Re: Only two holes in a heck of a long time, but why?

2014-04-08 Thread Stuart Henderson
On 2014-04-07, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote:
 previously on this list Stuart Henderson contributed:

  If a port is considered dangerous like wireshark was it
  is removed to avoid encouraging it but users can still build it of
  course.  
 
 There's a problem with *not* having it in ports too, if people do compile
 it for themselves, considering how long the damn thing takes to build it's
 highly likely that they won't update it as often as if there were packages...
 
 And it's less bad now than it used to be - they don't do proper privilege
 separation like OpenBSD's tcpdump does, but at least it's now just the
 network capture part that runs as root, the packet dissectors now run as
 a normal uid.

 I thought it was the sheer number of parsing bugs, wouldn't dumpcap
 suid have sorted that or have they built it in more finely and did
 doing that just bring other insecurities?

It used to be that, in order to run live captures, you had to run the
whole thing as root. Totally unsafe.

Following the dumpcap split, the dissectors (which are still dangerous
and untrustworthy) are run as a normal user. This is better than it used
to be, though still not great; looking at the release notes for pretty
much every version of wireshark ever released will show a number of
security-related bugs in this area, this is difficult code to get right
and is obviously handling untrusted data, and I think many users would
run it as their normal user account. But then one could also say that
about your average web browser..

Compare with the model used by OpenBSD's tcpdump - the dissectors are
run in a child process, chrooted in an empty unwritable directory.
(tcpdump.org's version is not as strong; they can chroot/drop privs,
however this is done in a single process).



Re: Only two holes in a heck of a long time, but why?

2014-04-08 Thread Mihai Popescu
So, Martin, what is your point?



Re: Only two holes in a heck of a long time, but why?

2014-04-07 Thread Chris Bennett
On Sun, Apr 06, 2014 at 03:38:17PM -0700, Chris Cappuccio wrote:
 Chris Bennett [chrisbenn...@bennettconstruction.us] wrote:
  
  X is also built in.
  Gee, base is so insecure!!
  
 
 X is a security disaster
 

Most of the internet sites I use work just fine with lynx.
vi works ok.
I use some shell scripts with sed to do wonderful things.
Perl is handy ;).

And the new changes to nice text sizes on boot make the boot console
very usable.

But speaking of X, is there anyone working on a good replacement?

Chris



Re: Only two holes in a heck of a long time, but why?

2014-04-07 Thread Kevin Chadwick
previously on this list Stuart Henderson contributed:

  If a port is considered dangerous like wireshark was it
  is removed to avoid encouraging it but users can still build it of
  course.  
 
 There's a problem with *not* having it in ports too, if people do compile
 it for themselves, considering how long the damn thing takes to build it's
 highly likely that they won't update it as often as if there were packages...
 
 And it's less bad now than it used to be - they don't do proper privilege
 separation like OpenBSD's tcpdump does, but at least it's now just the
 network capture part that runs as root, the packet dissectors now run as
 a normal uid.

I thought it was the sheer number of parsing bugs, wouldn't dumpcap
suid have sorted that or have they built it in more finely and did
doing that just bring other insecurities?

I agree I could have chosen much better examples but I was trying to
point out that even ports have some security consideration, randomised
tcp and dns preventing mitm way before linux would have been better
examples or even things like ping being different under the hood.

-- 
___

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
___

I have no idea why RTFM is used so aggressively on LINUX mailing lists
because whilst 'apropos' is traditionally the most powerful command on
Unix-like systems its 'modern' replacement 'apropos' on Linux is a tool
to help psychopaths learn to control their anger.

(Kevin Chadwick)

___



Re: Only two holes in a heck of a long time, but why?

2014-04-07 Thread Kevin Chadwick
previously on this list Riccardo Mottola contributed:

 Yes, sysmerge is really neat.

Perhaps I should expand as to why if it has been so long without him
using.

sysmerge handles everything in /etc! via etc??.tgz and xetc??.tgz and
lets you do quick diffs (which I shamelessly copied from for my install
scripts, thanks Antoine) rather than check later or drop to
commandline like apt.

So yes you do need to keep an eye on current or instead you can now use
packages kindly made by mtier for stable and almost never *need* to
reboot unless you want to, so yes you do have apt-get functionality for
a year at a time and most likely going by the past without reboots if
you want and then the upgrade will be quicker with no difference to
following the upgrade procedure to avoid problems on debian.

Now try it out, go on get a FIX ;-)




Re: Only two holes in a heck of a long time, but why?

2014-04-07 Thread Alexander Hall
On August 27, 2014 10:16:21 PM CEST, Kevin Chadwick ma1l1i...@yahoo.co.uk 
wrote:
 ...

Kevin, FYI, your time is horribly off...



Re: Only two holes in a heck of a long time, but why?

2014-04-06 Thread Chris Cappuccio
Chris Bennett [chrisbenn...@bennettconstruction.us] wrote:
 
 X is also built in.
 Gee, base is so insecure!!
 

X is a security disaster



Re: Only two holes in a heck of a long time, but why?

2014-04-06 Thread staticsafe
On 4/6/2014 18:38, Chris Cappuccio wrote:
 Chris Bennett [chrisbenn...@bennettconstruction.us] wrote:

 X is also built in.
 Gee, base is so insecure!!

 
 X is a security disaster
 

http://media.ccc.de/browse/congress/2013/30C3_-_5499_-_en_-_saal_1_-_201312291830_-_x_security_-_ilja_van_sprundel.html

That is a good talk on the security mess that is X.
TL;DW is - lots of legacy code and bad coding practices.

-- 
staticsafe



Re: Only two holes in a heck of a long time, but why?

2014-04-06 Thread sven falempin
On Sun, Apr 6, 2014 at 7:00 PM, staticsafe m...@staticsafe.ca wrote:

 On 4/6/2014 18:38, Chris Cappuccio wrote:
  Chris Bennett [chrisbenn...@bennettconstruction.us] wrote:
 
  X is also built in.
  Gee, base is so insecure!!
 
 
  X is a security disaster
 


X is the worst form of windowing system,
except for all those other forms that have been tried from time to time. ?
Naaah it's just bad.

(still waiting for webkit on framebuffer)

-- 
-
() ascii ribbon campaign - against html e-mail
/\



Re: Only two holes in a heck of a long time, but why?

2014-04-05 Thread Jan Stary
On Apr 05 00:06:56, yellowgoldm...@gmail.com wrote:
  but eventually began using Debian
  because it was much easier to maintain
 
  Can you please give an example of a maintenance task
  that is easier then the comparable/analogous task in OpenBSD?
^
  Because I remember Debian kinda sucked when I used it in 1998.
 
 apt-get update; apt-get dist-upgrade between versions are pretty awesome.

No doubt. In what way exactly is it easier
than an OpenBSD upgrade followed by pkg_add -u?

  Seriously though, the reason for me (and many people apparently)
  to use OpenBSD is the _extreme_simplicity_ of just about anything.
 
 OpenBSD is great to use, but BSD's in general

This list is not about BSDs in general.

 are not simplistic when it
 comes to package management,

What on earth are you talking about?
Have you used pkg_add recently?

 hence the reason why FreeBSD is developing the
 new pkg tool.. which is pretty much a clone of what apt does on Debian.
 
 For me I remember when time was spent updating from one OpenBSD version to
 the next. So many hours.

If you spent _hours_ updating an OpenBSD install,
then you were doing something very, very wrong.
An update of three of my machines last night took
about 8 minutes each, including sysmerge and packages.



Re: Only two holes in a heck of a long time, but why?

2014-04-05 Thread Riccardo Mottola

Hi,

 Can you please give an example of a maintenance task
 that is easier then the comparable/analogous task in OpenBSD?

  ^

 Because I remember Debian kinda sucked when I used it in 1998.

 apt-get update; apt-get dist-upgrade between versions are pretty awesome.

 No doubt. In what way exactly is it easier
 than an OpenBSD upgrade followed by pkg_add -u?

It rocks.


 If you spent _hours_ updating an OpenBSD install,
 then you were doing something very, very wrong.
 An update of three of my machines last night took
 about 8 minutes each, including sysmerge and packages.

Yes, sysmerge is really neat.

Riccardo



Re: Only two holes in a heck of a long time, but why?

2014-04-05 Thread Riccardo Mottola

Hi,

Martin Braun wrote:

 By easier to maintain it means apt-get update; apt-get dist-upgrade which
 is freaking neat!

 You can say what you want about Debian, but their apt system is
 exceptional! Especially between versions.

It is getting a bit off-topic, but yes... I stand to that. I have been
tinkering with operating systems for a dozen years, mostly for personal
(dis)pleasure and for the fun and pride in making sure the applications
I write and maintain are as cross-platform as possible.


My heart lies in NetBSD and OpenBSD, but I must say Debian is really
convenient. Apt-get is exceptional indeed! What disturbs me in Debian is
that after 10+ years you slowly learn the quite bad quality of what is
inside the package!


However, when I compare the package contents, I see that e.g. OpenBSD 
has up-to-date GNUstep packages, Debian has sometimes old stuff, but 
with a hell of patches. Now... patches, when there is upstream?


In all operating systems you want to use beyond the basics you need apps 
and ports.. and the quality of those can be very variable!


Riccardo



Re: Only two holes in a heck of a long time, but why?

2014-04-05 Thread Predrag Punosevac
On 04/03/14 22:04, Martin Braun wrote:
...
 Maybe I am just plain stupid, but could someone explain to me the point in
 bragging about only two remote holes in the default install, when the
 default install is useless before you add some content to the system,
 unless you're running a web server serving static content only.

I have no idea what is your diagnosis as I am trained as a mathematician
not as a physician. However I think I can address the useless part of
your question. I work in a robotics lab of a major research university
lab where we use default OpenBSD install for pretty much our entire
network infrastructure with exception of our file servers.  Just to set
the record straight I will list explicitly services I am personally
running off a default installation:

1. Firewall
2. VPN gateway(/etc/rc.d/npppd)
3. DHCP server (/etc/rc.d/dhcpd)
4. DNS (/etc/rc.d/unbound)
5. LDAP server (/etc/rc.d/ldapd)
6. Mail server (/etc/rc.d/smtpd)
7. NTP server (/etc/rc.d/ntpd)
8. Web server (/etc/rc.d/nginx)
9. sftp server with chrooted accounts
10. ssh gateway
11. Code repository (CVS)
12. My servers back up themselves using cron and altroot mechanism.
13. My servers monitor themselves with snmpd, sensorsd, and log files.
14. We use softraid for fully encrypted laptops.


I do not know if the above list looks impressive to you but for me it
looks damn impressive. With small add on or with home brewed Perl script
you can easily poll SNMP daemons from other machines making your
OpenBSD server monitor tool for entire lab. With a small add on I run
our bugtracker off essentially stock Nginx.

Now I could theoretically run a NFS file server off a default OpenBSD
installation but I like Hammer better than FFS or FFS2. The default
installation has everything for a C, C++, ADA, Fortran, Perl, or Lua
developer. 

Now being trained as a mathematician I have to sadly notice that I can
not do mathematics out of box on OpenBSD because TeX is very strange
public domain software (TRIP test) but I am sure if Don changes his mind
and really puts TeX in a public domain kerTeX will quickly become a
part of the base.

 No!

 By easier to maintain it means apt-get update; apt-get dist-upgrade
 which is freaking neat!

I thought that the April fool's date was a few days ago.

 You can say what you want about Debian, but their apt system is
 exceptional! Especially between versions.

I do not like to use Linux but when I have to use I use only RedHat
clones. I am sick of listening about Debian repositories. I am running
all the latest and greatest software on my PUIAS 6.5 machines. You have
to know your Yum. MATLAB, Oracle or any other serious proprietary
vendor supports only RedHat.

Cheers,
Predrag

P.S. I wanted to suggest that you go little bit through /etc/rc.d/ but
after reading that things about apt-get I do not think there is a point.
Just stick with Debian and stay away from OpenBSD.



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Jan Stary
On Apr 04 04:04:47, yellowgoldm...@gmail.com wrote:
 As we all know on the front page of OpenBSD it says Only two remote holes
 in the default install, in a heck of a long time.
 I don't understand why this is such a big deal.

Look at the history of other systems and their remote holes.
Don't you think OpenBSD stands out in this regard?

 A part from the base system in xBSD, OpenBSD - so far - also contains a
 chrooted web server, that can't be used for much else than serving static
 content, and then the X system, which also can't be used for anything
 before installing some third party application.

What do you mean, apart from the base system?
nginx _is_ in the base system.

X and the WMs can be used for their main purpose:
a couple of well organized xterms.

More importantly, the base system also contains
a TON of other useful stuff. Do you pretend
to not know this, or do you not know this?

 All in all the default install is pretty useless 

Ah, so the firewall, the dhcp, the mail server, the nameserver,
carp, bgpd, sndiod, none of that counts, right? Unbelievable.

 So we need those third party applications to start the party,

Party suggests you come from linux. Right?

 Maybe I am just plain stupid, but could someone explain to me the point in
 bragging about only two remote holes in the default install, when the
 default install is useless before you add some content to the system,
 unless you're running a web server serving static content only.

Or a mail server. Or a firewall. Or a nameserver. Or a router.
Or run an audio streaming server with midi (yes, that's in base).
Or do software development in C or Perl or shell.

But you are right, most of my machines are pretty boring.
They just sit there doing what they are supposed to.
No party there.



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Eric Furman
On Fri, Apr 4, 2014, at 01:47 AM, Martin Braun wrote:
 The particular issue didn't compromise the web server it only compromised
 the web application, but yes that made me look deeper into operating
 systems and security. I even tested FreeBSD Jails, but lets not go there.
 
 I used OpenBSD back in the 3.x days, but eventually began using Debian
 because it was much easier to maintain - yes, I compromised quality over
 convenience.

Easier to maintain?? How?
This has not been my experience.

 
 Theo thank you for your reply. My mail was not meant in any negative way,
 I
 just didn't understand it.
 
 Having all these always-enabled-security settings of course makes a big
 difference!
 
 
 2014-04-04 6:24 GMT+02:00 Theo de Raadt dera...@cvs.openbsd.org:
 
   On Thu, Apr 3, 2014 at 10:04 PM, Martin Braun yellowgoldm...@gmail.com
  wrote:
  
As we all know on the front page of OpenBSD it says Only two remote
  holes
in the default install, in a heck of a long time.
   
I don't understand why this is such a big deal.
   
  
   Because their shit don't stink?  Unlike other distributions that are
   defective upon install?
  
   You cannot understand why that is not a big deal?
 
  https://lists.debian.org/debian-user/2014/03/msg00795.html
 
  On Mar 13, 2014 11:06 PM, Martin Braun yellowgoldm...@gmail.com
  wrote:
 
  Hi
 
  I have recently experienced a server being hacked due to a security
  problem with a PHP application that made it possible for the hacker
  to gain a web shell.
 
 
 
  Software security is a tricky thing.  If Martin's PHP got hacked, it
  is likely he does not have a strong understanding of the underpinnings
  of how holing happens.   That's fine.  I don't tune my engine either.
 
  1) Some attacks are possible because of rather simple logic errors
 in the software.
 ( everyone makes logic errors...)
 
  2) Other attacks involve extremely complex mechanisms and, depend
 upon memory layout conditions that can be guessed or controlled
 by an attacker.  This attack surface received significant attention
 starting around 2001.
 
 ( this is where OpenBSD's efforts have focused attention, with
 tremendous effect, meaning the mitigations we trailed are now proven
 enough your phones have them enabled system-wide, but your Linux boxes
 do not.)
 
  3) Other attack mechanisms are based on configuration errors, and
 sometimes default configuration processes trick people into
 those mistakes
 ( our group argues for simpler setups, shrug)
 
  4) The list goes on, but the above 3 cover the most serious penetrations.
 
 
  None of us know which particular combination of things got Martin's
  environment fried.
 
 
  I hazard a guess that he can't believe that a group exists who have
  focused on this for 20 years, with such success over 10 years.
 
 
  Obviously other software groups are better financed...
 
 
 
  Anyways, it is possible to succeed.
 
  The explanation is simple, we traded about 5% of application
  performance for built-in ALWAYS-ENABLED security mitigations that we
  found in research papers, or elsewhere, or invented ourselves.
  Because machines keep getting faster, our community barely noticed the
  performance loss.
 
  But they notice that they were not getting holed.
 
  That's worth praising.
 
 
  Good god, Ubuntu says you can Start, drag, drop, deploy, done!
  Unbelievable, how pathetic a claim.  You go get 'em, Martin...



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread bofh
On Fri, Apr 4, 2014 at 3:13 AM, Eric Furman ericfur...@fastmail.net wrote:

 On Fri, Apr 4, 2014, at 01:47 AM, Martin Braun wrote:
  I used OpenBSD back in the 3.x days, but eventually began using Debian
  because it was much easier to maintain - yes, I compromised quality over
  convenience.

 Easier to maintain?? How?
 This has not been my experience.


apt-get upgrade and apt-get distupgrade is pretty neat.  Especially when
they go from version to new version of the OS.


-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.  --
Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Andy

Hahahahahahahahahaha.. Reaallly!!! :)

You should have sent this a couple of days ago as an April fools, I 
genuinely thought it was at first.


Anyway it seems like enough people have already replied so I won't add 
any more. Just had to reply because this genuinely made me laugh out loud.



Good luck and happy learning. OpenBSD is a learning curve but one which 
will pay off if you persevere (especially if you're trying to use it for 
network services).



On 04/04/14 03:04, Martin Braun wrote:

As we all know on the front page of OpenBSD it says Only two remote holes
in the default install, in a heck of a long time.

I don't understand why this is such a big deal.

A part from the base system in xBSD, OpenBSD - so far - also contains a
chrooted web server, that can't be used for much else than serving static
content, and then the X system, which also can't be used for anything
before installing some third party application.

All in all the default install is pretty useless in itself and I am going
to quote Absolute OpenBSD by Michael Lucas:

   «You're installed OpenBSD and rebooted into a bare-bones system. Of
course, a minimal Unix-like system is actually pretty boring. While it
makes a powerful foundation, it doesn't actually do much of anything.»

So we need those third party applications to start the party, yet none of
these applications receives the same code audit, security development and
quality control as OpenBSD does.

As soon as we install a single third party application our entire operating
system is, in theory at least, compromised as these third party
applications gets installed as root.

Maybe I am just plain stupid, but could someone explain to me the point in
bragging about only two remote holes in the default install, when the
default install is useless before you add some content to the system,
unless you're running a web server serving static content only.

Best regards.

Martin




Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Tito Mari Francis Escaño
By easier to maintain, it means having regular task of patching the system
here or there a.k.a. job security for system administrators :)


On Fri, Apr 4, 2014 at 3:13 PM, Eric Furman ericfur...@fastmail.net wrote:

 On Fri, Apr 4, 2014, at 01:47 AM, Martin Braun wrote:
  The particular issue didn't compromise the web server it only compromised
  the web application, but yes that made me look deeper into operating
  systems and security. I even tested FreeBSD Jails, but lets not go there.
 
  I used OpenBSD back in the 3.x days, but eventually began using Debian
  because it was much easier to maintain - yes, I compromised quality over
  convenience.

 Easier to maintain?? How?
 This has not been my experience.

 
  Theo thank you for your reply. My mail was not meant in any negative way,
  I
  just didn't understand it.
 
  Having all these always-enabled-security settings of course makes a big
  difference!
 
 
  2014-04-04 6:24 GMT+02:00 Theo de Raadt dera...@cvs.openbsd.org:
 
On Thu, Apr 3, 2014 at 10:04 PM, Martin Braun 
 yellowgoldm...@gmail.com
   wrote:
   
 As we all know on the front page of OpenBSD it says Only two
 remote
   holes
 in the default install, in a heck of a long time.

 I don't understand why this is such a big deal.

   
Because their shit don't stink?  Unlike other distributions that are
defective upon install?
   
You cannot understand why that is not a big deal?
  
   https://lists.debian.org/debian-user/2014/03/msg00795.html
  
   On Mar 13, 2014 11:06 PM, Martin Braun yellowgoldm...@gmail.com
 
   wrote:
  
   Hi
  
   I have recently experienced a server being hacked due to a
 security
   problem with a PHP application that made it possible for the
 hacker
   to gain a web shell.
  
  
  
   Software security is a tricky thing.  If Martin's PHP got hacked, it
   is likely he does not have a strong understanding of the underpinnings
   of how holing happens.   That's fine.  I don't tune my engine either.
  
   1) Some attacks are possible because of rather simple logic errors
  in the software.
  ( everyone makes logic errors...)
  
   2) Other attacks involve extremely complex mechanisms and, depend
  upon memory layout conditions that can be guessed or controlled
  by an attacker.  This attack surface received significant attention
  starting around 2001.
  
  ( this is where OpenBSD's efforts have focused attention, with
  tremendous effect, meaning the mitigations we trailed are now proven
  enough your phones have them enabled system-wide, but your Linux
 boxes
  do not.)
  
   3) Other attack mechanisms are based on configuration errors, and
  sometimes default configuration processes trick people into
  those mistakes
  ( our group argues for simpler setups, shrug)
  
   4) The list goes on, but the above 3 cover the most serious
 penetrations.
  
  
   None of us know which particular combination of things got Martin's
   environment fried.
  
  
   I hazard a guess that he can't believe that a group exists who have
   focused on this for 20 years, with such success over 10 years.
  
  
   Obviously other software groups are better financed...
  
  
  
   Anyways, it is possible to succeed.
  
   The explanation is simple, we traded about 5% of application
   performance for built-in ALWAYS-ENABLED security mitigations that we
   found in research papers, or elsewhere, or invented ourselves.
   Because machines keep getting faster, our community barely noticed the
   performance loss.
  
   But they notice that they were not getting holed.
  
   That's worth praising.
  
  
   Good god, Ubuntu says you can Start, drag, drop, deploy, done!
   Unbelievable, how pathetic a claim.  You go get 'em, Martin...



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Kevin Chadwick
previously on this list Andy contributed:

 OpenBSD is a learning curve but one which 
 will pay off if you persevere (especially if you're trying to use it for 
 network services).

This is the best, perhaps only, way to answer the question, as there are
many reasons, mainly coming down to security being, I won't say the
priority or certainly the absolute priority, but given a lot of importance.

Security bugs in the linux kernel are bugs and any security issues are
less important. If a port is considered dangerous like wireshark was it
is removed to avoid encouraging it but users can still build it of
course. I would guess, as the job is made difficult by "a bug's a bug", that
the two remote holes statement would at least be in two or three digits
for just the linux kernel by now.

Correct code takes priority over adding features but you would be
surprised at the rate of features being added and the features OpenBSD
has that Linux does not.




Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Nick Holland
On 04/03/14 22:04, Martin Braun wrote:
...
 Maybe I am just plain stupid, but could someone explain to me the point in
 bragging about only two remote holes in the default install, when the
 default install is useless before you add some content to the system,
 unless you're running a web server serving static content only.

Let's pretend your statement about the default install being useless
hadn't been totally disproved already...

If you are building a big, complicated house, the first thing you need
is a solid foundation.  Now, you can build the rest of the house poorly
or well, but if the foundation is bad, the house is not going to be
solid, no matter the effort put into it.

The start to a good structure is a solid foundation.

Yes, put crapplications on OpenBSD, and you won't have good security
(though -- you MAY get lucky and have OpenBSD save your *** anyway).
But put good applications on a bad platform, you are unlikely to have
good security.

Now, you have been taking shortcuts to get bad applications running on
easy OSs (which probably means you were able to google for complete
how-tos so you didn't have to understand your task at hand), and I'm
sure like most people, you figure, what does it matter?  You can always
blame the attackers, you can say everything has bugs, nothing is
perfect, and all the other excuses and evasions people have used.  News
flash: the world is changing -- The general public is starting to
realize that the people they entrust with their data ARE responsible for
the security of that data, and not quite willing to accept the same old
crap excuses anymore.

Nick.



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Chris Bennett
Static web pages??

Did you notice that sqlite3 is in base?

So you could run your website off of a database, write your OWN software
in perl, make highly interactive pages, view them in lynx, offer images
to outside viewers browsers, etc.

I'm using postgresql, but I could change over to all base software and
run software that only works off of base. Hmm, very static.

X is also built in.
Gee, base is so insecure!!

Chris Bennett



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Kim Zeitler
 All in all the default install is pretty useless in itself and I am going
 to quote Absolute OpenBSD by Michael Lucas:
 
   «You're installed OpenBSD and rebooted into a bare-bones system. Of
 course, a minimal Unix-like system is actually pretty boring. While it
 makes a powerful foundation, it doesn't actually do much of anything.»

I may be a bit pedantic here but considering Michael's quote, he said
*boring* not *useless*. This is also reflected in his second sentence
... making a *powerful* foundation ...

Having a small pool of OpenBSD machines running for web, email, CARPed
firewalls and networking applications, I usually only install one ports
package - puppet to have it fit into our configuration management.



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Aaron Poffenberger
On Apr 3, 2014, at 10:20 PM, Kenneth Westerback kwesterb...@gmail.com wrote:

 On 3 April 2014 22:04, Martin Braun yellowgoldm...@gmail.com wrote:
 As we all know on the front page of OpenBSD it says Only two remote holes
 in the default install, in a heck of a long time.
 
 I don't understand why this is such a big deal.
 
 A part from the base system in xBSD, OpenBSD - so far - also contains a
 chrooted web server, that can't be used for much else than serving static
 content, and then the X system, which also can't be used for anything
 before installing some third party application.
 
 All in all the default install is pretty useless in itself and I am going
 to quote Absolute OpenBSD by Michael Lucas:
 
  «You're installed OpenBSD and rebooted into a bare-bones system. Of
 course, a minimal Unix-like system is actually pretty boring. While it
 makes a powerful foundation, it doesn't actually do much of anything.»
 
 So we need those third party applications to start the party, yet none of
 these applications receives the same code audit, security development and
 quality control as OpenBSD does.
 
 As soon as we install a single third party application our entire operating
 system is, in theory at least, compromised as these third party
 applications gets installed as root.
 
 Maybe I am just plain stupid, but could someone explain to me the point in
 bragging about only two remote holes in the default install, when the
 default install is useless before you add some content to the system,
 unless you're running a web server serving static content only.
 
 Firewalls? BGP Routers? Email servers? Relayd load balancers? All
 base-only external facing devices that might be nice to not have
 exploits in by default.
 
  Ken
 
 
 
 Best regards.
 
 Martin
 

It’s also nice to know you can safely enable networking on your
computer to install software, whether connected directly or through a
firewall. In theory your own network should be a safe haven. In
practice we know that's not always the case.

The current survival time for an unpatched Windows system when first
connected to the internet ranges from 66 minutes to 2,630 minutes.*
I've seen Windows computers take hours to fully patch after initial
install.

Linux systems have much better ranges (95 minutes to 2,141) and
usually patch much quicker.

Still, all else being equal, I choose the system that's not likely to
be compromised while I patch or install software.

And that's worth bragging about.

--Aaron

* Data for 2014-01-01 through 2014-04-03:
  https://isc.sans.edu/survivaltime.html.



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread sven falempin
On Fri, Apr 4, 2014 at 1:15 PM, Aaron Poffenberger a...@hypernote.comwrote:

 On Apr 3, 2014, at 10:20 PM, Kenneth Westerback kwesterb...@gmail.com
 wrote:

  On 3 April 2014 22:04, Martin Braun yellowgoldm...@gmail.com wrote:
  As we all know on the front page of OpenBSD it says Only two remote
 holes
  in the default install, in a heck of a long time.
 
  I don't understand why this is such a big deal.
 
  Apart from the base system in xBSD, OpenBSD - so far - also contains a
  chrooted web server, that can't be used for much else than serving
 static
  content, and then the X system, which also can't be used for anything
  before installing some third party application.
 
  All in all the default install is pretty useless in itself and I am
 going
  to quote Absolute OpenBSD by Michael Lucas:
 
   «You've installed OpenBSD and rebooted into a bare-bones system. Of
  course, a minimal Unix-like system is actually pretty boring. While it
  makes a powerful foundation, it doesn't actually do much of anything.»
 
  So we need those third party applications to start the party, yet none
 of
  these applications receives the same code audit, security development
 and
  quality control as OpenBSD does.
 
  As soon as we install a single third party application our entire
 operating
  system is, in theory at least, compromised as these third party
  applications get installed as root.
 
  Maybe I am just plain stupid, but could someone explain to me the point
 in
  bragging about only two remote holes in the default install, when the
  default install is useless before you add some content to the system,
  unless you're running a web server serving static content only.
 
  Firewalls? BGP Routers? Email servers? Relayd load balancers? All
  base-only external facing devices that might be nice to not have
  exploits in by default.
 
   Ken
 
 
 
  Best regards.
 
  Martin
 

 It’s also nice to know you can safely enable networking on your
 computer to install software, whether connected directly or through a
 firewall. In theory your own network should be a safe haven. In
 practice we know that's not always the case.

 The current survival time for an unpatched Windows system when first
 connected to the internet ranges from 66 minutes to 2,630 minutes.*
 I've seen Windows computers take hours to fully patch after initial
 install.

 Linux systems have much better ranges (95 minutes to 2,141) and
 usually patch much quicker.

 Still, all else being equal, I choose the system that's not likely to
 be compromised while I patch or install software.

 And that's worth bragging about.

 --Aaron

 * Data for 2014-01-01 through 2014-04-03:
   https://isc.sans.edu/survivaltime.html.


Bollocks

The uptime depends on the user, i.e. the main source of problems.

Linux packages are full of ugly bugs that can be detected with classic dev
tools. Microsoft drivers are fugly and nvidia is king in creating bloated
computers.

Let's say this in a Friday way:

In the hands of a 6-year-old with a hammer, any computer's uptime is low.

The OP doesn't even know JavaScript; why are we talking in this thread?

Oh, it is Friday.

--
() ascii ribbon campaign - against html e-mail
/\



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Stuart Henderson
On 2014-04-04, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote:
 If a port is considered dangerous like wireshark was it
 is removed to avoid encouraging it but users can still build it of
 course.

There's a problem with *not* having it in ports too, if people do compile
it for themselves, considering how long the damn thing takes to build it's
highly likely that they won't update it as often as if there were packages...

And it's less bad now than it used to be - they don't do proper privilege
separation like OpenBSD's tcpdump does, but at least it's now just the
network capture part that runs as root, the packet dissectors now run as
a normal uid.
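The split Stuart describes, as an added example in C (not OpenBSD's tcpdump source): the parent keeps the privileged side and feeds a frame down a pipe, while the child chroots into an empty, unwritable directory, drops to an unprivileged uid/gid, and only then runs the dissector. SANDBOX_DIR (/var/empty), the uid/gid 32767, the sample frame and the function names are assumptions for illustration; the dissector bounds-checks every read, which is exactly the class of bug the sandbox exists to contain.

```c
/* Added example, not OpenBSD's tcpdump source: a minimal privilege-separated
 * packet dissector. The parent keeps the privileged side (a real tool would
 * hold the bpf descriptor; here it feeds a constructed frame down a pipe).
 * The child chroots into an empty, unwritable directory, drops to an
 * unprivileged uid/gid and only then runs the untrusted parsing code.
 * SANDBOX_DIR, UNPRIV_UID/GID and the sample frame are assumptions. */
#define _DEFAULT_SOURCE 1      /* glibc: expose setgroups(); harmless elsewhere */
#include <sys/types.h>
#include <sys/wait.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SANDBOX_DIR "/var/empty"   /* assumed: empty, root-owned, not writable */
#define UNPRIV_UID  ((uid_t)32767) /* assumed: a dedicated, shell-less account */
#define UNPRIV_GID  ((gid_t)32767)

/* Constructed sample frame: Ethernet (type 0x0800) + bare IPv4 header,
 * 10.0.0.1 -> 10.0.0.2, protocol 6 (TCP), no payload. */
static const uint8_t SAMPLE_PKT[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x00,0x14, 0x00,0x01, 0x00,0x00, 0x40,0x06, 0x00,0x00,
    10,0,0,1, 10,0,0,2
};
static const size_t SAMPLE_LEN = sizeof SAMPLE_PKT;

/* The untrusted part. Every read is checked against len first; this is the
 * kind of code that has repeatedly gone wrong in dissectors, hence the sandbox.
 * Returns 0 and fills out, or -1 for a frame it will not parse. */
int dissect(const uint8_t *pkt, size_t len, char *out, size_t outlen)
{
    if (len < 14)
        return -1;                              /* truncated Ethernet header */
    if (pkt[12] != 0x08 || pkt[13] != 0x00)
        return -1;                              /* not IPv4 */
    const uint8_t *ip = pkt + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4)
        return -1;                              /* truncated, or not version 4 */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > iplen)
        return -1;                              /* IHL claims more than we have */
    snprintf(out, outlen, "%d.%d.%d.%d > %d.%d.%d.%d proto %d",
             ip[12], ip[13], ip[14], ip[15], ip[16], ip[17], ip[18], ip[19], ip[9]);
    return 0;
}

/* Confine the child. Order matters: chroot() needs root, and the gid must go
 * before the uid because setgid() is not allowed once we are unprivileged. */
int sandbox(const char *dir, uid_t uid, gid_t gid)
{
    if (chroot(dir) == -1 || chdir("/") == -1)
        return -1;
    if (setgroups(1, &gid) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* Make sure the drop took: we must now be uid and unable to regain root. */
    if (geteuid() != uid || setuid(0) != -1)
        return -1;
    return 0;
}

int main(void)
{
    int fd[2];
    if (pipe(fd) == -1)
        return 1;
    pid_t pid = fork();
    if (pid == -1)
        return 1;
    if (pid == 0) {                             /* child: confine, then parse */
        close(fd[1]);
        /* Started as root: refuse to parse unless the sandbox is in place.
         * Started unprivileged: there is nothing to drop (and no capture). */
        if (geteuid() == 0 && sandbox(SANDBOX_DIR, UNPRIV_UID, UNPRIV_GID) == -1)
            _exit(1);
        uint8_t buf[2048];
        char line[64];
        ssize_t n = read(fd[0], buf, sizeof buf);
        if (n > 0 && dissect(buf, (size_t)n, line, sizeof line) == 0)
            printf("%s\n", line);
        _exit(0);
    }
    close(fd[0]);                               /* parent: privileged side only */
    if (write(fd[1], SAMPLE_PKT, SAMPLE_LEN) != (ssize_t)SAMPLE_LEN)
        return 1;
    close(fd[1]);
    int status;
    if (waitpid(pid, &status, 0) == -1)
        return 1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run it as root to see the chroot and uid drop take effect; started as a normal user there is nothing to drop (and no capture would be possible either), so the child parses unconfined. A sandbox() failure makes the child exit rather than parse as root, and the setuid(0) probe catches a drop that silently did not take.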



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Martin Braun
No!

By easier to maintain it means apt-get update; apt-get dist-upgrade which
is freaking neat!

You can say what you want about Debian, but their apt system is
exceptional! Especially between versions.


2014-04-04 12:18 GMT+02:00 Tito Mari Francis Escaño 
titomarifran...@gmail.com:

 By easier to maintain, it means having regular task of patching the system
 here or there a.k.a. job security for system administrators :)


 On Fri, Apr 4, 2014 at 3:13 PM, Eric Furman ericfur...@fastmail.netwrote:

 On Fri, Apr 4, 2014, at 01:47 AM, Martin Braun wrote:
  The particular issue didn't compromise the web server it only
 compromised
  the web application, but yes that made me look deeper into operating
  systems and security. I even tested FreeBSD Jails, but lets not go
 there.
 
  I used OpenBSD back in the 3.x days, but eventually began using Debian
 because it was much easier to maintain - yes, I compromised quality over
 convenience.

 Easier to maintain?? How?
 This has not been my experience.

 
  Theo thank you for your reply. My mail was not meant in any negative
 way,
  I
  just didn't understand it.
 
  Having all these always-enabled-security settings of course makes a big
  difference!
 
 
  2014-04-04 6:24 GMT+02:00 Theo de Raadt dera...@cvs.openbsd.org:
 
On Thu, Apr 3, 2014 at 10:04 PM, Martin Braun 
 yellowgoldm...@gmail.com
   wrote:
   
 As we all know on the front page of OpenBSD it says Only two
 remote
   holes
 in the default install, in a heck of a long time.

 I don't understand why this is such a big deal.

   
Because their shit don't stink?  Unlike other distributions that are
defective upon install?
   
You cannot understand why that is not a big deal?
  
   https://lists.debian.org/debian-user/2014/03/msg00795.html
  
   On Mar 13, 2014 11:06 PM, Martin Braun 
 yellowgoldm...@gmail.com
   wrote:
  
   Hi
  
   I have recently experienced a server being hacked due to a
 security
   problem with a PHP application that made it possible for the
 hacker
   to gain a web shell.
  
  
  
   Software security is a tricky thing.  If Martin's PHP got hacked, it
   is likely he does not have a strong understanding of the underpinnings
   of how holing happens.   That's fine.  I don't tune my engine either.
  
   1) Some attacks are possible because of rather simple logic errors
  in the software.
  ( everyone makes logic errors...)
  
   2) Other attacks involve extremely complex mechanisms and, depend
  upon memory layout conditions that can be guessed or controlled
  by an attacker.  This attack surface received significant attention
  starting around 2001.
  
  ( this is where OpenBSD's efforts have focused attention, with
  tremendous effect, meaning the mitigations we trailed are now
 proven
  enough your phones have them enabled system-wide, but your Linux
 boxes
  do not.)
  
   3) Other attack mechanisms are based on configuration errors, and
  sometimes default configuration processes trick people into
  those mistakes
  ( our group argues for simpler setups, shrug)
  
   4) The list goes on, but the above 3 cover the most serious
 penetrations.
  
  
   None of us know which particular combination of things got Martin's
   environment fried.
  
  
   I hazard a guess that he can't believe that a group exists who have
   focused on this for 20 years, with such success over 10 years.
  
  
   Obviously other software groups are better financed...
  
  
  
   Anyways, it is possible to succeed.
  
   The explanation is simple, we traded about 5% of application
   performance for built-in ALWAYS-ENABLED security mitigations that we
   found in research papers, or elsewhere, or invented ourselves.
   Because machines keep getting faster, our community barely noticed the
   performance loss.
  
   But they notice that they were not getting holed.
  
   That's worth praising.
  
  
   Good god, Ubuntu says you can Start, drag, drop, deploy, done!
   Unbelievable, how pathetic a claim.  You go get 'em, Martin...



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Martin Braun
So you had a good time.. great!

So I guess you're running a clean OpenBSD box without any kind of
third-party application? In that case great.. otherwise go suck on a
lollipop!


2014-04-04 12:18 GMT+02:00 Andy a...@brandwatch.com:

 Hahahahahahahahahaha.. Reaallly!!! :)

 You should have sent this a couple of days ago as an April Fools', I
 genuinely thought it was at first.

 Anyway it seems like enough people have already replied so I won't add any
 more. Just had to reply because this genuinely made me laugh out loud.


 Good luck and happy learning. OpenBSD is a learning curve but one which
 will pay off if you persevere (especially if you're trying to use it for
 network services).


 On 04/04/14 03:04, Martin Braun wrote:

 As we all know on the front page of OpenBSD it says Only two remote holes
 in the default install, in a heck of a long time.

 I don't understand why this is such a big deal.

 Apart from the base system in xBSD, OpenBSD - so far - also contains a
 chrooted web server, that can't be used for much else than serving static
 content, and then the X system, which also can't be used for anything
 before installing some third party application.

 All in all the default install is pretty useless in itself and I am going
 to quote Absolute OpenBSD by Michael Lucas:

«You've installed OpenBSD and rebooted into a bare-bones system. Of
 course, a minimal Unix-like system is actually pretty boring. While it
 makes a powerful foundation, it doesn't actually do much of anything.»

 So we need those third party applications to start the party, yet none of
 these applications receives the same code audit, security development and
 quality control as OpenBSD does.

 As soon as we install a single third party application our entire
 operating
 system is, in theory at least, compromised as these third party
 applications get installed as root.

 Maybe I am just plain stupid, but could someone explain to me the point in
 bragging about only two remote holes in the default install, when the
 default install is useless before you add some content to the system,
 unless you're running a web server serving static content only.

 Best regards.

 Martin



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Martin Braun
 I used OpenBSD back in the 3.x days,

 The last 3.x release was 8 years ago.
 Are you fucking serious?

Yup.

 but eventually began using Debian
 because it was much easier to maintain

 Can you please give an example of a maintenance task
 that is easier than the comparable/analogous task in OpenBSD?
 Because I remember Debian kinda sucked when I used it in 1998.

apt-get update; apt-get dist-upgrade between versions are pretty awesome.

 Seriously though, the reason for me (and many people apparently)
 to use OpenBSD is the _extreme_simplicity_ of just about anything.

OpenBSD is great to use, but BSDs in general are not simplistic when it
comes to package management, hence the reason why FreeBSD is developing the
new pkg tool.. which is pretty much a clone of what apt does on Debian.

For me I remember when time was spent updating from one OpenBSD version to
the next. So many hours. Debian was a fantastic relief back then and still
is. However, this is without comparing security issues, but only talking
about simplicity.


2014-04-04 9:21 GMT+02:00 Jan Stary h...@stare.cz:

  I used OpenBSD back in the 3.x days,

 The last 3.x release was 8 years ago.
 Are you fucking serious?

  but eventually began using Debian
  because it was much easier to maintain

 Can you please give an example of a maintenance task
 that is easier than the comparable/analogous task in OpenBSD?
 Because I remember Debian kinda sucked when I used it in 1998.

 Seriously though, the reason for me (and many people apparently)
 to use OpenBSD is the _extreme_simplicity_ of just about anything.



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread ag@gmail
apt-get, though seemingly simple, brings in a shitload of libraries with names 
resembling alien species. Try doing a dpkg -l | wc -l and you'll get the idea. 
Even a default Debian system can have hundreds of libraries of dubious origins. 
Would I trust my important data to it? Definitely not.

Don't make the mistake of confusing simplicity with minimal work, which I 
think is what you have been implying all along. OpenBSD is the most simple OS 
I've ever had the pleasure of working with - as I know I am always in control, 
as there are very few unknowns.

If you are serious about having an internet-facing server with important data, 
then you should try OpenBSD. If it doesn't work, you always have a choice to 
move back to your favorite OS. Right tool for the job.

-ag

--
sent via 100% recycled electrons from my mobile command center.

On Apr 4, 2014, at 3:06 PM, Martin Braun yellowgoldm...@gmail.com wrote:

 I used OpenBSD back in the 3.x days,
 
 The last 3.x release was 8 years ago.
 Are you fucking serious?
 
 Yup.
 
 but eventually began using Debian
 because it was much easier to maintain
 
 Can you please give an example of a maintenance task
 that is easier than the comparable/analogous task in OpenBSD?
 Because I remember Debian kinda sucked when I used it in 1998.
 
 apt-get update; apt-get dist-upgrade between versions are pretty awesome.
 
 Seriously though, the reason for me (and many people apparently)
 to use OpenBSD is the _extreme_simplicity_ of just about anything.
 
 OpenBSD is great to use, but BSDs in general are not simplistic when it
 comes to package management, hence the reason why FreeBSD is developing the
 new pkg tool.. which is pretty much a clone of what apt does on Debian.
 
 For me I remember when time was spent updating from one OpenBSD version to
 the next. So many hours. Debian was a fantastic relief back then and still
 is. However, this is without comparing security issues, but only talking
 about simplicity.
 
 
 2014-04-04 9:21 GMT+02:00 Jan Stary h...@stare.cz:
 
 I used OpenBSD back in the 3.x days,
 
 The last 3.x release was 8 years ago.
 Are you fucking serious?
 
 but eventually began using Debian
 because it was much easier to maintain
 
 Can you please give an example of a maintenance task
 that is easier than the comparable/analogous task in OpenBSD?
 Because I remember Debian kinda sucked when I used it in 1998.
 
 Seriously though, the reason for me (and many people apparently)
 to use OpenBSD is the _extreme_simplicity_ of just about anything.



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Thomas Pfaff
 No!
 
 By easier to maintain it means apt-get update; apt-get dist-upgrade which
 is freaking neat!
 
 You can say what you want about Debian, but their apt system is
 exceptional! Especially between versions.

Yes, truly exceptional.

I had a blast upgrading from Sheesh to Whoosy, or whatever they're called
again.  After a few hours of downloading and unpacking, it failed miserably
and I had to foogle for hours trying to figure out how to fix it.  Finally
got it working so now I can enjoy outdated software rather than seriously
outdated software!  Freaking neat!  I could have upgraded OpenBSD several
times in that time.



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread John D. Verne
On Apr 4, 2014, at 18:06, Martin Braun yellowgoldm...@gmail.com wrote:

 I used OpenBSD back in the 3.x days,
 
 The last 3.x release was 8 years ago.
 Are you fucking serious?
 
 Yup.
 
 but eventually began using Debian
 because it was much easier to maintain
 
 Can you please give an example of a maintenance task
 that is easier than the comparable/analogous task in OpenBSD?
 Because I remember Debian kinda sucked when I used it in 1998.
 
 apt-get update; apt-get dist-upgrade between versions are pretty awesome.
 
 Seriously though, the reason for me (and many people apparently)
 to use OpenBSD is the _extreme_simplicity_ of just about anything.
 
 OpenBSD is great to use, but BSDs in general are not simplistic when it
 comes to package management, hence the reason why FreeBSD is developing the
 new pkg tool.. which is pretty much a clone of what apt does on Debian.
 
 For me I remember when time was spent updating from one OpenBSD version to
 the next. So many hours. Debian was a fantastic relief back then and still
 is. However, this is without comparing security issues, but only talking
 about simplicity.
 
Modern releases of OpenBSD are pretty easy and fast to update, especially with 
sysmerge. I used to have a pretty custom setup, and upgrade time wasn't my 
favourite (and so I skipped many releases...) But it is a lot easier these days.

You don't get precompiled patched kernels, though. This is the part that takes 
the longest for me (assuming there are patches that require kernel compiles) 
because my edge box isn't particularly fast. The package updating wasn't much 
different than running apt-get.

It seems to me that the difference between Debian and OpenBSD (and I've used 
both just as recently) is that one you update to reboot, and the other you 
reboot to upgrade. Time and effort seem about the same, these days.

-- jdv



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Juan Francisco Cantero Hurtado
On Fri, Apr 04, 2014 at 07:48:50PM -0400, John D. Verne wrote:
 On Apr 4, 2014, at 18:06, Martin Braun yellowgoldm...@gmail.com wrote:
 
  I used OpenBSD back in the 3.x days,
  
  The last 3.x release was 8 years ago.
  Are you fucking serious?
  
  Yup.
  
  but eventually began using Debian
  because it was much easier to maintain
  
  Can you please give an example of a maintenance task
  that is easier than the comparable/analogous task in OpenBSD?
  Because I remember Debian kinda sucked when I used it in 1998.
  
  apt-get update; apt-get dist-upgrade between versions are pretty awesome.

- Update with the bsd.rd kernel.
- Follow the instructions http://www.openbsd.org/faq/upgrade54.html
- pkg_add -u

  
  Seriously though, the reason for me (and many people apparently)
  to use OpenBSD is the _extreme_simplicity_ of just about anything.
  
  OpenBSD is great to use, but BSDs in general are not simplistic when it
  comes to package management, hence the reason why FreeBSD is developing the
  new pkg tool.. which is pretty much a clone of what apt does on Debian.
  
  For me I remember when time was spent updating from one OpenBSD version to
  the next. So many hours. Debian was a fantastic relief back then and still
  is. However, this is without comparing security issues, but only talking
  about simplicity.
  
 Modern releases of OpenBSD are pretty easy and fast to update, especially 
 with sysmerge. I used to have a pretty custom setup, and upgrade time wasn't 
 my favourite (and so I skipped many releases...) But it is a lot easier these 
 days.
 
 You don't get precompiled patched kernels, though. This is the part that 
 takes the longest for me (assuming there are patches that require kernel 
 compiles) because my edge box isn't particularly fast. The package updating 
 wasn't much different than running apt-get.

http://www.mtier.org/index.php/solutions/apps/openup/

 
 It seems to me that the difference between Debian and OpenBSD (and I've used 
 both just as recently) is that one you update to reboot, and the other you 
 reboot to upgrade. Time and effort seem about the same, these days.
 
 -- jdv
 

-- 
Juan Francisco Cantero Hurtado http://juanfra.info



Re: Only two holes in a heck of a long time, but why?

2014-04-03 Thread Scott Learmonth
The statement holds true though (well, I trust it does, I can't verify).
They're bragging about holes, or lack thereof, in their software, not
third party software. It's a matter of personal preference how much needs
to be added to a base install to make it good for your use. I use complete
base installs as routers, so I suppose one's need for additional software
is relative to the intended use.


On Thu, Apr 3, 2014 at 7:04 PM, Martin Braun yellowgoldm...@gmail.comwrote:

 As we all know on the front page of OpenBSD it says Only two remote holes
 in the default install, in a heck of a long time.

 I don't understand why this is such a big deal.

 Apart from the base system in xBSD, OpenBSD - so far - also contains a
 chrooted web server, that can't be used for much else than serving static
 content, and then the X system, which also can't be used for anything
 before installing some third party application.

 All in all the default install is pretty useless in itself and I am going
 to quote Absolute OpenBSD by Michael Lucas:

   «You've installed OpenBSD and rebooted into a bare-bones system. Of
 course, a minimal Unix-like system is actually pretty boring. While it
 makes a powerful foundation, it doesn't actually do much of anything.»

 So we need those third party applications to start the party, yet none of
 these applications receives the same code audit, security development and
 quality control as OpenBSD does.

 As soon as we install a single third party application our entire operating
 system is, in theory at least, compromised as these third party
 applications get installed as root.

 Maybe I am just plain stupid, but could someone explain to me the point in
 bragging about only two remote holes in the default install, when the
 default install is useless before you add some content to the system,
 unless you're running a web server serving static content only.

 Best regards.

 Martin



Re: Only two holes in a heck of a long time, but why?

2014-04-03 Thread Theo de Raadt
 So we need those third party applications to start the party, yet none of
 these applications receives the same code audit, security development and
 quality control as OpenBSD does.

But unlike on other operating systems, those applications are ALWAYS
compiled with PIE, and the stack protector is ALWAYS on, and the
address space is ALWAYS heavily randomized, and libc and the base
libraries ALWAYS have various mitigations and other randomizations
turned on.  Approximately 100 mitigation components (large and small)
add up, and apply to every single program run on such a machine in
various ways (large and small).

It is not zero sum.
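A quick check for one of the properties Theo lists, as an added example (not OpenBSD code): read a binary's ELF header and report whether it was linked position-independent. A PIE executable carries e_type ET_DYN, a fixed-address executable ET_EXEC. The function and constant names and the constructed headers are assumptions for illustration; ET_DYN is also what a shared library carries, so on an unknown file confirm it is an executable (it will have a PT_INTERP program header) before reading the verdict as "PIE".

```c
/* Added example (not OpenBSD code): classify a binary as PIE or not from its
 * ELF header alone. Only e_ident and e_type are examined, so it needs just
 * the first 18 bytes of the file. Names and sample headers are assumptions. */
#include <stddef.h>
#include <stdio.h>

enum { ELF_NOT_ELF = -1, ELF_EXEC = 0, ELF_PIE = 1 };

/* Returns ELF_PIE for ET_DYN, ELF_EXEC for ET_EXEC, ELF_NOT_ELF for anything
 * else: bad magic, too short, unknown class or byte order, other e_type. */
int elf_is_pie(const unsigned char *hdr, size_t len)
{
    if (len < 18 || hdr[0] != 0x7f || hdr[1] != 'E' || hdr[2] != 'L' || hdr[3] != 'F')
        return ELF_NOT_ELF;
    if (hdr[4] != 1 && hdr[4] != 2)             /* EI_CLASS: 32- or 64-bit */
        return ELF_NOT_ELF;
    unsigned e_type;
    if (hdr[5] == 1)                             /* EI_DATA: little-endian */
        e_type = hdr[16] | (hdr[17] << 8);
    else if (hdr[5] == 2)                        /* EI_DATA: big-endian */
        e_type = (hdr[16] << 8) | hdr[17];
    else
        return ELF_NOT_ELF;
    if (e_type == 2)
        return ELF_EXEC;                         /* ET_EXEC: fixed load address */
    if (e_type == 3)
        return ELF_PIE;                          /* ET_DYN: relocatable, ASLR applies */
    return ELF_NOT_ELF;
}

/* Same verdict for a file on disk; ELF_NOT_ELF if it cannot be read. */
int elf_file_is_pie(const char *path)
{
    unsigned char hdr[64];
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return ELF_NOT_ELF;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return elf_is_pie(hdr, n);
}

/* Constructed headers for a self-check (assumptions, not real binaries):
 * ELF64 little-endian x86-64 PIE and non-PIE, and an ELF32 big-endian PIE. */
static const unsigned char PIE_HDR[20]    = { 0x7f,'E','L','F', 2,1,1, 0,0,0,0,0,0,0,0,0, 3,0, 0x3e,0 };
static const unsigned char EXEC_HDR[20]   = { 0x7f,'E','L','F', 2,1,1, 0,0,0,0,0,0,0,0,0, 2,0, 0x3e,0 };
static const unsigned char BE_PIE_HDR[20] = { 0x7f,'E','L','F', 1,2,1, 0,0,0,0,0,0,0,0,0, 0,3, 0,0x14 };

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int r = elf_file_is_pie(argv[i]);
        printf("%s: %s\n", argv[i],
               r == ELF_PIE  ? "PIE (ET_DYN)" :
               r == ELF_EXEC ? "not PIE (ET_EXEC)" : "not a recognised ELF file");
    }
    return 0;
}
```

Build it and point it at binaries, e.g. ./elfpie /bin/ls /usr/local/bin/*; it prints one verdict per path. A port that shows up as ET_EXEC on an OpenBSD box is worth a second look, since the toolchain there produces ET_DYN by default.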



Re: Only two holes in a heck of a long time, but why?

2014-04-03 Thread Kenneth Westerback
On 3 April 2014 22:04, Martin Braun yellowgoldm...@gmail.com wrote:
 As we all know on the front page of OpenBSD it says Only two remote holes
 in the default install, in a heck of a long time.

 I don't understand why this is such a big deal.

 Apart from the base system in xBSD, OpenBSD - so far - also contains a
 chrooted web server, that can't be used for much else than serving static
 content, and then the X system, which also can't be used for anything
 before installing some third party application.

 All in all the default install is pretty useless in itself and I am going
 to quote Absolute OpenBSD by Michael Lucas:

   «You've installed OpenBSD and rebooted into a bare-bones system. Of
 course, a minimal Unix-like system is actually pretty boring. While it
 makes a powerful foundation, it doesn't actually do much of anything.»

 So we need those third party applications to start the party, yet none of
 these applications receives the same code audit, security development and
 quality control as OpenBSD does.

 As soon as we install a single third party application our entire operating
 system is, in theory at least, compromised as these third party
 applications get installed as root.

 Maybe I am just plain stupid, but could someone explain to me the point in
 bragging about only two remote holes in the default install, when the
 default install is useless before you add some content to the system,
 unless you're running a web server serving static content only.

Firewalls? BGP Routers? Email servers? Relayd load balancers? All
base-only external facing devices that might be nice to not have
exploits in by default.

 Ken



 Best regards.

 Martin



Re: Only two holes in a heck of a long time, but why?

2014-04-03 Thread bofh
On Thu, Apr 3, 2014 at 10:04 PM, Martin Braun yellowgoldm...@gmail.comwrote:

 As we all know on the front page of OpenBSD it says Only two remote holes
 in the default install, in a heck of a long time.

 I don't understand why this is such a big deal.


Because their shit don't stink?  Unlike other distributions that are
defective upon install?

You cannot understand why that is not a big deal?


-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.  --
Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: Only two holes in a heck of a long time, but why?

2014-04-03 Thread Martin Brandenburg
Martin Braun yellowgoldm...@gmail.com wrote:

 As we all know on the front page of OpenBSD it says Only two remote holes
 in the default install, in a heck of a long time.
 
 I don't understand why this is such a big deal.
 
 Apart from the base system in xBSD, OpenBSD - so far - also contains a
 chrooted web server, that can't be used for much else than serving static
 content, and then the X system, which also can't be used for anything
 before installing some third party application.
 
 All in all the default install is pretty useless in itself and I am going
 to quote Absolute OpenBSD by Michael Lucas:
 
   «You've installed OpenBSD and rebooted into a bare-bones system. Of
 course, a minimal Unix-like system is actually pretty boring. While it
 makes a powerful foundation, it doesn't actually do much of anything.»
 
 So we need those third party applications to start the party, yet none of
 these applications receives the same code audit, security development and
 quality control as OpenBSD does.

There are many quality daemons in base, including mail, web, and name
servers among others. They do receive the same code audit, security
development, and quality control that everything else in base gets.

 As soon as we install a single third party application our entire operating
 system is, in theory at least, compromised as these third party
 applications get installed as root.

I don't buy this. Theo and friends are not the only competent developers
in the world. There is plenty of well-written software that is simply
not within the scope of this project. Be careful what you install, but
realize that unless you make everything yourself from TTL chips, you're
going to have to trust someone to write good code. (and manufacture good
hardware!)

 Maybe I am just plain stupid, but could someone explain to me the point in
 bragging about only two remote holes in the default install, when the
 default install is useless before you add some content to the system,
 unless you're running a web server serving static content only.

The default install doesn't have the web server running. By your logic
you are compromised as soon as you type /usr/sbin/httpd. The point is
that the developers are proud of their accomplishment and show it.
Nobody is claiming that OpenBSD is infallible. See errata.html or
source-changes for evidence.

- Martin



Re: Only two holes in a heck of a long time, but why?

2014-04-03 Thread Theo de Raadt
 On Thu, Apr 3, 2014 at 10:04 PM, Martin Braun yellowgoldm...@gmail.comwrote:
 
  As we all know on the front page of OpenBSD it says Only two remote holes
  in the default install, in a heck of a long time.
 
  I don't understand why this is such a big deal.
 
 
 Because their shit don't stink?  Unlike other distributions that are
 defective upon install?
 
 You cannot understand why that is not a big deal?

https://lists.debian.org/debian-user/2014/03/msg00795.html

On Mar 13, 2014 11:06 PM, Martin Braun yellowgoldm...@gmail.com wrote:

Hi

I have recently experienced a server being hacked due to a security
problem with a PHP application that made it possible for the hacker
to gain a web shell.



Software security is a tricky thing.  If Martin's PHP got hacked, it
is likely he does not have a strong understanding of the underpinnings
of how holing happens.   That's fine.  I don't tune my engine either.

1) Some attacks are possible because of rather simple logic errors
   in the software.
   ( everyone makes logic errors...)

2) Other attacks involve extremely complex mechanisms and, depend
   upon memory layout conditions that can be guessed or controlled
   by an attacker.  This attack surface received significant attention
   starting around 2001.

   ( this is where OpenBSD's efforts have focused attention, with
   tremendous effect, meaning the mitigations we trailed are now proven
   enough your phones have them enabled system-wide, but your Linux boxes
   do not.)

3) Other attack mechanisms are based on configuration errors, and
   sometimes default configuration processes trick people into
   those mistakes
   ( our group argues for simpler setups, shrug)

4) The list goes on, but the above 3 cover the most serious penetrations.


None of us know which particular combination of things got Martin's
environment fried.


I hazard a guess that he can't believe that a group exists who have
focused on this for 20 years, with such success over 10 years.


Obviously other software groups are better financed...



Anyways, it is possible to succeed.

The explanation is simple, we traded about 5% of application
performance for built-in ALWAYS-ENABLED security mitigations that we
found in research papers, or elsewhere, or invented ourselves.
Because machines keep getting faster, our community barely noticed the
performance loss.

But they notice that they were not getting holed.

That's worth praising.


Good god, Ubuntu says you can Start, drag, drop, deploy, done!
Unbelievable, how pathetic a claim.  You go get 'em, Martin...



Re: Only two holes in a heck of a long time, but why?

2014-04-03 Thread bofh
On Fri, Apr 4, 2014 at 12:24 AM, Theo de Raadt dera...@cvs.openbsd.orgwrote:

  On Thu, Apr 3, 2014 at 10:04 PM, Martin Braun yellowgoldm...@gmail.com
 wrote:
 
   As we all know on the front page of OpenBSD it says Only two remote
 holes
   in the default install, in a heck of a long time.
  
   I don't understand why this is such a big deal.
  
 
  Because their shit don't stink?  Unlike other distributions that are
  defective upon install?
 
  You cannot understand why that is not a big deal?

 https://lists.debian.org/debian-user/2014/03/msg00795.html

 On Mar 13, 2014 11:06 PM, Martin Braun yellowgoldm...@gmail.com
 wrote:

 Hi

 I have recently experienced a server being hacked due to a security
 problem with a PHP application that made it possible for the hacker
 to gain a web shell.


Definitely not enough iron in someone's diet...



-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.  --
Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: Only two holes in a heck of a long time, but why?

2014-04-03 Thread Emille Blanc

On 14-04-03 7:04 PM, Martin Braun wrote:

As we all know on the front page of OpenBSD it says "Only two remote holes
in the default install, in a heck of a long time."

I don't understand why this is such a big deal.


<anecdote>
Not 3 days ago, I isolated suspicious network activity to a high-end 
networking product (microwave transmitter to be precise). Some exploit 
was most probably used to break into a privileged shell through the GUI, 
disable logs, re-configure name-server settings, bust cgi's causing 
control loss of the underlying system (reboot? What's that? RTFD? what's 
that?), and start flinging spam.  Said product does use some flava of 
linux as a base, though which is a closely guarded secret.

</anecdote>

Not trying to bash linux (there are many, far easier ways of doing so). 
But, an autonomous, single-purpose device, being turned into spam 
spewing brain-dead zombie on account of some kind of remote hole or 
holes? Amusement++

Use of high-end copy-pasta'd from the manufacturer's website.

--
http://blog.sarlok.com/
Sometimes all the left hand needs to know is where the right hand is, so it 
knows where to point the blame.



Re: Only two holes in a heck of a long time, but why?

2014-04-03 Thread Martin Braun
The particular issue didn't compromise the web server, it only compromised
the web application, but yes, that made me look deeper into operating
systems and security. I even tested FreeBSD Jails, but let's not go there.

I used OpenBSD back in the 3.x days, but eventually began using Debian
because it was much easier to maintain - yes, I compromised quality for
convenience.

Theo thank you for your reply. My mail was not meant in any negative way, I
just didn't understand it.

Having all these always-enabled-security settings of course makes a big
difference!


2014-04-04 6:24 GMT+02:00 Theo de Raadt dera...@cvs.openbsd.org:

  On Thu, Apr 3, 2014 at 10:04 PM, Martin Braun yellowgoldm...@gmail.com
 wrote:
 
   As we all know on the front page of OpenBSD it says Only two remote
 holes
   in the default install, in a heck of a long time.
  
   I don't understand why this is such a big deal.
  
 
  Because their shit don't stink?  Unlike other distributions that are
  defective upon install?
 
  You cannot understand why that is not a big deal?

 https://lists.debian.org/debian-user/2014/03/msg00795.html

 On Mar 13, 2014 11:06 PM, Martin Braun yellowgoldm...@gmail.com
 wrote:

 Hi

 I have recently experienced a server being hacked due to a security
 problem with a PHP application that made it possible for the hacker
 to gain a web shell.



 Software security is a tricky thing.  If Martin's PHP got hacked, it
 is likely he does not have a strong understanding of the underpinnings
 of how holing happens.   That's fine.  I don't tune my engine either.

 1) Some attacks are possible because of rather simple logic errors
in the software.
( everyone makes logic errors...)

 2) Other attacks involve extremely complex mechanisms and, depend
upon memory layout conditions that can be guessed or controlled
by an attacker.  This attack surface received significant attention
starting around 2001.

( this is where OpenBSD's efforts have focused attention, with
tremendous effect, meaning the mitigations we trailed are now proven
enough your phones have them enabled system-wide, but your Linux boxes
do not.)

 3) Other attack mechanisms are based on configuration errors, and
sometimes default configuration processes trick people into
those mistakes
( our group argues for simpler setups, shrug)

 4) The list goes on, but the above 3 cover the most serious penetrations.


 None of us know which particular combination of things got Martin's
 environment fried.


 I hazard a guess that he can't believe that a group exists who have
 focused on this for 20 years, with such success over 10 years.


 Obviously other software groups are better financed...



 Anyways, it is possible to succeed.

 The explanation is simple, we traded about 5% of application
 performance for built-in ALWAYS-ENABLED security mitigations that we
 found in research papers, or elsewhere, or invented ourselves.
 Because machines keep getting faster, our community barely noticed the
 performance loss.

 But they notice that they were not getting holed.

 That's worth praising.


 Good god, Ubuntu says you can Start, drag, drop, deploy, done!
 Unbelievable, how pathetic a claim.  You go get 'em, Martin...