Re: Removing FUSE would theoretically make a system more secure?
Hello,

> And what are you defending against?

There was/is a great guy who investigated the security of the BSDs and reported a few bugs too: https://www.youtube.com/watch?v=rRg2vuwF1hY=youtu.be=1522 which led to, for example: https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/017_fuse.patch.sig

So would the mentioned method, removing the lines shown by "grep -i fuse /sys/conf/GENERIC" and re-compiling, "disable FUSE"?

Thanks for the syspatch/relinking hint, I forgot about them if I touch the kernel! Thanks!

> Sent: Sunday, January 28, 2018 at 5:15 AM
> From: mar...@martinbrandenburg.com
> To: misc@openbsd.org, whoonet...@mail.com
> Subject: Re: Removing FUSE would theoretically make a system more secure?
>
> > afaik if I would remove the lines that contain "FUSE" and "fuse" from
> > /sys/conf/GENERIC and re-compile the kernel, that would mean there will be
> > no more FUSE support in my kernel after reboot.
> >
> > If so, would this step help to make my system more secure? Ex.: from a
> > future FUSE related security issue?
> >
> > just asking theoretically, since I don't use FUSE related stuff, so
> > thinking of that is unneeded.
> >
> > or would it just create an unsupported kernel which didn't have any tests
> > regarding the missing fuse and maybe cause bigger issues and security
> > issues vs. if I hadn't touched it?
>
> I daresay that removing FUSE support will make you invulnerable to any
> kind of bug in FUSE. jca has already given you an outline of the
> reasons to believe such a bug, if it exists, is rather unlikely to be
> exploitable.
>
> You had better consider what you're giving up when you make this change.
> You won't be able to use FUSE. You won't be able to use syspatch. I'm
> not sure how it affects kernel relinking. You'll have to build your
> kernels yourself on all architectures you run for each release and every
> kernel-related erratum. You'll have to maintain your changes. You
> can't just say "I'm not sure" as I just did. You'll have to take
> responsibility for the possibility that running a non-standard
> configuration may introduce bugs.
>
> And what are you defending against? Somebody has to get root or a way
> to mount filesystems without root. We'll assume he's got a way to mount
> filesystems without root, because if he had a way to get root, he
> wouldn't need to bother with anything else. Then he's got to have his FUSE
> exploit which gives him root. Since he probably doesn't have an account
> on your system, he's got to have a third exploit to start running code
> to begin with.
>
> Defense in depth is good, but this isn't worth the effort on your part.
>
> Your security need only be good enough to require an attacker to spend more
> than he's willing to spend.
>
> Martin
Removing FUSE would theoretically make a system more secure?
Hello,

afaik if I would remove the lines that contain "FUSE" and "fuse" from /sys/conf/GENERIC and re-compile the kernel, that would mean there will be no more FUSE support in my kernel after reboot.

If so, would this step help to make my system more secure? Ex.: from a future FUSE related security issue?

just asking theoretically, since I don't use FUSE related stuff, so thinking of that is unneeded.

or would it just create an unsupported kernel which didn't have any tests regarding the missing fuse and maybe cause bigger issues and security issues vs. if I hadn't touched it?

Many thanks!
Re: OpenBSD !HTTPS websites - why?
Hello,

> hosted on various machines run by different people. I'm not sure if
> there's any viable way to handle keys and certificates for this type
> of situation.

-->>

### letsencrypt: Can one domain have multiple servers controlled by different entities

Yes, but there will need to be some coordination for getting the SSL certificates.

How can the coordination work (depends on the ACME challenge used):

HTTP
  Working together: Whenever one of the 2 hosts wants to renew a cert they would need to deploy a .well-known file to both servers, so that no matter which one letsencrypt accesses they get the right file.
  Centralised: You can run an additional server, which both parties can push files to, and have both servers redirect any requests for .well-known to this server.

DNS
  Full access: Either of the 2 hosts would need to be able to add DNS records to pass the checks.
  Custom API: An API can be set up so that the 2 hosts can submit an ACME response and have it served.

Limiting impact of breaches
  As the servers need to be able to generate SSL certificates, if they are breached they will be able to generate certs. Using Must-Staple ( https://scotthelme.co.uk/ocsp-must-staple/ ) the impact of current certs leaking can be reduced, but this will not help if the host is instructed to make new certs without this after generation. Using CT logs you can watch for invalid certs, and using CAA you can limit which CAs will issue certs, which will help reduce the breach impact. You could even use CAA to disable certs entirely, and only allow issuance by contacting you and manually removing the record until the cert has been issued, reducing your attack window, but increasing the management overhead.

###

> Sent: Monday, January 15, 2018 at 1:37 PM
> From: "Stuart Henderson" <s...@spacehopper.org>
> To: misc@openbsd.org
> Subject: Re: OpenBSD !HTTPS websites - why?
>
> On 2018-01-15, who one <whoonet...@mail.com> wrote:
> > Hello,
> >
> > http://www.openbsdfoundation.org/
> > http://firmware.openbsd.org/firmware/
> >
> > When can we have HTTPS connection on these websites?
> >
> > What website remains that doesn't have HTTPS yet and related to OpenBSD?
> >
> > Security should be in layers, HTTPS is one additional layer.
> >
> > 70% of the websites in the world use HTTPS: https://letsencrypt.org/stats/
> > , see "Percentage of Web Pages Loaded by Firefox Using HTTPS". If OpenBSD
> > is security oriented, HTTPS should be de facto.
> >
> > Many thanks.
>
> I can't speak for openbsdfoundation, but for firmware.openbsd.org it's
> hosted on various machines run by different people. I'm not sure if
> there's any viable way to handle keys and certificates for this type
> of situation.
>
> Firmware packages do have signify(1) signatures themselves. These
> are verified early - before passing to gzip to decompress them.
> However there is a remaining issue that a MITM could suppress
> certain packages, or provide older signed versions.
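The CAA point in the pasted answer above (limiting which CAs may issue, or blocking issuance entirely until the record is removed) comes down to a lookup the CA performs before it issues: walk from the hostname up towards the root and let the closest set of CAA records decide. As an added example that is not part of the thread, a POSIX sh implementation of that lookup over constructed zone data; the names example.org, locked.example and nocaa.example and their records are made up for the demonstration, and a real check would query DNS instead of reading the string.

```shell
#!/bin/sh
# Added example (not from the thread): how a CA evaluates CAA records before issuing.
# The "zone" below is constructed data in the form "<owner> <flags> <tag> <value>".
CAA_ZONE='
example.org 0 issue letsencrypt.org
example.org 0 issuewild ;
locked.example 0 issue ;
'

# Walk from the FQDN up towards the root and print the first non-empty CAA set.
# The closest ancestor that has records decides for the whole subtree.
caa_lookup() {
  name=$1
  while [ -n "$name" ]; do
    found=$(printf '%s\n' "$CAA_ZONE" | awk -v n="$name" '$1 == n')
    if [ -n "$found" ]; then
      printf '%s\n' "$found"
      return 0
    fi
    case $name in
      *.*) name=${name#*.} ;;   # drop the leftmost label and try the parent
      *)   name= ;;
    esac
  done
  return 1
}

# caa_allows FQDN CA_DOMAIN: exit 0 if CA_DOMAIN may issue a non-wildcard cert for FQDN.
caa_allows() {
  records=$(caa_lookup "$1") || return 0        # no CAA anywhere in the tree: any CA may issue
  printf '%s\n' "$records" | awk -v ca="$2" '
    $3 == "issue" { n++; if ($4 == ca) ok = 1 }  # "issue ;" names no CA, so it blocks everyone
    END { exit (n == 0 || ok) ? 0 : 1 }          # a set without "issue" tags leaves issuance open
  '
}

# Usage: three constructed hosts, one CA
for host in firmware.example.org www.locked.example host.nocaa.example; do
  if caa_allows "$host" letsencrypt.org; then
    echo "$host: letsencrypt.org may issue"
  else
    echo "$host: issuance blocked by CAA"
  fi
done
```

The locked.example entry is the "disable certs entirely" trick from the pasted answer: an `issue ;` record matches no CA, so nothing is issued until the record is removed for the renewal window.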
Re: Kernel panic with openbsd 6.2
Could it be related to: https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/ ?

> Sent: Friday, January 19, 2018 at 9:50 PM
> From: "Mik J"
> To: Misc
> Subject: Kernel panic with openbsd 6.2
>
> Hello,
>
> I had many kernel panics these past days. This is a 6.2 openbsd VM running on
> esxi 5.5
>
> I took screenshots then followed
> https://www.openbsd.org/ddb.html
>
> # objdump -dlr /sys/arch/amd64/compile/GENERIC.MP/obj/if_vmx.o > /tmp/if_vmx.dis
>
> # grep "" /tmp/if_vmx.dis
> 10f6: e8 d5 00 00 00 callq 11d0
> 1176: e8 55 00 00 00 callq 11d0
> 11d0 :
> 1857: e8 74 f9 ff ff callq 11d0
>
> # grep -n 10f6 /tmp/if_vmx.dis
> 1667: 10f6: e8 d5 00 00 00 callq 11d0
>
> # grep ":" /tmp/if_vmx.dis
> 11d0 :
>
> # printf '%x\n' $((0x11d0 + 0x263))
> 1433
>
> vi /tmp/if_vmx.dis
> 2040 1433: ba 01 00 00 00 mov $0x1,%edx
> I find it is on line 2040
>
> => But the file is only 1251 lines long
> nl -ba /sys/dev/pci/if_vmx.c | sed -n 2040p
>
> => So that last command gives me nothing
>
> Do you have an idea of what mistake I made so that I can make a report?
>
> Thank you
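The procedure quoted above ends at a disassembly-file line number, which is not a source line. With `objdump -l`, the output carries a `file:line` annotation before each run of instructions it covers, and that annotation is what maps an address back to the C source. As an added example that is not part of the thread, a POSIX sh/awk script that does this mapping over a constructed disassembly fragment; the function name example_func, the source line numbers 800, 812 and 813 and the instruction bytes are made up, while the address arithmetic (0x11d0 + 0x263) and the path /sys/dev/pci/if_vmx.c are taken from the message.

```shell
#!/bin/sh
# Added example (not from the thread): resolve "function + offset" to file:line
# using the annotations that "objdump -dlr" emits. The fragment below is constructed;
# real input would be /tmp/if_vmx.dis as produced in the message.
SAMPLE_DIS='
00000000000011d0 <example_func>:
example_func():
/sys/dev/pci/if_vmx.c:800
    11d0:   55                      push   %rbp
    11d1:   48 89 e5                mov    %rsp,%rbp
/sys/dev/pci/if_vmx.c:812
    1433:   ba 01 00 00 00          mov    $0x1,%edx
/sys/dev/pci/if_vmx.c:813
    1438:   e8 00 00 00 00          callq  143d <example_func+0x26d>
'

# offset_addr FUNC_ADDR OFFSET: hex sum, the "function + offset" form ddb prints
offset_addr() {
  printf '%x\n' $((0x$1 + 0x$2))
}

# addr_to_source DISASSEMBLY HEXADDR: print the file:line annotation in force at HEXADDR.
# Each "/path/file.c:NNN" line from -l applies to the instructions that follow it
# until the next annotation, so remember the last one seen and emit it on a match.
addr_to_source() {
  printf '%s\n' "$1" | awk -v addr="$2" '
    /^\/[^ ]*:[0-9]+$/ { loc = $0; next }                  # source annotation from -l
    /^[ \t]*[0-9a-f]+:/ { a = $1; sub(/:$/, "", a)         # instruction line: "addr:"
                          if (a == addr) { print loc; exit } }
  '
}

# Usage with the numbers from the message: frame at function + 0x263
target=$(offset_addr 11d0 263)
echo "0x$target is at $(addr_to_source "$SAMPLE_DIS" "$target")"
```

On real output the annotation may name a header or an inlined function's file rather than the driver's own .c file, so the printed path should be used as-is instead of assuming it is if_vmx.c.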
Re: History documentation
Hey,

strange, there is 5.3 in https://cloudflare.cdn.openbsd.org/pub/OpenBSD/doc/history/ is this still maintained?

Many thanks.

> Sent: Saturday, January 20, 2018 at 1:21 PM
> From: mazocomp
> To: misc@openbsd.org
> Subject: History documentation
>
> Hi!
> Both obsd-faq.txt and pf-faq.txt in pub/OpenBSD/doc/ are the same as
> obsd-faq52.txt and pf-faq52.txt in pub/OpenBSD/doc/history/
> So I wonder is there a point to keep them out of date?
OpenBSD !HTTPS websites - why?
Hello,

http://www.openbsdfoundation.org/
http://firmware.openbsd.org/firmware/

When can we have HTTPS connection on these websites?

What website remains that doesn't have HTTPS yet and related to OpenBSD?

Security should be in layers, HTTPS is one additional layer.

70% of the websites in the world use HTTPS: https://letsencrypt.org/stats/ , see "Percentage of Web Pages Loaded by Firefox Using HTTPS". If OpenBSD is security oriented, HTTPS should be de facto.

Many thanks.
Re: Community-driven OpenBSD tutorials wiki?
imho use the official documentation, not a separate wiki. This is the right way.

> Sent: Friday, January 05, 2018 at 8:32 PM
> From: "Karel Gardas"
> To: "Andreas Thulin"
> Cc: "misc@openbsd.org"
> Subject: Re: Community-driven OpenBSD tutorials wiki?
>
> On Thu, 04 Jan 2018 14:17:51 +
> Andreas Thulin wrote:
>
> > Hi all!
> >
> > Thought I'd create an OpenBSD wiki somewhere, where anyone (especially
> > non-developers like myself) could create and edit tutorials for stuff
> > non-developers like myself would find useful. I find that sometimes
> > existing tutorials become outdated, and was thinking that a wiki would make
> > updates easier.
>
> Not a bad idea, but when speaking about OpenBSD I would rather recommend
> updating/fixing/enhancing OpenBSD's own man collection.
Re: Kernel memory leaking on Intel CPUs?
sorry, didn't send my original mail in plaintext

Google came out with a more detailed explanation: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Should any hardening setting be enabled? Or does code need to be updated? What is the advice for OpenBSD?

Thanks,

> Subject: Kernel memory leaking on Intel CPUs?
> https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
>
> "It is understood the bug is present in modern Intel processors produced in
> the past decade. It allows normal user programs – from database applications
> to JavaScript in web browsers – to discern to some extent the layout or
> contents of protected kernel memory areas."
>
> "The fix is to separate the kernel's memory completely from user processes
> using what's called Kernel Page Table Isolation, or KPTI. At one point,
> Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was
> mulled by the Linux kernel team, giving you an idea of how annoying this has
> been for the developers."
>
> "AMD processors are not subject"
>
> https://www.postgresql.org/message-id/2018010354.qikjmf7dvnjgb...@alap3.anarazel.de
>
> Did anyone hear about this?
Kernel memory leaking on Intel CPUs?
https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

"It is understood the bug is present in modern Intel processors produced in the past decade. It allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the layout or contents of protected kernel memory areas."

"The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI. At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers."

"AMD processors are not subject"

https://www.postgresql.org/message-id/2018010354.qikjmf7dvnjgb...@alap3.anarazel.de

Did anyone hear about this?
Re: Microsoft gets the Most Secure Operating Systems award
On 9/19/07, Peter N. M. Hansteen [EMAIL PROTECTED] wrote:
> The One [EMAIL PROTECTED] writes:
> > Security is one of the concerns Leopard will solve.
>
> **BLAM**
>
> Security is never, ever a completely solved problem. Your world just isn't that simple. Do NOT pass GO.
>
> I sincerely hope never to hear such nonsense on misc, ever again.
>
> Sure, the next release is always better. But you won't hear me saying that OpenBSD 4.3 is your solution to all ills. At the moment, both Leopard and OpenBSD 4.3 are clouds of virtual unobtanium, not to be confused with the final solution to anything.
>
> Don't bother following up, I won't be listening. Or maybe I will, and I might even venture out from under my rock again before 4.4 ships.

If anyone can solve security, whether it is with Leopard or in the future, Apple definitely can. In my opinion, Apple performs 100% in the software field, and 90% in the hardware field, which is due to, as I explained in my previous messages, depending on factories in third-world countries that are not even Apple operated! But Apple has done so much with software, it is obvious that, in the end, Apple will reach the goal. Even when personal computers are replaced with a different technology, Apple will be on top.
Re: Microsoft gets the Most Secure Operating Systems award
Sorry, but I just disagree with Theo saying that OS X is buggy and insecure.

On 9/21/07, Marc Espie [EMAIL PROTECTED] wrote:
> On Fri, Sep 21, 2007 at 12:08:55AM +1000, The One wrote:
> > If anyone can solve security, whether it is with Leopard or in the future, Apple definitely can. In my opinion, Apple performs 100% in the software field, and 90% in the hardware field, which is due to, as I explained in my previous messages, depending on factories in third-world countries that are not even Apple operated! But Apple has done so much with software, it is obvious that, in the end, Apple will reach the goal. Even when personal computers are replaced with a different technology, Apple will be on top.
>
> Stop sending this stuff to misc@openbsd.org, it is totally irrelevant here, and your email address tags you as a Troll as well.
Re: FW: Microsoft gets the Most Secure Operating Systems award
On 9/21/07, stuart van Zee [EMAIL PROTECTED] wrote:
> The One [EMAIL PROTECTED] writes:
> > If anyone can solve security, whether it is with Leopard or in the future, Apple definitely can. In my opinion, Apple performs 100% in the software field, and 90% in the hardware field, which is due to, as I explained in my previous messages, depending on factories in third-world countries that are not even Apple operated! But Apple has done so much with software, it is obvious that, in the end, Apple will reach the goal. Even when personal computers are replaced with a different technology, Apple will be on top.
>
> Solve security? GEESH!
>
> Mr. The One I must humbly submit to you that you DO NOT KNOW WHEREFORE YOU SPEAK! There is no such thing as Solving Security. It does not exist. It could only exist in a perfect world and as you know, or at least should know, this is NOT a perfect world.
>
> My opinion is that Apple puts out a nice product for what it is. I love my MacBook, I use it to play online games and work my second job as an internet radio show personality. I use it when I don't want to think after a long day of thinking at work (thinking isn't my best subject after all). BUT! I do not delude myself into thinking that it is some great bastion of security or ever will be.
>
> At work, I use OpenBSD for firewalls, mail servers, (gulp) an FTP server, NIDS, time server, etc... etc... etc... Do I think that OpenBSD is the end-all-be-all of security? nope. A system, no matter how good it is, is only as good as the admin who sets it up. Some systems start out from a much better position than others, and my opinion is that OpenBSD is the very best at this, but ultimately, it has to be set up to do whatever job it needs to perform. No matter how perfect the base system is, there is no way to get around this.
>
> There is NO WAY an OS can SOLVE SECURITY. It is as impossible as making an ice machine that SOLVES the problem of ice melting. It is as idiotic as the belief that the Titanic was unsinkable. Please, do not put so much blind faith in a system that is built more for user experience than it is for security. Do not put so much blind faith in ANYTHING. Nothing is infallible, everything eventually crumbles. Even OpenBSD has had 2 remote exploits in the default install in the last 10 years. It happens, even to the very best. Nothing can, or ever will, be able to change this, it is an immutable fact. period.
>
> s

Hi Stuart,

Of course, nothing can ever be immune! Sorry for allowing you to have such a misconception about myself! :)

But, as I have said before, Apple has virtually never failed in software, why should it fail in security?

The One.
Re: Microsoft gets the Most Secure Operating Systems award
But if OS X Tiger was to gain 100 % market share, I honestly believe that my Mac would not be affected by any viruses or hacking, whatsoever. Of course, there may be some flaws discovered if such an event were to occur, but I am a very careful being. And with Safari's Private Browsing and helpful settings in System Preferences, my Mac would be completely secure! :) By the way, Apple makes sure to release security updates in relatively quick amounts of time! ;) With that in mind, and a stronger Leopard coming soon, what can possibly occur in a negative connotation?

-The One

On 9/19/07, The One [EMAIL PROTECTED] wrote:
> What I meant to say was that Leopard's release will solve every current problem prevalent in OS X Tiger and people's opinions about the Macintosh platform, although their current, so-called opinions have no evidence behind them, whatsoever. Security is one of the concerns Leopard will solve. I was, in a way, issuing a final statement about the stance of operating systems and general computers, at least OS X and Windows-wise. OpenBSD and Linux both have functions that make them unique. The simple fact is that the Windows OS has nothing unique about it whatsoever ... except for the fact that it is the only flawed OS to gain massive popularity ... temporarily
>
> -The One
>
> On 9/18/07, Nick Guenther [EMAIL PROTECTED] wrote:
> > Why are you still talking? Why are you topposting? Why does it matter to the world at all what your one random friend does? And the standard: What does this have to do with OpenBSD?
> >
> > On 9/17/07, The One [EMAIL PROTECTED] wrote:
> > > Apple will, undoubtedly, implement some of these basic techniques for Leopard. But market share has completely NOTHING to do with OS X's security. Apple always has and will be 100 % when it comes to their software for OS X and OS X itself. Only time will tell. Leopard's release will solve every Mac user's concerns and PC fanboys' idiocy! Even my friend, who uses a PC, is considering the purchase of a Mac. I told him to wait until October, which is very near, to buy one. That way he will not have to pay extra for Leopard! ;)
> > >
> > > On 9/5/07, Nick Shank [EMAIL PROTECTED] wrote:
> > > > The One wrote:
> > > > > But how would it spread? There have been 2 OS X viruses, yet they spread terribly. And Apple has already fixed the issue. :)
> > > > >
> > > > > -The One
> > > > >
> > > > > On 9/2/07, Kennith Mann III [EMAIL PROTECTED] wrote:
> > > > > > On 9/1/07, The One [EMAIL PROTECTED] wrote:
> > > > > > > On 3/23/07 2:53 AM, Theo de Raadt wrote:
> > > > > > > > Symantec have been trying to demonise OS X for a long while. And it is going to work soon. Because OS X has no Propolice-like compiler stack protection, nor anything like W^X which makes parts of the address space non-executable, nor anything like address space randomization which makes certain attacks very difficult, especially with the previous two techniques. So when they have a bug, it is exploitable just like bugs are on any other powerpc or i386 machine running some other operating system. These days even operating systems like Vista have the above 3 security technologies.
> > > > > > >
> > > > > > > First of all, bugs and viruses are two different things. Second, OS X does not need third-party protection. All of the protection is built into the OS! If Vista is so secure, then why does one need to download virus/spyware protection when it can simply be built into the OS?
> > > > > > >
> > > > > > > -The One
> > > > > >
> > > > > > I don't have virus/spyware protection and I've been fine before with Vista and XP. Perhaps you mean to say why do users who install things they shouldn't need virus/spyware protection? which I would argue that the OS doesn't matter. I could write a script that asks for rootly permission in OS X and start nuking stuff with the promise of prettier icons for their desktop or IM client. If you were to argue for worms and things of the like, then I would agree. The only virus I will probably ever catch is some zero-day that hits the world and gets in my work network (won't happen at my house -- I live alone)
> > > >
> > > > Here we hit the heart of the issue. The virus and spyware detection software for Windows isn't really to protect the OS. It's to protect the user from themselves.
Re: Microsoft gets the Most Secure Operating Systems award
What I meant to say was that Leopard's release will solve every current problem prevalent in OS X Tiger and people's opinions about the Macintosh platform, although their current, so-called opinions have no evidence behind them, whatsoever. Security is one of the concerns Leopard will solve. I was, in a way, issuing a final statement about the stance of operating systems and general computers, at least OS X and Windows-wise. OpenBSD and Linux both have functions that make them unique. The simple fact is that the Windows OS has nothing unique about it whatsoever ... except for the fact that it is the only flawed OS to gain massive popularity ... temporarily

-The One

On 9/18/07, Nick Guenther [EMAIL PROTECTED] wrote:
> Why are you still talking? Why are you topposting? Why does it matter to the world at all what your one random friend does? And the standard: What does this have to do with OpenBSD?
>
> On 9/17/07, The One [EMAIL PROTECTED] wrote:
> > Apple will, undoubtedly, implement some of these basic techniques for Leopard. But market share has completely NOTHING to do with OS X's security. Apple always has and will be 100 % when it comes to their software for OS X and OS X itself. Only time will tell. Leopard's release will solve every Mac user's concerns and PC fanboys' idiocy! Even my friend, who uses a PC, is considering the purchase of a Mac. I told him to wait until October, which is very near, to buy one. That way he will not have to pay extra for Leopard! ;)
> >
> > On 9/5/07, Nick Shank [EMAIL PROTECTED] wrote:
> > > The One wrote:
> > > > But how would it spread? There have been 2 OS X viruses, yet they spread terribly. And Apple has already fixed the issue. :)
> > > >
> > > > -The One
> > > >
> > > > On 9/2/07, Kennith Mann III [EMAIL PROTECTED] wrote:
> > > > > On 9/1/07, The One [EMAIL PROTECTED] wrote:
> > > > > > On 3/23/07 2:53 AM, Theo de Raadt wrote:
> > > > > > > Symantec have been trying to demonise OS X for a long while. And it is going to work soon. Because OS X has no Propolice-like compiler stack protection, nor anything like W^X which makes parts of the address space non-executable, nor anything like address space randomization which makes certain attacks very difficult, especially with the previous two techniques. So when they have a bug, it is exploitable just like bugs are on any other powerpc or i386 machine running some other operating system. These days even operating systems like Vista have the above 3 security technologies.
> > > > > >
> > > > > > First of all, bugs and viruses are two different things. Second, OS X does not need third-party protection. All of the protection is built into the OS! If Vista is so secure, then why does one need to download virus/spyware protection when it can simply be built into the OS?
> > > > > >
> > > > > > -The One
> > > > >
> > > > > I don't have virus/spyware protection and I've been fine before with Vista and XP. Perhaps you mean to say why do users who install things they shouldn't need virus/spyware protection? which I would argue that the OS doesn't matter. I could write a script that asks for rootly permission in OS X and start nuking stuff with the promise of prettier icons for their desktop or IM client. If you were to argue for worms and things of the like, then I would agree. The only virus I will probably ever catch is some zero-day that hits the world and gets in my work network (won't happen at my house -- I live alone)
> > >
> > > Here we hit the heart of the issue. The virus and spyware detection software for Windows isn't really to protect the OS. It's to protect the user from themselves.
Re: Microsoft gets the Most Secure Operating Systems award
Apple will, undoubtedly, implement some of these basic techniques for Leopard. But market share has completely NOTHING to do with OS X's security. Apple always has and will be 100 % when it comes to their software for OS X and OS X itself. Only time will tell. Leopard's release will solve every Mac user's concerns and PC fanboys' idiocy! Even my friend, who uses a PC, is considering the purchase of a Mac. I told him to wait until October, which is very near, to buy one. That way he will not have to pay extra for Leopard! ;)

On 9/5/07, Nick Shank [EMAIL PROTECTED] wrote:
> The One wrote:
> > But how would it spread? There have been 2 OS X viruses, yet they spread terribly. And Apple has already fixed the issue. :)
> >
> > -The One
> >
> > On 9/2/07, Kennith Mann III [EMAIL PROTECTED] wrote:
> > > On 9/1/07, The One [EMAIL PROTECTED] wrote:
> > > > On 3/23/07 2:53 AM, Theo de Raadt wrote:
> > > > > Symantec have been trying to demonise OS X for a long while. And it is going to work soon. Because OS X has no Propolice-like compiler stack protection, nor anything like W^X which makes parts of the address space non-executable, nor anything like address space randomization which makes certain attacks very difficult, especially with the previous two techniques. So when they have a bug, it is exploitable just like bugs are on any other powerpc or i386 machine running some other operating system. These days even operating systems like Vista have the above 3 security technologies.
> > > >
> > > > First of all, bugs and viruses are two different things. Second, OS X does not need third-party protection. All of the protection is built into the OS! If Vista is so secure, then why does one need to download virus/spyware protection when it can simply be built into the OS?
> > > >
> > > > -The One
> > >
> > > I don't have virus/spyware protection and I've been fine before with Vista and XP. Perhaps you mean to say why do users who install things they shouldn't need virus/spyware protection? which I would argue that the OS doesn't matter. I could write a script that asks for rootly permission in OS X and start nuking stuff with the promise of prettier icons for their desktop or IM client. If you were to argue for worms and things of the like, then I would agree. The only virus I will probably ever catch is some zero-day that hits the world and gets in my work network (won't happen at my house -- I live alone)
>
> Here we hit the heart of the issue. The virus and spyware detection software for Windows isn't really to protect the OS. It's to protect the user from themselves.
Re: Microsoft gets the Most Secure Operating Systems award
But how would it spread? There have been 2 OS X viruses, yet they spread terribly. And Apple has already fixed the issue. :)

-The One

On 9/2/07, Kennith Mann III [EMAIL PROTECTED] wrote:
> On 9/1/07, The One [EMAIL PROTECTED] wrote:
> > On 3/23/07 2:53 AM, Theo de Raadt wrote:
> > > Symantec have been trying to demonise OS X for a long while. And it is going to work soon. Because OS X has no Propolice-like compiler stack protection, nor anything like W^X which makes parts of the address space non-executable, nor anything like address space randomization which makes certain attacks very difficult, especially with the previous two techniques. So when they have a bug, it is exploitable just like bugs are on any other powerpc or i386 machine running some other operating system. These days even operating systems like Vista have the above 3 security technologies.
> >
> > First of all, bugs and viruses are two different things. Second, OS X does not need third-party protection. All of the protection is built into the OS! If Vista is so secure, then why does one need to download virus/spyware protection when it can simply be built into the OS?
> >
> > -The One
>
> I don't have virus/spyware protection and I've been fine before with Vista and XP. Perhaps you mean to say why do users who install things they shouldn't need virus/spyware protection? which I would argue that the OS doesn't matter. I could write a script that asks for rootly permission in OS X and start nuking stuff with the promise of prettier icons for their desktop or IM client. If you were to argue for worms and things of the like, then I would agree. The only virus I will probably ever catch is some zero-day that hits the world and gets in my work network (won't happen at my house -- I live alone)
Re: filesystems?
FAT32.

On 9/3/07, stan [EMAIL PROTECTED] wrote:
> I'm trying to decide what filesystem to use on a USB drive. I'd like to be able to access the unit from OpenBSD, FreeBSD, Linux, and perhaps Windows.
>
> What is the intersection of the sets of filesystems supported by these various OS's?

--
I'm sorry, no one here has any intentions of helping you with anything. I am the manager of all of Customer Service.
Re: Microsoft gets the Most Secure Operating Systems award
On 3/23/07 2:53 AM, Theo de Raadt wrote:
> Symantec have been trying to demonise OS X for a long while. And it is going to work soon. Because OS X has no Propolice-like compiler stack protection, nor anything like W^X which makes parts of the address space non-executable, nor anything like address space randomization which makes certain attacks very difficult, especially with the previous two techniques. So when they have a bug, it is exploitable just like bugs are on any other powerpc or i386 machine running some other operating system. These days even operating systems like Vista have the above 3 security technologies.

First of all, bugs and viruses are two different things. Second, OS X does not need third-party protection. All of the protection is built into the OS! If Vista is so secure, then why does one need to download virus/spyware protection when it can simply be built into the OS?

-The One
Re: Pf question
Thanks for the info and I have learned a bit from it, but not quite what I'm after. I'm looking for how to direct traffic to a couple of internal web servers based on what IP alias of the external interface the traffic connects to.

For example:

Traffic connecting to xxx.xxx.xxx.178:80 goes to 192.168.0.75:80
Traffic connecting to xxx.xxx.xxx.180:80 goes to 192.168.0.85:80

Where 178 and 180 are aliases on the same external interface. I'm curious what my rules would need to be to make that happen.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ouellet
Sent: Sunday, December 18, 2005 12:16 AM
To: Logical One
Cc: misc@openbsd.org
Subject: Re: Pf question

Daniel Ouellet wrote:
> Logical One wrote:
> > Can someone give me some idea of what RDR and PASS IN/OUT rules I'd need for just a portion of this (say the web servers) and I can figure out the rest on my own?
>
> Read here:
>
> http://www.bgnett.no/~peter/pf/en/pf-firewall.pdf in PDF or http://www.bgnett.no/~peter/pf/en/ in html.
>
> Page 16 of the PDF for example for web server.

Sorry, page 33! I was reading something else and was on page 16. Confused the two...

Anyway, read it all, it's good learning anyway.

Daniel
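The mapping asked for above (alias .178 to 192.168.0.75, alias .180 to 192.168.0.85, port 80 only) is one rdr rule per alias keyed on the destination address, plus a pass rule for the translated destination. As an added example that is not part of the thread or of the linked PDF, a POSIX sh script that generates and syntax-checks such a ruleset; the alias addresses 203.0.113.178/.180 stand in for the xxx.xxx.xxx.178/.180 of the question, the interface name in EXT_IF is an assumption, and the internal addresses come from the message. The syntax is the OpenBSD 3.x-era form where rdr translation rules must come before the filter rules; on OpenBSD 4.7 and later the same mapping is written as one `pass in ... rdr-to` rule per alias.

```shell
#!/bin/sh
# Added example (not from the thread): pf rules choosing an internal web server by
# the external alias the client connected to. Addresses 203.0.113.x are constructed
# placeholders; EXT_IF is an assumed interface name, override it in the environment.
EXT_IF=${EXT_IF:-fxp0}

# "<external alias> <internal server> <port>", one mapping per line (constructed)
WEB_MAP='
203.0.113.178 192.168.0.75 80
203.0.113.180 192.168.0.85 80
'

# Emit a complete pf.conf fragment: macro, translation section, filter section.
pf_rdr_ruleset() {
  printf 'ext_if = "%s"\n' "$EXT_IF"
  # translation section: the rdr matches on the alias the packet was sent to
  printf '%s\n' "$WEB_MAP" | awk 'NF == 3 {
    printf "rdr on $ext_if proto tcp from any to %s port %s -> %s port %s\n", $1, $3, $2, $3 }'
  # filter section: after rdr the packet is addressed to the internal server, so the
  # pass rule names the translated destination and admits only that port
  printf '%s\n' "$WEB_MAP" | awk 'NF == 3 {
    printf "pass in on $ext_if proto tcp from any to %s port %s flags S/SA keep state\n", $2, $3 }'
}

# Parse-only check with pfctl -n when pfctl is present; otherwise just show the rules.
check_ruleset() {
  if command -v pfctl >/dev/null 2>&1; then
    pf_rdr_ruleset | pfctl -nf -
  else
    pf_rdr_ruleset
  fi
}
check_ruleset
```

These rules assume the rest of pf.conf already has a default `block in` policy on the external interface; the pass rules only open what the rdr rules redirect, so nothing else addressed to the internal servers is admitted by them.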
Pf question
Just a quick question I hope. I have the following setup: 1 internal interface 1 external interface 3 static routable IP's assigned to external interface (one primary, two aliases) I want to use one IP for NAT and some port redirection to a client system and a web server, another IP for a second web server, and the remaining IP for a FTP server. I've been playing with the rules and reading documentation on this for several days now and haven't gotten anywhere. I know about BINAT and would prefer not to use it in favor of RDR'ing the ports that are common between servers to the respective server based on the IP address that is connected to from the outside world. Can someone give me some idea of what RDR and PASS IN/OUT rules I'd need for just a portion of this (say the web servers) and I can figure out the rest on my own? I can make the ftp server work, but I don't know how to say that traffic to a specific IP should be directed to it. Thanks, Logical_1
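The per-alias redirection asked about in this thread (the original question above and the follow-up that gives the .178/.180 example), written out as an added pf.conf fragment that is not part of the original posts. It uses the `rdr-to` syntax of OpenBSD 4.7 and later rather than the `rdr ... ->` form that was current when the thread was written; the interface names, the RFC 5737 documentation addresses standing in for the real aliases, and the internal server addresses are constructed for the example:

```pf
# /etc/pf.conf fragment (constructed example, not from the thread).
# Assumed interface names; replace with the ones dmesg/ifconfig show.
ext_if = "em0"
int_if = "em1"

# Constructed stand-ins for the two aliases on $ext_if (203.0.113.0/24 is
# a documentation range). Internal targets are the ones from the thread.
web1_ext = "203.0.113.178"
web2_ext = "203.0.113.180"
web1_int = "192.168.0.75"
web2_int = "192.168.0.85"

# The selector is the destination address, so two aliases on one interface
# can each redirect to a different server. rdr-to on a pass rule creates
# the state, so no separate "pass in" for the translated address is needed.
pass in on $ext_if inet proto tcp from any to $web1_ext port 80 rdr-to $web1_int port 80
pass in on $ext_if inet proto tcp from any to $web2_ext port 80 rdr-to $web2_int port 80

# Only the two redirected ports may leave toward the internal servers;
# anything else from the outside stays blocked by the default block policy.
pass out on $int_if inet proto tcp from any to { $web1_int, $web2_int } port 80

# Pre-4.7 equivalent, for readers on the release discussed in the thread:
#   rdr on $ext_if proto tcp from any to $web1_ext port 80 -> $web1_int port 80
#   pass in on $ext_if proto tcp from any to $web1_int port 80 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; a rule that accidentally uses `from any to any` instead of the alias address would expose every alias to the redirection, and the `-n` dry run is the cheapest place to spot such a slip.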
VMWare is b0rked?
Hello, Is anyone still able to run ports/vmware/3 on OpenBSD 3.8 or -current? Even with a valid license, the configuration wizard crashes with Unexpected output - VMware SLAVE PANIC: (UI) NOT_IMPLEMENTED F(638):637 VMWare modules were properly loaded. Any idea? -- Frank - my stupid blog: http://00f.net The directory of manicure and pedicure professionals: http://www.manucure-pro.com
Re: VMWare is b0rked?
On Tue, Nov 15, 2005 at 03:49:52PM +0059, Frank Denis (Jedi/Sector One) wrote: Even with a valid license, the configuration wizard crashes with Unexpected output - VMware SLAVE PANIC: (UI) NOT_IMPLEMENTED F(638):637 It works with a manual configuration, though.
PPTP in 3.7
I am trying to find some current documentation or pointers on how to setup a PPTP connection from my OpenBSD 3.7 firewall to my work VPN running PPTP. I've seen quite a few things, but most are outdated or conflicting in the instructions they give. I have seen some references to the kernel supporting this functionality natively while others say that recompiling the kernel is necessary and still others say a third party program is needed. I am just looking for somewhere to start that has current information or maybe even a copy of the configs from someone who has set this up before. I'd also like to find information on what settings are needed in pf if a PPTP connection is used, but the networks it bridges are using the same addressing scheme. I also need to know how to configure the router (OpenBSD) to pass traffic to certain addresses out the VPN connection, others back into the LAN, and the rest out my cable connection. I need to know how to configure the VPN so that it is not my default gateway out since my home connection is much faster than the T1 at my office where the VPN connects. Thanks for any pointers, hints, advice, configs or whatever else anyone has to contribute and I'm sorry for being a bother, but while the information is out there, I have been unable to find what is relevant to my config. Thanks, Logical_1
Re: Mac Mini as Firewall
On Tue, Nov 01, 2005 at 11:32:32AM +0100, Antoine Jacoutot wrote: You may want to have a look at the hard drive which is slow and might be a bottleneck... The Mac Mini hard drive can easily be replaced by a 7200 RPM drive. Mine is running with a Hitachi 7K100 drive and it is way faster than the original drive. And replacing the hard drive does *not* void the warranty. Best regards, -- Frank - my stupid blog: http://00f.net The directory of manicure and pedicure professionals: http://www.manucure-pro.com
Re: powernow
On Fri, Oct 28, 2005 at 12:16:10AM -0700, Ted Unangst wrote: thanks all. there's some newer code in cvs now.. It still hangs for me when changing hw.setperf -- Frank - my stupid blog: http://00f.net The directory of manicure and pedicure professionals: http://www.manucure-pro.com
Re: powernow
On Wed, Oct 26, 2005 at 11:16:31PM -0700, Ted Unangst wrote: there is a diff from gordon klok in the snapshots that should improve support for k7 and k8 family powernow (cool and quiet). i'd like to know where/if it works, what messages get printed, and if hw.setperf does anything useful. md5 -t with setperf=0 and 100 would be nice. Changing hw.setperf totally freezes the system. Hardware is a Biostar iDEQ 220K (VIA VT8237, AMD64 3400). dmesg follows : OpenBSD 3.8-current (GENERIC) #210: Tue Oct 25 23:07:20 MDT 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD Athlon(tm) 64 Processor 3400+ (AuthenticAMD 686-class, 512KB L2 cache) 2.40 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2 cpu0: AMD Powernow: TS FID VID TTP cpu0: AMD Cool`n'Quiet K8: 0 available states real mem = 535273472 (522728K) avail mem = 481550336 (470264K) using 4278 buffers containing 26865664 bytes (26236K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(c5) BIOS, date 07/27/05, BIOS32 rev. 
0 @ 0xf9fa0 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 70102 dobusy 1 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xf/0xc834 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc790/160 (8 entries) pcibios0: PCI Exclusive IRQs: 3 5 10 12 pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT82C596A ISA rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0x1 0xd/0x1000 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 VIA K8M800 Host rev 0x00 pchb1 at pci0 dev 0 function 1 VIA K8M800 Host rev 0x00 pchb2 at pci0 dev 0 function 2 VIA K8M800 Host rev 0x00 pchb3 at pci0 dev 0 function 3 VIA K8M400 Host rev 0x00 pchb4 at pci0 dev 0 function 4 VIA K8M800 Host rev 0x00 pchb5 at pci0 dev 0 function 7 VIA K8M800 Host rev 0x00 ppb0 at pci0 dev 1 function 0 VIA K8HTB AGP rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 ATI Radeon VE QY rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) wi0 at pci0 dev 8 function 0 Intersil PRISM2.5 rev 0x01: irq 5 wi0: PRISM2.5 ISL3874A(Mini-PCI) (0x8013), Firmware 1.1.1 (primary), 1.7.4 (station), address 00:09:5b:41:d8:19 VIA VT6306 FireWire rev 0x80 at pci0 dev 11 function 0 not configured rl0 at pci0 dev 13 function 0 Realtek 8139 rev 0x10: irq 12, address 00:e0:4c:da:e1:ab rlphy0 at rl0 phy 0: RTL internal phy pciide0 at pci0 dev 15 function 0 VIA VT6420 SATA rev 0x80: DMA pciide0: using irq 10 for native-PCI interrupt wd0 at pciide0 channel 0 drive 0: HDS722525VLSA80 wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 pciide1 at pci0 dev 15 function 1 VIA VT82C571 IDE rev 0x06: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility wd1 at pciide1 channel 0 drive 0: IBM-DJNA-371800 wd1: 16-sector PIO, LBA, 17206MB, 35239680 sectors wd2 at pciide1 channel 0 drive 1: IBM-DTLA-307045 
wd2: 16-sector PIO, LBA, 43979MB, 90069840 sectors wd1(pciide1:0:0): using PIO mode 4, DMA mode 2 wd2(pciide1:0:1): using PIO mode 4, DMA mode 2 atapiscsi0 at pciide1 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: TOSHIBA, DVD-ROM SD-M1612, 1004 SCSI0 5/cdrom removable cd0(pciide1:1:0): using PIO mode 4, DMA mode 2 uhci0 at pci0 dev 16 function 0 VIA VT83C572 USB rev 0x81: irq 5 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1 at pci0 dev 16 function 1 VIA VT83C572 USB rev 0x81: irq 5 usb1 at uhci1: USB revision 1.0 uhub1 at usb1 uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered uhci2 at pci0 dev 16 function 2 VIA VT83C572 USB rev 0x81: irq 10 usb2 at uhci2: USB revision 1.0 uhub2 at usb2 uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub2: 2 ports with 2 removable, self powered uhci3 at pci0 dev 16 function 3 VIA VT83C572 USB rev 0x81: irq 10 usb3 at uhci3: USB revision 1.0 uhub3 at usb3 uhub3: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub3: 2 ports with 2 removable, self powered ehci0 at pci0 dev 16 function 4 VIA VT6202 USB rev 0x86: irq 3 usb4 at ehci0: USB revision 2.0 uhub4 at usb4 uhub4: VIA EHCI root hub, rev 2.00/1.00, addr 1 uhub4: 8 ports with 8 removable, self powered pcib0 at pci0 dev 17 function 0 VIA VT8237 ISA rev 0x00 auvia0 at pci0 dev 17 function 5 VIA VT8233 AC97 rev 0x60: irq 3 ac97: codec id 0x414c4760 (Avance Logic ALC655) audio0 at auvia0 pchb6 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00 pchb7 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00 pchb8 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00 pchb9 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00 isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0:
OpenOffice.org 2.0 works on OpenBSD
Hello, Just a little note to tell that the just-released OpenOffice.org 2.0 works perfectly on OpenBSD with the Linux emulation (tested with OpenBSD-current). Basic instructions: http://www.00f.net/php/show-article.php/openoffice_on_openbsd Best regards, -- Frank - my stupid blog: http://00f.net The directory of manicure and pedicure professionals: http://www.manucure-pro.com
Re: Happy Birthday OpenBSD ! 10 years !
On Fri, Oct 14, 2005 at 08:39:15AM -0600, Theo de Raadt wrote: Oct 14 OpenBSD born, Saturday 16:36 MST, 1995 Sorry, but so many of you are uninformed. date: 1995/10/18 08:37:01; author: deraadt; state: Exp; That is when the repository was created. That is the official date. I don't know where people get the other date from. This is the calendar.openbsd entry for Oct 14.
Re: uvm_mapent_alloc: out of static map entries, check MAX_KMAPENT
On Fri, Oct 07, 2005 at 12:29:17PM -0400, Brad wrote: Now instead of your system panicing, the kernel will try to allocate more memory for additional map entries. The kernel will print out the usual uvm_mapent_alloc: out of static map entries but not panic. Indeed, I upgraded a system that used to panic() without raising MAX_KMAPENT and now it only prints the message without panic()ing. Also, looking at the vmstat display of systat you will see that kmapent has been added to the bottom right corner, this will show you the number of map entries currently in use by the kernel. Unfortunately, that number is hidden in a 80x24 terminal. That host currently has 1583 kmap entries. -- Frank - my stupid blog: http://00f.net The directory of manicure and pedicure professionals: http://www.manucure-pro.com
Re: nfs mounting
On Sat, Oct 08, 2005 at 05:27:59PM -0400, Chuck Robey wrote: I have just gotten usb networking up on my Zaurus, and now I'm trying to get /usr/local, /usr/ports, and /usr/src remotely mounted from my nearby FreeBSD system. I can get the mount done, but I can't affect any files ... for example, if I try to touch (as root on the Zaurus) /usr/local/garbage, I get Permission denied. When you access a file as root, the access is made as the nobody user by default. See the -maproot= option in exports(5). -- Frank - my stupid blog: http://00f.net The directory of manicure and pedicure professionals: http://www.manucure-pro.com
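What the reply above points at, as an added example that is not part of the original message: the server-side exports(5) line on the FreeBSD host that lifts the default root squash for one client. The client address and the assumption that the three directories live on one filesystem (exports(5) requires every directory on a line to be on the same filesystem) are constructed for the example:

```text
# /etc/exports on the FreeBSD NFS server (constructed example, not from the thread).
#
# Without -maproot, a request arriving with uid 0 is mapped to the
# anonymous user (uid -2, "nobody"), which is why root's touch fails
# with "Permission denied". That mapping is the safe default: a root
# account on any client cannot become root on the server's files.
#
# -maproot=root keeps uid 0 as uid 0, but only for the hosts listed on
# the line. 192.168.0.10 is an assumed address for the Zaurus; list the
# single client rather than a -network range so the grant stays narrow.
/usr/local /usr/ports /usr/src -maproot=root 192.168.0.10
```

After editing the file, signal mountd to re-read it (`kill -HUP $(cat /var/run/mountd.pid)`) and confirm the result with `showmount -e` on the server; if the client only needs to read, prefer `-ro` on the same line and drop `-maproot` entirely, since the root mapping is only needed for writes by uid 0.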
Re: cpuburn: operation not permitted
On Sun, Aug 07, 2005 at 12:49:02PM -0500, Matt Garman wrote: I'd like to load the CPU as much as possible, while at the same time monitoring temperatures, so that I can make sure my computer doesn't overheat. Try running blogbench - http://blogbench.pureftpd.org/ - it brings hardware to its knees and it can help to discover overheating.
Re: Choices for Soekris disk drives
On Fri, Jul 15, 2005 at 07:55:59PM +0530, Mayuresh Kathe wrote: *AVOID* 2.5 IDE Laptop drives. I've had pretty bad experience with them, 1. They heat up a lot 2. Are slow 3. Fail quite often (this could be due to the heat) (face problems with Toshiba and IBM) I have the opposite experience. My Net4801 is running 24/7 for one year with a Momentus drive (5400 RPMs) and it is neither slow nor hot. Hitachi also produces drives that are designed to run 24/7 (Endurastar, now obsoleted by E7K60 and E7K100 drives). My Mac Mini is running with a 7K100 (80 Gb, 7200 RPM, 8 Mb cache) drive and it is as fast as any 3.5 drive. It seems to heat up more than the Momentus since the fan often wakes up, but it works reliably.
Re: Mini-PC recommendation?
On Sun, Jul 03, 2005 at 02:28:00PM -0500, Matthew Weigel wrote: Take a look at the BioStar iDeq 220K, which uses K8M800 and VT8237... looks like on-board SATA, LAN*, and sound are supported, but useable graphics might be missing. I'm going to buy one. Support for the Via Unichrome chipset seems to be missing in OpenBSD Xorg server, but it is in the Xorg CVS tree.
Re: Flash Plugin for Firefox
On Tue, Jul 05, 2005 at 05:44:01PM -0800, JR Dalrymple wrote: I think if you used Opera for 5 days you'd find it better in EVERY WAY POSSIBLE than Firefox... My 2 cents. I find page loads to be much faster, and nav is 10x faster with gestures and keyboard shortcuts. Except that there is nothing like AdBlock, DOM Inspector, CSS editor and Developer Toolbar for Opera. swfdec is exciting, unfortunately it just never works with real-life Flash files.
Re: sleep patterns...
On Tue, Jul 05, 2005 at 02:22:13PM +0100, Stuart Henderson wrote: Dragonfly have 'rm -I' (ask for confirmation if deleting 3 files or -r) which works very well. Used routinely (e.g. in an alias in login shells), I think it gives better protection than 'rm -i' since the prompt is rare enough you don't train yourself to confirm automatically. You can apply the following old patch to do it in OpenBSD. http://42-networks.com/obsd_patches/rm_I.patch
Re: Mini-PC recommendation?
On Sun, Jul 03, 2005 at 12:57:04PM +0200, [EMAIL PROTECTED] wrote: This heavily depends on what you use it for. We make good experiences with Geode based systems (like the Soekris 4801) as they are low power devices for router/firewall applications. I also have a Net4801 that performs perfectly as a firewall and home server. But I was more looking for a workstation, preferably one supporting socket AMD64. But in this area, every vendor seems to use nothing but Nforce or Radeon chipsets.
Mini-PC recommendation?
What experiences do people have with OpenBSD and a mini-PC like Biostar's or Soltek's? The most interesting ones seem to be based upon Nvidia chipsets, but unfortunately they don't seem to be supported by OpenBSD.
Re: human-time limit.
On Sun, Jun 26, 2005 at 05:55:25PM +, David Pluoe wrote: Are you gonna add anytime soon a resource limit for human-time, so it would be easier to keep dead locks and any other same kind of type processes in control? httpd would really benefit from it when providing service for many newbie users out there. http://www.42-networks.com/obsd_patches/rlimit_time.patch
How to set up a read-only CVS server?
Hello, I'd like to offer a public OpenBSD CVS mirror, but I have no experience with setting up CVS servers, especially public ones. My question may sound obvious: how to set up a read-only CVS server, using the reference CVS or OpenCVS? I found various tutorials and scripts, but they all describe the insecure pserver way. I tried to have different uids for the files and for the anoncvs account, but the CVS server chokes when it comes to creating lock files. The only working way I found was a systrace policy (just in case it would be useful to anyone, you can find it here: ftp://ftp.00f.net/misc/systrace/usr_bin_cvs). But there must be a more obvious way to do it. How are you doing it, guys? TIA, -Frank.
Re: Gigabit Firewall NIC Interrupt Performance Problem
On Mon, May 30, 2005 at 11:37:16AM -0400, Jamie Yukes wrote: I have a Dell Poweredge 1750 with basically OpenBSD 3.6 (3.5-current Aug 2004) It has the dual onboard Gigabit links, using the Broadcom BCM5704C chipset. I can't seem to handle more than 120Mbps of VoIP traffic on this link. The system reports 96% time in Interrupts. Try to run bsd.mp even if you only have one processor. IOAPIC helps a lot.
Re: mounting ext3fs via ext2fs
On Mon, May 30, 2005 at 03:25:02PM +, Thorsten Glaser wrote: ports/sysutils/e2fsprogs Sure, but to be fair, if he cares about his data, it's probably a bad idea to try a 3-year-old version of e2fsprogs on a platform that the software was almost never tested on and that refused to mount the filesystem for a (yet) undetermined reason.
Re: mounting ext3fs via ext2fs
On Sun, May 29, 2005 at 11:00:34PM +0200, Rogier Krieger wrote: Feel free to correct me if I'm wrong, but as far as I know, ext3fs is not supported. ext3 is mostly ext2 with an extra inode to handle the journal. You can usually mount the partition as ext3 or ext2 without any special tweak. However on some distributions (at least Fedora it seems), directory hashing (htree) is enabled by default when partitions are formatted as ext3. And *BSD don't support htree yet. So maybe this is your showstopper. While running Linux, try tune2fs -O ^dir_index /dev/your volume in order to remove htree on the partition. -- Frank - my stupid blog: http://00f.net
Re: Burn Testing
On Tue, May 24, 2005 at 04:00:20PM +0100, Gaby vanhegan wrote: I have acquired some second-hand dual processor servers with the intention of putting OpenBSD on them. I have put Debian on one of them and FreeBSD on another, and am pounding them as hard as I can with setiathome to see if they fall over. Is there a similar burn-testing app that I can run on OpenBSD to test the stability of the machines over a 12 day period? Try blogbench: http://blogbench.pureftpd.org/ It stresses your hardware and your OS a lot, and it often triggers kernel panics if something is wrong.
Re: Dell HW?
On Thu, May 19, 2005 at 02:10:06PM -0500, L. V. Lammert wrote: We have been requested to use Dell HW for some new systems. Any recommended models (RM) for: 1) Gateway/firewall? 2) SAN? It really depends on your exact needs (how many NICs, how many disks, etc). Almost every Dell seems to work fine with OpenBSD, but definitely avoid CERC controllers, especially the SATA ones. Go with PERC 4 that are way more reliable. The company I'm working for is almost exclusively buying Dell 1850 nowadays. They work flawlessly with Linux, DragonFlyBSD and OpenBSD even in 64-bit mode. And unless you absolutely need Dell, also have a look at Transtec hardware, which is almost half the price of Dell's for the same features and the same support. http://www.transtec.de/D/E/index.html We use their Opteron systems (1001L for web servers and processing and 2500L for databases and file servers) with no issue so far. For a SAN, their 2500L are really nice, as you can put up to 10 disks there, without the need for any external enclosure. Best regards, -- Frank - my stupid blog: http://00f.net
Re: Nine months girl begin learning OpenBSD!
On Tue, May 17, 2005 at 09:24:04PM +0200, Frank Denis (Jedi/Sector One) wrote: Mine was also tainted by OpenBSD when she was 4 : http://www.c9x.org/jedi/openbaby.html Ah no, she was 8 months old, sorry :( OpenBSD still lacks software for kids like Tuxpaint or Gcompris, though.
Re: need help: system freezes unexpectedly
On Mon, May 09, 2005 at 09:30:52PM +0200, Georg Kremsner wrote: Could you tell me a good alternative to mount_null ? It's for my ftp-share and i don't want to share the whole disks, because not all data is to be shared. Use pure-ftpd and symbolic links.