Theo De Raadt Says FreeBSD Is Just Catching Up On Security
An anonymous reader writes "The OpenBSD project has no reason to follow the steps taken by FreeBSD with regard to hardware-based cryptography because it has already been doing this for a decade, according to Theo de Raadt. 'FreeBSD has caught up to what OpenBSD has been doing for over 10 years,' the OpenBSD founder told iTWire. 'I see nothing new in their changes. Basically, it is 10 years of FreeBSD stupidity. They don't know a thing about security. They even ignore relevant research in all fields, not just from us, but from everyone.'"
...only OpenBSD would catch up in every OTHER category...
to write your ipsec, that's the definition of security.
Good old Theo De Raadt.
Half human, half cunt.
"De Raadt has been criticized for having a somewhat abrasive personality..."
“He’s not deformed, he’s just drunk!”
you're doing it wrong.
Anons need not reply. Questions end with a question mark.
As usual:
- Theo is a complete asshole, but also quite correct about most things. OpenBSD is rather behind the times in general, but very good at what it does do. And their stance on BSD license and making BSD tools is great.
- FreeBSD really is stupid about some things. Let's take for instance their complete refusal to implement any strong security in their distribution chain. You can't verify their ISOs or packages back to their source in any way. Their repo is ancient svn, not git or monotone, so they have no signable hashes in their repos. There are no deterministic builds. etc. And when you bring it up, they just handwave about process and workflow as reasons to continue doing the same. FreeBSD is pretty damn good as an OS, but their standing on these things is BULLSHIT.
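The kind of release verification the comment above is asking for, shown as an added example that is not from this thread or from any BSD project: a constructed release directory gets a published checksum file, and a downloaded artifact is checked against it so that a tampered or corrupted copy fails. The file names, payloads and the `CHECKSUM.SHA256` name are chosen for the example, and it assumes a POSIX shell with GNU coreutils `sha256sum` and `mktemp`.

```shell
#!/bin/sh
# Added example (not from the thread or any BSD project): verify a downloaded
# release artifact against a published SHA256 checksum file.
# Assumes GNU coreutils sha256sum and mktemp. Every file is constructed here.

set -u

# publish_checksums DIR FILE...: write DIR/CHECKSUM.SHA256 in the "<hex>  <name>"
# format that sha256sum -c consumes. Stands in for the file a project would
# publish (and ideally sign) beside its release images.
publish_checksums() {
    dir=$1; shift
    ( cd "$dir" && sha256sum "$@" > CHECKSUM.SHA256 )
}

# verify_artifact DIR FILE: 0 when FILE matches its entry in DIR/CHECKSUM.SHA256,
# 1 on a mismatch, 2 when the checksum file has no entry for FILE.
verify_artifact() {
    dir=$1; file=$2
    grep -q "  ${file}\$" "$dir/CHECKSUM.SHA256" || return 2
    # --status: exit code only, no output; sha256sum returns 1 on mismatch.
    ( cd "$dir" && grep "  ${file}\$" CHECKSUM.SHA256 | sha256sum -c --status - )
}

# demo: builds a throwaway release directory and exercises all three outcomes.
# Returns 0 only if every outcome is what the comments above predict.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed ISO payload, not a real image\n' > "$tmp/release.iso"
    printf 'constructed package payload\n' > "$tmp/pkg.txz"
    publish_checksums "$tmp" release.iso pkg.txz

    if verify_artifact "$tmp" release.iso; then ok=0; else ok=$?; fi            # expect 0
    printf 'x' >> "$tmp/release.iso"          # simulate a tampered or truncated download
    if verify_artifact "$tmp" release.iso; then tampered=0; else tampered=$?; fi # expect 1
    if verify_artifact "$tmp" unknown.iso; then missing=0; else missing=$?; fi   # expect 2

    rm -rf "$tmp"
    [ "$ok" -eq 0 ] && [ "$tampered" -eq 1 ] && [ "$missing" -eq 2 ]
}

# Run stand-alone: the exit status says whether all three outcomes matched.
demo
```

A checksum file only proves integrity relative to itself: whoever can replace the image on a mirror can replace an unsigned `CHECKSUM.SHA256` beside it just as easily, so the checksum file has to arrive over an authenticated channel (a signature from a project key, or a hash pinned in a signed repository) before a match means anything about provenance.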
Stay off his lawn!
The lot is cast into the lap, but its every decision is from the LORD.
God says, "do_you_get_a_cookie I_quit Venus application bring_it_on
how's_the_weather."
I don't know why people downvote you. We should just use your posts as a form of high entropy communication and use it for cryptography.
No one can predict what you will say....
aaa.... everywhere? just 'cause you are living under a rock, doesn't mean that everybody else is. dunno what os you're using right now, but chances are pretty high you're using a tool/technology/library developed by one of these BSDs.
windows - shitton of tools are taken verbatim from freebsd (network related)
mac - is a freebsd 5 clone, with improvements made to it (plus a ui) and backported from the main release. they have on payroll a fair few of the freebsd folks.
all of them (linux included): anything security related, that's openbsd. when they don't take from openbsd they do it wrong and they have holes.
...Why should I care? Where in the world is serious stuff being done on any of these platforms? Just asking...
When it comes to security, De Raadt is like House
So I guess it matters if you care about security. Then again, since we don't really use secure software or systems, that point is kind of moot.
yeah, i know, right?! who cares about openssh and the likes.
If you don't know, then the rest of us would prefer you stay away. Our professional-to-fanboy ratio is fairly high, especially compared to Linux and Windows, and we'd like to keep it that way.
You may want to pose that question to Netflix. They account for about 1/3 of the traffic on the internet and all that traffic is served from FreeBSD servers.
Also, Mac OS X is essentially a fork of FreeBSD.
The OS on all Juniper equipment is a modified version of FreeBSD.
The Playstation 3 and 4 OS are both modified FreeBSD.
Plus more.
A new 10x faster network stack is coming to Linux via FreeBSD, enjoy your 10gb routing speeds with a 1ghz cpu and in user mode, not kernel. Nginx, that's BSD, Varnish, that's BSD. Actually, most OS research is done on FreeBSD, then ported to Linux. Anecdotally, several large datacenters are claiming they're seeing a rise in BSD services and VMs and some major customers with millions invested, switching to BSD from Linux.
One corp claimed to have over 10,000 VMs and paid RedHat for enterprise support for those VMs with a 5 year contract. They're still locked into contract, but they switched to FreeBSD because they can cut down their number of VMs by 30% and get the same performance. They also found it easier to manage FreeBSD. They're paying for that contract, but not using it. I bet that was a fun sell to management.
Have a look at their donations page https://www.freebsdfoundation.org/donate/sponsors
Companies support this project because they are doing serious business with FreeBSD.
Because the SAME message has been randomly posted a bunch of times as replies to completely unrelated topics. I guess you are confirming that you at least spent the effort to copy and paste it? Bravo for you. But it's still spam.
Where in the world is serious stuff being done on any of these platforms? Just asking...
Firewall and NAS solutions are often based off of FreeBSD. See, for example, m0n0wall and its derivatives, as well as the popular FreeNAS.
One big advantage of BSD for NAS applications is that it can support ZFS. (Linux attempts have been half-assed, largely due to licensing conflicts.) You really want ZFS if you are building a robust, reliable NAS device.
Yeah, but working as an Internet server is easy. What do you need, a network card driver and some server software? That problem has been solved a long time ago and almost any OS can be used for the purpose.
Now, give me a cool, fast, usable and bug-free desktop and we will start talking.
More stable? Reliable? Secure? In all cases, anecdotes are not useful. Where's the evidence? Is it the license that matters?
The license, pf, and a reputation for networking speed.
Anecdotes do matter, though - Netflix works and is profitable, so if your use case is like Netflix's then FreeBSD probably will work for you.
Speaking of anecdotes, a trend that I've noticed is that linux fans will tend to use FreeBSD when it makes sense in a particular application, and FreeBSD fans will tend to use linux when hell freezes over.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
He's often "technically correct". What I mean is that OpenBSD is really secure in its default setup... because it doesn't do fuck-all. Security via turning off everything isn't really that impressive. When something is supposedly so much superior on a security front, yet seems to get very little usage, well, there's a reason.
Also, even if you are right, you shouldn't be a dick about it. Perception matters in the world and if you want to persuade people to your position, you need some empathy. If you act like a jerk all the time, it puts people off and makes them dislike you, and thus not consider the content of your claims.
... if, say, the military or state department actually follows the NSA's suggestions, there's a decent chance that those suggestions are pretty close to as good as it gets ...
Are you saying that NSA hasn't yet created enough havoc, that you wish the State Department and the Military to join NSA in making even more violations to our Constitutions??
Muchas Gracias, Señor Edward Snowden !
How the fuck is it spam? There's no commercial content in it.
There are three definitions for the term "spam" which are used.
1. Originally, it was used to indicate a flood of data with no actual meaningful content.
2. At some point some politician passed a law defining it as "commercial solicitation".
3. Most laymen use the definition of "anything I don't want to see".
On slashdot, you usually see definitions 1 and 3 used.
If I put wheels on your metal office desk you can have a cool (temperature), fast (relative to otherwise stationary), usable (it's the top of a desk), and it will be bug (termite) free. That's all you get.
Working as an internet server is easy, sure, we've had Microsoft's IIS and Raspberry Pi's doing it. Working as a safe, stable, secure one is hard, and for that we have the BSD's.
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
yeah, and netmap on freebsd is pretty damn cool (finally) compared to that similar stuff linux has been trying to do. not to mention what, like 5 or 6 different linux firewall implementations over time now, lol.
i totally agree, freebsd is much easier to manage than linux.
linux has got so damn bloated with all the distros, and trying to abstract any and all form of raw unix iron away from the user into purty little GUIs, that it's a freaking wonder anyone in linux land has any clue about anything other than where the power button is. seriously. all those layers are just that bad. and when they break and even start stepping on each other's toes, the only fix is to reinstall.
i'm sorry to say it but the bsd's are sexy.
i'm never going back to linux.
I think you are talking to a Gospel Rock song generator. http://www.song-lyrics-generator.org.uk/
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Oh really? Theo said they took something from Linux...
Just to remind you, His Holiness Saint Jobs forbids reading about heretic technologies.
Then maybe he should've fired the folks responsible for Apple's Internet connection, given that it was, at least as of 2011, quite possible to read, and post to, Slashdot from Apple's corporate network.
Netapp, Juniper, Bluecoat, others.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Oh and of course. OS X, iOS.
Also Netapp, Juniper, Bluecoat...
Sounds like cargo cult software engineering.
Also, Mac OS X is essentially a fork of FreeBSD.
Bull-fucking-shit.
I know this is slashdot, but for fuck's sake you should still know better than that! And +5 informative too?
What the fuck is wrong with you people?
So basically it means that OpenBSD never supported chips for encryption and that's why it is more secure? FreeBSD allows you to disable acceleration, too, if you want to do such a dumb thing and slow everything down.
In my opinion security is an extra, not the primary target. First target is application support and FreeBSD performs extremely well here. Even better than many Linux distributions.
Second thing is that OpenBSD is not as secure as you think. Many dumb things there are resolved quietly without notifying the public. Others are played down in their importance. Is this how Theo wants to build up trust? FreeBSD does it a lot better with their security mailing list! They notify in advance and don't need to watch any weird image about security.
4. Yummy meat in a can
Yes, they matter.
Even if nobody in the world would be using OpenBSD, it would still be worth doing it, because it is living proof that a secure Unix-based OS is possible if only its makers can be arsed to give a fuck about security and do the hard and not always exciting work required for it.
Assorted stuff I do sometimes: Lemuria.org
Of course they might share some stuff, but the parent post is talking about things like OpenSSH among others.
Yeah those lamerz at OpenBSD...
From Wikipedia:
Proprietary systems from several manufacturers are based on OpenBSD, including devices from Armorlogic (Profense web application firewall), Calyptix Security, GeNUA mbH, RTMX Inc,[5] and .vantronix GmbH.[6] Later versions of Microsoft's Services for UNIX, an extension to the Windows operating system which provides some Unix-like functionality, use much OpenBSD code included in the Interix interoperability suite, developed by Softway Systems Inc., which Microsoft acquired in 1999.[7][8] Core Force, a security product for Windows, is based on OpenBSD's pf firewall.[9]
Pedant fail. The basis for OS X was NeXTSTEP, and the basis for NeXTSTEP was BSD.
Have you considered switching to fucking decaf? Then you might notice that operating systems are more than just a kernel.
Netflix is a nice example, but if you use the Internet the first thing you probably do is use DNS. Verisign's root servers and the TLD servers that they run all use a 50:50 mix of FreeBSD and Linux (diversity is important, because if there's an exploit for one then they can just turn that one off until it's fixed. They also run different resolvers and so on).
I am TheRaven on Soylent News
And that's different from OpenBSD how?
I'm sure every OS-maker out there has something to learn from OpenBSD, but Theo De Raadt seems incapable of acknowledging that others may have different design criteria than OpenBSD. If they wish to support their customers and gain more business, Red Hat, Apple or Microsoft, for instance, cannot make security the only factor. They have to be quick at supporting some new hardware, provide ease-of-use features and add new features or be considered obsolete very quickly. The same goes for plenty of makers of hardware products.
If OpenBSD was capable of both extreme security and the quick development mentioned above, he'd have proper bragging rights for beating the other players. Otherwise he is simply playing a different game than them.
You don't know anythin about OpenBSD, do you?
Just read this and learn something: http://www.openbsd.org/papers/ru13-deraadt/mgp00001.html
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
I do know 'anythin' about OpenBSD. And yes, I was already aware of the things in the online presentation. But OpenBSD is not unique on this matter. Other OSes offer the same functionality. OpenBSD is quite unique in its strong focus on writing correct code. But that alone is not enough for being a 'secure OS'. OpenBSD has security features that other OSes lack, but the same counts for any other OS. If you call OpenBSD secure just because they focus on writing correct code, then you're missing the point about what good security is all about.
It doesn't have to be like this. All we need to do is make sure we keep talking.
The little picture at http://tech-beta.slashdot.org/story/13/12/16/0121213/theo-de-raadt-says-freebsd-is-just-catching-up-on-security nearly brought a tear to me e'e.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Well it's probably nicer than talking to Theo De Raadt...
At least Theo doesn't resort to cheap ad hominem attacks. The funny thing is you both try to cheaply attack his character in order to dismiss his intelligence (like a stupid "dick" or "cunt"), but take the politically-correct stance because you're sooo morally superior. What is it? So far your attack lacks intelligence and meaning, while being morally inferior.
WalMart's generic 'spam' is better than the real Hormel variety.
Cheaper, too.
The biggest security hole in any operating system is the same in every operating system - the source of ID-10-T and PEBKAC errors (Idiot, and Problem Exists Between Keyboard and Chair) - the OS can be totally secure and hardened, but if it allows users to do stupid stuff then it is still going to be vulnerable.
Unless, of course, the system is totally locked down so that it resembles the IT version of a strait jacket, in which case users will spend as much time cursing the fact that the computer stops them working, and trying to get around your restrictions to see their lolcat pictures as they do actually working.
Don't get so upset -- it's a common mistake on Slashdot to mistake Scientology for XNU.
>>"ad space available -- low rates!!!"
PARTS of BSD, it's a hybrid with XNU and it's part monolithic and microkernel, and they've developed Darwin beyond all recognition from that point.
To say it's FreeBSD or OpenBSD or your dad's BSD is to invite the wrath of people who drank too much coffee, and I think Odin. Because that's just the kind of thing that will get you punched in a mainframe computer center.
Also, Mac OS X is essentially a fork of FreeBSD.
+5, Funny
0 1 - just my two bits
You may want to pose that question to Netflix. They account for about 1/3 of the traffic on the internet and all that traffic is served from FreeBSD servers.
Netflix may use freebsd internally, but the movies are stored on amazon s3 and served from there. So, no, freebsd doesn't account for 1/3 of the internet traffic.
I have nothing against freebsd and have used it extensively in business.
Do you have ESP?
Speaking of anecdotes, a trend that I've noticed is that linux fans will tend to use FreeBSD when it makes sense in a particular application, and FreeBSD fans will tend to use linux when hell freezes over.
This is me. I have tried numerous times to use FreeBSD as my home server OS and a few times as my desktop dual-boot, but always end up getting frustrated. Usually it's application management, as any of my home *nix boxes are used for experimentation with lots of stuff being installed and removed. I'm just so used to tools like aptitude and Synaptic that anything less pisses me off, and after a few days to weeks at most I end up reinstalling something from the Debian family tree. Same problem actually tends to happen with Red Hat style Linuxes, there doesn't seem to be an "aptitude" equal for the RPM world.
I use a FreeBSD-ish userland daily in the form of OS X, but don't usually have to deal with shitty management of *nix applications thanks to many having proper OS X .app packages available. Beyond that "homebrew" seems to be the current favorite analog to the "average" *nix packaging tools.
But my router/firewall has been FreeBSD for over a decade now, once m0n0wall but these days its more featureful derivative pfSense. pf is just superior to iptables. These things are rock solid and almost any change can be made online without affecting existing traffic, which is more than I can say for every Linux-based router/firewall I've used.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
Features implemented specifically to be difficult to add to Linux are difficult to add to Linux. News at 11.
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
yet one BSD distro has the focus of hunting down and removing those pinholes.
TIL: OpenBSD is responsible for booting from encrypted volumes (incredible, since Windows and Linux have been capable of this for about a decade, and OpenBSD only started supporting it in 5.3!), MBR protection (aka secureboot), and ASLR (added to: OpenBSD-2008, Windows -2007, Linux - 2005).
I also learned that Truecrypt, BestCrypt, Bitlocker, and LUKS have all been doing it wrong for well over a decade.
Incredible!
The first Wikipedia article you linked to proves you wrong:
I'll grant that that probably isn't enough to call it a fork.
BSD what...4.2? 4.3? Far before FreeBSD.
After starting off as a patch to 386BSD, FreeBSD was based on BSD 4.3-Lite.
No, off by default is the right way for security. It reflects the correct way to think about security.
I'm not sure your statement about adoption forwards any logical point. Ease of use and security are generally considered to be a straight-line tradeoff. People don't use OpenBSD because they put other values (ease of use, more default packages, works with x, etc) above security. OpenBSD is a joy to use, until you find something that "just worked" in Linux and doesn't (easily) work in OpenBSD. Security isn't free.
I'm always amazed when people (especially other geeks) don't understand that many gifted computer people have weakness in other areas. Social skills being a prime example. Theo isn't some kind of demi-god, he's a person with one extreme strength and other weaknesses. Torvalds and Stallman aren't exactly the kings of diplomacy either. Being a bit anti-social is more of the norm for genius types.
Competition Good, Monopoly Bad.
Or you could just click the 'Slashdot Classic' link in the footer. :)
I've sent a correction to the FreeBSD docs folks, but to clear the record here:
PS3 was not based on FreeBSD. While it does use a variety of open source components from a lot of projects and does cite them, that doesn't mean it was "based on a modified version of FreeBSD."
PS4 certainly is, but not PS3.
The original question was why care and where is serious stuff being done. Are you disagreeing that putting together one of the largest content delivery networks ever is serious?
Netflix is doing really interesting stuff on their FreeBSD systems.
If you want very specific answers to why: The BSD port system is a huge reason. The main OS is developed in a release cycle where stability and security are the main goal. Riding on top of this is the ports system which all other software packages are built from. If you don't like one of the compile time flags in some software package you just make that change you want the first time you build from ports. You then have a custom package that you can deploy to all your other instances. The ports system also has the benefit of being much much more up-to-date than any linux distro except for Arch and Gentoo. Arch uses a rolling release development model and strives for everything being up-to-date. Gentoo uses the BSD ports system idea for their package management system portage.
The basics of it are that you get the stability of a regular release cycle and your installed software is always the current stable version.
You may want to revisit. The base tools for package management can be frustrating for someone who is learning them. Fortunately there are some newer tools that are in regular use probably after your last time using FreeBSD. The utility portmaster is most likely what you're looking for. It is able to control the ports system and package management very very very well. It has no external dependencies (it's actually just a huge shell script).
In addition to portmaster, the base system's package management has been completely rewritten in pkgng. You will find that it takes many good cues from debian apt.
All of these are command line tools. If you're a GUI type and shy away from command line, BSD's are not for you (yet).
You are absolutely right. The guy complaining about my statement is uninformed. If you run strings on command line utilities in older Mac OS X builds you will also see the comment string left by the code being checked into the FreeBSD CVS source tree. Those comments have the word "FreeBSD" and the revision of the code being checked in and the name of the FreeBSD developer that did the commit.
From the horse's mouth: "The power and simplicity of Mac OS X Server are a reflection of Apple's operating system strategy, one that favors open industry standards over proprietary technologies. It begins with a UNIX-based foundation with Mach 3, FreeBSD 4.8, and the latest advances from FreeBSD 5 at the core."
Also, why would Apple have hired the founder of FreeBSD, Jordan Hubbard?
http://www.apple.com/server/docs/MacOSX_Server_TO_300195.pdf
I'm a best-UI-for-the-job type who's at home in a CLI but doesn't turn down a good, functional GUI when one exists.
The Debian tool I'm a big fan of, aptitude, is a Ncurses based "TUI" package manager. (http://screenshots.debian.net/package/aptitude if you can't picture it) Synaptic is pretty much the same thing with a few more features in GTK form. These make it far easier to resolve package conflicts and such compared to the straight CLI tools.
It's not a major loss in a production system where the packages needed are known and mostly unchanging, but for personal machines where I install things I want to play with on a whim a good interface to actually browse the available packages is key.
I don't think this guy knows what he's talking about, but that's beside the point. There is absolutely no reason to argue against an operating system you DON'T use. That is the reason you use OpenBSD instead of FreeBSD right? Shit if you're that worried about security go play with Windows for an hour, and come back to see how secure FreeBSD actually is. /dev/random is supposed to become incrementally better with time, but FreeBSD is about tested stability. You're criticizing the project for not implementing a new technology and that is arrogant. Keep testing your chip-based crypto and when it's ready it will get used right away. For now software cryptography is perfectly fine.
Speaking of anecdotes, a trend that I've noticed is that linux fans will tend to use FreeBSD when it makes sense in a particular application, and FreeBSD fans will tend to use linux when hell freezes over.
So you're saying Linux/GNU fans that use FreeBSD aren't capable of being FreeBSD fans. There's a flaw in your argument.
Ops, I shuld have usd the prevuwe but in.
Remember, 'fan' is short for 'fanatic'. Logic isn't really part of it.
So, FreeBSD fans refuse to use Linux for no logical reason. Ok, now I understand.
I wouldn't read too much into a hyperbolic anecdotal stereotype if I were you.
I get you, but I use the SVN repo here and the ports search here for doing all that. Then I use either pkg or portmaster to install what I want. The other great thing is that pkgng the package manager is supported by puppet, chef, cfengine, ansible, and salt. So installing packages and keeping everything up-to-date across all the variety of servers in a datacenter is a snap.