Slashdot Mirror


OpenBSD 3.5 Released

pgilman writes "The word just hit the announce@openbsd.org mailing list: "We are pleased to announce the official release of OpenBSD 3.5. We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install. As in our previous releases, 3.5 provides significant improvements, including new features, in nearly all areas of the system" including security, hardware support, software ports, and lots more. Support the project if you can by ordering the CDs, or grab it from the net (use a mirror!). Thanks to Theo and the whole team!"

345 comments

  1. Argh by LooseChanj · · Score: 0, Offtopic

    Didn't even need /.'ing this time...

    --
    Mix the failings of Usenet with the shortcomings of the World Wide Web and the result is slashdot.
    1. Re:Argh by dhartmei · · Score: 3, Informative

      There's an unofficial BitTorrent link, just make sure you verify MD5 checksums against those listed on the official ftp server.

  2. Excellent by mastergoon · · Score: 5, Insightful

    I use Linux on almost all my systems, but nothing can cut the security I get using OpenBSD on my firewalls and routers. I can't wait for SMP support to be working.

    1. Re:Excellent by Anonymous Coward · · Score: 2, Interesting

      >> I use Linux on almost all my systems, but nothing can cut the security I get using OpenBSD on my firewalls and routers.

      what about www.grsecurity.net? IMHO, grsecurity is a much better solution, especially if it were ever integrated into 2.6 kernels. Face it, what other patch/modification/OS could potentially protect you from flaws in the kernel itself??

    2. Re:Excellent by gnuman99 · · Score: 0, Informative
      chroot in OpenBSD is a joke - under grsecurity you at least can't easily get out of it. chroot restrictions are essential for a secure system.

      well, this is at least my 2 cents

    3. Re:Excellent by Anonymous Coward · · Score: 0

      firewalls in Linux is a joke - under OpenBSD you at least can't easily configure and manage it. Firewalls/iptables under linux are a mess to manage when compared to an ACL based config, like PF.

      well, this is at least my 2 cents

    4. Re:Excellent by Lord+Kano · · Score: 4, Interesting

      How much traffic are you handling if you really need SMP on a firewall/router?

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    5. Re:Excellent by mastergoon · · Score: 1

      Probably not so much that it matters...but all my boxes are SMP, so why not take advantage of it when you can :)

    6. Re:Excellent by Anonymous Coward · · Score: 0, Flamebait

      That's the story in general with Linux. It's not well designed...

    7. Re:Excellent by Anonymous Coward · · Score: 0

      firewalls in Linux is a joke - under OpenBSD you at least can't easily configure and manage it. Firewalls/iptables under linux are a mess to manage when compared to an ACL based config, like PF.

      So you think not being able to easily configure and manage something is a good thing? Well OK.

      Another thing, if Linux's "iptables" interface to netfilter challenges you, then you have no business using computers at all.

      If anyone really wanted pf syntax for Linux it wouldn't be difficult to implement.

    8. Re:Excellent by DashEvil · · Score: 1

      He never said it challenged him. He said that it was a mess. One would obviously prefer the easier to manage solution when the end result is the same. That is his point.

      --
      -If God wanted people to be better than me, he would have made them that way.
    9. Re:Excellent by Anonymous Coward · · Score: 0

      Then use a GUI front end to creating an IP tables script, like Firewall Builder.

    10. Re:Excellent by Anonymous Coward · · Score: 0

      OpenBSD can. The kernel is compiled with propolice.

    11. Re:Excellent by Cecil · · Score: 1, Troll

      No. Lack of security holes are essential for a secure system.

      If I write a daemon that prints "Hello World" it does not need to be chrooted to be secure. So should all daemons be. If a network-accessible program is accessing files, especially user-specified files, it needs to be god damned careful about it. End of story.

      Chroot is a poor kludge of an attempt to turn a non-secure program into a secure one. I would prefer if it weren't in OpenBSD at all, it gives people a false sense of security. Even a perfect chroot leaves you open to all sorts of other vulnerabilities.

    12. Re:Excellent by Anonymous Coward · · Score: 0

      If the value of your comments is any indication, then your 2 cents is pretty much worthless in comparison to an openbsd cent. In other words, you're wrong.

    13. Re:Excellent by Anonymous Coward · · Score: 0

      Exact same attitude that appears whenever someone tries to advance the state of the art in Unix "security". chroot is a joke, it should never have been sold as a security feature. It's simply a half-assed hack done because it was easy.

      If people like you were running the show, we would still be using non-shadowed passwords.

    14. Re:Excellent by klasikahl · · Score: 2, Informative

      I think you're forgetting about the NSA funded SELinux project. It's also a kernel level MAC security patch. I prefer SELinux over GrSec for many reasons, one of which is the fact a team of well trained NSA kernel hackers coded SELinux. (As opposed to GrSec whose head coder and inventor is a punk who uses his security knowledge to keep his exploits as 0days. Sounds pretty fishy to me; I won't trust anything that has his name on it.) SELinux is in the official 2.6 kernel branch. Check it out here.

    15. Re:Excellent by Triumph+The+Insult+C · · Score: 1, Informative

      > Another thing, if Linux's "iptables" interface to netfilter challenges you, then you have no business using computers at all.

      that is absolute bullshit. when software is easy to use, it leads to fewer mistakes

      hmm ... edit a text file (using a syntax that is almost like reading english) and tell the firewall software to re-read it, or, memorize a half-dozen of command line switches

      --
      vodka, straight up, thank you!
    16. Re:Excellent by Anonymous Coward · · Score: 0

      ...and it's completely useless given that it takes a single information leaking bug (of which OpenBSD has a few, albeit apparently unknown to you and many others) to learn __guard then every bug that ssp would have prevented becomes trivially exploitable. come again? ;-)

    17. Re:Excellent by Anonymous Coward · · Score: 0

      aha, so that's how you convert personal likes/dislikes into secure/insecure software. and after so many years your well-trained kernel hackers have still managed to overlook such trivial bugs as http://marc.theaimsgroup.com/?t=105490094300001&r=1&w=2 . but yeah, selinux rulez, grsec sucks, all logical now.

    18. Re:Excellent by Homology · · Score: 5, Insightful
      > what about www.grsecurity.net [grsecurity.net]? IMHO, grsecurity is a much better solution, especially if it were ever integrated into 2.6 kernels. Face it, what other patch/modification/OS could potentially protect you from flaws in the kernel itself??

      I'm sure grsecurity is nice, but today it exists as a set of patches to the vanilla kernel only. The only distros that support it are Adamantix and Gentoo (part of Hardened Gentoo). Other widely used distros like RedHat, SuSE and Mandrake do not.

      As long as this state of affair exists, GRsecurity will not be a viable option for the majority of Linux users.

      On OpenBSD you have similar technology integrated with the OS. No need for patches or other stuff to use it.

    19. Re:Excellent by amix · · Score: 3, Interesting

      Don't think so mainstream. Think exotic:

      • VIA C3 (C5P core). Has double-RNG and AES hardware integrated. Perfect for VPN and WLAN.
      • At 1.2GHz it is not very fast (due to architecture) but consumes very (!) low energy and can be cooled passively. Perfect for a home-server that is on 24/7 and in your living-room
      • is SMP capable

      a 3x PCI 0x AGP SMP ATX board would make the perfect Home-Server. It would offer possibility for a WLAN card, a 4ch S-ATA RAID controller and a 2nd NIC, maybe with embedded firewall.

      While one CPU is serving the net and procmailing, the other one could compress some tarbz2 for the backup.

      Well, I am aware this is a server and not a firewall/router, but why not combine it, especially since the firewall is a separate system here. So yes, OpenBSD should really have SMP. Too bad VIA does not plan the C5P as a So370 version with a matching mobo, but in future such things might come. Why not?

      --
      Hello?? Fred?! Is this you?
    20. Re:Excellent by Anonymous Coward · · Score: 0

      iptables -A wan-in -m state --state INVALID RETARDED -j DROP

      iptables does have ACL style packet filtering, check out the -I flag.

    21. Re:Excellent by Anonymous Coward · · Score: 0

      If you know of bugs, send in bug reports. I think that's how this open source/free software thing is supposed to work.

    22. Re:Excellent by pe1chl · · Score: 1

      "Every security alert or audit contains the IP of the person that caused the event"

      That sure is impressive!
      I did not even know a person had an IP.

      Or do they mean "Intellectual Property"???

    23. Re:Excellent by Anonymous Coward · · Score: 0

      If you know the bug, report it.

      Otherwise you're just talking out of your ass.

    24. Re:Excellent by sir_cello · · Score: 1

      > I can't wait for SMP support to be working.

      I would rather the OpenBSD team concentrated on things other than SMP. For the large proportion of cost-effective routing/firewall systems, SMP isn't a priority.

      What is a priority is (a) continual stripping out of GNU licensed artifacts, (b) continual code "securisation", (c) continual security features (i.e. CARP, etc).

      SMP sounds like a nice bit of candy: but I'd prefer the healthy food first.

    25. Re:Excellent by Anonymous Coward · · Score: 2, Interesting

      With dual-core CPUs possibly on the way from AMD, and the proliferation of other SMP or HyperThreading technologies, SMP is slowly becoming a priority.

      Something changed Theo's mind about it (maybe it was just Niklaus volunteering), so it's probably worth looking into.

    26. Re:Excellent by Anonymous Coward · · Score: 0

      Does grsecurity audit all the code that comes with a Linux distribution?

    27. Re:Excellent by Anonymous Coward · · Score: 0

      OK, I'll take the bait, for all of us misled by hype from OpenBSD please let us in on the much better (even secure!) alternatives...

      OS/400? MVS? VMS? XP? what?

      I assume from your depth of understanding of obscure OpenBSD security bugs, you would have made a welll informed choice.

    28. Re:Excellent by Anonymous Coward · · Score: 0

      does openbsd audit all the code that comes with it? hint, ports are explicitly not audited due to lack of manpower. apples to oranges we like, don't we? ;-)

    29. Re:Excellent by Anonymous Coward · · Score: 1, Insightful

      Hint, the stuff in ports doesn't come with OpenBSD, it is installed separately.

      My point is that grsecurity may have some very nice security features, but one of the main reasons OpenBSD is so secure is that it has people going through the code auditing it. Security is a process, not a patch.

    30. Re:Excellent by Anonymous Coward · · Score: 0

      grsec: From 1.2.3.4: use of CAP_SYS_ADMIN denied for (dmesg:2244) UID(0) EUID(0), parent (bash:20629) UID(0) EUID(0)

    31. Re:Excellent by Anonymous Coward · · Score: 0

      Um... so just patch the kernel?

      If you don't know how to do that, you probably don't care much about security anyway.

      And uh.. yeah, what's wrong with the vanilla kernel?

    32. Re:Excellent by retrev · · Score: 1

      Actually, I believe he's saying that a certain amount of trust and strength of character is required when dealing with security of this level. If the guy is a known h4x0r, how do we know he doesn't exploit holes weeks before he decides to fix them in his grsec code?

    33. Re:Excellent by Anonymous Coward · · Score: 0

      Why waste time sitting there patching something that doesn't need patching? Do you understand waste of time?

    34. Re:Excellent by drinkypoo · · Score: 0, Offtopic
      My firewall system is a network engines roadster lx with a celeron chip in it (a 466 or something, I forget) and it runs gentoo. (I have in the past used openbsd, but I decided to stick with linux since it runs on damn near everything, and I wasn't really interested in using netbsd.) It manages to handle VPN for my (one) WiFi client and still kick out a couple megabits to that user, which is to say, my girlfriend. Her network wire went bad a while ago and I haven't felt like climbing into the attic without a ladder again, last time I did that I think I hosed up one of the studs in the closet trying to chimney my way up.

      Anyway this same system also provides distcc cross-compiling for my Indy running Gentoo/MIPS and various other services to certain trusted users, like sftp and so on. There's no reason for the system to do only one thing.

      SMP is great for anything which must meet demands for its resources rapidly.

      Now on to the disagreement stage: You really don't want C3 to go PGA, that's a big fat waste of money in both packaging and mounting departments. It would be better if they just made a board with two soldered Nehemiah-core CPUs, with big fat heat sinks, in an atx form factor (not itx) so you could put it in a normal case. The small boards are fantastic for most of the purposes to which you would like to put them but if you want to make a more general purpose server you're likely going to need a larger case than the mini-itx stuff.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    35. Re:Excellent by krunk7 · · Score: 5, Funny

      > Another thing, if Linux's "iptables" interface to netfilter challenges you, then you have no business using computers at all.

      Congratulations! You've won "The 1337ist Statement of the Day Award"!!

    36. Re:Excellent by EvilAlien · · Score: 2, Interesting
      Using the 2.6 kernel on a system with security as the primary goal isn't wise anyways. Part of having a well-secured system is staying away from the insufficiently audited and tested code, i.e. the new stuff.

      Mandrake has been very good about using grsecurity in their secure kernels, and include it within the sets of patches in their kernel source packages. That is one of the things that has always attracted me to Mandrake. Their attention to security is often overlooked amidst all the attention they get for ease of use and "newbie friendly" features.

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
    37. Re:Excellent by Anonymous Coward · · Score: 0

      how do you know the NSA doesn't do it? see, that damn coin always has two sides...

    38. Re:Excellent by Anonymous Coward · · Score: 0

      I was not aware it was the grsecurity's author responsibility to go out of his way and fix every hole that exists.
      You also can't even try to compare selinux to grsec they clearly have different goals. Try reading the documentation some time.

      Get a clue kids.

    39. Re:Excellent by geefunk · · Score: 1
      > I'm sure grsecurity is nice, but today it exists as a set of patches to the vanilla kernel only. The only distros that support it are Adamantix and Gentoo (part of Hardened Gentoo). Other widely used distros like RedHat, SuSE and Mandrake do not.

      Actually, Mandrake ships a kernel rpm with grsecurity.
      Mandrake security
      Just look for the kernel-secure-* rpms. Debian provides the grsecurity patches for their kernels, as well.
    40. Re:Excellent by Anonymous Coward · · Score: 0

      How does grsecurity compare to selinux? are they compatible? (didn't read too much on the site, just interested...)

    41. Re:Excellent by Homology · · Score: 1
      > Mandrake has been very good about using grsecurity in their secure kernels, and include it within the sets of patches in their kernel source packages. That is one of the things that has always attracted me to Mandrake. Their attention to security is often overlooked amidst all the attention they get for ease of use and "newbie friendly" features.

      I was not aware of the secure kernel part of Mandrake, and as another poster said, this is overlooked by many. Nice to know, though. Kudos to Mandrake.

    42. Re:Excellent by Homology · · Score: 1

      Urk, should not be so hasty to push that "submit" button.

    43. Re:Excellent by klasikahl · · Score: 1

      Actually, I was stating that he intentionally does not release the source code to his exploits nor does he tell the developers. He does this so that he can exploit the boxes for his own evil. This is called blackhat hacking. Get a clue.

    44. Re:Excellent by nocomment · · Score: 1

      Forgive the karma whoring, but this got so buried nobody will find it...just a torrent link.

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
    45. Re:Excellent by amix · · Score: 1
      > Now on to the disagreement stage: You really don't want C3 to go PGA, that's a big fat waste of money in both packaging and mounting departments.

      Well, I don't want one. You are right.

      I already have one ! [C3 Nehemiah 1GHz on VIA C3M266-L uATX, So370]

      > It would be better if they just made a board with two soldered Nehemiah-core CPUs, with big fat heat sinks, in an atx form factor (not itx)

      Well, I see what you mean. But I do not agree. What if I can get a faster CPU within 12 months ? I need to exchange the whole CPU+Mobo, along with possible incompatibility/stability issues with the hardware, that I already purchased for that mobo. No no, I do not care for those few extra bucks, but get a "real" system instead. So the above stands:
      I want a dual C5P So370 system on CM400 chipset in uATX FF. No more, no less. But, as I know, it won't happen. :-(

      --
      Hello?? Fred?! Is this you?
    46. Re:Excellent by Anonymous Coward · · Score: 0

      You are all over the place with that post, mind narrowing it down to a clear, concise argument? Are you stating that OpenBSD isn't secure? Are you stating that grsecurity removes the need for code reviews? If you aren't stating either of these things, then you aren't disagreeing with me.

    47. Re:Excellent by drinkypoo · · Score: 1

      If they scaled the price reasonably for the cost of the components, it would probably be about the same price to just buy a new board with the new CPUs (since you have to buy two CPUs with expensive packages anyway) as it would be to buy the two new processors. I think it really makes more sense for the single chip boards to have a socketed-cpu flavor than the hypothetical duals.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    48. Re:Excellent by maximilln · · Score: 1

      What do you do if you can sense that there's a bug but you don't have the time or in-depth knowledge to track it to its source? Web-browser vulns come to mind. Firewall vulns come to mind. Heck, any low-level vuln that requires sorting through source code and piecing together all of the relevant buffers comes to mind.

      A bug report that consists of an empirical observation is much more likely to be dismissed (at best) or openly ridiculed if there isn't a definitive trace back to the source code.

      --
      +++ATHZ 99:5:80
    49. Re:Excellent by Anonymous Coward · · Score: 0

      SSP "never reported a bug"?

      Hmm.

  3. Amazingly, yes by Anonymous Coward · · Score: 4, Informative
    1. Re:Amazingly, yes by Anonymous Coward · · Score: 1, Flamebait

      Don't want to start a flame war here... but,
      while PF may be one of those tools that adds more
      security than it takes away, that means *nothing*
      if the underlying platform is swiss cheese.

      OpenBSD is a philosophy, not just another
      operating systems and that's something you may
      well want to consider before just bandying about
      PF for whatever operating system catches your
      fancy this week.

    2. Re:Amazingly, Yes by Anonymous Coward · · Score: 0

      Hello everyone!
      You may know me as the "troll" that posts the "BSD IS DEAD" and all of the "FACTS" to every BSD story on Slashdot. Many people wonder why I do it. The answer is that BSD is detrimental to the open source community.

      As a Linux advocate, I have taken upon myself the duty to convince Slashdot readers that BSD is dead and that Linux is the future. If BSD were to gain a bigger marketshare, corporations such as IBM, Oracle, and Sun may be distracted from their interest in Linux.

      If you know any BSD users, you must convince them to convert to Linux. These people are slowing down open source development because developers are distracted from working on Linux programs to make them work with BSD. Imagine how great Gnome/KDE, Mozilla, and Apache would be if the developers didn't have to waste precious time writing code so that it would run on BSD. We need the entire open source community to get behind a single operating system so that developers can focus on achieving our goal, OS dominance.

      We can all agree that Microsoft has to go. We cannot allow any other proprietary operating system to take its place. That narrows it down to the open source operating systems, of which the 2 major options are Linux and BSD. Since Linux already has the larger marketshare, we need to kill off BSD. Once we convert all the BSD developers to Linux, we will have a stronger army.

      So what can you do to help? Easy. Find BSD users and developers and convince them to switch to Linux. Do so by any means necessary. You can start out being nice, but be persistent. Don't give up. In the end, they will thank you for enlightening them.

      After we destroy BSD, we will need to focus on a single Linux distribution, Fedora. The other Linux distributions are wasting time and causing confusion. We need everyone to focus on Fedora so that it can be made the best operating system ever!


      As a great man once said, "Let us never forget the duty, which we have taken upon ourselves."
  4. Security by Anonymous Coward · · Score: 2, Interesting
    The ports & packages collection does NOT go through the thorough security audit that OpenBSD follows

    So if I want optimal security, how do I choose which packages to use?

    1. Re:Security by Anonymous Coward · · Score: 5, Insightful

      Choose only the packages you will be using, not the ones you might use some day but aren't absolutely needing. Usually a port that has an absolutely horrible track record might not make it in, or if it has a gaping security problem it might be marked as BROKEN.

      Use common sense, choose packages of software you have faith in to not suck.

    2. Re:Security by evilviper · · Score: 2, Insightful
      > Choose only the packages you will be using, not the ones you might use some day but aren't absolutely needing.

      This is lousy advice. You can have all the programs you want installed, and it won't make your system any less safe.

      The only exception is suid/sgid programs.

      It always drives me insane when I read another "security" tutorial on the web that suggests deleting unused programs, or your compiler, will make your system more secure, somehow.

      Incidentally, ports do include patches, and most maintainers will include a patch that fixes a bug in the code if they notice it while they are porting... So, while ports aren't really audited, it IS safer to use the OpenBSD port of a program, than to compile the vanilla source yourself.

      > Use common sense, choose packages of software you have faith in to not suck.

      Always good advice.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    3. Re:Security by kasperd · · Score: 1

      > The only exception is suid/sgid programs.

      That is almost what I would have said. But it still is a bit too simplified. Yes, suid/sgid programs can be insecure, but how insecure of course depends on the owner user/group. For example if you install a game, and the executable is sgid to a special game group to get permission to write to a highscore file, I don't consider that particularly insecure. Of course there is the theoretical problem that one user might exploit a bug in the game to be able to overwrite the highscore file with some garbage. This is even worse if he can exploit another bug in the program to take control of the game when it reads a corrupt highscore file, and that way take control of another user's account. But a bug that can be exploited by a corrupt file could exist in any program even if it was not suid/sgid, and it will only affect users who run the program.

      Of course suid root executables are always dangerous, and shouldn't be installed unless you need them. But that is not all. A package can potentially be dangerous even if it does not contain suid/sgid executables. For example device inodes with wrong permissions could be a problem. Device inodes should only be installed by the base system, I would stay far away from any other package installing one. Finally there are a few directories in which installing files can be dangerous, because you automatically load files from those directories. I don't know about BSD, but Linux will automatically load drivers from /lib/modules when needed. So any package installing object files in /lib/modules could be a security problem, even if they are just drivers for a device you don't have on your system. Another example would be if a package installed something in your PATH, which you might run when you didn't intend to. Imagine if a package installed a /usr/bin/ls file, which you executed when you intended to use /bin/ls.

      It would be nice with a tool that could check a package for potentially dangerous things, and tell you if it was perfectly safe to install or if it could potentially be a problem. Still I'm afraid if such a tool was created, people would put too much faith in it and expect it to even warn them about potential trojans, which is an entirely different story.

      --

      Do you care about the security of your wireless mouse?
    4. Re:Security by evilviper · · Score: 1
      > A package can potentially be dangerous even if it does not contain suid/sgid executables. For example device inodes with wrong permissions could be a problem.

      I wasn't trying to provide a complete list of potential security problems... I say SUID/SGID programs, because nothing you can do would fix a security hole in them.

      Permissions ARE something you can handle yourself. A device isn't the only problem... If you have a program in /usr/bin with global write permission, you also have a serious problem. However, a quick chmod will make sure all the programs in /usr/bin are not writeable by anyone... Nothing similar can be done for SUID/SGID programs.

      Incidentally, SUID/SGID programs aren't always a problem. For each privileged program a user might need to run, I create a group for the program, add only the users that need the program to that group, and make sure the program cannot be executed by anyone outside that group. It's not as fool-proof as removing all suid/sgid programs, but it significantly lessens your risk in the event that somebody gets user-level privileges.

      The same thing can be done, only even more securely, with systrace privilege escalation.

      Still, as I said, I wasn't trying to write a full book on security, so I left out the details. My point is that you really don't have anything to worry about from 99% of installed programs, and removing them is pointless.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    5. Re:Security by kasperd · · Score: 1

      > My point is that you really don't have anything to worry about from 99% of installed programs, and removing them is pointless.

      I agree with that. So if we just knew how to identify the last 1%.

      --

      Do you care about the security of your wireless mouse?
    6. Re:Security by evilviper · · Score: 1
      > So if we just knew how to identify the last 1%.

      We do... find / -perm -2000 -or -perm -4000

      Then you just need to make sure permissions of everything on your file-system are sane.

      chmod -R a-w /usr

      It's not too difficult.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
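Added example, not code from the thread, OpenBSD or the ports tree: a Python script that does what the last two exchanges describe. It walks a tree the way `find / -perm -2000 -or -perm -4000` does, reports setuid/setgid programs, singles out those that everyone (not just a dedicated group, as in evilviper's group-per-program scheme) may execute, and lists world-writable files, the thing `chmod -R a-w /usr` is meant to clean up. It also sketches the package-checking tool kasperd wished for earlier in this thread: device nodes, files under the kernel module directory, and a command name that collides with one already in another PATH directory. The module directory, the PATH order, the package manifest and every file name are assumptions constructed for the demo.

```python
"""Added example: audit a file tree and a package manifest for the items the
thread calls out.  Not OpenBSD or ports code; directories and names are assumed."""
import os
import shutil
import stat
import tempfile

# Assumed directories for the manifest check (constructed for this example).
MODULE_DIRS = ("/lib/modules",)                      # drivers loaded on demand
PATH_DIRS = ("/bin", "/usr/bin", "/usr/local/bin")   # dirs searched for commands


def audit_tree(root):
    """Walk `root` like `find / -perm -2000 -or -perm -4000` and report:
    setuid/setgid files, setuid/setgid files that anyone may execute (the
    group-per-privileged-program scheme removes these), and world-writable
    files (what `chmod -R a-w /usr` is meant to clean up)."""
    findings = {"setuid_setgid": [], "world_exec_privileged": [],
                "world_writable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):     # judge the target, not the link
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings["setuid_setgid"].append(rel)
                if st.st_mode & stat.S_IXOTH:
                    findings["world_exec_privileged"].append(rel)
            if st.st_mode & stat.S_IWOTH:
                findings["world_writable"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def check_manifest(manifest, installed):
    """Flag files a package would install that are risky by location alone.
    `manifest` is the package's file list; `installed` maps each PATH
    directory to the command names already present there."""
    problems = []
    for path in manifest:
        if path.startswith("/dev/"):
            problems.append((path, "device node outside the base system"))
        if any(path.startswith(d + "/") for d in MODULE_DIRS):
            problems.append((path, "kernel module loaded on demand"))
        directory, base = os.path.split(path)
        if directory in PATH_DIRS:
            for other in PATH_DIRS:
                if other != directory and base in installed.get(other, ()):
                    problems.append((path, "same name as %s/%s; which one runs "
                                           "depends on PATH order" % (other, base)))
    return problems


def demo():
    """Build a constructed tree in a temp dir, audit it, and return the results."""
    root = tempfile.mkdtemp(prefix="pkgaudit-")

    def put(rel, mode):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(full, mode)

    put("usr/bin/passwd", 0o4755)    # setuid and executable by everyone
    put("usr/bin/game", 0o4750)      # setuid but only its own group may run it
    put("usr/bin/scratch", 0o666)    # world-writable: a chmod a-w target
    put("usr/bin/safe", 0o755)       # ordinary program, nothing to report
    tree = audit_tree(root)
    shutil.rmtree(root)

    manifest = ["/dev/evil0", "/lib/modules/2.6/extra/foo.ko",
                "/usr/bin/ls", "/usr/bin/safe"]               # constructed
    installed = {"/bin": {"ls", "sh"}, "/usr/bin": {"safe"}}  # constructed
    return tree, check_manifest(manifest, installed)


if __name__ == "__main__":
    tree, problems = demo()
    for category, paths in tree.items():
        print(category, paths)
    for path, why in problems:
        print(path, "->", why)
```

Run it as `python3 pkgaudit.py` to see the constructed tree's findings; pointing `audit_tree` at `/usr` on a real system gives the same three lists for that tree, and `check_manifest` only needs a package's file list and a map of what is already installed in each PATH directory. The PATH-collision check deliberately reports a clash in either direction, because which of two same-named programs runs depends on the user's PATH order, not on the package's.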
  5. pfsync/CARP by ArbitraryConstant · · Score: 4, Interesting

    OpenBSD is the Cisco killer.

    It's now suitable for replacing a lot of the Cisco gear out there.

    --
    I rarely criticize things I don't care about.
    1. Re:pfsync/CARP by astrashe · · Score: 4, Insightful

      Isn't a lot of Cisco's appeal on the hardware side?

      I haven't had a router in a few years, but when I did have a couple, they were rock solid. I always assumed that a big part of it was the fact that they didn't have any moving parts.

      Wouldn't the computer architecture make an OpenBSD router less stable?

    2. Re:pfsync/CARP by PatJensen · · Score: 5, Informative
      When you can do the following, OpenBSD will be a Cisco IOS killer.
      • Configure, maintain and secure your routing protocols and interfaces in one easy to read and edit configuration file.
      • Store the configuration in solid-state flash memory.
      • Upgrade the entire OS by TFTP'ing a single file.
      • Provide support for many types of LAN and WAN interfaces (DSx, hardware accelerated ATM segmentation and reassembly, etc.)
      • Provide support for layer 2/3 QoS packet tagging in hardware (on ALL WAN interface types i.e. ATM, Frame, DSx) to reduce CPU load on distribution routers.
      • Handle IPv4 traffic routing in hardware, with the OS just maintaining flow state information.
      • Provide support for the plethora of legacy protocols that are on corporate networks (DLSw, X.25, etc.)
      When the only tool you have is a hammer, everything looks like a nail.

      -Pat

    3. Re:pfsync/CARP by ArbitraryConstant · · Score: 5, Interesting
      > I haven't had a router in a few years, but when I did have a couple, they were rock solid. I always assumed that a big part of it was the fact that they didn't have any moving parts.

      OpenBSD (and all the rest) don't need moving parts, except for the power supply fan. VIA Eden chips can run without a fan, and there are other chips from other architectures with similar specs. The hard drive can be replaced by a flash IDE drive if your space requirements are small enough.

      Cisco still wins on speed when all you're doing is routing, and in many other situations, but the firewall isn't that impressive.

      > Wouldn't the computer architecture make an OpenBSD router less stable?

      Not necessarily, it runs on a lot of different architectures... Xeon's, Opterons, PowerPC, MIPS, etc. If you didn't have to patch, uptimes of years wouldn't be a problem.
      --
      I rarely criticize things I don't care about.
    4. Re:pfsync/CARP by Anonymous Coward · · Score: 0

      Here's a little surprise for you:

      I have a cisco 2600 gathering dust in the corner
      because I couldn't get the TAC to provide me with
      their "free" IOS upgrade for the last couple
      disclosures.

      Guess what's shuffeling packets in it's place?

      That hardware/NVRAM equation is not such a hard
      nut to crack. Even a modest amount of cisco
      equipment uses PCMICA cards to store their IOS.
      Take a *CLOSE* look at the latest VIA EISA
      offerings.

      The fact that I have a well understood underlying
      BSD operating systems with thousands of dedicated
      fanitical BSD hackers working on upto the moment
      solutions for me is nothing more than *GRAVY* and
      make the solution space for standard off the shelf
      packet shuffeling problems extremely obvious.

      Stick that in your 50x earnings pipe and smoke it.

    5. Re:pfsync/CARP by ATomkins · · Score: 1

      Yeah, OpenBSD needs a few more of these, too!

      Everybody knows that security flaws are what makes a system popular.

    6. Re:pfsync/CARP by Schubert · · Score: 4, Funny

      When the only tool you have is an axe, everything looks like fun. :-)

      --
      -- schubert
    7. Re:pfsync/CARP by Anonymous Coward · · Score: 0

      www.soekris.com / www.opensoekris.com

    8. Re:pfsync/CARP by mistermark · · Score: 1

      >Wouldn't the computer architecture make an OpenBSD router less stable?

      Well, choose a stable computer architecture :-) I use a (in other terms) obsolete Sun Ultra1 on OpenBSD/Sparc64, runs like a dream ... hardware cost: $40, software cost: $0 (though I should buy the CDs, just for the stickers!) It feels criminal, so much quality for so little money, even beats the cheaper crap routers...

    9. Re:pfsync/CARP by Anonymous Coward · · Score: 0

      i dont know much about cisco or openbsd.
      but half of those look like they would ONLY be in a hardware based router.

      so that's basically impossible, and immaterial if openbsd to have.

      if you want a cisco, get a cisco.
      but openbsd works for other people and has quite a large feature set.

    10. Re:pfsync/CARP by mrchaotica · · Score: 2, Interesting
      OpenBSD (and all the rest) don't need moving parts, except for the power supply fan. VIA Eden chips can run without a fan, and there are other chips from other architectures with similar specs. The hard drive can be replaced by a flash IDE drive if your space requirements are small enough.


      They don't even need a power supply fan; my epia system has a 12VDC -> ATX power board that plugs into an external AC/DC converter (power brick). It supplies plenty of power (60 watts; plenty for an epia at least) and it's small (the same length as the epia itself, and a little over an inch wide). Depending on which epia you have, it's possible to plug its ATX out straight into the Epia's ATX in without a cable.

      So, an Eden Epia + 12VDC power board + Flash Drive = no moving parts at all. And it's more flexible and cheaper than a Cisco router!
      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    11. Re:pfsync/CARP by cpghost · · Score: 1

      So, an Eden Epia + 12VDC power board + Flash Drive = no moving parts at all. And it's more flexible and cheaper than a Cisco router!

      It is also the ultimate silent multipurpose computer! Doing maintenance work in a machine room full of these would be a dream!

      --
      cpghost at Cordula's Web.
    12. Re:pfsync/CARP by pacman+on+prozac · · Score: 3, Informative

      IPv4 routing in Cisco is done by software not hardware.

      This already is a Cisco killer for one simple reason, VSRP is crap.

    13. Re:pfsync/CARP by pacman+on+prozac · · Score: 1

      HSRP even (hot standby router protocol)

    14. Re:pfsync/CARP by pe1chl · · Score: 1

      Actually I think that keeping everything as monolithic as it is now is finally going to kill Cisco.
      You have to select an IOS version that includes all the features you need, fits in the memory you have, and does not have any of the bugs that are blocking to you. This is becoming increasingly difficult.
      A more modular approach (a base kernel with drivers and features loaded as modules) will be required to be able to move forward without keeping all that archaic stuff forever.

    15. Re:pfsync/CARP by pe1chl · · Score: 4, Insightful

      >Cisco still wins on speed when all you're doing is routing, and in many other situations, but the firewall isn't that impressive.

      All but the high-end Cisco boxes are very short of central processor power. Look at boxes in the 1700, 2600 and 3700 lines. They need additional co-processor cards to help with tasks like encryption and compression, where a PC could perform these easily without any help.

      And when you need only little bandwidth but need a nontrivial number of interfaces, you are forced to buy quite a large box. (The 1700 series accommodates only 2 interfaces, and on the 2600 series there is the possibility of 4 interfaces but only for Voice, not for Data. So very quickly you will need a 3725, for applications where a PC could still easily handle the load.)

    16. Re:pfsync/CARP by kfg · · Score: 2, Funny

      When the only tool you have is an axe, everything looks like fun. :-)

      Yeah, they made us shout that in group before trust building exercises at the Borden Institute of Family Relationships.

      KFG

    17. Re:pfsync/CARP by sir_cello · · Score: 1


      OpenBSD is only a Cisco killer in SOHO and SME type environments. Even then, part of the problem is that it still requires expertise to set up - there are a lot of CCIE/CCNE out there, and not so many pf/carp/openbsd experts.

      The thing for the OpenBSD guys to do is make OpenBSD an attractive platform to OEMs who will build more user friendly solutions onto it.

    18. Re:pfsync/CARP by Anonymous Coward · · Score: 0

      If I recall correctly, they are moving to a modular IOS to correct this.

    19. Re:pfsync/CARP by Anonymous Coward · · Score: 5, Insightful

      Configure, maintain and secure your routing protocols and interfaces in one easy to read and edit configuration file.
      One file, more files, what is the difference? If the config files are well organized, which they are, there is no reason to have it all in one file.

      Store the configuration in solid-state flash memory.
      Get a CompactFlash card and a CF-to-IDE adapter.

      Upgrade the entire OS by TFTP'ing a single file.
      Could be done, you would need twice as much disk (CF) space as you need for a single installation, then download the new OS, unpack it on a free partition, switch the default partition for booting, reboot. Ok, perhaps no one has done this until now. Perhaps it's because no one really needs it, not even the people who use OpenBSD on all their routers.

      Provide support for many types of LAN and WAN interfaces (DSx, hardware accelerated ATM segmentation and reassembly, etc.)
      Provide support for layer 2/3 QoS packet tagging in hardware (on ALL WAN interface types i.e. ATM, Frame, DSx) to reduce CPU load on distribution routers.
      Handle IPv4 traffic routing in hardware, with the OS just maintaining flow state information.

      Why do you need to do all this in hardware? Most of this stuff can be done in software with a strong enough CPU and I/O. The rest that can't be done in software is probably not used by the majority of Cisco users (see below for more).
      Really, you are building these requirements in such a way that OpenBSD cannot comply. It's a bit like saying that OpenOffice will replace MS Office if the third submenu in the 'File' menu is 'Open', when you click on it, go 102 pixels down and 53 pixels left, click, select the third option, and it reads 'Microsoft Word (.doc)'. What you really need is that it opens a .doc file, no matter how it is done.

      Provide support for the plethora of legacy protocols that are on corporate networks (DLSw, X.25, etc.)
      Not everyone needs those, and the majority who do not can use OpenBSD. The rest will probably use Cisco anyway, but it may just not be enough for Cisco to survive. Thus "Cisco killer".

      In fact I don't think this will happen, as the strong Cisco feature is that they sell everything in one package, unpack and plug and play :). And they have some tech support, too.

    20. Re:pfsync/CARP by Anonymous Coward · · Score: 0

      "Isn't a lot of Cisco's appeal on the hardware side?"

      Ask the anti-GPL trolls.

      "Cisco can't possibly open-source their software even if they nick bits of GPL code to put in it, because cisco stuff is all about the software, and without their custom software, it would just be a plain old PC"

      (or such like)

      repeat as necessary for any other hardware company accused of illegally using GPL code.

    21. Re:pfsync/CARP by drinkypoo · · Score: 5, Insightful
      The sad part is, that the Cisco stuff ain't all that stable. Plus, the fact that they have been known to offload some of the work into firmware on the chassis means that sometimes something needs to be upgraded and it can't be, or they won't do it - and since it's (obviously) not open source, you can't fix it either. For instance, the catalyst 5000 switches (but not 5500s) are not considered Y2K compliant with any supervisor module, even a III.

      The only really special thing about Cisco hardware as compared to a PC is that their backplane has traditionally been much faster than anything a PC has had to offer, and they have offered network cards (or blades in the Cisco parlance) with more ports (since they are larger) and with additional processors on the cards which do routing themselves. (Layer 3 switch blades, for example.) It's nothing you couldn't do on a PC, though, there just hasn't been a reason to. The most modern PCs have an extremely fast bus however, in the form of 66MHz/64 bit PCI, and now PCI-Express is coming along and the wider versions of that are even faster from what I understand.

      Anyway, since when do routers not have moving parts? Every Cisco product beyond the SOHO level has at least one cooling fan. A cat5k (I pick on it a lot because it's what I have most experience with) has, like, eight plus one per power supply. Meanwhile, there are PCs without any moving parts - A cisco PIX 520 would be one of these, if it didn't have a power supply fan, because it's just a PC in a custom rack case, with an expansion card with a flash ram disk on it, and some Intel EEPro 100/B Management Adapters in it. (Someone told me once that tulips work too, as they were used in older pix 520s, but I've never seen that before.)

      So the short form is "no", the computer architecture won't make an OpenBSD router less stable than a Cisco one. The only thing that might would be OpenBSD itself.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    22. Re:pfsync/CARP by Anonymous Coward · · Score: 0

      I disagree. The only tool I have is a hammer, and to me every problem looks like a thumb.

    23. Re:pfsync/CARP by evilviper · · Score: 1
      OpenBSD (and all the rest) don't need moving parts, except for the power supply fan.

      There are fan-less power supplies, too.

      The hard drive can be replaced by a flash IDE drive if your space requirements are small enough.

      Why would anyone need a lot of space for a router/firewall? I was using a 32MB PCMCIA card for mine.

      Cisco still wins on speed when all you're doing is routing, and in many other situations, but the firewall isn't that impressive.

      What other situations? With years of Cisco experience, custom hardware that speeds up network processing is the only advantage I can think of. Everything else can be done with a computer...

      Mark my words, once somebody makes a network card that does all the processing on-board (3com, are you listening?) Cisco will find most of their market slipping out from under them. Until then, tulip cards are great (man do I miss DEC) and even an old 200MHz system can handle multiple maxed-out 100Mbps interfaces.

      If you didn't have to patch, uptimes of years wouldn't be a problem.

      And when you are just running PF, with no local users, the need to patch the kernel isn't very common...

      (Everything but the kernel can be patched/upgraded without rebooting.)
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    24. Re:pfsync/CARP by evilviper · · Score: 3, Insightful
      Configure, maintain and secure your routing protocols and interfaces in one easy to read and edit configuration file.

      This is bull. Cisco routers do not have text editors, and transferring a config file to/from a Cisco router every time you need to make a change is quite cumbersome.

      I used to be annoyed that different Unix config files have different syntaxes, until I used Cisco... There, each different option (hundreds, if not thousands in each config) may have its own syntax, that you really have to memorize, or look up to get right.

      Store the configuration in solid-state flash memory.

      Not a problem at all. I had a router running solely on a 32MB PCMCIA card several years ago.

      Upgrade the entire OS by TFTP'ing a single file.

      Now that's pretty stupid. First, I've seen many routers corrupted because TFTP is so very hit-or-miss... The fact that most Cisco routers are only able to use TFTP is a serious drawback, not an advantage.

      As for the single file... OpenBSD's base system is spread across about 5 tar.gz files... If it makes you feel better, I could very quickly whip up a script that will combine them into one tgz file. Better?

      Provide support for layer 2/3 QoS packet tagging in hardware

      QoS is supported by PF. It's not in hardware, but that's no real concern.

      When the only tool you have is a hammer, everything looks like a nail.

      When you only own stock in Cisco, everything else must be inferior.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    25. Re:pfsync/CARP by ModernGeek · · Score: 1

      With only one remote hole in 8 years, you don't have to patch

      --
      Sig: I stole this sig.
    26. Re:pfsync/CARP by ArbitraryConstant · · Score: 1

      There are holes that have been discovered long after the version in question was obsolete. But if you were to leave such a version in production, it would be vulnerable.

      --
      I rarely criticize things I don't care about.
    27. Re:pfsync/CARP by ArbitraryConstant · · Score: 1

      There are fan-less power supplies, too.

      So I'm told. I stand corrected.

      Why would anyone need a lot of space for a router/firewall? I was using a 32MB PCMCIA card for mine.


      It would be hard to cram it all into 32 mb. I'm more comfortable with a system that can build itself from source for patches and upgrades. I don't have other systems available that can build it from source, and it's just a home network, so I don't think I'm ever going to.

      Mark my words, once somebody makes a network card that does all the processing on-board (3com, are you listening?) Cisco will find most of their market slipping out from under them. Until then, tulip cards are great (man do I miss DEC) and even an old 200MHz system can handle multiple maxed-out 100Mbps interfaces.

      nVidia has this feature in their new Athlon 64 chipset. It gets pretty close to wire speed on a gigabit network. They're not releasing the docs for it, so it won't be supported.

      I also think that those features would be incompatible with PF.
      --
      I rarely criticize things I don't care about.
    28. Re:pfsync/CARP by pyite · · Score: 1

      Yea, the whole "no fan" thing is pretty much irrelevant. Even 1U Cisco switches have fans. We were moving around one of our test network's Catalyst 6513s yesterday and I was kind of laughing at the fact that the damned thing has 15 fans on the side. Then again, the 12000s still win since they have AIR FILTERS on them. I was not aware of a Y2K problem on a 5K. I find that kind of fishy unless you're running REALLY old code. I mean, I have a 2926 as one of my personal switches (has a Cat5K SUP) and it's running super old code and it doesn't have Y2K problems that I know of.

      --

      "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

    29. Re:pfsync/CARP by drinkypoo · · Score: 1
      When I worked as a lab admin intern for Cisco in Santa Cruz - after I had done a short stint as a somewhat talentless noob of a systems and network administrator, and a longer haul working for Tivoli doing level 2 phone support (I went to developer meetings and shit like that, whee, the beer bashes frequently had as much technical exchange as the meetings though) we took something like five of the 5-slot 5000s, are those 5005s? anyway, we took them out of service and moved them into the QA lab, and put sup 3s in them, as well as gigabit fiber, so people upstairs could test cable modem hardware downstairs. Anyway we took them out because of y2k compliance issues which apparently were not fixed by a sup 3 with the latest code. So either my supervisor (and I don't mean the card in slot 1) at cisco was clueless, or there's something wrong with that vintage of switch.

      I forget what we put in to replace the 5000s, something much much better. The 5000s were there from the days when the building belonged to TGV, which is to say before TGV belonged to Cisco, and weren't really doing the job any more anyway.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    30. Re:pfsync/CARP by harikiri · · Score: 1

      Not that I'm cluey on the actual technology, but from what I hear at work about what MPLS can offer larger networks - I'm yet to see any of that functionality present in OpenBSD.

      Yes, OpenBSD (in fact most of the open source operating systems) can be tailored to be an embedded routing solution, as in fact some vendors have been doing for a few years, but I don't see it hitting enterprise level except in niche areas.

      Cisco still remains the best networking vendor in terms of support (they seem to be the Sun Microsystems of the routing world), and overall network devices - notwithstanding recent security issues that have been discovered.

      PS, I'm not a Cisco fanboy. I haven't done conf t on IOS for about 3-4 years. ;)

      --
      Man watching 6 MSCE's around a sun box looks a lot like the opening scenes of 2001: A Space Odyssey...
    31. Re:pfsync/CARP by SphericalCrusher · · Score: 1

      I don't think there will ever be a Cisco killer until we start getting some smarter people in this world. The day that one single person cannot be social engineered is the day when we can finally throw Cisco Certification out...

      --
      "Instant gratification takes too long." - Carrie Fisher
  6. What? by Anonymous Coward · · Score: 1, Informative

    "The word just hit the announce@openbsd.org mailing list..." You act as if this is big news. New versions are always released in May and Nov.

  7. Monty Python clone??? wtf? by Billly+Gates · · Score: 3, Interesting

    Eagerly, awaiting the openbsd 3.5 theme song I ftped into one of the mirrors.

    Anyway I downloaded the 3.5 song and found it's about a protest on Cisco patents on redundant firewalling and VRRP in a Monty Python format.

    Strange but somewhat amusing to say the least. Go download it.

    1. Re:Monty Python clone??? wtf? by PygmySurfer · · Score: 1
    2. Re:Monty Python clone??? wtf? by Anonymous Coward · · Score: 0

      Use a mirror, you insensitive clod.

  8. yea by Anonymous Coward · · Score: 3, Informative

    seems main ftp server is down. remember there are the mirrors if you guys want to get it. http://openbsd.org/ftp.html

    and OpenBSD Rocks!

  9. Re:Every Hacker's Wet Dream by Anonymous Coward · · Score: 1, Interesting

    From what I understand, Earthlink has a lot of OpenBSD machines that are currently in production.

  10. my favorite comment from the changelog by imac.usr · · Score: 4, Funny
    - Enable bus mastering on fxp(4). Oh yes.

    I don't know what it means, but I approve.

    --
    I use Macs for work, Linux for education, and Windows for cardplaying.
    1. Re:my favorite comment from the changelog by Deraj+DeZine · · Score: 1, Offtopic

      Asked for comment, the Kool-Aid Man responded: "OH YEAH!!!!"

      --
      True story.
    2. Re:my favorite comment from the changelog by Gogo+Dodo · · Score: 4, Informative

      fxp is the driver for the Intel PRO/100 Ethernet adapters.

    3. Re:my favorite comment from the changelog by Anonymous Coward · · Score: 0

      Apparently, bus mastering is the technique of writing directly to memory and bypassing the motherboard's CPU which is used by video cards (overlay), nics, etc. So I think it's a speed thing.

    4. Re:my favorite comment from the changelog by Anonymous Coward · · Score: 0

      OpenBSD has full hardware support for an 8-year-old card. oh yes.

    5. Re:my favorite comment from the changelog by ostiguy · · Score: 1

      Intel has generally been on their (*%*$list for not providing technical documents. I would tend to expect that they had to completely figure this out on their own.

    6. Re:my favorite comment from the changelog by Anonymous Coward · · Score: 0

      Yeah, datasheets for things like Ethernet controllers are real hard to get from Intel. Those poor BSD coders, they've only got the complete databook without any NDA conditions attached to work from!

    7. Re:my favorite comment from the changelog by Anonymous Coward · · Score: 0

      If it's not terribly inconvenient, please explain a little bit about the naming convention for BSDs drivers and devices.

      Having a Linux background, I have found the names for devices to be unintuitive, and I haven't found anywhere a systematic account for them or even a comprehensive list.

    8. Re:my favorite comment from the changelog by lcde · · Score: 1
      --
      :%s/teh/the/g
  11. Happy user since 2.7 by Daimaou · · Score: 4, Insightful

    I would like to offer my thanks to the OpenBSD team here on Slashdot, where it will promptly be lost in hundreds of other posts.

    I have used OpenBSD since 2.7 as a firewall, a web server, and a file server. There are a lot of unix-like operating systems out there, but for me, nothing can beat the simplicity and security of OpenBSD in these areas.

    I'm also extremely happy with the ease of applying patches on OpenBSD. It makes remote management the easiest thing in the world (well, from a unix perspective anyway).

    If you haven't tried OpenBSD, and are looking for an excellent server OS, I highly recommend giving it a try. I would recommend supporting the effort by buying a CD too.

    1. Re:Happy user since 2.7 by timmarhy · · Score: 0, Troll

      you're posting as anonymous coward, hence your opinion does not matter

      --
      If you mod me down, I will become more powerful than you can imagine....
    2. Re:Happy user since 2.7 by trewornan · · Score: 3, Insightful

      No real help is given to new users and such an elitist attitude is suicide.

      A number of the reviews and guides I looked at before deciding on OpenBSD warned me about the community's attitude to this. But, firstly - I guess it's an understandable attitude if you aren't really concerned about promoting your OS and just want to be able to run it yourself; let's face it, most of us are really freeloaders (I can't hack kernel code, can you?). Secondly, the only time I've ever asked for help was on bsdforums and I got two quick and helpful replies, without any abuse at all, so I'm not sure their reputation is entirely justified (but then I did RTFM first).

    3. Re:Happy user since 2.7 by Anonymous Coward · · Score: 1, Insightful

      A few things:

      1) I'm a long time Open and Free BSD user

      2) Posting anonymously does not in and of itself make one's comments or opinions have zero value

      3) Posting with a name you assigned yourself is little different than posting anonymously. You chose your own nickname and there is no way to guarantee a direct association between your self chosen online name and your real world self. Thus, you too, are anonymous.

      4) There are plenty of so-called non-anonymous posters on this site and elsewhere on the net who have absolutely nothing of value to say. Knowing who they are or who they might be does not add any weight to their opinions. Their opinion and 4 bucks gets you a cup of coffee.

      5) By dismissing someone's comments simply for lack of having their self-assigned name you are launching an ad hominem attack, which is the weakest form of debate. When intelligent and educated people see such an attack they usually grant more weight, not less weight, to the statements of the person being attacked. After all, if you can't refute their arguments, but instead must attack the person making them, it appears to others as if you have nothing to refute their statements; thus they are either more likely to be correct or you are more likely to be easily dismissed in the future, or both.

      6) Lastly, there are many situations in the real world and online where one might have something worth saying but the cost of being known is too high. I prefer a world where we can know the truth about what is going on even if we don't know the source of the truth. Truth is universal. It doesn't matter who the source is as long as it is true. For example, in a repressive state or in a dangerous work environment, one can be executed, jailed, fined, or fired for telling others what is going on. I *want* to know if the nearby nuclear power plant is soon to explode and I don't care if the informant is an anonymous employee. The same is true for human rights abuses around the world. This person may be someone important in some company or organization who doesn't want to risk their career to simply express their opinion on the net. They should be able to do so without being flat out dismissed because *you* want them to associate some fake self created name to their comments to make you feel as if you really know who it is. You're just as anonymous as they are except they're not pretending.

      7) Given all of the above, I understand that the post was intended to cause a flame fest and hence is trolling. However! There are numerous accurate statements and several opinions expressed which I and many others agree with. There is little in this post which is flat out incorrect. It is the tone which is begging for flames which makes it a troll, not the factual statements or valid opinions expressed. Just because the poster is trolling, doesn't mean they're wrong.

      Think about it.

      Have a nice day,
      Anonymous, but not a coward

  12. Mascot by Zardus · · Score: 3, Informative

    Isn't that the wrong mascot in the slashdot story?

    --
    You can mod your friends, you can mod your nose, but you can't mod your friend's nose.
  13. Re:Every Hacker's Wet Dream by no+reason+to+be+here · · Score: 2, Interesting

    my formerly slackware-lovin', now debian-lovin' former roommate, despite his love of Tux and all things penguin, has started using OpenBSD for his router/firewall. If he's using it, i imagine there must be at least another dozen out there that use it. :)

    seriously though, just check netcraft. there are lots of sites hosted on OpenBSD.

  14. 2 Remote Holes in 8 years by Anonymous Coward · · Score: 0

    We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install.

    There was obviously a remote hole when they started the 8 year run as well.

    1. Re:2 Remote Holes in 8 years by Mycroft_VIII · · Score: 1

      And how old is OpenBSD? Eight years sounds about right, but I don't really know.
      If it's only 8 years old then it really could be just one remote hole in its entire lifespan.
      Well I'm sure quite a few people here know how old OpenBSD is and will chime in; I'd be curious to see if my guess is right.

      Mycroft

      --
      https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
    2. Re:2 Remote Holes in 8 years by bluGill · · Score: 1

      The official split was apparently 1995/10/18 (When the new CVS tree was created), with about 7 months of development before then.

      I was able to find mailing list archives back to December 1995 with a little searching.

  15. "single remote hole" by tunesmith · · Score: 0

    What was it?

    --
    skkkoooonnnggggkkk ptui
    1. Re:"single remote hole" by cperciva · · Score: 5, Informative

      What was it?

      OpenSSH.

    2. Re:"single remote hole" by Indy1 · · Score: 3, Informative

      it was a bug in openssh, which if i remember correctly, would of been tricky to exploit in the first place.

      --
      Lawyers, MBA's, RIAA? A jedi fears not these things!
    3. Re:"single remote hole" by Anonymous Coward · · Score: 0

      my ex-wife.

    4. Re:"single remote hole" by Tony-A · · Score: 2, Interesting

      Something very tricky with one-time passwords, IIRC. Seems like all Linux and most OpenBSD users would have been unaffected.
      It seems to me that the design level of OpenBSD is remote administration of the box where an intervening router is owned by a competent enemy.

    5. Re:"single remote hole" by Anonymous Coward · · Score: 0

      Tough enough that no one thought it was exploitable until Gobbles was asked to look at it. By that point, there was a work around (priv sep) and a patch on the way.

    6. Re:"single remote hole" by RPoet · · Score: 2, Funny

      Yes, it would of been hard, but I bet it could of been done. I of no idea if anyone of done it yet, but yes, they could of.

      Of a nice day.

      --
      "Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
    7. Re:"single remote hole" by Ithika · · Score: 1

      Oh for god's sake, the word is *have*.

    8. Re:"single remote hole" by Beryllium+Sphere(tm) · · Score: 1

      http://www.securityfocus.com/infocus/1656

      An exploit made it into the wild. It seems to have been rarely used. The author of the SecurityFocus article left a vulnerable OpenBSD machine on line as a honeypot and it went six weeks before someone rooted it.

    9. Re:"single remote hole" by Anonymous Coward · · Score: 0

      > An exploit made it into the wild

      Yep... pretty much immediately after upgrading to 3.4, I saw an attempt from a Korean grade school network in my logs.

    10. Re:"single remote hole" by evilviper · · Score: 1

      It wasn't difficult to exploit, per se, it's just that it relied on a bug in S/Key... I can't speak for the rest of the world, but I disable all unneeded features of OpenSSH before I network a machine.

      If OpenBSD had just distributed ssh_conf with s/key commented-out, it would still be "0 holes in the default install".

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
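The comment above turns on one configuration detail, so here is a small check added as an example (it is not code from the thread or from the OpenBSD project). It assumes the file in question is sshd_config and that the S/Key path is the one governed by the OpenSSH directive ChallengeResponseAuthentication, which sshd defaults to "yes". That default is the caveat worth knowing: a commented-out line does not disable the feature, only an explicit "no" does. The three sample configurations are constructed inline, and the awk-based parser is deliberately simplified (it ignores the "key=value" spelling sshd also accepts).

```shell
#!/bin/sh
# Added example, not code from the thread: report whether an sshd_config
# leaves challenge-response authentication enabled (assumed here to be the
# path S/Key used on OpenBSD of that era). sshd treats a missing or
# commented-out ChallengeResponseAuthentication line as "yes", so commenting
# it out does not disable it; the directive must be present and set to "no".
# File names and contents below are constructed for this example.

# Print "enabled" or "disabled" for the file named in $1. Comment lines are
# skipped and the first matching directive wins, as sshd does. The
# "key=value" spelling that sshd also accepts is not handled here.
challenge_response_state() {
    val=$(awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }
    ' "$1")
    case "$val" in
        no) echo disabled ;;
        *)  echo enabled ;;   # "yes" or absent: OpenSSH default is yes
    esac
}

# Constructed sample 1: directive only commented out (weak; the default applies).
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
#ChallengeResponseAuthentication yes
PasswordAuthentication no
EOF

# Constructed sample 2: directive explicitly disabled (hardened).
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF

# Constructed sample 3: directive absent entirely (weak; the default applies).
ABSENT=$(mktemp)
cat > "$ABSENT" <<'EOF'
PasswordAuthentication no
EOF

for f in "$WEAK" "$HARDENED" "$ABSENT"; do
    printf '%s: challenge-response %s\n' "$f" "$(challenge_response_state "$f")"
done
```

Run it against a real /etc/ssh/sshd_config by calling challenge_response_state on that path; the three constructed files only exist to show the commented-out, explicit-no and absent cases side by side.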
  16. OpenBSD by foo+fighter · · Score: 3, Funny

    We who are about to be rooted salute you!

    --
    obviously no deficiencies vs. no obvious deficiencies
    1. Re:OpenBSD by Anonymous Coward · · Score: 0

      "we"? ...you mean Linux users?

  17. Re:Every Hacker's Wet Dream by a+whoabot · · Score: 0

    My comrade uses it for a combo router and webserver. And that's the only person I know who runs a server, or uses anything other than those D-Link or Linksys things as a router.

  18. never-been-rooted claims getting sillier by SuperBanana · · Score: 3, Funny
    We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install.

    Prediction for OpenBSD 6.0 announcement:

    "We remain proud of OpenBSD's record of 15 years with only a single remote hole on a 986, executed from a windows system over a local network by a person under the age of 18. On Tuesday. During a full moon. At low tide."

    1. Re:never-been-rooted claims getting sillier by 0racle · · Score: 4, Interesting

      How is it getting sillier? Because they increment it once a year when there wasn't a hole that year, or are you just so used to using something else that you just can't believe that something goes longer than a month without a catastrophic security hole.

      --
      "I use a Mac because I'm just better than you are."
    2. Re:never-been-rooted claims getting sillier by Anonymous Coward · · Score: 0

      ... under a ladder, while a black cat crossed the server's path and shards of a broken mirror lay nearby.

    3. Re:never-been-rooted claims getting sillier by mentin · · Score: 0, Insightful

      The funny part is that OpenBSD dudes
      1) only count remote vulnerabilities, ignoring any local ones
      2) only count default install, i.e. ignoring vulnerabilities in anything that makes system minimally interesting (web, ftp server, XWindows, routing apps)
      3) ignore denial of service attacks - even remote ones and even those that allow you to remotely crash system (although they don't explicitly mention it)

      --
      MSDOS: 20+ years without remote hole in the default install
    4. Re:never-been-rooted claims getting sillier by nuintari · · Score: 4, Insightful

      1. They only count the remote ones in that exact statement, they fix all the bugs they find, and critical bugs have been few and far between.
      2. The stock install comes with apache, an ftp server, X, and routing software.
      3. No, every recent DoS attack that has affected obsd has been fixed. I would hardly call same-day patches "ignoring".

      --

      --Nuintari

      slashdot : where an opinion can be wrong.

    5. Re:never-been-rooted claims getting sillier by Anonymous Coward · · Score: 0

      That's all stated in the comment. The comment has been basically unchanged (except for number of years) since the 1 remote root hole incident. It basically stated the same thing before the incident.

      They have been consistent. What more do you want?

    6. Re:never-been-rooted claims getting sillier by mentin · · Score: 1
      2. The stock install comes with apache, an ftp server, X, and routing software
      ... turned off, so they don't count any exploits in it.

      3. No, every recent DoS attack that has affected obsd has been fixed. I would hardly call same-day patches "ignoring".
      I did not say it was not fixed, the discussion was about that stupid claim "8 years..." - they don't count any DoS attacks there.

      --
      MSDOS: 20+ years without remote hole in the default install
    7. Re:never-been-rooted claims getting sillier by aking137 · · Score: 1

      Actually, there's evidence to suggest otherwise: it appears that they're incrementing it at a rate of more than one per year.

      If we look now, in 2004, they claim "Only remote hole in the default install, in more than 8 years!" However, if we use the wayback machine to look back three years ago to 2001, they then only claimed to have three years.

      All the same, I find that OpenBSD is fantastic: well documented, simple, very paranoid about security, and very easy to update.

  19. Fast AES by atrus · · Score: 5, Interesting

    I found this part of the release notes particularly interesting:

    OpenSSL now directly uses the new AES instructions some VIA C3 processors provide, increasing AES to 780MBytes/second (so you get to see a fan-less cpu performing AES more than 10x faster than the fastest cpu currently sold).

    I don't know if the fanless assertion is right (the AES instruction is available in the newer (step 8?) Nehemiah processors, for which I don't think there is a fanless version on the market yet.) Of course someone will prove me wrong.

    Now all VIA needs to do is make a network centric Nano-ITX board (drop the video, audio, firewire, usb, etc etc, and add in two more good ethernet ports), and this could be a serious IPsec/VPN platform.

    1. Re:Fast AES by CTho9305 · · Score: 3, Interesting

      Why waste all the power on a Via C3 (multiple watts) when you could use an AMD Alchemy Au1550, which consumes less than 1 watt? The development board is MUCH smaller than any uATX-like form factor.

    2. Re:Fast AES by atrus · · Score: 3, Interesting

      The AMD Alchemy is smaller, but with the C3+chipset being Intel/PC compatible, there already is a large base of software available for the C3. By extension, there are many more people familiar with programming things on PC operating systems, which makes the C3 an appealing choice. The Alchemy is more custom. While I'm sure the development kit for the Alchemy is good, it can't match the available software base of PCs. Need to add a DNS server? There are numerous ones available which meet different needs. While you probably could port one of the DNS servers to run on the Alchemy, this is a time consuming operation.

    3. Re:Fast AES by Anonymous Coward · · Score: 0

      We've gone over this time and time again. Send the OpenBSD developers free boards and plenty of documentation, and it will be supported. Sell them to Joe Q Public, and chances are (if the documentation is accessible) it will be supported. Hire a developer to port OpenBSD, and it will be supported. ;)

      There used to be a MIPS port, so I'm guessing porting to that wouldn't be toooooo hard.

    4. Re:Fast AES by Flower · · Score: 1

      Ok, I'll volunteer to prove you wrong. :)
      Here is a case which uses a heatpipe to replace the fan on an EPIA M motherboard. Honestly though, if I wasn't tracking the mini|nano-itx stuff I wouldn't have known.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    5. Re:Fast AES by leov211 · · Score: 3, Informative

      Yes, the new 600MHz version of Nehemiah runs fanless on the new CL6000 mini-itx server board.

    6. Re:Fast AES by BiggerIsBetter · · Score: 3, Interesting

      Cost and availability. When my boxed set of OpenBSD 3.5 arrives in a week or so, I can go out and buy a Mini-ITX board and box for a few hundred dollars off the shelf. I can have a reasonable firewall device up and running the afternoon the CDs arrive. And even better, it's not using overpriced development components, it's in full volume production. The AMD product is interesting, but unless they get real product on shelves at reasonable prices, it's not worth my time to chase what is effectively vapour-ware.

      BTW, your mention of "uATX-like" is way off base. Mini-ITX is significantly smaller, and VIA has released its even smaller Nano-ITX range as well.

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    7. Re:Fast AES by mst76 · · Score: 3, Informative

      I believe the 600MHz fanless boards (ME 6000, CL 6000) also include the hardware AES accelerator.

    8. Re:Fast AES by evilviper · · Score: 1
      this could be a serious IPsec/VPN platform.

      This really isn't that big of a deal.

      In reality, you can get a PCI crypto card (supported by OpenBSD) for $100, and get insanely fast 3DES, AES, a random number generator, etc.

      This is only a step-up if you happen to have that processor already. If you're making a VPN box, you can just get a good crypto card.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    9. Re:Fast AES by evilviper · · Score: 1

      It's unfortunate that I can't find those boards cheaper, otherwise I'd be using it as my firewall right now.

      Sky-high electric bills suck, and even worse is the heat... Here in the desert, anything that produces additional heat is a very very bad thing.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  20. Re:For the trolls, out there... by Zork+the+Almighty · · Score: 2, Funny

    Where is ??? - profit ?

    --

    In Soviet America the banks rob you!
  21. HEY MODS, RTFA (Score: 5, Informative) by Anonymous Coward · · Score: 0
  22. Re:Every Hacker's Wet Dream by TheHonestTruth · · Score: 5, Funny
    Be at the Burlington Mall in Burlington, MA tomorrow, in the Food Court near Quiznos at 5 PM EDT. I'll be the guy shaking your hand. Then we can end this "I never met anyone IRL that runs this" farce.

    -truth

    --

    I had a steady B+ in my AI class until I failed the Turing test...

  23. Isn't it about time... by AvantLegion · · Score: 4, Funny
    ... for remote hole #2?

    1. Re:Isn't it about time... by Anonymous Coward · · Score: 0

      Doubtful. People just LOVE to make fun of OpenBSD when it gets a remote hole yet the people who are doing the laughing aren't exactly people who can claim similar track records.

    2. Re:Isn't it about time... by Anonymous Coward · · Score: 0

      wow, an obscure Yes tune sig....

    3. Re:Isn't it about time... by Quaryon · · Score: 1

      Fantastic sig!

      (Based on Yes' Close To The Edge in case anyone was wondering..)

      Q.

    4. Re:Isn't it about time... by TheRaven64 · · Score: 1

      It's open source. That means you can write your own and submit it as a patch, or even fork the entire project and include your remote hole. Since it's BSD licensed, you don't even have to release the source code...

      --
      I am TheRaven on Soylent News
    5. Re:Isn't it about time... by gnu-generation-one · · Score: 1

      "Isn't it about time for remote hole #2?"

      They're lagging. Windows has had 4 just in April...

    6. Re:Isn't it about time... by Anonymous Coward · · Score: 0

      I'll say one thing... Linux certainly is on top in the number of remote holes. I guess OpenBSD is having a hard time catching up.

    7. Re:Isn't it about time... by grub · · Score: 1


      People just LOVE to make fun of OpenBSD when it gets a remote hole

      Also note that if/when there is a remote OpenBSD hole, it's news, not just "oops, patch, business as usual". They take these things very seriously.

      --
      Trolling is a art,
    8. Re:Isn't it about time... by Anonymous Coward · · Score: 0

      Sure. Bend over.

  24. k, troll, I'll bite.... by TheHonestTruth · · Score: 5, Insightful
    I am a Computer Information Systems Professional at a major Fortune 500 corporation.

    ok....

    Very recently the head of our IT department decided that we were going to switch every one of our networks over to Windows XP Professional.

    Hmmm.... ok. I guess that's possible.

    We had previously been running OpenBSD on all our quad processor Xeons.

    *bzzzzzt* You are either lying or dumb. Why install OpenBSD, which I admittedly love and am not biased against, on a quad processor system when SMP is in like alpha stage, beta at best? Because you're trolling or have no idea what you are doing. Next!

    -truth

    --

    I had a steady B+ in my AI class until I failed the Turing test...

  25. Re:Every Hacker's Wet Dream by Monistat7 · · Score: 0, Offtopic

    I prefer the Chinese food place's bbq pork... but I suppose I need to use up this coupon for a free sandwich after they jacked up my order. See ya there. ;) haha and that mall sux... just moved out here and it's pathetic.

  26. Downloadable ISO? by Anonymous Coward · · Score: 0

    So is there a bootable ISO that one can download and install from? What's the easiest way to get this OS onto a new hard drive?

    1. Re:Downloadable ISO? by NynexNinja · · Score: 0, Flamebait

      Theo is too BSD to give away ISOs.

    2. Re:Downloadable ISO? by roka · · Score: 3, Informative

      $ mkdir -p OpenBSD/3.5/i386
      $ cd OpenBSD/3.5/i386

      Then get the following files from a mirror:
      CKSUM
      MD5
      base35.tgz
      bsd
      bsd.rd
      bsd.rd-a.out
      cdrom35.fs
      comp35.tgz
      etc35.tgz
      game35.tgz
      man35.tgz
      misc35.tgz
      xbase35.tgz
      xfont35.tgz
      xserv35.tgz
      xshare35.tgz

      $ cd ..

      And optionally also fetch these files:

      ports.tar.gz
      src.tar.gz
      sys.tar.gz

      $ cd ..
      $ mkisofs -J -r -T -V "OpenBSD_3.5" -b 3.5/i386/cdrom35.fs -c boot.catalog -o ../OpenBSD-3.5.iso .
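
      The procedure above fetches the MD5 file alongside the sets, and the thread's advice is to check the sets against the checksums listed on the official ftp server before burning anything. The script below is an added example of that check, not code from roka's post or from the OpenBSD project. It parses the BSD-style "MD5 (file) = digest" lines, recomputes each digest and reports OK, FAILED or MISSING; it assumes a coreutils md5sum (or a BSD md5 with -q) on the PATH, and the fixture it checks is a constructed stand-in (tiny files with known digests), not real release sets.

```shell
#!/bin/sh
# Added example: verify downloaded release sets against an MD5 file of the
# form "MD5 (name) = digest" before building an ISO from them.

# digest FILE -> hex MD5 on stdout.  Assumes coreutils md5sum, falling back
# to the BSD md5(1) -q flag (assumption: one of the two is installed).
digest() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5 DIR MD5FILE
# Returns 0 when every file listed in MD5FILE exists in DIR and matches;
# returns 1 if any listed file is missing or has a different digest.
# Lines that are not "MD5 (...) = ..." entries are ignored.
verify_md5() {
    dir=$1
    md5file=$2
    bad=0
    while IFS= read -r line; do
        case $line in
            "MD5 ("*") = "*) ;;
            *) continue ;;
        esac
        name=${line#MD5 (}          # strip leading "MD5 ("
        name=${name%%) = *}         # keep text up to ") = "
        expected=${line##*) = }     # digest after ") = "
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"
            bad=1
            continue
        fi
        actual=$(digest "$dir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK      $name"
        else
            echo "FAILED  $name (expected $expected, got $actual)"
            bad=1
        fi
    done < "$md5file"
    return $bad
}

# Constructed fixture: two stand-in "sets" with contents chosen so their
# MD5s are known (md5 of "hello\n" and of the empty file).  These are
# not real OpenBSD sets; only the file names mimic the release layout.
make_fixture() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/base35.tgz"
    : > "$d/etc35.tgz"
    {
        echo 'MD5 (base35.tgz) = b1946ac92492d2347c6235b4d2611184'
        echo 'MD5 (etc35.tgz) = d41d8cd98f00b204e9800998ecf8427e'
    } > "$d/MD5"
    echo "$d"
}

# Untouched download: every digest matches -> returns 0.
check_intact() {
    d=$(make_fixture)
    verify_md5 "$d" "$d/MD5"
    rc=$?
    rm -rf "$d"
    return $rc
}

# A set altered after download (one byte changed) -> returns 1.
check_tampered() {
    d=$(make_fixture)
    printf 'hello!\n' > "$d/base35.tgz"
    verify_md5 "$d" "$d/MD5"
    rc=$?
    rm -rf "$d"
    return $rc
}

# A listed set that was never fetched -> returns 1 (reported as MISSING).
check_missing() {
    d=$(make_fixture)
    rm -f "$d/etc35.tgz"
    verify_md5 "$d" "$d/MD5"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Stand-alone run of the three scenarios.
check_intact && echo "intact fixture verified"
check_tampered || echo "tampering detected as expected"
check_missing || echo "missing set detected as expected"
```

      To use it on a real download, run verify_md5 against the directory holding the sets and the MD5 file taken from the official server rather than the mirror that served the sets: a mirror that hands out a modified set can just as easily hand out a matching MD5 line, so the checksum only proves the download matches what the OpenBSD ftp server lists. Building the ISO only when verify_md5 returns 0 turns the thread's advice into a step the mkisofs command above cannot skip.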

    3. Re:Downloadable ISO? by incabulos · · Score: 5, Informative

      There are unofficial ISO compilations of OpenBSD available if you want to search around for a bit. Or you could buy the official 3 CD pack and support the project that way.

      I think the easiest way to do an installation (I ran 3.5 up on an old P-166 this evening) is to download the arch-specific install files (i.e. everything under /i386 for run-of-the-mill x86 CPUs), and set them up on a local web or ftp server. 'dd' the boot floppy image to a spare disk (floppy35.fs will suit 90% of cases), boot up with this on the system, and simply follow the prompts for the ftp/http install. Or you could simply do an ftp install from a local OpenBSD mirror across the internet.

      For detailed info on the install, see the FAQ.

      The Errata page should be checked regularly too. Unlike the 3.4 release that had a number of bugfixes that needed to be applied as soon as it was officially released, 3.5 has no need for further patching at this point in time.

  27. Here's all you need to know by Anonymous Coward · · Score: 3, Funny
  28. Re:My success with OpenBSD by GregChant · · Score: 1

    I am a Computer Information Systems Professional at a major Fortune 500 corporation.



    For the rest of us, please read as; 'I am a systems support analyst for a company that doesn't know any better.'

  29. Not all mirrors have 3.5 yet... by b00m3rang · · Score: 3, Informative

    I've found that ftp.sunet.se does, however.

    1. Re:Not all mirrors have 3.5 yet... by Anonymous Coward · · Score: 0
      It is common knowledge that *BSD is dying. *BSD is mired in a mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but NetBSD is hurting the most. Look at the numbers. The loss of user base for NetBSD continues in a head spinning downward spiral.

      OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

      Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Major marketing surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyists (i.e. those who dabble with Minix, Xinu, etc). *BSD is already dead. It is a dead man walking.

  30. Re:Every Hacker's Wet Dream by Fnkmaster · · Score: 0, Offtopic

    Dude, the Quiznos rocks the crappy Chinese food in Burlington, don't let anyone say otherwise. Anyway, don't go there anymore since I don't work in Lexington these days. But my memories of the Food Court are fond indeed.

  31. A firewall should /require/ a GUI? by b00m3rang · · Score: 1

    Why don't you just run Windows?

    1. Re:A firewall should /require/ a GUI? by artson · · Score: 1
      "Why don't you just run Windows?"

      Shilling for Microsoft Corporation are we?

      Remarks like this ensure the Linux/Unix discussion area's reputation for unfriendliness and add to the mistrust and dislike that the general computer-using population feels.

      Well done! Now go see Chairman Bill and collect your pay check.
      --
      In times of trouble, the smell of frying onions usually gives confidence and comfort.
  32. In case google is broken, which it's not by b00m3rang · · Score: 3, Informative
  33. Re:Every Hacker's Wet Dream by manifest37 · · Score: 3, Interesting

    http://uptime.netcraft.com/up/today/top.avg.html
    The sites with the longest uptime run OpenBSD
    that's who uses it

  34. Clue me in, why is he such a bumscag? by Anonymous Coward · · Score: 0

    n/t

    1. Re:Clue me in, why is he such a bumscag? by TheHonestTruth · · Score: 1
      google for "Theo de Raadt netbsd darren reed" or some combination thereof. Theo doesn't play nicely with others. At all.

      -truth

      --

      I had a steady B+ in my AI class until I failed the Turing test...

  35. I'll bite too... by Anonymous Coward · · Score: 5, Informative

    Let's begin hacking this one apart :P

    1) Devry... nice.. :P not.
    2) A company capable of buying quad xeon hardware doesn't sound like the kind of company that needs to resort to running a workstation OS--XP Professional--on a server. Plus, Windows XP will only use 2 CPUs maximum.
    3) Like mentioned before, you'd never run OpenBSD on an SMP box in a production scenario
    4) What kind of password? The Windows XP password has nothing to do with Dell. If you mean the BIOS password, that has nothing to do with Windows.
    5) Microsoft's multi-user computing (read: NT Domains/Active Directory) is actually quite good.
    6) If your server had three years of uptime, there was probably (I'm sure there wasn't but I don't want to be wrong) no OpenBSD SMP support (not even beta) 3 years ago... I wonder how your boss feels about a server having 75% of its computing power being unused.

    There's more wrong with your post, but why bother...

  36. FREE SPEECH by Anonymous Coward · · Score: 0

    Deal with it.

    1. Re:FREE SPEECH by Anonymous Coward · · Score: 0

      What kind of pinko hippie are you? Free speech is only for those who believe Fox News.

  37. My addition by bobtheheadless · · Score: 4, Interesting

    Everybody has their OpenBSD quips, so I may as well add mine.

    I've been using OpenBSD since 2.8 and have loved it since. It was the first UNIX-like OS I used. I currently use it on one box for my firewall, but have switched to gentoo for the web & mail servers.

    That's not the best part though. I have some friends who needed a residential gateway, and I set them up with an old box running obsd 3.1, and it's been running non-stop (aside from power outages) since, with no problems. I keep telling them I should upgrade them, but it really isn't required.

    Anyway, that's my addition. I wonder if anybody will have the patience to read this far down in the comments. Hmmmm...

    --
    --- If I had a funny sig too, you might be laughing now.
    1. Re:My addition by SaDan · · Score: 1

      Wow. That is friggin' amazing. You installed an operating system on a machine, used it as a "residential gateway", and never patched it in all this time?

      You sir, are an original.

    2. Re:My addition by bobtheheadless · · Score: 1

      Wow, I'm just surprised that somebody cared enough about my post to respond to it. I should post more useless stuff so that more people can respond, and thus have something to do with the obviously extra time they have during the day.

      --
      --- If I had a funny sig too, you might be laughing now.
    3. Re:My addition by Anonymous Coward · · Score: 0


      You installed an operating system on a machine, used it as a "residential gateway", and never patched it in all this time?

      That's not too surprising. My home gateway was running an old version of OpenBSD for a couple of years. What "saved" me was the fact that I only allowed SSH connections from inside and from a VPN tunnel running to work. The world never saw an open port and I wasn't in a hurry to upgrade a machine that sat there passing packets all day.

    4. Re:My addition by SaDan · · Score: 1

      Wow... I'm surprised that you're surprised that someone replied to a post you made on Slashdot that you consider useless.

    5. Re:My addition by bobtheheadless · · Score: 1

      Good, then we agree.

      --
      --- If I had a funny sig too, you might be laughing now.
    6. Re:My addition by SaDan · · Score: 1

      Yes, yes... I think we can both agree to agree on this one.

  38. Your should be pissed at your command, not Theo by Anonymous Coward · · Score: 0, Troll

    "He said something I don't agree with.. OUT LOUD! You can't do that in America. Now I just can't trust his operating system, even though it's open source. It's gotta have some kind of commiehole in there somewhere. Look at me, I'm smart!"

    1. Re:Your should be pissed at your command, not Theo by Anonymous Coward · · Score: 0

      Exactly!

      What's his point? He can only use stuff that is coming from people he agrees with? Even if it is inferior?

    2. Re:Your should be pissed at your command, not Theo by Anonymous Coward · · Score: 0


      He said something I don't agree with.. OUT LOUD! You can't do that in America

      Actually he said it out loud in Canada. Rumsfeld and Bush will soon declare Canada part of the axis of evil for daring to not toe the line.

  39. Re:For the trolls, out there... by FrYGuY101 · · Score: 1

    Damn... knew I forgot one!

    --
    "If we let things terrify us, life will not be worth living."

    - Seneca
  40. God forbid you download only what you need. by Anonymous Coward · · Score: 0

    I forgot, these days it's "cool" to buy, download, or otherwise procure 10 times more of everything than you'll ever use, so that you can throw the rest away. Conservation of resources is for those who don't respect the homeland, and what it stands for.

    1. Re:God forbid you download only what you need. by Anonymous Coward · · Score: 0

      OpenBSD CD == Two weeks Ramen for Theo.

  41. Re:Was anyone else pissed when... by Cyno01 · · Score: 2, Funny

    I really don't think sidewinders should be replaced with OpenBSD, maybe AMRAMs, but not sidewinders...

    --
    "Sic Semper Tyrannosaurus Rex."
  42. Re:Every Hacker's Wet Dream by prockcore · · Score: 3, Interesting

    http://uptime.netcraft.com/up/today/top.avg.html
    The sites with the longest uptime run OpenBSD
    that's who uses it


    That's not a valid list.

    $ uname -sr
    SunOS 5.7
    $ uptime
    12:11am up 1585 day(s), 8:41, 1 user, load average: 0.27, 0.27, 0.26

    That puts us in the top 10, and we're not the only ones. The problem is the uptime solaris reports to netcraft rolls over every 495 days.

  43. No, not silly. by Tony-A · · Score: 1, Insightful

    That single remote hole (as opposed to no remote hole) means that security does matter and cannot be taken for granted.
    Uber secure? I'd grant them that.
    Secure? Probably not, but they're working on that.
    Secure means that I can run unpatched vulnerable software with impunity.
    Security does not mean that I have to try playing catch-up with the latest security "fixes".

    1. Re:No, not silly. by Anonymous Coward · · Score: 0

      if OpenBSD gives that level of security ("can run unpatched vulnerable software with impunity") then why are they afraid of enabling some useful services by default? oh, i think i know, maybe that claim wouldn't last long then? ;-)

  44. heh... burlington does suck by TheHonestTruth · · Score: 1
    The mall does suck. Quizznos and the Indian food place are the only decent eats in that place. :-)

    -truth

    PS, I won't really be there tomorrow. Need to study for finals, but I really do live only 15 minutes away. <g>

    --

    I had a steady B+ in my AI class until I failed the Turing test...

    1. Re:heh... burlington does suck by Russellkhan · · Score: 1

      I used to be pretty close myself - off of Old Billerica Rd in Bedford. Is there still a Bel Canto restaurant in Lexington? That's probably my favorite pizza I've had anywhere with the possible exception of some homemade. (I live in California now - there is no pizza worth eating here, pity me).

      --
      Information doesn't want to be anthropomorphized anymore.
  45. I admire your fortitude... by TheHonestTruth · · Score: 1
    I couldn't get past the third sentence.

    -truth

    --

    I had a steady B+ in my AI class until I failed the Turing test...

    1. Re:I admire your fortitude... by Anonymous Coward · · Score: 0
      I couldn't get past the third sentence.

      You seem to have a very short attention span.

  46. Now wait just a second.... by Ghostx13 · · Score: 0, Redundant

    According to all those knowledgeable folks on slashdot *BSD is dying...

    1. Re:Now wait just a second.... by Anonymous Coward · · Score: 0

      This is why even people with registered accounts should start with a score of zero...

  47. Pffftt! Theo. by Anonymous Coward · · Score: 0

    What does a canuck know?

  48. One remote whole... by gnu-sucks · · Score: 4, Informative

    We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install.

    I love OpenBSD as much as anyone serious about security, but this quote is completely full of shit.

    If you look at the release 3.4 errata list, there's at least three or four root exploits waiting to happen. And 3.3 and 3.2 aren't any better.

    And YES, sendmail was in the default install. As well as many programs based off the lately bad libc-6.

    OpenBSD is the most secure, and secure-oriented, but it's not perfect by any means.

    And yes, I run OpenBSD on a few servers, and one desktop!

    1. Re:One remote whole... by DA-MAN · · Score: 1

      We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install.

      I love OpenBSD as much as anyone serious about security, but this quote is completely full of shit.


      Ok Ok, well I got one that's completely true and an even longer timeframe.

      MS-DOS: 0 Remote Root Exploits in over 20 years

      --
      Can I get an eye poke?
      Dog House Forum
    2. Re:One remote whole... by nuintari · · Score: 5, Insightful

      You have to take into account OpenBSD has privsep, stack protection, W^X memory, and a myriad of other security features not present in most other *nix systems.

      Taken together, a large chunk of potential remote exploits become much less serious problems because the exploit isn't capable of rooting an OpenBSD box. Sure, a DoS vulnerability is nothing to sneeze at, but it sure beats getting rooted. The same vulnerability that will root a Linux box will often only annoy the living hell out of an Open box, and you'll still see a patch faster for OpenBSD.

      --

      --Nuintari

      slashdot : where an opinion can be wrong.

    3. Re:One remote whole... by Triumph+The+Insult+C · · Score: 4, Informative

      and in the default install, sendmail only listens on localhost ...

      --
      vodka, straight up, thank you!
    4. Re:One remote whole... by Anonymous Coward · · Score: 0

      Sure sendmail is in there, but it isn't turned on as a daemon in the default install.

    5. Re:One remote whole... by evilviper · · Score: 1
      this quote is completely full of shit.

      I have to say, I think it's your post that's full of shit.

      If you look at the release 3.4 errata list, there's at least three or four root exploits waiting to happen.

      I went through that list again, just to make sure there aren't any I didn't already know about. The only ones I've seen that could potentially be root exploits, were local bugs, not remote.

      The rest are pure DoS attacks. That's standard fare for OpenBSD. Most bugs aren't enough to provide a root hole on their own... Usually it's a matter of two overlapping bugs being used to get root (e.g., one that can write data to memory, and one that can cause the code in memory to be executed), so it's very common for OpenBSD to be secure against root exploits, even though they have the unfortunate side effect of DoS possibilities.

      OpenBSD also has other security features like Propolice, W^X, etc.

      And 3.3 and 3.2 aren't any better.

      Better than perfect? No, I wouldn't expect they would be.

      And yes, I run OpenBSD on a few servers

      For somebody who runs OpenBSD, you don't seem to know much about it.

      and one desktop!

      You act like it's a big deal that you use OpenBSD as a desktop... I've got multiple desktop machines that I run OpenBSD on, and I have ever since about 2.8 (that's about 4 years).

      That was back when finding a supported soundcard was difficult, and you had to install XF86 and make some changes to the kernel yourself to get most videocards to work.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    6. Re:One remote whole... by Anonymous Coward · · Score: 0

      "As well as many programs based off the lately bad libc-6."

      huh? wtf is that supposed to mean?

    7. Re:One remote whole... by gnu-sucks · · Score: 0

      1) I'm not full of shit.
      2) Theo and the gang typically take far longer than Apple, and even red hat, to release patches.
      3) Actually, I do know quite a lot about openbsd. And that's why I use it. But claiming "Only one remote hole in the default install, in more than 8 years!" is laughable.
      4) Maybe you haven't noticed, but most people who run OpenBSD are not running it as a desktop system. Thats why I pointed it out.

    8. Re:One remote whole... by gnu-sucks · · Score: 1

      And,

      MS-DOS: 0 Remote anything in over 20 years

      Of course, if you add enough third party software, DOS can do a fair amount. But then, you open yourself to attack, etc. Then it isn't all that secure.

    9. Re:One remote whole... by gnu-sucks · · Score: 1

      And what about SSH? I'm not completely certain, but I think that was on by default in 3.2, and when the issues came about, Theo said something like, "well, nobody's tried that on OpenBSD" so it wasn't considered a security hole.

    10. Re:One remote whole... by DA-MAN · · Score: 1

      MS-DOS: 0 Remote anything in over 20 years

      Of course, if you add enough third party software, DOS can do a fair amount. But then, you open yourself to attack, etc. Then it isn't all that secure.


      To be honest, a default OpenBSD install doesn't even include a graphical text editor. DOS at least has EDIT.COM; functionality-wise I would say OpenBSD edges DOS out just because of networking capabilities though....

      --
      Can I get an eye poke?
      Dog House Forum
    11. Re:One remote whole... by tyler_larson · · Score: 1
      We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install.

      I love OpenBSD as much as anyone serious about security, but this quote is completely full of shit.

      The key to the statement is that the remote services are disabled by default. So, though the software might be vulnerable, the box isn't.

      Sure, it's a bunch of vacuous marketing, but it's technically accurate.

      --
      "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
      RFC 1925
    12. Re:One remote whole... by Anonymous Coward · · Score: 0
      It is common knowledge that *BSD is dying. We all know that *BSD is mired in a mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but NetBSD is hurting the most. Look at the numbers. The loss of user base for NetBSD continues in a head spinning downward spiral.

      OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

      Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Major marketing surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyists (i.e. those who dabble with Minix, Xinu, etc). *BSD is already dead. It is a dead man walking.

    13. Re:One remote whole... by Anonymous Coward · · Score: 0

      uunnnhhhh

      you lost me there

      edit.com? graphical? Is my memory of edit.com completely, well, wrong?

      ex?

    14. Re:One remote whole... by akira_kinada · · Score: 1

      I was just going to say that :-). Big difference from, oh..I don't know, SOLARIS. Which ships with sendmail running as an open relay listening on outside NICS.

  49. Re:Every Hacker's Wet Dream by dedazo · · Score: 1
    I thought you were going to say
    I'll be the guy with a pirate hat, bad teeth and fur singing i love the quizno suub. they have a pepper bar. the quizno sub is tasty sub....
    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  50. Perfect Timing by alexhmit01 · · Score: 3, Informative

    Ironically, I just finished installing 2 OpenBSD machines in the past couple of days, just finished up one about 5 minutes ago. Unfortunately, while they get the software up on a mirror quickly, every time we buy the CDs they don't ship out for weeks after the downloaders grabbed them... makes it a bit discouraging to buy the CDs, which we used to do (several copies) each release...

    But now that OpenBSD is only on Firewalls, no webservers, it's less pressing.

    1. Re:Perfect Timing by evilviper · · Score: 1
      Unfortunately, while they get the software up on a mirror quickly, everytime we buy the CDs they don't ship out for weeks after the downloaders grabbed them...

      If you order the CDs before the release date, you will receive them before the distro is even available via FTP.

      Pretty well-known fact.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    2. Re:Perfect Timing by mzipay · · Score: 1

      I've ordered 3.0 and 3.5 on CD, both 2-3 weeks before the release date. I didn't get 3.0 until a week after it was available via ftp.

      and today's the 3rd... still no 3.5 yet...

    3. Re:Perfect Timing by BdosError · · Score: 1

      I've ordered the last 3 releases at least a month in advance (when the "pre-orders now available" shows up on the web site) and always received it at least 1 week before it was downloadable.

      Just my data point.

      --
      Complexity is Easy. Simplicity is Hard.
    4. Re:Perfect Timing by mzipay · · Score: 1

      and those are standard orders through openbsd.org?

      even in my order receipt, it clearly states:

      >> Your order currently is:
      >> -> 1 OpenBSD 3.5 CD @ USD $40.00
      >> -> Total: USD $40.00 + Shipping.
      >> NOTE: Orders containing Pre-ordered OpenBSD 3.5
      >> CD's Shirts, and Posters will not ship before May 1 2004

      so how could they possibly arrive prior to May 1? is there some special shipping option or something that i forgot to check?

    5. Re:Perfect Timing by BdosError · · Score: 1

      Yes, I ordered through openbsd.org. I'm pretty sure my receipt said that too. Maybe I'm just lucky. Maybe it's because I'm in the same province, I couldn't say.

      --
      Complexity is Easy. Simplicity is Hard.
  51. no torrents by Anonymous Coward · · Score: 0

    Why the heck don't they have any BitTorrents listed?

  52. about security holes by Anonymous Coward · · Score: 5, Interesting

    Yes, lack of security holes makes anything secure, this is quite obvious. However, how can you know you don't have any security holes? The answer is simple: you cannot.

    If you call chroot a poor kludge, you're obviously not a security guy. Granted, it's not perfect, but it does help a little. Ever heard of the principle of least privilege? The idea that programs shouldn't be allowed to do anything except what they need to do? Well, taken to the extreme, this would mean:

    - Program should declare what syscalls it uses, what libraries it needs, etc, and no other syscalls/libraries would be allowed.
    - Program should declare what kind of access it needs to the filesystem to function. No other parts of the "real" filesystem should be visible in the program's namespace at all.
    - Same for every other resource such as sockets, etc...

    This could be achieved through a manifest file of some sort, which the kernel would read and interpret. It could be part of the program image itself. This would be truly beautiful, however anything that implements any of the above is a GOOD thing.

    You're saying chroot is giving a false sense of security. So, shouldn't the people be educated about what it solves and what it doesn't, then? Obviously it's a good feature, it just isn't intended to be a solution to everything. Just a solution to one problem: filesystem namespace visibility.

    1. Re:about security holes by Anonymous Coward · · Score: 4, Informative

      - Program should declare what syscalls it uses, what libraries it needs, etc, and no other syscalls/libraries would be allowed.
      - Program should declare what kind of access it needs to the filesystem to function. No other parts of the "real" filesystem should be visible in the program's namespace at all.
      - Same for every other resource such as sockets, etc...


      You mean like systrace? ;)

    2. Re:about security holes by jhealy1024 · · Score: 1

      - Program should declare what kind of access it needs to the filesystem to function. No other parts of the "real" filesystem should be visible in the program's namespace at all.
      - Same for every other resource such as sockets, etc...

      This could be achieved through a manifest file of some sort, which the kernel would read and interpret. It could be part of the program image itself. This would be truly beautiful, however anything that implements any of the above is a GOOD thing.

      Isn't this what the Java security framework does? Applets get "sandboxed" and can only access the files, directories, sockets, etc that are explicitly granted to it.

      I haven't read up much on the recent versions of the security model, so I don't know if this can apply to applications (or just applets), but it seems that's just what you're looking for...

    3. Re:about security holes by geniusj · · Score: 2, Interesting

      This can usually be achieved through Mandatory Access Control (MAC). I know FreeBSD 5.x has a MAC implementation, though I haven't used it myself. There are or have also been various linux MAC implementations available. Something to get used to though is that generally with MAC, there is no such thing as 'root'.

    4. Re:about security holes by Geekboy(Wizard) · · Score: 4, Informative

      - Program should declare what syscalls it uses, what libraries it needs, etc, and no other syscalls/libraries would be allowed.
      - Program should declare what kind of access it needs to the filesystem to function. No other parts of the "real" filesystem should be visible in the program's namespace at all.
      - Same for every other resource such as sockets, etc...


      systrace(1)

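What the "manifest" sketched in the parent post looks like once it exists, as an added example of a systrace(1) policy for a hypothetical network daemon; this is not code from the thread or from the OpenBSD tree. The program path, the file locations and the listening address are assumptions, and the rule set is deliberately short; it covers the three resource classes the parent lists (syscalls, filesystem, sockets) using the common fsread/fswrite/bind/connect/execve predicates:

```systrace
Policy: /usr/sbin/httpd, Emulation: native
	native-fsread: filename eq "/etc/httpd.conf" then permit
	native-fsread: filename match "/var/www/*" then permit
	native-fswrite: filename match "/var/log/httpd/*" then permit
	native-bind: sockaddr eq "inet-[0.0.0.0]:80" then permit
	native-connect: sockaddr match "*" then deny
	native-execve: filename match "*" then deny
```

The point the policy makes is the one the parent is after: the daemon can name exactly which files, which socket and which syscalls it needs, and anything else is decided by the kernel rather than by the daemon's own good behaviour. Anything not matched by a rule is left to systrace's default handling (prompt interactively, or deny when run with -a), so a first draft is usually generated by running the program under systrace and recording what it asks for, then trimming.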
    5. Re:about security holes by Anonymous Coward · · Score: 0

      If you call chroot a poor kludge, you're obviously not a security guy.

      chroot is a poor kludge.

      You know the Monty Python sketch with the guy hunting mosquitos? That's chroot. But it still kills the mosquitos.

    6. Re:about security holes by evilviper · · Score: 3, Insightful
      If you call chroot a poor kludge, you're obviously not a security guy.

      Not true, I'm "a security guy", and I'd say he's right (although I would phrase that differently).

      Granted, it's not perfect, but it does help a little.

      From everything I've seen, it hurts more than it helps in 99% of cases.

      Ever heard of the principle of the least privilege? The idea, that programs shouldn't be allowed to do anything except what they need to do?

      Yes, and chroot seems to be preventing people from actually doing that.

      The huge majority of network services do not need to be root, except to open a port <1024... If it was not for that, most programs could run as an unprivileged user, and NEVER need root access.

      Remember, with chroot, you have to trust your program to only do what it needs to do as root, and be secure about it. Then you have to trust that it is dropping privileges as soon as possible. You have to trust it is setting up the chroot correctly, and that it is dropping privileges correctly. There have been several instances where services have been exploitable because they did not properly drop privileges. (IIRC, samba was one of them)

      So, shouldn't the people be educated about what it solves and what it doesn't, then?

      Okay, everyone, chroot solves nothing. You use it only if no other security measures are possible, such as is the case with OpenSSH.

      Just a solution to one problem: filesystem namespace visibility.

      It is not a solution to that. First off, access to any of the files on a system (except for suid/sgid files) is not a security risk AT ALL.

      Second, and most importantly, it is possible to break out of a chroot, so it's not providing much security.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
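The sequence the post above is describing, written out as an added example: open the one thing that needs root (a port below 1024), confine, drop root, and then check that the drop actually took rather than trusting it. This is not code from the thread or from OpenBSD; the service uid/gid, the jail directory and the function names are assumptions. The full path needs root; run as a normal user it stops at the bind, but the verification helper still runs:

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1: acquire the only thing that needs root, the privileged port,
 * before giving root up. Returns a listening socket or -1 (errno set). */
int bind_privileged_port(unsigned short port)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1)
        return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) == -1 ||
        listen(fd, 16) == -1) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Step 2: confine, then drop, in an order where each call is still
 * permitted. chroot() needs root; chdir("/") must follow it or the
 * working directory stays outside the jail; setgroups() and setgid()
 * need root and go before setuid(); setuid() is last because after it
 * none of the others would succeed. Returns 0 on success, -1 on failure. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) == -1 || chdir("/") == -1)
        return -1;
    if (setgroups(1, &gid) == -1 || setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    return 0;
}

/* Step 3: do not trust the drop, verify it. Real, effective and saved
 * uids must all be the target, and an attempt to become root again must
 * fail. Returns 1 when the process is genuinely unprivileged, else 0. */
int privileges_dropped(uid_t expect_uid)
{
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) == -1)
        return 0;
    if (ruid != expect_uid || euid != expect_uid || suid != expect_uid)
        return 0;
    if (setuid(0) == 0)   /* succeeded: saved uid was still root */
        return 0;
    return 1;
}

int main(void)
{
    /* Hypothetical service account and jail; adjust for your system. */
    const uid_t svc_uid = 65534;
    const gid_t svc_gid = 65534;
    const char *jail = "/var/empty";

    int fd = bind_privileged_port(80);
    if (fd == -1) {
        fprintf(stderr, "bind port 80: %s (run as root for the full sequence)\n",
                strerror(errno));
        return 1;
    }
    if (drop_privileges(jail, svc_uid, svc_gid) == -1) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    if (!privileges_dropped(svc_uid)) {
        fprintf(stderr, "still privileged, refusing to serve\n");
        return 1;
    }
    printf("listening on port 80 as uid %u inside %s\n",
           (unsigned)svc_uid, jail);
    close(fd);
    return 0;
}
```

The ordering is the part that bites in practice: chdir("/") after chroot() or the process keeps a working directory outside the jail, setgroups() before setgid() or the supplementary groups survive, and setuid() strictly last. The setuid(0) probe at the end is what turns "trust the program to drop privileges" into something the program checks for itself, which is exactly the gap behind the failed-drop bugs mentioned above.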
    7. Re:about security holes by Anonymous Coward · · Score: 0

      > First off, access to any of the files on a system (except for suid/sgid files) is not a security risk AT ALL.

      uhm, mind posting your /etc/shadow?

    8. Re:about security holes by evilviper · · Score: 1

      Yes, you can make anything sound bad if you take it completely out of context...

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    9. Re:about security holes by the+chao+goes+mu · · Score: 1

      If I recall correctly, proftpd used a rather draconian chroot scheme, yet it had a number of security holes. (This was appx. 1 year ago). It seems to argue that chroot may be a bit dangerous by promising a false security it can't always deliver.

      --
      Boys from the City. Not yet caught by the Whirlwind of Progress. Feed soda pop to the thirsty pigs.
  53. Re:For the trolls, out there... by lupin_sansei · · Score: 1

    1) Find security exploit in BSD
    2) ???
    3) Profit

  54. Ah, Mr MCSE... by Anonymous Coward · · Score: 0

    ...your envy is showing...

  55. I realise you are discussing the C3. by Anonymous Coward · · Score: 0

    But we use the VIA EPIA V 533MHz Eden CPUs for our remote weather stations. These little passively-cooled 4-5 Watt units are solar powered and run smooth as silk. When we ran Athlons, as quick as they are, they're hell on the batteries, and generate so much heat that they melted the snow and ice before it could even build up on the cases (which saved me the job of clearing it off!), but required mega-cooling in summer. I'm usually quite hard to impress, but the Edens impressed me.

  56. Of course it's out by Russellkhan · · Score: 3, Funny

    I just downloaded 3.4 yesterday.

    --
    Information doesn't want to be anthropomorphized anymore.
    1. Re:Of course it's out by roka · · Score: 1

      So, what will you be doing October 31?

    2. Re:Of course it's out by Anonymous Coward · · Score: 0

      Why is this their fault? There was an announcement on the front page for months that 3.5 would be released on May 1st, 2004.

      If you don't read the site, I have no sympathy for you.

    3. Re:Of course it's out by evilviper · · Score: 1

      You certainly can't claim this took you by surprise. The release date has been set for about 2 months now, and even before then, the 6-month release cycle would tell you that now is about the time it's usually released.

      In fact, before the release goes live, you can see the 3.5 directory on the FTP server (you don't have permissions to it until release date, but it's listed in there).

      A couple moderators find your comment funny, but nobody who has used OpenBSD does.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    4. Re:Of course it's out by Anonymous Coward · · Score: 0

      "A couple moderators find your comment funny, but nobody who has used OpenBSD does"

      Translation: I'm jealous! Somebody thought he was funny, nobody ever thinks I'm funny! I'd better make it a 'geek pride' thing, maybe then somebody will side with me!

    5. Re:Of course it's out by evilviper · · Score: 1

      Yeah, of course "nobody ever thinks I'm funny!"

      http://slashdot.org/comments.pl?sid=87296&cid=7578167
      http://developers.slashdot.org/comments.pl?sid=58769&cid=5616302
      http://slashdot.org/comments.pl?sid=62113&cid=5816948
      http://slashdot.org/comments.pl?sid=42314&cid=4450218
      http://slashdot.org/articles/02/11/02/2041205.shtml?tid=172
      http://developers.slashdot.org/comments.pl?sid=42095&cid=4436206
      http://slashdot.org/comments.pl?sid=102278&cid=8722223
      http://games.slashdot.org/comments.pl?sid=66967&cid=6151662

      Next troll...

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    6. Re:Of course it's out by Anonymous Coward · · Score: 0

      Holy god, there hasn't been such a conglomeration of unfunny in one place since Gallagher and Carrot Top went on the road together. Also, HTML isn't really that hard, maybe you should learn it. There's nothing more useless than links that DON'T FUCKING LINK ANYWHERE. Except for you, as a human being.

  57. Re:Hahaha. Idiot. by Anonymous Coward · · Score: 0

    So, how does it feel to know that you'll be a virgin forever? I guess I'd become a troll too if I knew it was the only gratification I'd ever get out of life. Oh, and go put some ointment or something on those zits of yours.

  58. Documentation by Alioth · · Score: 4, Insightful

    What I really like about OpenBSD is that I don't have to google for a HOWTO on configuring pf and altq. The manual page is clearly written, has good examples, and provides the information you need.

    I run Linux on my main workstation (and having been a Linux user since the 0.12 kernel days, Linux is close to my heart), but I'm increasingly impressed with OpenBSD as a firewall - the documentation is light-years ahead of Linux iptables documentation for a start, and then there's the new capabilities of pf with 3.5. It's not far off challenging the big boys like CheckPoint FireWall-1 (whose only advantage for our particular network is a pretty GUI configuration tool). With OpenBSD 3.5 with carp and pfsync, the CheckPoint box's days are numbered - I can get better reliability/redundancy with OpenBSD now. The OpenBSD documentation is better. The mailing lists for OpenBSD are more informative than the CheckPoint ones. The hardware is a lot less expensive, and you don't have to pay annual software rental like you do with FW-1.

    1. Re:Documentation by lemonjelo · · Score: 3, Informative

      What I really like about OpenBSD is that I don't have to google for a HOWTO on configuring pf and altq.

      I'd also throw in that the file system layout is very consistent with OpenBSD. There's even a hier(7) man page describing the layout. When I'm working on another OS I find myself digging around, even for configuration files, way too often.

      --

      pimtamf
    2. Re:Documentation by ImpTech · · Score: 2, Insightful

      Hear hear! I *still* can't really do iptables all that well, but I picked up pf in virtually no time. It's not only the better documentation, it's that pf is so much less cumbersome to work with. Though I guess I should say I've never bothered to learn the new-fangled iptables-save/iptables-restore system, but why bother when I can just use OpenBSD on the firewall box?

  59. Um, no..... by tomasdore · · Score: 2, Informative

    From the netcraft FAQ
    "Operating systems that do not provide uptime information include;

    • NetBSD/OpenBSD"
    --
    In Social Democratic Sweden ... Ikea comes looking for yew!
  60. FreeBSD and OpenBSD by Dionysus · · Score: 2, Interesting

    How does FreeBSD compare to OpenBSD? I realize that OpenBSD has a security focus, but I was thinking more from a user point of view. If a program runs on FreeBSD, does it automatically run on OpenBSD (without recompile) etc?

    Does FreeBSD support more hardware? What's the difference?

    --
    Je ne parle pas francais.
    1. Re:FreeBSD and OpenBSD by lyberth · · Score: 2, Informative

      While I haven't run FreeBSD that much, I have been running OpenBSD for a while. While not all FreeBSD programs will run on OpenBSD automatically, most will, either by compiling them on OpenBSD or through the excellent binary emulation. So go try it out (all normal things like apache, perl, sendmail, postfix, samba, kde, mozilla, joe, vi, emacs, and a lot more will run on OpenBSD). go go go

      --

      There isn't much like the scent of a fresh harddisk
    2. Re:FreeBSD and OpenBSD by grub · · Score: 3, Informative


      I use OpenBSD on my desktop at work. There's a FreeBSD and Linux (among others) binary compatibility option which work great for me. I use the Linux Citrix client binary to connect to a Citrix server across the country just fine. I don't think I've ever run a FreeBSD binary but I install from ports usually so the port-meister of that particular software takes care of issues.

      OpenBSD supports a load of different architectures, far more than FreeBSD. However I think you're really asking about supported hardware on i386. In that area FreeBSD is ahead but most stock hardware runs OpenBSD just fine.

      Jump in, the water's fine!

      --
      Trolling is a art,
    3. Re:FreeBSD and OpenBSD by ArbitraryConstant · · Score: 2, Insightful

      FreeBSD supports a bit more hardware, and usually sooner. Performance is no comparison (favors FreeBSD), neither is ease of use (favors OpenBSD).

      OpenBSD supports binary emulation of FreeBSD binaries, and I believe FreeBSD supports binary emulation of OpenBSD binaries. They should be almost completely source compatible. In practice you'll usually install something from ports and you won't care where it came from.

      OpenBSD is missing a lot, which is why it tends to get used for firewalls that operate transparently. I don't think it's suitable as a general purpose OS. It's my favorite OS, but it's not good at everything.

      FreeBSD is heading towards the ultimate webserver/workstation platform. OpenBSD is heading towards the ultimate router/firewall platform. In a lot of ways, these goals are mutually exclusive. They're both very well documented and easy to learn, so it's worth it to try them both out. I went from no experience to moderately skilled expert in about 4 hours on both of them, significantly less time than it took me for any Linux I've tried.

      --
      I rarely criticize things I don't care about.
  61. Re:Every Hacker's Wet Dream by ModernGeek · · Score: 1

    I run it here: http://www.moderngeek.com

    --
    Sig: I stole this sig.
  62. Looks like an excellent release! by ninjaz · · Score: 4, Informative

    I picked up OpenBSD with version 2.3 and started using it seriously with version 2.5. During that time, it has gone from being an audited and secure (but otherwise fairly plain) OS to a compelling system with a wide range of complementary features.

    The ones that stand out for me are -

    Chrooting and dropping privileges for BIND by default (kept me feeling fairly safe through a few vulnerabilities, and without the extra work of maintaining my own bind built for chroot)

    Picking up ssh and releasing a good, free version

    Coming up with the nicest firewall I've used, taking it from nothing to ready for release within 6 months (That still amazes me!)

    spamd - After breaking 400 spam messages a day directed at my inbox, wiring Spamhaus SBL into the firewall and tarpitting a good portion of the traffic is a nice bonus. Noticing a week after setting that up that OpenBSD 3.5 has greylisting is a nice surprise.

    Propolice stack protection built into the OS and integrated for the long haul

    Now with CARP, I can feel comfortable getting all this in any environment - I think failover support really opens up a lot of possibilities for the future of OpenBSD.

    All in all, OpenBSD has all the attributes I like in an OS -

    regular 6 month releases (production quality doesn't have to mean stale),

    cohesiveness (no waiting for glibc to catch up to a new kernel feature, or vice-versa),

    a real commitment to free software (as demonstrated with OpenSSH, pf, and now CARP)

    really delivering - as opposed to various Linux security projects that I've seen integrated with mainstream distros, then apparently forgotten about or relegated to a special option marked with a warning label, OpenBSD is a real tested system.

    As a system, it can progress toward its goals through every aspect of the system (eg., the pervasive privilege separation), rather than a patchset to a mainstream distro, which has inherent lag time and may be working at cross-purposes to that distro or the numerous projects that make up the distro it's trying to secure. I've seen a few patchsets come and go over the years, too, while OpenBSD keeps adding to the foundation they've built.

    Thanks, OpenBSD team, for all the great releases... (and all the fish ;)

    Now I'm off to explore my new OpenBSD 3.5 system, where make build just finished. :-)

    1. Re:Looks like an excellent release! by evilviper · · Score: 2, Troll
      During that time, it has gone from being an audited and secure (but otherwise fairly plain) OS

      I have to say, I think you've got it backwards. I was using OpenBSD back in the day myself, and from the first install, it was impressive. Unlike all the other OSes, any hardware you had installed would just work, with absolutely no user intervention (assuming it was supported). You could shutdown, swap your soundcard with something completely different, reboot, and with no changes at all, your new soundcard would work.

      More than that, though, was the elegance of the whole system.

      On Linux you have a huge bundle of programs designed very differently, and thousands of configuration scripts all over the system.

      With FreeBSD, the situation isn't as complex and unintuitive as Linux, but there are still dozens of individual scripts you may need to edit for even a small configuration change... Programs in the base system don't always work consistently, or at all (I can't remember the last time 'cu' worked right).

      With OpenBSD, you have rc.conf, which is very simple to edit, and features 95% of the configuration you might want to change. The other 5% is in only a handful of other configuration files, so any system change is much simpler in OpenBSD than any other OS I've ever used. The programs all work very well, and consistently. Throughout the whole base system, the same variables work on all the different programs... Any command arg that does the same thing in different programs is almost always the exact same string for all of them.

      In my opinion, the best things about the system have been around from the beginning. The majority of the significant changes over the past 3 years have been added hardware support, more ported programs, and additional security. There have been a few significant changes, like the addition of PF, but significant changes like that one have been relatively uncommon over the past ~3 years.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  63. debian vs. openbsd by Anonymous Coward · · Score: 0

    How is it that openbsd can release a stable secure os every 6 months or so (including kernel development) while the debian people cannot make a release once every 2 years? Debian doesn't even do any kernel development they just take other people's software and stuff it in packages!

  64. if you could spare the time..... by zogger · · Score: 1

    ...... I would be interested in seeing a description/specs of this system. I am always interested in alternative energy and "smaller and more functional". Stuff like the PV panel, charge controller, batteries, enclosures, the computer itself like how the sensors are input and whatnot, etc.
    thanks in advance!

  65. Re:Every Hacker's Wet Dream by Anonymous Coward · · Score: 0

    if you look at the sites, most of them are*.jp...
    i wonder why.. is BSD so common over there, or is it just they have better admins....:)

  66. Re:Every Hacker's Wet Dream by cscx · · Score: 1

    BZZZT. What you see there is Wind River's BSD/OS, which may be OOP, I believe. It's a non-free OS.

  67. Re:Every Hacker's Wet Dream by Anonymous Coward · · Score: 0

    but...... For how long?

  68. live cd by Knights+who+say+'INT · · Score: 2, Interesting

    Hey, why don't you come up with a live-cd that can be installed to hard-drive with one command like Knoppix and that FreeBSD project?

    Really, I only use Linux because it was the easier way to get me a KDE desktop. I couldn't give a damn about what kernel I'm running, I just want to have the best desktop environment available today.

    Of course, I _could_ use better performance.

  69. Re:My success with OpenBSD by Anonymous Coward · · Score: 0

    Very recently the head of our IT department decided that we were going to switch every one of our networks over to Windows XP Professional.

    Wow, ripping out all that cat5 and fiber and all those switches and routers to put PCs running XP? That's a smart migration path...

  70. Not there yet? by Epistax · · Score: 1

    I'm looking at all the USA mirrors. The few that do have a 3.5 directory seem to have an empty i386 under it. Does anyone know of a mirror that's ready?

    1. Re:Not there yet? by Kevitt · · Score: 1

      ftp://ftp3.usa.openbsd.org/pub/OpenBSD/3.5/

  71. Re:Every Hacker's Wet Dream by trewornan · · Score: 1

    how many people use OpenBSD

    I don't know, all I know is - I use it . . . and I'm not a real "hacker" or professional sysadmin so I'd imagine there must be quite a lot of people using it. I use it on my home "server" and use linux (mandrake) on my laptop.

    I really like OpenBSD it's got an absolutely rock solid and professional "feel" to it which I've never got from any Linux distribution (and I've tried quite a few). It's also reassuring to know that you're using a notoriously secure OS, of course I assume that "anything is hackable".

    I've been looking through the documentation to see if there's an easy upgrade method but haven't found anything really helpful so if anybody can give me a pointer I'd be grateful (I don't fancy a full re-install!).

  72. We don't need no steenking moving parts by Dammital · · Score: 3, Interesting

    Build your OBSD firewall in a Soekris box. Low power, low noise, runs from a CF card (or boots via PXE). Some models accept power-over-ethernet. And Soekris directly supports FreeBSD, OpenBSD, NetBSD and Linux.

  73. Re:Every Hacker's Wet Dream by Transcendent · · Score: 1

    From my openBSD machine:

    % uptime
    8:54AM up 2859 days, 1:15, 1 user, load averages: 0.22, 0.12, 0.09

    Anyone can BS that...

  74. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  75. Mod grandparent up! by sreeram · · Score: 1

    Everything the grandparent said is true. The parent is just skipping around the truth.

    For the record, I love OpenBSD. Apart from Windows (required by my employer and for some games), my OS of choice is OpenBSD. It runs my server, and I also use it a desktop as much as I can, even at work. I have also put my money where my mouth is (i.e., bought their CDs and donated).

    However, the claim of "8 years with only one remote hole" is highly misleading. The "default install" counts only those services that are on by default. Ftpd, httpd, X and pf are all turned off. Yes, they are installed, but they are off. They are not counted. Sendmail is enabled, but listens only on the loopback interface (so no "remote" holes in sendmail, how convenient!).

    In fact, the only service that listens on the network by default is sshd. And, as you would expect, it had a remote hole, and they had to finally admit it.

    They have learnt from that experience. Now, for the first time (in this 3.5 release), the installation asks you whether to disable sshd. Great! Now you can have a "default install" which has absolutely nothing listening on the network, thus ensuring that the "no remote hole" claim will be valid forever. Bah!

    1. Re:Mod grandparent up! by rosie_bhjp · · Score: 1

      As opposed to a Windows XP box that is vulnerable the very second you install it. The difference, and this is explicitly mentioned on the OpenBSD website, is that OpenBSD strives to have very sane defaults so the system is NOT vulnerable the second the machine comes up from its initial install, thus allowing the knowledgeable system administrator to patch the services *before enabling them* and having a reasonably high degree of confidence that the system has not been rooted before the first patch goes on. SSHD, being the only service enabled by default, would be removed if it wasn't so depended upon for remote installs/management.

      Now it is incumbent upon the system administrator to understand exactly what he/she is enabling and ensuring that they have applied all known patches for that particular service.

      It really isn't rocket science and I don't know why everybody gets into such a fit over it.

      My personal biggest issue with the OpenBSD group is that I cannot find an authoritative list of key fingerprints for their mirrors, so when I go to do a cvsup using ssh, I have no idea if I am talking to who I think I am or not. Which is surprising because OpenBSD's earliest claim to fame was "strong crypto -- everywhere".

      --
      A radio maverick jumps to internet only. The Future of Rock n Roll
    2. Re:Mod grandparent up! by Anonymous Coward · · Score: 0

      I remember being asked for a while if I wanted SSH... Maybe that was just snapshots though. Anyways, at least get the quote right: Only one remote hole in the default install, in more than 8 years!

  76. Upgrade Mini-FAQ by Mysteray · · Score: 3, Informative
  77. Re:Hahaha. Idiot. by TheHonestTruth · · Score: 1

    IWT. IW. STFU.

    --

    I had a steady B+ in my AI class until I failed the Turing test...

  78. Thank you by TheHonestTruth · · Score: 1

    I wondered where the hell that commercial came from. Now I know.

    --

    I had a steady B+ in my AI class until I failed the Turing test...

  79. Breaking backward compatibility? by sudog · · Score: 0, Troll

    Does OpenBSD 3.5 break backward compatibility with all previous releases, like every other OpenBSD release does?

    I've always wondered if they did this on purpose or not.. Keeping up with the version game (and trying to support old users who can't afford the time and effort to upgrade) is somewhat difficult.

    1. Re:Breaking backward compatibility? by Anonymous Coward · · Score: 2, Informative


      Does OpenBSD 3.5 break backward compatibility with all previous releases, like every other OpenBSD release does?

      That's utter bullshit. Read the upgrade mini-FAQ, FOLLOW IT and nothing should break. I've updated remote machines that I've never been within 2000 km of and have never had a problem.

    2. Re:Breaking backward compatibility? by sudog · · Score: 2, Interesting

      I'm talking about 3rd party binaries, built to target a specific OpenBSD version, breaking when the next version of OpenBSD becomes available. I'm NOT talking about in-place binary upgrades of the system.

      NetBSD has kernel options "COMPAT_16" or "COMPAT_15" so the kernel itself will support binaries which are targeted at older releases and thus can run software from (decades?) ago without much more than installing the older libraries it was linked against.

      OpenBSD, as I recall, has no such functionality to speak of. Or does it now?

      (English.. do you speak it?)

  80. Os with *ZERO* remote holes since longer ago.... by Junta · · Score: 2, Funny

    Their claim of one remote hole in the default install is lame, *I* run a platform that has *never* had a remote hole in its default install...DOS!

    --
    XML is like violence. If it doesn't solve the problem, use more.
  81. Two months and counting... by Anonymous Coward · · Score: 0

    The last "edition" of ezine.daemonnews.org is from March. Think they'll manage to put one out by July?

    Guys, why don't you change the url to quarterly.daemonnews.org --hell, beat the rush and skip to yearly.daemonnews.org if you like.

    But BSD isn't dying. Remember that, folks, that's crucial. And OpenBSD rocks--because security always beats functionality.

    yeah.

  82. ... how about load balancing? CARP do that yet? by sudog · · Score: 2, Interesting

    I understand there's some kind of arpbalance program which allows two machines to answer to the same arp request, and by doing so the hope is that some clients will see one arp, and some clients the other;

    However, I was wondering if there's anything whereby the firewalls themselves load balance outgoing connections?

    For those of us who have more than one internet link into their home, and who currently have to manually switch between one route and the other, this kind of functionality would be an absolute godsend. :)

    Anyway, congrats to the OpenBSD team, it's always good to see another BSD that doesn't buy into the "How many times can we bump the version to make it look good to the users" game.

    1. Re:... how about load balancing? CARP do that yet? by mexnix · · Score: 1

      how about this? PF User's Guide
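The PF User's Guide pointed to above covers exactly the case asked about: balancing new outgoing connections across two uplinks with route-to and a round-robin address pool. The following is an added example, not a ruleset from the thread or copied from the guide; interface names, the LAN prefix and the two gateway addresses are assumptions and need replacing with your own. pf.conf syntax of the 3.x era is used.

```pf
# Added example (not from the thread or the PF User's Guide):
# balance new outgoing connections from the LAN across two uplinks.
# Interface names, LAN prefix and gateway addresses are assumptions.
lan_net = "192.168.1.0/24"
int_if  = "sis0"
ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_gw1 = "198.51.100.1"    # ISP A next hop (assumed)
ext_gw2 = "203.0.113.1"     # ISP B next hop (assumed)

# Each uplink must NAT to its own address; a packet leaving ISP A with
# ISP B's source address is dropped or its replies come back the wrong way.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Default deny.
block in
block out

pass out on $int_if from any to $lan_net
pass in quick on $int_if from $lan_net to $int_if

# New LAN connections alternate between the two (interface, gateway)
# pairs. The choice is made per state, so a single connection never
# straddles both links.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# The kernel's single default route sends everything out one interface;
# anything carrying the other uplink's address is pushed back to the
# matching gateway so replies stay on the link they belong to.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. Two caveats: because the pool is per connection, a site that ties a login session to the client's source address will see the client flip between the two ISP addresses; and pf does no link health check here, so a dead uplink still receives every other new connection until the ruleset is changed, which is a different problem from the failover CARP addresses.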

  83. Re:Os with *ZERO* remote holes since longer ago... by Anonymous Coward · · Score: 0

    That's like saying a guy born without legs has never suffered a broken foot.

  84. Ok., who has a free iso by nurb432 · · Score: 0, Troll

    Since he doesn't allow direct downloads.... who has a torrent of the 'real thing'...

    --
    ---- Booth was a patriot ----
    1. Re:Ok., who has a free iso by nocomment · · Score: 3, Informative

      Since he doesn't allow direct downloads.... who has a torrent of the 'real thing'...

      Torrent, and Source torrent.

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
  85. Re:About Time by Anonymous Coward · · Score: 0

    Hello everyone!
    You may know me as the "troll" that posts the "BSD IS DEAD" and all of the "FACTS" to every BSD story on Slashdot. Many people wonder why I do it. The answer is that BSD is detrimental to the open source community.

    As a Linux advocate, I have taken upon myself the duty to convince Slashdot readers that BSD is dead and that Linux is the future. If BSD were to gain a bigger marketshare, corporations such as IBM, Oracle, and Sun may be distracted from their interest in Linux.

    If you know any BSD users, you must convince them to convert to Linux. These people are slowing down open source development because developers are distracted from working on Linux programs to make them work with BSD. Imagine how great Gnome/KDE, Mozilla, and Apache would be if the developers didn't have to waste precious time writing code so that it would run on BSD. We need the entire open source community to get behind a single operating system so that developers can focus on achieving our goal, OS dominance.

    So what can you do to help? Easy. Find BSD users and developers and convince them to switch to Linux. Do so by any means necessary. You can start out being nice, but be persistent. Don't give up. In the end, they will thank you for enlightening them.

    After we destroy BSD, we will need to focus on a single Linux distribution, Fedora. The other Linux distributions are wasting time and causing confusion. We need everyone to focus on Fedora so that it can be made the best operating system ever!

    There can be only one open source operating system. Divided we fall. Together we shall rule.
    As a great man once said, "Let us never forget the duty, which we have taken upon ourselves."

  86. Re:BSD IS DEAD/LINUX ADVOCACY by golem1313 · · Score: 0, Offtopic

    You would have been great in the gestapo.

  87. You Have Been Trolled by Anonymous Coward · · Score: 0

    YHBT YHL HAND

  88. BSD/Python: This OS is dead, it is no more by veg · · Score: 0, Troll

    ...it's a stiff...bereft of life it rests in peace, it's climbed up the curtain and joined the choir invisible etc ad nauseam...

    Only a matter of time before someone says it...

    1. Re:BSD/Python: This OS is dead, it is no more by Billly+Gates · · Score: 1

      It's not dead.... it's just sleeping

  89. It's called sarcasm by b00m3rang · · Score: 2, Insightful

    The parent (I meant to post as a reply to the existing reply) implied that they concede the fact that firewall rulesets with Linux and iptables are so unwieldy that a GUI interface is required, but still asserted that this is superior to pf which is easily manageable via a text session.

    I don't honestly believe you think I was advocating replacing an OpenBSD firewall with a Windows machine under any circumstances. Windows ISA Server is by far the worst firewall I've ever had the misfortune of deploying.

  90. would of by Anonymous Coward · · Score: 0

    would of been tricky

    Would *HAVE* been tricky, you fucking retard.

  91. Re:Every Hacker's Wet Dream by Anonymous Coward · · Score: 0

    do you have any proof, or did you make that up?

  92. Most mirrors are not yet updated. by Nonesuch · · Score: 1
    ftp://ftp3.usa.openbsd.org/pub/OpenBSD/3.5/.
    Actually, that appears to be the only US mirror that is ready with a complete i386 directory.

    My best guess is that all of the hardcore OpenBSD users already have a 3.4 installation and only need to do a source upgrade, so the mirror sites focus on getting a fresh copy of the sources, then take their time about the binary install sets for various platforms.

  93. Re:Hahaha. Idiot. by shis-ka-bob · · Score: 1

    Hey, why do you want to perpetuate the acne/geek stereotype? I had some severe acne as a teen; it disqualified me from military service. There are better things to joke about.

    --
    Think global, act loco
  94. Re:Was anyone else pissed when... by shis-ka-bob · · Score: 1

    Sidewinders are rattlesnakes. OpenBSD's Puffy is a blowfish, which has a much more effective poison than snake venom. Go Puffy! Down with rattlesnakes.

    --
    Think global, act loco
  95. Bug in PerlMagick still not fixed by Anonymous Coward · · Score: 0

    Ever since 3.4 I have the same problem as this guy with ImageMagick. Strangely with 3.3 I had no problems whatsoever ?_?

    1. Re:Bug in PerlMagick still not fixed by Anonymous Coward · · Score: 0

      Oh well, at least someone provided information on how to fix that..

  96. Cisco Killer? Depends... by Anonymous Coward · · Score: 1, Interesting

    Replying from airport - so, anon. coward - perspective is required, folks - *BSD, *nix, etc may replace lower end Cisco (or many other vendors) devices (1700, 2600 etc), but the PC architecture or 'software only' implementations are insufficient for OC-48 or OC-192 interfaces, Packet Over SONET implementations, etc - excluding layer 3 switches, most switches almost exclusively use ASICs for a very good reason, folks - don't forget that Cisco's core competency has always been routers, hence the purchase (and still ongoing) 'absorption' by Cisco of the Catalyst, PIX, Aironet, etc product lines and/or companies, with all the attendant flaws of the 'purchase and integrate' model - nor am I a Cisco fanatic as my pref (cost/performance ratio, functionality, support, reliability, etc.) is for Juniper routers and Foundry switches in the large enterprise while a plethora of options exist for smaller organizations, including *BSD or *nix. Before screaming 'Cisco killer' (or '[any_vendor] killer'), always look at the purpose of the system - don't allow evangelism to cloud judgement, or else you'll be confused with a televangelist.

  97. Cool, Thanks by nurb432 · · Score: 0

    Thanks much.. though the source torrent link isn't right..

    I've sent $ to Theo before, I really don't see why he doesn't offer ISOs like everyone else.

    --
    ---- Booth was a patriot ----
  98. Or SELLS them... by alexhmit01 · · Score: 1

    Charge me the same $400 as RHEL-ES, and let me download an ISO that day and get my "media kit" in the mail...

    Instead of just CDs that ship out two weeks later, charge for an "Enterprise" edition, $200 so it is reasonable, that includes the ability to download the ISOs, get a kit in a mail, and some extra stickers. :)

    Alex

  99. Re:Every Hacker's Wet Dream by bsd_usr · · Score: 1

    A lot of BSD hackers are Japanese. Ever heard of the KAME project? I guess it's because the Japs are good at taking something originally American (BSD in this case) and making it better.

  100. Re:Every Hacker's Wet Dream by dzimmerm · · Score: 1

    I use OpenBSD as a firewall and NAT box.

    --
    Jumping to correct solutions slowly is better than jumping to incorrect solutions quickly.
  101. Weird by Anonymous Coward · · Score: 0

    The only thing which is weird about OpenBSD is that the load is always at least something like 0.1

    And it's really too bad that the filesystem is so slow :(

  102. Ignorant by Anonymous Coward · · Score: 0

    You've told all /. readers the fact that you're ignorant. Great!
    First of all, the *BSDs are being used as a server OS, desktop OS, etc.
    Much software is developed on *BSD (FreeBSD especially) and is then ported to many Linux distributions. Apache was born on FreeBSD and is developed on that OS as well.
    It seems you want to do something Microsoft-like with Fedora: killing the competition by all means. You're not understanding Free Software/Open source software; you're free to use it without restrictions (well, in some cases, GPL restrictions apply). No one is wasting time porting apps from one OS to another. So please tell the REAL facts, not the IMAGINARY ones. Thanks.

  103. Debian: a bunch of older apt-gettable holes by Anonymous Coward · · Score: 0

    That's funny, isn't it?
    Besides, Debian has lots of security advisories in their stable release (aka Woody) [more than any other Linux distro - even more than Fedora Core].
    OpenBSD has few security advisories, FreeBSD a few more than OpenBSD, Slackware Linux a few more than FreeBSD, ...

  104. OpenBSD, hooray by lapierre · · Score: 1

    You OpenBSD guys are a continual inspiration to others like me who have to work with other platforms. In today's times we need software that actually works. We need operating systems that actually work, too. We need all of the features to work, and we need documentation that is correct. You OpenBSD guys are doing more to get it right than anyone else. Thank you for your work and your inspiration.