New FreeBSD, NetBSD Security Advisories
Dan writes "FreeBSD has formally announced a security advisory entitled "OpenSSH buffer management error" for the now famous OpenSSH advisory (OpenSSH has released a new version 3.7.1 to address this issue). NetBSD has issued a similar advisory and fix for this issue. NetBSD has released two additional security advisories entitled "Kernel memory disclosure via ibcs2" and "Insufficient argument checking in sysctl(2)"."
If you ever take a look at the patched code for one of these security advisories, you mainly see some special case code stuck in there to patch up the problem. You never see a reconsideration of the problem. I wonder how long it takes to go from a release version through patch after patch until a piece of code is just old and crufty and in need of wholesale replacement.
The first comment on a BSD story wasn't a BSD troll, now that my friends is news for nerds, stuff that matters.
It is common knowledge that *BSD is dying, that ever hapless *BSD is mired in an irrecoverable and mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but FreeBSD may be hurting the most. Look at the numbers. The loss of user base for FreeBSD continues in a head spinning downward spiral.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of BSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major marketing surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among hobbyist dilettante dabblers. In truth, for all practical purposes *BSD is already dead. It is a dead man walking.
Fact: *BSD is dying
Does this affect OS X's implementation of SSHD? So far Apple has not released a patch.
...And when they came for me, there was no one left to speak out for me." - Martin Niemoeller (1892-1984)
Having to fix a security flaw in a closed source program is proof than closed source is bad. Fixing a security flaw in an open source program is proof that open source is good.
What We Can Learn From BSD
By Chinese Karma Whore, Version 1.0
Everyone knows about BSD's failure and imminent demise. As we pore over the history of BSD, we'll uncover a story of fatal mistakes, poor priorities, and personal rivalry, and we'll learn what mistakes to avoid so as to save Linux from a similarly grisly fate.
Let's not be overly morbid and give BSD credit for its early successes. In the 1970s, Ken Thompson and Bill Joy both made significant contributions to the computing world on the BSD platform. In the 80s, DARPA saw BSD as the premiere open platform, and, after initial successes with the 4.1BSD product, gave the BSD company a 2 year contract.
These early triumphs would soon be forgotten in a series of internal conflicts that would mar BSD's progress. In 1992, AT&T filed suit against Berkeley Software, claiming that proprietary code agreements had been haphazardly violated. In the same year, BSD filed countersuit, reciprocating bad intentions and fueling internal rivalry. While AT&T and Berkeley Software lawyers battled in court, lead developers of various BSD distributions quarreled on Usenet. In 1995, Theo de Raadt, one of the founders of the NetBSD project, formed his own rival distribution, OpenBSD, as the result of a quarrel that he documents on his website. Mr. de Raadt's stubborn arrogance was later seen in his clash with Darren Reed, which resulted in the expulsion of IPF from the OpenBSD distribution.
As personal rivalries took precedence over a quality product, BSD's codebase became worse and worse. As we all know, incompatibilities between each BSD distribution make code sharing an arduous task. Research conducted at MIT found BSD's filesystem implementation to be "very poorly performing." Even BSD's acclaimed TCP/IP stack has lagged behind, according to this study.
Problems with BSD's codebase were compounded by fundamental flaws in the BSD design approach. As argued by Eric Raymond in his watershed essay, The Cathedral and the Bazaar, rapid, decentralized development models are inherently superior to slow, centralized ones in software development. BSD developers never heeded Mr. Raymond's lesson and insisted that centralized models lead to 'cleaner code.' Don't believe their hype - BSD's development model has significantly impaired its progress. Any achievements that BSD managed to make were nullified by the BSD license, which allows corporations and coders alike to reap profits without reciprocating the goodwill of open-source. Fortunately, Linux is not prone to this exploitation, as it is licensed under the GPL.
The failure of BSD culminated in the resignation of Jordan Hubbard and Michael Smith from the FreeBSD core team. They both believed that FreeBSD had long lost its earlier vitality. Like an empire in decline, BSD had become bureaucratic and stagnant. As Linux gains market share and as BSD sinks deeper into the mire of decay, their parting addresses will resound as fitting eulogies to BSD's demise.
Only one remote hole in the default install, in more than 7 years! [openbsd.org]
Oops!
Given that the default install has ssh turned on, will they change it to "two remote holes" ?
How much do you want to bet they'll just sweep it under the carpet and hope people forget? If you follow misc@ carefully you have probably seen it done before. Lets make some noise and force Theo to finally update that!
This advisory was sent out almost 24 hours ago, so what's the news?
From: FreeBSD Security Advisories
Date: Tue Sep 16, 2003 20:17:01 Europe/Amsterdam
To: FreeBSD Security Advisories
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
-- unix is for people without a social life - Patrick van Eijk
Let it bleed.
All of the other vendors released similar bulletins... Most of them questioned the validity of this hole, but to be safe, they issued these notes to their customers to update OpenSSH. I know RedHat and Mandrake did.
Phil
Of course, it installed sshd in /usr/local/sbin... sshd 2.9 (i think) was still located in /usr/sbin.
BSD is dying.
It is significantly easier for hackers to find exploits in programs that come with the source. This vulnerability could have been exploited for 6 months or more. Being closed source has nothing to do with being able to fix security flaws. It does however mean that only the company/person who has the code can fix it.
There are security flaws in all software (maybe with the exception of Hello, World!), this has nothing to do with the availability of the source.
I was having problems the day before last, and I updated the SSH program to OpenSSH to fix some other problems, how might I find out if the version I installed had the fixer-upper in it? (and not by getting hacked :-p)
Error 407 - No creative sig found
We only come out at night...
1. You can not play games on it.
2. It cannot be used by my grandma.
3. It lacks a GUI of any note.
4. There is no support available for it.
5. It is an assortment of fragmented OSes.
6. It cannot be run on the x86 platform.
7. You have to compile everything and know C.
8. Support for the latest hardware is always poor.
9. It is incompatible with GNU/Linux.
10. It is dying.
Hi there fellow slashdaughters, this got me upgraded:
./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install
use ps -aux to find the ##### of the process of sshd.
kill -HUP #####
Anyone who reboots to accomplish this upgrade shouldn't be a sysadmin. Have fun!
http://tinyurl.com/4ny52
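An added example, not from this thread or from the OpenSSH project, that covers the two practical questions raised above: how to tell whether the OpenSSH you installed is at or past 3.7.1 (the release the story names as the fix), and how to find and restart the listening sshd without rebooting. The version banners in the block are constructed for illustration; the pid-file path is the OpenSSH default /var/run/sshd.pid. One caveat on the configure line quoted above: sshd handles SIGHUP by re-executing itself from the path it was originally started from, so a build installed with --prefix=/opt ends up in /opt/sbin/sshd and a HUP to the old /usr/sbin/sshd only restarts the old binary; the new one has to be started from its new path (or installed over the old one) before the HUP does any good.

```shell
#!/bin/sh
# Added example: check an installed OpenSSH against the 3.7.1 fix release and
# restart the listening daemon by pid file. Banners below are constructed.

# Turn a banner such as "OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL ..."
# (what `ssh -V` prints on stderr) into "major minor patch". The portable
# suffix ("p2") and anything after the first comma are dropped.
openssh_version_tuple() {
    case "$1" in OpenSSH_*) ;; *) return 1 ;; esac   # not an OpenSSH banner
    ver=${1#OpenSSH_}
    ver=${ver%%,*}
    ver=${ver%%p*}
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0                   # "3" with no minor part
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0                # "3.7" with no patch part
    printf '%s %s %s\n' "$major" "$minor" "$patch"
}

# Exit 0 when the banner is OpenSSH >= 3.7.1 (the fix release named in the
# advisory), 1 when it is older, 2 when the banner cannot be parsed.
openssh_is_fixed() {
    tuple=$(openssh_version_tuple "$1") || return 2
    set -- $tuple
    [ "$1" -gt 3 ] && return 0
    [ "$1" -lt 3 ] && return 1
    [ "$2" -gt 7 ] && return 0
    [ "$2" -lt 7 ] && return 1
    [ "$3" -ge 1 ]
}

# Report on a given ssh binary (default: the one on PATH), using its -V banner.
check_installed_openssh() {
    sshbin=${1:-ssh}
    banner=$("$sshbin" -V 2>&1 | head -n 1)
    if openssh_is_fixed "$banner"; then
        echo "$sshbin: $banner -> at or past 3.7.1"
    else
        echo "$sshbin: $banner -> older than 3.7.1, or not OpenSSH; upgrade"
    fi
}

# Find the listening sshd by its pid file rather than by grepping ps: ps also
# shows one sshd per open session, and HUPing one of those just drops that
# user's session. Dry run by default; pass "no" as the second argument to send.
hup_listening_sshd() {
    pidfile=${1:-/var/run/sshd.pid}
    dry_run=${2:-yes}
    [ -r "$pidfile" ] || { echo "no readable pid file at $pidfile" >&2; return 1; }
    pid=$(cat "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) echo "$pidfile does not contain a PID" >&2; return 1 ;;
    esac
    echo "listening sshd is PID $pid (from $pidfile)"
    if [ "$dry_run" = yes ]; then
        echo "dry run: would send SIGHUP to $pid"
    else
        kill -HUP "$pid"
    fi
}

# Demonstration on constructed banners; the real binary is checked only if present.
for b in 'OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f' \
         'OpenSSH_3.7p1' 'OpenSSH_3.7.1p1, SSH protocols 1.5/2.0' 'Sun_SSH_1.0'; do
    if openssh_is_fixed "$b"; then echo "fixed:      $b"; else echo "needs work: $b"; fi
done
if command -v ssh >/dev/null 2>&1; then check_installed_openssh ssh; fi
```

The version comparison is numeric, so it also handles later major releases correctly; the pid-file function refuses anything that is not a plain number so a corrupted or empty pid file can never turn into `kill -HUP` with a wildcard or empty argument.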
Wednesday, September 17, 2003
Graffiti Writer Killed by Train
A train struck and killed a man early this morning on the South Side while he apparently was writing graffiti under the Birmingham Bridge, according to the Allegheny County coroner's office.
Evan Walters, 24, of Perrysville Avenue on the North Side, was hit by the train at 1:41 a.m. He was pronounced dead at the scene 11 minutes later. An eyewitness reported that the man had just finished spray painting the phrase BSD is dying on the bridge abutment.
Police were not immediately available for comment.
BSD you grow in the ghetto, living second rate
And your eyes will sing a song of deep hate.
The places you play and where you stay
Looks like one great big alley way.
You'll admire all the numberbook takers,
Thugs, BSD pimps and pushers, and the big money makers.
The *BSD Wailing Song
What's left for me to see
In my ship I sailed so far
What can the answer be
Don't know what the questions are.
And after all I've done
Still I cannot feel the sun
Tell me save me
In the end our lost souls must repent.
I must know it is for certain
Can it be the final curtain
As long as the wind will blow
I'll be searching high and low.
Who knows what's really true
They say the end is so near
Why are we all so cruel
We just fill ourselves with fear.
And heaven and hell will turn
All that we love shall burn
Hear me trust me
In the end our lost souls must repent.
I must know it is for certain
Can it be the final curtain
As long as the wind will blow
I'll be searching high and low
Final curtain
Final curtain
The Year of Our Lord 2003 has been a particularly bad year for the "B"s,
- Bob Hope
- Buddy Ebsen
- Buddy Hackett
- Barry White
- BSD
This honored list of dead is but a small token of adieu from the many fans of the deceased. These dead were truly some American Icons. They will be missed.
Sure, we all know that *BSD is a failure, but why? Why did *BSD fail? Once you get past the fact that *BSD is fragmented between a myriad of incompatible kernels, there is the historical record of failure and of failed operating systems. *BSD experienced moderate success about 15 years ago in academic circles. Since then it has been in steady decline. We all know *BSD keeps losing market share but why? Is it the problematic personalities of many of the key players? Or is it larger than their troubled personalities?
The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shroud over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.
Never forget your nose plug when using *BSD.
I can't stand it when Dan posts stories about FreeBSD with links to his bsdforums site. This is so useless. The link should go to the mailing list archive or a web site with the advisory, not to the discussion of it on your site.
Dan, please don't do it! Please! It looks really bad.
I passed the Turing test.
I don't want to start a holy war here, but what is the deal with you BSD fanatics? I've been sitting here at my freelance gig in front of a BSD box (a PIII 800 w/512 Megs of RAM) for about 20 minutes now while it attempts to copy a 17 Meg file from one folder on the hard drive to another folder. 20 minutes. At home, on my Pentium Pro 200 running NT 4, which by all standards should be a lot slower than this BSD box, the same operation would take about 2 minutes. If that.
In addition, during this file transfer, Netscape will not work. And everything else has ground to a halt. Even Emacs Lite is straining to keep up as I type this.
I won't bore you with the laundry list of other problems that I've encountered while working on various BSD machines, but suffice it to say there have been many, not the least of which is I've never seen a BSD box that has run faster than its Windows counterpart, despite the BSD machines' faster chip architecture. My 486/66 with 8 megs of ram runs faster than this 800 mhz machine at times. From a productivity standpoint, I don't get how people can claim that BSD is a "superior" machine.
BSD addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a BSD over other faster, cheaper, more stable systems.
Gotta love them, zero originality.
---- Booth was a patriot ----
there, that has to be original. Of course I hear that copy and paste doesn't work very well under *BSD.
Troll out.
you fucked up your license. get over it.
seen the code to the exploit? i have. there is no exploit. funny that. it's a local system trojan. it doesn't do *ANYTHING* to sshd. it mails the ip and master.passwd to an email address. big fucking do.
if you followed misc@, you'd know that too.
vodka, straight up, thank you!
BSD drools