Re: [LUAU] so much for OpenBSD

2007-08-07 Thread Antonio Querubin

On Mon, 6 Aug 2007, Peter Besenbruch wrote:

> Julian Yap wrote:
>
>> SELinux is enabled by default (targeted policy) in Red Hat
>> Enterprise Linux and Fedora.
>
> And it's amazing how much better Fedora runs when you turn them off. :)

Indeed.  After having lost and recovered several Fedora systems in the
past few years due to selinux startup problems I've found it's just easier
to leave it off.

___
LUAU@lists.hosef.org mailing list
http://lists.hosef.org/cgi-bin/mailman/listinfo/luau


Re: [LUAU] so much for OpenBSD

2007-08-07 Thread Jim Thompson


On Aug 7, 2007, at 3:05 AM, Antonio Querubin wrote:

> On Mon, 6 Aug 2007, Peter Besenbruch wrote:
>
>> Julian Yap wrote:
>>
>>> SELinux is enabled by default (targeted policy) in Red Hat
>>> Enterprise Linux and Fedora.
>>
>> And it's amazing how much better Fedora runs when you turn them off. :)
>
> Indeed.  After having lost and recovered several Fedora systems in
> the past few years due to selinux startup problems I've found it's
> just easier to leave it off.

I'm sure your networking runs faster with the firewall off, and that
a Windows machine runs faster sans the massive infection of spyware
and other crap that they tend to carry.





[LUAU] so much for OpenBSD

2007-08-06 Thread Jim Thompson
and their over-hyped security focus.  They can't even behave
responsibly when a remote execution bug shows up.

http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1703

(Anyone else remember Clinton's "deny deny deny"?)

They've now been forced to change their tagline to, "Only two remote
holes in the default install, in more than 10 years!"

(The previous hole was an OpenSSH exploit found by Mark Dowd in June
2002.)

Gee, it could be, "OpenBSD: exploitable every five years, thus far!"

They even won an award for their bad behavior:
http://pwnie-awards.org/winners.html

---
Pwnie for Lamest Vendor Response

Awarded to the vendor who mishandled a security vulnerability most
spectacularly.

OpenBSD IPv6 mbuf kernel buffer overflow (CVE-2007-1365)
OpenBSD team
The OpenBSD team refused to acknowledge the bug as a security
vulnerability and issued a reliability fix for it.
A week later Core Security had developed proof of concept code that
demonstrated remote code execution.

Read the full timeline and quotes in the Core advisory (above).



Re: [LUAU] so much for OpenBSD

2007-08-06 Thread 808blogger
Well, keep in mind no other OS has even a close record to what the
OpenBSD team has done. And don't forget that the ssh you use every day is
written by the OpenBSD team, that's right. Theo and co. have done a HUGE job
improving security in the Unix world at large.

And on the topic of this particular exploit, you would actually have to be
on the same physical LAN segment to use this exploit. This is not an
over-the-internet hack that can occur.

To quote from http://www.securiteam.com/unixfocus/5HP0C1FKUO.html:

"However, in order to exploit a vulnerable system an attacker needs to be
able to inject fragmented IPv6 packets on the target system's local network.
This requires direct physical/logical access to the target's local network
-in which case the attacking system does not need to have a working IPv6
stack- or the ability to route or tunnel IPv6 packets to the target from a
remote network."

99% of users will not even have a problem with this, and
you don't even have to patch the system if you don't want to: simply put
'block in quick inet6' in your pf.conf.

Don't dump on the OpenBSD guys. Their product rocks.

Sean

On 8/5/07, Jim Thompson [EMAIL PROTECTED] wrote:

> and their over-hyped security focus.  They can't even behave
> responsibly when a remote execution bug shows up.
>
> http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1703
>
> (Anyone else remember Clinton's "deny deny deny"?)
>
> They've now been forced to change their tagline to, "Only two remote
> holes in the default install, in more than 10 years!"
>
> (The previous hole was an OpenSSH exploit found by Mark Dowd in June
> 2002.)
>
> Gee, it could be, "OpenBSD: exploitable every five years, thus far!"
>
> They even won an award for their bad behavior:
> http://pwnie-awards.org/winners.html
>
> ---
> Pwnie for Lamest Vendor Response
>
> Awarded to the vendor who mishandled a security vulnerability most
> spectacularly.
>
> OpenBSD IPv6 mbuf kernel buffer overflow (CVE-2007-1365)
> OpenBSD team
> The OpenBSD team refused to acknowledge the bug as a security
> vulnerability and issued a reliability fix for it.
> A week later Core Security had developed proof of concept code that
> demonstrated remote code execution.
> Read the full timeline and quotes in the Core advisory (above).

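The quoted advisory text makes fragmented IPv6 packets reaching the host the precondition, and the pf rule above drops all inbound IPv6 to close it. The following is an added example, not code from the thread, from OpenBSD or from pf: it walks an IPv6 packet's extension-header chain and flags any packet carrying a Fragment header, the narrower check a monitor could apply instead of blocking inet6 wholesale. The packets, addresses and fragment IDs are constructed inline for the demonstration.

```python
import struct

FRAGMENT = 44                     # IPv6 Fragment extension header
EXTENSIONS = {0, 43, 44, 51, 60}  # hop-by-hop, routing, fragment, AH, dest opts
LL_SRC = b"\xfe\x80" + b"\x00" * 13 + b"\x01"   # constructed link-local addresses
LL_DST = b"\xfe\x80" + b"\x00" * 13 + b"\x02"

def ipv6_packet(next_header, payload, src=LL_SRC, dst=LL_DST):
    """Wrap payload in a minimal IPv6 header (version 6, hop limit 64). Test data only."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

def fragment_header(next_header, offset, more, ident):
    """Encode a Fragment header: offset in 8-octet units, M flag in the low bit."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)

def inspect(pkt):
    """Walk the extension-header chain and report any Fragment header found."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain, frag = pkt[6], 40, [], None
    while nxt in EXTENSIONS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nxt)
        if nxt == FRAGMENT:                       # fixed 8-octet header
            nxt_in, _, fo, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            frag = {"offset": fo >> 3, "more": bool(fo & 1), "id": ident}
            length = 8
        elif nxt == 51:                           # AH: length field in 4-octet units, minus 2
            nxt_in, length = pkt[off], (pkt[off + 1] + 2) * 4
        else:                                     # others: 8-octet units, minus 1
            nxt_in, length = pkt[off], (pkt[off + 1] + 1) * 8
        off, nxt = off + length, nxt_in
    return {"chain": chain, "upper": nxt, "fragment": frag}

def should_alert(pkt):
    """Policy matching the thread's concern: any fragmented IPv6 packet is suspect."""
    return inspect(pkt)["fragment"] is not None

if __name__ == "__main__":
    plain = ipv6_packet(17, b"\x00" * 8)                       # UDP, no extensions
    frag = ipv6_packet(FRAGMENT, fragment_header(17, 0, True, 0xABCD) + b"\x00" * 8)
    for name, p in (("plain", plain), ("fragmented", frag)):
        print(name, inspect(p), "ALERT" if should_alert(p) else "ok")
```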


Re: [LUAU] so much for OpenBSD

2007-08-06 Thread Jim Thompson


On Aug 6, 2007, at 1:09 PM, 808blogger wrote:

> Well, keep in mind no other OS has even a close record to what the
> OpenBSD team has done.

Please.

> And don't forget that the ssh you use every day is
> written by the OpenBSD team, that's right. Theo and co. have done a
> HUGE job improving security in the Unix world at large.

So what?  There were RSA-keyed, encrypted telnets in existence before
ssh got written.
(Under my watch, by Doug Barnes, at Tadpole, circa 1994. Doug later
of 'C2' fame.)

> And on the topic of this particular exploit, you would actually
> have to be on the same physical LAN segment to use this exploit.
> This is not an over-the-internet hack that can occur.
>
> To quote from http://www.securiteam.com/unixfocus/5HP0C1FKUO.html:
>
> "However, in order to exploit a vulnerable system an attacker needs
> to be able to inject fragmented IPv6 packets on the target system's
> local network. This requires direct physical/logical access to the
> target's local network -in which case the attacking system does not
> need to have a working IPv6 stack- or the ability to route or tunnel
> IPv6 packets to the target from a remote network."

Logical... if your router manages to create a tunnel for you,
you're hosed.

It's **SPIN**, get it?

> 99% of users will not even have a problem with this, and
> you don't even have to patch the system if you don't want to: simply put
> 'block in quick inet6' in your pf.conf.

Right, but the claim is "default installation", and they didn't want
to lose that.

(And let us not forget that the other bug was in (drumroll) ssh.)

> Don't dump on the OpenBSD guys. Their product rocks.

Their process for security bugs appears to be quite badly borked.

And FreeBSD rocks much, much harder.

Jim


Re: [LUAU] so much for OpenBSD

2007-08-06 Thread bully
So, let me get this straight. What are we talking about here? ONE 
security 'hole' or exploit every FIVE YEARS?
As opposed to ONE hole punched in Windows OS every FIVE MINUTES? (Or 
less?)


No brainer if you ask me. I think they're making way too much of such a 
little thing comparatively speaking. (actually there is no comparison) :)


Whatdayathink Jim? :)

Bully



Jim Thompson wrote:

> On Aug 6, 2007, at 1:09 PM, 808blogger wrote:
>
>> Well, keep in mind no other OS has even a close record to what the
>> OpenBSD team has done.
>
> Please.
>
>> And don't forget that the ssh you use every day is
>> written by the OpenBSD team, that's right. Theo and co. have done a
>> HUGE job improving security in the Unix world at large.
>
> So what?  There were RSA-keyed, encrypted telnets in existence before
> ssh got written.
> (Under my watch, by Doug Barnes, at Tadpole, circa 1994. Doug later of
> 'C2' fame.)
>
>> And on the topic of this particular exploit, you would actually have
>> to be on the same physical LAN segment to use this exploit. This is
>> not an over-the-internet hack that can occur.
>>
>> To quote from http://www.securiteam.com/unixfocus/5HP0C1FKUO.html:
>>
>> "However, in order to exploit a vulnerable system an attacker needs
>> to be able to inject fragmented IPv6 packets on the target system's
>> local network. This requires direct physical/logical access to the
>> target's local network -in which case the attacking system does not
>> need to have a working IPv6 stack- or the ability to route or tunnel
>> IPv6 packets to the target from a remote network."
>
> Logical... if your router manages to create a tunnel for you, you're
> hosed.
>
> It's **SPIN**, get it?
>
>> 99% of users will not even have a problem with this, and
>> you don't even have to patch the system if you don't want to: simply put
>> 'block in quick inet6' in your pf.conf.
>
> Right, but the claim is "default installation", and they didn't want
> to lose that.
>
> (And let us not forget that the other bug was in (drumroll) ssh.)
>
>> Don't dump on the OpenBSD guys. Their product rocks.
>
> Their process for security bugs appears to be quite badly borked.
>
> And FreeBSD rocks much, much harder.
>
> Jim


Re: [LUAU] so much for OpenBSD

2007-08-06 Thread Jim Thompson
There are a plethora of operating systems one could run on a
computer.   OpenBSD and Windows do not represent anything like an
endpoint on the continuum.

While the OpenBSD approach (inspect the source by hand, which they
term an "audit") yields some results, it is fundamentally flawed.

Read it and weep for OpenBSD:
http://www.cs.utah.edu/flux/fluke/html/inevit-abs.html

As proof, there are other computer architectures which have not been
hacked, despite tremendous efforts, and others which were only hacked
once (Multics), and then only because someone left a low-level
debugger configured in-place.  OpenBSD (and most of the other
*nix-based platforms) do not, for instance, implement Biba by default.
Linux has the SELinux extensions which are now part of the 2.6 kernel
series, though not enabled by default, when last I checked.

In FreeBSD land, there is a project named TrustedBSD.
TrustedBSD provides a set of extensions to FreeBSD to add support for
{ACLs, Capabilities, Mandatory Access Control, Auditing} as well as
supporting features to implement them. These features are being
integrated into the base operating system distribution, with the
intent that they be part of FreeBSD.

Restated, the OpenBSD and TrustedBSD projects have largely different
thrusts: the OpenBSD project seeks to provide a correct and bug-free
POSIX implementation (where correctness includes a focus on failing
to suffer from security holes). It also includes cryptography-related
features as a primary development goal, hence early development and
integration of IPsec in the base system (and a continuing high level
of maturity of their implementation), as well as their work on
OpenSSH.  The TrustedBSD project seeks to introduce a variety of
features, some described in the defunct POSIX.1e draft.  These
include MLS (with fixed-label Biba), MAC, ACLs, FLASK and Type
Enforcement.

It's possible (and perhaps probable) that OpenBSD will pick up some of
the TrustedBSD work, but this just proves that you can't look to
OpenBSD as the secure operating system.   Solaris has had similar
work in-place for *years*.

What's next is the integration of source control into the mechanisms
for patching running systems, just the thing that IBM and Lisp
Machine environments (*) had in the 80s and before.

These are the kinds of systems that we are now having to rediscover
to be able to respond quickly when hackers find security flaws in our
running systems.

My 'complaint' about OpenBSD was really more finger pointing at
their flawed response.   They really wanted to preserve the N years
since a remote exploit, but could not.

Though it took five years for the last one, you get no guarantees
that the next one isn't being discovered while I type this.

Jim

(*) Interestingly, you can't mount several popular attacks (buffer/
stack over-runs, etc.) on Lisp Machines, either.


On Aug 6, 2007, at 3:45 PM, bully wrote:

> So, let me get this straight. What are we talking about here? ONE
> security 'hole' or exploit every FIVE YEARS?
> As opposed to ONE hole punched in Windows OS every FIVE MINUTES?
> (Or less?)
>
> No brainer if you ask me. I think they're making way too much of
> such a little thing comparatively speaking. (actually there is no
> comparison) :)
>
> Whatdayathink Jim? :)
>
> Bully
>
> Jim Thompson wrote:
>
>> On Aug 6, 2007, at 1:09 PM, 808blogger wrote:
>>
>>> Well, keep in mind no other OS has even a close record to
>>> what the OpenBSD team has done.
>>
>> Please.
>>
>>> And don't forget that the ssh you use every day is
>>> written by the OpenBSD team, that's right. Theo and co. have done
>>> a HUGE job improving security in the Unix world at large.
>>
>> So what?  There were RSA-keyed, encrypted telnets in existence
>> before ssh got written.
>> (Under my watch, by Doug Barnes, at Tadpole, circa 1994. Doug
>> later of 'C2' fame.)
>>
>>> And on the topic of this particular exploit, you would actually
>>> have to be on the same physical LAN segment to use this exploit.
>>> This is not an over-the-internet hack that can occur.
>>>
>>> To quote from http://www.securiteam.com/unixfocus/5HP0C1FKUO.html:
>>>
>>> "However, in order to exploit a vulnerable system an attacker
>>> needs to be able to inject fragmented IPv6 packets on the target
>>> system's local network. This requires direct physical/logical
>>> access to the target's local network -in which case the attacking
>>> system does not need to have a working IPv6 stack- or the ability
>>> to route or tunnel IPv6 packets to the target from a remote
>>> network."
>>
>> Logical... if your router manages to create a tunnel for you,
>> you're hosed.
>>
>> It's **SPIN**, get it?
>>
>>> 99% of users will not even have a problem with this, and
>>> you don't even have to patch the system if you don't want to:
>>> simply put 'block in quick inet6' in your pf.conf.
>>
>> Right, but the claim is "default installation", and they didn't
>> want to lose that.
>>
>> (And let us not forget that the other bug was in (drumroll) ssh.)
>>
>>> Don't

Re: [LUAU] so much for OpenBSD

2007-08-06 Thread Julian Yap
--- Jim Thompson [EMAIL PROTECTED] wrote:

> Linux has the SELinux extensions which are now part of the 2.6
> kernel series, though not enabled by default, when last I checked.

SELinux is enabled by default (targeted policy) in Red Hat
Enterprise Linux and Fedora.

In Fedora at least since version 3, released 2004/11/08:
http://docs.fedoraproject.org/selinux-faq-fc3/index.html#id2825207

Not in Fedora 2 though:
http://docs.fedoraproject.org/selinux-faq-fc2/index.html#id2658863



Re: [LUAU] so much for OpenBSD

2007-08-06 Thread Peter Besenbruch

Julian Yap wrote:

> SELinux is enabled by default (targeted policy) in Red Hat
> Enterprise Linux and Fedora.

And it's amazing how much better Fedora runs when you turn them off. :)
--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky