OpenBSD, Security, and Theo de Raadt
AdamK writes "Here's a very interesting article on security and OpenBSD. It also briefly mentions Linux, comparing the two." A quote from the story: "OpenBSD is so secure that it even got the attention of the U.S. Department of Justice, which stores and transmits top-secret data using 260 copies of the OS."
> I can't say I like BSD's init style much. I much prefer the SYSV style with the different runlevels and the directory structure.
:-)
I prefer BSD's rc-files and really *HATE* those dozens of directories and files SYS V needs to boot up; that's just too complicated and confusing.
> It is much more logical IMHO.
Depends on your logic.
> BSD disk labels (somewhat like an alternate method of an extended partition on a PC, not really)
:-).
No, not at all. BSD labels work completely independently, because the design of the BSD label is older than Microsoft's weird partition scheme, which Linux uses as well (on i386 at least). I guess the only reason Linux uses them is because it's easier to install it as a 2nd operating system besides Windows.
BTW: All my f(uck)disk partition tables look like this:
Partition table:
0:
1:
2:
3: sysid 169 (NetBSD)
start 0, size 16 (0 MB), flag 0x80
beg: cylinder 0, head 0, sector 1
end: cylinder 0, head 0, sector 16
As you can see, NetBSD doesn't make much use of them.
IMHO disklabels are far superior to Microsoft partition tables.
> For people who don't think much of package management (you Slackware guys), you might prefer NetBSD.
Get your facts right: NetBSD has a package system for over a year now.
I've used OpenBSD for some time now. It has worked very well for me. I've had a couple of problems with stability, but they were due to misconfiguration on my part. The only real problem I had was that 2.4 refused to work with my PCI ne2k (those realtek 8029 pieces of crap)... I reported the bug and got a fix within hours. It's nice to actually get help from the developers. One of my favorite things in OpenBSD is the installer. It's so simple. RedHat should take some notes. I also like the way that you can rebuild the entire source tree. (it's the same in Net and FreeBSD)
this is probably due to a misconfiguration. In any case, if you reported the problem to the developers I'm sure the issue would have been resolved.
yes, the possibility of getting root access is still there but the chances of you getting root are decreased CONSIDERABLY (100x) over any other OS out there.
I posted the "It works" comment above.
In light of this post showing the cracking behavior I have to reconsider my position.
What a hell of a shame, not least because I finally have OBSD doing actual stuff I need done.
You can require a password in single user mode... you're right about that. Also I believe you can use securelevel to make it so you cannot edit the password file. I haven't used securelevel really so I don't know what level that is (the ranges are from 0-3).
BSD cracked at hotmail bigtime.
None of the BSD's are any different than Linux in this respect. Even w/ the /etc/shadow file, it's easy enough to just chmod it to writable and remove the root password once you've booted off a floppy ("root" by default). Under most un*x'es these days, you need the root password to even get into single-user mode... but under all of them (solaris, bsd's, linux) if you boot off the install media you can mount the harddrive's root filesystem and modify it (or reload it - face it, this is how the install process works in the first place!). There is *NO* security if there is no physical security. Even if you could prevent the system from being booted w/o a password... if your system is in a location where I can just waltz in, super-glue your tape drive, smash your backups, and 80G drop-shock your spinning harddrives (a good hammer would do)... bye bye data. Or, if I owned a gun (I don't) I could just walk in and "go postal" on your servers... At work, all of our critical company systems are in a cipher-locked server room (the old mainframe disk farm.. raised floor & A/C) which is on alarm (rings the security guards) outside of normal working hours. Backup tapes are stored in a separate fire-proof tape vault room, also cipher locked & alarmed, and we send monthly/quarterly backups to an offsite storage facility. OpenBSD is more secure than Linux from a networking/password/encryption standpoint... but that in no way means that *any* system is more secure than another from the physical-security standpoint.
A Secure And Open Society
Calgary-based developer and free software evangelist works to make OpenBSD hacker-proof
By Michael MacMillan, ComputerWorld Canada

Considering that as a youth, Theo de Raadt routinely gave away software written on his Commodore Amiga PC, it's hardly surprising that he has since become both a force in the free software movement and a hacker's nightmare.

de Raadt, a 31-year-old University of Calgary computer science graduate who came to Canada from South Africa as a child, has invested the last six years of his life and spent $30,000 of his own money heading the OpenBSD project. The operating system is a free, ultra-secure variant of the Unix-like BSD 4.4 - and it's a project de Raadt founded.

Though he's a tried-and-true computer and software junkie -- de Raadt proudly recalls working on his Commodore Vic20 and claims his Amiga's serial number was around 1000 - he said no single event sparked his later work with OpenBSD. Looking back, however, a lot of the interest stems from a systems administration job he took at University of Calgary while he attended classes. It was then that the extent of OS source-code flaws took hold of him.

In particular, he remembers how, after much legal and financial wrangling, U of C managed to finally get its hands on the Sun Microsystems Inc. Unix source code -- the quality of which varied "significantly," de Raadt said.

"We'd read the source code, find out what the problems were and think, 'Gee, it just did some weird thing because some weird packet came across the net and it wasn't expecting it. What would happen if someone decided to do that?' And this really scared us."

de Raadt started devoting more time to his passion, and as he progressed it became clear to him that certain programming mistakes turned up time and again in different software packages. Two years later, in 1993, de Raadt and three others founded the NetBSD project.

But "political kerfuffles" eventually led de Raadt to branch off and form the OpenBSD effort. The main difference between the two was in the developer focus. In the case of OpenBSD, the emphasis is on security. de Raadt's goals haven't changed since then -- to make OpenBSD the most secure platform in the world.

OpenBSD let de Raadt take bug fixing to a whole new level. The problem with professional programmers is not a lack of ability, but lack of attention to detail, he said. That's why he says the OpenBSD development process is unlike any other. "Ten years of being in the software industry, and I've never seen anybody doing what we're doing here," he explained.

The secret is straightforward - de Raadt and his peers assume that every single bug found in the code occurs elsewhere. de Raadt admits it sounds simple, but just rooting security bugs out of the entire source tree took 10 full-time developers one and a half years to complete. "It's a hell of a lot of work...and I think that explains why it hasn't been done by many people," he said.

But it's this kind of nit-picking that has made OpenBSD one of the most hacker-proof platforms available - that and the fact it ships with cryptography (Kerberos IV and support for IPsec) already built-in. "There hasn't been a single remote security hole found in OpenBSD in two and a half years, in the default install. So that means if you want your machine cracked, you're going to have to misconfigure it," he said.

In fact, one reason why OpenBSD is configured and shipped from Canada is so de Raadt doesn't have to contend with tough U.S. cryptography export laws. This has allowed him to integrate cryptography elements from several European countries. OpenBSD is so secure that it even got the attention of the U.S. Department of Justice, which stores and transmits top-secret data using 260 copies of the OS. As well, one of the largest ISPs in the state of Washington, pacifier.com, runs part of its operations on OpenBSD.

Today de Raadt oversees a community of 90 volunteer developers who make changes to the source tree. He also takes tips and suggestions from thousands of other OpenBSD enthusiasts from around the world.

Comparisons with Linus Torvalds and his Unix-variant, Linux, are inevitable, and de Raadt doesn't mind. From a user perspective, there's very little difference between the two. But he is critical of the Linux development model, particularly of the way the larger Linux distributors, like Red Hat Software Inc. and Caldera Inc., assemble their products. "Some of them are doing a better job of...looking for bugs in the latest versions," he said. "It comes down to (whether) the people who are actually packaging the software know what they're doing." He credits German vendor SuSE GmbH for being the most diligent.

A typical day for de Raadt includes three or four hour stints at his computer, broken up by sleep and a bike ride - a far cry from the 14 to 16 hour days he used to put in. But how many people actually use OpenBSD, and for what, doesn't concern de Raadt. Though he makes his living selling OpenBSD CDs, he insists he has no desire to expand the business. He's even hired a Calgary-based businessman to sell the CDs on his behalf, just so he can avoid dealing with money issues.

"I'm not interested in getting into business. I really like the way this works right now, and I'm having a lot of fun...I'm just perfectly happy accepting the status quo of how many people use BSD right now," he said.

OpenBSD has cost de Raadt a lot of time and money, but, looking back, he said he wouldn't do anything differently. "I work a little less than [I used to], and I spread it out a bit more. But I really enjoy what I'm doing. This is fabulous. I wouldn't want to be doing anything else."

©1999 LTI. All rights reserved.
If you have physical access to the machines, disabling floppy bootup and installing a BIOS password won't work. One could just take out the HDD and mount it in another machine which one has complete access to.
(sob)
Ouch! The site has been Slashdotted.
Is quoting four-year-old results somehow relevant?
FreeBSD 1.5 had evolved from 4.4BSD-lite and was quite mature because of that. Linux would have been somewhere in the 1.0-1.3 range depending on when you did your test. You were running an Intel-optimized version of 4.4BSD against a version 1.x product. I'm not surprised FreeBSD won back then. Just don't make the mistake of believing that those four-year-old results are meaningful today.
Uhh, wouldn't you have to be root to load a module anyway dumbshit.
8) s/BSD/GNU/ ?
I use Debian GNU/Linux potato.
If you pass the kernel an argument like init=/bin/sh, it will give you a root shell. sulogin for single user mode on Debian is cute, but so trivially bypassed that I don't blame RedHat for omitting it.
AC
s/BSD/GNU/ && s/Linux/BSD/
Did I forget anything ?
:)
Yes. After the doors are auto-hermetically sealed, the pumps come on to evacuate the room of air.
But seriously, those precautions won't stop someone who has total physical access. Instead (or in addition to) one should use a cryptographic or steganographic file system if the data on their computer is valuable enough.
Unfortunately, you don't even need to open the case to reset the BIOS password on most machines, since they ship with backdoors...
If you have physical access to the machine, the game is mostly over. With linux, you can do something like: lilo: linux initrd=/bin/sh With most bsd's, you can do something like: boot -s Both of which can be trivially fixed, but then you just pull the drive out and mount it somewhere else.
: 5. Slightly faster modem speeds - in general, I get maybe .3-.5 kb : faster download speeds. It doesn't sound like much, but the phone : lines to my house were installed in the 50's, and I'm lucky if I get : 28.8 (with my 56k modem :-( ). Uh, how is this possible? The OS shouldn't determine modem speed at all - the bottleneck should be completely the modem (unless you're on a 386). Unless you just have your modem misconfigured under Linux?
- Generally, GPL software is minimized For me this is an advantage; I believe in free software, and the BSD license is a whole lot more free than GPL. The license, in short, says you may do whatever you want with this, just give us credit.
- The OS sticks to a minimal base install Frequently in linux, I get a little bothered because most vendors insist on shipping everything (including the kitchen sink) with the OS. Most 4.4BSD based systems take a more minimal approach.
- Integrated source Tree Have you seen how most linux distributions handle sources? Have you seen how BSD handles sources? If you compare the two, it is just no contest. If I want the latest version of
/usr/bin/froblitz in linux, what do I do? In BSD, I can just cvs get src/usr.bin/froblitz. In linux, i'm forced to determine which source tarball it is in, and then find the latest version of that package; this is not always a simple task. - Merged kernel and userland All the BSD systems maintain their OS. By OS I don't mean they maintain the kernel and if you have problems with userland, that's your problem. They maintain both userland and the kernel. This has a number of benefits as anyone who has been bitten by libc upgrades in linux can attest to, no doubt.
- Simplified bug reporting All the BSDs I have used have had a built in bug reporting system to report bugs of any sort with the operating system proper. This is helpful, since you do not need to know who to mail; the bug filing system (usually gnats) will do it for you.
- Better for hackers If you want to learn kernel internals, nothing can beat 4.4BSD. Many UNIX internals books are influenced by 4.4BSD, and there is the landmark Design & Implementation of the 4.4BSD operating system book (also a 4.3 book, which is no longer published). This is one of the best kernel books, far better than the linux alternatives like 'Linux Kernel Internals' (beck, bohm, dziadzka, kunitz, magnus, and verworner).
These are a few reasons I use 4.4BSD. There are a number of other ones, mostly due to my dissatisfaction with linux in a number of ways, however I do think the more free unix the better.
Perhaps u don't no humor when u see it.
Xah
xah@best.com
http://www.best.com/~xah/PageTwo_dir/more.html
I'm not sure I agree with your entire line of reasoning. First off, to my knowledge, the Sun CMW was never evaluated at all. It was designed with B2 in mind, but was not evaluated as such. Secondly, orangebook might not directly address modern software flaws, but it indirectly does. I don't see how a buffer overflow could be used to go from ring 3 to ring 0. You would need a number of successive buffer overflows. On a Multilevel Secure machine, things are a little different, and not quite as good in my opinion, but on single level trusted boxes, this is really difficult to occur (at the b3 and b2 levels, anyways). I have a lot less confidence in the B1 credentials. Redbook addresses networked machines, and when I left Wang, they were completing orangebook evaluation of their product, which was almost exclusively network based.
Isn't it?
;)
But clever hackers have nice equipment:
eeprom-programmer
Frank
Actually, a lot of Canadian sites are dog-slow (well, slow as dogs until they hear the rustle of the kibble bag). I was told (by a sysadmin at a Canadian company) that this was because peering between the two major Canadian backbones was incredibly poor, largely because the technical staff disliked each other. Odd. He was used to complaints from Americans about the ftp speeds for firmware updates and had gone ahead and checked out why. So, this may be more of an issue. Pity. Canada, while being too expensive (for me), does tend to be a nice place.
hahaha
The simple fact of the matter is logs don't make something true. At jkh's insistence, the fbi investigated, and found that theo did nothing wrong. nothing. FreeBSD has been the source of numerous attacks on openbsd.org, but theo doesn't blame jkh for those attacks. As for theo destroying netbsd, that is a matter subject to much interpretation. There is bad feeling on both sides of the fence. At this point in time, who is to say who was in the wrong. All the free unixes serve, to a large degree, the same commonality. I don't speak for openbsd, but mr. deraadt cares nothing for the hacker element prevalent in the unix community. He wants to make his os secure, that's all. Even before openbsd, he was finding and reporting bugs to vendors, as far back as sunos 4.0.3. This is not the history of a 'skript kiddie'. I use and like openbsd. I also use and like netbsd and freebsd. I even use linux. I don't think the myosrules-yourossucks theme is of use to anyone at all.
well, I usually don't respond to this type of thing, but I must say you are missing the point. They're not bragging about supporting more hardware. In fact, you'll find that the reason they don't have every driver under the sun is that they only include the ones that are well written, no hodge-podge allowed! This is one of the things I've come to really like about the system.. It may not have all the doodads or drivers that linux has, but what it does have is very well written, and well designed. This is what makes it such an excellent system.
... and have a case-breach-sensor, which triggers deletion of all HDDs... Why not just have the case-breach-sensor wired to some plastic explosive and skip all the other security features that the still alive intruder might be able to bypass.
That's right, just type
linux init=/bin/bash
at the lilo prompt, and then remount the drive read/write.
You can't break into a BSD box using this method;
if you forget the root password, a boot floppy
is your only friend (or boot in single-user mode)
--Anonymous Hacker
I agree that FreeBSD is dying. And while FreeBSD is beset with its own internal strife, it is not the only BSD to be affected by this cancer. NetBSD and OpenBSD are dying too.
I read that T.Deraadt email thread when I first looked at OpenBSD, and my initial impression was that Theo had a real baaaaadddd attitude. I do know for a fact that a lot of the NetBSD folks were upset to see him leave and fork off his own version of the OS, and to lose him as a developer. But in reading his email he obviously has a problem with taking any criticism, and had no problem with jumping down someone's throat with a flamethrower and foul language. Denial, it's not just a river in Egypt...
Not that I wouldn't use OpenBSD, or any other operating system that met my technical needs, whatever the personality of the people involved. I've dealt with enough bad attitudes from commercial OS vendors in my years in the industry to be able to deal with it if I have to. It just seems that *BSD has an extra heaping helping of bad attitudes that make commercial vendors look like pikers.
If you *really* read that email thread, you would see the attitude loud and clear. "We don't think that it helps anything for you to tell someone he's a f**khead when he's posting a message trying to help with the OS development." "F**K YOU, *I* want control of the source and if you don't like it I'll fork my own off!"
That's my impression of it... He sounded like an immature little upset kid to me. The development of any of the O.S. OS's is a group effort, and having one person think they have all the answers and have to be the one in control is dead wrong. So, now he *has* control of his own fork of BSD, and lost the ability to maintain many of the various platform ports because he has no developers. Thus, the OpenBSD page says that for a Vax port, for instance, "support can be easily ported over from NetBSD". Why these problems are so prevalent under FreeBSD/OpenBSD/NetBSD remains something of a mystery. These systems seem to be self selective in their attraction to weirdos and big egos.
The split had nothing to do with the quality of his coding work, and everything to do with his nasty attitude towards people... and NOT just the people of NetBSD Core, but other people who were just civilians trying to help out, or looking for help. No wonder BSD is on the skids. Which BSD will be first to go under is anyone's guess but The culling has already begun.
...and locked the case.
The case is inside a reinforced wraparound steel box,
with a good pick-proof padlock keeping it shut.
Parallel and serial ports have been duly LARTed
(AT - unplug the flyleads from the motherboard,
ATX - cut the PCB traces on the motherboard)
so the only ways in are the console (for NOC staff
to perform emergency shutdowns) and the Ethernet card(s)
What are the alternative boot methods now?
With a large, copper nail where the fuse used to be, just to make sure that a lot of juice gets through ...
Even if you set your bios to boot from HD only and set a bios password if I have physical access to your system I can switch that little bios jumper to reset your password, set the boot seq to A: C: and mount your disks rw. Lock your systems in a secure room.
I tried FreeBSD about eight or nine months ago, because several people at work use *BSD. I used both for a month and a half, then deleted the contents of my Linux partition.
It had nothing to do w/ licenses, marketing, hype, or anything else. I just liked FreeBSD better, for these reasons:
1. Single point of distribution - I don't have to worry about things like "is this source code compatible w/ glibc x.y?" or "will this new library break my older programs?"
2. Regular release schedule - everything is released all at once. I no longer suffer from latest-versionitis, as in "Oh wow, the 2.2.x kernel is out now, I gotta have it!!! Why don't I get the new Gimp release, too, and {insert program here}". I used to waste so many hours messing w/ stuff like that I can't believe it.
3. FreeBSD is a very clean implementation - everything is in a particular place, and there's no guessing where it is.
4. Great documentation.
5. Slightly faster modem speeds - in general, I get maybe .3-.5 kb faster download speeds. It doesn't sound like much, but the phone lines to my house were installed in the 50's, and I'm lucky if I get 28.8 (with my 56k modem :-( ).
6. Ports system - very cool. You've probably seen it mentioned elsewhere.
These are about all of my reasons, in addition to the stock reasons you hear - compatibility w/ Linux binaries, for example.
Be warned, however - if you use linuxconf or something like that, you won't like FreeBSD. There are no config tools at all - you do everything by hand. There is no nice, simple install screen, either. You partition, format, and install everything by hand. Frankly, however, I like it that way.
Odd.. I'm here in Canada and it seems the reverse. American sites seem dog-slow while Canadian and European sites are extremely fast. Probably an issue with the 2 backbones that travel between the two countries. Canada now actually has one of the fastest backbones in the world.
I've used Linux, FreeBSD, and OpenBSD in demanding workplace environments. They are all excellent operating systems and for most common network server tasks (file/print, WWW, email) they hold their own against commercial Unixen like Solaris (on SPARC; Solaris/x86 is a pathetic joke), HP-UX, and AIX; and are without a doubt superior to Windows NT (not just gratuitous MS bashing; I'm talking about overall benefits which include having a flexible Unix-like system at the core).
The system that is best for you will depend on what you want to accomplish. Linux is my preference (and recommendation) for a general Unix workstation because it works with most of the weird hardware I throw at it and because of better overall application availability (CivCTP!).
Security for single-user workstations or no-login network servers is mostly a function of capable administration. However, for a multi-user Unix server with potentially hostile users (like an ISP or school computing lab offering Unix shell access) in which things like buffer overruns in user apps and /tmp races become serious considerations, Linux would be at the bottom of my list, with OpenBSD at the top and FreeBSD a close second.
I haven't had the opportunity to work with NetBSD yet but I would probably rank it along with the other BSDs based on what I've heard about it and the talk given by the NetBSD team at USENIX '98 (missed '99, sad to say). (I was actually very impressed by the NetBSD folks but they need cooler T-shirts!)
As for licensing, I agree with the BSD folks that the GPL isn't really "free" in the sense that theirs is, but that's why I prefer the GPL. I think it is right and proper to charge the "fee" of all derived works being under the GPL, for the overall benefit of the community. To me, free software != freeloading. But that's my point of view and only pertains to development-- it has absolutely nothing to do with what software I'll use.
But hey, they're all free (as in beer) to download or cheap if you buy the CDs so why not try them all and see which ones you like?
PS -- As someone already mentioned, OpenBSD's NAT feature is extremely cool!
Why even bother with trying to override the password mechanism. If you have physical access to the box, just boot from installation disk, mount the / filesystem (maybe /usr too, depending on which flavor of unix you're dealing with) and replace the "login" binary (/bin/login, /sbin/login or wherever it lives) with a statically linked /bin/sh binary. Reboot the machine from its own disks and instead of a login prompt, you get a shell prompt! This is standard fare that any unix admin worth his weight in dirt should know for recovery of munged systems or else he really has no business being a unix admin in the first place. This method had probably already been posted here today too. Duh.
the loser wrote:
1) BSD Sucks
bull shit. just stupid.
2) Linux is best
well, use it. i tried it several times and i think it sucks as hell.
3) BSD is too fragmented
bull shit. linux is much more fragmented. heh, even kernel development is separated from userland! sometimes it causes kewl desynches. free BSD systems count just three: Open, Net, Free. and how many linux'es there are?
4) BSD is dying
bull shit again. are you awarded bull shit generator? i could write big letter but i just don't want to. you don't seem to be a person with whom it would worth to debate.
5) There is no software for BSD
heh, it's the b.s. as well, you're amazing! there're tons of soft for BSD. any soft written to be compatible with POSIX compiles and runs with no probs. yep, there're linux "gurus" which write kewl appz with "#include ". yeah, they rawk, don't they? OTOH, i successfully run many software compiled for linux with OpenBSD linux binary emulation, worx cool...
6) There is no hardware support for BSD.
phrase "bull shit" gets too frequent in this message, doesn't it? is there any specific h/w for linux? have you ever tried to think before you say/write smth? it would be very good, if you added "huh huh yeah" to your message, really. yep, there're more drivers for linux than for BSD, but hey, any h/w i had here perfectly runs with BSD. number of drivers grows from day to day, and i remember time when linux didn't have floppy drive driver, so fscking what?
another loser added: 7) it has all caps and caps suck
well, TCP/IP, BIND, SMTP/POP/IMAP, HTTP/HTML must suck as well. so, the world sucks because it still uses all these? right? and Linux is cool! as cool as Windows is, they have just 1 caps! COOOOOOOOOOOL!
-- /usr/games/fortune
Forgive your enemies, but don't forget their names! --
- X crashed (yes, I applied RedHat updates/no way I'm compiling XFree86 on 40Mhz machine)
- Occasional (frequent!) NMIs would oops and drop me back to the eeprom prompt.
- This occurred on both the standard RedHat kernel, the newer build from redhat/updates, (both 2.2.5) and 2.2.10 which I compiled myself.
OpenBSD works. It runs X great, and no kernel crashes. Linux is great, I'm much more familiar with linux than BSD... However, if I were setting up a standalone server for a client, BSD would definitely be a good option. There's a lot of stuff out of the box, fewer worries that I'll have to go back to make an upgrade, and built-in security scripts, etc. would make it almost turn-key.
I can't say I like BSD's init style much. I much prefer the SYSV style with the different runlevels and the directory structure. It is much more logical IMHO.
Well gee... I was a TCSEC specialist on a b2 project... involving mls 1.1.4 and have handled same for 3 companies in the valley... first of all... TCSEC/Orange Book DOESN'T apply to modern systems, as to ONE example... Sun CMW... a caveat in the sysadm ref says that "the security classification of the machine is downgraded if ANY other os is connected into the same network...) Orange Book didn't even have a concept of buffer overflows or heap overflows..(hint: after the RTM worm came out in the mid-80's I successfully attacked in over 100 different ways the ATT MLS code... NONE of the orange book recommendations covered ANY of the attacks.. and DON'T even get me started on b2 firewalls. I actually did those experiments for Sun ...kernel auditing firewalls can be tricked even easier than non-auditing firewalls (hint to the clueless: kernel auditing is NOT the same as a code audit and is instead used to describe a certain functionality of the "secure" OS being used... as in trace EVERY sysint :(performance truly blows chunks...) This notwithstanding those idiots from "fortified networks"... Orange Book is basically dead at this point in time... certain concepts have instead migrated into the mainstream... As to those fools like me who spent 10+ years doing this crapola??? well most security "gurus" from the TCSEC community I have met have been pathological idiots...(and that's the real reason why SO many government networks INCLUDING SIPRNET have been penetrated..." a "former Orange Book idiot"
Your answer is bullshit. One tool isn't best for everything. Sometime oBSD is the best answer, sometime Linux or something else is. Just whacking on something cause it isn't Linux just shows how narrow a scope you have. People like you sooner or later end up trying to hammer down a nail with your fist cause thats the tool you usually use.
The cool part is where you have it set to auto-delete the hard drives. That sounds more like a problem than a solution.
Is this a James Bond movie or what?
OpenBSD's kernel AND userland have undergone extensive code auditing, not only to correct buffer overflows (and other trivial fixes), but also to correct protocol vulnerabilities (e.g. randomizing RPC xid's, randomizing DNS query IDs, etc.). AND - OpenBSD DOES audit third-party software, which is why the software in their ports collection (/usr/ports) includes SECURITY READMEs which describe the audit that was done, and includes patches which are automatically applied to correct any problems found. So yes, OpenBSD *is* significantly more secure by default - you have to *actively* screw things up to get burned. :-)
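The query-ID randomisation mentioned in the post above is something you can check on any resolver you operate. What follows is an added example, not code from the thread or from OpenBSD: it pulls the 16-bit transaction ID out of constructed DNS query packets and classifies a sequence of IDs as sequential, fixed-step or random-looking, which is the first thing a predictable-ID audit looks at. All packets and ID lists are constructed samples; `make_query`, `analyse_ids` and friends are names chosen here.

```python
"""Audit DNS transaction IDs for predictability.

Added example (not from the Slashdot thread or OpenBSD's own code).
The DNS packets are constructed inline; on a real host you would capture
outgoing queries with tcpdump and feed the raw UDP payloads to
ids_from_packets(). A real audit wants hundreds of samples, not ten.
"""
import struct
from collections import Counter


def make_query(tid: int, name: str) -> bytes:
    """Build a minimal DNS A/IN query with transaction ID `tid` (constructed traffic)."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # id, RD flag, qdcount=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def txid(packet: bytes) -> int:
    """Return the 16-bit transaction ID at the start of a DNS message."""
    if len(packet) < 12:
        raise ValueError("DNS header is 12 bytes")
    return struct.unpack("!H", packet[:2])[0]


def ids_from_packets(packets):
    """Transaction IDs of a capture, in arrival order."""
    return [txid(p) for p in packets]


def analyse_ids(ids):
    """Classify how a resolver allocates transaction IDs.

    Looks at the delta between consecutive IDs, taken mod 2^16 so that a
    wrap from 0xffff to 0x0000 still counts as a step of 1. A resolver that
    increments a counter yields delta 1 every time; a counter with a stride
    yields one dominant delta; a randomised allocator yields a spread.
    """
    if len(ids) < 2:
        raise ValueError("need at least two transaction IDs")
    deltas = [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]
    counts = Counter(deltas)
    _, top_count = counts.most_common(1)[0]
    sequential_fraction = counts.get(1, 0) / len(deltas)
    dominant_fraction = top_count / len(deltas)
    if sequential_fraction >= 0.9:
        verdict = "sequential"      # plain counter: trivially predictable
    elif dominant_fraction >= 0.9:
        verdict = "fixed-step"      # counter with a stride: still predictable
    else:
        verdict = "random-looking"  # what a randomised allocator should produce
    return {
        "samples": len(ids),
        "distinct_ids": len(set(ids)),
        "distinct_deltas": len(counts),
        "sequential_fraction": sequential_fraction,
        "dominant_fraction": dominant_fraction,
        "verdict": verdict,
    }


# Constructed sample captures: a counter-based resolver and a randomised one.
COUNTER_IDS = list(range(0x1000, 0x1010))
RANDOM_LOOKING_IDS = [0x3a1f, 0x9c02, 0x17e4, 0xe5b0, 0x4a77,
                      0xb2c9, 0x0d31, 0x7f8e, 0xc4a5, 0x5e12]


def demo():
    """Run both constructed captures through the packet path; returns the two verdicts."""
    counter_capture = [make_query(i, "www.example.com") for i in COUNTER_IDS]
    random_capture = [make_query(i, "www.example.com") for i in RANDOM_LOOKING_IDS]
    return (analyse_ids(ids_from_packets(counter_capture))["verdict"],
            analyse_ids(ids_from_packets(random_capture))["verdict"])


if __name__ == "__main__":
    for label, ids in (("counter", COUNTER_IDS), ("random-looking", RANDOM_LOOKING_IDS)):
        print(label, analyse_ids(ids))
```

A "random-looking" verdict from this test is necessary but not sufficient: it rules out a plain counter, not a weak PRNG, so follow it with a proper statistical test on a large sample.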
So the guy breaking it really just wants to take the system down. He taps it with a little hammer. He chuckles as he ducks away from the shrapnel.
Surely, there _has_ to be a way to get a root prompt when you have access to the actual hardware. You don't want to lose all data if for some reason the passwd file gets corrupted, or if the only person who knows the root password dies of cancer (happened here).
Many people, when they use the term 'secure' mean that the data should be protected.
Data that gets blown up because somebody on the floor above the machine sneezed is not protected.
Aside from that, you're having fun, so keep at it.
um, how exactly would the absence of a floppy drive, and the locked case, stop you from booting from a floppy . . . .
The answer is left as an exercise for the reader.
With a Linux system, you just edit the /etc/inittab file so that hitting control-alt-delete just triggers wavplay to say "hey! cut that out, stupid!" and it goes on its merry way.
On my one remaining Linux box (they were all so happy when I gave them NetBSD instead!) I have that entry halting the machine. It's a Slackware machine. I assume RedHat has managed to screw that up and make it so seventeen Python scripts own /etc/inittab.
I run OpenBSD 2.5 as do many others and I'm sure all of us say "WTF crackhead" when they read your statement about uncrackable. UGH...of course nothing is uncrackable.
Could you *TRY* and tell us something we don't know?
And no...OBSD will always be secure no matter how many people try and crack it because the number and skill of the developers will always be greater than the skill of the lame ass crackers.
Site is /.ed?? Error Occurred While Processing Request Error Diagnostic Information Unknown error reading from pipe. Probably not running OpenBSD..:)
The other is performance. On both 2.4 & 2.5 the performance with many processes is awful. Very sluggish. Even if the processes are sitting in memory, no disk I/O (I was running some simulations).
Try this under OpenBSD: remake the kernel as 'make -j 2' Now try under Linux. Much faster. Now FreeBSD. Much much faster. This is why I use FreeBSD over OpenBSD, although I do like the security features of OpenBSD and wanted to learn more about them - but molasses-like performance turned me away. Also, the virtual memory implementation and disk caching don't seem to be as well-developed as FreeBSD.
You may be cool, and Theo may be a script kiddie.
However, the system he built works. Frankly, I don't care how the guy acts (in fact his email persona is terribly prickly, and I wouldn't go out of my way to meet him in person) but he has put together a system that really works (and in which the bits work together, unlike some free *nix-like OSs I could mention). I don't understand that much of it, and I don't need to since he has done the work for me. For that, no matter what the guy is like as a human being, I am grateful and in this venue he gets my thanks and respect.
[cut long, serious reply to a guy who WROTE THAT HE WAS A TROLL!]
See subject.
Ok this is nice and dandy everyone talking about encrypted filesystems as if they actually knew something about it (most probably don't) so I'll be the voice of the unenlightened (wm is better :)
What is the name of such an encryption system?
Also, I'm running OpenBSD current and I'm wondering what "aeon" is in the GENERIC kernel config.
It states that it is an encryption card...how does this work and will this increase security in OpenBSD?
Also, I've never seen that config in FreeBSD or Linux, so is openBSD the only one who can or wants to use it?
It might be secure but not that stable. Our company tried using OpenBSD as a proxy server (with squid) and the damn box crashed in one hour! Then I installed Linux on it and all has been ok. (That's my personal experience with OpenBSD..) But I must admit that Net/OpenBSD on some other platforms work much better than Linux (sparc is one good example)
Would C4 create a problem if the computer coolant system fails and the temperature inside the box rises? I don't know much about explosives, but what you suggest sounds very dangerous. My box can get quite hot. I wouldn't want to blow the thing to pieces the next time I decide to compile something big.
He booted from a disk, then mounted the drive. He then could modify ANY file. No OS can be safe from this unless it's burned into rom (and even then you can take out the drives).
Isn't Hotmail run on FreeBSD?
> recommend checking back issues of phrack you BSD snob.
He's not a BSD snob, he's an OpenBSD snob.
Personally, I don't think OpenBSD is any more or less secure than Free- or NetBSD: If someone from those camps finds a bug in "his" BSD, in most cases it's present in OpenBSD as well. If someone finds a bug in OpenBSD and fixes it, the other BSDs will check and eventually fix this bug in their sources.
damn canadian site is slower than molasses
:)
oh and, "go *BSD!"
"There is no spoon" - Neo, The Matrix
1) disable floppy-boot in bios-setup.
2) set bios-password
3) lock case, and have a case-breach-sensor, which triggers deletion of all HDDs. This prevents the attacker from deleting the bios-password and from taking out the discs
4) don't have reset or power-switches (not needed if atx-powersupply). ctrl-alt-del deactivated too of course.
So, this only leaves pulling the plug to turn the machine off, then opening it, shorting the bios-password-del-jumper and THEN booting from floppy. And therefore we need to:
5) have 2 of these boxes which monitor each other and have them sound a big, loud alarm in case one fails. Disc-deletion and sealing of all doors to the server-room is then, of course, a standard feature
Did I forget anything ? ;-)
rob
It doesn't matter how tight your kernel and base software are (as de Raadt says in the article) if you go out and install a third party server that's insecure. I do agree with him that Linux dist maintainers such as Redhat are much too lax in the security arena when they assemble their distributions. They've always been much too free with those setuid bits, pretty much guaranteeing that if a user can get a login on your system, it is then trivial to obtain root.
In my experience, third party source code auditing is the number one way to guarantee that any given piece of software is secure. Back when I was working with Data General to get a B2 certification for DG/UX one of my jobs was to audit functions in the C library. We'd take a function, look at the source, form a test plan, write up the test plan, and feed a test program to an automated test platform that would try the function out with an assortment of values, checking for unwanted side effects or erroneous return values. We did this for every single function in the C library. We did similar testing on all the core utilities of the OS. All our tests were completely documented so that they could be reviewed later. I'd feel a lot more secure with Linux if a distribution would apply this level of scrutiny to any program given a setuid bit and the C library as well (and I'd want to be able to access the test plans and results online).
Yes, I do like IBM. I recall, with some fondness, finding and disabling 14 different case sensors, temp sensors, and fan sensors to be able to warm my morning muffin on the heat sink of my RS6000 workstation every morning a few years ago. The CE almost had kittens, then asked how I had done it ...
Having witnessed the sociopathic Deraadt first-hand when he sabotaged NetBSD's sourcetree, I'm surprised anyone would go near him.
0 51+297018+/usr/local/www/db/text/1996/freebsd-questions/19961222.freebsd-questions
4 4+0+/usr/local/www/db/text/1996/freebsd-hackers/19961020.freebsd-hackers
6 7+65920+/usr/local/www/db/text/1996/freebsd-hackers/19961020.freebsd-hackers
Want proof?
http://www.freebsd.org/cgi/getmsg.cgi?fetch=293
http://www.freebsd.org/cgi/getmsg.cgi?fetch=560
http://www.freebsd.org/cgi/getmsg.cgi?fetch=635
I wouldn't use OpenBSD if it was the only free operating system on Earth.
True, which is why what I said wouldn't stop anyone, just probably annoy them a little bit. It's a moot point anyway, seeing as I was way off base in describing how the password system works...
I've only been using OpenBSD for a week or two now, and I think I see a way to configure it so that changing the root password would be a real pain after booting from a floppy disk.
On OpenBSD, all account information is stored in a non-text format file called (on my system) pwd.db. Editing user information is done by running the new password entries through a program called pwd_mkdb which performs some checks, then modifies the database.
I believe, that if the authentication technique for Root is set to One Time Passwords, that you would have to edit pwd.db itself to revert to normal passwords, as I do not think that pwd_mkdb will make that change.
yep, it's that easy. physical_access = you_can_do_anything.
at the lilo prompt, instead of typing 'linux' (or whatever) type 'linux single'. bam, instant root access shell.
as for the other operating systems, assuming they're not using a cryptographic file system, your worst case scenario is to add the drive to an alternate machine which can access the filesystem, mount it as /mnt/serveriwanttohack, and then edit /mnt/serveriwanttohack/etc/passwd.
I, personally, am not concerned with these kinds of 'vulnerabilities' considering that in almost all cases, if you have something truly secure, they're locked away in a camera'd, card-access only server room anyway.
has to be BSD style init. BSD init has the advantage that all configuration parameters are located in one nice easy to find place. SysV style init on the other hand offers an easier method of inserting/deleting services, and runlevels are useful. inittab is great for keeping something running; ttytab from BSD is poor in comparison, the only way I can keep something running from ttytab is if I hack it so that it's a TTY.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
The password information is stored in /etc/master.passwd. It is then compiled into a db database /etc/spwd.db, for reasons of speed. This is the "shadow" file that you are used to seeing. It also has more records than you are used to seeing, including password expiry and so on. When you use vipw(8) to change the password file, it then translates this into the standard passwd file that programs are used to seeing and plonks it in /etc/passwd. This file is then also put into a database for quicker access.
Note that the db database is pretty similar to the way that sendmail handles its maps.
For the full lowdown, do "man 5 passwd".
I'm not sure whether or not the authentication technique would be used in single user mode.
I think you can make the system ask for a password in single user mode by labelling the console "insecure" in /etc/ttys.
It's actually kinda fun to give my box a little action. And what action... I haven't seen this many hits on my own website... um... ever!
And, of course, it can be misleading to speak of a "secure operating system" - security is a property of the system as a whole. A Windows NT mail hub can store and forward a PGP-encrypted message without the contents of the message being any more readable, and an OpenBSD machine can be configured with open "telnet" ports and guessable passwords.
And if the telnet ports are open, so what? Maybe a user account is compromised, but that attacker still isn't going to gain root. Compare that to Redhat Linux, shipping a remote root vulnerable imapd until the release of 6.0!
No one involved with the OpenBSD project claims that it can be used by clueless people. In fact, quite the contrary. They encourage people to discover facts for themselves, educate themselves thoroughly, rather than providing simple cookbook instructions without understanding. Rather, the emphasis is on providing an operating system that is complete, secure, stable, and instantly usable for the educated user.
Anonymous Cowards just don't know humor when they read it, do they?
So these storerooms full of Sun equipment... how well inventoried are they? :-)
Any chance my van could be used for, uh, off-site storage?
"Flame away, I wear asbestos underwear"
I've used a few different versions of both for a while. They are about as similar as two versions of Unix-like OSes can be. People who live mostly in the X Window System will probably never notice which is which.
When fiddling with init scripts, I prefer BSD. This is a very subjective thing and I think largely the preference is determined based on what you learned first...
When fiddling with devices, I prefer Linux -- BSD disk labels (somewhat like an alternate method of an extended partition on a PC, not really) are a little daunting for the uninitiated, IMHO.
When it comes to handling package management, Debian has the only Linux distribution that comes close to FreeBSD in terms of ease of use and power. For people who don't think much of package management (you Slackware guys), you might prefer NetBSD.
"Flame away, I wear asbestos underwear"
If I understand the previous poster correctly, the power-on password is resettable, but only if you know the current password. This would be realizable using an EEPROM (the two 'E's stand for Electrically Erasable); such a PROM is reprogrammable but non-volatile. Otherwise, you're right, there wouldn't be any point.
--
"L'IT c'est moi!"
On behalf of all of us, thank you!
Of course, you didn't close your HTML tags properly. You should have used /WHINE. Just being picky :-) Oh, and I can't view the site either :-(
"The invisible and the non-existent look very much alike." -- Delos B. McKown
But only because I have an aging Sun workstation at home ...
... well I've now switched to RedHat 6.0 on my Sparc. It runs faster simply because of the development choices made by the SparcLinux team. The NetBSD guys had to make the decision whether to go for out and out performance on each platform that they support, or opt for sheer portability convenience. To optimise for each platform would have meant much more work, and much more platform specific code. The SparcLinux team went for performance, and have a kernel that outperforms NetBSD - and seems as stable.
For portability, NetBSD is the champion of the *BSD's. If you need prepackaged security tools, then OpenBSD is your obvious choice. And if you're running an Intel machine then FreeBSD performs the best of the BSD's on that platform.
As for NetBSD
Chris
Chris Wareham
(you wont get the subject line unless you've seen 'Only Fools and Horses', an occasionally funny British sitcom).
I've actually had my eye on a rather nice 21" premium Sun monitor (I've only got one of the cheaper 17" ones at home). I honestly don't know what is going to happen to all the hardware, but I doubt they'll offer it for sale to the staff.
Which reminds me. The Goth/Industrial club I go to (the legendary Slimelight in Islington, London) has converted one of its unused rooms into a warehouse for just about every kind of computer kit. Vax's, Suns and hordes of old PC's. Strange.
Chris
Chris Wareham
I was fascinated to see that the US DOJ, which must be a hive of petty bureaucrats, uses a free OS like OpenBSD. Here at ... no I better not name them ... I can't get authorisation for a Unix development server. It's bloody ludicrous.
The recently appointed IT manager has made one decision since taking up his post:
... no more Unix development. Everyfing must run on Windows NT - it's the future.
Duhhh
This has meant two things for me, a recently arrived contractor:
1) The Unix sysadmins *all* left in disgust at the switch to NT
2) We have storerooms full of unused Sun equipment, but no one will sanction the setting up of a new Unix server
I'm rewriting two systems that currently run on Solaris. I was expected to do this from an NT workstation running Hummingbird Exceed and connecting to a server in Amsterdam.
Firstly, the development server no longer exists. Secondly, our net connection to Holland is diabolical.
So I replaced NT with Linux on the sly, and rewrote the system in two weeks. Now I need to test it ...
Sorry about the pointless griping, but I had to get it off my chest.
Chris
Chris Wareham
There are two kinds of 'physical access' - access to the keyboard and floppy drive, and full access to the machine, including removing the case.
In many environments such as schools, users have the first but not the second. You can assume that they won't open the case of the machine or steal it, but they will try booting from floppy, CTRL-ALT-DEL or 'linux single'. In these cases, a BIOS password and LILO boot password, combined with a secure operating system, should suffice.
-- Ed Avis ed@membled.com
So just use your own version of pwd_mkdb that is a little more obliging.
-- Ed Avis ed@membled.com
There, now your box should be secure against physical attacks.
Okay, I don't claim to hate *BSD or know everything there is to know about *BSD or Linux.
But, this article was completely full of statements with no numbers or facts to back any of it up. In fact it seems to want to trash Linux pretty bad by claiming to be much better in all the aspects mentioned in the article.
First off, the comment about *BSD fragmentation and being so aged it's useless? Personally, I've never heard such rumors. And if I did, I wouldn't go taking them at face value. If you think that everything you read on the net is true, you have bigger misconceptions than these.
And I don't think Linux is slower in any regard or truly fragmented. I do however think that some distributions have gotten sloppy though. And in turn performance isn't what it should be. Once again this isn't a problem. Surely with all the distros out there one should be able to suit your needs. Choice is good.
The author also mentions all the applications out there for *BSD. Well, I'd bet the majority of the *BSD people out there after installing *BSD run out for KDE or GNOME or some other major piece of GPL'ed software. So even though I don't think it's wrong of them to use GCC for their needs (isn't that what it's there for), I do think it is wrong of the *BSD communities to complain about the GPL license. By now most people should know this is a personal preference and nobody is going to change anyone's mind.
And here is a quote meant to start a flame war.
"But many are simply curious about why a new user would choose Linux over FreeBSD, despite FreeBSD's technical superiority."
Well, that statement should have flushed the last of the credibility this author had left. Obviously, he is biased and this just adds to the rest of the FUD he is spreading. Once again, these are all his personal opinions and not facts. He seems to have made these opinions public to confuse newbies and put down Linux.
The author also mentions that some scripts he wrote broke when upgrading. And that upgrading to glibc was a pain. I guess he was expecting progress to be held up because he wrote a few scripts and didn't like upgrading his compiler. Next time I'm sure they will check in with him first. Once again I think that this is a common mistake of expecting everything to be hand fed. Even though it's software that is in *development*.
The only problem I have with *BSD? Well, I can tell you that I'm not fond of the licensing. And I'm definitely sick of these *BSD vs. Linux wars going on. And that I'm starting to become a little disappointed in Slashdot's choice of articles lately. But, don't think I don't love you anymore Rob. I do appreciate this site, thanks (to everyone at Slashdot and Andover).
Conclusion:
Don't give this article a second thought. Don't go flaming this guy. If you feel the need to correct him. *BE POLITE*
With BSD kernel securelevels:
-1: Permanently insecure.
0: Insecure. Anything is possible.
1: File flags (e.g., schg, sattr, sunlnk, etc.) cannot be modified. No direct memory access.
(if you run xdm, raise the level in Xsession or some such so that it happens AFTER x starts)
2: Same as 1 + No direct disk access (can't write directly to block devices)
3: Same as 2 + firewall rules can't be changed.
Very good things, these levels.
Three Step Plan:
1. Take over the world.
2. Get a lot of cookies.
3. Eat the cookies.
I have seen quite a few comments on being able to bypass BIOS passwords by shorting the battery or disconnecting it. That's true of most systems, except for my old IBM PC330 (486DX2-66). The power-on password came with the following caveat: "If you forget this password, there is no way to change it or reset it and the motherboard must be replaced."
I never believed this was true until I finally got ahold of the internal Service Manual for this one. The corrective action to take on a unit that had been returned due to a lost Power-on password was to replace the motherboard!
There was a second level of password that was kept that could be reset if you were too chicken to use the power-on. Man, sometimes IBM stuffs the damndest stuff into their BIOS and board designs.
Very interesting. In order to use real security and really strong crypto DOJ has to import crypto. This does not stop them from screaming about export restrictions though...
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
I gave OpenBSD a go on two systems - the first one it crashed repeatedly while recompiling the kernel, the second it couldn't recognise the ethernet card (couldn't even get up to the stage of recompiling the kernel)
FreeBSD did the same thing on the second box - couldn't recognise the ethernet card. While comparing the ethernet driver sections of the OpenBSD kernel source and the Linux kernel source, I noted that Linux supported 4 times as many chipsets as the BSD's, including the one for the card in the second machine. I chuckled actually as *BSD advocates are always claiming that they have better networking than Linux. They can feel free to continue thinking that fallacy; there were some other strong points to OpenBSD that I liked a lot and it's a shame that I can't run a BSD system due to severe lack of hardware support in their kernels.
Of course the NetBSD crowd are now going to tell me that it's my fault for not using NetBSD - but don't bother, I already checked and the card isn't supported with that either.
Matt
I use both.
They both do good jobs at the same thing. I personally like OpenBSD's NAT implementation (all you have to do is add -alias to your pppd command line and you have NAT) but at the same time, I like a lot of things about Linux too.
Using the tool that I like for the job at hand.
Try both! Learning something new never hurts and who knows... the knowledge will probably come in handy some day!
--
Neurowiz
> As for OpenBSD's security, 2.5 years without a security alert speaks for itself I think.
That means that for the last 2.5 years, not enough sites have been running OpenBSD for it to be worth trying to crack.
There is no doubt that the OpenBSD team have done a better job on out-of-the-box security than any other free system out there, but that does not mean that the system is uncrackable. They would be the first to tell you that. As the system's popularity grows and it becomes a richer target, you will start to see OpenBSD security alerts.
Place a good-sized charge of C4 (explosives) inside the case. Connect the detonator to tamper switches on all case junctions, and place cut-lines across the panels.
If anyone tries to open that computer to bypass OS and BIOS security, it'll blow itself to pieces, taking the data with it. And prolly the one doing the crack, as an added bonus.
The best place to put the device would be in an empty hard drive case. With the exception of the wiring for the tamper switches (and you could prolly get creative and hide those well), it would be indistinguishable from a real drive. It would also put the charge right near the data it is designed to destroy.
If you're brave, use a mercury switch so the thing cannot even be moved.
If you're *REALLY* brave, connect a relay to the PSU, so the thing cannot even be *turned off*.
If you ever want access to the system again, replace the keyboard lock with a decent lock, complete with a tamper switch, and still no one will be the wiser.
This is, of course, supreme overkill, and highly dangerous to boot, but I suppose if you really don't want your data getting compromised...
DISCLAIMER: If you actually do this, and then blow up something you wanted (data, a body part, whatever), do not blame me. I said it was dangerous.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
I use Debian GNU/Linux 2.1. If you boot into single user mode it WILL ask you for a password. This has nothing to do with the OS kernel but with INIT scripts! The following is from my /etc/inittab file:
# What to do in single-user mode.
~~:S:wait:/sbin/sulogin
Screw RedHat for not using this!
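The three settings discussed in the posts above (a console without the "secure" flag in /etc/ttys, a sulogin entry for runlevel S in /etc/inittab, and the securelevel a BSD box boots into) are easy to misread by eye, so here is an added shell example that checks each one. It is not code from any poster or from OpenBSD or Debian: the config fragments are constructed samples written to temp files, the ttys check only looks for the literal "secure" token on the console line, and the securelevel check assumes an OpenBSD-style rc.securelevel with a securelevel=N assignment.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster or from OpenBSD/Debian.
# Three checks for the single-user and securelevel settings discussed:
#   1. BSD ttys(5): console entry without the "secure" flag -> root password in single-user mode
#   2. SysV inittab: runlevel S runs /sbin/sulogin -> password before a single-user shell
#   3. OpenBSD-style rc.securelevel (assumed format securelevel=N): the boot securelevel
# All input files below are constructed samples, not copies of real system files.

# console_requires_root_password TTYS_FILE
#   Exit 0 when a "console" entry exists and carries no "secure" token.
console_requires_root_password() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blank lines
        $1 == "console" {
            found = 1
            for (i = 2; i <= NF; i++) if ($i == "secure") secure = 1
        }
        END { exit ((found && !secure) ? 0 : 1) }
    ' "$1"
}

# sulogin_in_single_user INITTAB_FILE
#   Exit 0 when an entry with runlevel S and action "wait" runs sulogin.
sulogin_in_single_user() {
    awk -F: '
        /^[[:space:]]*#/ || NF < 4 { next }
        index($2, "S") && $3 == "wait" && index($4, "sulogin") { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# configured_securelevel RC_FILE
#   Print the value of the last "securelevel=N" assignment, or -1 if none is set.
configured_securelevel() {
    awk -F= '
        /^[[:space:]]*#/ { next }
        $1 ~ /^[[:space:]]*securelevel[[:space:]]*$/ { level = $2 + 0; set = 1 }
        END { if (set) print level; else print -1 }
    ' "$1"
}

# --- constructed sample configs (written to temp files, removed on exit) ---
TTYS_HARDENED=$(mktemp)    # console lacks "secure": init asks for the root password
TTYS_WEAK=$(mktemp)        # console marked secure: single-user shell without a password
INITTAB_HARDENED=$(mktemp) # Debian-style sulogin entry for runlevel S
INITTAB_WEAK=$(mktemp)     # same file with the sulogin entry missing
RC_SECURELEVEL=$(mktemp)   # assumed rc.securelevel fragment
trap 'rm -f "$TTYS_HARDENED" "$TTYS_WEAK" "$INITTAB_HARDENED" "$INITTAB_WEAK" "$RC_SECURELEVEL"' EXIT

cat > "$TTYS_HARDENED" <<'EOF'
# name    getty                         type    status
console   "/usr/libexec/getty Pc"       vt220   on
ttyC0     "/usr/libexec/getty Pc"       vt220   on secure
EOF
sed 's/^console .* on$/& secure/' "$TTYS_HARDENED" > "$TTYS_WEAK"

cat > "$INITTAB_HARDENED" <<'EOF'
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
# What to do in single-user mode.
~~:S:wait:/sbin/sulogin
1:2345:respawn:/sbin/getty 38400 tty1
EOF
grep -v sulogin "$INITTAB_HARDENED" > "$INITTAB_WEAK"

cat > "$RC_SECURELEVEL" <<'EOF'
# constructed fragment; OpenBSD-style variable assignment assumed
securelevel=2
EOF

# report TTYS INITTAB RC: human-readable summary of the three checks
report() {
    if console_requires_root_password "$1"; then
        echo "ttys:    console is insecure -> root password required in single-user mode"
    else
        echo "ttys:    console is marked secure -> single-user shell needs no password"
    fi
    if sulogin_in_single_user "$2"; then
        echo "inittab: runlevel S runs sulogin -> password required"
    else
        echo "inittab: runlevel S has no sulogin -> single-user shell needs no password"
    fi
    echo "rc.securelevel: boots into securelevel $(configured_securelevel "$3")"
}

report "$TTYS_HARDENED" "$INITTAB_HARDENED" "$RC_SECURELEVEL"
report "$TTYS_WEAK" "$INITTAB_WEAK" "$INITTAB_WEAK"
```

Run against a real host by passing its own /etc/ttys, /etc/inittab or /etc/rc.securelevel to the functions instead of the samples; the second report call shows the weak variants so the negative branch of each check is exercised too.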
You create an empty password in the shadow password file. After reboot you login as root and you're not asked for a password.
--
My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
And where would you store the key to decrypt these FS's?
So you'd have to put the key on a smartcard. Of which there would be copies (can't have the company go down because someone lost a smartcard)
I found info on the RAID support. Check their FAQ page like I should have. :)
Do really dense people warp space more than others?
Actually, scroll up to section 12.2 not 12.4 like I linked.
Do really dense people warp space more than others?
The whole thing was someone asked him to change the passwd file for them...
Duh
Why would that be? Bad code in BSD, just like in Linux, gets ripped out. Especially if it's security-oriented.
tell that to the guys at phrack magazine who have a neat little openbsd compatible kernel module to subvert your tried and trusted OS. recommend checking back issues of phrack you BSD snob.
if a user account is compromised, root access *will* be obtained one way or another. any admin would be horrified at your clueless statement above claiming that openbsd with a compromised user account would somehow be less vulnerable to attackers. fact is - user accounts are a last ditch attempt at raising the bar for attackers..once the guy logs in, it's all over. BTW, those imapd vulnerabilities etc, would also affect openBSD..the kernel may be secure but utilities used could compromise the system. don't tell me that an openbsd system with a vulnerable KDE desktop is any more secure than a linux system with an imapd overflow. both systems are compromisable.
Very true. Even with a case lock on the machine, these are only measures meant to stall someone, prevent mischief, or simply make it not worth breaking into more than anything else. True security in the sense you're talking about means locking a machine in a door-less vault with no connectivity to the outside world. Of course... then you open yourself up to nose-toting talk show hosts. 8)
Security in real life means making things secure enough that almost anyone tempted to break it will go on to easier prospects when they feel the effort isn't worth the end result.
LouZiffer
There's an easy way to prevent someone from ever booting to a floppy drive on a server - take out the floppy drive. I've run my main server for years with no floppy drive in it.
LouZiffer
No, it's perfectly safe as C4 cannot be exploded through heat alone. The mercury switch sounds kinda dicey though.
here's what you do; go in at night, when you'll be relatively alone. then you take all the Sun hardware out to your car, and drive home. then you send it to me. we can even do it COD. okay?
I assume if OpenBSD puts such an emphasis on security, shadowed passwords would be a default setting which would have stopped the method you've outlined here. I'm amazed that the disgruntled system admin didn't use them, but that may go some way to explain why he was let go.
As for OpenBSD's security, 2.5 years without a security alert speaks for itself I think.
Um...that seems really stupid (re: avoiding security by allowing a boot from a floppy). There MUST be an option to NOT boot from a floppy. I can hardly believe that Linux has no way of letting you do this. Just set it in BIOS if all else fails. Probably someone figured that they might have to get into the box at some point later in time so they kept "boot from floppy" in the boot sequence. Anyway, *physical* security is always a prerequisite for electronic security. NSA doesn't keep their boxes on the front lawn you know ;)
It's 10 PM. Do you know if you're un-American?
If you really care, many BIOS's allow you to change the boot order of the drives. This would mean that the machine wouldn't boot from a floppy unless there was no bootable partition on the primary hard drive. I've done this a couple of times for various reasons on my Windows box.
-konstant
-konstant
Yes! We are all individuals! I'm not!
got my Mountain Dew, PIL in my CD... I'm ready to rock and roll.
Thanks for the input!
Killing spammers is too good for them.
But I do have an old Mac IIci that was "beefed" up (remember when 24mb of RAM was so big your friends would all come over to dig your set up?). Maybe I'll tinker with FreeBSD 68k, and maybe try it on one of the x86 boxes here at work.
Not to start a debate or flame war, but for anyone who's used *BSD and Linux why do you prefer one over the other? Or the particular distribution of either that you use? I've only had experience with Debian (which I have read is more secure and I use more often)and RH (the first one I tried, mega mega easy to install and configure), and a weeeeeee bit on LinuxPPC.
Killing spammers is too good for them.
> One aspect of better is that BSD encourages programmers to think through what they are doing while Linux is more of a quick hack. That is, Linux is more release quickly and often whereas BSD is get it right, then release. The only advantage is if it is wrong BSD makes it easier to throw away that code as it isn't released.
Does this also mean that it is harder to remove bad code if it does make it into a release?
Rather than rant about the finer points of the differences of the *BSD family, I'll just congratulate Theo on some well deserved publicity. OpenBSD is by far the most secure OS available. Just ask the folks at DefCon...
_______________________________________________
$which weed
this site is horrible...might as well take this link down at this rate...
You'd have to physically secure the machine, and remove / prevent installation of all forms of removable bootable media, including floppy drives and CDs. As other posters have noted, the OS cannot stop a floppy boot because the OS is not loaded before the boot starts.
Caveat: if you do your own, personal kernel mods, scramble the file system in a particular way, keep the modified kernel on a floppy that is secure at ALL times, and you never ever let the key out -- you still won't prevent a boot, but you might be able to prevent (meaningful) filesystem access. Then, the most that anybody can do is take the drive (or take a clone) and work on it in their own time.
BIOS protection can be undone, given time and, say, a screwdriver (if no lock), or sufficient cutting/drilling equipment. Remove the battery, or find the mobo manual and check for the jumper that resets to factory settings.
Only the dead have seen the end of war.
um, how exactly would shadowed passwds stop you from booting from a floppy and editing /etc/shadow? (hint, they won't). from what i can gather, what he did was boot from a floppy, mount the root fs and remove the encrypted root password from /etc/shadow.
OpenBSD has the best security out of the box, period. Why?
1) Only Totally Free OS where the developers have done a line-by-line security audit of the source tree.
2) Many of the BUGS/exploits that are discovered in other OS's were fixed in OpenBSD ages ago (before the others)
How many times in Bugtraq have I read a line that goes "oh that bug ... we fixed that in OpenBSD X months ago." ... just scan the changelogs.
I have managed (with some help from the developers and a little old fashioned reading/learning) to get TONS of stuff working right on OpenBSD.
Right from the beginning I found OpenBSD easier to install and use.
I also loved the "simple and secure" default install OpenBSD is famous for. I didn't like the other OS's 'lets install everything under the sun and more plus lets activate the whole mess' type of installs.
OpenBSD is for me. Using it now.
The only file systems which could help guard against this type of attack would be a cryptographic file system or a steganographic file system.
Simple, it is BSD, not SysV.
There are differences, but you get used to that. I'm already in the habit of typing "ps -aef;ps -aux;ps -ae;ps -ex;ps -ax;ps -a" of which normally only one returns what I was looking for. (Challenge: guess which variant each is used on - trick question, I may have one made up)
Other than command line arguments, of which ps is about the worst, few people will be able to tell the difference without being told. That is, if you replaced the login screen on any xBSD box with one that said Linux, few people would notice the difference.
I like the way FreeBSD is configured, but I've only played with Slackware 3.0 for Linux, which is not a fair comparison.
As a programmer, I think that *BSD is better programmed overall. This is not to say that *BSD is perfect, or that Linux is all bad; there are places where Linux is better programmed. Overall though, from what I've seen, the majority of cases leaves *BSD better. One aspect of better is that BSD encourages programmers to think through what they are doing while Linux is more of a quick hack. That is, Linux is more "release quickly and often" whereas BSD is "get it right, then release". The only advantage is if it is wrong BSD makes it easier to throw away that code as it isn't released.
FreeBSD has better networking code, though Linux has caught up for the most part. Linux has better SMP, but FreeBSD is catching up. OpenBSD is more secure, NetBSD is more portable. (Linux has been ported a lot, but NetBSD has more useful working ports, while many Linux ports belong in the curiosity category due to the hardware limits.)
Finally, BSD is not GNU. This is religion for many people, but the fact is I don't like the GNU license. You're welcome to disagree; I don't worship the BSD license, I just prefer it given a choice.
Please be gentle with my box... this may not be wise of me.
You missed one:
7) BSD is all caps, and capslock sucks
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
1) BSD Sucks
2) Linux is best
3) BSD is too fragmented
4) BSD is dying
5) There is no software for BSD
6) There is no hardware support for BSD.
<WHINE>
I said it so all you trolls don't have to.
Never used OpenBSD before, but this is from their FAQ:
8.3 - I forgot my root password, what do I do now?
A few steps to recovery
1. Boot into single user mode. For i386 arch type boot -s at the boot prompt.
2. Mount the drives.
bsd# fsck -p / && mount -u /
3. If /usr is not the same partition that / is (and it shouldn't be) then you will need to mount it also.
bsd# fsck -p /usr && mount /usr
4. Run passwd.
5. Boot into multiuser mode.. and remember your password!
This has nothing to do w/ shadow passwords. The method he described will work even if you have shadow passwords. Even if the passwords were stored on another system and all over the wire data was encrypted w/ 5billion bit encryption you could still boot from a floppy and modify whatever files you needed to in order to disable said protection. Or you could replace /bin/login with /bin/sh. If you have physical access to the machine it is NOT secure.
-matt
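The recovery steps quoted from the FAQ and matt's description of the same trick both end in the same on-disk state: a root entry whose password field has been blanked or rewritten. The script below is an added example (not from the OpenBSD FAQ, the thread, or any OpenBSD tool) that parses a file in OpenBSD's master.passwd layout and lists the accounts whose password field is empty, which is the simplest post-incident check for this kind of tampering. The sample file, the user names and the hash string are constructed placeholders; the function names are my own.

```shell
#!/bin/sh
# Added example: flag accounts in a master.passwd-style file whose password
# field is empty, the state left behind when someone boots from other media,
# mounts the root filesystem and strips the encrypted root password.
# The sample below is constructed for this example; the hash is a placeholder.

# Constructed sample in OpenBSD master.passwd layout:
# name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD='root::0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
alice:$2b$10$PLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:1000:1000:staff:0:0:Alice:/home/alice:/bin/ksh
bob::1001:1001::0:0:Bob:/home/bob:/bin/sh'

# Print the name of every account whose password field (field 2) is empty.
# Reads the file named by $1; with no argument (or "-") it scans the sample.
# A "*" in that field is a locked account, not an empty password, so it is
# intentionally not reported.
empty_password_accounts() {
    if [ -n "$1" ] && [ "$1" != "-" ]; then
        awk -F: '$2 == "" { print $1 }' "$1"
    else
        printf '%s\n' "$SAMPLE_MASTER_PASSWD" | awk -F: '$2 == "" { print $1 }'
    fi
}

# Succeed (exit 0) only if root specifically has an empty password field.
root_has_empty_password() {
    empty_password_accounts "$1" | grep -qx root
}

# Stand-alone run over the constructed sample: prints "root" and "bob".
empty_password_accounts
if root_has_empty_password; then
    echo "WARNING: root has no password set" >&2
fi
```

On a real system you would run it as root against /etc/master.passwd (the shadowed file that holds the actual hashes; /etc/passwd on OpenBSD only ever shows "*"). It catches the blank-password case only; a password that was replaced with one the intruder knows looks like any other hash, which is why the thread's advice about physical security, not the password file, is the real control.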
Linux would have no way not to let you boot from a floppy. The BIOS handles booting, not the kernel. LILO does have some security options for not allowing parameters to be passed to the kernel, but booting from the disk drive bypasses the hdd altogether so it doesn't matter. Disabling it in the BIOS does nothing either; most mbs these days have a jumper that will clear the BIOS, and if that doesn't work you can just pull the battery. If someone has physical access to the box it is not secure.
-matt
Bail out of there while the getting is good. Sounds like the new IT manager there is a PHB of the worst variety.
There MUST be an option to NOT boot from a floppy. I can hardly believe that Linux has no way of letting you do this. Just set it in BIOS if all else fails.
It's a hardware problem. Linux can't do anything to fix that, and neither can anything else. If you have physical access to the machine you can override anything (including BIOS passwords, by resetting the CMOS memory (either a jumper or shorting the battery momentarily)). Even if no floppy is connected, you can open the machine and hook one up. Or you can remove the hard drive the passwd or shadow file is on, hook it up to another machine and change the files.
Unless you physically lock the machine up, it is not secure.
Yes, if the guy was really paranoid, he would have changed the boot sequence and password protected the BIOS, but it wouldn't have prevented "plan B" - which is to wipe the BIOS by opening the case, or to remove the HD and install it in another machine.
And yes, I'm aware of the need for physical security; (the servers were stored in a locked, alarmed room.)
I was just asking, because (as I said) this BSD shop told them that if it was running BSD, then there was no way anyone could break into them.
So which OS's do you use that can prevent you from booting from a different volume? (be it floppy, hard drive, or some other medium.)
I've set up OpenBSD as a firewall here at my office and I love it. The system is stable, easily secured, and fairly fast. If a script kiddie put all that in motion, then more power to him. It's not about personalities, it's about a good operating system. Period.
Many, many people use Windows NT to store and transmit top-secret data. Does that mean that NT is secure, or just that the expertise to properly evaluate security is much rarer than the willingness to believe marketing that says what you want to hear?
And, of course, it can be misleading to speak of a "secure operating system" - security is a property of the system as a whole. A Windows NT mail hub can store and forward a PGP-encrypted message without the contents of the message being any more readable, and an OpenBSD machine can be configured with open "telnet" ports and guessable passwords.
The care and effort put into OpenBSD's security aspects is of course useful and laudable, but it won't do you the user any good if you don't understand your own role in keeping the system secure.
--
Xenu loves you!
I assume if OpenBSD puts such an emphasis on security, shadowed passwords would be a default setting which would have stopped the method you've outlined here. I'm amazed that the disgruntled system admin didn't use them, but that may go some way to explain why he was let go.
This is not true. You can't directly get to a root shell like you can with single user mode (or, if single user prompts for a password, try lilo: linux rw init=/bin/sh --don't forget to umount /, then just reboot the machine, shutdown won't work) on linux. You can just pop in an install floppy and mount your / filesystem and edit the passwd file though. Physical access = root access. Shadowing the passwords doesn't change that, you can still edit /etc/shadow.
*chuckle*
In general, physical access to the machine allows access to everything, typically through a method such as what you employed. BSD is no different from Linux (or DOS, or NT, or about anything else) in this regard.
Yes, a person could use a cryptographic hack to keep all file systems encrypted, but the performance hit is usually bad enough that most people find it far, far more economical (and effective) to lock the servers in a machine room with restricted access...
"Flame away, I wear asbestos underwear"
Here we use OpenBSD as part of our IDS solution. It has a couple of qualities that make it a great choice. First, it is very secure as a default installation. Second, BSD in general has some of the fastest network sniffing capabilities of any OS. Third, some OS's like Linux and Solaris don't know how many packets they've really dropped so you can't tell for certain how good they are doing. Fourth, it is FREE. The DOJ has contractors just as any agency (even NSA has contractors for some things I'm told). If you get people that understand what they need and what works best for the situation it isn't surprising to see it used by Gov't.
As for limitations, it comes with X and Netscape. Also, there are some new programs that are supposed to allow you to compile Linux binaries and run them. I haven't used this but it sounds cool. So, basically it isn't much more limited than Linux for software. Last I saw it doesn't support dual CPUs and I'm not sure about RAID so it gives up quite a lot to Linux there. Maybe once Linux becomes too mainstream and Linus too much of an icon, all the 'real' computer hacks will turn to OpenBSD for the next revolution? Just kidding.
Lastly, I know that people have been donating hardware (like gigabit ether) that will help keep it a viable, quality OS.
Do really dense people warp space more than others?
This reminds me...
A couple of weeks ago, I got a call from a company that was letting their sysadmin go (and not on good terms, either), and needed someone to hack their (Linux) servers, as nobody else knew root passwords; I got called in; downtime was not an issue, so (with the aid of a rescue disk) it was just a matter of rebooting the boxes and editing the passwd file...
After seeing how simple it was to get into the boxes, they immediately asked if I could switch the boxes over to BSD, as the previous people they had called (a BSD shop) had told them that if they had used BSD, then there was no way anyone could get into the boxes, as BSD is "uncrackable."
Now, I don't have any experience with BSD (I tried installing it, but there are no drivers for my home machine, which I use as a testbed,) so I didn't have any firm comeback; but I would like to know (from the BSD people who will be reading this) if the same technique I used would be possible on a BSD machine. (I'm hard pressed to think of how this could be done, short of encrypting the root FS, or something similar.)
Can anyone shed some light on this? Is BSD really "uncrackable", or are these other guys just blowing smoke?