OpenBSD 3.2 Available

fredrikv writes "Right on time, the files defining OpenBSD 3.2 have moved away from "snapshots" to the 3.2 directory of the OpenBSD mirrors. It is well known as the world's most secure operating system and now sports chroot'd Apache, fewer suid binaries, cool pictures for xdm-logins, a brilliant "antispoof" packet filtering rule and as usual includes lots of small updates and fixes. The files are there. What are you waiting for?"

FreeBSD

[drxenos]

I've always been a fan of FreeBSD. How does OpenBSD compare?

Re:FreeBSD

[hdw]

OpenBSD is secure, stable and easy to maintain.
I use it for a lot of stuff:

at home, as firewalls, Wlan gateway, fileserver, software development, videograbbing and asorted stuff.

at my friends' and siblings' homes, as firewalls and gateways.

at small business, as firewalls, fileservers, proxies, apacheservers.

at the large telco that pays my salary, as firewalls, security gateways, proxies, MS-VPN servers, radius servers.
In short, I'm a dedicated OpenBSD fanatic, and I'm quite convinced that Theo can walk on water without getting his feet wet, or at least cross shallow ponds with only damp socks.

But this doesn't change the fact that there's several things stopping me from trying to replace the OS on every box I can find.

There's alot software that doesn't install and run clean on OpenBSD.

There's a lot of software that has to be cuddled with a bit before it works.

And from a maintain/support view there's a lot more people trained on various (GNU)/Linuxes, making it much easier (and cheaper) to hire support and contractors.

There's also the lack of stable SMP support, and the lack of support for less common hardware.
Will OpenBSD rule the world? No, I still se it a "targeted" product.
It doesn't promise world domination like Linux.
It doesn't promise maximum portability and support for obscure hardware like NetBSD.
It doesn't aim for maximum software support like FreeBSD.

It promises security and stability, and it delivers.

OpenBSD questions

1. What advantage does pf have over netfilter? Any links to performance comparisons between the two?
2. Are the fsn.hu isos kosher?

Most Secure OS

[SirGeek]

According to this article the most secure OS were SCO Unix, Mac OS and Tru 64.

Re:Most Secure OS

[Daleks]

This pattern is mirrored by the overt digital attack data collected for 2002, which demonstrates this has been the worst year on record with 57,977 attacks having already taken place. The most attacked operating system in 2002 has been Microsoft Windows with 31,431 attacks (54%) followed by Linux with 17,218 attacks (30%), BSD (6%) and Solaris (5%). Apple Mac's OS suffered only 31 overt digital attacks, ie, 0.05% of all attacks in 2002 although Apple Mac has roughly 3% of the world's computer market share. SCO Unix suffered 165 digital attacks (0.2%) and Compaq Tru64 suffered 10 attacks (0.02%).

The above uses attacks per overall attacks as the rating for the OS. What should be done is OS specific attacks per installed machines running the particular OS.

MA -- machine attacks
TA -- total attacks
MI -- machines installed
TI -- total installed

The article gives MA/TA, but we want MA/MI. MA/MI gives the vulnerability of a particular OS seperated from the quantity of attacks. I don't know the total number of installed computers, but say it's 10,000,000. Then the MA/MI for Mac's is:

10,000,000 * 0.03 = 300,000
31/300,000 = 0.000103

So about 0.0103%. By contract look at the Windows numbers. Suppose Windows has 75% market share.

10,000,000 * 0.75 = 7,500,000
31,431/7,500,000 = 0.0041908

So about 0.41908%. These numbers show what percentage of installed machines will be affected instead of what portion of all attacks they represent. Another way to think about it is say you have 1 machine running CrappyOS and that machine is attacked. It will only represent 1/57,978 hacks performed in 2002. By contrast MA/MI will be 100%, meaning that every single machine running CrappyOS was hacked.

Numbers don't lie, people do.

OpenBSD based floppy firewall?

[minipunk]

Anyone know if one exists? Please send URL!

Please provide .iso's

[dazdaz]

People always get annoyed with this, however we would like .iso's of OpenBSD. I believe the philosophy is flawed in that .iso's are not made available so people have to purchase the cd's which helpds fund the project. However this limits the distribution of OpenBSD. If anyone could download an .iso, become familiar with OpenBSD, the userbase would be larger and therefore more people would purchase the official CD's.

What do others think?

Re:Please provide .iso's

[aschlemm]

Seems like all those users that whine about there not being ISO images can't even bother to go visit the OpenBSD website and read any of the online documentation that is available there. I've done several FTP based installs myself and it only required me to make a boot floppy. Once you have a running system you can download all of the source via AnonCVS and compile your own OpenBSD release and burn your own CDROMs of it if you want.

One thing that is different about OpenBSD is that the patches are released in source code form and so you have to compile the system yourself to keep it up to date. I keep an up to date source code tree of the latest OpenBSD stable release and with a couple of shell scripts that automate the process I've been building my own OpenBSD releases for a while now. I even put together a old PPro 200 system that I use as a dedicated build system. I download the created tarballs from my build system and use them to update my live BSD systems when I need to.

Re:OpenBSD use.

[rplacd]

OpenBSD has been a solid firewall, router, bridge, MX, DNS server, NIS, NFS, Web, SSH/SCP/SFTP machine with nary a GUI to be seen.

(emphasis mine)

Some would count the lack of a GUI as a downside. Don't knock GUIs -- even web-based ones. They can really help out with the easy stuff. And since it's a Unix, you can always pop up a shell window to do the more complicated stuff.

Check out Mac OS X for an example of this.

Re:Same horrible fdisk and disklable process?

[be-fan]

It's also been overrun be newbie users who are trying to turn it into Windows. I'm not saying that new users are bad, and I think it's good that Linux has become succesful, but I just wish that new Linux users would take some time to understand the culture attached OS before trying to change it. It's like they say, when in Rome, do as the Roman's do. Instead, many people are just acting like so-called ugly-Americans.

Re:I DO think so....

[evilviper]

Well, keep laughing... Ever heard of chroot, privlidge seperation, and systrace?

OpenBSD is what you make of it... If you set everything SUID it's certainly not going to be very secure, but you can secure an OpenBSD system extremely well if you want to do so.

Stick that in your VMS pipe and smoke it!

Signed files? MD5s?

[piranha(jpl)]

I appreciate OpenBSD a lot; I use it on one system at home, and plan to do two more OpenBSD installations. There are some really cool things, like systrace, that aren't available for Linux yet.

That said, how can I trust that my copy of the "world's most secure operating system" hasn't been tampered with? OpenBSD does not sign their files with PGP, GnuPG, or OpenSSL (yes, the latter has been suggested on lists). OpenSSH does. Why can't OpenBSD?

The ports tree, the kernel source, and the rest of the base source (ports.tar.gz, srcsys.tar.gz, and src.tar.gz) don't even have published MD5 hashes (but the archetecture-specific binaries do). The source matters, because (aside from using potentially unstable snapshots binaries) you need the source to apply security patches as security issues are discovered.

For an OS with such a focus on cryptography "because we can", I don't see it being used where it counts. (I've written to the misc list, and only received one response. I've filed a bug report and have received none.)