Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-13 Thread Marko Cupać

On 2020-05-13 11:02, i...@aulix.com wrote:

(all your emails to @misc)


Dear Info,

the best way to get answers to all of your questions regarding OpenBSD 
is to try and run OpenBSD for a few years, trying to make it help with 
your real-world needs, such as a personal laptop, home gateway, personal 
email or web server etc. After some time, you will be able to decide 
whether OpenBSD is the right choice for you.


You should be able to find the majority of answers to your questions 
regarding OpenBSD in manpages, the FAQ, and books similar to "Absolute 
OpenBSD", "The Book of PF" etc. There are also various blogs from 
OpenBSD users, whose quality varies from very bad to very good.


As for idle gossip, I can suggest local bars, which is what I use. I 
understand they are all closed now due to the current situation with the 
pandemic, but the @misc mailing list is a really poor substitute.


Regards,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-13 Thread info
> This is "testing the waters" racism.

Where did you find an indication of racism?



Re: OpenSSH FIDO (Nitrokey) support (Was: Re: OpenBSD insecurity rumors from isopenbsdsecu.re)

2020-05-13 Thread info
Btw, thanks for this site link; maybe something like:

https://web.archive.org/web/20200513115537/https://undeadly.org/cgi?action=article=20190302235509

could work.

> On Wed, May 13, 2020 at 12:59:26PM +0200, i...@aulix.com wrote:
> 
>> Thanks for your suggestion,
>>
>> but googling for keys: +openbsd +nitrokey
>>
>> does not indicate anything interesting except a few of my own questions on 
>> the Nitrokey support forum.
> 
> I had to look up "Nitrokey" to verify that it was what I thought it was, but 
> that had me
> do a quick search for "OpenSSH FIDO support", which turned up among other 
> things this
> article: https://undeadly.org/cgi?action=article;sid=20191115064850 as well 
> as a number
> of blog posts and HOWTO-ish pieces that seem to indicate that quite likely 
> the combination
> would work.
> 
> I haven't tried the thing myself, but you should be able to find the same 
> stuff I did
> on the web. Then you could probably find a way to test with an OpenBSD setup 
> in a way
> that does not break things too horribly in case anything fails.
> 
> All the best,
> 
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-13 Thread Paul Wisehart
On Tue, May 12, 2020 at 05:09:16AM +0200, i...@aulix.com wrote:
> Treat it as my secret, I want and that is why I ask because I can, I wish you 
> tell me the answer without a knowledge of "why I ask",
> it is a very long discussion of answering by a question to question in your 
> Jewish style, is not it?

NOPE.
This is "testing the waters" racism.  NOPE NOPE NOPE.
We have this in the US right now all over the place.
This is casual "slip in some comment and see" if I can ramp it up.

It might not seem like a big deal, but I'm seeing nazi flags and 
confederate flags IRL now, and I think this right here is how it 
starts.

GTFO



Re: OpenSSH FIDO (Nitrokey) support (Was: Re: OpenBSD insecurity rumors from isopenbsdsecu.re)

2020-05-13 Thread info
Thanks for the suggestion. I have already seen it and even contacted SSH 
developer Damien Miller regarding FIDO key support a few weeks ago.

What I am looking for right now is something different: whether 
ssh-pkcs11-helper works with the sshd daemon on OpenBSD to store its server 
private key in a general Nitrokey Pro 2 (not HSM).

Btw, I am going to use several client-side dongles at once for a single SSH 
session, like Rutoken ECP2 and FIDO2, and only Nitrokey Pro 2 on the server 
for now.


> On Wed, May 13, 2020 at 12:59:26PM +0200, i...@aulix.com wrote:
> 
>> Thanks for your suggestion,
>>
>> but googling for keys: +openbsd +nitrokey
>>
>> does not indicate anything interesting except a few of my own questions on 
>> the Nitrokey support forum.
> 
> I had to look up "Nitrokey" to verify that it was what I thought it was, but 
> that had me
> do a quick search for "OpenSSH FIDO support", which turned up among other 
> things this
> article: https://undeadly.org/cgi?action=article;sid=20191115064850 as well 
> as a number
> of blog posts and HOWTO-ish pieces that seem to indicate that quite likely 
> the combination
> would work.
> 
> I haven't tried the thing myself, but you should be able to find the same 
> stuff I did
> on the web. Then you could probably find a way to test with an OpenBSD setup 
> in a way
> that does not break things too horribly in case anything fails.
> 
> All the best,
> 
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



OpenSSH FIDO (Nitrokey) support (Was: Re: OpenBSD insecurity rumors from isopenbsdsecu.re)

2020-05-13 Thread Peter N. M. Hansteen
On Wed, May 13, 2020 at 12:59:26PM +0200, i...@aulix.com wrote:
> Thanks for your suggestion, 
> 
> but googling for keys: +openbsd +nitrokey
> 
> does not indicate anything interesting except a few of my own questions on 
> the Nitrokey support forum.

I had to look up "Nitrokey" to verify that it was what I thought it was, but 
that had me
do a quick search for "OpenSSH FIDO support", which turned up among other 
things this
article: https://undeadly.org/cgi?action=article;sid=20191115064850 as well as 
a number
of blog posts and HOWTO-ish pieces that seem to indicate that quite likely the 
combination
would work.

I haven't tried the thing myself, but you should be able to find the same stuff 
I did
on the web. Then you could probably find a way to test with an OpenBSD setup in 
a way
that does not break things too horribly in case anything fails.

All the best,

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-13 Thread info
Thanks for your suggestion, 

but googling for keys: +openbsd +nitrokey

does not indicate anything interesting except a few of my own questions on the 
Nitrokey support forum.

I would like to hear from some real OpenBSD user about whether he is happy with 
Nitrokey on OpenBSD.

Another point of mine is about hardware security: it does not matter how long 
someone uses an operating system like OpenBSD (10 or 20 years); 
unless he has very special knowledge he will not determine any hardware 
insecurities without external help.

> On 2020-05-13 11:02, i...@aulix.com wrote:
> 
>>> (all your emails to @misc)
> 
> Dear Info,
> 
> the best way to get answers to all of your questions regarding OpenBSD
> is to try and run OpenBSD for a few years, trying to make it help with
> your real-world needs, such as a personal laptop, home gateway, personal
> email or web server etc. After some time, you will be able to decide
> whether OpenBSD is the right choice for you.
> 
> You should be able to find majority of answers to your questions
> regarding OpenBSD in manpages, FAQ, and books similar to "Absolute
> OpenBSD", "The Book of PF" etc. There are also various blogs from
> OpenBSD users, whose quality varies from very bad to very good.
> 
> As for idle gossip, I can suggest local bars, which is what I use. I
> understand they are all closed now due to current situation with
> pandemic, but @misc mailing list is really poor substitute.
> 
> Regards,
> 
> --
> Before enlightenment - chop wood, draw water.
> After enlightenment - chop wood, draw water.
> 
> Marko Cupać
> https://www.mimar.rs/



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-13 Thread info
> Free advice from a fellow East European who might better understand
> your obnoxious behaviour on this list:

I find the behavior of commenters like you much more obnoxious; you are simply 
trolling me and the whole topic of this thread and some interesting facts 
mentioned here which might not please people (agents?) like you.

> This community's motto is "Shut up and hack!".

Is it not idiotic to hack (work on it, spend time and resources on it) 
something until you know exactly whether it really solves your problem?

>You are just talking a lot about OpenBSD and not hacking at all on OpenBSD 
>stuff. 

See the answer above. I would not spend a single second of my life working on 
something before I try to verify it is useful enough for me and makes me some 
type of profit.

> By now, probably lots of people just ignore you, because your frequent (and
> sometimes naive) emails amount to spam for most of them, especially
> the most knowledgeable.

Trolls like you often like to speak from the position of "all", though you are 
NOT all, not even close. Actually you are a minority whose opinions are not 
interesting for me and most likely harmful, trying to create wrong beliefs 
for me.

I am interested only in answers from positively minded people who are willing 
to help, and I prefer to ban trolls like you from my thread; though it is 
obvious that even if trolls have the power to blacklist my e-mail, I can 
automate with ZennoPoster or pure DotNet/Mono a routine to register under a new 
account in about 1 min with a new e-mail on a new domain and continue the 
discussion only with the positive part of the community.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-12 Thread slackwaree
And who the fuck gave you permission to talk cockbreath?

‐‐‐ Original Message ‐‐‐
On Monday, May 11, 2020 8:03 PM, Daniel Jakots  wrote:

> On Mon, 11 May 2020 17:27:24 +, slackwaree
> slackwa...@protonmail.com wrote:
>
> > I wish if the someone who took the time to make this page at least
> > would make an antisystemD page instead.
>
> I doubt anyone asked you how they should spend their time.
>
> > Let's face it how much time that old fart linus has, maybe
> > COVID takes him too.
>
> Are you really saying you hope he dies?

No, I don't hope that this shithill dies; I hope half of the world population 
dies because they ain't good for anything. Eating, shitting fuckmachines. All 
they know is how to shit out retards like you. You surely didn't come out of the 
front hole but the back; go back and sit in a corner.


> What the fuck is wrong with you?
>
> > I couldn't care less either, all I care is my
> > BSD servers uptime 600+ days and not 1 day I worry about their
> > security.
>
> You are clearly clueless.

Ain't worth my time, maggot. Kind of you should die of COVID with their tard 
family.


>
> Please refrain from posting again such shitty emails.
>
> Thanks,
> Daniel




Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-12 Thread Florian Obser
Please leave, optionally seek professional help and never come back.

-- 
I'm not entirely sure you are real.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-12 Thread info
> What exactly does your budget mean? These are all free, open source
> operating systems. You may sell both OpenBSD and any installations and
> consulting. That could improve your income for your budget.

I am in the process of trying to find remote devops work; maybe it will 
improve my budget. Actually I am not familiar with the current global market 
and my position in it, and I am not sure if I have enough time to get a secure 
working place before I will have to look for cheaper and less qualified job 
alternatives that are not so sensitive to my working place security.

> Open source means that most developers work for free and fun or to
> obtain something they in particular want. Convince some developers to
> work on your own desires, whether with OpenBSD or elsewhere.

I am just trying to get help at least with a simple question: whether 
Orange Pi One (Cortex-A7, free of the Spectre issue) + Nitrokey Pro 2 + OpenBSD 
is enough for secure SSH server and client endpoints; 
still nobody has said anything related to it. 
Or maybe anyone knows whether there are any better alternatives?

> 
>> I guess it is a huge amount of work to harden a Linux installation to a 
>> level comparable to OpenBSD; there is some interesting work by Whonix, but 
>> unfortunately with systemd, and it seems someone from that community is 
>> referring to the isopenbsdsecu.re site, so it looks to me like an OpenBSD vs 
>> Whonix dispute; excuse me if I am wrong.
> 
> Linus actively discourages security work. OpenBSD is thrilled to
> actively work on security. A major component that brings security
> benefits is simple auditing of code, not for security but for
> correctness.
> If you are seeking perfect security, YOU CAN'T HAVE IT!
> It is impossible. Not even agencies such as the NSA, etc have it.
> Remember Edward Snowden? All systems can be breached. Period.

Then how can I provide a good level of security for my remote client if 
everything can be broken?
How much does it cost to break remotely into an SSH server running OpenBSD on an 
Orange Pi One with SSH private keys stored in a Nitrokey Pro 2, 
if I connect to it from my home from a similar dedicated console (say 
Cubietruck + Nitrokey Pro 2 + OpenBSD) 
without any other spare software on that board? It will be dedicated only to 
devops activity.
On both sides of the channel there would be a firewall which allows connections 
only from specified IP addresses (me and the client).

The local physical perimeter is secured at least against external threats; I 
cannot protect against teleportation :) 
But presumably it is not possible to reflash the Orange Pi boot ROM or the 
Nitrokey Pro 2 anyway, 
and I can periodically verify the integrity of the OpenBSD installation on the 
SD card.
Any other applications except SSH and ansible, like browsers, would be run 
from other computers or a cloud VM.

> 
> My suggestion is to stop taking a confrontational attitude ( you may not
> even realize you are doing it) and try to take a congenial attitude. It
> will always produce more good results than confrontation.

Good point, I am just trying to. The OpenBSD chat and community are very nice; 
it is very interesting to talk to such highly qualified persons.

Thank you



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-12 Thread Chris Bennett
On Tue, May 12, 2020 at 07:17:44AM +0200, i...@aulix.com wrote:
> I would prefer to begin with grsecurity, but it is not available up to date 
> for my budget.
> 
What exactly does your budget mean? These are all free, open source
operating systems. You may sell both OpenBSD and any installations and
consulting. That could improve your income for your budget.

> I would also try HardenedBSD, but is it only amd64 now? And how many active 
> developers are there? One or two?
> 

I run two Intel-based servers with OpenBSD amd64. They run flawlessly.

> OpenBSD looks like the only viable option for me right now; maybe another one 
> is a systemd-free distro like Devuan with a hardened kernel like the one by 
> @anthrax, but I am too unskilled even to understand what the improvements of 
> the @anthrax kernel are for me without a good doc for it in existence, and on 
> the other hand OpenBSD is famous for its very good documentation. 

Open source means that most developers work for free and fun or to
obtain something they in particular want. Convince some developers to
work on your own desires, whether with OpenBSD or elsewhere.

> 
> I guess it is a huge amount of work to harden a Linux installation to a level 
> comparable to OpenBSD; there is some interesting work by Whonix, but 
> unfortunately with systemd, and it seems someone from that community is 
> referring to the isopenbsdsecu.re site, so it looks to me like an OpenBSD vs 
> Whonix dispute; excuse me if I am wrong.
>

Linus actively discourages security work. OpenBSD is thrilled to
actively work on security. A major component that brings security
benefits is simple auditing of code, not for security but for
correctness.
If you are seeking perfect security, YOU CAN'T HAVE IT!
It is impossible. Not even agencies such as the NSA, etc have it.
Remember Edward Snowden? All systems can be breached. Period.

My suggestion is to stop taking a confrontational attitude (you may not
even realize you are doing it) and try to take a congenial attitude. It
will always produce more good results than confrontation.

Chris Bennett

PS. Please format your emails to 80 or 72 character width.
Your long lines are mildly irritating and non-standard in the Unix-like
world. Or just hit enter more often.




Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-12 Thread info
> Also NSA controls your brain with 5G radio waves. Go burn some towers in
> the name of the Freedom!

Would not just a foil hat help? Do you have some OpenBSD edition?



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-12 Thread Ottavio Caruso
On Tue, 12 May 2020 at 09:47,  wrote:

>
> Is not systemd one of such backdoors? Does it include any interesting 
> "features" except the so-called "init system"?

1) You're asking in the wrong place
2) It's off topic
3) If you need to ask, it means you don't have a clue. It's ok to ask,
but don't make sweeping statements if you don't have a clue.
4) Learn how to quote a message.



-- 
Ottavio Caruso



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-12 Thread Ottavio Caruso
On Tue, 12 May 2020 at 02:13,  wrote:
>
> Linux GNU software has hardly visible NSA backdoors

If you have the technical skills to back this argument up, please look
in the "Linux GNU software" source, find the backdoors and report
back.

-- 
Ottavio Caruso



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-12 Thread Consus
On Tue, May 12, 2020 at 10:47:48AM +0200, i...@aulix.com wrote:
> Sure, I do not have such skills; I am a complete noob trying to build a
> secure console and router, but most likely IMHO the backdoors are
> targeted to be used from invisible virtualization trojans on X86? I
> was even advised to avoid Libreboot on X86 because it is GNU, though
> for me it is sometimes difficult to understand where the trolling is in
> this area of my interest.
> 
> Is not systemd one of such backdoors? Does it include any interesting
> "features" except the so-called "init system"?

Also NSA controls your brain with 5G radio waves. Go burn some towers in
the name of the Freedom!



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-12 Thread info
Sure, I do not have such skills; I am a complete noob trying to build a secure 
console and router, but most likely IMHO the backdoors are targeted to be used 
from invisible virtualization trojans on X86? I was even advised to avoid 
Libreboot on X86 because it is GNU, though for me it is sometimes difficult to 
understand where the trolling is in this area of my interest.

Is not systemd one of such backdoors? Does it include any interesting 
"features" except the so-called "init system"?



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-12 Thread doug
 Original Message 
Subject: Re: OpenBSD insecurity rumors from isopenbsdsecu.re
From: i...@aulix.com
Date: Mon, May 11, 2020 9:18 pm
To: Philip Guenther 
Cc: OpenBSD misc 

It is IMHO rather not a matter of trusting your questions, but of my not
being willing to answer them right now; I can answer them later if I
want. It is not a matter of trust but rather a tactic of choosing a
sequence of what to answer and when.

You know there are not a lot of secure enough alternatives to choose from
except OpenBSD, and your commits alone shall not be that big a problem
and reason to reject OpenBSD, since the code is being reviewed by other
OpenBSD participants?

Do you think there are fewer committers like you in many, many Linux
components like the Linux kernel, AppArmor, a Linux distro, and is there any
other choice for me except OpenBSD and some type of hardened Linux
without systemd like Devuan or Alpine?

Is it not childish behavior of yours that if I do not follow your
method of discussion then I shall not use your work? You ban me from
the allowed users at least mentally by your ultimatum, not practically of
course, as you cannot prohibit me from using any open source products like
OpenBSD or Linux distros.

**

To give a quick answer and to the point: when OpenBSD originally split
from NetBSD, cryptographic software with any part of it written by US
citizens could not be distributed outside the US without explicit
government approval and licensure. If any revisions were made by US
citizens, the entire code base would also be considered prohibited to
anyone outside the US without explicit government approval.

If you want further details of the restrictions, look up ITAR in your
favorite search engine. I do not choose to further test the patience of
most of the other users of the listserv, many of whom are already aware
of this.


Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-12 Thread info
There is a single place to take buzzwords from (not random as you said):

http://www.freezepage.com/1589263204VJFCCPNUBQ

https://hardenedbsd.org/content/easy-feature-comparison



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Anders Andersson
On Tue, May 12, 2020 at 7:19 AM  wrote:
>
> I would prefer to begin with grsecurity, but it is not available up to date 
> for my budget.
>
> I would also try HardenedBSD, but is it only amd64 now? And how many active 
> developers are there? One or two?
>
> OpenBSD looks like the only viable option for me right now; maybe another one 
> is a systemd-free distro like Devuan with a hardened kernel like the one by 
> @anthrax, but I am too unskilled even to understand what the improvements of 
> the @anthrax kernel are for me without a good doc for it in existence, and on 
> the other hand OpenBSD is famous for its very good documentation.
>
> I guess it is a huge amount of work to harden a Linux installation to a level 
> comparable to OpenBSD; there is some interesting work by Whonix, but 
> unfortunately with systemd, and it seems someone from that community is 
> referring to the isopenbsdsecu.re site, so it looks to me like an OpenBSD vs 
> Whonix dispute; excuse me if I am wrong.

You keep swallowing up buzzwords from completely random places without
taking the time to understand what everything means or how it affects
you.

There's no silver bullet. Figure out and enumerate *your* threat
model, then find a solution that you understand.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Raul Miller
On Mon, May 11, 2020 at 9:17 PM  wrote:
> I was told in the chat that Linux GNU software has hardly visible NSA 
> backdoors, and IMHO most funding for Linux seems to be from the USA?

This is beyond incompetent. You've got the wrong mailing list for this
kind of issue, you haven't identified the version with the problem,
you haven't even identified the problem.

All you are doing is citing vague rumor.

Why are you doing this?

-- 
Raul



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread info
I would prefer to begin with grsecurity, but it is not available up to date for 
my budget.

I would also try HardenedBSD, but is it only amd64 now? And how many active 
developers are there? One or two?

OpenBSD looks like the only viable option for me right now; maybe another one is 
a systemd-free distro like Devuan with a hardened kernel like the one by 
@anthrax, but I am too unskilled even to understand what the improvements of the 
@anthrax kernel are for me without a good doc for it in existence, and on the 
other hand OpenBSD is famous for its very good documentation. 

I guess it is a huge amount of work to harden a Linux installation to a level 
comparable to OpenBSD; there is some interesting work by Whonix, but 
unfortunately with systemd, and it seems someone from that community is 
referring to the isopenbsdsecu.re site, so it looks to me like an OpenBSD vs 
Whonix dispute; excuse me if I am wrong.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Louis Fredrickson
You are acting like a fool.
If you admit to seeing how they eat their own dog food and the quality of
the project because of their own way, but only when it suits your internet
arguments, then you may as well just buy security from a big corporate
Linux.
It's not about $100 words hiding a children's tantrum after being told it's
up to you, it's about understanding that *it's up to you*.


On Tue, May 12, 2020, 4:20 PM  wrote:

> It is IMHO rather not a matter of trusting your questions, but of my not
> being willing to answer them right now; I can answer them later if I
> want. It is not a matter of trust but rather a tactic of choosing a
> sequence of what to answer and when.
>
> You know there are not a lot of secure enough alternatives to choose from
> except OpenBSD, and your commits alone shall not be that big a problem
> and reason to reject OpenBSD, since the code is being reviewed by other
> OpenBSD participants?
>
> Do you think there are fewer committers like you in many, many Linux
> components like the Linux kernel, AppArmor, a Linux distro, and is there any
> other choice for me except OpenBSD and some type of hardened Linux
> without systemd like Devuan or Alpine?
>
> Is it not childish behavior of yours that if I do not follow your
> method of discussion then I shall not use your work? You ban me from
> the allowed users at least mentally by your ultimatum, not practically of
> course, as you cannot prohibit me from using any open source products like
> OpenBSD or Linux distros.
>
>


Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread info
It is IMHO rather not a matter of trusting your questions, but of my not being 
willing to answer them right now; I can answer them later if I want. It is not a 
matter of trust but rather a tactic of choosing a sequence of what to answer 
and when.

You know there are not a lot of secure enough alternatives to choose from except 
OpenBSD, and your commits alone shall not be that big a problem and reason to 
reject OpenBSD, since the code is being reviewed by other OpenBSD 
participants?

Do you think there are fewer committers like you in many, many Linux components 
like the Linux kernel, AppArmor, a Linux distro, and is there any other choice 
for me except OpenBSD and some type of hardened Linux without systemd like 
Devuan or Alpine?

Is it not childish behavior of yours that if I do not follow your method of 
discussion then I shall not use your work? You ban me from the allowed users at 
least mentally by your ultimatum, not practically of course, as you cannot 
prohibit me from using any open source products like OpenBSD or Linux distros.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Philip Guenther
On Mon, May 11, 2020 at 6:09 PM  wrote:
...

> > And why would *you* care about those ways? If you can't tell us why you
> > would care, how can we answer your _real_ question?


> Treat it as my secret, I want and that is why I ask because I can, I wish
> you tell me the answer without a knowledge of "why I ask",
> it is a very long discussion of answering by a question to question in
> your Jewish style, is not it?
>

I considered treating your questions in good faith, but then you said
this.  If my questions have you spouting this nonrational drivel then you
should stay away from OpenBSD because I am a committer and if you can't
trust my questions then you shouldn't trust my code.




Philip Guenther


Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread info
> I'm not sure what that sentence even means. What would a "trust relationship" 
> between OpenBSD and "current USA" actually mean in terms of a CHANGE IN 
> BEHAVIOR?

"CHANGE IN BEHAVIOR" of whom or of what?

> Hell, what does "current USA" even _mean_?!? 

Very high activity of the NSA embedding their backdoors everywhere they can.

> Did you mean to say "the US Federal Government"? If so, what would "trust 
> between OpenBSD and the US Federal Government" actually mean in terms of a 
> change in behavior that you, i...@aulix.com, could actually detect?

How does it matter if I can detect something?

Do you mean i...@aulix.com is too Untermensch just to even wonder and ask such 
questions?

Can anyone detect this?

https://web.archive.org/web/20190624163342/https://www.rlighthouse.com/targeted-individuals.html

Does the OpenBSD project, according to:

https://web.archive.org/web/20200512025352/https://www.openbsd.org/crypto.html

prohibit American people from working on OpenBSD cryptography?


> 
> And why would *you* care about those ways? If you can't tell us why you would 
> care, how can we answer your _real_ question?

Treat it as my secret; I want to, and that is why I ask, because I can. I wish 
you would tell me the answer without knowledge of "why I ask"; 
it is a very long discussion, answering a question with a question in your 
Jewish style, is it not?

> 
> There is cryptographic software in OpenBSD that was developed in part by 
> someone who is/was a US citizen, in OpenSSH even, as a check of 
> copyright/license statements on source files show. How does that change your 
> world view?

I told you not about the past, but about the CURRENT (TODAY, not EARLIER) state 
of things, and the OpenBSD ban on Americans working on its crypto, you see?



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Philip Guenther
On Mon, May 11, 2020 at 4:28 PM  wrote:

> Is not a prohibition for USA citizens to work on OpenBSD cryptography
> software parts an indication of a trust relationship between current OpenBSD
> and current USA?
>

I'm not sure what that sentence even means.  What would a "trust
relationship" between OpenBSD and "current USA" actually mean in terms of a
CHANGE IN BEHAVIOR?  Hell, what does "current USA" even _mean_?!?  Did you
mean to say "the US Federal Government"?  If so, what would "trust between
OpenBSD and the US Federal Government" actually mean in terms of a change
in behavior that you, i...@aulix.com, could actually detect?

And why would *you* care about those ways?  If you can't tell us why you
would care, how can we answer your _real_ question?

There is cryptographic software in OpenBSD that was developed in part by
someone who is/was a US citizen, in OpenSSH even, as a check of
copyright/license statements on source files show.  How does that change
your world view?


Philip Guenther


Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread info
> If any widely-used open source software had government backdoors in it, 
> nobody in the know would be telling folks about it in random IRC chat rooms.

I do not understand your argument; are you trolling to hide how things are 
actually going?



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Brian Waters
If any widely-used open source software had government backdoors in it, nobody 
in the know would be telling folks about it in random IRC chat rooms.



BW

 On Mon, 11 May 2020 18:13:35 -0700   wrote 

I was told in the chat that Linux GNU software has hardly visible NSA backdoors, 
and IMHO most funding for Linux seems to be from the USA? 
 
Only Linus alone is paid about 30 times more per year by the Linux 
Foundation than the whole OpenBSD Foundation's total fundraising goal; not sure 
if it is an indication of Linux being more corporation sponsored and oriented. 
Is not the USA a beneficiary of big transnational corporations and capital?


Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread info
Is not a prohibition on USA citizens working on OpenBSD cryptography software 
parts an indication of a trust relationship between current OpenBSD and the 
current USA?



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread info
I was told on the chat that Linux GNU software has hardly visible NSA backdoors 
and IMHO most funding for Linux seems to be from the USA?

Linus alone is paid about 30 times more per year by the Linux Foundation than 
the whole OpenBSD Foundation's total fundraising goal; not sure if it is an 
indication of Linux being more corporation-sponsored and oriented. Is not the 
USA a beneficiary of big transnational corporations and capital?



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Christian Weisgerber
On 2020-05-11, Stuart Longland  wrote:

> BSD came from the US (University of California), but most of today's
> implementations have been very significantly changed since then.

BSD built on top of AT&T UNIX, which came from Bell Labs in New Jersey.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread slackwaree
I wish the person who took the time to make this page would at least make 
an anti-systemd page instead. This is just a pointless, brainless, monkey(s) 
wasting our time webpage; it is not even funny, and we are past April 1 by a 
long time.

However, I never knew Linus said such things:

"I think the OpenBSD crowd is a bunch of masturbating monkeys"

I guess this is just another reason for ditching Linux in favor of the BSDs. Let's 
face it, how much time does that old fart Linus have? Maybe COVID takes him too. I 
couldn't care less either; all I care about is my BSD servers' uptime of 600+ days, 
and not one day do I worry about their security.


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Thursday, May 7, 2020 4:00 PM,  wrote:

> Dear OpenBSD fans,
>
> Can you please comment negative appraisal from the following website:
>
> https://isopenbsdsecu.re/quotes/
>
> I did not want to hurt anyone, just looking for a secure OS and OpenBSD 
> looked very nice to me before I have found this website.
>
> Kind Regards




Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Stuart Longland
On 11/5/20 5:00 am, i...@aulix.com wrote:
> Btw, doesn't it look like a PR competition of Linux from the USA vs OpenBSD from 
> Canada/London?

Actually, I think you'll find both OSes have significant contributions
from all around the world.

Linux (which is a kernel, not an OS) originated from Finland.

BSD came from the US (University of California), but most of today's
implementations have been very significantly changed since then.

In any case, I don't think it's helpful to characterise an OS by its
country of origin.  Even less so, when it's an open-source OS with
contributions that are sourced globally.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.

Help fund COVID-19 research:
https://stuartl.longlandclan.id.au/blog/2020/04/20/who-covid19/



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread info
There are already enough funny pages about systemd technical deviations, e.g.:

https://dev1galaxy.org/viewtopic.php?id=3427



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Kevin Chadwick
Here's a game.

Name as many operating systems as you can that encrypt the page file or swap
space by default.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Daniel Jakots
On Mon, 11 May 2020 17:27:24 +, slackwaree
 wrote:

> I wish if the someone who took the time to make this page at least
> would make an antisystemD page instead.

I doubt anyone asked you how they should spend their time.

>  Let's face it how much time that old fart linus has, maybe
> COVID takes him too.

Are you really saying you hope he dies?
What the fuck is wrong with you?

> I couldn't care less either, all I care is my
> BSD servers uptime 600+ days and not 1 day I worry about their
> security.

You are clearly clueless.


Please refrain from posting again such shitty emails.

Thanks,
Daniel



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-10 Thread Stéphane Aulery

On 10/05/2020 at 21:00, i...@aulix.com wrote:

> > Also that said, all mothafuckaaa who keep sending posts like this, put your head 
> > within your ass and just accept: you are an OpenBSD user!
>
> Taking into account your earlier kind, detailed counter-explanation about many 
> of the mentioned issues and mitigations, I would not agree that the OpenBSD 
> community is unwelcoming, so that issue seems to be not true too :)
>
> Btw, doesn't it look like a PR competition of Linux from the USA vs OpenBSD from 
> Canada/London?
>
> OpenBSD prohibits USA citizens from working on its crypto?


I doubt it, but as I am French I have no opinion on these questions.

Security is not the only goal of OpenBSD and should not be your only 
criterion.




-Extract from the FAQ

About OpenBSD



The OpenBSD project produces a freely available, multi-platform 
4.4BSD-based UNIX-like operating system. Our goals place emphasis on 
correctness, security, standardization, and portability.




https://www.openbsd.org/faq/faq1.html#WhatIs

--

If you are searching, try the OSes that attract you and make the 
choice that suits you (it can be several). Even if a Ferrari is better 
than a Renault on a theoretical level, I prefer my Renault because it 
is good enough to get to work and will always cost me less. If you made a 
mistake you can always go back on your choice or even change your mind.


With practical knowledge and hindsight you will be in a better position 
to form an opinion on this subject that worries you.


Regards,

--
Stéphane Aulery



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-10 Thread info
> Also that said, all mothafuckaaa who keep sending posts like this, put your 
> head within your ass and just accept: you are an OpenBSD user! 

Taking into account your earlier kind, detailed counter-explanation about many 
of the mentioned issues and mitigations, I would not agree that the OpenBSD 
community is unwelcoming, so that issue seems to be not true too :)

Btw, doesn't it look like a PR competition of Linux from the USA vs OpenBSD from 
Canada/London?

OpenBSD prohibits USA citizens from working on its crypto?



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-10 Thread R0me0 ***
That talk of isopen... is a joke! He starts by agreeing with puffy supremacy.

All these years I have made jokes with fbsd guys and some "hax0rs" during
events. The reason is simple: they attack the OpenBSD community and then
always end with a lack of arguments.

Even with Qualys' recent discoveries, which in my personal opinion they
could have sent all together, they preferred to do it that way.

That said, I am still asking: why do the other projects not at least try
to make their operating systems more secure by default? For OpenBSD, since
the beginning, the main focus has been paranoid security.

They will take years to be rock solid like OpenBSD.

Also, that said, all mothafuckaaa who keep sending posts like this, put your
head within your ass and just accept: you are an OpenBSD user!





On Sun, 10 May 2020 at 01:45, Stéphane Aulery wrote:

> Hello,
>
> On 07/05/2020 at 16:00, i...@aulix.com wrote:
> >
> > Can you please comment negative appraisal from the following website:
> >
> > https://isopenbsdsecu.re/quotes/
> >
> > I did not want to hurt anyone, just looking for a secure OS and OpenBSD
> looked very nice to me before I have found this website.
> >
>
> This explanation [1] from the author of the site should be enough for you:
>
> 
> Why was this website created?
>
> Someone was bragging on IRC about how secure OpenBSD is compared to
> everything else, but this came without concrete evidences.
>
> Tired of having to endure this once too often, time was spent
> documenting OpenBSD’s security features:
>
>  where are they coming from?
>  against what are they defending?
>  how successful are they?
>
> Because, in the words of Ryan Mallon:
>
>  Threat modelling rule of thumb: if you don’t explain exactly what
> you are securing against and how you secure against it, the answers can
> be assumed to be: “bears” and “not very well”.
> 
>
> The quotes were chosen to be especially aggressive but we could find as
> many against other operating systems.
>
> For me it's on the same level as "The UNIX-HATERS Handbook" [2], just a
> big ball of hate and FUD.
>
> After full reading, out of 52 exposed points there are 4 frankly against
> OpenBSD, 12 for OpenBSD and all the rest is opinion and filling.
>
> It wants to be impressive, but it’s just swank of a meticulous hater.
>
> Regards,
>
> 
>
> [1] https://isopenbsdsecu.re/about/
> [2] https://web.mit.edu/~simsong/www/ugh.pdf
>
> 
>
> Mitigations
>
>  Arc4random
>
> [...] Nowadays, arc4random in userland is available on various
> platforms, even when not being natively implemented, thanks to libbsd.
> NetBSD, FreeBSD, Linux, … have all moved to a ChaCha20-based CSPRNG.
> Even Tor is now using some of its code, for performance reasons.
>
> OpenBSD took inspiration from Linux two decades ago, but nowadays, it’s
> the other way around, OpenBSD is driving the CSPRNG game!
>
> OK.
>
>  ASLR
>
> [...] OpenBSD randomizing everything is neat, and forces attackers to
> find/create better leaks. But nowadays, all the modern operating systems
> have those kind of mitigations, and are now focusing on killing bugs
> exploitable when an attacker has some reading capabilities.
>
> And what are these modern OSes? OpenBSD is a fossilized and archived OS
> on archive.org?
>
>  Atexit hardening
>
> [...] In the glibc, the pointers to the function are obfuscated with a
> rol+xor via the PTR_MANGLE macro against a secret, which is roughly
> equivalent to what Windows is doing. This mitigation is completely
> bypassed with an arbitrary read: get the secret, obfuscate the pointer
> to your payload, done.
>
> Musl has no hardening at all
>
> On OpenBSD, the pointers are stored in a read-only memory zone, only
> made writeable when __cxa_atexit is called. To bypass this, an attacker
> would need to get code execution to modify the permissions of the memory
> zone.
>
> Where is the point?
>
>
>  Development practices - Development practices
>
> OpenBSD got no continuous integration system, and apparently build
> breakages are, according to the FAQ, happening from time to time [...]
>
> There is a code style, but since it’s not automatically enforced, if
> only because there is no CI.
>
> The VCS used is CVS, the Concurrent Versions System [...]
>
> This is not what makes security!
>
>  Development practices - Code reviews
>
> OpenBSD claims that they have “between six and twelve members who
> continue to search for and fix new security holes”, but it seems that
> this doesn’t prevent low-hanging bugs from entering the codebase, for
> example: [...]
>
> Ah, because those who don't read their code are more likely to find errors?
>
>  Development practices - Security advisories
>
> OpenBSD is publishing security issues on its Errata pages, but doesn’t
> provide much context nor analysis. [...]
>
> 

Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-09 Thread Stéphane Aulery

Hello,

On 07/05/2020 at 16:00, i...@aulix.com wrote:

> Can you please comment negative appraisal from the following website:
>
> https://isopenbsdsecu.re/quotes/
>
> I did not want to hurt anyone, just looking for a secure OS and OpenBSD looked 
> very nice to me before I have found this website.



This explanation [1] from the author of the site should be enough for you:


Why was this website created?

Someone was bragging on IRC about how secure OpenBSD is compared to 
everything else, but this came without concrete evidences.


Tired of having to endure this once too often, time was spent 
documenting OpenBSD’s security features:


where are they coming from?
against what are they defending?
how successful are they?

Because, in the words of Ryan Mallon:

Threat modelling rule of thumb: if you don’t explain exactly what 
you are securing against and how you secure against it, the answers can 
be assumed to be: “bears” and “not very well”.



The quotes were chosen to be especially aggressive but we could find as 
many against other operating systems.


For me it's on the same level as "The UNIX-HATERS Handbook" [2], just a 
big ball of hate and FUD.


After full reading, out of 52 exposed points there are 4 frankly against 
OpenBSD, 12 for OpenBSD and all the rest is opinion and filling.


It wants to be impressive, but it’s just swank of a meticulous hater.

Regards,



[1] https://isopenbsdsecu.re/about/
[2] https://web.mit.edu/~simsong/www/ugh.pdf



Mitigations

Arc4random

[...] Nowadays, arc4random in userland is available on various 
platforms, even when not being natively implemented, thanks to libbsd. 
NetBSD, FreeBSD, Linux, … have all moved to a ChaCha20-based CSPRNG. 
Even Tor is now using some of its code, for performance reasons.


OpenBSD took inspiration from Linux two decades ago, but nowadays, it’s 
the other way around, OpenBSD is driving the CSPRNG game!


OK.

ASLR

[...] OpenBSD randomizing everything is neat, and forces attackers to 
find/create better leaks. But nowadays, all the modern operating systems 
have those kind of mitigations, and are now focusing on killing bugs 
exploitable when an attacker has some reading capabilities.


And what are these modern OSes? OpenBSD is a fossilized and archived OS 
on archive.org?


Atexit hardening

[...] In the glibc, the pointers to the function are obfuscated with a 
rol+xor via the PTR_MANGLE macro against a secret, which is roughly 
equivalent to what Windows is doing. This mitigation is completely 
bypassed with an arbitrary read: get the secret, obfuscate the pointer 
to your payload, done.


Musl has no hardening at all

On OpenBSD, the pointers are stored in a read-only memory zone, only 
made writeable when __cxa_atexit is called. To bypass this, an attacker 
would need to get code execution to modify the permissions of the memory 
zone.


Where is the point?


Development practices - Development practices

OpenBSD got no continuous integration system, and apparently build 
breakages are, according to the FAQ, happening from time to time [...]


There is a code style, but since it’s not automatically enforced, if 
only because there is no CI.


The VCS used is CVS, the Concurrent Versions System [...]

This is not what makes security!

Development practices - Code reviews

OpenBSD claims that they have “between six and twelve members who 
continue to search for and fix new security holes”, but it seems that 
this doesn’t prevent low-hanging bugs from entering the codebase, for 
example: [...]


Ah, because those who don't read their code are more likely to find errors?

Development practices - Security advisories

OpenBSD is publishing security issues on its Errata pages, but doesn’t 
provide much context nor analysis. [...]


Ok, that's a point, but is it necessary to point to the way of 
reproducing an exploit after having patched it? It is a practice, 
nothing more, which neither adds to nor takes anything away from security.


Disk encryption

[...] This is looking like a solid design, pretty similar to what LUKS 
is doing.


Unfortunately, it doesn’t support using a TPM or an enclave (like 
Intel’s SGX, AMD’s SEV, …) to perform key-derivation and prevent offline 
bruteforcing.


Pathetic.

Embargoes handling

OpenBSD isn’t usually included in security embargoes anymore, likely 
because they have the bad habit of not playing well with them, although 
they never technically broke one. [...]


And should we play the game of the one with the cleanest ass?

Explicit_bzero and bzero

[...] While it might get optimized away when using static linking with 
LTO, it’s still a neat way of improving forward secrecy, by trying to 
remove cryptographic materials from memory as soon as possible.


Where is the problem? OBSD +1

Fork 

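The "Atexit hardening" passage above contrasts glibc's PTR_MANGLE (a rotate plus xor against a secret) with OpenBSD's read-only handler table, and says the glibc scheme falls to an arbitrary read. The C program below is an added illustration, not code from glibc, OpenBSD or the quoted site: it models the mangling on a toy atexit table and shows that a blind overwrite with a raw pointer does not reach the attacker's function, while an overwrite made after leaking the guard does. The guard constant, the `exit_table` struct and the handler names are invented for the demo; real glibc keeps the guard in the TLS header rather than next to the table, and the 17-bit rotation matches its x86-64 code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Rotation amount: glibc on x86-64 uses "rol $0x11" (17 bits). */
#define MANGLE_ROL 17
#define PTR_BITS   (sizeof(uintptr_t) * 8)

static uintptr_t rol_bits(uintptr_t v, unsigned n)
{
    return (v << n) | (v >> (PTR_BITS - n));
}

static uintptr_t ror_bits(uintptr_t v, unsigned n)
{
    return (v >> n) | (v << (PTR_BITS - n));
}

/* PTR_MANGLE: xor the pointer with the guard, then rotate left.
 * PTR_DEMANGLE: rotate right, then xor with the guard. */
uintptr_t ptr_mangle(uintptr_t p, uintptr_t guard)
{
    return rol_bits(p ^ guard, MANGLE_ROL);
}

uintptr_t ptr_demangle(uintptr_t m, uintptr_t guard)
{
    return ror_bits(m, MANGLE_ROL) ^ guard;
}

typedef void (*exit_fn)(void);

/* Toy atexit table (invented for this demo). In glibc the guard lives in
 * the TLS header, not beside the table; it is still reachable by a read. */
struct exit_table {
    uintptr_t guard;
    uintptr_t mangled[4];
    size_t    count;
};

static int which_ran = 0;               /* 1 = legitimate handler, 2 = payload */
static void legit_handler(void)   { which_ran = 1; }
static void payload_handler(void) { which_ran = 2; }

static void toy_atexit(struct exit_table *t, exit_fn f)
{
    t->mangled[t->count++] = ptr_mangle((uintptr_t)f, t->guard);
}

/* Run handlers in reverse registration order, demangling each slot first. */
static void toy_run_handlers(struct exit_table *t)
{
    for (size_t i = t->count; i > 0; i--) {
        exit_fn f = (exit_fn)ptr_demangle(t->mangled[i - 1], t->guard);
        f();
    }
}

/* Attacker with a write primitive only: stores a raw pointer in the slot.
 * Returns 1 if demangling would still land on the payload. Without the
 * guard it is garbage, so the later call would crash instead of hijacking. */
int blind_write_reaches_payload(struct exit_table *t)
{
    t->mangled[0] = (uintptr_t)payload_handler;
    return ptr_demangle(t->mangled[0], t->guard) == (uintptr_t)payload_handler;
}

/* Attacker with an arbitrary read: leak the guard, mangle the payload pointer
 * with it, write the result. This is the bypass the quoted text describes. */
int informed_write_reaches_payload(struct exit_table *t)
{
    uintptr_t leaked_guard = t->guard;  /* what the arbitrary read yields */
    t->mangled[0] = ptr_mangle((uintptr_t)payload_handler, leaked_guard);
    return ptr_demangle(t->mangled[0], t->guard) == (uintptr_t)payload_handler;
}

/* Whole scenario; returns 1 when it behaves as described in the comments. */
int run_demo(void)
{
    struct exit_table t = { .guard = (uintptr_t)0x5a17c3e9d2b40f81ULL, .count = 0 };
    toy_atexit(&t, legit_handler);
    toy_run_handlers(&t);                  /* which_ran == 1 */
    int blind    = blind_write_reaches_payload(&t);
    int informed = informed_write_reaches_payload(&t);
    toy_run_handlers(&t);                  /* slot now demangles to the payload */
    return blind == 0 && informed == 1 && which_ran == 2;
}

int main(void)
{
    printf("demo %s\n", run_demo() ? "behaves as expected" : "FAILED");
    return 0;
}
```

Build with `cc -o mangle mangle.c` and run it. The contrast with OpenBSD, as the quoted text puts it, is that its table is not writable at all outside `__cxa_atexit`, so the overwrite itself faults whether or not the attacker can read.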
Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-09 Thread Brian Waters
At risk of responding without having read through the entire website, it seems 
to mostly be about OpenBSD's exploit mitigations, and nothing else. But OpenBSD 
does a lot of other things well, like doing lots of code reviews, having a 
culture of writing code with an eye toward security in the first place, 
providing APIs that are more difficult for developers to misuse (strlcat, 
pledge), and generally good design like building things with privilege 
separation in lots of places.



OpenBSD also has lots of mitigations, but then so do other OSes. Mitigations 
have always been and will probably always be a controversial and fraught topic. 
That's because mitigations are just that - they're *mitigations*. For the most 
part they're not supposed to provide more-or-less impenetrable security 
barriers like with privilege separation, memory safe languages, etc. They're 
just there to make an attacker's life harder and their chances of success lower 
than otherwise. For this reason, they're subject to an endless arms race, with 
developers always introducing new and interesting mitigations, and exploit 
writers always researching fun and bizarre ways to work around them. The best 
an OS can do is to stay as close to the state of the art as possible.



So, there's probably some valid criticisms in there (I haven't read through 
them all), but "some of OpenBSD's exploit mitigations have some issues" is not 
grounds to say that OpenBSD is bad or insecure, as a blanket statement. OpenBSD 
has a lot of great things going for it.



My 2 cents,

BW

 On Thu, 07 May 2020 07:00:15 -0700   wrote 

> Dear OpenBSD fans, 
>
> Can you please comment negative appraisal from the following website: 
>
> https://isopenbsdsecu.re/quotes/ 
>
> I did not want to hurt anyone, just looking for a secure OS and OpenBSD looked 
> very nice to me before I have found this website. 
>
> Kind Regards

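Brian Waters names strlcat as an API that is harder to misuse. The C below is an added example, not OpenBSD's libc source: `my_strlcat` implements the documented strlcat contract (always NUL-terminate when the size is non-zero, return the length it tried to create), `build_name` uses that return value to refuse input that would have been silently truncated, and `check_build` is a constructed test driver. All function names, buffer sizes and inputs are invented for the example.

```c
#include <stddef.h>
#include <string.h>

/* Bounded strlen: bytes before the first NUL, at most `max`. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* strlcat with the OpenBSD contract: append src to dst, keep dst
 * NUL-terminated whenever dstsize > 0, and return strlen(initial dst) +
 * strlen(src), i.e. the length it tried to create. A return value >= dstsize
 * means the result was truncated. */
size_t my_strlcat(char *dst, const char *src, size_t dstsize)
{
    size_t dlen = bounded_len(dst, dstsize);
    size_t slen = strlen(src);

    if (dlen == dstsize)             /* dst not terminated within dstsize */
        return dstsize + slen;       /* append nothing, still report total */

    size_t room  = dstsize - dlen - 1;
    size_t ncopy = slen < room ? slen : room;
    memcpy(dst + dlen, src, ncopy);
    dst[dlen + ncopy] = '\0';
    return dlen + slen;
}

/* Build "user:host" into out[outsize]. Returns 1 on success and 0 if any
 * piece would have been truncated, so the caller can reject the input
 * instead of using a shortened name. Contrast strncat(out, src, outsize):
 * its size argument is the number of source bytes to append, not the buffer
 * size, so that call writes past out once strlen(out)+strlen(src)+1 > outsize. */
int build_name(char *out, size_t outsize, const char *user, const char *host)
{
    if (outsize == 0)
        return 0;
    out[0] = '\0';
    if (my_strlcat(out, user, outsize) >= outsize) return 0;
    if (my_strlcat(out, ":",  outsize) >= outsize) return 0;
    if (my_strlcat(out, host, outsize) >= outsize) return 0;
    return 1;
}

/* Test driver over a `size`-byte window of a larger stack buffer.
 * Returns 1: built and equals expect; 0: refused as truncated and the window
 * is still NUL-terminated; -1: size too large for the driver; -2: wrong
 * content; -3: refused but left unterminated (would mean my_strlcat is broken). */
int check_build(const char *user, const char *host, size_t size, const char *expect)
{
    char buf[32];
    if (size > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);          /* no stray NULs to hide bugs */
    if (!build_name(buf, size, user, host))
        return bounded_len(buf, size) < size ? 0 : -3;
    return strcmp(buf, expect) == 0 ? 1 : -2;
}
```

The design point is the return value: a caller that compares it against the buffer size detects truncation at every step, which is exactly what `strncat` and a bare `strncpy` do not give you.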

Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-08 Thread Kristjan Komlosi
I got mixed feelings...

This list seems very cherry-picked from people with a predetermined
disliking of OpenBSD. If you check out the mitigations tab, you won't be
able to find anything new or undocumented there. It looks like we as a
community triggered a guy who retaliated by key-smashing together a
rather nonconstructive criticism of OpenBSD's security and code
development process. At 17, I might not be experienced enough for my
opinion to count very much, but this seems like bait to make people
angry rather than a security effort worth mentioning. The difference
between security researchers and that guy IMO is that researchers help
fix the problems, that guy only points the problems out. We got a bully
on our hands here.

To any OpenBSD developers reading this, you rock! Keep up the good work.

Kristjan

On 5/7/20 4:00 PM, i...@aulix.com wrote:
> Dear OpenBSD fans,
>
> Can you please comment negative appraisal from the following website:
>
> https://isopenbsdsecu.re/quotes/
>
> I did not want to hurt anyone, just looking for a secure OS and OpenBSD 
> looked very nice to me before I have found this website.
>
> Kind Regards
>



signature.asc
Description: OpenPGP digital signature


Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-08 Thread Aisha Tammy
On 5/7/20 7:02 PM, Aaron Mason wrote:
> On Fri, May 8, 2020 at 2:30 AM jeanfrancois  wrote:
>>
>> As long as there's no material published it's worth just any other word.
>>
> 
> To quote Douglas Adams on whether you can trust people on the
> internet, "of course not, it's just people talking".
> 


wait a minute. you are on the internet, I am on the internet.
I CAN'T TRUST ANYONE. MY LIFE IS FALLING APART.
but then I shouldn't trust what you said too.
Ah, okok, i'll not trust what you said
*promptly goes to the nearest zebra crossing to get killed*

(sorry I just had to)



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-07 Thread Aaron Mason
On Fri, May 8, 2020 at 2:30 AM jeanfrancois  wrote:
>
> As long as there's no material published it's worth just any other word.
>

To quote Douglas Adams on whether you can trust people on the
internet, "of course not, it's just people talking".

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-07 Thread Aisha Tammy
On 5/7/20 11:11 AM, Kevin Chadwick wrote:
> On 2020-05-07 14:10, Consus wrote:
>> On Thu, May 07, 2020 at 04:00:15PM +0200, i...@aulix.com wrote:
>>> Dear OpenBSD fans,
>>>
>>> Can you please comment negative appraisal from the following website:
>>>
>>> https://isopenbsdsecu.re/quotes/
>>>
>>> I did not want to hurt anyone, just looking for a secure OS and
>>> OpenBSD looked very nice to me before I have found this website.
>>
> 
> Perhaps you could cite which part as the parts I read should seem without 
> merit
> to anybody?
> 
>> The fun thing to do: offer $50k rewards for code execution
>> vulnerabilities and wait for results.
>>
> 
> "Apple has lately been slapping proprietary mitigations around like there’s no
> tomorrow. But thing is, mitigations are often delicate creatures, with rather
> fragile assumptions. Having too many of them in one place can easily make them
> break one another, as happened here with execute-only memory vs PAN."
> 
> I am sure that examples of mitigations leveraging and protecting each other, 
> or
> an exploit failing because of multiple mitigations is far more common than 
> them
> hurting each other.
> 
> "I put a lot more faith in privilege separation and reduction than in all the
> mitigations. I’d be really impressed by a move to a safe language… most 
> everyone
> is late to that party, so it’s a chance for someone to pull ahead if they 
> wanted
> bragging rights"
> 
> I wouldn't want to read an OS written in Rust and I would love to see secure
> developments in C even if it hampers potential performance. Things like Go are
> not suitable for an OS with many small programs.
> 
Curious about why... though admittedly I have never written or read rust in 
great detail.
Genuinely curious why, I thought it was supposed to be pretty nice with thread 
safety and
all that jazz.

> Also, OpenBSD is one of the pioneers of privilege separation and most Go
> programs are not privilege separated at all.
> 
> I quickly lost interest, sorry. IMO, the main thing that causes exploitations 
> is
> carelessness. OpenBSD cares and is careful!
> 

Aisha



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-07 Thread Nick Holland
On 2020-05-07 10:00, i...@aulix.com wrote:
> Dear OpenBSD fans,
> 
> Can you please comment negative appraisal from the following
> website:
> 
> https://isopenbsdsecu.re/quotes/
> 
> I did not want to hurt anyone, just looking for a secure OS and
> OpenBSD looked very nice to me before I have found this website.

Rule of life #1: when lots of people hate you, you are either doing
something very wrong...or very right.  People don't waste their time
on people who are average-ish.

That's actually how I found OpenBSD -- reading through a once
popular chat website, saw people spending a lot of time throwing a
lot of hate and personal attacks at Theo and his team.  Well, by my
figuring, anyone who gets that much venom tossed at them needs a
looking at!  That was 22+ years ago. No regrets.  You have to decide
for yourself if OpenBSD is very right or very wrong for you (not a
lot of people in the middle, and that's fine.)


Looking at the quotes, I see...
* Jealousy
* competitors
* broad, general statements
* Blablabla
* People with self-contradictory titles.
* people hiding behind pseudonyms
* People that have All The Answers, just waiting for someone to
do what they say.
* Name callers
* "No shit Sherlock"ers
* "OpenBSD sucks, I like your website!"
* "OpenBSD does what it set out to do, I like your website"
* People "removing all doubt" (as in, "Better to be thought a
fool than to open your mouth and remove all doubt")
* "if it isn't popular, it's not good"er
* unbacked claims.
* another, this one thinks only about fighting the past wars.
* more unbacked claims, this one, totally anonymous. 
* A person wanting YOU to find exploits in OSs.  Guess they are all
pretty secure if they aren't finding them themselves.

Seriously, if you understand OpenBSD's work, you would take
many of those quotes as compliments.  OpenBSD's security mitigations
broke a "secure" language?  Maybe you should check your assumptions.
Elsewhere on that website, he mocks OpenBSD for calling someone
"inaccurate jerks" -- I happened to click on that, since it didn't
exactly roll off the tongue, and what is the actual context?  Theo
saying, "No, that's not a hardware problem, that's an OpenBSD problem
and it should be fixed".  You were not supposed to look at the
context, I guess.  The line about "Insults" is actually someone mock-
complaining about doas not insulting users like sudo does.  The
more stuff I click on, the more I start to think, this is an irony
site!  This guy LOVES OpenBSD!  Well, fudge.  I just wasted a lot of
time writing this!)

Nick.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-07 Thread jeanfrancois

Good evening,

As long as there's no material published it's worth just as much as any other word.

You can state anything you like granted this collection has value, so no
there are no clear points, nothing really worthwhile can emerge.

When I feel lost in any Unix system calls I just open an OpenBSD's man
page and there you go, things are clear, well explained, and make sense.

This above response is just any other words too, but actually that's why
we like it: this OS and environment just makes sense.

Regards

J.F.


On 07/05/2020 at 16:00, i...@aulix.com wrote:

> Dear OpenBSD fans,
>
> Can you please comment negative appraisal from the following website:
>
> https://isopenbsdsecu.re/quotes/
>
> I did not want to hurt anyone, just looking for a secure OS and OpenBSD looked 
> very nice to me before I have found this website.
>
> Kind Regards





Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-07 Thread Kevin Chadwick
On 2020-05-07 14:48, Aisha Tammy wrote:
>> I wouldn't want to read an OS written in Rust and I would love to see secure
>> developments in C even if it hampers potential performance. Things like Go 
>> are
>> not suitable for an OS with many small programs.
>>
> Curious about why... though admittedly I have never written or read rust in 
> great detail.
> Genuinely curious why, I thought it was supposed to be pretty nice with 
> thread safety and
> all that jazz.
> 

It was more the privilege separation part that I found made the comment show a
lack of understanding. Privsep really has more to do with design than a
language. Aside from the Go/Linux Kernel seteuid bug.

https://github.com/golang/go/issues/1435

There have been many proposals for many years to reduce the care needed to write
good C and performance or feature support like breaking some pointer use cases,
always seems to win the argument upstream. A paper/plugin/extension is written
and rarely makes the mainstream compilers, even as a flag.

Admittedly, I don't have much Rust experience, either. Ada seems more applicable
to avoiding dynamic memory on microprocessors and I don't have the time to
sacrifice, even on Ada with GCC support or on maintaining tooling and porting
code bases.

To me, Rust reads like C++ on steroids and I never liked C++ and so I lost all
interest very quickly. I just have too many questions when reading it. I rarely
like abstraction. Ada looks nicer to read to me but perhaps it wouldn't have
that thread safety that you mention or the momentum Rust seems to have gained?

Didn't Linus push back against C++ too?

I guess I like Go and Ada because they are more similar to C and fairly simple
in their core.

I think Reyk tweeted about not liking Rust or it being a real pain and now seems
to have tweeted about quite liking it. I am not closed minded but more skeptical
of ever taking to it.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-07 Thread Kevin Chadwick
On 2020-05-07 14:10, Consus wrote:
> On Thu, May 07, 2020 at 04:00:15PM +0200, i...@aulix.com wrote:
>> Dear OpenBSD fans,
>>
>> Can you please comment negative appraisal from the following website:
>>
>> https://isopenbsdsecu.re/quotes/
>>
>> I did not want to hurt anyone, just looking for a secure OS and
>> OpenBSD looked very nice to me before I have found this website.
> 

Perhaps you could cite which part as the parts I read should seem without merit
to anybody?

> The fun thing to do: offer $50k rewards for code execution
> vulnerabilities and wait for results.
> 

"Apple has lately been slapping proprietary mitigations around like there’s no
tomorrow. But thing is, mitigations are often delicate creatures, with rather
fragile assumptions. Having too many of them in one place can easily make them
break one another, as happened here with execute-only memory vs PAN."

I am sure that examples of mitigations leveraging and protecting each other, or
an exploit failing because of multiple mitigations is far more common than them
hurting each other.

"I put a lot more faith in privilege separation and reduction than in all the
mitigations. I’d be really impressed by a move to a safe language… most everyone
is late to that party, so it’s a chance for someone to pull ahead if they wanted
bragging rights"

I wouldn't want to read an OS written in Rust and I would love to see secure
developments in C even if it hampers potential performance. Things like Go are
not suitable for an OS with many small programs.

Also, OpenBSD is one of the pioneers of privilege separation and most Go
programs are not privilege separated at all.

I quickly lost interest, sorry. IMO, the main thing that causes exploitations is
carelessness. OpenBSD cares and is careful!



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-07 Thread Per Gunnarsson
I don't claim to be a fan of OpenBSD security myself, but as long as somebody 
makes an effort to collect quotes about its insecurity I guess it provides decent 
security to the average pimp on the block.

On 7 May 2020 16:00:15 CEST, i...@aulix.com wrote:
>Dear OpenBSD fans,
>
>Can you please comment negative appraisal from the following website:
>
>https://isopenbsdsecu.re/quotes/
>
>I did not want to hurt anyone, just looking for a secure OS and OpenBSD
>looked very nice to me before I have found this website.
>
>Kind Regards

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-07 Thread Peter J. Philipp
On Thu, May 07, 2020 at 04:00:15PM +0200, i...@aulix.com wrote:
> Dear OpenBSD fans,
> 
> Can you please comment negative appraisal from the following website:
> 
> https://isopenbsdsecu.re/quotes/
> 
> I did not want to hurt anyone, just looking for a secure OS and OpenBSD 
> looked very nice to me before I have found this website.
> 
> Kind Regards

16 people there.  I only heard of two (Linus Torvalds, Ilja van Sprundel).

Who cares?

-peter



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-07 Thread Consus
On Thu, May 07, 2020 at 04:00:15PM +0200, i...@aulix.com wrote:
> Dear OpenBSD fans,
> 
> Can you please comment negative appraisal from the following website:
> 
> https://isopenbsdsecu.re/quotes/
> 
> I did not want to hurt anyone, just looking for a secure OS and
> OpenBSD looked very nice to me before I have found this website.

The fun thing to do: offer $50k rewards for code execution
vulnerabilities and wait for results.