Remotely Crash OpenBSD
*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski found the problem. To quote Theo, 'it is just a crash.'" It is unknown whether the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.
I'm thinking that if someone from Microsoft stated "It's just a crash" the editors here would be just a touch more sarcastic...
Maybe the next time Bashdork reports the new evil IE vulnerability that allows my desktop wallpaper to be changed by a hacker in Romania I'll see a quote like this one. "To quote [whomever], head of [whatever] at Microsoft, it's just a crash".
I'm sure.
I don't think the IPv6 install is the default. Even if it is, 'it's just a crash' is not a remote hole. So, yes, they can still boast.
A programmer is a machine for converting coffee into code.
Are you on an IP6 network? I'm betting you aren't....
But if you are just wait a little while for the fix.
Personally I don't like random people crashing my servers, so I'd call it a hole!
Fwiw, I wouldn't go into riot mode over four monosyllable words taken out of context be it from MS or OBSD. Of course, this is /. and that nice little blurb will most certainly cause a lot of banner hits as people will just have to comment. I can personally attest to 3 to get this post up.
I don't want knowledge. I want certainty. - Law, David Bowie
A non-serious cracker might have fun taking down OpenBSD a few times with an exploit like this. A more serious cracker would do this to try to convince some number of systems to stop running the most secure OS that's reasonably available and replace it with more vulnerable systems that aren't getting spanked a lot.
Bill Stewart
I'd find the OpenBSD crew's haughty "more secure than thou" attitude a lot more annoying if it weren't for the fact that their track record actually justifies it. The fact that you can still count the number of remote exploits using a two-bit register is pretty impressive.
I've read a bunch of posts comparing this "possible" hole in OpenBSD to those in MS. There's NO comparison! I bet Theo and the OpenBSD developers are already working on a fix. Actually, they probably already have one. With MS, it takes much, much longer! And sometimes, the "fixes" that MS so-called developers come up with break something else.
Yes, when I saw this and noticed people commenting on the "Securer than thou" stance taken, my immediate thought was
"Hmm, well if we have gotten to the point where people have to roll their own net stack or patch a kernel to bring an issue to the fore, then hasn't the OpenBSD project succeeded in its goal?"
The day Microsoft has half the kind of security track record as OpenBSD, they'll be cut some slack.
OpenBSD had earned a little slack. MS still has a long way to go in system security/stability before they deserve the same treatment.
A "remote hole" doesn't have to just be obtaining root access. Being able to remotely crash a server is almost as bad. So no, they cannot boast.
As a sysadmin of a college network, "just a crash" *really* helped me.
I replaced all firewalls with OpenBSD filtering bridges. One rather persistent script kiddie (unfortunately a legitimate $luser on the network) decided to send a few malformed packets here, there and everywhere. One of these crashed the filtering bridge at the edge of that particular subnet.
Immediately no packets enter or leave that subnet and I get about 40 phone calls "the internet is broken / my session crashed..." and go and deal with it.
Just a crash, saved several boxes. By contrast, accessible Linux machines, privilege escalation - root exploit. All over.
Now if only the average Windows box would *only* bluescreen in response to being cracked/infected with the latest... rather than sending malformed packets everywhere. Then infection would be self-limiting and the world would be a better place.
Maybe because 6 bytes can't fit in an address field whose length is 4 bytes, so you would trash the option field or data :P
You don't know what you don't know.
IPv6 is a must-upgrade solution... it IS newer code, it does get rid of NAT (which is partially used for security) and IPv4 DOES have some hacks to make it scale higher... however, once all of China connects to the net, all of India, all of everyone, there just physically isn't enough. And NAT just isn't a clean solution when used with private addressing; it works, but it is a hack to an unavoidable fix.
IPv6 has security built into it, more addresses than particles in the universe, and eliminates the need for private addressing and NAT... we should move to IPv6 if for no other reason than it is a cleaner, better solution to internet addressing.
Just because they fixed it before it was reported doesn't mean it never existed -- or that it was never quietly exploited. This sort of semantic game detracts from the hard work that goes into OpenBSD. It may be no worse than the sort of word games used to market other software, but in an area like security where trust is paramount it needlessly raises suspicion.
Now the specialist press, including web sites, who know of the existence of OpenBSD, are likely to treat this in much the same way. A BSD crash, any variant, is a rarity, 1000 times or more less likely to happen than a BSOD. Same sort of ratio for security holes also. So, the same thing happens: the uncommon major event gets the attention, although it does far, far less harm overall than the very common everyday event.
Of course in this case the normal press remain in utter ignorance, some of them may know that Windoze is not the same as a MAC, a few will know of Linux, and very few indeed will know what BSD is, they probably think it is a shorter abbreviation for BSOD. So, the mainstream press will leave this well alone.
It is quite right and proper that crashes should be reported, and certainly it is only fair that a problem with a secure OS gets to be known, and fixed, but like the train crash, it needs to be kept in perspective.
I know that Theo allegedly has an attitude problem, however those who extrapolate from his remark that it is only a crash to suggest that he does not care are IMHO quite wrong. I think he was only putting the event in its true perspective, as being of slightly less importance than a security breach. I think he does care, very much, that "his" software works properly, that is what drives such people, who could earn much more financial reward elsewhere.
All of this is a matter of seeing the thing in its true perspective. If people did that, no-one at all would use the products of the Convicted Monopolist, and the world would be a very much safer place as regards computer security, and much more productive because there would probably be only one crash for 1000 or even 1000000 BSODs in inferior systems, which are riddled with fundamental design errors.
It does to me because that's how it's always been done with OBSD. Look, when someone says something, you have the opinion and right to look at the veracity or underlying premise of -what- is being said. It's been pretty clear for a couple of years what OBSD's standard for that statement is.
iow, if it doesn't make sense to you, that's completely fine. But it's not like OBSD is being hush hush, nudge wink with how they come up with their count.
imnsho, at least they have a standard or policy or rules or what have you for determining their remote hole count. Of all other OS makers, groups, and mfgs out there, I don't know of one other that keeps count, has a public statement of that count, gives publicly accessible rules for determining that count, and follows those rules. Linux sure doesn't--the sheer variation, number of distros, etc. has no one keeping a firm count. OBSD is more limited and applies it to their default install.
Personally, I like OBSD's claim and think it's valid, both in the areas of valid to make and valid as valuable to the OS user.
Compare them to other OS makers. When MS releases a security patch and months later Melissa or some other virus comes along and exploits it because people were too lazy to plug up their systems, I don't say "That's MS's fault." I blame that on incompetent or lazy users. Now, I realize many here on this forum will blame MS, and they do get boatloads of blame, but they also patched the damn thing. Sometimes with these patches, the patch itself reveals the error and makes it widely known; virus or exploit writers then go about taking advantage of that, comparing differences between patched and unpatched systems.
When Samba had that "caught in the wild" security issue last year, I don't say "well that's been in the wild 5 years" and then count that one bug multiple times against them for every Samba version released since then, or every update. Why not? Because that would be ludicrous. Likewise with OBSD, I don't say "well, that was out there since release X when Y code was added, hence that counts for every release since X until current as a bug".
Note with the last, this also reveals that people and communities innately have their own ideas or standards on how "bugs" are counted against versions or releases. Most people would say Samba's bug they caught in the wild counts as 1 bug. And they'd be right. Not several, one for every Samba release since that code was written.
Same with OBSD. They have a standard, they found an issue, so does it apply to their policy for determining that count? No. Count doesn't go up.