Slashdot Mirror


User: mcroot

mcroot's activity in the archive.

Stories: 0
Comments: 16

Comments · 16

  1. OpenBSD not accepting License change either on Mandrake Blocked By XFree86 4.4 License · · Score: 5, Informative

    From: Theo de Raadt

    Like other projects, we will not be incorporating new code from David
    Dawes into the XFree86 codebase used in OpenBSD. All such changes
    have to be skipped, rewritten, or you can contact the XFree86 group
    and place your own efforts to repair this damage.

    The message continues, but I think you get the point. Check the mailing list archives for the entire message.

  2. Re:Some educated opinions on the subject. on AOL Tests Sender Permitted From / E-mail Caller ID · · Score: 1

    When I see things like this, it really doesn't give me a good feeling as to ESR's technical understanding of SPF.

    I'm sure Wietse and Claus have a pretty good grip on SPF as well. You may want to have a look at the postfix-users archives to confirm that for yourselves.

  3. Some educated opinions on the subject. on AOL Tests Sender Permitted From / E-mail Caller ID · · Score: 3, Interesting

    Before looking at SPF you may want to read what Claus Assmann, and Wietse Venema have to say on the subject.

    If you don't know who these two people are, I seriously hope you're not someone who's making decisions affecting SMTP on the Internet.

  4. Re:A couple of little caveats on Sun Sparc 5 Nostalgia · · Score: 2

    That's not a bad deal. To put my initial comments in perspective though, I paid $100 Canadian to buy a complete running machine with 270MHz/64M/4GB HD.

    So although it's not *that* expensive, buying $84US worth of RAM would just about double my investment.

    On a positive note though, of all the Sun hardware I have (3 machines) nothing has ever failed. So they can definitely be a good long term investment.

  5. A couple of little caveats on Sun Sparc 5 Nostalgia · · Score: 1

    I have an ultra5/270 running happily as a dev box at home here. Two things you may want to know before diving into the market.

    The stock IDE performance is painfully slow.

    Buying RAM for the ultra5/10 is really expensive.

  6. Some of the benefits. on AOL Now Publishing SPF Records · · Score: 4, Interesting

    Some people seem to be missing the point of spf. SPF is a mechanism that allows people to publish their own records to defend themselves against joe-jobbing. Anyone who has been joe-jobbed will be all over something like this. The fact that publishing these records benefits you directly, will help something like this spread in a timely manner.

    It's also beneficial in the regard that when rolled out to where it becomes standard, mail will be far more accountable, and as spammers start joe-jobbing those people who have not yet published these records, it will only help motivate those hold-outs to get on the bandwagon and defend themselves.

  7. Lower-cost alternatives. on Pluto: Linux-based Do-everything System · · Score: 1

    Others have already covered the MythTV aspects of replacing this thing. Asterisk would be the obvious replacement for the VOIP/PBX end of this system.

  8. Re:Why do we always think there's only one solutio on IBM and Its Thoughts on Desktop Linux · · Score: 1

    "If you're a power user, Windows is definitely out, Linux is a good bet, OS X is a good alternative."

    This is gross oversimplification, not to mention quite inaccurate. I'm a system administrator / developer. You don't get to be much more of a "power user". Windows is definitely not "out". In some unfortunate cases, it is damn near required. If you want to do things like static binary analysis, you're going to be using IDA. If you're going to play a wide variety of games, you're also going to be running windows.

    "Linux" isn't a desktop. People who keep mixing up Linux with KDE/Gnome and the like, should really get a clue. Let us look at how a power user gets to interact with Gnome. Holy crap, you can't customize the default applications menu without going into /usr/share and hand-editing things. I tried to figure out how to add keybindings, and it turns out all the crap is in an xml *registry*. This is *not* a welcoming environment to a "power user". I'll have to give KDE a whirl and see how it stacks up. But for now I think I'll stick with fluxbox/Windows XP on my dual-boot system. Which both fulfill my "power user" needs quite nicely.

    As for OS X, as a "power user" I really need more than one mouse button. As a more technical response it falls short in the same categories mentioned for Linux.

  9. Re:No one is mentioning this on Linux Kernel Back-Door Hack Attempt Discovered · · Score: 5, Insightful

    Insightful my ass. Nowhere does it say CVS was exploited.

    The code was injected into a CVS tree, the box could have been compromised in another fashion, such as a wu-ftp hole or some such thing.

    So please, don't throw the word exploit around as if you have 1/2 a clue about security. It just makes you look silly to those of us who do.

  10. Re:Yet another reason to use open source software on Linux Kernel Back-Door Hack Attempt Discovered · · Score: 1

    By normal channels, I mean, a person with commit access having their machine compromised.

    As for peer review, the person doing the back door had a decent idea: there looked to be two commits, one of which was +58 -0, followed by a -58 +0, the second of which said "oops, edited the wrong file". I could see where people would have seen that and said "oh, he touched the wrong file, nothing changed here, these aren't the droids I'm looking for".

  11. Re:Yet another reason to use open source software on Linux Kernel Back-Door Hack Attempt Discovered · · Score: 3, Insightful

    Peer review did not catch this. This was detected because people injected code into a specific place where inconsistencies are complained about by the revision control software.

    Had this code come in through proper channels, I wouldn't be so sure that it would've been spotted. Most of the source code trojans people have found in the past were not well hidden, and were turned up relatively shortly. The cases I'm referring to are the trojaned configure scripts, that happened to, I believe, irssi and dsniff, or was it fragroute.. (it was definitely something by Dug Song)

    If you would like to tout peer review, could you provide a valid example? They probably are out there, but I can't recall any, and this is not what happened here.

  12. Re:Improvement over WEP?! on New Wireless Security Standard Has Old Problem? · · Score: 1

    It won't take long to collect the necessary packets though.

    There are tools to reinject valid packets, that in turn cause more traffic, which gives you more packets to reinject which in turn....

    An example is in bsd-airtools in the source file reinj.c, if I recall correctly.

  13. Re:OpenBSD performance facts on OpenBSD 3.4 Released · · Score: 2, Insightful

    Perhaps I'm being a little too demanding. But if you can't properly operate the disk partitioning tools for an OS, maybe you aren't really qualified to be doing benchmarks on it.

    Most of the comments about Felix being an idiot have good reason for doing so. He went out of his way to trash talk OpenBSD, and most of the problems he encountered were as a direct result of his inability to RTFM. Why should the OpenBSD community have any patience for someone who benchmarks first and asks questions later?

  14. Re:Linux the kernel or Linux the system? on Bill Gates: Windows Patched Faster than Linux · · Score: 1

    Ptrace hole ring a bell? How about ftp.gnu.org getting rooted as a result of it? Please, if you aren't informed on security matters, cease commenting about them.

  15. more on the darpa grant on OpenBSD Lands $2 Million In DARPA Money · · Score: 1

    For those interested in getting some more facts on this: key points are that this isn't really news.
    It's just a story in a "news"paper. The DARPA grant has been going for quite some time now, and
    funding will once again be an issue that must be dealt with.

    quoting Theo's post to misc@openbsd.org:

    so, the article missed a few things

    let me clarify a few things that did not make it to the story

    the darpa grant started funding us about 18 months ago

    sometimes it takes a while for the press to notice

    there's a bunch of people, you can probably tell by the stuff they are
    working, who are funded from the darpa grant to work full time.

    the article does not say what exactly we've been working on it, but if
    you are running 3.1, you are using what we had then. same for 3.2.
    and when you get 3.3, you will be running some of it. when you get
    3.4, there'll be even more.

    as well, since it frees up CD sales money, a few other people have
    been funded out of that as well.

    it may seem like a lot of money, but there are overheads, and some of
    the funding was also absorbed by upenn (that is how grants work when
    you involve a US university)

    however, the grant only runs for about another 6 months.

    which is kind of scary, since with the US economy tanking so very
    nicely, and at the same time people becoming much more comfortable
    with ftp installs, we are seeing massive decreases in cd sales
    (massive decrease in sales from the US, but no real decrease from the
    rest of the world -- you decide what that means).

    at the same time, we are seeing massive increases in ftp installs.

    so.. i don't pretend to know what will happen after the darpa grant is
    over.

    i know we have some more security work, in particular some stuff
    extending out of W^X, that we want to do, and that stuff really needs
    fulltime people pushing it.

    also, i've been informed that the money translates to more like 1.5
    cruise missiles.

  16. Wow. Another uneducated whitehat. on Linux Security: Reflections on 2002, Eye on 2003 · · Score: 4, Informative

    Perhaps he should start by reading bugtraq. If he had, perhaps he would have seen this hole in ssh.com's lovely software in 2002.
    http://online.securityfocus.com/bid/6247

    Or, who can forget this unbelievably idiotic mistake in their client from 2001
    http://online.securityfocus.com/bid/3078

    Yet he calls it more reliable than OpenSSH. Maybe he should look into the nice new privsep code in OpenSSH and comment on that. So-called security experts make me wish public floggings were still a common event.