Secure end points for Internet tunnel, the most secure hardware

2020-05-11 Thread info
Hi,

Please let me know, is it a good idea to use OpenBSD to connect to a remote LAN
via SSH? Port forwarding is enough for me, though I can pass OpenVPN through an
SSH forward too.
SSH seems to me the most secure channel compared to other software, and it is
easy to get it working.

I need a secure dedicated textual SSH console connected to the Internet at home -
Console1
and preferably a two-port router on the other end of the Internet line to
accept my SSH connections - Router1.

What are the best methods to keep private keys in a safe place? I do not know
anything better than devices like the Nitrokey Pro, though some PCI card (secure
Java card) reader devices exist too.

Can OpenBSD use a USB dongle (not a flash drive) like the Nitrokey Pro 2 to store
SSH private keys BOTH on the server side and on the client side? One dongle
on the client and a second dongle on the server - two dongles in total :)

What is the most secure hardware (sold in public shops) for Console1
and Router1?

Can you offer anything better than a Cortex A7 board, which is immune to Spectre?
What is the most secure Cortex A7 board on which OpenBSD can run? I guess it
should have as few BLOBs as possible - only a small Boot ROM, like the Beaglebone
Black, which unfortunately is not Cortex A7 but rather Cortex A8.




Trinity desktop environment

2020-05-11 Thread info
Is it possible to run TDE from trinitydesktop.org on OpenBSD?
Or is it going to be possible in the future?



Re: Networking/pf question, I am not sure ?

2020-05-11 Thread man Chan
 


Here are all the config files of my openbsd-router. traceroute yahoo.com.hk on
my Xperia (Android) stops at the IP of my openbsd-router. Nothing is displayed
on the openbsd-router running tcpdump -eni pflog0.

==== dhclient.conf ====
append domain-name-servers 127.0.0.1;

==== dhcpd.conf ====
#    $OpenBSD: dhcpd.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#

# Network:        192.168.1.0/255.255.255.0
# Domain name:        my.domain
# Name servers:        192.168.1.3 and 192.168.1.5
# Default router:    192.168.1.1
# Addresses:        192.168.1.32 - 192.168.1.127
#
option  domain-name "my.domain";
#option  domain-name-servers 192.168.1.3, 192.168.1.5;

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;

    range 192.168.1.32 192.168.1.127;
}

==== pf.conf ====
# The wired and wireless interfaces of the LAN
wired="re0"
#wifi=""

# This is a table of non-routable addresses that will be used later.
# The table name was lost when the mail was archived (the angle brackets were
# stripped); <martians> is assumed here, as in the OpenBSD PF FAQ this is
# taken from. 198.18.0.0/15 is the RFC 2544 benchmark block; the posted copy
# had 192.18.0.0/15, which is ordinary routable space.
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
           172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3    \
           192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
           203.0.113.0/24 }

set block-policy drop
set loginterface egress
set skip on lo

# Normalize the traffic
match in all scrub (no-df random-id max-mss 1440)

# Perform NAT
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Drop packets with non-routable sources or destinations on the WAN side
block in quick on egress from <martians> to any

block return out quick on egress from any to <martians>

block all

pass out quick inet keep state

pass in on { $wired } inet

# Forward incoming connections (on TCP ports 80 and 443) to the web server
#pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2

==== resolv.conf ====
# Generated by alc0 dhclient
nameserver 192.168.8.1
nameserver 127.0.0.1
lookup file bind

==== sysctl.conf ====
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

==== unbound.conf ====
server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    interface: ::1

    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: ::1 allow

    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-addr: 64.6.64.6        # Verisign
    forward-addr: 94.75.228.29    # Chaos Computer Club
    forward-first: yes        # try direct if forwarder fails

==== dmesg ====
OpenBSD 6.6-stable (GENERIC.MP) #1: Thu May  7 17:40:45 HKT 2020
    clare...@o66.my.domain:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Re: Networking/pf question, I am not sure ?

2020-05-11 Thread man Chan
I found out the problem is in the unbound.conf file. Now my Xperia can use
the internet. Thank you for your help.
Clarence



==== original unbound.conf ====
server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    interface: ::1

    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: ::1 allow

    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-addr: 64.6.64.6        # Verisign
    forward-addr: 94.75.228.29    # Chaos Computer Club
    forward-first: yes        # try direct if forwarder fails

==== changed unbound.conf ====
server:
    interface: 192.168.1.1
    interface: 127.0.0.1

    access-control: 192.168.1.0/24 allow
    access-control: 127.0.0.0/8 allow

    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-addr: 64.6.64.6        # Verisign
    forward-addr: 94.75.228.29    # Chaos Computer Club
    forward-first: yes        # try direct if forwarder fails

====




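The fix in this thread (unbound allowing 10.0.0.0/24 while dhcpd leases 192.168.1.32-127 and hands out 192.168.1.1 as resolver) is the kind of mismatch a quick cross-check catches. The Python below is an added example, not code from the thread: it parses constructed excerpts of the posted dhcpd.conf and both unbound.conf versions, applies unbound's most-specific-netblock rule with the localhost-only default from unbound.conf(5), and reports leased clients that the router's own resolver would refuse. Function names are mine.

```python
"""Cross-check dhcpd.conf leases against unbound.conf access-control."""
import ipaddress
import re

# Constructed excerpts of the configs posted in the thread, trimmed to the
# directives this check reads.
DHCPD_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    range 192.168.1.32 192.168.1.127;
}
"""

UNBOUND_ORIGINAL = """
server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: ::1 allow
"""

UNBOUND_CHANGED = """
server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    access-control: 192.168.1.0/24 allow
    access-control: 127.0.0.0/8 allow
"""

# unbound.conf(5): when no access-control line matches, localhost is allowed
# and everything else is refused.
DEFAULT_ACLS = [(ipaddress.ip_network("127.0.0.0/8"), "allow"),
                (ipaddress.ip_network("::1/128"), "allow")]


def parse_unbound(text):
    """Return (listen addresses, [(netblock, action)]) from the server: block."""
    interfaces, acls = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"interface:\s*(\S+)$", line)
        if m:
            # "addr@port" is legal in unbound; keep only the address part
            interfaces.append(ipaddress.ip_address(m.group(1).split("@")[0]))
            continue
        m = re.match(r"access-control:\s*(\S+)\s+(\S+)$", line)
        if m:
            acls.append((ipaddress.ip_network(m.group(1), strict=False),
                         m.group(2)))
    return interfaces, acls


def _longest_match(acls, client):
    best = None
    for net, action in acls:
        if net.version == client.version and client in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best


def unbound_action(acls, client):
    """Action unbound applies to a query from client: the most specific
    matching netblock wins, falling back to the built-in defaults."""
    client = ipaddress.ip_address(client)
    hit = _longest_match(acls, client) or _longest_match(DEFAULT_ACLS, client)
    return hit[1] if hit else "refuse"


def parse_dhcpd(text):
    """Return [(subnet, name servers, (first lease, last lease))]."""
    out = []
    pat = r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}"
    for m in re.finditer(pat, text, re.S):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        body = m.group(3)
        dns = re.search(r"option\s+domain-name-servers\s+([^;]+);", body)
        servers = ([ipaddress.ip_address(s.strip()) for s in dns.group(1).split(",")]
                   if dns else [])
        rng = re.search(r"range\s+(\S+)\s+(\S+);", body)
        leases = ((ipaddress.ip_address(rng.group(1)), ipaddress.ip_address(rng.group(2)))
                  if rng else (net[1], net[-2]))
        out.append((net, servers, leases))
    return out


def check_lan_dns(dhcpd_text, unbound_text):
    """Findings for leased clients whose DHCP-assigned resolver is this
    router's unbound but whose queries unbound would not allow."""
    interfaces, acls = parse_unbound(unbound_text)
    findings = []
    for net, servers, (lo, hi) in parse_dhcpd(dhcpd_text):
        for srv in servers:
            if srv not in interfaces:
                continue        # DHCP points clients at some other resolver
            # Testing both ends of the lease range catches an ACL netblock
            # that does not cover the leases; a refuse for a sub-block in the
            # middle of the range would not be seen by this simple check.
            for client in (lo, hi):
                action = unbound_action(acls, client)
                if not action.startswith("allow"):
                    findings.append(
                        f"{client} (leased in {net}) -> unbound on {srv}: {action}")
    return findings


if __name__ == "__main__":
    for label, conf in (("original", UNBOUND_ORIGINAL), ("changed", UNBOUND_CHANGED)):
        print(label, check_lan_dns(DHCPD_CONF, conf) or ["ok"])
```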

Re: Trinity desktop environment

2020-05-11 Thread Chris Cappuccio
i...@aulix.com [i...@aulix.com] wrote:
> Is it possible to run TDE by trinitydesktop.org  on OpenBSD?
> Or is it going to be possible in the future?

You'd have to ask Trinity.

Trinity doesn't maintain their own compatibility for BSDs as a priority,
so it's not a trivial effort for an outsider.

That being said, the port and patches for KDE 3.5 in /usr/ports/x11/kde 
might be a good start if you wanted to make the effort yourself.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Daniel Jakots
On Mon, 11 May 2020 17:27:24, slackwaree wrote:

> I wish if the someone who took the time to make this page at least
> would make an antisystemD page instead.

I doubt anyone asked you how they should spend their time.

>  Let's face it how much time that old fart linus has, maybe
> COVID takes him too.

Are you really saying you hope he dies?
What the fuck is wrong with you?

> I couldn't care less either, all I care is my
> BSD servers uptime 600+ days and not 1 day I worry about their
> security.

You are clearly clueless.


Please refrain from posting again such shitty emails.

Thanks,
Daniel



Re: @OpenBSD_src Twitter 140char limit?

2020-05-11 Thread Tommy Nevtelen

On 10/05/2020 23.30, Isak Holmström wrote:
> I do believe it's using the "new" limit introduced 2017 :)
>
> my $default_maxlen = 280;
>
> I found this on GitHub. Though there a reference in the code to 140.

Yes.. I might not have counted the characters actually used and assumed 
it was 140 since it says:


    "OpenBSD Commit messages in 140 characters or less. Just commits to 
the src module.

    For more see @OpenBSD_src"

--
TN




Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread info
There are already enough funny pages about systemd technical deviations, e.g.:

https://dev1galaxy.org/viewtopic.php?id=3427



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Kevin Chadwick
Here's a game.

Name as many operating systems as you can that encrypt the page file or swap
space by default?



Re: @OpenBSD_src Twitter 140char limit?

2020-05-11 Thread Stuart Henderson
On 2020-05-11, Tommy Nevtelen  wrote:
> On 10/05/2020 23.30, Isak Holmström wrote:
> > I do believe it's using the "new" limit introduced 2017 :)
> >
> > my $default_maxlen = 280;
> >
> > I found this on GitHub. Though there a reference in the code to 140.
>
> Yes.. I might not have counted the characters actually used and assumed 
> it was 140 since it says:

It definitely uses 280, check the tweets.




Mandate control in OpenBSD like SELinux or AppArmor

2020-05-11 Thread info
Please let me know, what are the analogues of SELinux and AppArmor in OBSD?



Re: @OpenBSD_src Twitter 140char limit?

2020-05-11 Thread Tommy Nevtelen

On 11/05/2020 21.23, Stuart Henderson wrote:
> On 2020-05-11, Tommy Nevtelen  wrote:
>> On 10/05/2020 23.30, Isak Holmström wrote:
>>> I do believe it's using the "new" limit introduced 2017 :)
>>>
>>> my $default_maxlen = 280;
>>>
>>> I found this on GitHub. Though there a reference in the code to 140.
>>
>> Yes.. I might not have counted the characters actually used and assumed
>> it was 140 since it says:
>
> It definitely uses 280, check the tweets.

Yes yes, that was what I meant. I did count them before I sent the last
mail, but not the first one :)
So only an update to the description would be needed, just to make it
correct.

--
TN




Re: Mandate control in OpenBSD like SELinux or AppArmor

2020-05-11 Thread Kevin Chadwick
On May 11, 2020 7:27:49 PM UTC, i...@aulix.com wrote:
>Please let me know, what are analogues of SELinux and AppArmor in OBSD
>

http://www.openbsd.org/mail.html

You are supposed to "do your homework" and try googling and searching the 
mailing list archive before asking questions. 

Clearly you have not, please do!



Re: change default constraint server in ntpd.conf

2020-05-11 Thread Marko Cupać

On 2020-05-08 00:17, Theo de Raadt wrote:

Theo de Raadt  wrote:
(...)

Stuart Henderson  wrote:
(...)


Dear Stuart, Theo,

thank you for insightful answers.

I admit my understanding of the intricacies of the ntp protocol equals zero -
same as my current motivation to learn more about it. My need for
accurate timekeeping on my OpenBSD firewalls is best described by the
fact that I occasionally log into branch routers where I routinely
discover their clock is off by >2 years because I forgot to either start
ntpd with the default ntpd.conf in the appropriate rdomain with Internet access,
or to edit the default ntpd.conf to point them to the internal ntp server, also
running on OpenBSD with the default ntpd.conf. To my great joy, this never
affects their main functionality of pushing packets between branch
office and HQ in a way I consider secure enough.


My main motivation for asking this question on @misc was political, and 
went along the lines of "why send these ad-peddling, 
private-data-slurping clowns any packets?"


Thanks to your answers, I understand now there is more to it than "let's 
just put some website that is most likely to be there when we query it 
for constraints, and also promote it a bit while there".


Stay fresh,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



discard me

2020-05-11 Thread Salvatore Cuzzilla
discard me



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Stuart Longland
On 11/5/20 5:00 am, i...@aulix.com wrote:
> Btw, does it not look like a PR competition between Linux from the USA and
> OpenBSD from Canada/London?

Actually, I think you'll find both OSes have significant contributions
from all around the world.

Linux (which is a kernel, not an OS) originated from Finland.

BSD came from the US (University of California), but most of today's
implementations have been very significantly changed since then.

In any case, I don't think it's helpful to characterise an OS by its
country of origin.  Even less so, when it's an open-source OS with
contributions that are sourced globally.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.

Help fund COVID-19 research:
https://stuartl.longlandclan.id.au/blog/2020/04/20/who-covid19/



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread slackwaree
I wish that whoever took the time to make this page would at least have made
an anti-systemd page instead. This is just a pointless, brainless
monkey(s)-wasting-our-time webpage; it is not even funny and we passed April 1 a
long time ago.

However, I never knew Linus said such things:

"I think the OpenBSD crowd is a bunch of masturbating monkeys"

I guess this is just another reason for ditching Linux in favor of BSDs. Let's
face it, how much time does that old fart Linus have, maybe COVID takes him too. I
couldn't care less either; all I care about is my BSD servers' uptime of 600+ days,
and not one day do I worry about their security.


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Thursday, May 7, 2020 4:00 PM,  wrote:

> Dear OpenBSD fans,
>
> Can you please comment on the negative appraisal from the following website:
>
> https://isopenbsdsecu.re/quotes/
>
> I did not want to hurt anyone, just looking for a secure OS, and OpenBSD
> looked very nice to me before I found this website.
>
> Kind Regards




Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Christian Weisgerber
On 2020-05-11, Stuart Longland  wrote:

> BSD came from the US (University of California), but most of today's
> implementations have been very significantly changed since then.

BSD built on top of AT&T UNIX, which came from Bell Labs in New Jersey.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread info
I was told on the chat that Linux GNU software has hardly visible NSA backdoors,
and IMHO most funding for Linux seems to be from the USA?

Linus alone is paid about 30 times more per year by the Linux Foundation
than the whole OpenBSD Foundation's total fundraising goal; not sure
if it is an indication of Linux being more corporation-sponsored and oriented. Is
the USA not a beneficiary of big transnational corporations and capital?



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread info
Is a prohibition on USA citizens working on OpenBSD cryptography software
parts not an indication of the trust relationship between the current OpenBSD and
the current USA?



Re: Mandate control in OpenBSD like SELinux or AppArmor

2020-05-11 Thread info
Good point, yesterday I found only:

https://www.osnews.com/story/18684/selinux-vs-openbsds-default-security/

According to which there was no mandate control in OpenBSD 10 years ago,
while in FreeBSD it appeared and existed significantly earlier.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Brian Waters
If any widely-used open source software had government backdoors in it, nobody 
in the know would be telling folks about it in random IRC chat rooms.



BW









Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread info
> If any widely-used open source software had government backdoors in it, 
> nobody in the know would be telling folks about it in random IRC chat rooms.

I do not understand your argument; are you trolling to hide how things are
actually going?



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Philip Guenther
On Mon, May 11, 2020 at 4:28 PM  wrote:

> Is not a prohibition for USA citizens to work on OpenBSD cryptography
> software parts an indication of trust relationship between current OpenBSD
> and current USA?
>

I'm not sure what that sentence even means.  What would a "trust
relationship" between OpenBSD and "current USA" actually mean in terms of a
CHANGE IN BEHAVIOR?  Hell, what does "current USA" even _mean_?!?  Did you
mean to say "the US Federal Government"?  If so, what would "trust between
OpenBSD and the US Federal Government" actually mean in terms of a change
in behavior that you, i...@aulix.com, could actually detect?

And why would *you* care about those ways?  If you can't tell us why you
would care, how can we answer your _real_ question?

There is cryptographic software in OpenBSD that was developed in part by
someone who is/was a US citizen, in OpenSSH even, as a check of
copyright/license statements on source files show.  How does that change
your world view?


Philip Guenther


Re: Secure end points for Internet tunnel, the most secure hardware

2020-05-11 Thread Aaron Mason
On Mon, May 11, 2020 at 5:16 PM  wrote:
>
> Hi,

Hi!

>
> [SNIP]
>
> Can you offer anything better than Cortex A7 board which is immune to Spectre?
> What is the most secure Cortex A7 board on which OpenBSD can run? I guess it 
> shall have as little BLOBs as possible - only a small Boot ROM like 
> Beaglebone Black which unfortunately is not Cortex A7, but rather Cortex A8.
>

The Pine A64 (US$15 for the 512MB version or US$21 for the 1GB plus
version) and the Rock64 (US$24.95 for the 1GB version) both use a
Cortex-A53 CPU that is immune to Spectre; can't speak to the
blobbiness, though.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread info
> I'm not sure what that sentence even means. What would a "trust relationship" 
> between OpenBSD and "current USA" actually mean in terms of a CHANGE IN 
> BEHAVIOR?

"CHANGE IN BEHAVIOR" of whom or of what?

> Hell, what does "current USA" even _mean_?!? 
Very high activity of the NSA to embed their backdoors everywhere they can.

>Did you mean to say "the US Federal Government"? If so, what would "trust 
>between OpenBSD and the US Federal Government" actually mean in terms of a 
>change in behavior that you, i...@aulix.com, could actually detect?

How does it matter if I can detect something?

Do you mean i...@aulix.com is too Untermensch even to wonder and ask such
questions?

Can anyone detect this?

https://web.archive.org/web/20190624163342/https://www.rlighthouse.com/targeted-individuals.html

Does the OpenBSD project, according to:

https://web.archive.org/web/20200512025352/https://www.openbsd.org/crypto.html

prohibit American people from working on OpenBSD cryptography?


> 
> And why would *you* care about those ways? If you can't tell us why you would 
> care, how can we answer your _real_ question?

Treat it as my secret; I want to, and that is why I ask, because I can. I wish you
would tell me the answer without knowledge of "why I ask";
it is a very long discussion, answering a question with a question in your
Jewish style, is it not?

> 
> There is cryptographic software in OpenBSD that was developed in part by 
> someone who is/was a US citizen, in OpenSSH even, as a check of 
> copyright/license statements on source files show. How does that change your 
> world view?

I told you not about the past, but about the CURRENT (TODAY, not EARLIER) state
of things, and the OpenBSD ban on Americans working on its crypto, you see?



Re: Secure end points for Internet tunnel, the most secure hardware

2020-05-11 Thread info
Aaron, thank you for your suggestion.

For now I prefer to try to use the oldest suitable hardware I can find; not
sure if it is a good idea.

Please, someone let me know if the AllWinner SoC backdoor described at:

https://www.theregister.co.uk/2016/05/09/allwinners_allloser_custom_kernel_has_a_nasty_root_backdoor/

can be exploited in OpenBSD?

Is it a bad idea to run a small communication server on an AllWinner A20 board
like a Cubietruck if it works with OpenBSD (it is not on the list though)? What
about other compatible boards like the AllWinner A10 Orange Pi One?

I just want my DNS (local), postfix and dovecot (Internet), and SSH (local and
Internet) to work on it, protected from hackers.



Re: Secure end points for Internet tunnel, the most secure hardware

2020-05-11 Thread info
> What about other compatible boards like AllWinner A10 Orange PI One?

Sorry for my mistake, the Orange Pi One is based on the Cortex A7 AllWinner H3.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Philip Guenther
On Mon, May 11, 2020 at 6:09 PM  wrote:
...

> > And why would *you* care about those ways? If you can't tell us why you
> > would care, how can we answer your _real_ question?
>
> Treat it as my secret, I want and that is why I ask because I can, I wish
> you tell me the answer without a knowledge of "why I ask",
> it is a very long discussion of answering by a question to question in
> your Jewish style, is not it?
>

I considered treating your questions in good faith, but then you said
this.  If my questions have you spouting this nonrational drivel then you
should stay away from OpenBSD because I am a committer and if you can't
trust my questions then you shouldn't trust my code.




Philip Guenther


Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread info
It is IMHO rather not a matter of trusting your questions, but of my
unwillingness to answer them right now; I can answer them later if I want. It
is not a matter of trust but rather a tactic of choosing the sequence of what to
answer and when.

You know there are not a lot of secure enough alternatives to choose from except
OpenBSD, and your commits alone should not be that big a problem and reason
to reject OpenBSD, since the code is being reviewed by other OpenBSD
participants?

Do you think there are fewer committers like you in the many, many Linux components
like the Linux kernel, AppArmor, a Linux distro, and is there any other choice for
me except OpenBSD and some type of hardened Linux without systemd like Devuan
or Alpine?

Is it not childish behavior of yours that if I do not follow your method
of discussion then I shall not use your work? You ban me from the allowed users at
least mentally by your ultimatum, not practically of course, as you cannot
prohibit me from using any open source products like OpenBSD or Linux distros.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Louis Fredrickson
You are acting a fool.
If you admit to seeing how they eat their own dog food and the quality of
the project because of their own way, but only when it suits your internet
arguments, then you may as well just buy security from a big corporate
Linux.
It's not about $100 words hiding a children's tantrum after being told it's
up to you, it's about understanding that *it's up to you*.




Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread info
I would prefer to begin with grsecurity, but it is not available up to date for
my budget.

I would also try HardenedBSD, but it is only amd64 now? And how many active
developers are there? One or two?

OpenBSD looks like the only viable option for me right now; maybe another one is
a systemd-free distro like Devuan with a hardened kernel like the one by @anthrax, but
I am too unskilled even to understand what the improvements of the @anthrax kernel
are for me without a good doc for it in existence, and on the other hand
OpenBSD is famous for its very good documentation.

I guess it is a huge amount of work to harden a Linux installation to a level
comparable to OpenBSD; there is some interesting work by Whonix, but unfortunately
with systemd, and it seems someone from that community is referring to the
isopenbsdsecu.re site, so it looks to me like an OpenBSD vs Whonix dispute,
excuse me if I am wrong.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Raul Miller
On Mon, May 11, 2020 at 9:17 PM  wrote:
> I was told on the chat that Linux GNU software has hardly visible NSA 
> backdoors and IMHO most funding for Linux seems to be from USA ?

This is beyond incompetent. You've got the wrong mailing list for this
kind of issue, you haven't identified the version with the problem,
you haven't even identified the problem.

All you are doing is citing vague rumor.

Why are you doing this?

-- 
Raul



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Anders Andersson

You keep swallowing up buzzwords from completely random places without
taking the time to understand what everything means or how it affects
you.

There's no silver bullet. Figure out and enumerate *your* threat
model, then find a solution that you understand.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread info
There is a single place to take buzzwords from (not random as you said):

http://www.freezepage.com/1589263204VJFCCPNUBQ

https://hardenedbsd.org/content/easy-feature-comparison



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread doug

To give a quick answer and to the point, when OpenBSD originally split
from NetBSD, cryptographic software with any part of it written by US
citizens could not be distributed outside the US without explicit
government approval and licensure. If any revisions were made by US
citizens, the entire code base would also be considered prohibited to
anyone outside the US without explicit government approval.

If you want further details of the restrictions, look up ITAR in your
favorite search engine. I do not choose to further test the patience of
most of the other users of the listserv, many of whom are already aware
of this.