Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-17 Thread bytevolcano
On Mon, 17 Oct 2016 14:38:00 +0300
Gregory Edigarov  wrote:

> On 14.10.16 22:48, Raul Miller wrote:
> > On Fri, Oct 14, 2016 at 2:50 PM, thrph.i...@gmail.com
> >  wrote:  
> >> " The only truly secure system is one that is powered off, cast in
> >> a block of concrete and sealed in a lead-lined room with armed
> >> guards - and even then I have my doubts."  
> > Powered off works surprisingly well for some other operating
> > systems. 
> well, not any more, in the presence of Intel AMT...

It's not just Intel either:
https://www.amd.com/en-us/innovations/software-technologies/security
Catering to low-level laziness at the expense of everyone who dares use
these chips.


There appears to be a niche market possibly emerging in Russia as
a result of this kind of thing.
http://russia-insider.com/en/technology/russias-next-generation-elbrus-8c-chips-be-ready-2016/ri7551
https://meduza.io/en/feature/2015/06/02/when-there-s-no-shame-in-made-in-russia

Disclaimer: do not ignore the possibility of Russian backdoors. Still,
it would be nice if they would ship it worldwide, we may even have
OpenBSD/elbrus.



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-17 Thread Gregory Edigarov

On 14.10.16 22:48, Raul Miller wrote:

> On Fri, Oct 14, 2016 at 2:50 PM, thrph.i...@gmail.com
>  wrote:
>
>> " The only truly secure system is one that is powered off, cast in a block of
>> concrete and sealed in a lead-lined room with armed guards - and even then I have my
>> doubts."
>
> Powered off works surprisingly well for some other operating systems.


well, not any more, in the presence of Intel AMT...



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-17 Thread Otto Moerbeek
On Sun, Oct 16, 2016 at 08:37:54PM +0200, Peter Janos wrote:

> use S for extra security at the expense of performance. Use other options
> only if you know what you are doing and have specific needs.
> BTW, ssh and sshd enable S by themselves.
>  
> -Otto

Some background on the current state of affairs:

S enables CJG and reduces the cache size to zero. Especially G and a
disabling of the cache are somewhat expensive.

If you insist, I'd say just C and J are pretty good too and not as
expensive as the full S. And C will get better with the diff I've sent
out to tech@

Note that during the years, we have made improvements to malloc and
its options. We will continue to do so, don't quote mails from years
ago as a fact.

-Otto



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-16 Thread Otto Moerbeek
On Sun, Oct 16, 2016 at 07:10:54PM -0500, Patrick Dohman wrote:

> 
> > nonsense. daily security is mailed *if it is non-empty*. Same goes for
> > weekly and monthly.
> > 
> > -Otto
> 
> I guess that explains why the output of who was omitted from the insecurity
> out

either be specific, provide details of what you
are seeing or stop sending useless mails.

-Otto



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-16 Thread Aaron Mason
There needs to be a new law like Godwin's Law that states that any
technical discussion will eventually and inevitably lead to
Hitchhiker's Guide references.

But to follow on from what Raul said, it may be impossible to make
your system 100% secure without violating part 15 of the FCC rules,
probably along with several other parts.

On Sun, Oct 16, 2016 at 8:32 AM,   wrote:
> On Fri, 14 Oct 2016 20:50:20 +0200
> "thrph.i...@gmail.com"  wrote:
>
>> or this kind...
>>
>> " The only truly secure system is one that is powered off, cast in a
>> block of concrete and sealed in a lead-lined room with armed guards -
>> and even then I have my doubts. "
>>
>
> It needs to be stored under a filing cabinet in a disused lavatory with
> a sign on the door saying Beware of the Leopard.
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-16 Thread Patrick Dohman
> nonsense. daily security is mailed *if it is non-empty*. Same goes for
> weekly and monthly.
>
>   -Otto

I guess that explains why the output of who was omitted from the
insecurity out



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-16 Thread Peter Janos
> use S for extra security at the expense of performance. Use other options
> only if you know what you are doing and have specific needs.
> BTW, ssh and sshd enable S by themselves.
>
> -Otto

 
-> so "S" is the best way, Thanks! :)
 
Sent: Friday, October 14, 2016 at 12:20 PM

From: "Otto Moerbeek" 
To: "Peter Janos" 
Cc: "openbsd misc" 
Subject: Re: What are the security features in OpenBSD 6.0 that are by
default disabled?
On Fri, Oct 14, 2016 at 09:21:24AM +0200, Peter Janos wrote:

> Hello,
>
> I know some features that can give additional security aren't turned on
> because of the bad quality of the code in ports, and some also decrease
> performance (or disable a feature, ex.: screenlock doesn't work if nosuid is
> set, but if the feature isn't used, nosuid can be used).
>
> I only know about these "security hardenings", hopefully all are ok (if not,
> please say/argue!):
>  
> ==
> ln -s GJU /etc/malloc.conf

$ man man.conf | grep security

-Otto
 



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-16 Thread Mihai Popescu
...

Still nothing about NSA or other conspiracies in security field?



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-15 Thread Otto Moerbeek
On Sat, Oct 15, 2016 at 03:57:57PM -0500, Patrick Dohman wrote:

> The daily security out being emailed is also default disabled ;)
> 
> The monthly & weekly outs never seem to work either.

nonsense. daily security is mailed *if it is non-empty*. Same goes for
weekly and monthly.

-Otto



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-15 Thread bytevolcano
On Fri, 14 Oct 2016 20:50:20 +0200
"thrph.i...@gmail.com"  wrote:

> or this kind...
> 
> " The only truly secure system is one that is powered off, cast in a
> block of concrete and sealed in a lead-lined room with armed guards -
> and even then I have my doubts. "
> 

It needs to be stored under a filing cabinet in a disused lavatory with
a sign on the door saying Beware of the Leopard.



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-15 Thread Patrick Dohman
The daily security out being emailed is also default disabled ;)

The monthly & weekly outs never seem to work either.

Regards
Patrick


> On Oct 15, 2016, at 11:20 AM, Peter Janos  wrote:
> 
> remote supervisor/console solutions are still turned on while the server
> is off, so simply powering off the OS isn't enough. There were/will be
> many bugs for these remote console solutions too.
>
> Sent: Friday, October 14, 2016 at 9:48 PM
> From: "Raul Miller" 
> To: "thrph.i...@gmail.com" 
> Cc: "OpenBSD general usage list" 
> Subject: Re: What are the security features in OpenBSD 6.0 that are by
> default disabled?
> On Fri, Oct 14, 2016 at 2:50 PM, thrph.i...@gmail.com
>  wrote:
>> " The only truly secure system is one that is powered off, cast in a
>> block of concrete and sealed in a lead-lined room with armed guards - and
>> even then I have my doubts. "
> 
> Powered off works surprisingly well for some other operating systems.
> 
> --
> Raul



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-15 Thread Raul Miller
If that is a real issue for you, you should be building your own
hardware and monitoring the electromagnetic spectrum.

-- 
Raul



On Sat, Oct 15, 2016 at 12:20 PM, Peter Janos  wrote:
> remote supervisor/console solutions are still turned on while the server is
> off, so simply powering off the OS isn't enough.
> there were/will be many bugs for these remote console solutions too
>
> Sent: Friday, October 14, 2016 at 9:48 PM
> From: "Raul Miller" 
> To: "thrph.i...@gmail.com" 
> Cc: "OpenBSD general usage list" 
> Subject: Re: What are the security features in OpenBSD 6.0 that are by
> default disabled?
> On Fri, Oct 14, 2016 at 2:50 PM, thrph.i...@gmail.com
>  wrote:
>> " The only truly secure system is one that is powered off, cast in a block
>> of concrete and sealed in a lead-lined room with armed guards - and even
>> then I have my doubts. "
>
> Powered off works surprisingly well for some other operating systems.
>
> --
> Raul



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-15 Thread Peter Janos
remote supervisor/console solutions are still turned on while the server
is off, so simply powering off the OS isn't enough. There were/will be
many bugs for these remote console solutions too.

Sent: Friday, October 14, 2016 at 9:48 PM
From: "Raul Miller" 
To: "thrph.i...@gmail.com" 
Cc: "OpenBSD general usage list" 
Subject: Re: What are the security features in OpenBSD 6.0 that are by
default disabled?
On Fri, Oct 14, 2016 at 2:50 PM, thrph.i...@gmail.com
 wrote:
> " The only truly secure system is one that is powered off, cast in a
> block of concrete and sealed in a lead-lined room with armed guards - and
> even then I have my doubts. "

Powered off works surprisingly well for some other operating systems.

--
Raul



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Bryan Linton
On 2016-10-15 02:03:54, Joel Sing  wrote:
> 
> The number of rounds specified for bcrypt_pbkdf(3) is linear, not logarithmic
> (unlike bcrypt(3)). That said, the processing required for each round is
> significantly higher than that of pkcs5_pbkdf2(3) (using `bioctl -r auto -v`
> will tell you how many rounds your machine will do in ~1s).
>  

Ah, good to know.  Thank you for the correction!

-- 
Bryan



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Raul Miller
On Fri, Oct 14, 2016 at 2:50 PM, thrph.i...@gmail.com
 wrote:
> " The only truly secure system is one that is powered off, cast in a block of 
> concrete and sealed in a lead-lined room with armed guards - and even then I 
> have my doubts. "

Powered off works surprisingly well for some other operating systems.

-- 
Raul



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread thrph.i...@gmail.com
On Fri, 14 Oct 2016 21:20:23 +0300
Mihai Popescu  wrote:

> > ...
> 
> Prepare now for posts on this thread showing that if he/she runs a
> proper OS, everybody can be a security expert.
> 
> Have fun!
> 

or this kind...

" The only truly secure system is one that is powered off, cast in a block of 
concrete and sealed in a lead-lined room with armed guards - and even then I 
have my doubts. "

-- 
thrph.i...@gmail.com 



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Mihai Popescu
> ...

Prepare now for posts on this thread showing that if he/she runs a
proper OS, everybody can be a security expert.

Have fun!



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Joel Sing
On Friday 14 October 2016 18:19:21 Bryan Linton wrote:
> On 2016-10-14 09:21:24, Peter Janos  wrote:
> > Hello,
> > 
> > [snip]
> > 
> > ps.: it would be nice to have a feature in the default installer to
> > install
> > with full disc encryption :) we still have to escape to shell during
> > install and ex.:
> > 
> > install60.iso
> > (S)hell
> > dmesg | grep MB # or: sysctl hw.disknames
> > dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
> > dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> > fdisk -iy sd0
> > disklabel -E sd0
> > a a
> > enter
> > enter
> > RAID
> > w
> > q
> > bioctl -c C -l /dev/sd0a -r 2000 softraid0
> > # use a random high iteration number x > 10 000 000
> 
> I just want to point out (for the archives as well as others) that
> the softraid crypto discipline has recently been switched from
> PBKDF2 to bcrypt.
> 
> http://marc.info/?l=openbsd-cvs&m=147430724911779&w=2
> http://www.openbsd.org/faq/current.html#r20160919
> 
> Since bcrypt calculates its rounds based on the exponentiation of
> the number (i.e. the default of 16 rounds actually performs 2^16
> rounds or 65536 rounds), the default number of "rounds" was
> reduced from 8192 to only 16.  If you were to use 20 million
> "rounds" with the new bcrypt algorithm, I wouldn't be surprised if
> it took weeks, months, or even YEARS to actually mount your disk
> after inputting your password.
>
> For reference, I tried to simply calculate 2^20 millionth power
> using dc for my own amusement and gave up after it crunched numbers
> for over a minute with no answer returned.
> 
> A value of 24 (2^24 or 16,777,216) or 25 (2^25 or 33,554,432)
> would probably be closer to what you actually want.

The number of rounds specified for bcrypt_pbkdf(3) is linear, not logarithmic
(unlike bcrypt(3)). That said, the processing required for each round is
significantly higher than that of pkcs5_pbkdf2(3) (using `bioctl -r auto -v`
will tell you how many rounds your machine will do in ~1s).
 
> > exit
> > Start install to the newly created bioctl/crypt raid device: sdX, where X
> > is ex.: 2...
> > 
> > with a random (but very high) number for iteration, afaik iteration only
> > counts when typing in the password, much higher iteration would slow down
> > brute-force attackers.
> 
> Indeed it would.  Quite significantly in fact.



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Otto Moerbeek
On Fri, Oct 14, 2016 at 09:21:24AM +0200, Peter Janos wrote:

> Hello,
> 
> I know some features that can give additional security aren't turned on
> because of the bad quality of the code in ports, and some also decrease
> performance (or disable a feature, ex.: screenlock doesn't work if nosuid is
> set, but if the feature isn't used, nosuid can be used).
>
> I only know about these "security hardenings", hopefully all are ok (if not,
> please say/argue!):
>  
> ==
> ln -s GJU /etc/malloc.conf

$ man man.conf | grep security

-Otto



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Stuart Henderson
On 2016-10-14, Peter Janos  wrote:
> Make as many files immutable with "chflags schg filenamehere" as you can.

This could be seen as an *in*security feature because now it's an utter
pain to update software that has bugs.



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Bryan Linton
On 2016-10-14 09:21:24, Peter Janos  wrote:
> Hello,
> 
> [snip]
>
> ps.: it would be nice to have a feature in the default installer to install
> with full disc encryption :) we still have to escape to shell during install
> and ex.:
> 
> install60.iso
> (S)hell
> dmesg | grep MB # or: sysctl hw.disknames
> dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
> dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> fdisk -iy sd0
> disklabel -E sd0
> a a
> enter
> enter
> RAID
> w
> q
> bioctl -c C -l /dev/sd0a -r 2000 softraid0
> # use a random high iteration number x > 10 000 000
>

I just want to point out (for the archives as well as others) that
the softraid crypto discipline has recently been switched from
PBKDF2 to bcrypt.

http://marc.info/?l=openbsd-cvs&m=147430724911779&w=2
http://www.openbsd.org/faq/current.html#r20160919

Since bcrypt calculates its rounds based on the exponentiation of
the number (i.e. the default of 16 rounds actually performs 2^16
rounds or 65536 rounds), the default number of "rounds" was
reduced from 8192 to only 16.  If you were to use 20 million
"rounds" with the new bcrypt algorithm, I wouldn't be surprised if
it took weeks, months, or even YEARS to actually mount your disk
after inputting your password.

For reference, I tried to simply calculate 2^20 millionth power
using dc for my own amusement and gave up after it crunched numbers
for over a minute with no answer returned.

A value of 24 (2^24 or 16,777,216) or 25 (2^25 or 33,554,432)
would probably be closer to what you actually want.

> exit
> Start install to the newly created bioctl/crypt raid device: sdX, where X is
> ex.: 2...
> 
> with a random (but very high) number for iteration, afaik iteration only
> counts when typing in the password, much higher iteration would slow down
> brute-force attackers.
> 

Indeed it would.  Quite significantly in fact.

-- 
Bryan



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Simon Mages
Hi,

I just want to say that the security measures you describe here don't
improve the security for every user or use case. Everybody should know exactly
what he is doing before enabling or changing them. I think if you use such
security measures you had better be able to help yourself if you have
problems. Not every knob is meant to be pressed by a user; the system can get
unstable.

I'm writing this because this is misc@ and I think the title of your mail could
confuse users without a deep understanding of the system. They could even end
up with a less secure system because of workarounds they use to get back some
convenience they lost due to some "security" measures they implemented which
they don't fully understand.

But it's interesting to see how people try to improve their security, so please
go on collecting ideas.

BR
Simon


2016-10-14 9:21 GMT+02:00, Peter Janos :
> Hello,
>
> I know some features that can give additional security aren't turned on
> because of the bad quality of the code in ports, and some also decrease
> performance (or disable a feature, ex.: screenlock doesn't work if nosuid is
> set, but if the feature isn't used, nosuid can be used).
>
> I only know about these "security hardenings", hopefully all are ok (if not,
> please say/argue!):
>
> ==
> ln -s GJU /etc/malloc.conf
> ==
> Remove wxallowed from /etc/fstab
> ==
> echo 'kern.stackgap_random=16777216' >> /etc/sysctl.conf
> ==
> Remove all SUID and SGID permissions and all FS must have "nosuid".
> ==
> Add noexec, nodev where you can in fstab, but can be bypassed..
> ==
> All filesystems that are only modified during software install and removal
> need to be read-only.
> They can be only rw if sw install/removal happens.
> ==
> Remove all files that are not needed for the machine to operate/do its
> purpose.
> ==
> echo "sysctl kern.securelevel=2" > /etc/rc.securelevel
> ==
> Make as many files immutable with "chflags schg filenamehere" as you can.
> ==
> If using X (so desktop) only use dangerous software (webbrowser, any viewer
> software: pdf, video, audio, torrent client, etc.) with another (limited)
> user!
> ==
>
> The purpose of this mail is to find more... what are the other security
> features that are disabled in the default install?
>
> -
> ps.: it would be nice to have a feature in the default installer to install
> with full disc encryption :) we still have to escape to shell during install
> and ex.:
>
> install60.iso
> (S)hell
> dmesg | grep MB # or: sysctl hw.disknames
> dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
> dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> fdisk -iy sd0
> disklabel -E sd0
> a a
> enter
> enter
> RAID
> w
> q
> bioctl -c C -l /dev/sd0a -r 2000 softraid0
> # use a random high iteration number x > 10 000 000
> exit
> Start install to the newly created bioctl/crypt raid device: sdX, where X is
> ex.: 2...
>
> with a random (but very high) number for iteration, afaik iteration only
> counts when typing in the password, much higher iteration would slow down
> brute-force attackers.
> -
>
> Many thanks.



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Theo de Raadt
You forgot one item:

Don't file bug reports to the project, because your system is too far
away from what the developers use & maintain; and we cannot diagnose
the failure conditions you have inadvertently created.

So, if you are willing to accept that limitation -- knock yourself
out.  Change anything you want.  But do NOT tell us what bothers you,
until you repeat the problem on a *stock install*.

We simply cannot accept the cost of becoming fixit buddies for
everyone's private mistake.  It's like fixing the printer at grandma's
house.  It's not our job.

> I know some features that can give additional security aren't turned on
> because of the bad quality of the code in ports, and some also decrease
> performance (or disable a feature, ex.: screenlock doesn't work if nosuid is
> set, but if the feature isn't used, nosuid can be used).
>
> I only know about these "security hardenings", hopefully all are ok (if not,
> please say/argue!):
>  
> ==
> ln -s GJU /etc/malloc.conf
> ==
> Remove wxallowed from /etc/fstab
> ==
> echo 'kern.stackgap_random=16777216' >> /etc/sysctl.conf
> ==
> Remove all SUID and SGID permissions and all FS must have "nosuid".
> ==
> Add noexec, nodev where you can in fstab, but can be bypassed..
> ==
> All filesystems that are only modified during software install and removal
> need to be read-only.
> They can be only rw if sw install/removal happens.
> ==
> Remove all files that are not needed for the machine to operate/do its
> purpose.
> ==
> echo "sysctl kern.securelevel=2" > /etc/rc.securelevel
> ==
> Make as many files immutable with "chflags schg filenamehere" as you can.
> ==
> If using X (so desktop) only use dangerous software (webbrowser, any viewer
> software: pdf, video, audio, torrent client, etc.) with another (limited)
> user!
> ==
> 
> The purpose of this mail is to find more... what are the other security features
> that are disabled in the default install?
>  
> -
> ps.: it would be nice to have a feature in the default installer to install
> with full disc encryption :) we still have to escape to shell during install
> and ex.:
> 
> install60.iso
> (S)hell
> dmesg | grep MB # or: sysctl hw.disknames
> dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
> dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> fdisk -iy sd0
> disklabel -E sd0
> a a
> enter
> enter
> RAID
> w
> q
> bioctl -c C -l /dev/sd0a -r 2000 softraid0
> # use a random high iteration number x > 10 000 000
> exit
> Start install to the newly created bioctl/crypt raid device: sdX, where X is
> ex.: 2...
> 
> with a random (but very high) number for iteration, afaik iteration only
> counts when typing in the password, much higher iteration would slow down
> brute-force attackers.
> -
> 
> Many thanks.



What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Peter Janos
Hello,

I know some features that can give additional security aren't turned on
because of the bad quality of the code in ports, and some also decrease
performance (or disable a feature, ex.: screenlock doesn't work if nosuid is
set, but if the feature isn't used, nosuid can be used).

I only know about these "security hardenings", hopefully all are ok (if not,
please say/argue!):
 
==
ln -s GJU /etc/malloc.conf
==
Remove wxallowed from /etc/fstab
==
echo 'kern.stackgap_random=16777216' >> /etc/sysctl.conf
==
Remove all SUID and SGID permissions and all FS must have "nosuid".
==
Add noexec, nodev where you can in fstab, but can be bypassed..
==
All filesystems that are only modified during software install and removal
need to be read-only.
They can be only rw if sw install/removal happens.
==
Remove all files that are not needed for the machine to operate/do its
purpose.
==
echo "sysctl kern.securelevel=2" > /etc/rc.securelevel
==
Make as many files immutable with "chflags schg filenamehere" as you can.
==
If using X (so desktop) only use dangerous software (webbrowser, any viewer
software: pdf, video, audio, torrent client, etc.) with another (limited)
user!
==

The purpose of this mail is to find more... what are the other security features
that are disabled in the default install?
 
-
ps.: it would be nice to have a feature in the default installer to install
with full disc encryption :) we still have to escape to shell during install
and ex.:

install60.iso
(S)hell
dmesg | grep MB # or: sysctl hw.disknames
dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
fdisk -iy sd0
disklabel -E sd0
a a
enter
enter
RAID
w
q
bioctl -c C -l /dev/sd0a -r 2000 softraid0
# use a random high iteration number x > 10 000 000
exit
Start install to the newly created bioctl/crypt raid device: sdX, where X is
ex.: 2...

with a random (but very high) number for iteration, afaik iteration only
counts when typing in the password, much higher iteration would slow down
brute-force attackers.
-

Many thanks.
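Several of the knobs in the list above are fstab(5) mount options (nosuid, nodev, noexec, and removing wxallowed). As an added example that is not part of any message in this thread, here is a POSIX sh audit that reads an fstab and reports, per ffs filesystem, which of those options are absent and where wxallowed is set; the fstab content and the DUID-style device names are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example: audit an fstab(5) for the mount-option hardening discussed
# in this thread (nosuid/nodev/noexec per filesystem, and wxallowed).
# The thread's list says every filesystem should carry nosuid and that
# wxallowed should be removed; this script only reports, it changes nothing.
# Whether / and /usr can really carry nosuid on a given box (stock setuid
# binaries live there) is the operator's call.

# Constructed sample fstab (DUID-style names made up; not from a real host).
SAMPLE_FSTAB='
# device               mountpoint  type  options             dump pass
0123456789abcdef.b     none        swap  sw
0123456789abcdef.a     /           ffs   rw                  1 1
0123456789abcdef.k     /home       ffs   rw,nodev,nosuid     1 2
0123456789abcdef.d     /tmp        ffs   rw,nodev,nosuid     1 2
0123456789abcdef.f     /usr        ffs   rw,nodev            1 2
0123456789abcdef.g     /usr/X11R6  ffs   rw,nodev            1 2
0123456789abcdef.h     /usr/local  ffs   rw,wxallowed,nodev  1 2
0123456789abcdef.e     /var        ffs   rw,nodev,nosuid     1 2
'

# has_opt OPTS NAME: succeed if the comma-separated list OPTS contains NAME
# as a whole option (so "nodev" does not match "nodevfoo").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab: read fstab text on stdin; print one line per ffs mount:
#   <mountpoint> ok|missing:<opts...> [wxallowed]
# Blank lines, comments and non-ffs entries (swap, nfs, ...) are skipped.
audit_fstab() {
    while read -r dev mnt type opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        [ "$type" = ffs ] || continue
        missing=''
        for o in nosuid nodev noexec; do
            has_opt "$opts" "$o" || missing="$missing $o"
        done
        if [ -n "$missing" ]; then
            line="$mnt missing:$missing"
        else
            line="$mnt ok"
        fi
        # wxallowed permits W^X violations for binaries on that filesystem;
        # the thread suggests removing it (ports needing it live in /usr/local).
        if has_opt "$opts" wxallowed; then
            line="$line wxallowed"
        fi
        printf '%s\n' "$line"
    done
}

# count_wxallowed: number of ffs mounts carrying wxallowed (0 on a clean fstab).
count_wxallowed() {
    audit_fstab | grep -c ' wxallowed$' || true
}

# Stand-alone use: audit the constructed sample. For a real machine, run
#   audit_fstab < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
```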