Re: How secure is OpenBSD really
Thank you both for the quick reply.
Re: How secure is OpenBSD really
Reading the archive it seems to me that el8 was taken as a joke:

List: openbsd-misc Subject: Re: main openbsd server compromised ? From: e eliab () spack ! org Date: 2002-08-15 17:11:01 [Download message RAW]

no, el8 is not a serious zine, it's a joke, i'm sure reading a little more of the zine would have made that obvious

List: openbsd-misc Subject: Re: main openbsd server compromised ? From: e eliab () spack ! org Date: 2002-08-16 18:40:17 [Download message RAW]

* dayioglu ([EMAIL PROTECTED]) wrote:

On Thu, 2002-08-15 at 20:11, e wrote:

no, el8 is not a serious zine, it's a joke, i'm sure reading a little more of the zine would have made that obvious

Not to cause a flame-war but the disclosed mail traffic of K2 seems very normal. I did read the whole thing and to create so many joke mails is, err, at least unusual. Are you sure you read it all?

quite sure, el8 has been known to do this same type of thing before.

And that's that. But on http://www.wired.com/culture/lifestyle/news/2002/08/54400 I read that

OpenBSD co-founder Theo de Raadt, cited as a top el8 target, angrily refused to discuss the compromise (link http://www.openssh.com/txt/trojan.adv) in late July of a file server maintained by the open-source, Unix-based operating-system project. On Aug. 1, a dangerous Trojan horse program was discovered amid the code for OpenBSD, which is used by thousands of organizations and renowned for its security.

And:

Christopher Ambient Empire Abad, a security expert with Qualys, confirmed that excerpts of e-mails and other files stolen from his directory on a server were published in el8's latest zine.

So it appears to me that what el8 posted wasn't a joke. Did I miss something again?

With regards, Jernej

On Tue, Apr 15, 2008 at 1:59 AM, Ted Unangst [EMAIL PROTECTED] wrote:

On 4/14/08, Jernej Makovsek [EMAIL PROTECTED] wrote:

Now with this post I don't want to start any wars. I know that nothing is bullet proof and so on but as a wannabe OBSD user I'm just interested in if this compromise was analysed and especially how the code has changed from then, what did you do to make sure that this does not repeat. And if it was a third party app, why wasn't it configured within a jail? Ok, I learned that sysjail was announced on May 22 2006, but surely you have chroot capability. And sysjail is connected with systrace... Well again, don't want to start any flame, just interested how your community responded and responds to issues like that.

Sure, I'll just sum up 6 years of pretty continuous development for you. Unfortunately, it would take too long to read and I don't want to waste any of your time, so I'll just summarize it as lots of changes.
Re: How secure is OpenBSD really
What's your point?

Is OpenBSD perfect? No. Does it have flaws? Yes. Can it be broken? Yes, and you've dug something out from six years ago that may or may not prove that. But the same can be said of Linux, Windows, Mac OS, etc., etc.

Has every flaw/bug been discovered? No. Will there be more issues found? Yes. Does it tackle security pro-actively? Yes. Does it prefer security and openness and doing things correctly over bells, whistles and best performance whatever the cost? Yes - security and correctness are priorities - but you could find that out from http://www.openbsd.org/goals.html.

Does that mean that it will be perfect? No. Are the developers/leaders perfect? No. Is OpenBSD the One True Secure High Performance Operating System for every imaginable task? No ... but then nor is anything else. Is OpenBSD for you? Only you can decide ... and even if it is, it may not be the best tool for EVERY job.

HTH.

On 15/04/2008, at 10:28 PM, Jernej Makovsek wrote:

Reading the archive it seems to me that el8 was taken as a joke:

List: openbsd-misc Subject: Re: main openbsd server compromised ? From: e eliab () spack ! org Date: 2002-08-15 17:11:01 [Download message RAW]

no, el8 is not a serious zine, it's a joke, i'm sure reading a little more of the zine would have made that obvious

List: openbsd-misc Subject: Re: main openbsd server compromised ? From: e eliab () spack ! org Date: 2002-08-16 18:40:17 [Download message RAW]

* dayioglu ([EMAIL PROTECTED]) wrote:

On Thu, 2002-08-15 at 20:11, e wrote:

no, el8 is not a serious zine, it's a joke, i'm sure reading a little more of the zine would have made that obvious

Not to cause a flame-war but the disclosed mail traffic of K2 seems very normal. I did read the whole thing and to create so many joke mails is, err, at least unusual. Are you sure you read it all?

quite sure, el8 has been known to do this same type of thing before.

And that's that. But on http://www.wired.com/culture/lifestyle/news/2002/08/54400 I read that

OpenBSD co-founder Theo de Raadt, cited as a top el8 target, angrily refused to discuss the compromise (link http://www.openssh.com/txt/trojan.adv) in late July of a file server maintained by the open-source, Unix-based operating-system project. On Aug. 1, a dangerous Trojan horse program was discovered amid the code for OpenBSD, which is used by thousands of organizations and renowned for its security.

And:

Christopher Ambient Empire Abad, a security expert with Qualys, confirmed that excerpts of e-mails and other files stolen from his directory on a server were published in el8's latest zine.

So it appears to me that what el8 posted wasn't a joke. Did I miss something again?

With regards, Jernej

On Tue, Apr 15, 2008 at 1:59 AM, Ted Unangst [EMAIL PROTECTED] wrote:

On 4/14/08, Jernej Makovsek [EMAIL PROTECTED] wrote:

Now with this post I don't want to start any wars. I know that nothing is bullet proof and so on but as a wannabe OBSD user I'm just interested in if this compromise was analysed and especially how the code has changed from then, what did you do to make sure that this does not repeat. And if it was a third party app, why wasn't it configured within a jail? Ok, I learned that sysjail was announced on May 22 2006, but surely you have chroot capability. And sysjail is connected with systrace... Well again, don't want to start any flame, just interested how your community responded and responds to issues like that.

Sure, I'll just sum up 6 years of pretty continuous development for you. Unfortunately, it would take too long to read and I don't want to waste any of your time, so I'll just summarize it as lots of changes.
Re: How secure is OpenBSD really
2008/4/15, Jernej Makovsek [EMAIL PROTECTED]:

http://www.openssh.com/txt/trojan.adv) in late July of a file server maintained by the open-source, Unix-based operating-system project. On Aug. 1, a dangerous Trojan horse program was discovered amid the code for OpenBSD, which is used by thousands of organizations and renowned for its security.

Go back to your Linux system. IIRC the systems hacked don't run OpenBSD. RTFAQ.
Re: How secure is OpenBSD really
I'm sad to see this obvious troll working.
Re: How secure is OpenBSD really
As I said in my first post

Now with this post I don't want to start any wars. I know that nothing is bullet proof and so on but as a wannabe OBSD user I'm just interested in if this compromise was analysed and especially how the code has changed from then, what did you do to make sure that this does not repeat

Now why did I post the Wired story? Because when I read the archive I was expecting that the penetration has been taken seriously and analysed publicly in detail. But instead it was dismissed as a joke. And it doesn't matter if it's from 2002, what's important to me is how you deal with the problem. One can get flawed picture that this is how you deal with remote exploits. I was really looking forward to read your comments on how that and that developer did that and that error in analyzing the situation and how the changes you made to the exploited program changed other programs and such but instead ppl feel endangered.

Ok, thanks for all the info. Flaming is starting, I have better things to do.. like make X work on OBSD.

Bye

On Tue, Apr 15, 2008 at 12:42 PM, Richard Toohey [EMAIL PROTECTED] wrote:

What's your point?

Is OpenBSD perfect? No. Does it have flaws? Yes. Can it be broken? Yes, and you've dug something out from six years ago that may or may not prove that. But the same can be said of Linux, Windows, Mac OS, etc., etc.

Has every flaw/bug been discovered? No. Will there be more issues found? Yes. Does it tackle security pro-actively? Yes. Does it prefer security and openness and doing things correctly over bells, whistles and best performance whatever the cost? Yes - security and correctness are priorities - but you could find that out from http://www.openbsd.org/goals.html.

Does that mean that it will be perfect? No. Are the developers/leaders perfect? No. Is OpenBSD the One True Secure High Performance Operating System for every imaginable task? No ... but then nor is anything else. Is OpenBSD for you? Only you can decide ... and even if it is, it may not be the best tool for EVERY job.

HTH.

On 15/04/2008, at 10:28 PM, Jernej Makovsek wrote:

Reading the archive it seems to me that el8 was taken as a joke:

List: openbsd-misc Subject: Re: main openbsd server compromised ? From: e eliab () spack ! org Date: 2002-08-15 17:11:01 [Download message RAW]

no, el8 is not a serious zine, it's a joke, i'm sure reading a little more of the zine would have made that obvious

List: openbsd-misc Subject: Re: main openbsd server compromised ? From: e eliab () spack ! org Date: 2002-08-16 18:40:17 [Download message RAW]

* dayioglu ([EMAIL PROTECTED]) wrote:

On Thu, 2002-08-15 at 20:11, e wrote:

no, el8 is not a serious zine, it's a joke, i'm sure reading a little more of the zine would have made that obvious

Not to cause a flame-war but the disclosed mail traffic of K2 seems very normal. I did read the whole thing and to create so many joke mails is, err, at least unusual. Are you sure you read it all?

quite sure, el8 has been known to do this same type of thing before.

And that's that. But on http://www.wired.com/culture/lifestyle/news/2002/08/54400 I read that

OpenBSD co-founder Theo de Raadt, cited as a top el8 target, angrily refused to discuss the compromise (link http://www.openssh.com/txt/trojan.adv) in late July of a file server maintained by the open-source, Unix-based operating-system project. On Aug. 1, a dangerous Trojan horse program was discovered amid the code for OpenBSD, which is used by thousands of organizations and renowned for its security.

And:

Christopher Ambient Empire Abad, a security expert with Qualys, confirmed that excerpts of e-mails and other files stolen from his directory on a server were published in el8's latest zine.

So it appears to me that what el8 posted wasn't a joke. Did I miss something again?

With regards, Jernej

On Tue, Apr 15, 2008 at 1:59 AM, Ted Unangst [EMAIL PROTECTED] wrote:

On 4/14/08, Jernej Makovsek [EMAIL PROTECTED] wrote:

Now with this post I don't want to start any wars. I know that nothing is bullet proof and so on but as a wannabe OBSD user I'm just interested in if this compromise was analysed and especially how the code has changed from then, what did you do to make sure that this does not repeat. And if it was a third party app, why wasn't it configured within a jail? Ok, I learned that sysjail was announced on May 22 2006, but surely you have chroot capability. And sysjail is connected with systrace... Well again, don't want to start any flame, just interested how your community responded and responds to issues like that.

Sure, I'll just sum up 6 years of pretty continuous development for you. Unfortunately, it would take too long to
Re: How secure is OpenBSD really
On Tue, 15 Apr 2008 13:45:14 +0200 Jernej Makovsek [EMAIL PROTECTED] wrote:

Please just ignore this post!

As I said in my first post

Now with this post I don't want to start any wars. I know that nothing is bullet proof and so on but as a wannabe OBSD user I'm just interested in if this compromise was analysed and especially how the code has changed from then, what did you do to make sure that this does not repeat

Now why did I post the Wired story? Because when I read the archive I was expecting that the penetration has been taken seriously and analysed publicly in detail. But instead it was dismissed as a joke. And it doesn't matter if it's from 2002, what's important to me is how you deal with the problem. One can get flawed picture that this is how you deal with remote exploits. I was really looking forward to read your comments on how that and that developer did that and that error in analyzing the situation and how the changes you made to the exploited program changed other programs and such but instead ppl feel endangered.

Ok, thanks for all the info. Flaming is starting, I have better things to do.. like make X work on OBSD.

Bye

On Tue, Apr 15, 2008 at 12:42 PM, Richard Toohey [EMAIL PROTECTED] wrote:

What's your point?

Is OpenBSD perfect? No. Does it have flaws? Yes. Can it be broken? Yes, and you've dug something out from six years ago that may or may not prove that. But the same can be said of Linux, Windows, Mac OS, etc., etc.

Has every flaw/bug been discovered? No. Will there be more issues found? Yes. Does it tackle security pro-actively? Yes. Does it prefer security and openness and doing things correctly over bells, whistles and best performance whatever the cost? Yes - security and correctness are priorities - but you could find that out from http://www.openbsd.org/goals.html.

Does that mean that it will be perfect? No. Are the developers/leaders perfect? No. Is OpenBSD the One True Secure High Performance Operating System for every imaginable task? No ... but then nor is anything else. Is OpenBSD for you? Only you can decide ... and even if it is, it may not be the best tool for EVERY job.

HTH.

On 15/04/2008, at 10:28 PM, Jernej Makovsek wrote:

Reading the archive it seems to me that el8 was taken as a joke:

List: openbsd-misc Subject: Re: main openbsd server compromised ? From: e eliab () spack ! org Date: 2002-08-15 17:11:01 [Download message RAW]

no, el8 is not a serious zine, it's a joke, i'm sure reading a little more of the zine would have made that obvious

List: openbsd-misc Subject: Re: main openbsd server compromised ? From: e eliab () spack ! org Date: 2002-08-16 18:40:17 [Download message RAW]

* dayioglu ([EMAIL PROTECTED]) wrote:

On Thu, 2002-08-15 at 20:11, e wrote:

no, el8 is not a serious zine, it's a joke, i'm sure reading a little more of the zine would have made that obvious

Not to cause a flame-war but the disclosed mail traffic of K2 seems very normal. I did read the whole thing and to create so many joke mails is, err, at least unusual. Are you sure you read it all?

quite sure, el8 has been known to do this same type of thing before.

And that's that. But on http://www.wired.com/culture/lifestyle/news/2002/08/54400 I read that

OpenBSD co-founder Theo de Raadt, cited as a top el8 target, angrily refused to discuss the compromise (link http://www.openssh.com/txt/trojan.adv) in late July of a file server maintained by the open-source, Unix-based operating-system project. On Aug. 1, a dangerous Trojan horse program was discovered amid the code for OpenBSD, which is used by thousands of organizations and renowned for its security.

And:

Christopher Ambient Empire Abad, a security expert with Qualys, confirmed that excerpts of e-mails and other files stolen from his directory on a server were published in el8's latest zine.

So it appears to me that what el8 posted wasn't a joke. Did I miss something again?

With regards, Jernej

On Tue, Apr 15, 2008 at 1:59 AM, Ted Unangst [EMAIL PROTECTED] wrote:

On 4/14/08, Jernej Makovsek [EMAIL PROTECTED] wrote:

Now with this post I don't want to start any wars. I know that nothing is bullet proof and so on but as a wannabe OBSD user I'm just interested in if this compromise was analysed and especially how the code has changed from then, what did you do to make sure that this does not repeat. And if it was a third party app, why wasn't it configured within a jail? Ok, I learned that sysjail was announced on May 22 2006, but surely you have chroot capability. And sysjail is connected with systrace... Well again,
Re: How secure is OpenBSD really
Jernej:

AFAIK there was only one provable and admitted case of an exploit of OpenBSD's public facing systems, and that was of an ftp server that happened to be hosting OpenBSD tarballs. And while FAQ 8.18 says that the project's publicly available servers at openbsd.org do not run OpenBSD, a compromise of an openbsd.org platform is really not the issue, though it highlights it.

When you install this OS, it is secure by default. Wonderful. Making any configuration changes or adding any software might compromise that security. This means that security of the software configuration and the hardware platform are the administrator's responsibility -- mistakes could be made.

In addition, OpenBSD systems may be compromised (and probably are) for other reasons than administrator error. Compromise is always possible through human behavior -- such as the inadvertent disclosure of passwords or keys, through social engineering scam attacks, etc.

FYI: Since the inception of OpenBSD, there have been exactly two known remote exploits found in the OS. That's a pretty decent network-based security record for a general purpose OS.
Re: How secure is OpenBSD really
Ok, I should study faq and some mans. Thanks Josh. And others - sorry for the inconvenience.

Jernej

On Tue, Apr 15, 2008 at 2:18 PM, Josh Grosse [EMAIL PROTECTED] wrote:

Jernej:

AFAIK there was only one provable and admitted case of an exploit of OpenBSD's public facing systems, and that was of an ftp server that happened to be hosting OpenBSD tarballs. And while FAQ 8.18 says that the project's publicly available servers at openbsd.org do not run OpenBSD, a compromise of an openbsd.org platform is really not the issue, though it highlights it.

When you install this OS, it is secure by default. Wonderful. Making any configuration changes or adding any software might compromise that security. This means that security of the software configuration and the hardware platform are the administrator's responsibility -- mistakes could be made.

In addition, OpenBSD systems may be compromised (and probably are) for other reasons than administrator error. Compromise is always possible through human behavior -- such as the inadvertent disclosure of passwords or keys, through social engineering scam attacks, etc.

FYI: Since the inception of OpenBSD, there have been exactly two known remote exploits found in the OS. That's a pretty decent network-based security record for a general purpose OS.
Re: How secure is OpenBSD really
Jernej Makovsek [EMAIL PROTECTED] writes:

Reading the archive it seems to me that el8 was taken as a joke:

Yes, some random person, on a publicly available list where anyone can post, said he thought it was a joke. Your point is?

Go away, little troll.

//art
Re: How secure is OpenBSD really
On Tue, Apr 15, 2008 at 01:45:14PM +0200, Jernej Makovsek wrote:

As I said in my first post

Now with this post I don't want to start any wars.

that's hard to believe, considering the subject you used, and the 6 year old spoof ezine story you asked about. disclaimers like the above generally mean exactly the opposite. if you really don't mean to start a flame war, ask your question in a more reasonable manner, or just do the research yourself.

-- [EMAIL PROTECTED] SDF Public Access UNIX System - http://sdf.lonestar.org
How secure is OpenBSD really
Hi.

I'm considering switching from Linux to OpenBSD because of the security of course. Now I wanted to be sure that I will finally be able to protect my box with smart encryption etc. (smart because anybody can write an encryption program, but few think about data that remains in RAM (even after computer is shut down)). So I read various underground ezines and page after page I got the feeling that people really struggle to break into OBSD boxes. But something really confused me:

11:46PM up 2 days, 6:25, 22 users, load averages: 0.47, 0.27, 0.20
USER TTY FROM LOGIN@ IDLE WHAT
deraadt C0 - Wed05PM 5:57 emacs -nw -u deraadt -f zenicb
mickey p0 versalo.lucifier Wed07PM 15 icb -n mickey -g hackers -s cvs
millert p1 millert-gw.cs.co 3:37PM 2:48 tail -fn-100 /cvs/CVSROOT/ChangeLog
deraadt p2 v.openbsd.org Thu11PM 1:06 -csh
form p3 vell.nsc.ru Thu11PM 21:29 less /cvs/CVSROOT/ChangeLog
pvalchev p4 dsl-dt-207-34-11 Thu05PM 15 tail -fn-50 /home/hack/pvalchev/chan
deraadt p5 zeus.theos.com Wed05PM 0 systat vm 1
deraadt p6 zeus.theos.com Wed05PM 2days tail -f /cvs/CVSROOT/ChangeLog
deraadt p7 zeus.theos.com Wed05PM 3 -csh
deraadt p8 zeus.theos.com Wed05PM 3 gv scanssh.ps
deraadt p9 zeus.theos.com Wed05PM 1:26 emacs -nw -u deraadt -f mh-rmail
deraadt pa zeus.theos.com Wed05PM 16 less machdep.c
deraadt pb zeus.theos.com Wed05PM 16 -csh
deraadt pc zeus.theos.com Wed05PM 5:57 -csh
angelos pd coredump.cs.colu Thu02PM 2:48 icb -g hackers -h localhost -n angel
deraadt pe zeus.theos.com Wed05PM 2:29 -csh
provos pf ssh-mapper.citi. Wed05PM 27:21 tail -f I_AM_A_LUSER_AND_A_MORON
brad q0 speedy.comstyle. Wed06PM 28:27 tail -f /cvs/CVSROOT/ChangeLog
aaron q1 nic-131-c68-101. 8:43AM 15 icb -scvs -ghackers
lebel q2 modemcable093.15 Thu09PM 2:48 -bash
wvdputte q3 reptile.rug.ac.b 5:45AM 12:56 tail -f 2001-09
jason q4 24-168-200-128.w Thu08AM 1day -ksh
deraadt q5 hackphreak.org 4:20AM 0 w

Taken from http://web.textfiles.com/ezines/EL8/el8.3.txt.

Now with this post I don't want to start any wars. I know that nothing is bullet proof and so on but as a wannabe OBSD user I'm just interested in if this compromise was analysed and especially how the code has changed from then, what did you do to make sure that this does not repeat. And if it was a third party app, why wasn't it configured within a jail? Ok, I learned that sysjail was announced on May 22 2006, but surely you have chroot capability. And sysjail is connected with systrace... Well again, don't want to start any flame, just interested how your community responded and responds to issues like that.

With best regards, Jernej
Re: How secure is OpenBSD really
On 4/14/08, Jernej Makovsek [EMAIL PROTECTED] wrote:

Now with this post I don't want to start any wars. I know that nothing is bullet proof and so on but as a wannabe OBSD user I'm just interested in if this compromise was analysed and especially how the code has changed from then, what did you do to make sure that this does not repeat. And if it was a third party app, why wasn't it configured within a jail? Ok, I learned that sysjail was announced on May 22 2006, but surely you have chroot capability. And sysjail is connected with systrace... Well again, don't want to start any flame, just interested how your community responded and responds to issues like that.

Sure, I'll just sum up 6 years of pretty continuous development for you. Unfortunately, it would take too long to read and I don't want to waste any of your time, so I'll just summarize it as lots of changes.