Re: security: what does OpenBSD have, that FreeBSD doesn't have...
> What makes OpenBSD so secure? Or can this kind of security be reproduced with FreeBSD ports? I think of tools like:

It's not the tools but the amount of time supposedly invested in improving security. I say supposedly because a lot of the buffer overflow issues they've dealt with haven't been actual, proven security holes per se but rather just more examples of defensive programming. Sometimes it's actually preventative, other times it's just an exercise in replacing every strcpy() with strncpy() (and so on) because that's an easy thing to do.

It's a bit like the approach of putting more locks on your front door. Maybe those extra locks will save your butt, maybe they'll just be expensive extras for a house with nothing worth stealing, and maybe the thieves will use the window instead and just bypass the door altogether - it's very hard to say.

What is certain is that having ANY faith in ANYONE'S security claims as a substitute for properly diligent system administration is just complete and utter foolishness. Most attacks I've seen, in fact, compromise *BSD (for all values of *BSD) and Linux equally through well-known 3rd party utilities, like popper or sendmail, rather than the OS itself. I doubt that any group has enough resources to completely audit even a small fraction of the 3rd party packages which users are likely to run and, even if they did, each revision of a package would necessitate auditing it all over again.

Don't trust anyone's security claims, *especially* when they claim to be uncrackable or even extremely secure. Operating systems are built by engineers, the same sort of engineers who built unsinkable ships like the Titanic, and I think that pretty much says it all. :-)

- Jordan

To Unsubscribe: send mail to majord...@freebsd.org
with "unsubscribe freebsd-hackers" in the body of the message
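The strcpy()-to-strncpy() replacement Jordan mentions, as an added example that is not part of the thread and not code from either BSD tree: it shows what the mechanical substitution does fix (the write past the end of the buffer) and what it leaves behind (strncpy() writes no terminator when the source fills the buffer), next to the bounded, always-terminating copy an auditor would actually want. The field size NAMELEN, the helper names and the sample inputs are assumptions made for this illustration.

```c
/* Added example, not code from the thread or from either BSD tree: what a
 * mechanical strcpy() -> strncpy() replacement changes, and the defect it
 * leaves behind.  Buffer size and inputs are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define NAMELEN 8   /* assumed fixed-size field, e.g. a login name */

/* The unaudited original would strcpy() into an NAMELEN-byte buffer.
 * Returns 1 if that copy would write past the end for this input
 * (we check instead of actually overflowing). */
int strcpy_would_overflow(const char *src)
{
    return strlen(src) + 1 > (size_t)NAMELEN;
}

/* The easy audit fix: strncpy() bounds the write, so the overflow is gone.
 * But when src is NAMELEN bytes or longer, strncpy() stores no NUL, and the
 * next strlen() or printf("%s") on dst reads off the end of it.
 * Returns 1 if dst is still a proper C string after the copy. */
int strncpy_leaves_terminator(const char *src)
{
    char dst[NAMELEN];
    memset(dst, 'X', sizeof dst);            /* stale bytes, as on a real stack */
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* What the auditor should reach for: a copy that is bounded, always
 * terminates, and reports truncation (the strlcpy() contract, written out
 * here so the example does not depend on a libc that has it).
 * Returns strlen(src); the copy was truncated if that is >= size. */
size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size == 0)
        return srclen;
    size_t n = srclen < size - 1 ? srclen : size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Wrapper over bounded_copy() into a NAMELEN buffer:
 * returns 1 if the input was truncated, 0 if it fit. */
int bounded_copy_truncates(const char *src)
{
    char dst[NAMELEN];
    return bounded_copy(dst, src, sizeof dst) >= sizeof dst;
}

int main(void)
{
    const char *inputs[] = { "root", "wheelgroup" };   /* constructed inputs */
    for (int i = 0; i < 2; i++) {
        char dst[NAMELEN];
        size_t len = bounded_copy(dst, inputs[i], sizeof dst);
        printf("%-10s strcpy overflows=%d strncpy terminated=%d bounded=\"%s\"%s\n",
               inputs[i], strcpy_would_overflow(inputs[i]),
               strncpy_leaves_terminator(inputs[i]), dst,
               len >= sizeof dst ? " (truncated)" : "");
    }
    return 0;
}
```

The point for a reviewer merging such diffs: a strcpy() replaced by strncpy() without a following `dst[size-1] = '\0'` (or without a truncation check) has traded a write overflow for a read overrun and silent truncation, which is why the change is worth auditing rather than taking wholesale.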
Re: security: what does OpenBSD have, that FreeBSD doesn't have.
> I'm not sure... I've been wandering through the openbsd source tree and merging useful diffs from binaries, but I haven't been too organised about it so far, and haven't encountered much in the way of important fixes. I'm sure there are some, though.

While it can rightfully be said that OpenBSD has done extensive auditing, I think all that's required of us is some auditing of the auditing. :)

If you don't take the changes wholesale but merely use them as very good hints in doing your own security auditing, I think you'll be off to an excellent start in exactly the right direction. Don't stop there though - there's every possibility that other eyes might catch something *they* missed, and that's something which can only benefit both groups. :)

- Jordan
security: what does OpenBSD have, that FreeBSD doesn't have...
Hi!

Am currently discussing FreeBSD vs. OpenBSD in private e-mail. What makes OpenBSD so secure? Or can this kind of security be reproduced with FreeBSD ports? I think of tools like:

bjorb - secure TCP relay software, http://www.hitachi-ms.co.jp/bjorb/

bro - Bro is a system for detecting Network Intruders in real-time by the guys that brought you tcpdump, libpcap, and flex

cfs - This is CFS, Matt Blaze's Cryptographic File System. It provides transparent encryption and decryption of selected directory trees. It is implemented as a user-level NFS server and thus does not require any kernel modifications. Under FreeBSD, the mount command for the CFS tree must include -o port=3049,nfsv2.

fwtk - The TIS Firewall Toolkit is a set of programs and configuration practices designed to facilitate the building of network firewalls.

skip - IP-Level Cryptography, Secure every application with one protocol. http://skip.incog.com

stunnel - The stunnel program is designed to work as SSL encryption wrapper between remote client and local (inetd-startable) or remote server. stunnel can be used to add SSL functionality to commonly used inetd daemons like POP-2, POP-3 and IMAP servers without any changes in the programs' code.

tcp_wrapper - With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services.

vscan - McAfee's evaluation VirusScan for FreeBSD, provides immediate scanning of MS-DOS files hosted on FreeBSD Unix systems.

Could somebody please explain?

--
Andreas Klemm
http://www.FreeBSD.ORG/~andreas
http://www.freebsd.org/~fsmp/SMP/SMP.html
powered by Symmetric MultiProcessor FreeBSD
RE: security: what does OpenBSD have, that FreeBSD doesn't have.
Hi Andreas =)

On 23-May-99 Andreas Klemm wrote:
> Am currently discussing FreeBSD vs. OpenBSD in private e-mail. What makes OpenBSD so secure? Or can this kind of security be reproduced with FreeBSD ports? I think of tools like:

Ye missed one of the most important things: auditing of the source code. The OpenBSD team does a lot wrt auditing of the complete source tree, but then the question is: is this a valid concern or is this pure paranoia? OpenBSD does a lot of valid changes but borders (and sometimes crosses that border) on paranoia, wrt code.

A lot of the security tools can be gotten from the ports, but the true security of a system lies in the eye of the admin. I have known admins whom I would never trust mission critical security systems to.

HTH,

---
Jeroen Ruigrok van der Werven          asmodai(at)wxs.nl
The FreeBSD Programmer's Documentation Project
Network/Security Specialist            http://home.wxs.nl/~asmodai
*BSD: Accept no limitations...
RE: security: what does OpenBSD have, that FreeBSD doesn't have.
> The OpenBSD team does a lot wrt auditing of the complete source tree, but then the question is: is this a valid concern or is this pure paranoia? OpenBSD does a lot of valid changes but borders (and sometimes crosses that border) on paranoia, wrt code.

Given the number of postings to BUGTRAQ about array overflows and stack smashing, I think it's relevant to ask whether it is possible to be *too* paranoid here. Personally, I think what the OpenBSD folks are doing is very important.

> A lot of the security tools can be gotten from the ports, but the true security of a system lies in the eye of the admin. I have known admins whom I would never trust mission critical security systems to.

The true security of a system depends on the operating system itself, the applications, *and* the admin. You can be a very good and security conscious admin - but it won't help you much if the operating system is Windows 98.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
RE: security: what does OpenBSD have, that FreeBSD doesn't have.
On 23-May-99 sth...@nethelp.no wrote:
>> The OpenBSD team does a lot wrt auditing of the complete source tree, but then the question is: is this a valid concern or is this pure paranoia? OpenBSD does a lot of valid changes but borders (and sometimes crosses that border) on paranoia, wrt code.
>
> Given the number of postings to BUGTRAQ about array overflows and stack smashing, I think it's relevant to ask whether it is possible to be *too* paranoid here. Personally, I think what the OpenBSD folks are doing is very important.

Paranoia/security and freedom of use are opposites on the balance of use. If you make so many security restrictions to a system, it's bound to make it less enjoyable where it concerns freedom.

>> A lot of the security tools can be gotten from the ports, but the true security of a system lies in the eye of the admin. I have known admins whom I would never trust mission critical security systems to.
>
> The true security of a system depends on the operating system itself, the applications, *and* the admin. You can be a very good and security conscious admin - but it won't help you much if the operating system is Windows 98.

Correct there Steinar, I left those other two out. But then the admin most certainly knows that he has to replace that Win98 box with FreeBSD ;)

---
Jeroen Ruigrok van der Werven          asmodai(at)wxs.nl
The FreeBSD Programmer's Documentation Project
Network/Security Specialist            http://home.wxs.nl/~asmodai
*BSD: Accept no limitations...
RE: security: what does OpenBSD have, that FreeBSD doesn't have.
On Sun, 23 May 1999 sth...@nethelp.no wrote:

>> The OpenBSD team does a lot wrt auditing of the complete source tree, but then the question is: is this a valid concern or is this pure paranoia? OpenBSD does a lot of valid changes but borders (and sometimes crosses that border) on paranoia, wrt code.
>
> Given the number of postings to BUGTRAQ about array overflows and stack smashing, I think it's relevant to ask whether it is possible to be *too* paranoid here. Personally, I think what the OpenBSD folks are doing is very important.

One of my plans is to merge all of these changes into our tree (along with all the other minor changes/manpage corrections, etc).

Longer term, I'd like to work on porting some of their kernel code like randomized sin_port selection and TCP initial sequence numbering, probably hidden behind sysctl knobs (defaulting to off to keep people happy).

Kris

--
- That suit's sharper than a page of Oscar Wilde witticisms that's been rolled up into a point, sprinkled with lemon juice and jabbed into someone's eye
- Wow, that's sharp!
    - Ace Rimmer and the Cat, _Red Dwarf_
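The two kernel behaviours Kris wants to port, randomized ephemeral (sin_port) selection and unpredictable TCP initial sequence numbers, as an added userland model that is not code from the thread, from FreeBSD or from OpenBSD. It puts the predictable version of each next to a randomized one so the difference an off-path attacker sees is concrete: with sequential ports and a fixed ISN step, one observed connection names the next source port and the next ISN; with a random starting offset and an RFC 1948-shaped ISN (clock plus keyed hash of the 4-tuple) it does not. The port range, the ISN step, the xorshift PRNG, the keyed FNV-1a stand-in for the hash and all function names are assumptions made for the illustration, not what any kernel uses.

```c
/* Added example, not code from the thread or from FreeBSD/OpenBSD: a
 * userland model of predictable vs randomized ephemeral port choice and of
 * predictable vs RFC 1948-style TCP initial sequence numbers.  The port
 * range, ISN step, xorshift PRNG and keyed FNV-1a are assumptions for
 * illustration, not what any kernel uses. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PORT_LOW  1024
#define PORT_HIGH 5000      /* assumed ephemeral range */
#define ISN_STEP  64000u    /* assumed per-connection increment of the old scheme */

/* Source of randomness: xorshift32, a stand-in for the kernel's RNG. */
static uint32_t prng_state = 0x9e3779b9u;
void prng_seed(uint32_t s) { prng_state = s ? s : 0x9e3779b9u; }
uint32_t prng_next(void)
{
    uint32_t x = prng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return prng_state = x;
}

/* Constructed table of ports already bound, standing in for the PCB list. */
static uint8_t port_in_use[65536 / 8];
void port_table_reset(void) { memset(port_in_use, 0, sizeof port_in_use); }
void port_table_reserve(uint16_t p) { port_in_use[p >> 3] |= (uint8_t)(1u << (p & 7)); }
void port_table_reserve_range(uint16_t lo, uint16_t hi)
{
    for (uint32_t p = lo; p <= hi; p++) port_table_reserve((uint16_t)p);
}
int port_table_busy(uint16_t p) { return (port_in_use[p >> 3] >> (p & 7)) & 1; }

/* Old behaviour: hand out the next port in order, so whoever sees one
 * connection can name the source port of the next. */
static uint16_t next_seq_port = PORT_LOW;
uint16_t pick_port_sequential(void)
{
    uint16_t p = next_seq_port;
    next_seq_port = (p == PORT_HIGH) ? PORT_LOW : (uint16_t)(p + 1);
    return p;
}

/* Randomized behaviour: start at a random offset in the range and take the
 * first free port from there.  Returns 0 if every port in the range is busy. */
uint16_t pick_port_random(void)
{
    const uint32_t span = PORT_HIGH - PORT_LOW + 1;
    uint32_t start = prng_next() % span;
    for (uint32_t i = 0; i < span; i++) {
        uint16_t p = (uint16_t)(PORT_LOW + (start + i) % span);
        if (!port_table_busy(p))
            return p;
    }
    return 0;
}

/* Old ISN behaviour: a global counter bumped by a fixed step per connection,
 * so one learned ISN predicts the next one. */
static uint32_t isn_counter = 0;
uint32_t isn_sequential(void)
{
    isn_counter += ISN_STEP;
    return isn_counter;
}

/* Keyed FNV-1a over (secret || data): a toy stand-in for the keyed hash F
 * of RFC 1948.  FNV is not a MAC; do not use it this way in real code. */
static uint32_t keyed_fnv1a(const char *secret, const uint8_t *data, size_t len)
{
    uint32_t h = 2166136261u;
    for (const char *s = secret; *s; s++) { h ^= (uint8_t)*s; h *= 16777619u; }
    for (size_t i = 0; i < len; i++)       { h ^= data[i];     h *= 16777619u; }
    return h;
}

/* RFC 1948 shape: ISN = M + F(laddr, lport, faddr, fport, secret).  M is a
 * monotonically increasing clock supplied by the caller; F makes the
 * per-connection offset unguessable without the secret. */
uint32_t isn_rfc1948(uint32_t clock_m, uint32_t laddr, uint16_t lport,
                     uint32_t faddr, uint16_t fport, const char *secret)
{
    uint8_t tuple[12];
    memcpy(tuple + 0, &laddr, 4); memcpy(tuple + 4, &faddr, 4);
    memcpy(tuple + 8, &lport, 2); memcpy(tuple + 10, &fport, 2);
    return clock_m + keyed_fnv1a(secret, tuple, sizeof tuple);
}

int main(void)
{
    port_table_reset();
    prng_seed(12345);
    uint16_t s1 = pick_port_sequential(), s2 = pick_port_sequential();
    uint16_t r1 = pick_port_random(),     r2 = pick_port_random();
    uint32_t i1 = isn_sequential(),       i2 = isn_sequential();
    printf("sequential ports %u %u, random ports %u %u\n", s1, s2, r1, r2);
    printf("sequential ISNs %u %u (step %u)\n", i1, i2, ISN_STEP);
    printf("RFC 1948 ISN %u\n",
           isn_rfc1948(1000, 0x0a000001u, 1024, 0x0a000002u, 80, "s3cret"));
    return 0;
}
```

The "hidden behind sysctl knobs" part of the plan corresponds to choosing pick_port_sequential() or pick_port_random() (and isn_sequential() or isn_rfc1948()) at run time; in the real kernel the secret for F has to come from a proper entropy source and be rotated, which this model leaves to the caller.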
Re: security: what does OpenBSD have, that FreeBSD doesn't have.
| One of my plans is to merge all of these changes into our tree (along with all
| the other minor changes/manpage corrections, etc).
|
| Longer term, I'd like to work on porting some of their kernel code like
| randomized sin_port selection and TCP initial sequence numbering, probably
| hidden behind sysctl knobs (defaulting to off to keep people happy).

I think that would be a great idea. I'd be willing to spare a few hours on a weekend to help out with this.

-Dan
Re: security: what does OpenBSD have, that FreeBSD doesn't have.
In message <pine.osf.4.10.9905232037320.11148-100...@mercury.physics.adelaide.edu.au> Kris Kennaway writes:
: One of my plans is to merge all of these changes into our tree
: (along with all the other minor changes/manpage corrections, etc).

Which ones are currently missing?

Also, beware. Most of the patches will not come into the FreeBSD tree w/o some tweaking to pass the bruce filter.

Warner
Re: security: what does OpenBSD have, that FreeBSD doesn't have.
On Sun, 23 May 1999, Warner Losh wrote:

> In message <pine.osf.4.10.9905232037320.11148-100...@mercury.physics.adelaide.edu.au> Kris Kennaway writes:
> : One of my plans is to merge all of these changes into our tree
> : (along with all the other minor changes/manpage corrections, etc).
>
> Which ones are currently missing?

I'm not sure... I've been wandering through the openbsd source tree and merging useful diffs from binaries, but I haven't been too organised about it so far, and haven't encountered much in the way of important fixes. I'm sure there are some, though.

> Also, beware. Most of the patches will not come into the FreeBSD tree w/o some tweaking to pass the bruce filter.

I'm expecting that, but I'm willing to clean up what I bring across.

Kris

> Warner

--
- That suit's sharper than a page of Oscar Wilde witticisms that's been rolled up into a point, sprinkled with lemon juice and jabbed into someone's eye
- Wow, that's sharp!
    - Ace Rimmer and the Cat, _Red Dwarf_