Re: [LUAU] so much for OpenBSD
On Mon, 6 Aug 2007, Peter Besenbruch wrote: Julian Yap wrote: SELinux is enabled by default (targeted policy) in Red Hat Enterprise Linux and Fedora. And it's amazing how much better Fedora runs when you turn them off. :) Indeed. After having lost and recovered several Fedora systems in the past few years due to selinux startup problems I've found it's just easier to leave it off. ___ LUAU@lists.hosef.org mailing list http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
Re: [LUAU] so much for OpenBSD
On Aug 7, 2007, at 3:05 AM, Antonio Querubin wrote: On Mon, 6 Aug 2007, Peter Besenbruch wrote: Julian Yap wrote: SELinux is enabled by default (targeted policy) in Red Hat Enterprise Linux and Fedora. And it's amazing how much better Fedora runs when you turn them off. :) Indeed. After having lost and recovered several Fedora systems in the past few years due to selinux startup problems I've found it's just easier to leave it off. I'm sure your networking runs faster with the firewall off, and that a Windows machine runs faster sans the massive infection of spyware and other crap that they tend to carry. ___ LUAU@lists.hosef.org mailing list http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
[LUAU] so much for OpenBSD
and their over-hyped security focus. They can't even behave responsibly when a remote execution bug shows up. http://www.coresecurity.com/index.php5? module=ContentModaction=itemid=1703 (Anyone else remember Clinton's deny deny deny?) They've now been forced to change their tagline to, Only two remote holes in the default install, in more than 10 years! (The previous hole was an OpenSSH exploit found by Mark Dowd in June 2002.) Gee, it could be, OpenBSD: exploitable every five years, thus far! they even won an award for their bad behavior: http://pwnie- awards.org/winners.html: --- Pwnie for Lamest Vendor Response Awarded to the vendor who mishandled a security vulnerability most spectacularly. OpenBSD IPv6 mbuf kernel buffer overflow (CVE-2007-1365) OpenBSD team The OpenBSD team refused to acknowledge the bug as a security vulnerability and issued a reliability fix for it. A week later Core Security had developed proof of concept code that demonstrated remote code execution. Read the full timeline and quotes in the Core advisory (above). ___ LUAU@lists.hosef.org mailing list http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
Re: [LUAU] so much for OpenBSD
well Keep in mind no other OS has even a close record to what the openbsd team has done. And dont forget that the ssh you use everyday is written by the openbsd team, thats right. Theo and co. have done a HUGE job improving security the unix world at large. and on the topic of this particular exploit, you would actaully have to be on the same physical LAN segment to use this exploit. this is a not an over the internet hack that can occur to quote from http://www.securiteam.com/unixfocus/5HP0C1FKUO.html However, in order to exploit a vulnerable system an attacker needs to be able to inject fragmented IPv6 packets on the target system's local network. This requires direct physical/logical access to the target's local network -in which case the attacking system does not need to have a working IPv6 stack- or the ability to route or tunnel IPv6 packets to the target from a remote network. 99% of users will not even have a a problem with this and you dont even have to patch the system if you dont want to simply put 'block in quick inet6' in your pf.conf dont dump on the openbsd guys. their product rocks. Sean On 8/5/07, Jim Thompson [EMAIL PROTECTED] wrote: and their over-hyped security focus. They can't even behave responsibly when a remote execution bug shows up. http://www.coresecurity.com/index.php5? module=ContentModaction=itemid=1703 (Anyone else remember Clinton's deny deny deny?) They've now been forced to change their tagline to, Only two remote holes in the default install, in more than 10 years! (The previous hole was an OpenSSH exploit found by Mark Dowd in June 2002.) Gee, it could be, OpenBSD: exploitable every five years, thus far! they even won an award for their bad behavior: http://pwnie- awards.org/winners.html: --- Pwnie for Lamest Vendor Response Awarded to the vendor who mishandled a security vulnerability most spectacularly. OpenBSD IPv6 mbuf kernel buffer overflow (CVE-2007-1365) OpenBSD team The OpenBSD team refused to acknowledge the bug as a security vulnerability and issued a reliability fix for it. A week later Core Security had developed proof of concept code that demonstrated remote code execution. Read the full timeline and quotes in the Core advisory (above). ___ LUAU@lists.hosef.org mailing list http://lists.hosef.org/cgi-bin/mailman/listinfo/luau ___ LUAU@lists.hosef.org mailing list http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
Re: [LUAU] so much for OpenBSD
On Aug 6, 2007, at 1:09 PM, 808blogger wrote: well Keep in mind no other OS has even a close record to what the openbsd team has done. Please. And dont forget that the ssh you use everyday is written by the openbsd team, thats right. Theo and co. have done a HUGE job improving security the unix world at large. So what? There were RSA-keyed, encrypted telnets in-existence before ssh got written. (Under my watch, by Doug Barnes, at Tadpole, circa 1994. Doug later of 'C2' fame.) and on the topic of this particular exploit, you would actaully have to be on the same physical LAN segment to use this exploit. this is a not an over the internet hack that can occur to quote from http://www.securiteam.com/unixfocus/5HP0C1FKUO.html However, in order to exploit a vulnerable system an attacker needs to be able to inject fragmented IPv6 packets on the target system's local network. This requires direct physical/logical access to the target's local network -in which case the attacking system does not need to have a working IPv6 stack- or the ability to route or tunnel IPv6 packets to the target from a remote network. logical... if your router manages to create a tunnel for you, you're hosed. Its **SPIN**, get it? 99% of users will not even have a a problem with this and you dont even have to patch the system if you dont want to simply put 'block in quick inet6' in your pf.conf Right, but the claim is default installation, and they didn't want to lose that. (and let us not forget that the other bug was in (drumroll) ssh) dont dump on the openbsd guys. their product rocks. their process for security bugs appears to be quite badly borked. and FreeBSD rocks much, much harder. Jim ___ LUAU@lists.hosef.org mailing list http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
Re: [LUAU] so much for OpenBSD
So, let me get this straight. What are we talking about here? ONE security 'hole' or exploit every FIVE YEARS? As opposed to ONE hole punched in Windows OS every FIVE MINUTES? (Or less?) No brainer if you ask me. I think they're making way too much of such a little thing comparatively speaking. (actually there is no comparison) :) Whatdayathink Jim? :) Bully Jim Thompson wrote: On Aug 6, 2007, at 1:09 PM, 808blogger wrote: well Keep in mind no other OS has even a close record to what the openbsd team has done. Please. And dont forget that the ssh you use everyday is written by the openbsd team, thats right. Theo and co. have done a HUGE job improving security the unix world at large. So what? There were RSA-keyed, encrypted telnets in-existence before ssh got written. (Under my watch, by Doug Barnes, at Tadpole, circa 1994. Doug later of 'C2' fame.) and on the topic of this particular exploit, you would actaully have to be on the same physical LAN segment to use this exploit. this is a not an over the internet hack that can occur to quote from http://www.securiteam.com/unixfocus/5HP0C1FKUO.html However, in order to exploit a vulnerable system an attacker needs to be able to inject fragmented IPv6 packets on the target system's local network. This requires direct physical/logical access to the target's local network -in which case the attacking system does not need to have a working IPv6 stack- or the ability to route or tunnel IPv6 packets to the target from a remote network. logical... if your router manages to create a tunnel for you, you're hosed. Its **SPIN**, get it? 99% of users will not even have a a problem with this and you dont even have to patch the system if you dont want to simply put 'block in quick inet6' in your pf.conf Right, but the claim is default installation, and they didn't want to lose that. (and let us not forget that the other bug was in (drumroll) ssh) dont dump on the openbsd guys. their product rocks. their process for security bugs appears to be quite badly borked. and FreeBSD rocks much, much harder. Jim ___ LUAU@lists.hosef.org mailing list http://lists.hosef.org/cgi-bin/mailman/listinfo/luau ___ LUAU@lists.hosef.org mailing list http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
Re: [LUAU] so much for OpenBSD
There are a plethora of operating systems one could run on a computer. OpenBSD and Windows do not represent anything like an endpoint on the continuum. While the OpenBSD approach, (inspect the source by hand, which they term an audit), while yielding some results, is fundamentally flawed. Read it and weep for OpenBSD: http://www.cs.utah.edu/flux/fluke/html/ inevit-abs.html As proof, there are other computer architectures which have not been hacked, despite tremendous efforts, and others which were only hacked once (Multics), and then only because someone left a low-level debugger configured in-place. OpenBSD (and most of the other *nix- based platforms) do not, for instance, implement BIBA by default. Linux has the SElinux extensions which are now part of the 2.6 kernel series, though not enabled by default, when last I checked. In FreeBSD land, there is a project named TrustedBSD. TrustedBSD provides a set of extensions to FreeBSD to add support for {ACLs, Capabilities, Mandatory Access Control, Auditing} as well as supporting features to implement them. These features are being integrated into the base operating system distribution, with the intent that they be part of FreeBSD. Restated, the OpenBSD and TrustedBSD projects have largely different thrusts: the OpenBSD project seeks to provide a correct and bug-free POSIX implementation (where correctness includes a focus on failing to suffer from security holes). It also includes cryptography-related features as a primary development goal, hence early development and integration of IPsec in the base system (and a continuing high level of maturity of their implementation), as well as their work on OpenSSH. TrustedBSD project seeks to introduce a variety of features, some described in the defunct POSIX.1e draft. These include MLS (with fixex-label BIBA), MAC, ACLs, FLASK and Type Enforcement. Its possible (and perhaps probable) that OpenBSD will pick up some of the TrustedBSD work, but this just proves that you can't look to OpenBSD as the secure operating system. Solaris has had similar work in-place for *years*. Whats next is the integration of source control into the mechanisms for patching running systems, just the thing that IBM and Lisp Machine environments (*) had in the 80s and before. These are the kinds of systems that we are now having to rediscover to be able to respond quickly when hackers find security flaws in our running systems. My 'complaint' about OpenBSD was really more finger pointing at their flawed response. They really wanted to preserve the N years since a remote exploit, but could not. Though it took five years for the last one, you get no guarantees that the next one isn't being discovered while I type this. Jim (*) interestingly, you cant mount several popular attacks (buffer/ stack over-runs, etc) on Lisp Machines, either. On Aug 6, 2007, at 3:45 PM, bully wrote: So, let me get this straight. What are we talking about here? ONE security 'hole' or exploit every FIVE YEARS? As opposed to ONE hole punched in Windows OS every FIVE MINUTES? (Or less?) No brainer if you ask me. I think they're making way too much of such a little thing comparatively speaking. (actually there is no comparison) :) Whatdayathink Jim? :) Bully Jim Thompson wrote: On Aug 6, 2007, at 1:09 PM, 808blogger wrote: well Keep in mind no other OS has even a close record to what the openbsd team has done. Please. And dont forget that the ssh you use everyday is written by the openbsd team, thats right. Theo and co. have done a HUGE job improving security the unix world at large. So what? There were RSA-keyed, encrypted telnets in-existence before ssh got written. (Under my watch, by Doug Barnes, at Tadpole, circa 1994. Doug later of 'C2' fame.) and on the topic of this particular exploit, you would actaully have to be on the same physical LAN segment to use this exploit. this is a not an over the internet hack that can occur to quote from http://www.securiteam.com/unixfocus/5HP0C1FKUO.html However, in order to exploit a vulnerable system an attacker needs to be able to inject fragmented IPv6 packets on the target system's local network. This requires direct physical/logical access to the target's local network -in which case the attacking system does not need to have a working IPv6 stack- or the ability to route or tunnel IPv6 packets to the target from a remote network. logical... if your router manages to create a tunnel for you, you're hosed. Its **SPIN**, get it? 99% of users will not even have a a problem with this and you dont even have to patch the system if you dont want to simply put 'block in quick inet6' in your pf.conf Right, but the claim is default installation, and they didn't want to lose that. (and let us not forget that the other bug was in (drumroll) ssh) dont
Re: [LUAU] so much for OpenBSD
--- Jim Thompson [EMAIL PROTECTED] wrote: Linux has the SElinux extensions which are now part of the 2.6 kernel series, though not enabled by default, when last I checked. SELinux is enabled by default (targeted policy) in Red Hat Enterprise Linux and Fedora. In Fedora at least since version 3, released 2004/11/08: http://docs.fedoraproject.org/selinux-faq-fc3/index.html#id2825207 Not in Fedora 2 though: http://docs.fedoraproject.org/selinux-faq-fc2/index.html#id2658863 ___ LUAU@lists.hosef.org mailing list http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
Re: [LUAU] so much for OpenBSD
Julian Yap wrote: SELinux is enabled by default (targeted policy) in Red Hat Enterprise Linux and Fedora. And it's amazing how much better Fedora runs when you turn them off. :) -- Hawaiian Astronomical Society: http://www.hawastsoc.org HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky ___ LUAU@lists.hosef.org mailing list http://lists.hosef.org/cgi-bin/mailman/listinfo/luau