Re: WAY OT: Have you hugged your local OpenBSD dev lately?

2009-12-24 Thread Duncan Patton a Campbell
On Tue, 15 Dec 2009 10:39:33 +1300
Paul M l...@no-tek.com wrote:

 On 15/12/2009, at 7:10 AM, Bob Beck wrote:
 
  | People are at the core motivated by their own self-interest.  Anyone
  | who says they aren't is selling something.
 
  Yes, they're selling hilarity. It's The Onion, after all.
 
  Yes, but it's funny because it's true.  Even OpenBSD developers are
  motivated by self interest...Ever wonder why the answers on misc@ are
  so taunting or dismissive for people who whine without producing code?
 
 Self interest is probably THE most basic instinct of any creature anywhere
 - it's how the species survives.
 Kids learn, as they grow, to temper it and become more 'human', but it
 remains the root of survival of the species.
 

It's just that the boundaries of self interest expand over time.

Like every other kind of shit it expands to fill the allotted space
+ X% where X is a positive integer.

Dhu

 
 paulm



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-18 Thread Lars Nooden
Ted Unangst wrote:
 On Sat, Dec 12, 2009 at 4:47 PM, Lars Nooden lars.cura...@gmail.com wrote:
 So everything under X should be considered available to everything else
 under X.

 I presume new models for displays, or new ways to get some kind of privilege
 separation for X, have been discussed to death already.  Is there any key
 discussion or publication?
 
 I'm not sure what you're after, but two conceivable starting points
 would be the man pages for xauth and XSelectInput.

Those help.  I'm trying to get an idea, even an abstract one, of how
individual windows could be kept from poaching i/o from each other.

/Lars



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-18 Thread Ted Unangst
On Fri, Dec 18, 2009 at 4:31 PM, Lars Nooden lars.cura...@gmail.com wrote:
 Ted Unangst wrote:
 I'm not sure what you're after, but two conceivable starting points
 would be the man pages for xauth and XSelectInput.

 Those help.  I'm trying to get an idea, even an abstract one, of how
 individual windows could be kept from poaching i/o from each other.

XGrabKeyboard.  There's also a whole section on security in man xterm,
sorry, forgot about it before.

But it's no magic bullet.  Suddenly, your window manager hotkeys stop
working, so you can't really have a default "current window grabs
keyboard" policy.  Your screensaver also needs to grab the keyboard.
So if your browser only grabs the keyboard while entering a password
field, that essentially means the screen locker will never activate in
that state.  Rare, but totally confusing to users.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-14 Thread Duncan Patton a Campbell
On Sat, 12 Dec 2009 23:47:38 +0200 (EET)
Lars Nooden lars.cura...@gmail.com wrote:

 On Sat, 12 Dec 2009, Duncan Patton a Campbell wrote:
  On Wed, 18 Nov 2009 21:51:03 -0800
  Ted Unangst ted.unan...@gmail.com wrote:
  How many people are aware that any X program can listen to the
  keystrokes of any other X program?
 
  Any machine running or accessed by an X-machine is fundamentally 
  insecure to whatever level of perms the accessor has.  Which doesn't 
  mean that I don't use X, just that I assume, a-priori, that anything on 
  X is common-wealth.
 
 So everything under X should be considered available to everything else 
 under X.
 
 I presume new models for displays, or new ways to get some kind of 
 privilege separation for X, have been discussed to death 
 already.  Is there any key discussion or publication?
 

I assume you've been to x.org and are asking me for a qualitative assessment
I'm not qualified to answer;-)  Over the years this issue has re-emerged
in various contexts with various proposals and I don't think any resolution
better than a vetted code base has been agreed.

Dhu

 /Lars



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-14 Thread Ted Unangst
On Sat, Dec 12, 2009 at 4:47 PM, Lars Nooden lars.cura...@gmail.com wrote:
 So everything under X should be considered available to everything else
 under X.

 I presume new models for displays, or new ways to get some kind of privilege
 separation for X, have been discussed to death already.  Is there any key
 discussion or publication?

I'm not sure what you're after, but two conceivable starting points
would be the man pages for xauth and XSelectInput.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-14 Thread Marc Espie
On Mon, Dec 14, 2009 at 06:08:30AM -0700, Duncan Patton a Campbell wrote:
 On Sat, 12 Dec 2009 23:47:38 +0200 (EET)
 Lars Nooden lars.cura...@gmail.com wrote:

  On Sat, 12 Dec 2009, Duncan Patton a Campbell wrote:
   On Wed, 18 Nov 2009 21:51:03 -0800
   Ted Unangst ted.unan...@gmail.com wrote:
   How many people are aware that any X program can listen to the
   keystrokes of any other X program?

   Any machine running or accessed by an X-machine is fundamentally 
   insecure to whatever level of perms the accessor has.  Which doesn't 
   mean that I don't use X, just that I assume, a-priori, that anything on 
   X is common-wealth.

  So everything under X should be considered available to everything else 
  under X.

  I presume new models for displays, or new ways to get some kind of 
  privilege separation for X, have been discussed to death 
  already.  Is there any key discussion or publication?

 I assume you've been to x.org and are asking me for a qualitative assessment
 I'm not qualified to answer;-)  Over the years this issue has re-emerged
 in various contexts with various proposals and I don't think any resolution
 better than a vetted code base has been agreed.


Considering the design of X, I don't expect any valid security model to emerge
out of it.

If things are insecure, piling more protocols and more concepts on top of it
is unlikely to make things better. The more complicated, the less secure.

Look at recent X evolution. Tell me which way the wind blows?

The way I read things, they're mostly concerned with getting things faster,
which can often be worthwhile.  And adding more bloat to compete with
Windows applications and eye-candy... that, in some lands, is considered
worthwhile.

From past experience, I would expect much waving of hands over a two-week
period, with lots of experts telling you "It's a complicated problem",
running around in circles finding even MORE complicated problems to solve,
and then things going back to their general state of apathy with respect
to security issues.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-14 Thread Bob Beck
 From past experience, I would expect much waving of hands over a two-week
 period, with lots of experts telling you "It's a complicated problem",
 running around in circles finding even MORE complicated problems to solve,
 and then things going back to their general state of apathy with respect
 to security issues.

I don't believe it's apathy, as much as a realization that in general,
the focus of the developers will always be on speed and eye candy to
the expense of all else, including stability and security.

As such we concentrate on looking at things that can mitigate
somewhat, at least in the saner cases, such as when it is not an
accelerated driver with full access to the machine. Then we at least
have some more secure by default options.

The fact is though, monstrously accelerated X with full access to
the machine hardware bypasses much of the security protection
OpenBSD provides.  Do some people want/need it? Sure. But they should
do so understanding that they are incurring a greater risk by using
it in this manner.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-14 Thread Daniel Ouellet

On 12/14/09 11:43 AM, Bob Beck wrote:

 From past experience, I would expect much waving of hands over a two-week
period, with lots of experts telling you "It's a complicated problem",
running around in circles finding even MORE complicated problems to solve,
and then things going back to their general state of apathy with respect
to security issues.


I don't believe it's apathy, as much as a realization that in general,
the focus of the developers will always be on speed and eye candy to
the expense of all else, including stability and security.

As such we concentrate on looking at things that can mitigate
somewhat, at least in the saner cases, such as when it is not an
accelerated driver with full access to the machine. Then we at least
have some more secure by default options.

The fact is though, monstrously accelerated X with full access to
the machine hardware bypasses much of the security protection
OpenBSD provides.  Do some people want/need it? Sure. But they should
do so understanding that they are incurring a greater risk by using
it in this manner.


Well, Bob, this is much like the new study that just came out for kids;
here replace kids by your favorite X users and X developers that want
these goodies.


The conclusion is pretty much the same and can read like:

The Journal Of Child Psychology And Psychiatry has concluded that an 
estimated 98 percent of children under the age of 10 are remorseless 
sociopaths with little regard for anything other than their own 
egocentric interests and pleasures.


http://www.theonion.com/content/news/new_study_reveals_most_children

I just don't think in this case here that it is limited to Children 
only. (;


Peace,

Daniel



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-14 Thread Bob Beck
 The Journal Of Child Psychology And Psychiatry has concluded that an
 estimated 98 percent of children under the age of 10 are remorseless
 sociopaths with little regard for anything other than their own egocentric
 interests and pleasures.

 http://www.theonion.com/content/news/new_study_reveals_most_children

 I just don't think in this case here that it is limited to Children only.
 (;

The people who publish such research, and those that read it and find
it novel have obviously never been parents themselves, or even
someone's boss.

People are at the core motivated by their own self-interest.  Anyone
who says they aren't is selling something.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-14 Thread Bryan Allen
+--
| On 2009-12-14 10:17:54, Bob Beck wrote:
| 
|  http://www.theonion.com/content/news/new_study_reveals_most_children
| 
| The people who publish such research, and those that read it and find
| it novel have obviously never been parents themselves, or even
| someone's boss.
| 
| People are at the core motivated by their own self-interest.  Anyone
| who says they aren't is selling something.

Yes, they're selling hilarity. It's The Onion, after all.
-- 
bda
cyberpunk is dead. long live cyberpunk.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-14 Thread Bob Beck
 | People are at the core motivated by their own self-interest.  Anyone
 | who says they aren't is selling something.

 Yes, they're selling hilarity. It's The Onion, after all.

Yes, but it's funny because it's true.  Even OpenBSD developers are
motivated by self interest...Ever wonder why the answers on misc@ are
so taunting or dismissive for people who whine without producing code?



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-14 Thread Matthew Szudzik
On Mon, Dec 14, 2009 at 05:03:40PM +0100, Marc Espie wrote:
 Considering the design of X, I don't expect any valid security model to emerge
 out of it.

The "Competitors to X" section of the X11 Wikipedia page has some
interesting comments about alternatives to X:

 http://en.wikipedia.org/wiki/X_Window_System#Competitors_to_X

Unfortunately, none of them are close to becoming a reality in the near
future.



Re: WAY OT: Have you hugged your local OpenBSD dev lately?

2009-12-14 Thread Paul M

On 15/12/2009, at 7:10 AM, Bob Beck wrote:


| People are at the core motivated by their own self-interest.  Anyone
| who says they aren't is selling something.

Yes, they're selling hilarity. It's The Onion, after all.


Yes, but it's funny because it's true.  Even OpenBSD developers are
motivated by self interest...Ever wonder why the answers on misc@ are
so taunting or dismissive for people who whine without producing code?


Self interest is probably THE most basic instinct of any creature anywhere
 - it's how the species survives.
Kids learn, as they grow, to temper it and become more 'human', but it
remains the root of survival of the species.


paulm



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-12 Thread Duncan Patton a Campbell
On Wed, 18 Nov 2009 21:51:03 -0800
Ted Unangst ted.unan...@gmail.com wrote:

 
 How many people are aware that any X program can listen to the  
 keystrokes of any other X program?
 

Any machine running or accessed by an X-machine is fundamentally insecure 
to whatever level of perms the accessor has.  Which doesn't mean that I 
don't use X, just that I assume, a-priori, that anything on X is common-wealth.


Dhu



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-12 Thread Lars Nooden

On Sat, 12 Dec 2009, Duncan Patton a Campbell wrote:

On Wed, 18 Nov 2009 21:51:03 -0800
Ted Unangst ted.unan...@gmail.com wrote:

How many people are aware that any X program can listen to the
keystrokes of any other X program?


Any machine running or accessed by an X-machine is fundamentally 
insecure to whatever level of perms the accessor has.  Which doesn't 
mean that I don't use X, just that I assume, a-priori, that anything on 
X is common-wealth.


So everything under X should be considered available to everything else 
under X.


I presume new models for displays, or new ways to get some kind of 
privilege separation for X, have been discussed to death 
already.  Is there any key discussion or publication?


/Lars



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-26 Thread rhubbell
On Fri, 20 Nov 2009 14:37:36 +1100
Aaron Mason wrote:

 On Fri, Nov 20, 2009 at 2:06 PM, rhubbell rhubb...@ihubbell.com wrote:
  On Fri, 20 Nov 2009 12:02:51 +1100
 
  Definitely not missing the point. Maybe you missed mine. Not worrying
  because you trust everything about OpenBSD and everyone that's worked
  on it and every package you've installed and every piece of hardware
  you've installed, etc., etc.  It's naive to point elsewhere and say
  "see, they're not secure". For example should I trust you and the
  other tooters just because you insist OpenBSD's secure?
 
 
 That's a good point.  However a story told on the testimonials page is
 a good reason not to take our word for it, because it's been
 demonstrated.  A redhat server rooted but OpenBSD servers left after

Maybe an OpenBSD tooter was the rooter?

 being probed is quite a feat.  A P133 w/ 64mb of RAM being floodpinged
 by 900 hosts that only got a little slower from it is also a
 considerable achievement.

Agreed.

 
 
  How would you know if you've been compromised? If it's the crown
  jewels it may be worth it to remain undetected, right? Saying it's not
  possible to avoid detection is naive.
 

 Usually when a machine is compromised, it is then used to attack other

How much is an exploit worth? If you're going to reveal the fact you've
compromised a system, it's not worth that much.

 sites - that would be detected.  A large sudden data transfer from a
 machine with the company's crown jewels on it would be a pretty good
 indicator as well.  If the log files are sent offsite - a very wise
 move I believe - they could contain traces of the attack as well.  I'm
 not naive though - you would actually have to be watching these, and
 if you're not, today's a good day to start.
 
 Hope this helps.
 
 
 --
 Aaron Mason - Programmer, open source addict
 I've taken my software vows - for beta or for worse



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-26 Thread rhubbell
On Fri, 20 Nov 2009 15:31:47 +1100
Rod Whitworth wrote:

 On Thu, 19 Nov 2009 19:06:53 -0800, rhubbell wrote:
 8< snipped for brevity.
  You miss the point - the reason we toot that particular horn is that
  you don't have to worry about those sorts of things (well, apart from
 
 Definitely not missing the point. Maybe you missed mine. Not worrying
 because you trust everything about OpenBSD and everyone that's worked on
 it and every package you've installed and every piece of hardware you've
 installed, etc., etc.  It's naive to point elsewhere and say "see,
 they're not secure". For example should I trust you and the other
 tooters just because you insist OpenBSD's secure?
 
 No. That isn't the point really. It's very rare for OpenBSD to have
 exploits against it but I don't hear any of the developers saying that

How would you know though? Your argument has been compromised because it's
presuming the exploit's detectable.

 it is impregnable, just that it's as good as they can make it for their
 own peace of mind. They are continually re-reading the source and using
 various tools to do audits to help make the code correct. Correct code
 is a foundation of security. 
 As you are new here, you may not yet know that OpenBSD doesn't give a
 stuff about market share and is developed by the devs for their own
 use and if someone else likes it, it's a case of "Here's the ftp server
 or you can buy a CD" and if it suits your purpose, that's fine. If it
 doesn't then we won't cry when you leave.

I'm finding it amusing that when folks on the list ask a question
answered in the docs it's always RTFM. But when not asking for documented
info it comes flowing out. (^:

 
 That has suited me for about 8 years and it has guarded quite a few
 crown jewels for my clients in that time.

Guarded by which definition? Meaning as far as you know it was never
compromised?

 
 Oh, and I'm a retired IBM Linux instructor so I have a pretty good
 insight into the relative merits of this community vs that one.

Too vague for me.
 
 
 
 The point of most chuckling about others (distros,versions, dev teams)
 silly actions is that the OpenBSD community doesn't suffer the
 stupidity du jour. Recent sightings elsewhere are binary blobs,
 proprietary drivers and the really stupid Debian key messup.
 
 Just a bit of Schadenfreude really when you consider that their woe is
 self-inflicted.

Right so my point is that I still find it interesting that
these threads about "look at them" are just some hand-waving.

"Look over there, look how they are, hahaha." That to me is a red flag to
be more vigilant and to not look over there, but they seem to be trying to
distract from vigilance.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-26 Thread rhubbell
On Fri, 20 Nov 2009 08:22:45 -0500
Brad Tilley wrote:

 On Thu, Nov 19, 2009 at 10:06 PM, rhubbell rhubb...@ihubbell.com wrote:
 
  It's naive to point elsewhere and say "see, they're not secure".
 
 Other similar systems are not as secure and that has been objectively
 demonstrated. Here's one example. See the chart at the top of page

Ok, since you say it's objective it must be.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-26 Thread rhubbell
On Fri, 20 Nov 2009 18:22:08 +0100
soko.tica wrote:

 On 11/20/09, rhubbell rhubb...@ihubbell.com wrote:
  Definitely not missing the point. Maybe you missed mine. Not worrying
  because you trust everything about OpenBSD and everyone that's worked
  on it and every package you've installed and every piece of hardware
  you've installed, etc., etc.  It's naive to point elsewhere and say
  "see, they're not secure". For example should I trust you and the
  other tooters just because you insist OpenBSD's secure?
 
 OpenBSD's security isn't affected at all if we, as users, insist on it.

I insist on things all the time.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-26 Thread rhubbell
On Wed, 25 Nov 2009 00:00:08 +1100
SJP Lists wrote:

 2009/11/20 rhubbell rhubb...@ihubbell.com:
 
  Definitely not missing the point. Maybe you missed mine. Not worrying
  because you trust everything about OpenBSD and everyone that's worked
  on it and every package you've installed and every piece of hardware
  you've installed, etc., etc.  It's naive to point elsewhere and say
  "see, they're not secure". For example should I trust you and the
  other tooters just because you insist OpenBSD's secure?
 
 It's not about absolute trust, or faith, it's about playing the odds.
 
 You can choose an OS built with security as the primary focus at one
 extreme, or one that's insecure by default at the other.
 
 No OS will be absolutely secure, but at least one tries to be.
 
I know.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-26 Thread Brad Tilley
On Thu, Nov 26, 2009 at 2:10 PM, rhubbell rhubb...@ihubbell.com wrote:
 On Fri, 20 Nov 2009 08:22:45 -0500
 Brad Tilley wrote:

 On Thu, Nov 19, 2009 at 10:06 PM, rhubbell rhubb...@ihubbell.com wrote:

  It's naive to point elsewhere and say "see, they're not secure".

 Other similar systems are not as secure and that has been objectively
 demonstrated. Here's one example. See the chart at the top of page

 Ok, since you say it's objective it must be.

It's as objective as you'll find. OpenSolaris is based on Solaris
which is Sun's OS (Sun sponsored the research) and they treated
OpenSolaris just like the others. One concern was the amount of change
compared to the amount of bugs. From the paper, "... The Linux kernel
has been checked with the Coverity Prevent tool in multiple years. It
was surprising to us to find that many bugs in code we thought to be
clean, however, the churn rate in the Linux community is higher than
that in the other two communities."

Rate of change is crucial. I just saw this quote from Greg
Kroah-Hartman in an interview at http://howsoftwareisbuilt.com: "Well,
just to touch back on that rate of change that I mentioned before, I
just looked it up, and we add 11,000 lines, remove 5500 lines, and
modify 2200 lines every single day [to the Linux kernel]."

Systems with that amount of change are more prone to failure. I would
not want to fly on an airplane that got a new, different engine bolted
on every week. I think that's the point of the comparisons. Nothing
against other systems, they are fine for certain things and thank
goodness for companies such as RedHat that tame that change into
something manageable.

Brad



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-24 Thread SJP Lists
2009/11/20 rhubbell rhubb...@ihubbell.com:

 Definitely not missing the point. Maybe you missed mine. Not worrying
 because you trust everything about OpenBSD and everyone that's worked on
 it and every package you've installed and every piece of hardware you've
 installed, etc., etc.  It's naive to point elsewhere and say "see, they're
 not secure". For example should I trust you and the other tooters just
 because you insist OpenBSD's secure?

It's not about absolute trust, or faith, it's about playing the odds.

You can choose an OS built with security as the primary focus at one
extreme, or one that's insecure by default at the other.

No OS will be absolutely secure, but at least one tries to be.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-20 Thread Brad Tilley
On Thu, Nov 19, 2009 at 10:06 PM, rhubbell rhubb...@ihubbell.com wrote:

 It's naive to point elsewhere and say "see, they're not secure".

Other similar systems are not as secure and that has been objectively
demonstrated. Here's one example. See the chart at the top of page
three: 
http://research.sun.com/projects/downunder/publications/documents/kca09.pdf

If you care about these things, then you use OpenBSD.

Brad



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-20 Thread Oliver Peter
On Wed, 18 Nov 2009 16:05:04 -0800
Bryan bra...@gmail.com wrote:

 So glad we don't have these kinds of issues...
 
 https://bugzilla.redhat.com/show_bug.cgi?id=534047

And finally...

https://www.redhat.com/archives/fedora-devel-list/2009-November/msg01445.html

Good fun though.

-- 
Oliver PETER email: oli...@peter.de.com ICQ# 113969174
I'm just a simple man trying to make my way in the universe.
-- Jango Fett



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-20 Thread soko.tica
On 11/20/09, rhubbell rhubb...@ihubbell.com wrote:
 Definitely not missing the point. Maybe you missed mine. Not worrying
 because you trust everything about OpenBSD and everyone that's worked on
 it and every package you've installed and every piece of hardware you've
 installed, etc., etc.  It's naive to point elsewhere and say "see, they're
 not secure". For example should I trust you and the other tooters just
 because you insist OpenBSD's secure?

OpenBSD's security isn't affected at all if we, as users, insist on it.

It's the proven record.

While others get new GUIs with each new release of their OS of choice,
we get tmux, and a security fix for a remote vulnerability in a non-base
package within 2 hours of it becoming known.

We, non-technical users, see the no-nonsense attitude of devs on this very list.

I haven't seen any tooting here, devs are busy with more important
work than to campaign that our OS of choice is in a different league
from any other.

We already know that.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-19 Thread rhubbell
On Fri, 20 Nov 2009 12:02:51 +1100
Aaron Mason wrote:

 On Thu, Nov 19, 2009 at 5:40 PM, rhubbell rhubb...@ihubbell.com wrote:
  On Wed, 18 Nov 2009 16:05:04 -0800
  Bryan wrote:
 
  So glad we don't have these kinds of issues...
 
  New around here, but I'm noticing a lot of tooting of our own
  horn...so to speak.  With all the possible vectors for compromising a
  system that are available it just sounds naive to keep touting how
  secure this or that is. Do you own the physical network that your bits
  traverse? Do you guard your computer 24-7? And on and on.
 
 You miss the point - the reason we toot that particular horn is that
 you don't have to worry about those sorts of things (well, apart from

Definitely not missing the point. Maybe you missed mine. Not worrying
because you trust everything about OpenBSD and everyone that's worked on
it and every package you've installed and every piece of hardware you've
installed, etc., etc.  It's naive to point elsewhere and say "see, they're
not secure". For example should I trust you and the other tooters just
because you insist OpenBSD's secure?

 24-7 guarding, that's an entirely separate problem that has nothing to
 do with OpenBSD or any OS for that matter).  People report that they
 can get a novice colleague to set up an OpenBSD box using just the CD,
 copy the company's crown jewels to it and leave it for a year, knowing
 that it has never been compromised.

How would you know if you've been compromised? If it's the crown jewels it
may be worth it to remain undetected, right? Saying it's not possible to
avoid detection is naive.

 
 
  I will say the Fedora has bigger issues than allowing users to install
  pkgs. I just went through trying out Fedora 11 and it was a nightmare
  to me.  Doing simple things with the network has been made so painful
  that clawing out my eyes started to seem like relief.  But maybe all
  flavors are going this way. Part of the never ending bloat.
 
 
 
 OpenBSD is one of a few OSes that aren't taking this path.  If you
 want the bloat, you add it yourself - it isn't included out of the
 box.

Right, it's why I am trying it out.

 
 I used to run Ubuntu on my firewall - I found it easier to edit
 /etc/network/interfaces manually than to use GNOME's retarded GUI
 network config tool.  I fired up OpenBSD 4.5 and haven't looked back.

Yep, been there, used ubuntu for a while, recently tried Fedora11 and now
here I am.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-19 Thread Aaron Mason
On Fri, Nov 20, 2009 at 2:06 PM, rhubbell rhubb...@ihubbell.com wrote:
 On Fri, 20 Nov 2009 12:02:51 +1100

 Definitely not missing the point. Maybe you missed mine. Not worrying
 because you trust everything about OpenBSD and everyone that's worked on
 it and every package you've installed and every piece of hardware you've
 installed, etc., etc.  It's naive to point elsewhere and say "see, they're
 not secure". For example should I trust you and the other tooters just
 because you insist OpenBSD's secure?


That's a good point.  However a story told on the testimonials page is
a good reason not to take our word for it, because it's been
demonstrated.  A redhat server rooted but OpenBSD servers left after
being probed is quite a feat.  A P133 w/ 64mb of RAM being floodpinged
by 900 hosts that only got a little slower from it is also a
considerable achievement.


 How would you know if you've been compromised? If it's the crown jewels it
 may be worth it to remain undetected, right? Saying it's not possible to
 avoid detection is naive.


Usually when a machine is compromised, it is then used to attack other
sites - that would be detected.  A large sudden data transfer from a
machine with the company's crown jewels on it would be a pretty good
indicator as well.  If the log files are sent offsite - a very wise
move I believe - they could contain traces of the attack as well.  I'm
not naive though - you would actually have to be watching these, and
if you're not, today's a good day to start.

Hope this helps.


--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
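
The two indicators Aaron names above, a sudden large outbound transfer from a host and a host that starts initiating connections to many external sites it never spoke to before, as an added example that is not code from the thread or from OpenBSD. The flow record format ("day src dst bytes"), the sample records and the thresholds are constructed for the example; in practice the records would come from a flow exporter or firewall logs shipped to a separate log host, as Aaron suggests.

```python
"""Two egress indicators of compromise, scored against each host's own history.

Added example, not from the thread or from OpenBSD.  Flow format, sample data
and thresholds are constructed; the logic is what a log watcher would apply.
"""
from collections import defaultdict
from statistics import median

MIN_HISTORY_DAYS = 3       # days of baseline needed before judging a host
SPIKE_FACTOR = 10          # flag a day above this multiple of the host's median
MIN_NEW_DESTINATIONS = 5   # flag a day with at least this many never-seen peers

# Constructed sample.  10.0.0.5 talks to one host every day, then on
# 2009-11-19 ships ~41 MB to a new host and touches five more new ones.
# 10.0.0.9 is a quiet control host that must never be flagged.
SAMPLE_FLOWS = """\
2009-11-13 10.0.0.5 203.0.113.10 142000
2009-11-14 10.0.0.5 203.0.113.10 153000
2009-11-15 10.0.0.5 203.0.113.10 134000
2009-11-16 10.0.0.5 203.0.113.10 165000
2009-11-17 10.0.0.5 203.0.113.10 146000
2009-11-18 10.0.0.5 203.0.113.10 163000
2009-11-19 10.0.0.5 203.0.113.10 121000
2009-11-19 10.0.0.5 198.51.100.7 41000000
2009-11-19 10.0.0.5 198.51.100.20 900
2009-11-19 10.0.0.5 198.51.100.21 900
2009-11-19 10.0.0.5 198.51.100.22 900
2009-11-19 10.0.0.5 198.51.100.23 900
2009-11-19 10.0.0.5 198.51.100.24 900
2009-11-13 10.0.0.9 203.0.113.10 50000
2009-11-14 10.0.0.9 203.0.113.10 52000
2009-11-15 10.0.0.9 203.0.113.10 49000
2009-11-16 10.0.0.9 203.0.113.10 51000
2009-11-17 10.0.0.9 203.0.113.10 53000
2009-11-18 10.0.0.9 203.0.113.10 50000
2009-11-19 10.0.0.9 203.0.113.10 52000
"""


def parse_flows(text):
    """Parse 'day src dst bytes' lines; blank lines and # comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, dst, nbytes = line.split()
        flows.append((day, src, dst, int(nbytes)))
    return flows


def per_host_days(flows):
    """Group flows into {src: {day: [total_bytes, {destinations}]}}."""
    table = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for day, src, dst, nbytes in flows:
        entry = table[src][day]
        entry[0] += nbytes
        entry[1].add(dst)
    return table


def detect_volume_spikes(flows, factor=SPIKE_FACTOR):
    """Days where a host's egress exceeds `factor` times its own prior median."""
    findings = []
    for src, days in per_host_days(flows).items():
        ordered = sorted(days)            # ISO dates sort chronologically
        for i, day in enumerate(ordered):
            history = [days[d][0] for d in ordered[:i]]
            if len(history) < MIN_HISTORY_DAYS:
                continue                  # not enough baseline yet
            baseline = median(history)
            total = days[day][0]
            if total > factor * baseline:
                findings.append({"src": src, "day": day,
                                 "bytes": total, "baseline": baseline})
    return findings


def detect_new_destinations(flows, min_new=MIN_NEW_DESTINATIONS):
    """Days where a host first contacts at least `min_new` never-seen peers."""
    findings = []
    for src, days in per_host_days(flows).items():
        ordered = sorted(days)
        seen = set()
        for i, day in enumerate(ordered):
            new = days[day][1] - seen
            if i >= MIN_HISTORY_DAYS and len(new) >= min_new:
                findings.append({"src": src, "day": day,
                                 "new_destinations": sorted(new)})
            seen |= days[day][1]
    return findings


def report(text=SAMPLE_FLOWS):
    """Run both detectors over a flow text and return their findings."""
    flows = parse_flows(text)
    return {"spikes": detect_volume_spikes(flows),
            "new_destinations": detect_new_destinations(flows)}
```

Both checks compare a host with its own past rather than with a fixed limit, which is what makes a quiet "crown jewels" box stand out the day it starts behaving differently.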



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-19 Thread Rod Whitworth
On Thu, 19 Nov 2009 19:06:53 -0800, rhubbell wrote:
8< snipped for brevity.
 You miss the point - the reason we toot that particular horn is that
 you don't have to worry about those sorts of things (well, apart from

Definitely not missing the point. Maybe you missed mine. Not worrying
because you trust everything about OpenBSD and everyone that's worked on
it and every package you've installed and every piece of hardware you've
installed, etc., etc.  It's naive to point elsewhere and say "see, they're
not secure". For example should I trust you and the other tooters just
because you insist OpenBSD's secure?

No. That isn't the point really. It's very rare for OpenBSD to have
exploits against it but I don't hear any of the developers saying that
it is impregnable, just that it's as good as they can make it for their
own peace of mind. They are continually re-reading the source and using
various tools to do audits to help make the code correct. Correct code
is a foundation of security. 
As you are new here, you may not yet know that OpenBSD doesn't give a
stuff about market share and is developed by the devs for their own
use and if someone else likes it, it's a case of "Here's the ftp server
or you can buy a CD" and if it suits your purpose, that's fine. If it
doesn't then we won't cry when you leave.

That has suited me for about 8 years and it has guarded quite a few
crown jewels for my clients in that time.

Oh, and I'm a retired IBM Linux instructor so I have a pretty good
insight into the relative merits of this community vs that one.



The point of most chuckling about others (distros,versions, dev teams)
silly actions is that the OpenBSD community doesn't suffer the
stupidity du jour. Recent sightings elsewhere are binary blobs,
proprietary drivers and the really stupid Debian key messup.

Just a bit of Schadenfreude really when you consider that their woe is
self-inflicted.



*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.



OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Bryan
So glad we don't have these kinds of issues...

https://bugzilla.redhat.com/show_bug.cgi?id=534047



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Gilles Chehade
On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote:
 So glad we don't have these kinds of issues...
 
 https://bugzilla.redhat.com/show_bug.cgi?id=534047
 

no one offered a diff to implement that feature on OpenBSD yet?
it can easily be done by writing a sudoKit policy :-)

Gilles

-- 
Gilles Chehade
freelance developer/sysadmin/consultant

   http://www.poolp.org



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Abel Abraham Camarillo Ojeda
On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote:
 So glad we don't have these kinds of issues...
 
 https://bugzilla.redhat.com/show_bug.cgi?id=534047
 

Wow that's tremendously funny.

-- 
DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/ 
This message will self-destruct in 3 seconds.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Bryan
On Wed, Nov 18, 2009 at 16:55, Abel Abraham Camarillo Ojeda
acam...@the00z.org wrote:
 On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote:
 So glad we don't have these kinds of issues...

 https://bugzilla.redhat.com/show_bug.cgi?id=534047


 Wow that's tremendously funny.

 --
 DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/
 This message will self-destruct in 3 seconds.


I particularly like comment #8, where one of the devs basically says
this is a feature, not a bug



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Ted Unangst
Before everyone goes too bonkers, consider exactly how safe/dangerous  
this behavior actually is on a single user machine.  Food for thought.


Think to yourself: what *exactly* is the difference between the only  
user account on your machine and root? How are you safe?


On Nov 18, 2009, at 4:05 PM, Bryan bra...@gmail.com wrote:


So glad we don't have these kinds of issues...

https://bugzilla.redhat.com/show_bug.cgi?id=534047




Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Theo de Raadt
 Before everyone goes too bonkers, consider exactly how safe/dangerous  
 this behavior actually is on a single user machine.  Food for thought.
 
 Think to yourself: what *exactly* is the difference between the only  
 user account on your machine and root? How are you safe?

Not everyone runs firefox as root, like you Ted.

Blurring all the lines is the wrong assessment.  Yes, a lot of safety
is about hurdles.  The sidewalk is raised to a different height than
the road as a hurdle, and it has a safety benefit.  It reduces the
danger for pedestrians because drivers don't want the hurdle of
replacing their rims.  That is safety.

I prefer the hurdles.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Martin Schröder
2009/11/19 Ted Unangst ted.unan...@gmail.com:
 Think to yourself: what *exactly* is the difference between the only user
 account on your machine and root? How are you safe?

And then you create a guest account on your netbook...

Read the comments. There are some interesting exploits for this...

Best
   Martin



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Eric Furman
On Wed, 18 Nov 2009 17:08 -0800, Bryan bra...@gmail.com wrote:
 On Wed, Nov 18, 2009 at 16:55, Abel Abraham Camarillo Ojeda
 acam...@the00z.org wrote:
  On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote:
  So glad we don't have these kinds of issues...
 
  https://bugzilla.redhat.com/show_bug.cgi?id=534047
 
 
  Wow that's tremendously funny.
 
  --
  DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/
  This message will self-destruct in 3 seconds.
 
 
 I particularly like comment #8, where one of the devs basically says
 this is a feature, not a bug
 

Holy crap, you're right! This is funny as hell.
I originally had not read the comments section.
I especially liked;
I don't particularly care how UNIX has always worked.
In other words; I don't particularly care about security you
masturbating monkeys. :)



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Abel Abraham Camarillo Ojeda
On Wed, Nov 18, 2009 at 05:38:38PM -0800, Ted Unangst wrote:
 Before everyone goes too bonkers, consider exactly how safe/dangerous  
 this behavior actually is on a single user machine.  Food for thought.

 Think to yourself: what *exactly* is the difference between the only  
 user account on your machine and root? How are you safe?

 On Nov 18, 2009, at 4:05 PM, Bryan bra...@gmail.com wrote:

 So glad we don't have these kinds of issues...

 https://bugzilla.redhat.com/show_bug.cgi?id=534047


Well, I think that the problem is that the new *feature* is enabled by
default; it will definitely be useful on desktops/netbooks/whatever.

-- 
DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/ 
This message will self-destruct in 3 seconds.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread James Peltier
--- On Wed, 11/18/09, Bryan bra...@gmail.com wrote:

 From: Bryan bra...@gmail.com
 Subject: OT: Have you hugged your local OpenBSD dev lately?
 To: Misc OpenBSD misc@openbsd.org
 Received: Wednesday, November 18, 2009, 7:05 PM
 So glad we don't have these kinds of
 issues...
 
 https://bugzilla.redhat.com/show_bug.cgi?id=534047
 
 

This is a blatant ID10T error.  Comments 9 and 10 are my favorite.  Last I 
looked it *was* insecure to let non-root users install software let alone do it 
by default and without a password!


---
James A. Peltier james_a_pelt...@yahoo.ca





Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Ted Unangst
On Nov 18, 2009, at 5:47 PM, Theo de Raadt dera...@cvs.openbsd.org  
wrote:



Before everyone goes too bonkers, consider exactly how safe/dangerous
this behavior actually is on a single user machine.  Food for  
thought.


Think to yourself: what *exactly* is the difference between the only
user account on your machine and root? How are you safe?


Not everyone runs firefox as root, like you Ted.


It's the easiest way to nice it to -10...




Blurring all the lines is the wrong assessment.  Yes, a lot of safety
is about hurdles.  The sidewalk is raised to a different height than
the road as a hurdle, and it has a safety benefit.  It reduces the
danger for pedestrians because drivers don't want the hurdle of
replacing their rims.  That is safety.

I prefer the hurdles.




Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Ted Unangst

If you give untrusted people unsupervised access to your laptop, I
hope you have a better lock than I do.

On Nov 18, 2009, at 5:45 PM, Martin Schröder mar...@oneiros.de wrote:


2009/11/19 Ted Unangst ted.unan...@gmail.com:

Think to yourself: what *exactly* is the difference between the
only user
account on your machine and root? How are you safe?


And then you create a guest account on your netbook...

Read the comments. There are some interesting exploits for this...

Best
  Martin




Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Ted Unangst

Not a change I would make, but for a desktop? Not a big deal.

On Nov 18, 2009, at 5:48 PM, Eric Furman misc@openbsd.org wrote:


but making it *default* behaviour??

On Wed, 18 Nov 2009 17:38 -0800, Ted Unangst ted.unan...@gmail.com
wrote:

Before everyone goes too bonkers, consider exactly how safe/dangerous
this behavior actually is on a single user machine.  Food for  
thought.


Think to yourself: what *exactly* is the difference between the only
user account on your machine and root? How are you safe?

On Nov 18, 2009, at 4:05 PM, Bryan bra...@gmail.com wrote:


So glad we don't have these kinds of issues...

https://bugzilla.redhat.com/show_bug.cgi?id=534047




Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Jacob Meuser
On Wed, Nov 18, 2009 at 05:38:38PM -0800, Ted Unangst wrote:
 Before everyone goes too bonkers, consider exactly how safe/dangerous  
 this behavior actually is on a single user machine.

but did they also by default restrict the system to 1 user?

it's not so much the idea that's laughable, but the way it was
implemented.

What I contest is that to *undo* it you need to be an experienced
system admin that knows how to write policykit policies and where
to drop them.

I think we can count the number of people able to do that on the
tips of my fingers. - Simo Sorce, Software Engineer at Red Hat, Inc.

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Ted Unangst
To be sure, I don't think it's the best idea. But practically? For
actual users running Fedora? I doubt the change makes much difference
for many of them.


The reason I even brought this up is not because I like the idea, but  
because I think it is a good opportunity to reflect on what user  
permissions accomplish on a typical desktop machine. Consider where  
your secrets, whatever they may be, are kept and how you access them.


How many people are aware that any X program can listen to the  
keystrokes of any other X program?


When you type your password into sudo, how do you know it's the real  
sudo? How do you know you aren't running badsudo because you're  
actually running badsh and it redirected your path?


On Nov 18, 2009, at 8:49 PM, Jacob Meuser jake...@sdf.lonestar.org  
wrote:



On Wed, Nov 18, 2009 at 05:38:38PM -0800, Ted Unangst wrote:

Before everyone goes too bonkers, consider exactly how safe/dangerous
this behavior actually is on a single user machine.


but did they also by default restrict the system to 1 user?

it's not so much the idea that's laughable, but the way it was
implemented.

What I contest is that to *undo* it you need to be an experienced
system admin that knows how to write policykit policies and where
to drop them.

I think we can count the number of people able to do that on the
tips of my fingers. - Simo Sorce, Software Engineer at Red Hat, Inc.

--
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
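
An added example, not code from this thread or from OpenBSD, that makes Ted's
"how do you know it's the real sudo" question concrete from the checking side.
The first function resolves a command name against a PATH string in the same
left-to-right order the shell uses, so you can see which file a name like
sudo would actually run; the second flags PATH entries that let a process
running as you shadow the real binary (empty or "." entries, relative
entries, and directories you can write to that sit ahead of the trusted
one). The trusted directory /usr/bin is an assumption; pass your own.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenBSD code): plain POSIX sh.
# The assumed location of the genuine sudo is /usr/bin; override via $2.

# first_match PATHSTRING NAME
#   Print the first executable NAME found walking PATHSTRING left to
#   right, exactly as the shell would.  Returns 1 if nothing matched.
first_match() {
    rest="$1:"
    name="$2"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"     # segment before the next colon
        rest="${rest#*:}"       # drop it (and the colon) from the remainder
        if [ -z "$entry" ]; then
            entry="."           # an empty segment means "current directory"
        fi
        if [ -f "$entry/$name" ] && [ -x "$entry/$name" ]; then
            printf '%s\n' "$entry/$name"
            return 0
        fi
    done
    return 1
}

# audit_path PATHSTRING [TRUSTED_DIR]
#   Print one line per risky entry and a final count.  Returns 0 when the
#   PATH string is clean, 1 otherwise.  Risky means: the current directory
#   is searched (empty or "." entry), an entry is relative, or a directory
#   the current user can write to is searched before TRUSTED_DIR, which is
#   where a look-alike binary could be dropped to shadow the real one.
#   Entries that do not exist are not flagged here; they only matter if
#   the user can create them, which this check does not try to decide.
audit_path() {
    rest="$1:"
    trusted="${2:-/usr/bin}"
    findings=0
    reached=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        if [ -z "$entry" ] || [ "$entry" = "." ]; then
            echo "RISK: current directory is searched (empty or '.' entry)"
            findings=$((findings + 1))
            continue
        fi
        case "$entry" in
            /*) ;;
            *)  echo "RISK: relative entry '$entry' depends on the working directory"
                findings=$((findings + 1))
                continue ;;
        esac
        if [ "$entry" = "$trusted" ]; then
            reached=1           # everything after this cannot shadow $trusted
        fi
        if [ "$reached" -eq 0 ] && [ -d "$entry" ] && [ -w "$entry" ]; then
            echo "RISK: '$entry' is writable by you and is searched before $trusted"
            findings=$((findings + 1))
        fi
    done
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Usage: audit the live environment and show what "sudo" resolves to.
audit_path "$PATH" /usr/bin
first_match "$PATH" sudo || echo "sudo not found in PATH"
```

Compare the path first_match prints with the package's own install location;
a mismatch, or any RISK line from audit_path, is the situation Ted describes,
where the name you typed is not the program you think it is.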




Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread rhubbell
On Wed, 18 Nov 2009 16:05:04 -0800
Bryan wrote:

 So glad we don't have these kinds of issues...

New around here, but I'm noticing a lot of tooting of our own horn...so to
speak.  With all the possible vectors for compromising a system that are
available it just sounds naive to keep touting how secure this or that is.
Do you own the physical network that your bits traverse? Do you guard your
computer 24-7? And on and on.

I will say that Fedora has bigger issues than allowing users to install
pkgs. I just went through trying out Fedora 11 and it was a nightmare to
me.  Doing simple things with the network has been made so painful that
clawing out my eyes started to seem like relief.  But maybe all flavors
are going this way. Part of the never ending bloat.