Re: The insecurity of OpenBSD
snip indent The author of the linked article kind of lost me at as soon as a service is enabled or software from the ports tree is installed. Well SHEEIII, who knew. I better run out right now and replace all my firewalls with iLinux. I had no idea that it was up to me to understand/mitigate the risks in using ports and services. How dare I not get my hand held. I don't see much different in this point then saying Windows is secure only until you plug in the ethernet cable. spewhotchocolateonmonitor /indent
Re: The insecurity of OpenBSD
On 01/23/2010 01:02 AM, Steve Shockley wrote: On 1/22/2010 12:13 PM, Dan Harnett wrote Nowhere in the article is proof provided that OpenBSD is insecure. Sure there is; OpenBSD uses Sendmail and BIND, and they've had lots of vulnerabilities! http://www.openbsd.org/faq/faq1.html#HowAbout http://www.openbsd.org/policy.html Simply read. Even you can ;) -- I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain. Bene Gesserit Litany Against Fear.
Re: The insecurity of OpenBSD
It doesn't and I'll argue all day that it won't help you a bit. Here is an example: 1. running system with OMGACL 2. pkg_add -ui 3. couple of days later at 3am bz got come to the datacenter because the app bombed 4. oh, the acl terminated it; adjust 5. repeat 3 - 4 until it works 6. repeat 2 - 5 in perpetuity - or - 1. Disable ACL. BTW, microsoft implemented every single ACL type mechanism the NSA ever made public. Tell me again how well it worked for them. Show me an admin that isn't lazy and I'll show you a liar. On Fri, Jan 22, 2010 at 12:35:03AM -0500, Dan Harnett wrote: On Fri, Jan 22, 2010 at 02:47:27PM +1100, Aaron Mason wrote: On Fri, Jan 22, 2010 at 1:56 PM, Zamri Besar zam4e...@gmail.com wrote: The insecurity of OpenBSD http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/ -zamri- An interesting read - but seems to just be ACLs, ACLs, ACLs and that's about it. And this person's source on the failings of strl{cat,cpy} cite a guy from Redhat calling it ineffiient BSD crap and that's about it. It's better if you remove all the non-sense, hypocrisy, and political bull. OpenBSD does not have some sort of MAC. Okay, nothing new there. Move along.
Re: The insecurity of OpenBSD
On Fri, 22 Jan 2010 07:22 -0600, Marco Peereboom sl...@peereboom.us wrote: It doesn't and I'll argue all day that it won't help you a bit. Here is an example: 1. running system with OMGACL 2. pkg_add -ui 3. couple of days later at 3am bz got come to the datacenter because the app bombed 4. oh, the acl terminated it; adjust 5. repeat 3 - 4 until it works 6. repeat 2 - 5 in perpetuity - or - 1. Disable ACL. [snip] I saw a group of sys admins go through those very steps several years ago while attempting to deploy SELinux. After 3 months of trying to make it work, they disabled it. It could have been done, but they would have had to triple the support staff to make it work.
Re: The insecurity of OpenBSD
On Fri, Jan 22, 2010 at 07:22:58AM -0600, Marco Peereboom wrote: It doesn't and I'll argue all day that it won't help you a bit. I couldn't agree more. BTW, microsoft implemented every single ACL type mechanism the NSA ever made public. Tell me again how well it worked for them. More importantly, how well has it worked for end users doing general computing tasks? Glancing through the author's other posts, I don't get the feeling that this person is in an environment that needs the level of security that the NSA does or has ever been in one. Most of the posts revolve around removing malware from Windows XP or which virus scanner is the best... sarcasmI'm not sure why ACLs have not helped this person in those situations./sarcasm Nowhere in the article is proof provided that OpenBSD is insecure. There are comparisons made. OS A has 'this', OS B has 'that'. OpenBSD does not. So, OpenBSD by comparison is less secure, therefore insecure. It's non-sense. There isn't even proof that feature this or feature that have provided stronger security. Those features are not enabled by default and are often tedious to get working correctly. Basically, OS A does not benefit from this out of the box and OS B does not benefit from that out of the box. They are strawman arguments with no actual facts. The benefits of OpenBSD are not even covered. The author claims OpenBSD makes no effort to contain unauthorized remote access, yet many of the default daemons attempt to contain security breaches through reduced privileges and chroot. Basically, the same effect the author claims a MAC system would give you (if that system were infallible and effective, as the author blindly believes). It's built into the daemon, by default. How did the author miss this? I also do not understand why strlcpy and strlcat are causing the author so much grief. This person didn't seem to know they existed before writing the article. I work in an ISP environment and it has caused zero issues to both myself and our users. Of course, the author does not provide any real world examples of issues or exactly what code has been broken by use of strlcpy or strlcat. The author also missed how OpenBSD's current methods match it's development model very well. The OpenBSD developers are in control of all the code. There aren't 3rd party patches being introduced daily that change thousands of lines of code with unknown consequences or unintended interactions with the existing code base. Correcting the code works very well for OpenBSD. The only facts I actually got from the article are (1) OpenBSD does not have some type of MAC, which I already know, and have no problem with, and (2) the author does not like OpenBSD and wants you not to like it, too.
Re: The insecurity of OpenBSD
On Fri, Jan 22, 2010 at 12:13:38PM -0500, Dan Harnett wrote: On Fri, Jan 22, 2010 at 07:22:58AM -0600, Marco Peereboom wrote: It doesn't and I'll argue all day that it won't help you a bit. I couldn't agree more. BTW, microsoft implemented every single ACL type mechanism the NSA ever made public. Tell me again how well it worked for them. More importantly, how well has it worked for end users doing general computing tasks? Glancing through the author's other posts, I don't get the feeling that this person is in an environment that needs the level of security that the NSA does or has ever been in one. Most of the posts revolve around removing malware from Windows XP or which virus scanner is the best... sarcasmI'm not sure why ACLs have not helped this person in those situations./sarcasm Nowhere in the article is proof provided that OpenBSD is insecure. There are comparisons made. OS A has 'this', OS B has 'that'. OpenBSD does not. So, OpenBSD by comparison is less secure, therefore insecure. It's non-sense. There isn't even proof that feature this or feature that have provided stronger security. Those features are not enabled by default and are often tedious to get working correctly. Basically, OS A does not benefit from this out of the box and OS B does not benefit from that out of the box. They are strawman arguments with no actual facts. The benefits of OpenBSD are not even covered. The author claims OpenBSD makes no effort to contain unauthorized remote access, yet many of the default daemons attempt to contain security breaches through reduced privileges and chroot. Basically, the same effect the author claims a MAC system would give you (if that system were infallible and effective, as the author blindly believes). It's built into the daemon, by default. How did the author miss this? I also do not understand why strlcpy and strlcat are causing the author so much grief. This person didn't seem to know they existed before writing the article. I work in an ISP environment and it has caused zero issues to both myself and our users. Of course, the author does not provide any real world examples of issues or exactly what code has been broken by use of strlcpy or strlcat. The author also missed how OpenBSD's current methods match it's development model very well. The OpenBSD developers are in control of all the code. There aren't 3rd party patches being introduced daily that change thousands of lines of code with unknown consequences or unintended interactions with the existing code base. Correcting the code works very well for OpenBSD. The only facts I actually got from the article are (1) OpenBSD does not have some type of MAC, which I already know, and have no problem with, and (2) the author does not like OpenBSD and wants you not to like it, too. The author of the linked article kind of lost me at as soon as a service is enabled or software from the ports tree is installed. Well SHEEIII, who knew. I better run out right now and replace all my firewalls with iLinux. I had no idea that it was up to me to understand/mitigate the risks in using ports and services. How dare I not get my hand held. I don't see much different in this point then saying Windows is secure only until you plug in the ethernet cable.
Re: The insecurity of OpenBSD
On Fri, Jan 22, 2010 at 10:56:14AM +0800, Zamri Besar wrote: The insecurity of OpenBSD http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/ -zamri- Sometimes the add-on security enhancements directly weaken system security: http://www.milw0rm.com/exploits/9191 Bypassing the null ptr dereference protection in the mainline kernel via two methods - if SELinux is enabled, it allows pulseaudio to map at 0 UPDATE: not just that, SELinux lets any user in unconfined_t map at 0, overriding the mmap_min_addr restriction! pulseaudio is not needed at all! Having SELinux enabled actually *WEAKENS* system security for these kinds of exploits! John
Re: The insecurity of OpenBSD
On Fri, Jan 22, 2010 at 12:13:38PM -0500, Dan Harnett wrote: I also do not understand why strlcpy and strlcat are causing the author so much grief. This person didn't seem to know they existed before writing the article. I work in an ISP environment and it has caused zero issues to both myself and our users. Of course, the author does not provide any real world examples of issues or exactly what code has been broken by use of strlcpy or strlcat. trust an idiot to quote another idiot (Drepper). The first one is clueless wrt security, the second one is clueless wrt real programmers.
Re: The insecurity of OpenBSD
On Thu, Jan 21, 2010 at 8:56 PM, Zamri Besar zam4e...@gmail.com wrote: The insecurity of OpenBSD http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/ -zamri- That's a great article...I mean, I'd rather go get shots the day after hiring a hooker instead of wearing a condom in the first place because, you know, condoms fail all the time, right? And shots from the doctor are infallible, right?
Re: The insecurity of OpenBSD
What a laugh. I hope all of you see that this article has to be a hoax. Oh well, I certainly learned a lot from this. find / -name .* -print /etc/changelist chmod -R / I feel so much safer! -- A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects. -- Robert Heinlein
Re: The insecurity of OpenBSD
2010/1/22 Zamri Besar zam4e...@gmail.com: The insecurity of OpenBSD http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/ The OpenBSD approach to security is primarily focused on writing quality code, with the aim being to eliminate vulnerabilities in source code. To this end, the OpenBSD team has been quite successful, with the base system having had very few vulnerabilities in a heck of a long time. While this approach is commendable, it is fundamentally flawed when compared to the approach taken by various extended access control frameworks. The extended access control frameworks that I refer to are generally implementations of MAC, RBAC, TE or some combination or variation of these basic models. There are many different implementations, generally written for Linux due to its suitability as a testing platform. So... the author prefers shoddy, buggy, non-quality code as long as it provides extra access control granularity. Yeah... I stopped reading at that point. regards, --ropers
Re: The insecurity of OpenBSD
ropers wrote: 2010/1/22 Zamri Besar zam4e...@gmail.com: The insecurity of OpenBSD http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/ So... the author prefers shoddy, buggy, non-quality code as long as it provides extra access control granularity. Yeah... I stopped reading at that point. I saw a patch committed for the non-OpenBSD version of ntpd a couple of days ago. I wonder what ACL solves that problem? Wuhoo! SELinux just stopped a cracking attempt tomorrow! Hey, wait... -- -RSM http://www.erratic.ca
Re: The insecurity of OpenBSD
On 1/22/2010 12:13 PM, Dan Harnett wrote Nowhere in the article is proof provided that OpenBSD is insecure. Sure there is; OpenBSD uses Sendmail and BIND, and they've had lots of vulnerabilities!
Re: The insecurity of OpenBSD
On Fri, Jan 22, 2010 at 1:56 PM, Zamri Besar zam4e...@gmail.com wrote: The insecurity of OpenBSD http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/ -zamri- An interesting read - but seems to just be ACLs, ACLs, ACLs and that's about it. And this person's source on the failings of strl{cat,cpy} cite a guy from Redhat calling it ineffiient BSD crap and that's about it. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: The insecurity of OpenBSD
On Fri, 22 Jan 2010 10:56 +0800, Zamri Besar zam4e...@gmail.com wrote: The insecurity of OpenBSD http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/ I know, I know a troll, but I'll bite. This is laughable because of his examples and lack of actual good ones. OpenVMS is only mentioned in a footnote. And no mention of arguably the most secure OS on the market, OS400. Yes, I am a UNIX and an OpenBSD fan, but if you are going to criticize OBSD at least use real arguments. That RBAC and other garbage is just talk. Can it increase security? Yes, when used properly, but it rarely is. If you want proof of that statement just look at Windows. He downplays Windows in the article, but I am familiar with NT. NT *has* the full suite of security measures that he talks about as being essential. Role based access controls, the works, but just look at its track record. Its track record on security is abysmal so so much for that theory. It's just talk. He begins to talk about that to design a truly secure OS one must design it from the beginning with security in mind, but then he stops there. This demonstrates a fundamental lack of understanding of how a *true* secure OS is designed. Designing the OS with security in mind is just the beginning. You must also develop the *hardware* architecture in concert with the OS to develop a truly secure OS. This is why *any* OS on the i386 platform is *ucked before it begins. The risks can only be mitigated and OpenBSD does as good a job as is probably possible.
Re: The insecurity of OpenBSD
On Thursday 21 January 2010 21:56:14 Zamri Besar wrote: The insecurity of OpenBSD http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/ -zamri- This should have been posted to advocacy, not misc. Actually, it doesn't truly belong there, either. There seems to be enough commentary at the wordpress site. --STeve Andre'
Re: The insecurity of OpenBSD
On Fri, Jan 22, 2010 at 02:47:27PM +1100, Aaron Mason wrote: On Fri, Jan 22, 2010 at 1:56 PM, Zamri Besar zam4e...@gmail.com wrote: The insecurity of OpenBSD http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/ -zamri- An interesting read - but seems to just be ACLs, ACLs, ACLs and that's about it. And this person's source on the failings of strl{cat,cpy} cite a guy from Redhat calling it ineffiient BSD crap and that's about it. It's better if you remove all the non-sense, hypocrisy, and political bull. OpenBSD does not have some sort of MAC. Okay, nothing new there. Move along.