Re: The insecurity of OpenBSD

2010-01-30 Thread Anathae E. Townsend 
snip 
indent
The author of the linked article kind of lost me at as soon as a
service is enabled or software from the ports tree is installed.

Well SHEEIII, who knew. I better run out right now and replace
all my firewalls with iLinux. 

I had no idea that it was up to me to understand/mitigate the risks in
using ports and services. How dare I not get my hand held.

I don't see much different in this point then saying Windows is secure
only until you plug in the ethernet cable.
spewhotchocolateonmonitor
/indent

Re: The insecurity of OpenBSD

2010-01-25 Thread Jordi Espasa Clofent 

On 01/23/2010 01:02 AM, Steve Shockley wrote:

On 1/22/2010 12:13 PM, Dan Harnett wrote

Nowhere in the article is proof provided that OpenBSD is insecure.


Sure there is; OpenBSD uses Sendmail and BIND, and they've had lots of
vulnerabilities!


http://www.openbsd.org/faq/faq1.html#HowAbout
http://www.openbsd.org/policy.html

Simply read. Even you can ;)


--
I must not fear. Fear is the mind-killer. Fear is the little-death that 
brings total obliteration. I will face my fear. I will permit it to pass 
over me and through me. And when it has gone past I will turn the inner 
eye to see its path. Where the fear has gone there will be nothing. Only 
I will remain.


Bene Gesserit Litany Against Fear.

Re: The insecurity of OpenBSD

2010-01-22 Thread Marco Peereboom 
It doesn't and I'll argue all day that it won't help you a bit.

Here is an example:
1. running system with OMGACL
2. pkg_add -ui
3. couple of days later at 3am bz got come to the datacenter because
   the app bombed
4. oh, the acl terminated it; adjust
5. repeat 3 - 4 until it works
6. repeat 2 - 5 in perpetuity

- or -

1. Disable ACL.

BTW, microsoft implemented every single ACL type mechanism the NSA ever
made public.  Tell me again how well it worked for them.

Show me an admin that isn't lazy and I'll show you a liar.

On Fri, Jan 22, 2010 at 12:35:03AM -0500, Dan Harnett wrote:
 On Fri, Jan 22, 2010 at 02:47:27PM +1100, Aaron Mason wrote:
  On Fri, Jan 22, 2010 at 1:56 PM, Zamri Besar zam4e...@gmail.com wrote:
   The insecurity of OpenBSD
   http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/
  
   -zamri-
  
  
  
  An interesting read - but seems to just be ACLs, ACLs, ACLs and that's
  about it.  And this person's source on the failings of strl{cat,cpy}
  cite a guy from Redhat calling it ineffiient BSD crap and that's
  about it.
 
 It's better if you remove all the non-sense, hypocrisy, and political
 bull.  OpenBSD does not have some sort of MAC.  Okay, nothing new there.
 Move along.

Re: The insecurity of OpenBSD

2010-01-22 Thread Brad Tilley 
On Fri, 22 Jan 2010 07:22 -0600, Marco Peereboom sl...@peereboom.us wrote:
 It doesn't and I'll argue all day that it won't help you a bit.
 
 Here is an example:
 1. running system with OMGACL
 2. pkg_add -ui
 3. couple of days later at 3am bz got come to the datacenter because
the app bombed
 4. oh, the acl terminated it; adjust
 5. repeat 3 - 4 until it works
 6. repeat 2 - 5 in perpetuity
 
 - or -
 
 1. Disable ACL.

[snip]

I saw a group of sys admins go through those very steps several years ago while 
attempting to deploy SELinux. After 3 months of trying to make it work, they 
disabled it. It could have been done, but they would have had to triple the 
support staff to make it work.

Re: The insecurity of OpenBSD

2010-01-22 Thread Dan Harnett 
On Fri, Jan 22, 2010 at 07:22:58AM -0600, Marco Peereboom wrote:
 It doesn't and I'll argue all day that it won't help you a bit.

I couldn't agree more.

 BTW, microsoft implemented every single ACL type mechanism the NSA ever
 made public.  Tell me again how well it worked for them.

More importantly, how well has it worked for end users doing general
computing tasks?

Glancing through the author's other posts, I don't get the feeling that
this person is in an environment that needs the level of security that
the NSA does or has ever been in one.  Most of the posts revolve around
removing malware from Windows XP or which virus scanner is the best...
sarcasmI'm not sure why ACLs have not helped this person in those
situations./sarcasm

Nowhere in the article is proof provided that OpenBSD is insecure.
There are comparisons made.  OS A has 'this', OS B has 'that'.  OpenBSD
does not.  So, OpenBSD by comparison is less secure, therefore
insecure.  It's non-sense.  There isn't even proof that feature this
or feature that have provided stronger security.  Those features are
not enabled by default and are often tedious to get working correctly.
Basically, OS A does not benefit from this out of the box and OS B
does not benefit from that out of the box.  They are strawman
arguments with no actual facts.

The benefits of OpenBSD are not even covered.  The author claims OpenBSD
makes no effort to contain unauthorized remote access, yet many of the
default daemons attempt to contain security breaches through reduced
privileges and chroot.  Basically, the same effect the author claims a
MAC system would give you (if that system were infallible and effective,
as the author blindly believes).  It's built into the daemon, by
default.  How did the author miss this?

I also do not understand why strlcpy and strlcat are causing the author
so much grief.  This person didn't seem to know they existed before
writing the article.  I work in an ISP environment and it has caused
zero issues to both myself and our users.  Of course, the author does
not provide any real world examples of issues or exactly what code has
been broken by use of strlcpy or strlcat.

The author also missed how OpenBSD's current methods match it's
development model very well.  The OpenBSD developers are in control of
all the code.  There aren't 3rd party patches being introduced daily
that change thousands of lines of code with unknown consequences or
unintended interactions with the existing code base.  Correcting the
code works very well for OpenBSD.

The only facts I actually got from the article are (1) OpenBSD does not
have some type of MAC, which I already know, and have no problem with,
and (2) the author does not like OpenBSD and wants you not to like it,
too.

Re: The insecurity of OpenBSD

2010-01-22 Thread Scott Learmonth 
On Fri, Jan 22, 2010 at 12:13:38PM -0500, Dan Harnett wrote:
 On Fri, Jan 22, 2010 at 07:22:58AM -0600, Marco Peereboom wrote:
  It doesn't and I'll argue all day that it won't help you a bit.
 
 I couldn't agree more.
 
  BTW, microsoft implemented every single ACL type mechanism the NSA ever
  made public.  Tell me again how well it worked for them.
 
 More importantly, how well has it worked for end users doing general
 computing tasks?
 
 Glancing through the author's other posts, I don't get the feeling that
 this person is in an environment that needs the level of security that
 the NSA does or has ever been in one.  Most of the posts revolve around
 removing malware from Windows XP or which virus scanner is the best...
 sarcasmI'm not sure why ACLs have not helped this person in those
 situations./sarcasm
 
 Nowhere in the article is proof provided that OpenBSD is insecure.
 There are comparisons made.  OS A has 'this', OS B has 'that'.  OpenBSD
 does not.  So, OpenBSD by comparison is less secure, therefore
 insecure.  It's non-sense.  There isn't even proof that feature this
 or feature that have provided stronger security.  Those features are
 not enabled by default and are often tedious to get working correctly.
 Basically, OS A does not benefit from this out of the box and OS B
 does not benefit from that out of the box.  They are strawman
 arguments with no actual facts.
 
 The benefits of OpenBSD are not even covered.  The author claims OpenBSD
 makes no effort to contain unauthorized remote access, yet many of the
 default daemons attempt to contain security breaches through reduced
 privileges and chroot.  Basically, the same effect the author claims a
 MAC system would give you (if that system were infallible and effective,
 as the author blindly believes).  It's built into the daemon, by
 default.  How did the author miss this?
 
 I also do not understand why strlcpy and strlcat are causing the author
 so much grief.  This person didn't seem to know they existed before
 writing the article.  I work in an ISP environment and it has caused
 zero issues to both myself and our users.  Of course, the author does
 not provide any real world examples of issues or exactly what code has
 been broken by use of strlcpy or strlcat.
 
 The author also missed how OpenBSD's current methods match it's
 development model very well.  The OpenBSD developers are in control of
 all the code.  There aren't 3rd party patches being introduced daily
 that change thousands of lines of code with unknown consequences or
 unintended interactions with the existing code base.  Correcting the
 code works very well for OpenBSD.
 
 The only facts I actually got from the article are (1) OpenBSD does not
 have some type of MAC, which I already know, and have no problem with,
 and (2) the author does not like OpenBSD and wants you not to like it,
 too.
 
 
The author of the linked article kind of lost me at as soon as a
service is enabled or software from the ports tree is installed.

Well SHEEIII, who knew. I better run out right now and replace
all my firewalls with iLinux. 

I had no idea that it was up to me to understand/mitigate the risks in
using ports and services. How dare I not get my hand held.

I don't see much different in this point then saying Windows is secure
only until you plug in the ethernet cable.

Re: The insecurity of OpenBSD

2010-01-22 Thread John Jackson 
On Fri, Jan 22, 2010 at 10:56:14AM +0800, Zamri Besar wrote:
 The insecurity of OpenBSD
 http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/
 
 -zamri-

Sometimes the add-on security enhancements directly weaken system
security:

http://www.milw0rm.com/exploits/9191


   Bypassing the null ptr dereference protection in the mainline kernel
   via two methods -
 if SELinux is enabled, it allows pulseaudio to map at 0
 UPDATE: not just that, SELinux lets any user in unconfined_t map at
 0, overriding the mmap_min_addr restriction!  pulseaudio is not
 needed at all!  Having SELinux enabled actually *WEAKENS* system
 security for these kinds of exploits!



John

Re: The insecurity of OpenBSD

2010-01-22 Thread Marc Espie 
On Fri, Jan 22, 2010 at 12:13:38PM -0500, Dan Harnett wrote:
 I also do not understand why strlcpy and strlcat are causing the author
 so much grief.  This person didn't seem to know they existed before
 writing the article.  I work in an ISP environment and it has caused
 zero issues to both myself and our users.  Of course, the author does
 not provide any real world examples of issues or exactly what code has
 been broken by use of strlcpy or strlcat.

trust an idiot to quote another idiot (Drepper).
The first one is clueless wrt security, the second one is clueless wrt
real programmers.

Re: The insecurity of OpenBSD

2010-01-22 Thread J Sisson 
On Thu, Jan 21, 2010 at 8:56 PM, Zamri Besar zam4e...@gmail.com wrote:
 The insecurity of OpenBSD
 http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/

 -zamri-



That's a great article...I mean, I'd rather go get shots the day after
hiring a hooker instead of wearing a condom in the first place
because, you know, condoms fail all the time, right?  And shots from
the doctor are infallible, right?

Re: The insecurity of OpenBSD

2010-01-22 Thread Chris Bennett 

What a laugh.

I hope all of you see that this article has to be a hoax.

Oh well, I certainly learned a lot from this.

find / -name .* -print  /etc/changelist
chmod -R / 

I feel so much safer!

--
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects.
  -- Robert Heinlein

Re: The insecurity of OpenBSD

2010-01-22 Thread ropers 
2010/1/22 Zamri Besar zam4e...@gmail.com:
 The insecurity of OpenBSD
 http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/

 The OpenBSD approach to security is primarily focused on writing quality
code, with the aim being to eliminate vulnerabilities in source code. To this
end, the OpenBSD team has been quite successful, with the base system having
had very few vulnerabilities in a heck of a long time. While this approach
is commendable, it is fundamentally flawed when compared to the approach taken
by various extended access control frameworks.

 The extended access control frameworks that I refer to are generally
implementations of MAC, RBAC, TE or some combination or variation of these
basic models. There are many different implementations, generally written for
Linux due to its suitability as a testing platform.

So... the author prefers shoddy, buggy, non-quality code as long as it
provides extra access control granularity.
Yeah...
I stopped reading at that point.

regards,
--ropers

Re: The insecurity of OpenBSD

2010-01-22 Thread Scott McEachern 

ropers wrote:

2010/1/22 Zamri Besar zam4e...@gmail.com:
  

The insecurity of OpenBSD
http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/


So... the author prefers shoddy, buggy, non-quality code as long as it
provides extra access control granularity.
Yeah...
I stopped reading at that point.


  


I saw a patch committed for the non-OpenBSD version of ntpd a couple of 
days ago.  I wonder what ACL solves that problem?


Wuhoo! SELinux just stopped a cracking attempt tomorrow!  Hey, wait...

--

-RSM

http://www.erratic.ca

Re: The insecurity of OpenBSD

2010-01-22 Thread Steve Shockley 

On 1/22/2010 12:13 PM, Dan Harnett wrote

Nowhere in the article is proof provided that OpenBSD is insecure.


Sure there is; OpenBSD uses Sendmail and BIND, and they've had lots of 
vulnerabilities!

Re: The insecurity of OpenBSD

2010-01-21 Thread Aaron Mason 
On Fri, Jan 22, 2010 at 1:56 PM, Zamri Besar zam4e...@gmail.com wrote:
 The insecurity of OpenBSD
 http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/

 -zamri-



An interesting read - but seems to just be ACLs, ACLs, ACLs and that's
about it.  And this person's source on the failings of strl{cat,cpy}
cite a guy from Redhat calling it ineffiient BSD crap and that's
about it.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse

Re: The insecurity of OpenBSD

2010-01-21 Thread Eric Furman 
On Fri, 22 Jan 2010 10:56 +0800, Zamri Besar zam4e...@gmail.com
wrote:
 The insecurity of OpenBSD
 http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/

I know, I know a troll, but I'll bite.
This is laughable because of his examples and lack of actual good ones.
OpenVMS is only mentioned in a footnote.
And no mention of arguably the most secure OS on the market, OS400.
Yes, I am a UNIX and an OpenBSD fan, but if you are going to
criticize OBSD at least use real arguments. That RBAC and other
garbage is just talk. Can it increase security? Yes, when used
properly, but it rarely is. If you want proof of that statement
just look at Windows. He downplays Windows in the article, but
I am familiar with NT. NT *has* the full suite of security
measures that he talks about as being essential. Role based
access controls, the works, but just look at its track record.
Its track record on security is abysmal so so much for that
theory. It's just talk.
He begins to talk about that to design a truly secure OS one
must design it from the beginning with security in mind, but
then he stops there. This demonstrates a fundamental lack of
understanding of how a *true* secure OS is designed.
Designing the OS with security in mind is just the beginning.
You must also develop the *hardware* architecture in concert
with the OS to develop a truly secure OS. This is why *any* OS
on the i386 platform is *ucked before it begins. The risks
can only be mitigated and OpenBSD does as good a job as is
probably possible.

Re: The insecurity of OpenBSD

2010-01-21 Thread STeve Andre' 
On Thursday 21 January 2010 21:56:14 Zamri Besar wrote:
 The insecurity of OpenBSD
 http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/

 -zamri-

This should have been posted to advocacy, not misc.  Actually, it doesn't
truly belong there, either.  There seems to be enough commentary at
the wordpress site.

--STeve Andre'

Re: The insecurity of OpenBSD

2010-01-21 Thread Dan Harnett 
On Fri, Jan 22, 2010 at 02:47:27PM +1100, Aaron Mason wrote:
 On Fri, Jan 22, 2010 at 1:56 PM, Zamri Besar zam4e...@gmail.com wrote:
  The insecurity of OpenBSD
  http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/
 
  -zamri-
 
 
 
 An interesting read - but seems to just be ACLs, ACLs, ACLs and that's
 about it.  And this person's source on the failings of strl{cat,cpy}
 cite a guy from Redhat calling it ineffiient BSD crap and that's
 about it.

It's better if you remove all the non-sense, hypocrisy, and political
bull.  OpenBSD does not have some sort of MAC.  Okay, nothing new there.
Move along.