Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On 10/05/2020 at 21:00, i...@aulix.com wrote:

> > Also that said, all mothafuckaaa which keep send posts like this, put your
> > head within your ass and just accept: you are OpenBSD user!
>
> Taking into account your earlier kind detailed counter explanation about many mentioned issues and mitigations I would not agree that OpenBSD community is unwelcome, so that issue seems to be not true too :)
>
> Btw, does not it look like a PR competition of Linux from USA vs OpenBSD from Canada/London? OpenBSD prohibits USA citizens to work on its crypto?

I doubt it, but as I am French I have no opinion on these questions.

Security is not the only goal of OpenBSD and should not be your only criteria.

-Extract from the FAQ

About OpenBSD

The OpenBSD project produces a freely available, multi-platform 4.4BSD-based UNIX-like operating system. Our goals place emphasis on correctness, security, standardization, and portability.

https://www.openbsd.org/faq/faq1.html#WhatIs

--

If you are looking for, try the OSes that attract you and make the choice that suits you (it can be several). Even if a Ferrari is better than a Renault on a theoretical aspect, I prefer my Renault because it is good enough to go to work and will always cost me less. If you made a mistake you can always go back on your choice or even change your mind. With practical knowledge and hindsight you will be in a better position to form an opinion on this subject that worries you.

Regards,

--
Stéphane Aulery
Re: @OpenBSD_CVS Twitter 140char limit?
10 May 2020 23:00:45 Daniel Jakots:

> On Sat, 09 May 2020 19:17:29 +0200, Tommy Nevtelen wrote
>
> > Does anybody on this list manage @OpenBSD_CVS? Would be nice to lift
> > the message truncation from the old 140char limit to the new 280char
> > limit. Super annoying when I can't read an interesting commit message
> > that is just a little longer :)
>
> afresh1@ is pretty busy so your best luck is probably to submit a pull request at https://github.com/afresh1/openbsd-commits-to-twitter

I do believe it's using the "new" limit introduced 2017 :)

my $default_maxlen = 280;

I found this on GitHub. Though there is a reference in the code to 140.

:wq
isak

Sent from mobile device, all error self inflicted.
Re: @OpenBSD_CVS Twitter 140char limit?
On Sat, 09 May 2020 19:17:29 +0200, Tommy Nevtelen wrote:

> Hi there!
>
> Does anybody on this list manage @OpenBSD_CVS? Would be nice to lift
> the message truncation from the old 140char limit to the new 280char
> limit. Super annoying when I can't read an interesting commit message
> that is just a little longer :)

afresh1@ is pretty busy so your best luck is probably to submit a pull request at https://github.com/afresh1/openbsd-commits-to-twitter

Cheers,
Daniel
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
> Also that said, all mothafuckaaa which keep send posts like this, put your
> head within your ass and just accept: you are OpenBSD user!

Taking into account your earlier kind detailed counter explanation about many mentioned issues and mitigations I would not agree that OpenBSD community is unwelcome, so that issue seems to be not true too :)

Btw, does not it look like a PR competition of Linux from USA vs OpenBSD from Canada/London? OpenBSD prohibits USA citizens to work on its crypto?
Re: UNIX crash course
Namaste Pekka,

> Sent: Tuesday, April 21, 2020 at 9:11 PM
> From: "Edgar Pettijohn"
> To: "Pekka Niiranen"
> Cc: misc@openbsd.org
> Subject: Re: UNIX crash course
>
> On Tue, Apr 21, 2020 at 09:17:50PM +0300, Pekka Niiranen wrote:
> > Hello Sirs,
> >
> > That is very comprehensive list of books, but I have
> > not found any concise example of "OpenBSD development environment".
> > There are KNF settings for vim and emacs in github but not much more.
> >
> > OpenBSD is in constant flux so I would like to know which
> > of its various services controlled by rcctl would be
> > the best starting point for analyzing how to code a minimal server
> > in OpenBSD 2020 including pledge and privilege separation methods.
> > Which of the current services is "the present state of the art" for
> > a starting point?
> >
>
> The source code would be the best place to look. I know I've learned a
> lot reading the code and manual pages. Not knowing your skill level, but
> I often start with usr.sbin/identd/identd.c as a good skeleton.
>
> Edgar

Caveat: Unfortunately, I can only read code. As such, I do not have any experience writing any daemon or code.

In addition to the aforementioned advice, one may want to look at the following two repositories:

https://github.com/krwesterback/newd
Skeleton OpenBSD daemon - three process, priv separated

https://github.com/krwesterback/newdctl
Skeleton control program for OpenBSD daemon

The last commits on these might seem slightly old, so in case there is an authoritative/updated location of these sources, please feel free to share that.

> > -pekka-

Dhanyavaad,
ab
-|-|-|-|-|-|-|--
Networking/pf question, I am not sure ?
Hello,

I recently setup a home network as follows (just for fun):

ISP <> openbsd router (version 6.6 Stable) <---> gigabits switch (TP-Link TL-SG1008D) <-> linksys ea8300 (with wireless)

Everything works except that I can't use my sony xperia tablet to access the internet using the wireless function provided by the linksys-ea8300. When I replace the openbsd-router and switch with another wireless router, I can use my sony xperia to access the internet. Has anyone tried this before? If yes, please let me know how you do it.

Thanks.
Clarence
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
That Talk of isopen... is a joke! He start agreeing with puffy supremacy. All these years I have made jokes with fbsd guys and some "hax0rs" during events. The reason is simple, they attack OpenBSD community and then always end with a lack of arguments. Even with Qualys recent discoveries, which in my personal opinion they could send all issues together, they preferred to do on that way.

That said, I'm still asking, why the other projects do not try at least start to make their operating system more secure by default? OpenBSD since the begin the main focus is paranoid security. They will take years to have a solid rock like OpenBSD.

Also that said, all mothafuckaaa which keep send posts like this, put your head within your ass and just accept: you are OpenBSD user!

On Sun., 10 May 2020 at 01:45, Stéphane Aulery wrote:

> Hello,
>
> On 07/05/2020 at 16:00, i...@aulix.com wrote:
> >
> > Can you please comment negative appraisal from the following website:
> >
> > https://isopenbsdsecu.re/quotes/
> >
> > I did not want to hurt anyone, just looking for a secure OS and OpenBSD
> > looked very nice to me before I have found this website.
> >
>
> This explanation [1] from the author of the site should be enough for you:
>
> Why was this website created?
>
> Someone was bragging on IRC about how secure OpenBSD is compared to
> everything else, but this came without concrete evidences.
>
> Tired of having to endure this once too often, time was spent
> documenting OpenBSD's security features:
>
> where are they coming from?
> against what are they defending?
> how successful are they?
>
> Because, in the words of Ryan Mallon:
>
> Threat modelling rule of thumb: if you don't explain exactly what
> you are securing against and how you secure against it, the answers can
> be assumed to be: "bears" and "not very well".
>
> The quotes were chosen to be especially aggressive but we could find as
> many against other operating systems.
>
> For me it's on the same level as "The UNIX-HATERS Handbook" [2], just a
> big ball of hate and FUD.
>
> After full reading, out of 52 exposed points there are 4 frankly against
> OpenBSD, 12 for OpenBSD and all the rest is opinion and filling.
>
> It wants to be impressive, but it's just swank of a meticulous hater.
>
> Regards,
>
> [1] https://isopenbsdsecu.re/about/
> [2] https://web.mit.edu/~simsong/www/ugh.pdf
>
> Mitigations
>
> Arc4random
>
> [...] Nowadays, arc4random in userland is available on various
> platforms, even when not being natively implemented, thanks to libbsd.
> NetBSD, FreeBSD, Linux, ... have all moved to a ChaCha20-based CSPRNG.
> Even Tor is now using some of its code, for performance reasons.
>
> OpenBSD took inspiration from Linux two decades ago, but nowadays, it's
> the other way around, OpenBSD is driving the CSPRNG game!
>
> OK.
>
> ASLR
>
> [...] OpenBSD randomizing everything is neat, and forces attackers to
> find/create better leaks. But nowadays, all the modern operating systems
> have those kind of mitigations, and are now focusing on killing bugs
> exploitable when an attacker has some reading capabilities.
>
> And what are these modern OSes? OpenBSD is a fossilized and archived OS
> on archive.org?
>
> Atexit hardening
>
> [...] In the glibc, the pointers to the function are obfuscated with a
> rol+xor via the PTR_MANGLE macro against a secret, which is roughly
> equivalent to what Windows is doing. This mitigation is completely
> bypassed with an arbitrary read: get the secret, obfuscate the pointer
> to your payload, done.
>
> Musl has no hardening at all
>
> On OpenBSD, the pointers are stored in a read-only memory zone, only
> made writeable when __cxa_atexit is called. To bypass this, an attacker
> would need to get code execution to modify the permissions of the memory
> zone.
>
> Where is the point?
>
> Development practises - Development practises
>
> OpenBSD got no continuous integration system, and apparently build
> breakage are, according to the FAQ, happening from time to time [...]
>
> There is a code style, but since it's not automatically enforced, if
> only because there is no CI.
>
> The VCS used is CVS, the Concurrent Versions System [...]
>
> This is not what makes security!
>
> Development practises - Code reviews
>
> OpenBSD claims that they have "between six and twelve members who
> continue to search for and fix new security holes", but it seems that
> this doesn't prevent low-hanging bugs from entering the codebase, for
> example: [...]
>
> Ah, because those who don't read their code are more likely to find errors?
>
> Development practises - Security advisories
>
> OpenBSD is publishing security issues on its Errata pages, but doesn't
> provide much context nor analysis. [...]
>
Re: Networking/pf question, I am not sure ?
On 5/10/20 2:12 PM, Kaya Saman wrote:

> On 5/10/20 2:04 PM, Tom Smyth wrote:
>
> > Hello Clarence,
> > you would need to provide some more information about your setup, ip addresses on interfaces, what is your pf.conf etc...
> >
> > In your experia (I believe they are android) you can download the hurricane electric network tools (HE network tools) (a free app to run rudimentary network diagnostic commands, such as ping traceroute dns lookup tests to identify the problem associated with your connection when using openBSD.. that would help you diagnose the source of the connectivity problems you are having...
> >
> > Hope this helps
> > Tom Smyth
> >
> > On Sun, 10 May 2020 at 13:09, man Chan wrote:
> >
> > > Hello,
> > > I recently setup a home network as follows (just for fun):
> > > ISP <> openbsd router (version 6.6 Stable) <---> gigabits switch (TP-Link TL-SG1008D) <-> linksys ea8300 (with wireless)
> > >
> > > everything works except that I can't use my sony xperia tablet to access the internet using the wireless function provided by the linksys-ea8300. When I replace the openbsd-router and switch with another wireless router, I can use my sony xperia to access the internet. Has anyone tried this before? If yes, please let me know how you do it. Thanks.
> > > Clarence
>
> I totally agree with the suggestion by @Tom above!
>
> Another good tool for Android is 'fing', it will give you access to Traceroute and Ping functions on your Xperia.
>
> The first thing to try would be to see if the Xperia can communicate with the gateway (OpenBSD router) then if that is successful public IP addresses. If something strange is going on you can further run Traceroute to narrow down where the issue is occurring.
>
> On the OpenBSD side, it could be a number of things like PF rules, routing, NAT but without further information it is basically a guess as to what it could be.

Just to elaborate here a little; you can run the 'tcpdump' program on OpenBSD to give you more information.

To get started:

man tcpdump

If you want to see where the packets from the Xperia are traveling then something like:

tcpdump -eni (inside_interface) host (ip_of_Xperia)

For debugging PF rules a good start is to use:

tcpdump -eni pflog0 <- you can further narrow things down by using the 'action' option eg. 'block' / 'allow'

Hope this helps a little more :-)
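As an added example, not from anyone in this thread: a small POSIX shell function that tallies the packets pf blocked for one host, fed with constructed lines in the form "tcpdump -eni pflog0" prints on OpenBSD. The interface names (em0 outside, em1 inside), rule numbers and the tablet address 192.168.1.50 are assumptions, and it assumes IPv4, where the last dotted component of an address is the port.

```shell
#!/bin/sh
# Added example (not from the thread): tally what pf blocked for one host,
# reading the text that "tcpdump -eni pflog0" prints on OpenBSD.
# Assumptions: IPv4 only (the last dotted component of an address is the
# port); em0 is the ISP side, em1 the inside interface, 192.168.1.50 the
# tablet. All of these and the sample lines below are constructed.

SAMPLE_PFLOG='12:00:01.000001 rule 4/(match) block in on em1: 192.168.1.50.43210 > 93.184.216.34.443: S 1:1(0) win 65535
12:00:01.000002 rule 4/(match) block in on em1: 192.168.1.50.53011 > 9.9.9.9.53: 1+ A? example.com. (29)
12:00:01.000003 rule 2/(match) block in on em0: 203.0.113.7.40000 > 198.51.100.2.22: S 1:1(0) win 1024
12:00:01.000004 rule 4/(match) block in on em1: 192.168.1.50.43211 > 93.184.216.34.443: S 1:1(0) win 65535
12:00:01.000005 rule 0/(match) pass in on em1: 192.168.1.20.5000 > 93.184.216.34.80: S 1:1(0) win 65535'

# blocked_for_host HOST: read pflog text on stdin and print one line per
# distinct "rule interface dport=PORT" that blocked a packet from HOST,
# followed by the packet count. Passed packets and other hosts are ignored.
blocked_for_host() {
    awk -v host="$1" '
        $2 == "rule" && $4 == "block" {
            src = $8; sub(/\.[0-9]+$/, "", src)   # strip the source port
            if (src != host) next
            iface = $7; sub(/:$/, "", iface)      # "em1:" -> "em1"
            dst = $10; sub(/:$/, "", dst)
            n = split(dst, part, ".")             # part[n] is the dest port
            count[$3 " " iface " dport=" part[n]]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Demonstration on the constructed sample: rule 4 dropped two HTTPS and one
# DNS attempt from the tablet; the SSH probe on em0 came from another host.
printf '%s\n' "$SAMPLE_PFLOG" | blocked_for_host 192.168.1.50
```

On the router itself the saved log works the same way: tcpdump -enr /var/log/pflog | blocked_for_host 192.168.1.50 (pflogd writes that file by default).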
Re: Networking/pf question, I am not sure ?
On 5/10/20 2:04 PM, Tom Smyth wrote:

> Hello Clarence,
> you would need to provide some more information about your setup, ip addresses on interfaces, what is your pf.conf etc...
>
> In your experia (I believe they are android) you can download the hurricane electric network tools (HE network tools) (a free app to run rudimentary network diagnostic commands, such as ping traceroute dns lookup tests to identify the problem associated with your connection when using openBSD.. that would help you diagnose the source of the connectivity problems you are having...
>
> Hope this helps
> Tom Smyth
>
> On Sun, 10 May 2020 at 13:09, man Chan wrote:
>
> > Hello,
> > I recently setup a home network as follows (just for fun):
> > ISP <> openbsd router (version 6.6 Stable) <---> gigabits switch (TP-Link TL-SG1008D) <-> linksys ea8300 (with wireless)
> >
> > everything works except that I can't use my sony xperia tablet to access the internet using the wireless function provided by the linksys-ea8300. When I replace the openbsd-router and switch with another wireless router, I can use my sony xperia to access the internet. Has anyone tried this before? If yes, please let me know how you do it. Thanks.
> > Clarence

I totally agree with the suggestion by @Tom above!

Another good tool for Android is 'fing', it will give you access to Traceroute and Ping functions on your Xperia.

The first thing to try would be to see if the Xperia can communicate with the gateway (OpenBSD router) then if that is successful public IP addresses. If something strange is going on you can further run Traceroute to narrow down where the issue is occurring.

On the OpenBSD side, it could be a number of things like PF rules, routing, NAT but without further information it is basically a guess as to what it could be.

Regards,
Kaya
Re: Networking/pf question, I am not sure ?
Hello Clarence,
you would need to provide some more information about your setup, ip addresses on interfaces, what is your pf.conf etc...

In your experia (I believe they are android) you can download the hurricane electric network tools (HE network tools) (a free app to run rudimentary network diagnostic commands, such as ping traceroute dns lookup tests to identify the problem associated with your connection when using openBSD.. that would help you diagnose the source of the connectivity problems you are having...

Hope this helps
Tom Smyth

On Sun, 10 May 2020 at 13:09, man Chan wrote:
>
> Hello,
> I recently setup a home network as follows (just for fun):
> ISP <> openbsd router (version 6.6 Stable) <---> gigabits switch
> (TP-Link TL-SG1008D) <-> linksys ea8300 (with wireless)
>
> everything works except that I can't use my sony xperia tablet to access
> the internet using the wireless function provided by the linksys-ea8300.
> When I replace the openbsd-router and switch with another wireless router, I
> can use my sony xperia to access the internet. Has anyone tried this before?
> If yes, please let me know how you do it. Thanks.
> Clarence

--
Kindest regards,
Tom Smyth.
Any plans to support newer Loongson-based systems?
According to https://www.openbsd.org/loongson.html only some old Loongson-based systems are supported. Are there any plans to support the more recent Loongson 3A3000- or the current 3A4000-based systems? I do not know where OpenBSD MIPS developers are located. Apparently the Loongson-based systems are not easily available outside China, but it seems Chinese merchants are selling 3A4000+mainboard bundles for somewhat less than 500 €, though I do not know if any of them ship outside China. Philipp
Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to choose
What would you suggest to keep private key material in a safe place?

There are rumors that even material stored as not extractable in Nitrokey Pro still can be extracted by side channels like electromagnetic emission. Would running all Internet communication end points on low powered Cortex A7 (immune to Spectre) single boards with a NitroKey like device help? Maybe we need to add optical converters here to avoid a long Ethernet antenna?

Can Nitrokey Pro be used to keep the SSHD private key on a server running OpenBSD? On Linux it seems to be possible:

https://support.nitrokey.com/t/can-nitrokey-pro2-be-used-in-openbsd-with-ssh-and-gpg/2347/16

Please confirm if Nitrokey Pro can be used on OpenBSD current or 6.7 for keeping both client and server private keys?
Re: TOFU/cert pinning in libtls
Hi Lucas,

Lucas wrote on Sat, May 09, 2020 at 06:18:50PM +:

> I experimented with cert FP pinning in the past, too. tls_peer_cert_hash
> is probably what you're looking for. Found it looking at
> /usr/include/tls.h. Then tried to find it referenced in other manpages,
>
> oolong$ man -k Xr=tls_peer_cert_hash
> nc(1) - arbitrary TCP and UDP connections and listens
>
> That's far from ideal IMO,

While -k Xr= is occasionally useful, you should be aware that it does a substring search, so it only finds manual pages that explicitly reference tls_peer_cert_hash(3), but not manual pages that reference the same page under the more usual name tls_conn_version(3) or under other names like tls_peer_cert_notafter(3).

For example, as tedu@ pointed out:

$ man -k Xr=tls_conn_version | sed 's/,.*//'
tls_config_verify
tls_init
tls_ocsp_process_response
tls_read

It would be theoretically possible to do this:

* When searching for "Xr", treat that as a special case as follows:
* First search for all pages having the Xr expression in their name rather than in an Xr macro.
* Build a list of names from that, possibly including multiple names even when only a single page exists.
* Search for Xr macros containing each of the names in turn and show all matching pages.

Then again, it would be quite ugly to implement that. Doing such a multi-step search also wouldn't be fast but might take quite some time. And finally, while in this case, it's clearly what you would want, in other cases, users might wish to only search for one specific substring as we currently do, so your proposed behaviour would result in false positives from their point of view.

Also, the current behaviour is much easier to explain in the apropos(1) manual page, which currently just needs to say

  Operator = evaluates a substring, while ~ evaluates a case-sensitive extended regular expression.

without having to explain a special case for Xr.

> but I don't know where, of the many tls_*
> manpages, would I reference it.

It is actually already referenced from at least four places in four different tls*(3) pages.

Also, this is Unix, you can use pipes:

$ man -k Nm=tls_peer_cert_hash | \
sed 's/(.*//; s/,//g; s/\
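As an added example, not from anyone in this thread: a shell script that does the multi-step search described above with ordinary pipes, first collecting every name the page matched by Nm= is known under, then running an Xr= search for each of them. The apropos output it parses is constructed in mandoc's "name1, name2(section) - description" form using a subset of the names on the real tls_conn_version(3) page; xr_search itself only does something on a system with a populated mandoc database.

```shell
#!/bin/sh
# Added example (not from the thread): the multi-step Xr search described
# above, done with ordinary pipes instead of a special case in apropos(1).

# Constructed sample of "man -k Nm=tls_peer_cert_hash" output, in mandoc's
# "name1, name2, ...(section) - description" form; the name list is a
# subset of the names on the real tls_conn_version(3) page.
SAMPLE_APROPOS='tls_peer_cert_provided, tls_peer_cert_contains_name, tls_peer_cert_hash, tls_conn_version(3) - inspect an established TLS connection'

# names_of_page: read apropos output on stdin and print every name the
# matching page(s) are known under, one per line, deduplicated.
# sed drops "(section) - description" and the commas, tr puts one name
# per line, grep drops empty lines, sort -u removes duplicates.
names_of_page() {
    sed 's/(.*//; s/,//g' | tr ' ' '\n' | grep -v '^$' | sort -u
}

# xr_search NAME: find the page(s) named NAME, then list every manual page
# whose Xr macros reference any of those names. This needs a real mandoc
# database, so it does nothing useful against the constructed sample.
xr_search() {
    man -k "Nm=$1" 2>/dev/null | names_of_page | while read -r n; do
        man -k "Xr=$n" 2>/dev/null
    done | sed 's/(.*//; s/,.*//' | sort -u
}

# Demonstration on the constructed sample: the single page matched by
# tls_peer_cert_hash is also named tls_conn_version, so an Xr search for
# the first name alone would miss pages that cross-reference the second.
printf '%s\n' "$SAMPLE_APROPOS" | names_of_page

# On a system with a manual database, run the full search:
if command -v man >/dev/null 2>&1; then
    xr_search tls_peer_cert_hash
fi
```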