Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, 18 Nov 2009 21:51:03 -0800 Ted Unangst wrote: > > How many people are aware that any X program can listen to the > keystrokes of any other X program? > Any machine running or accessed by an X-machine is fundamentally insecure to whatever level of perms the accessor has. Which doesn't mean that I don't use X, just that I assume, a-priori, that anything on X is common-wealth. Dhu
Re: OT: Have you hugged your local OpenBSD dev lately?
On Sat, 12 Dec 2009, Duncan Patton a Campbell wrote: On Wed, 18 Nov 2009 21:51:03 -0800 Ted Unangst wrote: How many people are aware that any X program can listen to the keystrokes of any other X program? Any machine running or accessed by an X-machine is fundamentally insecure to whatever level of perms the accessor has. Which doesn't mean that I don't use X, just that I assume, a-priori, that anything on X is common-wealth. So everything under X should be considered available to everything else under X. I presume new models for displays, or new ways to get some kind of privilege separation for X, have been discussed to death already. Is there any key discussion or publication? /Lars
Re: OT: Have you hugged your local OpenBSD dev lately?
On Sat, 12 Dec 2009 23:47:38 +0200 (EET) Lars Nooden wrote: > On Sat, 12 Dec 2009, Duncan Patton a Campbell wrote: > > On Wed, 18 Nov 2009 21:51:03 -0800 > > Ted Unangst wrote: > >> How many people are aware that any X program can listen to the > >> keystrokes of any other X program? > > > > Any machine running or accessed by an X-machine is fundamentally > > insecure to whatever level of perms the accessor has. Which doesn't > > mean that I don't use X, just that I assume, a-priori, that anything on > > X is common-wealth. > > So everything under X should be considered available to everything else > under X. > > I presume new models for displays, or new ways to get some kind of > privilege separation for X, have been discussed to death > already. Is there any key discussion or publication? > I assume you've been to x.org and are asking me for a qualitative assessment I'm not qualified to answer;-) Over the years this issue has re-emerged in various contexts with various proposals and I don't think any resolution better than a "vetted" code base has been agreed. Dhu > /Lars
Re: OT: Have you hugged your local OpenBSD dev lately?
On Sat, Dec 12, 2009 at 4:47 PM, Lars Nooden wrote: > So everything under X should be considered available to everything else > under X. > > I presume new models for displays, or new ways to get some kind of privilege > separation for X, have been discussed to death already. Is there any key > discussion or publication? I'm not sure what you're after, but two conceivable starting points would be the man pages for xauth and XSelectInput.
Re: OT: Have you hugged your local OpenBSD dev lately?
On Mon, Dec 14, 2009 at 06:08:30AM -0700, Duncan Patton a Campbell wrote: > On Sat, 12 Dec 2009 23:47:38 +0200 (EET) > Lars Nooden wrote: > > On Sat, 12 Dec 2009, Duncan Patton a Campbell wrote: > > > On Wed, 18 Nov 2009 21:51:03 -0800 > > > Ted Unangst wrote: > > >> How many people are aware that any X program can listen to the > > >> keystrokes of any other X program? > > > Any machine running or accessed by an X-machine is fundamentally > > > insecure to whatever level of perms the accessor has. Which doesn't > > > mean that I don't use X, just that I assume, a-priori, that anything on > > > X is common-wealth. > > So everything under X should be considered available to everything else > > under X. > > I presume new models for displays, or new ways to get some kind of > > privilege separation for X, have been discussed to death > > already. Is there any key discussion or publication? > I assume you've been to x.org and are asking me for a qualitative assessment > I'm not qualified to answer;-) Over the years this issue has re-emerged > in various contexts with various proposals and I don't think any resolution > better than a "vetted" code base has been agreed. Considering the design of X, I don't expect any valid security model to emerge out of it. If things are insecure, piling more protocols and more concepts on top of it is unlikely to make things better. The more complicated, the less secure. Look at recent X evolution. Tell me which way the wind blows ? The way I read things, they're mostly concerned with getting things faster, which can often be worthwhile. And adding more bloat to compete with Windows applications and eye-candy... that, in some lands, is considered worthwhile. >From past experience, I would expect much waving of hands over a two weeks periods, with lots of expert telling you "It's a complicated problem", running around in circle finding even MORE complicated problems to solve, and then things going back to its general state of apathy with respect to security issues.
Re: OT: Have you hugged your local OpenBSD dev lately?
> From past experience, I would expect much waving of hands over a two > weeks periods, with lots of expert telling you "It's a complicated problem", > running around in circle finding even MORE complicated problems to solve, > and then things going back to its general state of apathy with respect > to security issues. I don't believe it's apathy, as much as a realization that in general, the focus of the developers will always be on speed and eye candy to the expense of all else, including stability and security. As such we concentrate on looking at things that can mitigate somewhat, at least in the saner cases, such as when it is not an accellerated driver with full access to the machine. Then we at least have some "more secure by default" options. The fact is though, Monsterously accellerated X with full access to the machine hardware bypasseses much of the security protection openbsd provides. Do some people want/need it? sure. but they sould do so understanding that they are incurring a greater risk by using it. in this manner.
Re: OT: Have you hugged your local OpenBSD dev lately?
On 12/14/09 11:43 AM, Bob Beck wrote: From past experience, I would expect much waving of hands over a two weeks periods, with lots of expert telling you "It's a complicated problem", running around in circle finding even MORE complicated problems to solve, and then things going back to its general state of apathy with respect to security issues. I don't believe it's apathy, as much as a realization that in general, the focus of the developers will always be on speed and eye candy to the expense of all else, including stability and security. As such we concentrate on looking at things that can mitigate somewhat, at least in the saner cases, such as when it is not an accellerated driver with full access to the machine. Then we at least have some "more secure by default" options. The fact is though, Monsterously accellerated X with full access to the machine hardware bypasseses much of the security protection openbsd provides. Do some people want/need it? sure. but they sould do so understanding that they are incurring a greater risk by using it. in this manner. Well, Bob, this is much like the new study that just came out for kids, here replace kids by your favorite X users and X developers that wants these goodies. The conclusion is pretty much the same and can read like: "The Journal Of Child Psychology And Psychiatry has concluded that an estimated 98 percent of children under the age of 10 are remorseless sociopaths with little regard for anything other than their own egocentric interests and pleasures." http://www.theonion.com/content/news/new_study_reveals_most_children I just don't think in this case here that it is limited to Children only. (;> Peace, Daniel
Re: OT: Have you hugged your local OpenBSD dev lately?
> "The Journal Of Child Psychology And Psychiatry has concluded that an > estimated 98 percent of children under the age of 10 are remorseless > sociopaths with little regard for anything other than their own egocentric > interests and pleasures." > > http://www.theonion.com/content/news/new_study_reveals_most_children > > I just don't think in this case here that it is limited to Children only. > (;> The people who publish such research, and those that read it and find it "novel" have obviously never been parents themselves, or even someone's boss. People are at the core motivated by their own self-interest. Anyone who says they aren't is selling something.
Re: OT: Have you hugged your local OpenBSD dev lately?
+-- | On 2009-12-14 10:17:54, Bob Beck wrote: | | > http://www.theonion.com/content/news/new_study_reveals_most_children | | The people who publish such research, and those that read it and find | it "novel" have obviously never been parents themselves, or even | someone's boss. | | People are at the core motivated by their own self-interest. Anyone | who says they aren't is selling something. Yes, they're selling hilarity. It's The Onion, after all. -- bda cyberpunk is dead. long live cyberpunk.
Re: OT: Have you hugged your local OpenBSD dev lately?
> | People are at the core motivated by their own self-interest. Anyone > | who says they aren't is selling something. > > Yes, they're selling hilarity. It's The Onion, after all. Yes, but it's funny because it's true. Even OpenBSD developers are motivated by self interest...Ever wonder why the answers on misc@ are so taunting or dismissive for people who whine without producing code?
Re: OT: Have you hugged your local OpenBSD dev lately?
On Mon, Dec 14, 2009 at 05:03:40PM +0100, Marc Espie wrote: > Considering the design of X, I don't expect any valid security model to emerge > out of it. The "Competitors to X" section of the X11 Wikipedia page has some interesting comments about alternatives to X http://en.wikipedia.org/wiki/X_Window_System#Competitors_to_X Unfortunately, none of them are close to becoming a reality in the near future.
Re: OT: Have you hugged your local OpenBSD dev lately?
Ted Unangst wrote: > On Sat, Dec 12, 2009 at 4:47 PM, Lars Nooden wrote: >> So everything under X should be considered available to everything else >> under X. >> >> I presume new models for displays, or new ways to get some kind of privilege >> separation for X, have been discussed to death already. Is there any key >> discussion or publication? > > I'm not sure what you're after, but two conceivable starting points > would be the man pages for xauth and XSelectInput. Those help. I'm trying to get an idea, even an abstract one, of how individual windows could be kept from poaching i/o from each other. /Lars
Re: OT: Have you hugged your local OpenBSD dev lately?
On Fri, Dec 18, 2009 at 4:31 PM, Lars Nooden wrote: > Ted Unangst wrote: >> I'm not sure what you're after, but two conceivable starting points >> would be the man pages for xauth and XSelectInput. > > Those help. I'm trying to get an idea, even an abstract one, of how > individual windows could be kept from poaching i/o from each other. XGrabKeyboard. There's also a whole section on security in man xterm, sorry, forgot about it before. But it's no magic bullet. Suddenly, your window manager hotkeys stop working, so you can't really have a default current window grabs keyboard policy. Your screensaver also needs to grab the keyboard. So if your browser only grabs the keyboard while entering a password field, that essentially means the screen locker will never activate in that state. Rare, but totally confusing to users.
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote: > So glad we don't have these kinds of issues... > > https://bugzilla.redhat.com/show_bug.cgi?id=534047 > no one offered a diff to implement that feature on OpenBSD yet ? it can easily be done by writing a sudoKit policy :-) Gilles -- Gilles Chehade freelance developer/sysadmin/consultant http://www.poolp.org
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote: > So glad we don't have these kinds of issues... > > https://bugzilla.redhat.com/show_bug.cgi?id=534047 > Wow that's tremendously funny. -- DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/ This message will self-destruct in 3 seconds.
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, Nov 18, 2009 at 16:55, Abel Abraham Camarillo Ojeda wrote: > On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote: >> So glad we don't have these kinds of issues... >> >> https://bugzilla.redhat.com/show_bug.cgi?id=534047 >> > > Wow that's tremendously funny. > > -- > DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/ > This message will self-destruct in 3 seconds. > I particular like comment #8, where one of the devs basically says "this is a feature, not a bug"
Re: OT: Have you hugged your local OpenBSD dev lately?
Before everyone goes too bonkers, consider exactly how safe/dangerous this behavior actually is on a single user machine. Food for thought. Think to yourself: what *exactly* is the difference between the only user account on your machine and root? How are you "safe"? On Nov 18, 2009, at 4:05 PM, Bryan wrote: So glad we don't have these kinds of issues... https://bugzilla.redhat.com/show_bug.cgi?id=534047
Re: OT: Have you hugged your local OpenBSD dev lately?
> Before everyone goes too bonkers, consider exactly how safe/dangerous > this behavior actually is on a single user machine. Food for thought. > > Think to yourself: what *exactly* is the difference between the only > user account on your machine and root? How are you "safe"? Not everyone runs firefox as root, like you Ted. Blurring all the lines is the wrong assesment. Yes, a lot of safety is about hurdles. The sidewalk is raised to a different height than the road as a hurdle, and it has a safety benefit. It reduces the danger for pedestrians because drivers don't what want the hurdle of replacing their rims. That is safety. I prefer the hurdles.
Re: OT: Have you hugged your local OpenBSD dev lately?
2009/11/19 Ted Unangst : > Think to yourself: what *exactly* is the difference between the only user > account on your machine and root? How are you "safe"? And then you create a guest account on your netbook... Read the comments. There are some interesting exploits for this... Best Martin
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, 18 Nov 2009 17:08 -0800, "Bryan" wrote: > On Wed, Nov 18, 2009 at 16:55, Abel Abraham Camarillo Ojeda > wrote: > > On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote: > >> So glad we don't have these kinds of issues... > >> > >> https://bugzilla.redhat.com/show_bug.cgi?id=534047 > >> > > > > Wow that's tremendously funny. > > > > -- > > DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/ > > This message will self-destruct in 3 seconds. > > > > I particular like comment #8, where one of the devs basically says > "this is a feature, not a bug" > Holy crap, you're right! This is funny as hell. I originally had not read the comments section. I especially liked; "I don't particularly care how UNIX has always worked." In other words; I don't particularly care about security you masturbating monkeys. :)
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, Nov 18, 2009 at 05:38:38PM -0800, Ted Unangst wrote: > Before everyone goes too bonkers, consider exactly how safe/dangerous > this behavior actually is on a single user machine. Food for thought. > > Think to yourself: what *exactly* is the difference between the only > user account on your machine and root? How are you "safe"? > > On Nov 18, 2009, at 4:05 PM, Bryan wrote: > >> So glad we don't have these kinds of issues... >> >> https://bugzilla.redhat.com/show_bug.cgi?id=534047 > well i think that the problem is that the new *feature* is enabled by default, it will definitely be useful on desktops/netbook/whatever. -- DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/ This message will self-destruct in 3 seconds.
Re: OT: Have you hugged your local OpenBSD dev lately?
--- On Wed, 11/18/09, Bryan wrote: > From: Bryan > Subject: OT: Have you hugged your local OpenBSD dev lately? > To: "Misc OpenBSD" > Received: Wednesday, November 18, 2009, 7:05 PM > So glad we don't have these kinds of > issues... > > https://bugzilla.redhat.com/show_bug.cgi?id=534047 > > This is a blatant ID10T error. Comments 9 and 10 are my favorite. Last I looked it *was* insecure to let non-root users install software let alone do it by default and without a password! --- James A. Peltier james_a_pelt...@yahoo.ca __ Looking for the perfect gift? Give the gift of Flickr! http://www.flickr.com/gift/
Re: OT: Have you hugged your local OpenBSD dev lately?
On Nov 18, 2009, at 5:47 PM, Theo de Raadt wrote: Before everyone goes too bonkers, consider exactly how safe/dangerous this behavior actually is on a single user machine. Food for thought. Think to yourself: what *exactly* is the difference between the only user account on your machine and root? How are you "safe"? Not everyone runs firefox as root, like you Ted. It's the easiest way to nice it to -10... Blurring all the lines is the wrong assesment. Yes, a lot of safety is about hurdles. The sidewalk is raised to a different height than the road as a hurdle, and it has a safety benefit. It reduces the danger for pedestrians because drivers don't what want the hurdle of replacing their rims. That is safety. I prefer the hurdles.
Re: OT: Have you hugged your local OpenBSD dev lately?
If you give untrusted people unsupervised access to your laptop, I hope you have a better lock than I do. On Nov 18, 2009, at 5:45 PM, Martin SchrC6der wrote: 2009/11/19 Ted Unangst : Think to yourself: what *exactly* is the difference between the only user account on your machine and root? How are you "safe"? And then you create a guest account on your netbook... Read the comments. There are some interesting exploits for this... Best Martin
Re: OT: Have you hugged your local OpenBSD dev lately?
Not a change i would make, but for a desktop? Not a big deal. On Nov 18, 2009, at 5:48 PM, "Eric Furman" wrote: but making it *default* behaviour?? On Wed, 18 Nov 2009 17:38 -0800, "Ted Unangst" wrote: Before everyone goes too bonkers, consider exactly how safe/dangerous this behavior actually is on a single user machine. Food for thought. Think to yourself: what *exactly* is the difference between the only user account on your machine and root? How are you "safe"? On Nov 18, 2009, at 4:05 PM, Bryan wrote: So glad we don't have these kinds of issues... https://bugzilla.redhat.com/show_bug.cgi?id=534047
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, Nov 18, 2009 at 05:38:38PM -0800, Ted Unangst wrote: > Before everyone goes too bonkers, consider exactly how safe/dangerous > this behavior actually is on a single user machine. but did they also by default restrict the system to 1 user? it's not so much the idea that's laughable, but the way it was implemented. "What I contest is that to *undo* it you need to be an experienced system admin that knows how to write policykit policies and where to drop them. I think we can count the number of people able to do that on the tips of my fingers." - Simo Sorce, Software Engineer at Red Hat, Inc. -- jake...@sdf.lonestar.org SDF Public Access UNIX System - http://sdf.lonestar.org
Re: OT: Have you hugged your local OpenBSD dev lately?
To be sure, I don't think it's the best idea. But practically? For actual users running fedora? I doubt the change makes much difference for many of them. The reason I even brought this up is not because I like the idea, but because I think it is a good opportunity to reflect on what user permissions accomplish on a typical desktop machine. Consider where your "secrets", whatever they may be, are kept and how you access them. How many people are aware that any X program can listen to the keystrokes of any other X program? When you type your password into sudo, how do you know it's the real sudo? How do you know you aren't running badsudo because you're actually running badsh and it redirected your path? On Nov 18, 2009, at 8:49 PM, Jacob Meuser wrote: On Wed, Nov 18, 2009 at 05:38:38PM -0800, Ted Unangst wrote: Before everyone goes too bonkers, consider exactly how safe/dangerous this behavior actually is on a single user machine. but did they also by default restrict the system to 1 user? it's not so much the idea that's laughable, but the way it was implemented. "What I contest is that to *undo* it you need to be an experienced system admin that knows how to write policykit policies and where to drop them. I think we can count the number of people able to do that on the tips of my fingers." - Simo Sorce, Software Engineer at Red Hat, Inc. -- jake...@sdf.lonestar.org SDF Public Access UNIX System - http://sdf.lonestar.org
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, 18 Nov 2009 16:05:04 -0800 Bryan wrote: > So glad we don't have these kinds of issues... New around here, but I'm noticing a lot of tooting of our own horn...so to speak. With all the possible vectors for compromising a system that are available it just sounds naive to keep touting how secure this or that is. Do you own the physical network that your bits traverse? Do you guard your computer 24-7? And on and on. I will say the Fedora has bigger issues than allowing users to install pkgs. I just went through trying out Fedora 11 and it was a nightmare to me. Doing simple things with the network has been made so painful that clawing out my eyes started to seem like relief. But maybe all flavors are going this way. Part of the never ending bloat.
Re: OT: Have you hugged your local OpenBSD dev lately?
On Thu, Nov 19, 2009 at 5:40 PM, rhubbell wrote: > On Wed, 18 Nov 2009 16:05:04 -0800 > Bryan wrote: > >> So glad we don't have these kinds of issues... > > New around here, but I'm noticing a lot of tooting of our own horn...so to > speak. With all the possible vectors for compromising a system that are > available it just sounds naive to keep touting how secure this or that is. > Do you own the physical network that your bits traverse? Do you guard your > computer 24-7? And on and on. You miss the point - the reason we toot that particular horn is that you don't have to worry about those sorts of things (well, apart from 24-7 guarding, that's an entirely separate problem that has nothing to do with OpenBSD or any OS for that matter). People report that they can get a novice colleague to set up an OpenBSD box using just the CD, copy the company's crown jewels to it and leave it for a year, knowing that it has never been compromised. > > I will say the Fedora has bigger issues than allowing users to install > pkgs. I just went through trying out Fedora 11 and it was a nightmare to > me. Doing simple things with the network has been made so painful that > clawing out my eyes started to seem like relief. But maybe all flavors > are going this way. Part of the never ending bloat. > > OpenBSD is one of a few OSes that aren't taking this path. If you want the bloat, you add it yourself - it isn't included out of the box. I used to run Ubuntu on my firewall - I found it easier to edit /etc/network/interfaces manually than to use GNOME's retarded GUI network config tool. I fired up OpenBSD 4.5 and haven't looked back. @Ted: you could always write a wrapper script that runs firefox at nice -10 and tell sudo to let you run it (and only it) without a password. Sudo is nice when it's configured properly (using wrapper scripts and only allowing access to them). Any sysadmin who gives users full root access in any way (or gives access for ordinary users to make modifications to the system) should not be allowed near a computer IMHO. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: OT: Have you hugged your local OpenBSD dev lately?
On Fri, 20 Nov 2009 12:02:51 +1100 Aaron Mason wrote: > On Thu, Nov 19, 2009 at 5:40 PM, rhubbell wrote: > > On Wed, 18 Nov 2009 16:05:04 -0800 > > Bryan wrote: > > > >> So glad we don't have these kinds of issues... > > > > New around here, but I'm noticing a lot of tooting of our own > > horn...so to speak. With all the possible vectors for compromising a > > system that are available it just sounds naive to keep touting how > > secure this or that is. Do you own the physical network that your bits > > traverse? Do you guard your computer 24-7? And on and on. > > You miss the point - the reason we toot that particular horn is that > you don't have to worry about those sorts of things (well, apart from Definitely not missing the point. Maybe you missed mine. Not "worrying" because you trust everything about OpenBSD and everyone that's worked on it and every package you've installed and every piece of hardware you've installed, etc., etc. It's naive to point elsewhere and say "see, they're not secure". For example should I trust you and the other "tooters" just because you insist OpenBSD's secure? > 24-7 guarding, that's an entirely separate problem that has nothing to > do with OpenBSD or any OS for that matter). People report that they > can get a novice colleague to set up an OpenBSD box using just the CD, > copy the company's crown jewels to it and leave it for a year, knowing > that it has never been compromised. How would you know if you've been compromised? If it's the crown jewels it may be worth it to remain undetected, right? Saying it's not possible to avoid detection is naive. > > > > > I will say the Fedora has bigger issues than allowing users to install > > pkgs. I just went through trying out Fedora 11 and it was a nightmare > > to me. Doing simple things with the network has been made so painful > > that clawing out my eyes started to seem like relief. But maybe all > > flavors are going this way. Part of the never ending bloat. > > > > > > OpenBSD is one of a few OSes that aren't taking this path. If you > want the bloat, you add it yourself - it isn't included out of the > box. Right, it's why I am trying it out. > > I used to run Ubuntu on my firewall - I found it easier to edit > /etc/network/interfaces manually than to use GNOME's retarded GUI > network config tool. I fired up OpenBSD 4.5 and haven't looked back. Yep, been there, used ubuntu for a while, recently tried Fedora11 and now here I am.
Re: OT: Have you hugged your local OpenBSD dev lately?
On Fri, Nov 20, 2009 at 2:06 PM, rhubbell wrote: > On Fri, 20 Nov 2009 12:02:51 +1100 > > Definitely not missing the point. Maybe you missed mine. Not "worrying" > because you trust everything about OpenBSD and everyone that's worked on > it and every package you've installed and every piece of hardware you've > installed, etc., etc. It's naive to point elsewhere and say "see, they're > not secure". For example should I trust you and the other "tooters" just > because you insist OpenBSD's secure? > That's a good point. However a story told on the testimonials page is a good reason not to take our word for it, because it's been demonstrated. A redhat server rooted but OpenBSD servers left after being probed is quite a feat. A P133 w/ 64mb of RAM being floodpinged by 900 hosts that only got a little slower from it is also a considerable achievement. > > How would you know if you've been compromised? If it's the crown jewels it > may be worth it to remain undetected, right? Saying it's not possible to > avoid detection is naive. > Usually when a machine is compromised, it is then used to attack other sites - that would be detected. A large sudden data transfer from a machine with the company's crown jewels on it would be a pretty good indicator as well. If the log files are sent offsite - a very wise move I believe - they could contain traces of the attack as well. I'm not naive though - you would actually have to be watching these, and if you're not, today's a good day to start. Hope this helps. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: OT: Have you hugged your local OpenBSD dev lately?
On Thu, 19 Nov 2009 19:06:53 -0800, rhubbell wrote: 8>< snipped for brevity. >> You miss the point - the reason we toot that particular horn is that >> you don't have to worry about those sorts of things (well, apart from > >Definitely not missing the point. Maybe you missed mine. Not "worrying" >because you trust everything about OpenBSD and everyone that's worked on >it and every package you've installed and every piece of hardware you've >installed, etc., etc. It's naive to point elsewhere and say "see, they're >not secure". For example should I trust you and the other "tooters" just >because you insist OpenBSD's secure? No. That isn't the point really. It's very rare for OpenBSD to have exploits against it but I don't hear any of the developers saying that it is impregnable, just that it's as good as they can make it for their own peace of mind. They are continually re-reading the source and using various tools to do audits to help make the code correct. Correct code is a foundation of security. As you are new here, you may not yet know that OpenBSD doesn't give a stuff about "market share" and is developed by the devs for their own use and if someone else likes it, it's a case of "Here's the ftp server or you can buy a CD and if it suits your purpose, that's fine. If it doesn't then we won't cry when you leave." That has suited me for about 8 years and it has guarded quite a few "crown jewels" for my clients in that time. Oh, and I'm a retired IBM Linux instructor so I have a pretty good insight into the relative merits of this community vs that one. The point of most chuckling about others (distros,versions, dev teams) silly actions is that the OpenBSD community doesn't suffer the stupidity du jour. Recent sightings elsewhere are binary blobs, proprietary drivers and the really stupid Debian key messup. Just a bit of Schaudenfreude really when you consider that their woe is self-inflicted. *** NOTE *** Please DO NOT CC me. I subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thankyou. Rod/ --- This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
Re: OT: Have you hugged your local OpenBSD dev lately?
On Thu, Nov 19, 2009 at 10:06 PM, rhubbell wrote: > It's naive to point elsewhere and say "see, they're not secure". Other similar systems are not as secure and that has been objectively demonstrated. Here's one example. See the chart at the top of page three: http://research.sun.com/projects/downunder/publications/documents/kca09.pdf If you care about these things, then you use OpenBSD. Brad
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, 18 Nov 2009 16:05:04 -0800 Bryan wrote: > So glad we don't have these kinds of issues... > > https://bugzilla.redhat.com/show_bug.cgi?id=534047 And finally... https://www.redhat.com/archives/fedora-devel-list/2009-November/msg01445.html Good fun though. -- Oliver PETER email: oli...@peter.de.com ICQ# 113969174 "I'm just a simple man trying to make my way in the universe." -- Jango Fett
Re: OT: Have you hugged your local OpenBSD dev lately?
On 11/20/09, rhubbell wrote: > Definitely not missing the point. Maybe you missed mine. Not "worrying" > because you trust everything about OpenBSD and everyone that's worked on > it and every package you've installed and every piece of hardware you've > installed, etc., etc. It's naive to point elsewhere and say "see, they're > not secure". For example should I trust you and the other "tooters" just > because you insist OpenBSD's secure? OpenBSD's security isn't affected at all if we, as users, insist on it. It's the proven record. While others get new GUIs with each new release of their OS of choice, we get tmux, and security fix of a remote vulnerability of a non-base package within 2 hours since it became known. We, non-technical users, see the no-nonsense attitude of devs on this very list. I haven't seen any "tooting" here, devs are busy with more important work than to campaign that our OS of choice is of different league from any other. We already know that.
Re: OT: Have you hugged your local OpenBSD dev lately?
2009/11/20 rhubbell : > Definitely not missing the point. Maybe you missed mine. Not "worrying" > because you trust everything about OpenBSD and everyone that's worked on > it and every package you've installed and every piece of hardware you've > installed, etc., etc. It's naive to point elsewhere and say "see, they're > not secure". For example should I trust you and the other "tooters" just > because you insist OpenBSD's secure? It's not about absolute trust, or faith, it's about playing the odds. You can choose a OS built with security as the primary focus at one extreme, or one that's insecure by default at the other. No OS will be absolutely secure, but at least one tries to be.
Re: OT: Have you hugged your local OpenBSD dev lately?
On Fri, 20 Nov 2009 14:37:36 +1100 Aaron Mason wrote: > On Fri, Nov 20, 2009 at 2:06 PM, rhubbell wrote: > > On Fri, 20 Nov 2009 12:02:51 +1100 > > > > Definitely not missing the point. Maybe you missed mine. Not "worrying" > > because you trust everything about OpenBSD and everyone that's worked > > on it and every package you've installed and every piece of hardware > > you've installed, etc., etc. It's naive to point elsewhere and say > > "see, they're not secure". For example should I trust you and the > > other "tooters" just because you insist OpenBSD's secure? > > > > That's a good point. However a story told on the testimonials page is > a good reason not to take our word for it, because it's been > demonstrated. A redhat server rooted but OpenBSD servers left after Maybe an OpenBSD tooter was the rooter? > being probed is quite a feat. A P133 w/ 64mb of RAM being floodpinged > by 900 hosts that only got a little slower from it is also a > considerable achievement. Agreed. > > > > > How would you know if you've been compromised? If it's the crown > > jewels it may be worth it to remain undetected, right? Saying it's not > > possible to avoid detection is naive. > > > > Usually when a machine is compromised, it is then used to attack other How much is an exploit worth? If you're going to reveal the fact you've compromised a system, it's not worth that much. > sites - that would be detected. A large sudden data transfer from a > machine with the company's crown jewels on it would be a pretty good > indicator as well. If the log files are sent offsite - a very wise > move I believe - they could contain traces of the attack as well. I'm > not naive though - you would actually have to be watching these, and > if you're not, today's a good day to start. > > Hope this helps. > > > -- > Aaron Mason - Programmer, open source addict > I've taken my software vows - for beta or for worse
Re: OT: Have you hugged your local OpenBSD dev lately?
On Fri, 20 Nov 2009 15:31:47 +1100 Rod Whitworth wrote: > On Thu, 19 Nov 2009 19:06:53 -0800, rhubbell wrote: > 8>< snipped for brevity. > >> You miss the point - the reason we toot that particular horn is that > >> you don't have to worry about those sorts of things (well, apart from > > > >Definitely not missing the point. Maybe you missed mine. Not "worrying" > >because you trust everything about OpenBSD and everyone that's worked on > >it and every package you've installed and every piece of hardware you've > >installed, etc., etc. It's naive to point elsewhere and say "see, > >they're not secure". For example should I trust you and the other > >"tooters" just because you insist OpenBSD's secure? > > No. That isn't the point really. It's very rare for OpenBSD to have > exploits against it but I don't hear any of the developers saying that How would you know though? Your argument has been compromised because it's presuming the exploit's detectable. > it is impregnable, just that it's as good as they can make it for their > own peace of mind. They are continually re-reading the source and using > various tools to do audits to help make the code correct. Correct code > is a foundation of security. > As you are new here, you may not yet know that OpenBSD doesn't give a > stuff about "market share" and is developed by the devs for their own > use and if someone else likes it, it's a case of "Here's the ftp server > or you can buy a CD and if it suits your purpose, that's fine. If it > doesn't then we won't cry when you leave." I'm finding it amusing that when folks on the list ask a question answered in the docs it's always RTFM. But when not asking for documented info it comes flwoing out. (^: > > That has suited me for about 8 years and it has guarded quite a few > "crown jewels" for my clients in that time. Guarded by which definition? Meaning as far as you know it was never compromised? > > Oh, and I'm a retired IBM Linux instructor so I have a pretty good > insight into the relative merits of this community vs that one. Too vague for me. > > > > The point of most chuckling about others (distros,versions, dev teams) > silly actions is that the OpenBSD community doesn't suffer the > stupidity du jour. Recent sightings elsewhere are binary blobs, > proprietary drivers and the really stupid Debian key messup. > > Just a bit of Schaudenfreude really when you consider that their woe > is > self-inflicted. Right so my point is that I still find it interesting that these threads about "look at them" are just some hand-waving. "Look over there, look how they are, hahaha." That to me is a red flag to be more vigilant and to not look over there, but they seem to be trying to distract from vigilance.
Re: OT: Have you hugged your local OpenBSD dev lately?
On Fri, 20 Nov 2009 08:22:45 -0500 Brad Tilley wrote: > On Thu, Nov 19, 2009 at 10:06 PM, rhubbell wrote: > > > It's naive to point elsewhere and say "see, they're not secure". > > Other similar systems are not as secure and that has been objectively > demonstrated. Here's one example. See the chart at the top of page Ok, since you say it's objective it must be.
Re: OT: Have you hugged your local OpenBSD dev lately?
On Fri, 20 Nov 2009 18:22:08 +0100 soko.tica wrote: > On 11/20/09, rhubbell wrote: > > Definitely not missing the point. Maybe you missed mine. Not "worrying" > > because you trust everything about OpenBSD and everyone that's worked > > on it and every package you've installed and every piece of hardware > > you've installed, etc., etc. It's naive to point elsewhere and say > > "see, they're not secure". For example should I trust you and the > > other "tooters" just because you insist OpenBSD's secure? > > OpenBSD's security isn't affected at all if we, as users, insist on it. I insist on things all the time.
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, 25 Nov 2009 00:00:08 +1100 SJP Lists wrote: > 2009/11/20 rhubbell : > > > Definitely not missing the point. Maybe you missed mine. Not "worrying" > > because you trust everything about OpenBSD and everyone that's worked > > on it and every package you've installed and every piece of hardware > > you've installed, etc., etc. It's naive to point elsewhere and say > > "see, they're not secure". For example should I trust you and the > > other "tooters" just because you insist OpenBSD's secure? > > It's not about absolute trust, or faith, it's about playing the odds. > > You can choose a OS built with security as the primary focus at one > extreme, or one that's insecure by default at the other. > > No OS will be absolutely secure, but at least one tries to be. > I know.
Re: OT: Have you hugged your local OpenBSD dev lately?
On Thu, Nov 26, 2009 at 2:10 PM, rhubbell wrote: > On Fri, 20 Nov 2009 08:22:45 -0500 > Brad Tilley wrote: > >> On Thu, Nov 19, 2009 at 10:06 PM, rhubbell wrote: >> >> > It's naive to point elsewhere and say "see, they're not secure". >> >> Other similar systems are not as secure and that has been objectively >> demonstrated. Here's one example. See the chart at the top of page > > Ok, since you say it's objective it must be. It's as objective as you'll find. OpenSolaris is based on Solaris which is Sun's OS (Sun sponsored the research) and they treated OpenSolaris just like the others. One concern was the amount of change compared to the amount of bugs. From the paper, "... The Linux kernel has been checked with the Coverity Prevent tool in multiple years. It was surprising to us to find that many bugs in code we thought to be clean, however, the churn rate in the Linux community is higher than that in the other two communities." Rate of change is crucial. I just saw this quote from Greg Kroah-Hartman in an interview at http://howsoftwareisbuilt.com: "Well, just to touch back on that rate of change that I mentioned before, I just looked it up, and we add 11,000 lines, remove 5500 lines, and modify 2200 lines every single day [to the Linux kernel]." Systems with that amount of change are more prone to failure. I would not want to fly on an airplane that got a new, different engine bolted on every week. I think that's the point of the comparisons. Nothing against other systems, they are fine for certain things and thank goodness for companies such as RedHat that tame that change into something manageable. Brad