Re: The OpenBSD talk at 36c3

2019-12-31 Thread eecd
> seem to even know that stable exists. My original thought was that there was mal
> intent. I think not now, unless it has been shaped by criticism. It is a highly


no i think your first thought was right. there's clearly malice; he just lacks
the maturity to be forthright and honest about it and instead chose to be
passive-aggressive with his deceptive and snide remarks, childish t-shirt and
denigrating presentation. this entire pretense from the moment he got butthurt
over someone on irc for favoring OpenBSD to his URL and website has been
derogatory

> as possible. He could lose a bit of arrogance and is wrong in a few places. I
> don't actually even agree with his security quotes entirely as with everything
> it depends on context like mitigations cannot be taken alone, without the
> context of other mitigations, older hardware etc.

you're right about this. he misses the forest for the trees by almost entirely
disregarding the context of OpenBSD as an operating system

> Perhaps I missed the point but attacks not being currently used is a false
> metric as they could still be used, if allowed. I think he has done quite
> well considering and


that part was really stupid. he must also think that because python2 has
reached its EOL you no longer have to worry about bugs that affect 2.x
codebases jajaja


> clearly has some knowledge around attack vectors. His biggest mistake is he
> should be asking questions considering his limited knowledge of OpenBSD and
> not making arrogant statements. It was an interesting talk at least and
> re-evaluation is almost always


if he was coming from a place of sincerity then you'd expect him to have at
least reached out on the mailing list but it's clear his intentions were
entirely motivated by malice from the start

> issue. If so, then that is a naive view. More likely, he is just in
> transition to OpenBSD :-)

i wouldn't be surprised to know he is a kali user


At moment, I want my privacy to be protected.
https://mytemp.email/



Re: The OpenBSD talk at 36c3

2019-12-31 Thread Kevin Chadwick
On 2019-12-31 05:19, g...@isdaq.com wrote:
> he completely misses the mark.
> rather than think "hmm 75% of commits are only 20 chars or less which seem

Having watched the video now, that particular part of the talk is poor. He 
doesn't seem to even know that stable exists. My original thought was that 
there was mal intent. I think not now, unless it has been shaped by criticism. 
It is a highly complex talk and I am sure there are parts where he is short on 
knowledge but got thrown in the deep end of making a talk comprehensive and 
trying to look as competent as possible. He could lose a bit of arrogance and 
is wrong in a few places. I don't actually even agree with his security quotes 
entirely as with everything it depends on context like mitigations cannot be 
taken alone, without the context of other mitigations, older hardware etc.

Though, I don't even agree with the security triangle entirely ;-)

Perhaps I missed the point but attacks not being currently used is a false 
metric as they could still be used, if allowed. I think he has done quite well 
considering and clearly made an effort surrounded by voices likely from 
competitive projects. He clearly has some knowledge around attack vectors. His 
biggest mistake is he should be asking questions considering his limited 
knowledge of OpenBSD and not making arrogant statements. It was an interesting 
talk at least and re-evaluation is almost always useful. OTOH, it may stem 
from attempting to make the case that if Linux does priv sep/drop, unveil and 
pledge then Linux is good and the Linux kernel is not an issue. If so, then 
that is a naive view. More likely, he is just in transition to OpenBSD :-)



Re: The OpenBSD talk at 36c3

2019-12-30 Thread gbcd
Case in point: commit messages. as claudio proved, he posited inaccurate and
blatantly false assertions that any objective researcher would immediately
realize are obviously wrong, but because he's seeking data that confirms his
preconceived notion that "HUR DUR OPENBSD BAD!" he completely misses the mark.

rather than think "hmm 75% of commits are only 20 chars or less which seems
unusual let's take a closer look" he shouts "HAH I KNEW IT! OPENBSD d3vZ sUx0r!"
classic confirmation bias. my pops, god bless his soul, used to say the way you
do one thing is the way you do everything. and the way this kid shows his true
colors with this example is the way he approached this whole eisegetic charade:
subjectively. and with the burning desire to make you see OpenBSD the way he
_feels_ about OpenBSD. not how it is. not what it does or doesn't do. not the
uniformly positive experience by its userbase. just how those notoriously mean
badguys made him feel that time he kept submitting ports that were rejected for
not being up to standard. he made numerous spurious remarks with no evidence to
support their veracity. and childish criticisms of development practices simply
because he doesn't like it not for any objectively quantifiable metrics of
quality or productivity or security. it really vexes him that OpenBSD doesn't
use github and patchwork doesn't it. the only real interest i have in the talk
is what exactly was it that hurt him so much that he harbors all this resentment
and bitterness. it's obvious he's upset because if he had any genuine desire to
empower and help people like he said he would make efforts to improve something
he saw he could improve rather than spread FUD





Re: The OpenBSD talk at 36c3

2019-12-30 Thread gbcd
frankly the impression the speaker gives is of someone who feels aggrieved
by an OpenBSD dev or more likely some story he heard about Theo or some similar
event affronted this boy's sensibilities and his first instinct was to lash
out as most children do and say "but you're wrong!". it's like a child's
version of tall poppy syndrome where the kid sees someone else getting praise
or attention and they resent it so they start throwing their toys around

his demeanor and metacommunication are telling especially when viewed in the
context of his statements on https://isopenbsdsecu.re/about/

  Because the OpenBSD community is notorious for not being nice and welcoming:
  They’re proud of not having a code of conduct, and were mocking FreeBSD for
  adopting one.
  Theo is known to routinely call people names and being harsh, calling people
  assholes, inaccurate jerk

not having a code of conduct has clearly offended this boy which is slightly
droll. i for one definitely consider it a positive that OpenBSD doesn't have
a coc. people who want to regulate adult behavior are usually very insecure and
incompetent so seek to obtain power by way of decree because they lack the
ability to influence the world in any other capacity

and his presentation can hardly be considered quantitative research but an
arbitrary cherrypick of statements in some weird appeal to authority flex that
misses the mark

i can't help but smile at the audacity the kid has to think he's even capable
of considering things that actual systems developers with more years' experience
than he's even been alive haven't cogitated and debated among each other for
exponentially more hours on just one of the mitigations he thinks he's cleverly
dissected than he spent on the entirety of his collective "research". it was a
good laugh but he really should invest his time into building something rather
than trying to tear something down that has contributed immeasurable value to
the community with just one of their many innovations





Re: The OpenBSD talk at 36c3

2019-12-30 Thread Karl Pettersson
On Mon, Dec 30, 2019 at 11:46:58AM +0100, Claudio Jeker wrote:
 
> Sorry but 25k is no where close to 75% of 202198.
> Seems he did count words not characters.
> 

Yes, the author has published code for generating the chart:
https://isopenbsdsecu.re/mitigations/development_practises/

The count is generated by "awk '{ print NF}'", which should count words
separated by space if no field separator is specified.

> -- 
> :wq Claudio
> 



Re: The OpenBSD talk at 36c3

2019-12-30 Thread Edgar Pettijohn


On Dec 30, 2019 5:31 AM, Kevin Chadwick  wrote:
>
>
> > I liked the presentation.  An excerpt from https://isopenbsdsecu.re/about/:
> >> This website was done because studying mitigations is fun, not to get 
> >> involved in a huge flamewars or endless bike-shedding on mailing lists.
>
> It is not my place to comment, however I will say that it did not read to me as
> unbiased. Perhaps things like embargoes were mentioned in the video. There are
> significant misunderstandings and perhaps misinformation, with at times
> oppositional mistakes in the slides. My initial opinion is that very limited
> research effort happened to aid credibility, not in order to create a fair and
> comprehensive report.
>
> I welcome the praise on unveil and pledge though. It would be nice, if there was
> an OpenBSD version of GCP app engine for the less serious but easily scalable
> web services!
>

Even on points where they showed OpenBSD as being late to the game they always 
finished first. I researched Linux seccomp a while back. It is a mess to use 
compared to a couple of lines of pledge/unveil. Much better long term to get it 
right so it's usable.

Edgar



Re: The OpenBSD talk at 36c3

2019-12-30 Thread Martijn van Duren
On 12/30/19 11:46 AM, Claudio Jeker wrote:
> On Sun, Dec 29, 2019 at 01:29:12PM +0100, Henry Jensen wrote:
>> Greetings,
>>
>> for those who didn't watch it, there is an accompanying site at
>> https://isopenbsdsecu.re/
>>
>> Summary: There are a lot of claims. The speaker basically said, that
>> some mitigations are "cool", but other, more or less, useless.
>>
>> Further accusations are, that OpenBSD still uses e-mail and cvs and not
>> more advanced CI tools.
>>
>> I can't say anything to the more technical claims about useless
>> mitigations, since I am not an OS developer. Is there going to be a
>> response from the OpenBSD team?
>>
> 
> One thing that everyone can check is the claim that 50% of our commit
> messages are less than 10 chars long and 75% are less than 20 chars.
> Using the git repo you can run something like this and get the numbers
> yourself.
> 
> openbsd-git> git log --log-size --format="%B" | grep '^log size ' | \
>   cut -f 3 -d ' ' | \
>   awk '{ t++; if ($1 <= 10) s++; if ($1 <= 20) m++; else l++; }
>        END { print s " <= 10 char"; print m " <= 20 char";
>              print l " rest"; print t " total" }'
> 
> 12386 <= 10 char
> 25894 <= 20 char
> 176304 rest
> 202198 total
> 
> Sorry but 25k is nowhere close to 75% of 202198.
> Seems he did count words not characters.
> 
And of those messages the vast majority are sync and regen which are
done to whip the built/sets infrastructure back into shape after a major
change (addition or deletion) and don't need any additional information.

$ git log --log-size --format="%B" | \
awk '/^log size/{
  if (matches == 1) {messages[line]++; line = ""}
  matches = 0;
  if ($3 <= 10) { matches = 1}
}
{
  if (matches == 1 && $0 !~ /^log size/) {line = line tolower($0)}
}
END {
  for (line in messages){ print messages[line]": "line}
}' | \
sort -n | tail
107: tweaks;
115: spelling
117: regen.
135: indent
183: oops
249: spacing
416: knf
441: typo
1902: regen
4915: sync



Re: The OpenBSD talk at 36c3

2019-12-30 Thread Kevin Chadwick


> I liked the presentation.  An excerpt from https://isopenbsdsecu.re/about/:
>> This website was done because studying mitigations is fun, not to get 
>> involved in a huge flamewars or endless bike-shedding on mailing lists.

It is not my place to comment, however I will say that it did not read to me as
unbiased. Perhaps things like embargoes were mentioned in the video. There are
significant misunderstandings and perhaps misinformation, with at times
oppositional mistakes in the slides. My initial opinion is that very limited
research effort happened to aid credibility, not in order to create a fair and
comprehensive report.

I welcome the praise on unveil and pledge though. It would be nice, if there was
an OpenBSD version of GCP app engine for the less serious but easily scalable
web services!



Re: The OpenBSD talk at 36c3

2019-12-30 Thread Claudio Jeker
On Sun, Dec 29, 2019 at 01:29:12PM +0100, Henry Jensen wrote:
> Greetings,
> 
> for those who didn't watch it, there is an accompanying site at
> https://isopenbsdsecu.re/
> 
> Summary: There are a lot of claims. The speaker basically said, that
> some mitigations are "cool", but other, more or less, useless.
> 
> Further accusations are, that OpenBSD still uses e-mail and cvs and not
> more advanced CI tools.
> 
> I can't say anything to the more technical claims about useless
> mitigations, since I am not an OS developer. Is there going to be a
> response from the OpenBSD team?
> 

One thing that everyone can check is the claim that 50% of our commit
messages are less than 10 chars long and 75% are less than 20 chars.
Using the git repo you can run something like this and get the numbers
yourself.

openbsd-git> git log --log-size --format="%B" | grep '^log size ' | \
  cut -f 3 -d ' ' | \
  awk '{ t++; if ($1 <= 10) s++; if ($1 <= 20) m++; else l++; }
       END { print s " <= 10 char"; print m " <= 20 char";
             print l " rest"; print t " total" }'

12386 <= 10 char
25894 <= 20 char
176304 rest
202198 total

Sorry but 25k is nowhere close to 75% of 202198.
Seems he did count words not characters.

-- 
:wq Claudio
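As an added example (not code from the thread, from the website, or from the OpenBSD project), the script below runs the three measurements this part of the thread discusses over one constructed set of commit messages: Claudio's byte-count buckets read from the `log size` header, the `awk '{ print NF }'` word count that Karl notes the chart code used, and Martijn's tally of what the short bucket actually contains. The ten messages, their `log size` headers (generated from the body length) and the per-line word count are all assumptions made here; nothing in it reads the real repository.

```shell
#!/bin/sh
# Added example (not code from the thread or from the OpenBSD project): the
# same constructed set of commit messages measured two ways, (a) by the byte
# count that `git log --log-size` reports, which is what Claudio's pipeline
# buckets, and (b) by whitespace-separated words, which is what
# `awk '{ print NF }'` measures. (c) tallies the short bucket the way
# Martijn's script does. Every message below is invented.

# Constructed messages, one per line: a mix of the one-word "sync"/"regen"
# style and ordinary one-line messages. Not real OpenBSD commits.
MESSAGES='sync
regen
sync
typo
regen
sync
fix use-after-free in the ring buffer teardown path
Add a missing bounds check to the option parser
update to version 1.2.3
knf'

# Emit the messages in the shape of `git log --log-size --format="%B"`:
# a "log size N" header (N = bytes of the body including its newline;
# ASCII only here, so awk's length() equals the byte count), the body,
# then the blank line %B leaves between commits.
make_sample() {
    printf '%s\n' "$MESSAGES" |
        awk '{ printf "log size %d\n%s\n\n", length($0) + 1, $0 }'
}

# (a) Claudio's bucketing, applied to the byte count in the header.
# Prints "<=10 <=20 rest total"; the <=20 bucket is cumulative, as in
# the thread's output.
count_by_bytes() {
    make_sample | grep '^log size ' | cut -f 3 -d ' ' |
        awk '{ t++; if ($1 <= 10) s++; if ($1 <= 20) m++; else l++ }
             END { printf "%d %d %d %d\n", s, m, l, t }'
}

# (b) The same buckets, but on words per message line (awk NF). Headers
# and the blank separators are skipped; a multi-line body would be
# counted line by line, which is the assumption made here.
count_by_words() {
    make_sample |
        awk '/^log size / { next }
             NF == 0 { next }
             { t++; if (NF <= 10) s++; if (NF <= 20) m++; else l++ }
             END { printf "%d %d %d %d\n", s, m, l, t }'
}

# (c) What is actually in the short bucket: tally the lowercased bodies of
# messages whose header size is <= 10 and print "count: message",
# least frequent first (so `tail` shows the most frequent, as in the thread).
tally_short() {
    make_sample |
        awk '/^log size / { short = ($3 <= 10); next }
             short && NF { n[tolower($0)]++ }
             END { for (m in n) print n[m] ": " m }' |
        sort -n
}

echo "by bytes (<=10 <=20 rest total): $(count_by_bytes)"
echo "by words (<=10 <=20 rest total): $(count_by_words)"
echo "short-bucket messages by frequency:"
tally_short
```

Run it with `sh` and compare the first two lines: on the same ten messages the byte count puts seven of them in the "<=10" bucket, while the word count puts all ten there and none in "rest". That is the kind of gap the thread attributes to counting words instead of characters, and the third section shows the short bucket is dominated by "sync" and "regen" rather than by terse descriptions of real changes.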



Re: The OpenBSD talk at 36c3

2019-12-29 Thread Neeraj Pal
Hi Henry,

Thanks for sharing the link.

> for those who didn't watch it, there is an accompanying site at
> https://isopenbsdsecu.re/

Here is the video link, if anyone wants to see.

Video link:
https://media.ccc.de/v/36c3-10519-a_systematic_evaluation_of_openbsd_s_mitigations

-- 

Thank you!
Sincere regards;

Neeraj Pal



Re: The OpenBSD talk at 36c3

2019-12-29 Thread Peter Nicolai Mathias Hansteen

> On 29 Dec 2019, at 13:29, Henry Jensen wrote:
> 
> Summary: There are a lot of claims. The speaker basically said, that
> some mitigations are "cool", but other, more or less, useless.
> 
> Further accusations are, that OpenBSD still uses e-mail and cvs and not
> more advanced CI tools.
> 
> I can't say anything to the more technical claims about useless
> mitigations, since I am not an OS developer. Is there going to be a
> response from the OpenBSD team?

I did not attend the talk, I only leafed through the slides (thanks for posting 
the link!), so my impression is likely colored by that. I wouldn’t hold my 
breath for an «official» response.

That said, this all reminds me of several earlier talks and rants where the 
speaker seems to be unaware that OpenBSD commonly has been the first to 
implement a security feature as *the default* and in a way that it would be 
extremely hard to disable without a system rebuild, likely breaking seemingly 
unrelated bits in the process. If you look closer, a lot of the firsts listed 
more often than not are «feature introduced as a non-default option».

As to the lack of «public» review, keep in mind that OpenBSD was the first to 
make its version control (cvs then, cvs still) world-readable and visible in 
real time. At the time the normal mode of operation for open source projects 
was occasional release tarballs thrown over the wall with almost complete 
silence between. For public discussion of code, OpenBSD has tech@. Private 
mailing lists exist (invite-only, developer-only) as far as I am aware mainly 
used for discussions that would benefit from being out of the public eye for 
now.

Slide 43 has me thinking this person cannot actually have been reading tech@ 
much at all, and the note about «systematic security engineering» subjectively 
reminds me of several earlier similar posts about OpenBSD practices not 
following to the letter somebody’s favorite «formal verification» model or what 
the buzzword du jour turns out to be.

That said, even OpenBSD probably has areas with potential for improvement, I’m 
just not all that convinced the presenter has actually been looking in the 
right places.

Slides for my sometimes-repeated propaganda piece (now probably in need of 
refreshing here and there) at https://home.nuug.no/~peter/openbsd_and_you/ 
contain links to relevant material, at least. Please feel free to refer there 
or directly to the material itself.

All the best,
Peter

—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.








Re: The OpenBSD talk at 36c3

2019-12-29 Thread Johnathan M.
Hi Henry,

I liked the presentation.  An excerpt from https://isopenbsdsecu.re/about/:
> This website was done because studying mitigations is fun, not to get 
> involved in a huge flamewars or endless bike-shedding on mailing lists.


On Sun, Dec 29, 2019 at 8:55 AM Henry Jensen  wrote:
>
> Greetings,
>
> for those who didn't watch it, there is an accompanying site at
> https://isopenbsdsecu.re/
>
> Summary: There are a lot of claims. The speaker basically said, that
> some mitigations are "cool", but other, more or less, useless.
>
> Further accusations are, that OpenBSD still uses e-mail and cvs and not
> more advanced CI tools.
>
> I can't say anything to the more technical claims about useless
> mitigations, since I am not an OS developer. Is there going to be a
> response from the OpenBSD team?
>
> Regards,
>
> Henry
>



Re: The OpenBSD talk at 36c3

2019-12-29 Thread Peter J. Philipp
On Sun, Dec 29, 2019 at 01:29:12PM +0100, Henry Jensen wrote:
> Greetings,
> 
> for those who didn't watch it, there is an accompanying site at
> https://isopenbsdsecu.re/
> 
> Summary: There are a lot of claims. The speaker basically said, that
> some mitigations are "cool", but other, more or less, useless.
> 
> Further accusations are, that OpenBSD still uses e-mail and cvs and not
> more advanced CI tools.
> 
> I can't say anything to the more technical claims about useless
> mitigations, since I am not an OS developer. Is there going to be a
> response from the OpenBSD team?
> 
> Regards,
> 
> Henry

Hi Henry,

Thanks for sharing this, the writer of the web site was very detailed in
explaining how Windows, Linux and OpenBSD (and perhaps others?) mitigate
vulnerabilities.  I for one was able to learn a bit off this, but I'm gonna
keep an open mind about it all.  I don't see it as accusations as no one is
being accused here.  Security in my view is hard to get right, and in my
view OpenBSD strives to do everything right.  Mistakes happen everywhere.

Let's not forget that OpenBSD is an open source project and as such isn't
like Microsoft who is closed source.  Also there are differences in licensing
with regard to Linux.  I'd like to point to the last line of this website:

"This could likely be improved with systematic security engineering."

I think OpenBSD does a very good job already, read Theo's commits.  If they
aren't systematic then I don't know what is.  Also consider the difficulties
an open source project faces in a capitalist world.  Even in the communist
world it would struggle, so let me repeat, consider the difficulties an open
source project faces _in the world_.  Time is the master here, and OpenBSD
has finite time and resources, much less than Microsoft has.  So even
comparing Windows with OpenBSD is not a fair scale.

I'm glad I was able to give my biggest donation this year.  Next year will
not be as high I think but I will try to match next decade with this last
decade.  Should be fun, and I hope everyone else has fun too.

Regards (and happy new year/decade to all),
-peter



The OpenBSD talk at 36c3

2019-12-29 Thread Henry Jensen
Greetings,

for those who didn't watch it, there is an accompanying site at
https://isopenbsdsecu.re/

Summary: There are a lot of claims. The speaker basically said that
some mitigations are "cool", but others, more or less, useless.

Further accusations are that OpenBSD still uses e-mail and cvs and not
more advanced CI tools.

I can't say anything to the more technical claims about useless
mitigations, since I am not an OS developer. Is there going to be a
response from the OpenBSD team?

Regards,

Henry