TankCatNinjaFish wrote:
> Wally Balljacker wrote:
> > Eh, ultimately the only secured computer is one unplugged from the internet, locked away somewhere. For me, and most other people Linux is secure enough. I don't feel like my system is any less secure than BSD, Solaris, Mac OS X, or anything else out there. It just comes down to where your comfort zone lies. Where you draw the line between security and functionality, and security and convenience. I've been running Linux on my machines at home for 3 years now, and I have never gotten a virus, or hacked in any fashion to my knowledge.
>
> Exactly, not to your knowledge? We can all agree that your ordinary, garden variety virus isn't going to break into your system, but that means that whoever does try and break into your system is sophisticated. Do you know how to detect a rootkit on your machine? Do you run an IDS? All I'm trying to say is that I wouldn't get too comfortable.
>
> Wally Balljacker wrote:
> > It's possible to run ANY operating system securely, as long as the system administrator is competent. A fully patched Windows XP SP2 box can be more secure than an OpenBSD box that is full of security holes, and being run by a script kiddie who doesn't know what he's doing. The user is the most unpredictable and unstable element, and is really the biggest security threat.
>
> Obviously security is a process and human beings are the weak link, but OpenBSD really isn't just hype. For example, OpenBSD by default incorporates propolice stack smashing protection and W^X memory page protection. Granted you can get something similar on Linux but you'd need a specially patched 3.X series GCC to compile a patched kernel. I'm not sure there are any non-firewall distros of Linux that come with both in the default install.
>
> Also, just in general if you look at some of their kernel code, you can see how incredibly paranoid/careful/disciplined they are about every single memory allocation and pointer. If you want to see good C code, OpenBSD is where you should go.

The real question is, is the juice worth the squeeze? If you are just someone that checks email and is pretty cautious on the internet running Linux I would say you have a 1% chance of getting a virus or getting hacked. Now if that 1% chance is too high for you then by all means, run OpenBSD. But for most people I think Linux is fine.
OPENBSD 4.1 out
- CptnObvious999
Tsuroerusu
allix wrote:
> Although OpenBSD is secure, there is a lot of security technology that is almost taken for granted in FreeBSD, Linux and at least Solaris, if not other systems, which is not available in OpenBSD.
> Some of the technology missing in OpenBSD is mandatory access control (MAC), filesystem Access Control List (ACL), Basic Security Module (BSM), Pluggable Authentication Modules (PAM), system-level virtualization (e.g. FreeBSD jails), WPA 1/2.
> Due to the missing above, quite a few people question OpenBSD's security....

The first thing I'll say about this, is that Wikipedia knows everything: http://en.wikipedia.org/wiki/List_of_OpenBSD_developers
I haven't counted how many names are listed in the table, but AFAIK from other sources, OpenBSD has roughly about 80 developers, or close to it.
FreeBSD has hundreds and hundreds of developers. There's a HUGE difference here!
OpenBSD's slow phase of development not only comes in handy for security and correctness, but they can also do a lot more stuff with less people I would think. And they do do a shitload of stuff! They do an entire OS and audit that, they do an SSH implementation, an NTP implementation, routing daemons, they're working on a CVS implementation of their own (OpenCVS) ...
I'm amazed at the amount of stuff they do.
I'll quote an OpenBSD developer for the rest:
What is the status of WEP/WPA/WPA2 support in OpenBSD 4.1?
Jonathan Gray: Most if not all drivers support some kind of hardware or software WEP. There is currently no working WPA support. WPA builds on 802.1X which in turn builds on EAP which came about due to PPP. Developers using wireless networks tend to prefer using authpf(8) for SSH based access control and IPsec if they require encryption.
From what I've heard, WPA is a compatibility nightmare, for instance to authenticate to a Cisco RADIUS server from a Windows machine you have to manually download a hotfix from Microsoft. No conference I've been to has ever required WPA/802.1X for network access, they don't want to deal with the pain of having to debug it.
So there are a few problems, one is that no one is terribly interested in developing the required code for it, and the other is that all the freely available 802.1X supplicants seem to be vastly overengineered. The focus is more towards having as much hardware as possible just working out of box than dealing with the pain of yet another IEEE state machine.
allix wrote:
> I fully understand that OpenBSD takes the simple security opposed to complex security.

OpenBSD tends to prefer solutions that are proven security, and not just add obscurity and/or more complexity.

Wally Balljacker wrote:
> Eh, ultimately the only secured computer is one unplugged from the internet, locked away somewhere. For me, and most other people Linux is secure enough. I don't feel like my system is any less secure than BSD, Solaris, Mac OS X, or anything else out there. It just comes down to where your comfort zone lies. Where you draw the line between security and functionality, and security and convenience. I've been running Linux on my machines at home for 3 years now, and I have never gotten a virus, or hacked in any fashion to my knowledge.
> It's possible to run ANY operating system securely, as long as the system administrator is competent. A fully patched Windows XP SP2 box can be more secure than an OpenBSD box that is full of security holes, and being run by a script kiddie who doesn't know what he's doing. The user is the most unpredictable and unstable element, and is really the biggest security threat.

"Social Engineering - Because there is no patch to human stupidity."
"I don't have a problem with Linux; I just don't use it. Nor do I think it is a newer and better or brighter or has less calories; everything we build is turds, we just move them around or shine them or have a different view on which way they should be rolled." - Theo de Raadt.
TankCatNinjaFish wrote:
> Tsuroerusu wrote:
> > allix wrote:
> > > I am surprised Troels has not spammed this board already with the news
> >
> > Well, I'm extremely busy writing a paper which is a part of my exams in Danish, so I haven't had the chance to upgrade one or more of the three machines that I run OpenBSD on. Plus, I get the feeling, that I am the only OpenBSD user in here, so I've come to assume that people don't really care.
>
> /gives Tsuro a great big hug.
> I'm actually a big OpenBSD fan, since around 3.2. The only reason I don't run it currently is that my FreeBSD 4.11 server is insanely stable so I see no particular reason to change.

Well, if it ain't broken, don't fix it!
I generally tend to dislike the idea, of running an OS that is not supported with security patches, but that's of course just me. I know some OpenBSD developers have old versions running in various places, for the reason you mention.
CptnObvious999 wrote:
> TankCatNinjaFish wrote:
> > Wally Balljacker wrote:
> > > Eh, ultimately the only secured computer is one unplugged from the internet, locked away somewhere. For me, and most other people Linux is secure enough. I don't feel like my system is any less secure than BSD, Solaris, Mac OS X, or anything else out there. It just comes down to where your comfort zone lies. Where you draw the line between security and functionality, and security and convenience. I've been running Linux on my machines at home for 3 years now, and I have never gotten a virus, or hacked in any fashion to my knowledge.
> >
> > Exactly, not to your knowledge? We can all agree that your ordinary, garden variety virus isn't going to break into your system, but that means that whoever does try and break into your system is sophisticated. Do you know how to detect a rootkit on your machine? Do you run an IDS? All I'm trying to say is that I wouldn't get too comfortable.
> >
> > Wally Balljacker wrote:
> > > It's possible to run ANY operating system securely, as long as the system administrator is competent. A fully patched Windows XP SP2 box can be more secure than an OpenBSD box that is full of security holes, and being run by a script kiddie who doesn't know what he's doing. The user is the most unpredictable and unstable element, and is really the biggest security threat.
> >
> > Obviously security is a process and human beings are the weak link, but OpenBSD really isn't just hype. For example, OpenBSD by default incorporates propolice stack smashing protection and W^X memory page protection. Granted you can get something similar on Linux but you'd need a specially patched 3.X series GCC to compile a patched kernel. I'm not sure there are any non-firewall distros of Linux that come with both in the default install.
> >
> > Also, just in general if you look at some of their kernel code, you can see how incredibly paranoid/careful/disciplined they are about every single memory allocation and pointer. If you want to see good C code, OpenBSD is where you should go.
>
> The real question is, is the juice worth the squeeze?

Now I hate to be the one to point this out, but I seem to remember this little thing called buffer-overflows, which is the most common cause for security problems in both Windows and GNU/Linux.
ProPolice stack-smashing I would say is definitely worth it! Now things like encrypting your swap file, may be more of a thing that people like myself, who are paranoid about security, might do.
Stack-smashing can't eliminate all buffer-overflows, but it can't hurt having it.
CptnObvious999 wrote:
> If you are just someone that checks email and is pretty cautious on the internet running Linux I would say you have a 1% chance of getting a virus or getting hacked. Now if that 1% chance is too high for you then by all means, run OpenBSD. But for most people I think Linux is fine.

In case you didn't know, this is exactly what Steve Gibson argues about Windows. Of course, to each his own. There are people out there, using Windows, who have never had one virus or malware infection, so for them, Windows is secure enough.


"Hatred does not cease by hatred, but only by love. This is the eternal rule."
- Siddhattha Gotama (Buddha), founder of Buddhism.
- mowestusa
Tsuroerusu wrote:
> In case you didn't know, this is exactly what Steve Gibson argues about Windows. Of course, to each his own. There are people out there, using Windows, who have never had one virus or malware infection, so for them, Windows is secure enough.

I don't believe Windows XP to be more secure, nor do I prefer to run it over Linux. However, I have not installed a spyware finder program, and I once waited 6 months to renew my subscription to anti-virus software on a Windows XP laptop. I have never had spyware installed, nor have I ever gotten infected with a virus, trojan, or other malware. I was hooked to the internet, but I was also behind a hardware firewall. I don't run Outlook Express, Outlook, or IE. Otherwise I'm a pretty normal computer user.
I know that I'm probably not making the stupid user mistakes that get the majority of computers hacked out in the world. I know that a relative can't keep spyware and malware and viruses off of his computer even with anti-virus and anti-spyware software running. I'm relatively sure that this is related to user mistakes that let through spyware and viruses.
Tsuroerusu wrote:
> OpenBSD's slow phase of development not only comes in handy for security and correctness, but they can also do a lot more stuff with less people I would think.

Perhaps OpenBSD developers are more dedicated, but releases do show more work in FreeBSD.
Tsuroerusu wrote:
> OpenBSD tends to prefer solutions that are proven security, and not just add obscurity and/or more complexity.

The implementations I mentioned in my last post are not obscurity; obscurity is a name given to security implementations that are not known, like Skype, and can only be proprietary, because how can free code be obscure if you can see it?
Арте́льный горшо́к гу́ще кипи́т
Working as a team produces better results
Russian Proverb
Tsuroerusu
allix wrote:
> Tsuroerusu wrote:
> > OpenBSD's slow phase of development not only comes in handy for security and correctness, but they can also do a lot more stuff with less people I would think.
>
> Perhaps OpenBSD developers are more dedicated, but releases do show more work in FreeBSD.

Perhaps you didn't read what I wrote in my last post:
The first thing I'll say about this, is that Wikipedia knows everything: http://en.wikipedia.org/wiki/List_of_OpenBSD_developers
I haven't counted how many names are listed in the table, but AFAIK from other sources, OpenBSD has roughly about 80 developers, or close to it.
FreeBSD has hundreds and hundreds of developers. There's a HUGE difference here!
allix wrote:
> Tsuroerusu wrote:
> > OpenBSD tends to prefer solutions that are proven security, and not just add obscurity and/or more complexity.
>
> The implementations I mentioned in my last post are not obscurity; obscurity is a name given to security implementations that are not known, like Skype, and can only be proprietary, because how can free code be obscure if you can see it?

There's a reason why OpenBSD don't want blobs. Because you can't audit them. And there's a reason why they're heavily against signing NDAs, because a driver written under an NDA doesn't have documentation stating why the driver code does what it does, nor does it tell what to do if you want to do something new.
Tsuroerusu wrote:
> Perhaps you didn't read what I wrote in my last post:

I read it, you said 80 OpenBSD developers get more done than 80 FreeBSD developers....
Tsuroerusu wrote:
> There's a reason why OpenBSD don't want blobs. Because you can't audit them. And there's a reason why they're heavily against signing NDAs, because a driver written under an NDA doesn't have documentation stating why the driver code does what it does, nor does it tell what to do if you want to do something new.

All the security implementations I wrote a few posts back are available as source code, so how are they blobs?
BTW I totally agree with their stance on NDAs, I wish Linux and all the *BSDs took the same position....
Tsuroerusu
allix wrote:
> Tsuroerusu wrote:
> > Perhaps you didn't read what I wrote in my last post:
>
> I read it, you said 80 OpenBSD developers get more done than 80 FreeBSD developers....

Oh, well that wasn't what I meant. What I meant was that with 80 people and a slower development phase, OpenBSD can do more things better than they could with 80 people and a fast development phase. I did not mean that they could do more with less people compared to FreeBSD.
But in any case, OpenBSD can do better, in terms of security and reliability, with 80 people than Microsoft can do with 400, or however many, people they have working on the core and base OS.
allix wrote:
> Tsuroerusu wrote:
> > There's a reason why OpenBSD don't want blobs. Because you can't audit them. And there's a reason why they're heavily against signing NDAs, because a driver written under an NDA doesn't have documentation stating why the driver code does what it does, nor does it tell what to do if you want to do something new.
>
> All the security implementations I wrote a few posts back are available as source code, so how are they blobs?

My mentioning of blobs was an example of obscurity.
Drivers written under an NDA are described as "the source code version of a blob" by the OpenBSD people.
If you go and listen to episode 167 of TLLTS, there's an interview with a KDE/X developer named Zack Rusin. During that interview he mentions that even though Intel releases open source drivers, it can take quite some effort to figure them out, because you need to read and understand source code. Instead of just having a document that tells you "This is why this does that, and why that does this".
Just because something is available as source code, doesn't mean that it's obvious, or easy to understand.
allix wrote:
> BTW I totally agree with their stance on NDAs, I wish Linux and all the *BSDs took the same position....

Good man!