs, selling them for a song, too.
They should really make you use blocks. If you can't convert blocks to megs, then you shouldn't be using OpenBSD.
So OpenBSD 3.2 is released today, where can I buy this from in London, UK?
the Smith & Wesson extraction method destroys the keys. If you need a copy of the clear data, and you're dealing with someone who maintains that "you can have my keys when you pry them from my cold, dead fingers", shooting them won't do you much good. You'll have to either use some sort of subterfuge to sneak off with a copy of the keys or break the keyholder's will with some form of duress.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k