On Tue, 15 Apr 2008 13:45:14 +0200 "Jernej Makovsek" <[EMAIL PROTECTED]> wrote:

> Please just ignore this post!
>
> As I said in my first post "Now with this post I don't want to start
> any wars. I know that nothing is bullet proof and so on but as a
> wannabe OBSD user I'm "just" interested in if this compromise was
> analysed and especially how the code has changed from then, what did
> you do to make sure that this does not repeat"
>
> Now why did I post the Wired story? Because when I read the archive I
> was expecting that the penetration had been taken seriously and
> analysed publicly in detail. But instead it was dismissed as a joke.
> And it doesn't matter if it's from 2002, what's important to me is how
> you deal with the problem. One can get a flawed picture that this is
> how you deal with remote exploits. I was really looking forward to
> reading your comments on how that and that developer did that and that
> error in analyzing the situation and how the changes you made to the
> exploited program changed other programs and such, but instead ppl feel
> endangered.
>
> Ok, thanks for all the info. Flaming is starting, I have better things
> to do.. like make X work on OBSD.
>
> Bye
>
> On Tue, Apr 15, 2008 at 12:42 PM, Richard Toohey
> <[EMAIL PROTECTED]> wrote:
> > What's your point?
> >
> > Is OpenBSD perfect? No.
> >
> > Does it have flaws? Yes.
> >
> > Can it be broken? Yes, and you've dug something out from six years
> > ago that may or may not prove that. But the same can be said of
> > Linux, Windows, Mac OS, etc., etc.
> >
> > Has every flaw/bug been discovered? No.
> >
> > Will there be more issues found? Yes.
> >
> > Does it tackle security pro-actively? Yes.
> >
> > Does it prefer security and openness and doing things correctly
> > over bells & whistles and best performance whatever the cost? Yes
> > - security and correctness are priorities - but you could find that
> > out from http://www.openbsd.org/goals.html. Does that mean that
> > it will be perfect? No.
> >
> > Are the developers/leaders perfect? No.
> >
> > Is OpenBSD the One True Secure High Performance Operating System
> > for every imaginable task? No ... but then nor is anything else.
> >
> > Is OpenBSD for you? Only you can decide ... and even if it is, it
> > may not be the best tool for EVERY job.
> >
> > HTH.
> >
> > On 15/04/2008, at 10:28 PM, Jernej Makovsek wrote:
> >
> > > Reading the archive it seems to me that el8 was taken as a joke:
> > >
> > > List: openbsd-misc
> > > Subject: Re: main openbsd server compromised ?
> > > From: e <eliab () spack ! org>
> > > Date: 2002-08-15 17:11:01
> > > [Download message RAW]
> > >
> > > no, el8 is not a serious zine, it's a joke, i'm sure reading a
> > > little more of the zine would have made that obvious
> > >
> > > List: openbsd-misc
> > > Subject: Re: main openbsd server compromised ?
> > > From: e <eliab () spack ! org>
> > > Date: 2002-08-16 18:40:17
> > > [Download message RAW]
> > >
> > > * dayioglu ([EMAIL PROTECTED]) wrote:
> > > > On Thu, 2002-08-15 at 20:11, e wrote:
> > > >
> > > > > no, el8 is not a serious zine, it's a joke, i'm sure reading
> > > > > a little more of the zine would have made that obvious
> > > >
> > > > Not to cause a flame-war but the disclosed mail traffic of K2
> > > > seems very "normal". I did read the whole thing and to create so
> > > > many "joke mails" is, err, at least unusual.
> > > >
> > > > Are you sure you read it all?
> > >
> > > quite sure, el8 has been known to do this same type of thing
> > > before.
> > >
> > > And that's that. But on
> > > http://www.wired.com/culture/lifestyle/news/2002/08/54400 I read
> > > that "OpenBSD co-founder Theo de Raadt, cited as a top el8 target,
> > > angrily refused to discuss the compromise (link
> > > http://www.openssh.com/txt/trojan.adv) in late July of a file
> > > server maintained by the open-source, Unix-based operating-system
> > > project. On Aug. 1, a dangerous Trojan horse program was
> > > discovered amid the code for OpenBSD, which is used by thousands
> > > of organizations and renowned for its security.".
> > >
> > > And:
> > > "Christopher "Ambient Empire" Abad, a security expert with Qualys,
> > > confirmed that excerpts of e-mails and other files stolen from his
> > > directory on a server were published in el8's latest zine".
> > >
> > > So it appears to me that what el8 posted wasn't a joke. Did I
> > > miss something again?
> > >
> > > With regards,
> > > Jernej
> > >
> > > On Tue, Apr 15, 2008 at 1:59 AM, Ted Unangst
> > > <[EMAIL PROTECTED]> wrote:
> > > > On 4/14/08, Jernej Makovsek <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > Now with this post I don't want to start any wars. I know
> > > > > that nothing is bullet proof and so on but as a wannabe OBSD
> > > > > user I'm "just" interested in if this compromise was analysed
> > > > > and especially how the code has changed from then, what did
> > > > > you do to make sure that this does not repeat. And if it was a
> > > > > third party app, why wasn't it configured within a jail? Ok,
> > > > > I learned that sysjail was announced on May 22 2006, but
> > > > > surely you have chroot capability. And sysjail is connected
> > > > > with systrace... Well again, don't want to start any flame,
> > > > > just interested how your community responded and responds to
> > > > > issues like that.
> > > >
> > > > Sure, I'll just sum up 6 years of pretty continuous
> > > > development for you. Unfortunately, it would take too long to
> > > > read and I don't want to waste any of your time, so I'll just
> > > > summarize it as "lots of changes".