Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On 2020-05-13 11:02, i...@aulix.com wrote: (all your emails to @misc) Dear Info, the best way to get answers to all of your questions regarding OpenBSD is to try and run OpenBSD for a few years trying to make it help with your real-world needs, such as personal laptop, home gateway, personal email or web server etc. After some time, you will be able to decide wheather OpenBSD is the right choice for you. You should be able to find majority of answers to your questions regarding OpenBSD in manpages, FAQ, and books similar to "Absolute OpenBSD", "The Book of PF" etc. There are also various blogs from OpenBSD users, whose quality varies from very bad to very good. As for idle gossip, I can suggest local bars, which is what I use. I understand they are all closed now due to current situation with pandemic, but @misc mailing list is really poor substitute. Regards, -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
> This is "testing the waters" racism. Where did you find an indication of a racism?
Re: OpenSSH FIDO (Nitrokey) support (Was: Re: OpenBSD insecurity rumors from isopenbsdsecu.re)
Btw, thanks for this site link, may be something like: https://web.archive.org/web/20200513115537/https://undeadly.org/cgi?action=article=20190302235509 could work. > On Wed, May 13, 2020 at 12:59:26PM +0200, i...@aulix.com wrote: > >> Thanks for your suggestion, >> >> but googling for keys: +openbsd +nitrokey >> >> does not indicate anything interesting except a few of my own questions on >> the Nitrokey support forum. > > I had to look up "Nitrokey" to verify that it was what I thought it was, but > that had me > do a quick search for "OpenSSH FIDO support", which turned up among other > things this > article: https://undeadly.org/cgi?action=article;sid=20191115064850 as well > as a number > of blog posts and HOWTO-ish pieces that seem to indicate that quite likely > the combination > would work. > > I haven't tried the thing myself, but you should be able to find the same > stuff I did > on the web. Then you could probably find a way to test with an OpenBSD setup > in a way > that does not break things too horribly in case anything fails. > > All the best, > > -- > Peter N. M. Hansteen, member of the first RFC 1149 implementation team > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ > "Remember to set the evil bit on all malicious network traffic" > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On Tue, May 12, 2020 at 05:09:16AM +0200, i...@aulix.com wrote: > Treat it as my secret, I want and that is why I ask because I can, I wish you > tell me the answer without a knowledge of "why I ask", > it is a very long discussion of answering by a question to question in your > Jewish style, is not it? NOPE. This is "testing the waters" racism. NOPE NOPE NOPE. We have this in the US right now all over the place. This is casual "slip in some comment and see" if I can ramp it up. It might not seem like a big deal, but I'm seeing nazi flags and confederate flags IRL now, and I think this right here is how it starts. GTFO
Re: OpenSSH FIDO (Nitrokey) support (Was: Re: OpenBSD insecurity rumors from isopenbsdsecu.re)
Thanks for suggestion, I already have seen it and even contacted SSH developer Damien Miller regarding FIDO key support a few weeks ago. What I am looking for right now is something different, it is if ssh-pkcs11-helper works with SSHD daemon on OpenBSD to store there its server private key in a general Nitrokey Pro 2 (not HSM). Btw, I am going to use several client side dongles at once for a single SSH session like Rutoken ECP2, FIDO2, and Nitrokey Pro 2 only on the server yet. > On Wed, May 13, 2020 at 12:59:26PM +0200, i...@aulix.com wrote: > >> Thanks for your suggestion, >> >> but googling for keys: +openbsd +nitrokey >> >> does not indicate anything interesting except a few of my own questions on >> the Nitrokey support forum. > > I had to look up "Nitrokey" to verify that it was what I thought it was, but > that had me > do a quick search for "OpenSSH FIDO support", which turned up among other > things this > article: https://undeadly.org/cgi?action=article;sid=20191115064850 as well > as a number > of blog posts and HOWTO-ish pieces that seem to indicate that quite likely > the combination > would work. > > I haven't tried the thing myself, but you should be able to find the same > stuff I did > on the web. Then you could probably find a way to test with an OpenBSD setup > in a way > that does not break things too horribly in case anything fails. > > All the best, > > -- > Peter N. M. Hansteen, member of the first RFC 1149 implementation team > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ > "Remember to set the evil bit on all malicious network traffic" > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
OpenSSH FIDO (Nitrokey) support (Was: Re: OpenBSD insecurity rumors from isopenbsdsecu.re)
On Wed, May 13, 2020 at 12:59:26PM +0200, i...@aulix.com wrote: > Thanks for your suggestion, > > but googling for keys: +openbsd +nitrokey > > does not indicate anything interesting except a few of my own questions on > the Nitrokey support forum. I had to look up "Nitrokey" to verify that it was what I thought it was, but that had me do a quick search for "OpenSSH FIDO support", which turned up among other things this article: https://undeadly.org/cgi?action=article;sid=20191115064850 as well as a number of blog posts and HOWTO-ish pieces that seem to indicate that quite likely the combination would work. I haven't tried the thing myself, but you should be able to find the same stuff I did on the web. Then you could probably find a way to test with an OpenBSD setup in a way that does not break things too horribly in case anything fails. All the best, -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
Thanks for your suggestion, but googling for keys: +openbsd +nitrokey does not indicate anything interesting except a few of my own questions on the Nitrokey support forum. I would like to hear from some real OpenBSD user about he is happy with Nitrokey on OpenBSD. Another my point is about hardware security, it does not matter how long someone uses an operation system like OpenBSD (10 or 20 years) unless he has a very special knowledge he will not determine any hardware insecurities without external help. > On 2020-05-13 11:02, i...@aulix.com wrote: > >>> (all your emails to @misc) > > Dear Info, > > the best way to get answers to all of your questions regarding OpenBSD > is to try and run OpenBSD for a few years trying to make it help with > your real-world needs, such as personal laptop, home gateway, personal > email or web server etc. After some time, you will be able to decide > wheather OpenBSD is the right choice for you. > > You should be able to find majority of answers to your questions > regarding OpenBSD in manpages, FAQ, and books similar to "Absolute > OpenBSD", "The Book of PF" etc. There are also various blogs from > OpenBSD users, whose quality varies from very bad to very good. > > As for idle gossip, I can suggest local bars, which is what I use. I > understand they are all closed now due to current situation with > pandemic, but @misc mailing list is really poor substitute. > > Regards, > > -- > Before enlightenment - chop wood, draw water. > After enlightenment - chop wood, draw water. > > Marko Cupać > https://www.mimar.rs/
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
> Free advice from a fellow East European who might better understand your obnoxious behaviour on this list: I find behavior of commenters like you much more obnoxious and simply trolling me and the whole topic of this thread and some interesting facts mentioned here which might not please people (agents?) like you. >This community's motto is "Shut up and hack!". Is not it idiotic to hack (work on it, spend time and resources on it) something until you know exactly if it really solves your problem? >You are just talking a lot about OpenBSD and not hacking at all on OpenBSD >stuff. See answer above. I would not spend a single second of my life for working on something before I try to verify it is useful enough for me and makes me some type of a profit. > By now, probably lots of people just ignore you, because your frequent (and sometimes naive) emails amount to spam for most of them, especially the most knowledgeable. Trolls like you often like to say from a position of "all", though you are NOT all even in a very nearest approach. Actually you a minority opinions of whom is not interesting for me and most likely harmful and trying to create wrong beliefs for me. I am interested only in answers of positive minded people who are willing to help and prefer to ban out trolls like you from my thread, though it is obvious if even trolls have power to blacklist my e-mail I can automate with ZennoPoster or pure DotNet/Mono a routing to register under a new account in a about 1 min under a new e-mail with new domain and continue discussion only with a positive part of the community.
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
And who the fuck gave you permission to talk cockbreath? ‐‐‐ Original Message ‐‐‐ On Monday, May 11, 2020 8:03 PM, Daniel Jakots wrote: > On Mon, 11 May 2020 17:27:24 +, slackwaree > slackwa...@protonmail.com wrote: > > > I wish if the someone who took the time to make this page at least > > would make an antisystemD page instead. > > I doubt anyone asked you how they should spend their time. > > > Let's face it how much time that old fart linus has, maybe > > COVID takes him too. > > Are you really saying you hope he dies? No I don't hope that this shithill dies, I hope half of the world population dies because they ain't good for anything. Eating shitting fuckmachines. All they know how to shit out retards like you. You surely ain't come out on the front hole but the back go back sit in a corner. > What the fuck is wrong with you? > > > I couldn't care less either, all I care is my > > BSD servers uptime 600+ days and not 1 day I worry about their > > security. > > You are clearly clueless. Ain't worth my time maggot, kind of you should die in COVID with their tard family. > > Please refrain from posting again such shitty emails. > > Thanks, > Daniel
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
Please leave, optionally seek professional help and never come back. -- I'm not entirely sure you are real.
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
> What exactly does your budget mean? These are all free, open source > operating system. You may sell both OpenBSD and any installations and > consulting. That could improve your income for your budget. I am in the process of trying to find a devops remote work, may be it will improve my budget, actually I am not familiar with current global market and my position in it and not sure if I have enough time to get a secure working place before I will have to look for cheaper and less qualified job alternatives not so sensitive to my working place security. > Open source means that most developers work for free and fun or to > obtain something they in particular want. Convince some developers to > work on your own desires, whether with OpenBSD or elsewhere. I am just trying to get a help at least with a simple question if Orange PI ONE (Cortex A7 free of Spectre issue) + Nitrokey Pro 2 + OpenBSD is enough for a secure SSH server and client end points, still nobody told anything related to it. Or may be anyone knows are there any better alternatives? > >> I guess it is a huge work to harden Linux installation to a level compared >> to OpenBSD, there is some interesting work which is by Whonix but >> unfortunately with systemd, and it seems someone from that community is >> referring to isopenbsdsecu.re site, so it looks to me like a OpenBSD vs >> Whonix dispute, excuse me if I am wrong. > > Linus actively discourages security work. OpenBSD is thrilled to > actively work on security. A major compenent that brings security > benefits is simple auditing of code, not for security but for > correctness. > If you are seeking perfect security, YOU CAN'T HAVE IT! > It is impossible. Not even agencies such as the NSA, etc have it. > Remember Edward Snowden? All systems can be breached. Period. Then how can I provide a good level of security for my remote client if everything can be broken? How much does it cost to break remotely into a SSH server running OpenBSD on Orange PI ONE with SSH private keys stored in Nitrokey Pro 2? If I connect to it from my home from a similar dedicated console (say Cubietruck + Nitrokey Pro 2 + OpenBSD) without any other spare software on that board? It will be dedicated only for devops activity. On both side of the channel would be a firewall which allows connection only for specified IP addresses (me and the client). Local physical perimeter is secured at least against external threats, I cannot protect from a teleportation :) But presumably it is not possible to reflash Orangle PI Boot ROM or Nitrokey Pro 2 anyway and I can periodically verify integrity of OpenBSD installation on the SD card. Any other applications except SSH and ansible like browsers would be running from another computers or cloud VM. > > My suggestion is to stop taking a confrontational attitude ( you may not > even realize you are doing it) and try to take a congenial attitude. It > will always produce more good results than confrontation. Good point, I am just trying to, OpenBSD chat and community is very nice, it is very interesting to talk to such high qualified persons, Thank you
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On Tue, May 12, 2020 at 07:17:44AM +0200, i...@aulix.com wrote: > I would prefer to begin from grsecurity, but it is not available up to date > for my budget. > What exactly does your budget mean? These are all free, open source operating system. You may sell both OpenBSD and any installations and consulting. That could improve your income for your budget. > I would also try HardenedBSD, but it is only amd64 now? And how many active > developers there are? one or two? > I run two intel based servers with OpenBSD amd64. They run flawlessly. > OpenBSD looks as the only viable option for me right now, may be one another > is a systemd free distro like Devuan with a hardened kernel like by @anthrax, > but I am too unskilled even to understand what are improvements of @anthrax > kernel for me without a good doc for it in the existence, and on the other > hand OpenBSD is famous with its very good documentation. Open source means that most developers work for free and fun or to obtain something they in particular want. Convince some developers to work on your own desires, whether with OpenBSD or elsewhere. > > I guess it is a huge work to harden Linux installation to a level compared to > OpenBSD, there is some interesting work which is by Whonix but unfortunately > with systemd, and it seems someone from that community is referring to > isopenbsdsecu.re site, so it looks to me like a OpenBSD vs Whonix dispute, > excuse me if I am wrong. > Linus actively discourages security work. OpenBSD is thrilled to actively work on security. A major compenent that brings security benefits is simple auditing of code, not for security but for correctness. If you are seeking perfect security, YOU CAN'T HAVE IT! It is impossible. Not even agencies such as the NSA, etc have it. Remember Edward Snowden? All systems can be breached. Period. My suggestion is to stop taking a confrontational attitude ( you may not even realize you are doing it) and try to take a congenial attitude. It will always produce more good results than confrontation. Chris Bennett PS. Please format your emails to 80 or 72 character width. Your long lines are mildly irritating and non-standard in the Unix-like world. Or just hit enter more often.
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
>Also NSA controls your brain with 5G radio waves. Go burn some towers in the name of the Freedom! Would not just a foil hat help? Do you have some OpenBSD edition?
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On Tue, 12 May 2020 at 09:47, wrote: > > Is not systemd one of such backdoors? Does it include any interesting > "features" except so called "init system"? 1) You're asking in the wrong place 2) It's off topic 3) If you need to ask, it means you don't have a clue. It's ok to ask, but don't make sweeping statements if you don't have a clue 4) Learn how to quote a message. -- Ottavio Caruso
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On Tue, 12 May 2020 at 02:13, wrote: > > Linux GNU software has hardly visible NSA backdoors If you have the technical skills to back this argument up, please look in the "Linux GNU software" source, find the backdoors and report back. -- Ottavio Caruso
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On Tue, May 12, 2020 at 10:47:48AM +0200, i...@aulix.com wrote: > Sure I do not have such skills, I am a very noob trying to build a > secure console and router, but most likely IMHO the backdoors are > targeted to be used from invisible virtualization trojans on X86? I > was even suggested to avoid Libreboot on X86 because it is GNU, though > for me it is sometimes difficult to understand where trolling is in > this area of my interest. > > Is not systemd one of such backdoors? Does it include any interesting > "features" except so called "init system"? Also NSA controls your brain with 5G radio waves. Go burn some towers in the name of the Freedom!
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
Sure I do not have such skills, I am a very noob trying to build a secure console and router, but most likely IMHO the backdoors are targeted to be used from invisible virtualization trojans on X86? I was even suggested to avoid Libreboot on X86 because it is GNU, though for me it is sometimes difficult to understand where trolling is in this area of my interest. Is not systemd one of such backdoors? Does it include any interesting "features" except so called "init system"?
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
Original Message Subject: Re: OpenBSD insecurity rumors from isopenbsdsecu.re From: i...@aulix.com Date: Mon, May 11, 2020 9:18 pm To: Philip Guenther Cc: OpenBSD misc It is IMHO rather not a matter of trusting your questions, but not my willingness to answer them right now, but I can answer them later if I want, it is not a matter of trust but rather a tactics of choosing a sequence of what to answer and when. You know there is no a lot of secure enough alternatives to choose from except OpenBSD, and your commits alone shall not be of that a big problem and reason to reject OpenBSD since the code is being reviewed by other OpenBSD participants? Do you think there are less committers like you in many many Linux components like Linux kernel, AppArmor, a Linux distro and is there any other choice for me except OpenBSD and some type of a hardened Linux without systemd like Devuan or Alpine? Is not it a childish behavior of yours that is if I do not follow your method of discussion then I shall not use your work, you ban me from allowed users at least mentally by your ultimatum not practically of course as you cannot prohibit me to use any open source products like OpenBSD or Linux distros. ** To give a quick answer and to the point, when OpenBSD originally split from NetBSD, cryptographic software with any part of it written by US citizens could not be distributed outside the US without explicit government approval and licensure. If any revisions are made by US citizens, the entire code base would also be considered to prohibited to anyone outside the US without explicit government approval. If you want further details of the restrictions, lookup ITAR in your favorite search engine. I do not choose to further test the patience of most of the other users of the listserve, many of whom are already aware of this.
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
There is a single place to take buzzwords from (not random as you said): http://www.freezepage.com/1589263204VJFCCPNUBQ https://hardenedbsd.org/content/easy-feature-comparison
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On Tue, May 12, 2020 at 7:19 AM wrote: > > I would prefer to begin from grsecurity, but it is not available up to date > for my budget. > > I would also try HardenedBSD, but it is only amd64 now? And how many active > developers there are? one or two? > > OpenBSD looks as the only viable option for me right now, may be one another > is a systemd free distro like Devuan with a hardened kernel like by @anthrax, > but I am too unskilled even to understand what are improvements of @anthrax > kernel for me without a good doc for it in the existence, and on the other > hand OpenBSD is famous with its very good documentation. > > I guess it is a huge work to harden Linux installation to a level compared to > OpenBSD, there is some interesting work which is by Whonix but unfortunately > with systemd, and it seems someone from that community is referring to > isopenbsdsecu.re site, so it looks to me like a OpenBSD vs Whonix dispute, > excuse me if I am wrong. You keep swallowing up buzzwords from completely random places without taking the time to understand what everything means or how it affects you. There's no silver bullet. Figure out and enumerate *your* threat model, then find a solution that you understand.
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On Mon, May 11, 2020 at 9:17 PM wrote: > I was told on the chat that Linux GNU software has hardly visible NSA > backdoors and IMHO most funding for Linux seems to be from USA ? This is beyond incompetent. You've got the wrong mailing list for this kind of issue, you haven't identified the version with the problem, you haven't even identified the problem. All you are doing is citing vague rumor. Why are you doing this? -- Raul
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
I would prefer to begin from grsecurity, but it is not available up to date for my budget. I would also try HardenedBSD, but it is only amd64 now? And how many active developers there are? one or two? OpenBSD looks as the only viable option for me right now, may be one another is a systemd free distro like Devuan with a hardened kernel like by @anthrax, but I am too unskilled even to understand what are improvements of @anthrax kernel for me without a good doc for it in the existence, and on the other hand OpenBSD is famous with its very good documentation. I guess it is a huge work to harden Linux installation to a level compared to OpenBSD, there is some interesting work which is by Whonix but unfortunately with systemd, and it seems someone from that community is referring to isopenbsdsecu.re site, so it looks to me like a OpenBSD vs Whonix dispute, excuse me if I am wrong.
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
You are acting a fool. If you admit to seeing how they eat their own dog food and the quality of the project because of their own way, but only when it suits your internet arguments, then you may as well just buy security from a big corporate Linux. It's not about $100 words hiding a children's tantrum after being told it's up to you, it's about understanding that *it's up to you*. On Tue, May 12, 2020, 4:20 PM wrote: > It is IMHO rather not a matter of trusting your questions, but not my > willingness to answer them right now, but I can answer them later if I > want, it is not a matter of trust but rather a tactics of choosing a > sequence of what to answer and when. > > You know there is no a lot of secure enough alternatives to choose from > except OpenBSD, and your commits alone shall not be of that a big problem > and reason to reject OpenBSD since the code is being reviewed by other > OpenBSD participants? > > Do you think there are less committers like you in many many Linux > components like Linux kernel, AppArmor, a Linux distro and is there any > other choice for me except OpenBSD and some type of a hardened Linux > without systemd like Devuan or Alpine? > > Is not it a childish behavior of yours that is if I do not follow your > method of discussion then I shall not use your work, you ban me from > allowed users at least mentally by your ultimatum not practically of course > as you cannot prohibit me to use any open source products like OpenBSD or > Linux distros. > >
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
It is IMHO rather not a matter of trusting your questions, but not my willingness to answer them right now, but I can answer them later if I want, it is not a matter of trust but rather a tactics of choosing a sequence of what to answer and when. You know there is no a lot of secure enough alternatives to choose from except OpenBSD, and your commits alone shall not be of that a big problem and reason to reject OpenBSD since the code is being reviewed by other OpenBSD participants? Do you think there are less committers like you in many many Linux components like Linux kernel, AppArmor, a Linux distro and is there any other choice for me except OpenBSD and some type of a hardened Linux without systemd like Devuan or Alpine? Is not it a childish behavior of yours that is if I do not follow your method of discussion then I shall not use your work, you ban me from allowed users at least mentally by your ultimatum not practically of course as you cannot prohibit me to use any open source products like OpenBSD or Linux distros.
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On Mon, May 11, 2020 at 6:09 PM wrote: ... > > And why would *you* care about those ways? If you can't tell us why you > would care, how can we answer your _real_ question? > Treat it as my secret, I want and that is why I ask because I can, I wish > you tell me the answer without a knowledge of "why I ask", > it is a very long discussion of answering by a question to question in > your Jewish style, is not it? > I considered treating your questions in good faith, but then you said this. If my questions have you spouting this nonrational drivel them you should stay away from OpenBSD because I am a committer and if you can't trust my questions then you shouldn't trust my code. Philip Guenther
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
> I'm not sure what that sentence even means. What would a "trust relationship" > between OpenBSD and "current USA" actually mean in terms of a CHANGE IN > BEHAVIOR? "CHANGE IN BEHAVIOR" of whom or of what? > Hell, what does "current USA" even _mean_?!? Very high activity of NSA to embed their backdoors eveywhere they can. >Did you mean to say "the US Federal Government"? If so, what would "trust >between OpenBSD and the US Federal Government" actually mean in terms of a >change in behavior that you, i...@aulix.com, could actually detect? How does it matter if I can detect something? Do you mean i...@aulix.com is too Untermensch just to even wonder and ask such questions? Can anyone detect this? https://web.archive.org/web/20190624163342/https://www.rlighthouse.com/targeted-individuals.html Does OpenBSD project according to: https://web.archive.org/web/20200512025352/https://www.openbsd.org/crypto.html prohibit american people to work on OpenBSD cryptography? > > And why would *you* care about those ways? If you can't tell us why you would > care, how can we answer your _real_ question? Treat it as my secret, I want and that is why I ask because I can, I wish you tell me the answer without a knowledge of "why I ask", it is a very long discussion of answering by a question to question in your Jewish style, is not it? > > There is cryptographic software in OpenBSD that was developed in part by > someone who is/was a US citizen, in OpenSSH even, as a check of > copyright/license statements on source files show. How does that change your > world view? I told you not about the past, but about the CURRENT (TODAY not EARLIER) state of things, and OpenBSD ban on americans to work on its crypto, you see?
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On Mon, May 11, 2020 at 4:28 PM wrote: > Is not a prohibition for USA citizens to work on OpenBSD cryptography > software parts an indication of trust relationship between current OpenBSD > and current USA? > I'm not sure what that sentence even means. What would a "trust relationship" between OpenBSD and "current USA" actually mean in terms of a CHANGE IN BEHAVIOR? Hell, what does "current USA" even _mean_?!? Did you mean to say "the US Federal Government"? If so, what would "trust between OpenBSD and the US Federal Government" actually mean in terms of a change in behavior that you, i...@aulix.com, could actually detect? And why would *you* care about those ways? If you can't tell us why you would care, how can we answer your _real_ question? There is cryptographic software in OpenBSD that was developed in part by someone who is/was a US citizen, in OpenSSH even, as a check of copyright/license statements on source files show. How does that change your world view? Philip Guenther
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
> If any widely-used open source software had government backdoors in it, > nobody in the know would be telling folks about it in random IRC chat rooms. I do not understand your argument, are you trolling to hide how actual things are going to?
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
If any widely-used open source software had government backdoors in it, nobody in the know would be telling folks about it in random IRC chat rooms. BW On Mon, 11 May 2020 18:13:35 -0700 wrote I was told on the chat that Linux GNU software has hardly visible NSA backdoors and IMHO most funding for Linux seems to be from USA ? Only single Linus person alone is paid about 30 times more per year by Linux foundation than the whole OpenBSD foundation total fundraising goal, not sure if it is an indication of Linux be more corporation sponsored and oriented.Is not USA a beneficiary of big transnational corporation and capital?
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
Is not a prohibition for USA citizens to work on OpenBSD cryptography software parts an indication of trust relationship between current OpenBSD and current USA?
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
I was told on the chat that Linux GNU software has hardly visible NSA backdoors and IMHO most funding for Linux seems to be from USA ? Only single Linus person alone is paid about 30 times more per year by Linux foundation than the whole OpenBSD foundation total fundraising goal, not sure if it is an indication of Linux be more corporation sponsored and oriented.Is not USA a beneficiary of big transnational corporation and capital?
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On 2020-05-11, Stuart Longland wrote: > BSD came from the US (University of California), but most of today's > implementations have been very significantly changed since then. BSD built on top of AT UNIX, which came from Bell Labs in New Jersey. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
I wish if the someone who took the time to make this page at least would make an antisystemD page instead. This is just a pointless brainless monkey(s) wasting our time webpage, it is not even funny and we are passed April 1 a long time ago. However I never knew linus said such things: "I think the OpenBSD crowd is a bunch of masturbating monkeys" I guess this is just another reason for ditching linux in favor of BSDs. Let's face it how much time that old fart linus has, maybe COVID takes him too. I couldn't care less either, all I care is my BSD servers uptime 600+ days and not 1 day I worry about their security. Sent with ProtonMail Secure Email. ‐‐‐ Original Message ‐‐‐ On Thursday, May 7, 2020 4:00 PM, wrote: > Dear OpenBSD fans, > > Can you please comment negative appraisal from the following website: > > https://isopenbsdsecu.re/quotes/ > > I did not want to hurt anyone, just looking for a secure OS and OpenBSD > looked very nice to me before I have found this website. > > Kind Regards
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On 11/5/20 5:00 am, i...@aulix.com wrote: > Btw, does not it look like a PR competition of Linux from USA vs OpenBSD from > Canada/London? Actually, I think you'll find both OSes have significant contributions from all around the world. Linux (which is a kernel, not an OS) originated from Finland. BSD came from the US (University of California), but most of today's implementations have been very significantly changed since then. In any case, I don't think it's helpful to characterise an OS by its country of origin. Even less so, when it's an open-source OS with contributions that are sourced globally. -- Stuart Longland (aka Redhatter, VK4MSL) I haven't lost my mind... ...it's backed up on a tape somewhere. Help fund COVID-19 research: https://stuartl.longlandclan.id.au/blog/2020/04/20/who-covid19/
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
There are already enough funny pages about systemd technical deviations, e.g.: https://dev1galaxy.org/viewtopic.php?id=3427
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
Here's a game. Name as many operating systems as you can that encrypt the page file or swap space by default?
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On Mon, 11 May 2020 17:27:24 +, slackwaree wrote: > I wish if the someone who took the time to make this page at least > would make an antisystemD page instead. I doubt anyone asked you how they should spend their time. > Let's face it how much time that old fart linus has, maybe > COVID takes him too. Are you really saying you hope he dies? What the fuck is wrong with you? > I couldn't care less either, all I care is my > BSD servers uptime 600+ days and not 1 day I worry about their > security. You are clearly clueless. Please refrain from posting again such shitty emails. Thanks, Daniel
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
Le 10/05/2020 à 21:00, i...@aulix.com a écrit : Also that said, all mothafuckaaa which keep send posts like this, put your head within your ass and just accept: you are OpenBSD user! Taking into account your earlier kind detailed counter explanation about many mentioned issues and mitigations I would not agree that OpenBSD community is unwelcome, so that issue seems to be not true too :) Btw, does not it look like a PR competition of Linux from USA vs OpenBSD from Canada/London? OpenBSD prohibits USA citizens to work on its crypto? I doubt it, but as I am French I have no opinion on these questions. Serurity is not the only goal of OpenBSD and should not be your only criteria. -Extract from the FAQ About OpenBSD The OpenBSD project produces a freely available, multi-platform 4.4BSD-based UNIX-like operating system. Our goals place emphasis on correctness, security, standardization, and portability. https://www.openbsd.org/faq/faq1.html#WhatIs -- If you are looking for, try the OSes that attracts you and make the choice that suits you (it can be several). Even if a Ferrari is better than a Renault on a theoretical aspect, I prefer my Renault because it is good enough to go to work and will always cost me less. If you made a mistake you can always go back on your choice or even change your mind. With practical knowledge and hindsight you will be in a better position to form an opinion on this subject that worries you. Regards, -- Stéphane Aulery
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
>Also that said, all mothafuckaaa which keep send posts like this, put your >head within your ass and just accept: you are OpenBSD user! Taking into account your earlier kind detailed counter explanation about many mentioned issues and mitigations I would not agree that OpenBSD community is unwelcome, so that issue seems to be not true too :) Btw, does not it look like a PR competition of Linux from USA vs OpenBSD from Canada/London? OpenBSD prohibits USA citizens to work on its crypto?
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
That Talk of isopen ... is a joke! He start agreeing with puffy supremacy. All these years I have made jokes with fbsd guys and some "hax0rs" during event's. The reason is simple, they attack OpenBSD community and then always end with a lack of arguments. Even with Qualys recent discoveries, which in my personal opinion they could send all issues together, they preferred to do on that way. That said, I still asking, why the other projects do not try at least start to make their operating system more secure by default? OpenBSD since the begin the main focus is paranoid security. They will take years to have a solid rock like OpenBSD. Also that said, all mothafuckaaa which keep send posts like this, put your head within your ass and just accept: you are OpenBSD user! Em dom., 10 de mai. de 2020 às 01:45, Stéphane Aulery escreveu: > Hello, > > Le 07/05/2020 à 16:00, i...@aulix.com a écrit : > > > > Can you please comment negative appraisal from the following website: > > > > https://isopenbsdsecu.re/quotes/ > > > > I did not want to hurt anyone, just looking for a secure OS and OpenBSD > looked very nice to me before I have found this website. > > > > This explanation [1] from the author of the site should be enough for you: > > > Why was this website created? > > Someone was bragging on IRC about how secure OpenBSD is compared to > everything else, but this came without concrete evidences. > > Tired of having to endure this once too often, time was spent > documenting OpenBSD’s security features: > > where are they coming from? > against what are they defending? > how successful are they? > > Because, in the words of Ryan Mallon: > > Threat modelling rule of thumb: if you don’t explain exactly what > you are securing against and how you secure against it, the answers can > be assumed to be: “bears” and “not very well”. > > > The quotes were chosen to be especially aggressive but we could find as > many against other operating systems. > > For me it's on the same level as "The UNIX-HATERS Handbook" [2], just a > big ball of hate and FUD. > > After full reading, out of 52 exposed points there are 4 frankly against > OpenBSD, 12 for OpenBSD and all the rest is opinion and filling. > > It wants to be impressive, but it’s just swank of a meticulous hater. > > Regards, > > > > [1] https://isopenbsdsecu.re/about/ > [2] https://web.mit.edu/~simsong/www/ugh.pdf > > > > Mitigations > > Arc4random > > [...] Nowadays, arc4random in userland is available on various > platforms, even when not being natively implemented, thanks to libbsd. > NetBSD, FreeBSD, Linux, … have all moved to a ChaCha20-based CSPRNG. > Even Tor is now using some of its code, for performance reasons. > > OpenBSD took inspiration from Linux two decades ago, but nowadays, it’s > the other way around, OpenBSD is driving the CSRPNG game! > > OK. > > ASLR > > [...] OpenBSD randomizing everything is neat, and forces attackers to > find/create better leaks. But nowadays, all the modern operating systems > have those kind of mitigations, are are now focusing on killing bugs > exploitable when an attacker has some reading capabilities. > > And what are these modern OSes? OpenBSD is a fossilized and archived OS > on archive.org? > > Atexit hardening > > [...] In the glibc, the pointers to the function are obfuscated with a > rol+xor via the PTR_MANGLE macro against a secret, which is roughly > equivalent to what Windows is doing. This mitigation is completely > bypassed with an arbitrary read: get the secret, obfuscate the pointer > to your payload, done. > > Musl has no hardening at all > > On OpenBSD, the pointers are stored in a read-only memory zone, only > made writeable when __cxa_atexit is called. To bypass this, an attacker > would need to get code execution to modify the permissions of the memory > zone. > > Where is the point? > > > Development practises - Development practises > > OpenBSD got no continuous integration system, and apparently build > breakage are, according to the FAQ, happening from time to time [...] > > There is a code style, but since it’s not automatically enforced, if > only because there is no CI. > > The VCS used is CVS, the Concurrent Versions System [...] > > This is not what makes security! > > Development practises - Code reviews > > OpenBSD claims that they have “between six and twelve members who > continue to search for and fix new security holes”, but it seems that > this doesn’t prevent low-hanging bugs from entering the codebase, for > example: [...] > > Ah, because those who don't read their code are more likely to find errors? > > Development practises - Security advisories > > OpenBSD is publishing security issues on its Errata pages, but doesn’t > provide much context nor analysis. [...] > >
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
Hello, Le 07/05/2020 à 16:00, i...@aulix.com a écrit : Can you please comment negative appraisal from the following website: https://isopenbsdsecu.re/quotes/ I did not want to hurt anyone, just looking for a secure OS and OpenBSD looked very nice to me before I have found this website. This explanation [1] from the author of the site should be enough for you: Why was this website created? Someone was bragging on IRC about how secure OpenBSD is compared to everything else, but this came without concrete evidences. Tired of having to endure this once too often, time was spent documenting OpenBSD’s security features: where are they coming from? against what are they defending? how successful are they? Because, in the words of Ryan Mallon: Threat modelling rule of thumb: if you don’t explain exactly what you are securing against and how you secure against it, the answers can be assumed to be: “bears” and “not very well”. The quotes were chosen to be especially aggressive but we could find as many against other operating systems. For me it's on the same level as "The UNIX-HATERS Handbook" [2], just a big ball of hate and FUD. After full reading, out of 52 exposed points there are 4 frankly against OpenBSD, 12 for OpenBSD and all the rest is opinion and filling. It wants to be impressive, but it’s just swank of a meticulous hater. Regards, [1] https://isopenbsdsecu.re/about/ [2] https://web.mit.edu/~simsong/www/ugh.pdf Mitigations Arc4random [...] Nowadays, arc4random in userland is available on various platforms, even when not being natively implemented, thanks to libbsd. NetBSD, FreeBSD, Linux, … have all moved to a ChaCha20-based CSPRNG. Even Tor is now using some of its code, for performance reasons. OpenBSD took inspiration from Linux two decades ago, but nowadays, it’s the other way around, OpenBSD is driving the CSRPNG game! OK. ASLR [...] OpenBSD randomizing everything is neat, and forces attackers to find/create better leaks. But nowadays, all the modern operating systems have those kind of mitigations, are are now focusing on killing bugs exploitable when an attacker has some reading capabilities. And what are these modern OSes? OpenBSD is a fossilized and archived OS on archive.org? Atexit hardening [...] In the glibc, the pointers to the function are obfuscated with a rol+xor via the PTR_MANGLE macro against a secret, which is roughly equivalent to what Windows is doing. This mitigation is completely bypassed with an arbitrary read: get the secret, obfuscate the pointer to your payload, done. Musl has no hardening at all On OpenBSD, the pointers are stored in a read-only memory zone, only made writeable when __cxa_atexit is called. To bypass this, an attacker would need to get code execution to modify the permissions of the memory zone. Where is the point? Development practises - Development practises OpenBSD got no continuous integration system, and apparently build breakage are, according to the FAQ, happening from time to time [...] There is a code style, but since it’s not automatically enforced, if only because there is no CI. The VCS used is CVS, the Concurrent Versions System [...] This is not what makes security! Development practises - Code reviews OpenBSD claims that they have “between six and twelve members who continue to search for and fix new security holes”, but it seems that this doesn’t prevent low-hanging bugs from entering the codebase, for example: [...] Ah, because those who don't read their code are more likely to find errors? Development practises - Security advisories OpenBSD is publishing security issues on its Errata pages, but doesn’t provide much context nor analysis. [...] Ok, that's a point, but is it necessary to point to the way of reproducing an exploit after having patched it? It is a practice, nothing more, which neither adds to nor takes anything away from security. Disk encryption [...] This is looking like a solid design, pretty similar to what LUKS is doing. Unfortunately, it doesn’t support using a TPM or an enclave (like Intel’s SGX, AMD’s SEV, …) to perform key-derivation and prevent offline bruteforcing. Pathetic. Embargoes handling OpenBSD isn’t usually included in security embargoes anymore, likely because they have the bad habit of not playing well with them, although they never technically broken one. [...] And should we play the game of the one with the cleanest ass? Explicit_bzero and bzero [...] While it might get optimized away when using static linking with LTO, it’s sill a neat way of improving forward secrecy, by trying to remove cryptographic materials from memory as soon as possible. Where is the problem? OBSD +1 Fork
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
At risk of responding without having read through the entire website, it seems to mostly be about OpenBSD's exploit mitigations, and nothing else. But OpenBSD does a lot of other things well, like doing lots of code reviews, having a culture of writing code with an eye toward security in the first place, providing API's that are more difficult for developers to misuse (strlcat, pledge), and generally good design like building things with privilege separation in lots of places. OpenBSD also has lots of mitigations, but then so do other OS'es. Mitigations have always been and will probably always be a controversial and fraught topic. That's because mitigations are just that - they're *mitigations*. For the most part they're not supposed to provide more-or-less impenetrable security barriers like with privilege separation, memory safe languages, etc. They're just there to make an attacker's life harder and their chances of success lower than otherwise. For this reason, they're subject to an endless arms race, with developers always introducing new and interesting mitigations, and exploit writers always researching fun and bizarre ways to work around them. The best an OS can do is to stay as close to the state of the art as possible. So, there's probably some valid criticisms in there (I haven't read through them all), but "some of OpenBSD's exploit mitigations have some issues" is not grounds to say that OpenBSD is bad or insecure, as a blanket statement. OpenBSD has a lot of great things going for it. My 2 cents, BW On Thu, 07 May 2020 07:00:15 -0700 wrote Dear OpenBSD fans, Can you please comment negative appraisal from the following website: https://isopenbsdsecu.re/quotes/ I did not want to hurt anyone, just looking for a secure OS and OpenBSD looked very nice to me before I have found this website. Kind Regards
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
I got mixed feelings... This list seems very cherry-picked from people with a predetermined disliking of OpenBSD. If you check out the mitigations tab, you won't be able to find anything new or undocumented there. It looks like we as a community triggered a guy who retaliated by key-smashing together a rather nonconstructive criticism of OpenBSD's security and code development process. At 17, I might not be experienced enough for my opinion to count very much, but this seems like bait to make people angry rather than a security effort worth mentioning. The difference between security researchers and that guy IMO is that researchers help fix the problems, that guy only points the problems out. We got a bully on our hands here. To any OpenBSD developers reading this, you rock! Keep up the good work. Kristjan On 5/7/20 4:00 PM, i...@aulix.com wrote: > Dear OpenBSD fans, > > Can you please comment negative appraisal from the following website: > > https://isopenbsdsecu.re/quotes/ > > I did not want to hurt anyone, just looking for a secure OS and OpenBSD > looked very nice to me before I have found this website. > > Kind Regards > signature.asc Description: OpenPGP digital signature
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On 5/7/20 7:02 PM, Aaron Mason wrote: > On Fri, May 8, 2020 at 2:30 AM jeanfrancois wrote: >> >> As long as there's no material published it's worth just any other word. >> > > To quote Douglas Adams on whether you can trust people on the > internet, "of course not, it's just people talking". > wait a minute. you are on the internet, I am on the internet. I CAN"T TRUST ANYONE. MY LIFE IS FALLING APART. but then I shouldn't trust what you said too. Ah, okok, i'll not trust what you said *promptly goes to the nearest zebra crossing to get killed* (sorry I just had to)
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On Fri, May 8, 2020 at 2:30 AM jeanfrancois wrote: > > As long as there's no material published it's worth just any other word. > To quote Douglas Adams on whether you can trust people on the internet, "of course not, it's just people talking". -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On 5/7/20 11:11 AM, Kevin Chadwick wrote: > On 2020-05-07 14:10, Consus wrote: >> On Thu, May 07, 2020 at 04:00:15PM +0200, i...@aulix.com wrote: >>> Dear OpenBSD fans, >>> >>> Can you please comment negative appraisal from the following website: >>> >>> https://isopenbsdsecu.re/quotes/ >>> >>> I did not want to hurt anyone, just looking for a secure OS and >>> OpenBSD looked very nice to me before I have found this website. >> > > Perhaps you could cite which part as the parts I read should seem without > merit > to anybody? > >> The fun thing to do: offer $50k rewards for code execution >> vulnerabilities and wait for results. >> > > "Apple has lately been slapping proprietary mitigations around like there’s no > tomorrow. But thing is, mitigations are often delicate creatures, with rather > fragile assumptions. Having too many of them in one place can easily make them > break one another, as happened here with execute-only memory vs PAN." > > I am sure that examples of mitigations leveraging and protecting each other, > or > an exploit failing because of multiple mitigations is far more common than > them > hurting each other. > > "I put a lot more faith in privilege separation and reduction than in all the > mitigations. I’d be really impressed by a move to a safe language… most > everyone > is late to that party, so it’s a chance for someone to pull ahead if they > wanted > bragging rights" > > I wouldn't want to read an OS written in Rust and I would love to see secure > developments in C even if it hampers potential performance. Things like Go are > not suitable for an OS with many small programs. > Curious about why... though admittedly I have never written or read rust in great detail. Genuinely curious why, I thought it was supposed to be pretty nice with thread safety and all that jazz. > Also, OpenBSD is one of the pioneers of privilege separation and most Go > programs are not privilege separated at all. > > I quickly lost interest, sorry. IMO, the main thing that causes exploitations > is > carelessness. OpenBSD cares and is careful! > Aisha
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On 2020-05-07 10:00, i...@aulix.com wrote: > Dear OpenBSD fans, > > Can you please comment negative appraisal from the following > website: > > https://isopenbsdsecu.re/quotes/ > > I did not want to hurt anyone, just looking for a secure OS and > OpenBSD looked very nice to me before I have found this website. Rule of life #1: when lots of people hate you, you are either doing something very wrong...or very right. People don't waste their time on people who are average-ish. That's actually how I found OpenBSD -- reading through a once popular chat website, saw people spending a lot of time throwing a lot of hate and personal attacks at Theo and his team. Well, by my figuring, anyone who gets that much venom tossed at them needs a looking at! That was 22+ years ago. No regrets. You have to decide for yourself if OpenBSD is very right or very wrong for you (not a lot of people in the middle, and that's fine.) Looking at the quotes, I see... * Jealousy * competitors * broad, general statements * Blablabla * People with a self contradictory titles. * people hiding behind pseudonyms * People that have All The Answers, just waiting for someone to do what they say. * Name callers * "No shit Sherlock"ers * "OpenBSD sucks, I like your website!" * "OpenBSD does what it set out to do, I like your website" * People "removing all doubt" (as in, "Better to be thought a fool than to open your mouth and remove all doubt") * "if it isn't popular, it's not good"er * unbacked claims. * another, this one thinks only about fighting the past wars. * more unbacked claims, this one, totally anonymous. * A person wanting YOU to find exploits in OSs. Guess they are all pretty secure if they aren't finding them themselves. Seriously, if you understand OpenBSD's work, you would take many of those quotes as complements. OpenBSD's security mitigations broke a "secure" language? Maybe you should check your assumptions. Elsewhere on that website, he mocks OpenBSD for calling someone "inaccurate jerks" -- I happened to click on that, since it didn't exactly roll off the tongue, and what is the actual context? Theo saying, "No, that's not a hardware problem, that's an OpenBSD problem and it should be fixed". You were not supposed to look at the context, I guess. The line about "Insults" is actually someone mock- complaining about doas not insulting users like sudo does.The more stuff I click on, the more I start to think, this is an irony site! This guy LOVES OpenBSD! Well, fudge. I just wasted a lot of time writing this!) Nick.
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
Good evening, As long as there's no material published it's worth just any other word. You can state anything you like granted this collection has value, so no there are no clear points, nothing really worthwhile can emerge. When I feel lost in any Unix system calls I just open an OpenBSD's man page and there you go, things are clear, well explained, and make sense. This above response just any other words too, but actually that's why we like it, this OS and environment just makes sense. Regards J.F. Le 07/05/2020 à 16:00, i...@aulix.com a écrit : Dear OpenBSD fans, Can you please comment negative appraisal from the following website: https://isopenbsdsecu.re/quotes/ I did not want to hurt anyone, just looking for a secure OS and OpenBSD looked very nice to me before I have found this website. Kind Regards
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On 2020-05-07 14:48, Aisha Tammy wrote: >> I wouldn't want to read an OS written in Rust and I would love to see secure >> developments in C even if it hampers potential performance. Things like Go >> are >> not suitable for an OS with many small programs. >> > Curious about why... though admittedly I have never written or read rust in > great detail. > Genuinely curious why, I thought it was supposed to be pretty nice with > thread safety and > all that jazz. > It was more the privilege separation part that I found made the comment show a lack of understanding. Privsep really has more to do with design than a language. Aside from the Go/Linux Kernel seteuid bug. https://github.com/golang/go/issues/1435 There have been many proposals for many years to reduce the care needed to write good C and performance or feature support like breaking some pointer use cases, always seems to win the argument upstream. A paper/plugin/extension is written and rarely makes the mainstream compilers, even as a flag. Admittedly, I don't have much Rust experience, either. Ada seems more applicable to avoiding dynamic memory on micro processors and I don't have the time to sacrifice, even on ADA with GCC support or on maintaining tooling and porting code bases. To me, Rust reads like C++ on steroids and I never liked C++ and so I lost all interest very quickly. I just have too many questions when reading it. I rarely like abstraction. Ada looks nicer to read to me but perhaps it wouldn't have that thread safety that you mention or the momentum Rust seems to have gained? Didn't Linus push back against C++ too? I guess I like Go and Ada because they are more similar to C and fairly simple in their core. I think Reyk tweeted about not liking Rust or it being a real pain and now seems to have tweeted about quite liking it. I am not closed minded but more skeptical of ever taking to it.
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On 2020-05-07 14:10, Consus wrote: > On Thu, May 07, 2020 at 04:00:15PM +0200, i...@aulix.com wrote: >> Dear OpenBSD fans, >> >> Can you please comment negative appraisal from the following website: >> >> https://isopenbsdsecu.re/quotes/ >> >> I did not want to hurt anyone, just looking for a secure OS and >> OpenBSD looked very nice to me before I have found this website. > Perhaps you could cite which part as the parts I read should seem without merit to anybody? > The fun thing to do: offer $50k rewards for code execution > vulnerabilities and wait for results. > "Apple has lately been slapping proprietary mitigations around like there’s no tomorrow. But thing is, mitigations are often delicate creatures, with rather fragile assumptions. Having too many of them in one place can easily make them break one another, as happened here with execute-only memory vs PAN." I am sure that examples of mitigations leveraging and protecting each other, or an exploit failing because of multiple mitigations is far more common than them hurting each other. "I put a lot more faith in privilege separation and reduction than in all the mitigations. I’d be really impressed by a move to a safe language… most everyone is late to that party, so it’s a chance for someone to pull ahead if they wanted bragging rights" I wouldn't want to read an OS written in Rust and I would love to see secure developments in C even if it hampers potential performance. Things like Go are not suitable for an OS with many small programs. Also, OpenBSD is one of the pioneers of privilege separation and most Go programs are not privilege separated at all. I quickly lost interest, sorry. IMO, the main thing that causes exploitations is carelessness. OpenBSD cares and is careful!
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
I don't claim to be an fan of OpenBSD security myself, but as long ås somebody än effort to collevt quotes aboit it's insrcurity I guess it provides decent security to the average pimp on the block. On 7 May 2020 16:00:15 CEST, i...@aulix.com wrote: >Dear OpenBSD fans, > >Can you please comment negative appraisal from the following website: > >https://isopenbsdsecu.re/quotes/ > >I did not want to hurt anyone, just looking for a secure OS and OpenBSD >looked very nice to me before I have found this website. > >Kind Regards -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On Thu, May 07, 2020 at 04:00:15PM +0200, i...@aulix.com wrote: > Dear OpenBSD fans, > > Can you please comment negative appraisal from the following website: > > https://isopenbsdsecu.re/quotes/ > > I did not want to hurt anyone, just looking for a secure OS and OpenBSD > looked very nice to me before I have found this website. > > Kind Regards 16 people there. I only heard of two (Linus Torvalds, Ilja van Sprundel). Who cares? -peter
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On Thu, May 07, 2020 at 04:00:15PM +0200, i...@aulix.com wrote: > Dear OpenBSD fans, > > Can you please comment negative appraisal from the following website: > > https://isopenbsdsecu.re/quotes/ > > I did not want to hurt anyone, just looking for a secure OS and > OpenBSD looked very nice to me before I have found this website. The fun thing to do: offer $50k rewards for code execution vulnerabilities and wait for results.
OpenBSD insecurity rumors from isopenbsdsecu.re
Dear OpenBSD fans, Can you please comment negative appraisal from the following website: https://isopenbsdsecu.re/quotes/ I did not want to hurt anyone, just looking for a secure OS and OpenBSD looked very nice to me before I have found this website. Kind Regards
