Theo De Raadt Says FreeBSD Is Just Catching Up On Security
An anonymous reader writes "The OpenBSD project has no reason to follow the steps taken by FreeBSD with regard to hardware-based cryptography because it has already been doing this for a decade, according to Theo de Raadt. 'FreeBSD has caught up to what OpenBSD has been doing for over 10 years,' the OpenBSD founder told iTWire. 'I see nothing new in their changes. Basically, it is 10 years of FreeBSD stupidity. They don't know a thing about security. They even ignore relevant research in all fields, not just from us, but from everyone.'"
...only OpenBSD would catch up in every OTHER category...
Good old Theo De Raadt.
Half human, half cunt.
"De Raadt has been criticized for having a somewhat abrasive personality..."
“He’s not deformed, he’s just drunk!”
As usual:
- Theo is a complete asshole, but also quite correct about most things. OpenBSD is rather behind the times in general, but very good at what it does do. And their stance on the BSD license and making BSD tools is great.
- FreeBSD really is stupid about some things.
Let's take for instance their complete refusal to implement any strong security in their distribution chain. You can't verify their ISOs or packages back to their source in any way. Their repo is ancient svn, not git or monotone, so they have no signable hashes in their repos. There are no deterministic builds, etc.
And when you bring it up, they just handwave about process and workflow as reasons to continue doing the same. FreeBSD is pretty damn good as an OS, but their standing on these things is BULLSHIT.
to write your ipsec, that's the definition of security.
Exactly.
The NSA is the one you are protecting yourself against. Why would you EVER trust any cryptographic primitives designed by them at all?
Being able to fully trust the cryptographic primitives on a system is not a new thing though... those NSA guys have tainted so much everywhere simply because it is their job description to decrypt sensitive communications for the intelligence community.
Microsoft anyone?
The lot is cast into the lap, but its every decision is from the LORD.
God says, "do_you_get_a_cookie I_quit Venus application bring_it_on how's_the_weather."
I don't know why people downvote you. We should just use your posts as a form of high entropy communication and use it for cryptography.
No one can predict what you will say....
aaa.... everywhere? just cause you are living under a rock, doesn't mean that everybody else is. dunno what os you're using right now, but chances are pretty high you're using a tool/technology/library developed by one of these bsd's.
windows - shitton of tools are taken verbatim from freebsd (network related)
mac - is a freebsd 5 clone, with improvements made to it (plus a ui) and backported from the main release. they have on payroll a fair few of the freebsd folks.
all of them (linux included): anything security related, that's openbsd. when they don't take from openbsd they do it wrong and they have holes.
...Why should I care? Where in the world is serious stuff being done on any of these platforms? Just asking...
When it comes to security, De Raadt is like House.
So I guess it matters if you care about security. Then again, since we don't really use secure software or systems, that point is kind of moot.
You may want to pose that question to Netflix. They account for about 1/3 of the traffic on the internet and all that traffic is served from FreeBSD servers.
Also, Mac OS X is essentially a fork of FreeBSD.
The OS on all Juniper equipment is a modified version of FreeBSD.
The Playstation 3 and 4 OS are both modified FreeBSD.
Plus more.
A new 10x faster network stack is coming to Linux via FreeBSD, enjoy your 10Gb routing speeds with a 1GHz CPU and in user mode, not kernel. Nginx, that's BSD, Varnish, that's BSD. Actually, most OS research is done on FreeBSD, then ported to Linux. Anecdotally, several large datacenters are claiming they're seeing a rise in BSD services and VMs and some major customers with millions invested, switching to BSD from Linux.
One corp claimed to have over 10,000 VMs and paid RedHat for enterprise support for those VMs with a 5 year contract. They're still locked into contract, but they switched to FreeBSD because they can cut down their number of VMs by 30% and get the same performance. They also found it easier to manage FreeBSD. They're paying for that contract, but not using it. I bet that was a fun sell to management.
Have a look at their donations page https://www.freebsdfoundation.org/donate/sponsors
Companies support this project because they are doing serious business with FreeBSD.
First thing I do with security is look at who I am protecting against, and throw resources at the most common things first:
1: Web browser and add-on compromise is an issue... thus AdBlock, NoScript, and other things, not to mention running all Web browsers in a VM, jail, or sandbox.
2: Theft is common, so I encrypt all my HDDs. That way, Jack Meth-head who grabs a computer will get... hardware. No data is on the black market for blackmail or extortion.
3: Backups are protected on the cloud, because even though so far, there has not been a single intrusion with a cloud provider, it is only a matter of time. When it does happen, I want encryption that uses no passwords, so brute-forcing has to be done against the entire AES-256 keyspace, not just the limited space from a passphrase. Thus, TrueCrypt with keyfiles, or storing data with private keys stashed in secure locations.
4: Legal security. Using NIST/FIPS approved stuff gets me past the auditors at work, and those guys need to be happy or else I'm out of a job, or perhaps facing criminal charges due to Sarbox, FERPA, HIPAA, or civil charges for pissing on PCI-DSS3.
5: Privacy. VPN services, running different Web browsers for different tasks, blocking beacons, all help here. I might be as Draconian as to say to ditch your iDevice if you value privacy since one can use Android to further block beacons, cookie sites and such on the device.
6: Foreign intel divisions. They get in, company gets shut down, just like the US solar industry got "mugged" and solar panels sold for cheaper than rare earths exported from China.
Then there is a lot of other stuff, internal things, APTs... in the entire scheme of things. NSA spying is not on my list to worry about.
Let's be real, folks. Focus on the real threats, not boogeymen. Of course, this reasoning is different if not in the US, so substitute NSA for one's domestic intel crew.
To play devil's advocate for a second (and from someone who is as opposed to the NSA's spying as anyone), their job is also to prevent adversarial spying on us. That presumably applies much more to government functions than day-to-day ones, but if, say, the military or state department actually follows the NSA's suggestions, there's a decent chance that those suggestions are pretty close to as good as it gets.
Well, he did produce OpenBSD, which could be seen as constructive criticism in a sense (instead of just complaining, build something). But yeah, if you mean constructively criticizing things in text, that's not really his strong point.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
He's often "technically correct". What I mean is that OpenBSD is really secure in its default setup... because it doesn't do fuck-all. Security via turning off everything isn't really that impressive. When something is supposedly so much superior on a security front, yet seems to get very little usage, well, there's a reason.
Also, even if you are right, you shouldn't be a dick about it. Perception matters in the world and if you want to persuade people to your position, you need some empathy. If you act like a jerk all the time, it puts people off and makes them dislike you, and thus not consider the content of your claims.
Also, Mac OS X is essentially a fork of FreeBSD.
Bull-fucking-shit.
I know this is slashdot, but for fuck's sake you should still know better than that! And +5 informative too?
What the fuck is wrong with you people?
If I didn't need more throughput than a single CPU can provide, I'd still be on OpenVPN for everything. It's easier to configure, significantly easier to manage, and rock fricking solid in the face of network unreliability - none of which I can say for IPsec.
Pedant fail. The basis for OS X was NeXTSTEP, and the basis for NeXTSTEP was BSD.
Have you considered switching to fucking decaf? Then you might notice that operating systems are more than just a kernel.
pretty sure they did but Navy shot it down?-D
world was created 5 seconds before this post as it is.
The biggest security hole in any operating system is the same in every operating system - the source of ID-10-T and PEBKAC errors (Idiot, and Problem Exists Between Keyboard and Chair) - the OS can be totally secure and hardened, but if it allows users to do stupid stuff then it is still going to be vulnerable.
Unless, of course, the system is totally locked down so that it resembles the IT version of a strait jacket, in which case users will spend as much time cursing the fact that the computer stops them working, and trying to get around your restrictions to see their lolcat pictures as they do actually working.