Theo de Raadt Responds 261
A book on code auditing?
by LizardKing
Would you and/or other members of the OpenBSD coders consider writing a book on secure, bug-free coding and auditing? Most programming books feature sample code that is written for pedagogical purposes. Quite often this runs contrary to how secure code should be written, leaving a gap in many a programmers knowledge. A book on audinting and how to avoid security pitfalls when coding would also make your life easier - less code to audit for OpenBSD, and more time top concentrate on nifty new features!!!
Theo:
There is perhaps a split between the two issues you bring up. On the one side is secure coding, as in code written to be secure by the original author(s). On the other side, auditing, which is where an outsider (or an insider) later on goes and tries to clean up the mess which remains. And there is always a mess. Perhaps part of the problem is that a huge gap lies between these two. In the end though, I think that a book on such a topic would probably have to repeat the same thing every second paragraph, throughout the book: Understand the interfaces which you are coding to! Understand the interfaces which you are coding to! Most of the security (or simply bug) issues we audited out of our source tree are just that. The programmer in question was a careless slob, not paying attention to the interface he was using. The repeated nature of the same classes of bugs throughout the source tree, also showed us that most programmers learn to code by (bad) examples. A solid systems's approach should not be based on "but it works". Yet, time and time again, we see that for most people this is the case. They don't care about good software, only about "good enough" software. So the programmers can continue to make such mistakes. Thus, I do not feel all that excited about writing a book which would simply teach people that the devil is in the details. If they haven't figured it out by now, perhaps they should consider another occupation (one where they will cause less damage).
Making the rest secure
by squiggleslash
OpenBSD has a well deserved reputation for security "out of the box" and for the fact the inbuilt tools are as secure as they're ever likely to be. However, the Ports system is, perhaps, an example of where the secure approach currently has limitations - an installation of OpenBSD running popular third-party systems like INN can only be so secure because the auditing of INN, and other such software, is outside the scope of the BSD audit.
My question is, has the OpenBSD team ever proposed looking into how to create a 'secured ports' tree, or some other similar system, that would ensure that many of the applications people specifically want secure platforms like OpenBSD to run could be as trusted as the platforms themselves?
Theo:
We have our hands already pretty full, just researching new ideas in our main source tree, which is roughly 300MB in size. We also lightly involved ourselves in working with the XFree86 people a while back for some components there. Auditing the components outside of this becomes rather unwieldly. The difficulty lies not only in the volume of such code, but also in other issues. Sometimes communication with the maintainers of these other packages is difficult, for various reasons. Sometimes they are immediately turned off because we don't use the word Linux. Some of these portable software packages are by their nature never really going to approach the quality of regular system software, because they are so bulky.
But most importantly, please remember that we are also human beings, trying to live our lives in a pleasant way, and don't ussually get all that excited about suddenly burning 800 hours in some disgusting piece of badly programmer trash which we can just avoid running. I suppose that quite often some of our auditors look at a piece of code and go "oh, wow, this is really bad", and then just avoid using it. I know that doesn't make you guys feel better, but what can we say...
OpenBSD, security, et al.
by jd
With the release of SGI's B1 code, and the attempts by many U*ixen to secure their contents via capabilities, ACL's, etc, ad nausium, how is OpenBSD approaching the issue of resource control?
On a side note, is OpenBSD likely to ever head in the direction of being a distributed kernel? And, if so, how would security and resource management be maintained? (It's hard enough on a central kernel system.)
Theo:
On the first question, I think there is great confusion in the land of Orange Book. Many people think that is about security. It is not. Largely, those standards are about accountability in the face of threat. Which really isn't about making systems secure. It's about knowing when your system's security breaks down. Not quite the same thing. Please count the commercially deployed C, B, or even A systems which are actually being used by real people for real work, before foaming at the mouth about it all being "so great". On the other hand, I think we wil see if some parts of that picture actually start to show up in real systems, over time. By the way, I am surprised to see you list ACLs, which don't really have anything to do with B1 systems.
As to the second issue, I have no idea what a distributed kernel is, nor do I see how anything like that would improve security or quality of a system.
Forks and cooperation
by PapaZit
A lot of people know that OpenBSD forked from NetBSD, and there's still some animosity between the two groups. Personally, I think that the competition has helped both groups (NetBSD now ships with far fewer open services, for example).
Egos are delicate things, but do you see any chance for greater cooperation in the future, or do you see more forking and division as inevitable?
Theo:
Considering that NetBSD has maintained a black-hole route to the OpenBSD project networks for roughly four years, I don't see how any cooperation at higher levels are possible. However, there are developers who work on multiple projects. Some of them used to complain about having troubles from various groups. Nowadays, I think they've got it easier. Politics do not dictate developer relationships these days.
In Linux land, it appears that projects fork for financial reasons. In BSD land, it appears that the forks that have happened were purely political reasons. I don't know what will happen. It's been 5 years since the last fork in the BSD camp. Why are you guys so fork paranoid? Do you want everyone to vote for the same political party, too?
Kernel design
by laertes
I have only been using OpenBSD for a short while now, so forgive me if this question is based upon some incorrect assumtions.
OpenBSD's kernel design seems to be of the monolithic species. OpenVMS (no relation) and NT are two prominent operating systems that use a microkernel archetecture. The microkernel design seems to me to be fundamentally more secure, since there is less priveledged code. Further, if one of the servers is compromised, the damage is minimezed.
My question is this: Is the OpenBSD design fundamentally secure, or is it only a very well done implementation of a basically flawed design?
Theo:
I don't think it makes any difference, whatsoever. I think your computer science teachers are still teaching you from books written in the 80's, when the word "micro-kernel" was associated with a future utopia. We do not think that NT is a microkernel, and are you really so sure that OpenVMS is? A microkernel is not a kernel that does things through loadable modules. As well, I don't think it makes any difference, as long as a system does what it is supposed to do.
Where Did You Learn Your Code Audit Discipline?
by EXTomar
Did the drive to audit code come from the need or the design of BSD? Or was it initially a whim? More imporantly, where did you learn it from? Is their some "mentor" you looked too for ridge design? I have to admire your team's daunting code reviewing...I wonder if I'll ever have that kind of meticulous coding nature.
Theo:
The auditing process developed out of a desire to improve the quality of our operating system. Once we started on it, it becames fascinating, fun, and very nearly fanatical. About ten people worked together on it, basically teaching ourselves as things went along. We searched for basic source-code programmer mistakes and sloppiness, rather than "holes" or "bugs". We just kept recursing through the source tree everytime we found a sloppiness. Everytime we found a mistake a programmer made (such as using mktemp(3) in such a way that a filesystem race occured), we would go throughout the source tree and fix ALL of them. Then when we fix that one, we would find some other basic mistake, and then fix ALL of them. Yes, it's a lot of work. But it has a serious payback. Can you imagine if a Boeing engineer didn't fix ALL of the occurances of a wiring flaw? Why not at least try to engineer software in the same way?
Firewall/NAT box
by yamla
Linux has FreeSco, a product that fits on a 3.5 inch floppy disk and acts as a router and NAT (Network Address Translation). I always thought something like this would be ideal for OpenBSD. After all, I would rather trust OpenBSD than Linux for this.
Are there any plans to produce something like this? Something with a very simple user interface that is quick and easy to get set up? I'd love to play with OpenBSD and do it by hand but I simply do not have the time.
Theo:
I must say that I am not a fan of these floppy-based routers. Essentially, you are taking one of the most unreliable pieces of storage known to man, and trying to build security infrastructure on it. That's madness. Just buy a small disk. Perhaps somethings based on a CD plus some other (non-floppy) persistant storage might be sane. But please. Not floppies. Are you mad?
Code-auditing
by AT
Any advise for code auditers? Can you share any tips or techniques you have found useful in uncovering bugs? What do you first look for in a fresh piece of code? What about a mature piece of code?
Theo:
I suppose the biggest tip would be to become a better programmer. In particular, study what functions that programs are calling, and ensure that the calling code is following the rules of those functions 100%. How many of you understand the complete & correct semantics of every function in libc, or even just the libc functions being called by the program you are looking? (I mean, we went through our entire source tree, and about half the strncat() and strncpy() calls were subtly wrong, even if it only meant they copied a character extra and then zero'd it out -- it is still sloppy).
When you know exactly what the APIs are, you'll spot the bugs very easily. In my mind, it is the same as any other job that requires diligence. Be careful. Humans learn from examples, and yet, in this software programming environment, the tremendous complexity breeds non-obvious mistakes, which we carry along with us, and copy into new chunks of code. We've even found in manual pages where functions were mis-described, and when we found those, lots of programmers had followed the instructions incorrectly...
Dual Processor Support
by dragonfly_blue
Although there has been some indication that people are interested in running OpenBSD on machines with dual or quad processors, it appears that there are not enough resources and volunteers available to make this a reality. Although I use OpenBSD for my web server, I am by no means an expert, at this, but I'm curious nonetheless.
From what I've heard, multiprocessing support is going to be a very tricky thing to implement, because it gives rise to so many possible exploits, particularly with regards to race conditions. I also understand that it would take a remarkable amount of effort and time to rewrite much of the code base for SMP without compromising the OS's integrity.
With that in mind, what kind of resources would you need before you could seriously consider attempting dual or quad processor support? And, if you were given unlimited access to those resources, how long would it take before a -stable release would be ready? I would really like to see this feature get implemented, although I know that at this point your developer team is busy enough as it is.
Theo:
At this time, we are not working on SMP. It's a lot of work, and not considered the most interesting thing to our developers. Sorry.
Time warp
by rho
Thanks for your work, Theo. I use OBSD every day as a workstation and as a firewall, and the Cop-chasing-script-kiddie t-shirt is the best.
If you could time warp back to the beginning of OpenBSD's development (ignoring the scism that brought you to that point), what would you do differently? Would you have chosen a more commercial focus? Pushed SMP development earlier? Run around in circles waving your hands in the air?
On another note, what's your feeling about commercial use of OpenBSD? i.e., do you support it, tolerate it, or what? (better example, I make a set-top box running OpenBSD, and I need the OS to do "X". If I called you and said, "Theo, I need OpenBSD to support 'X'", would I be told to piss up a rope, write it myself, or would the OpenBSD team do it for a price?)
Theo:
The licence on our code is pretty clear. We want vendors to use our code. We want commercial operating systems to ship with OpenSSH. Not shipping with an SSH varient causes great grief, and it is time that ends.
Same goes for OpenBSD. We would prefer if companies building commercial network appliances used OpenBSD, rather than writing their own operating systems. Typically, these companies are very comfortable with solving the problems within their application space. Yet, there is a history of these companies writing their own cruddy operating systems, and at the same time writing worse applications.
It would be better if routers, firewalls, telephone switches, fileservers, and whatever else used reliable components, designed by people who care.
So go ahead, use any parts of OpenBSD as parts of commercial systems.
Full Disclosure And Version Numbering
by Effugas
First of all, I want to thank you for the hard work you've done building OpenBSD. It truly is a wonderful package.
Much of the security in OpenBSD lies under the hood in the work you've done cleansing the source of unsafe library calls. While this work is appreciated, I've become more and more concerned lately about the fact that these changes are not necessarily documented and certainly not reflected in the version number of an application or utility.
Version numbers reflect a snapshot in the life of a codebase. They're used to reference unsafe editions or particularly stable builds. Major number reflect code branches, but minor numbers reflect specific states of the code -- such is the expectation of a user or an administrator when a version number is detected. Without granularity of versioning, I have no reason to trust or distrust a given application by its number; I must personally audit its source -- and end up giving it a number of my own.
You and your team are code auditing masters. Rather than pollute the namespace by making indistinguishable your securely built modified code and the original(and, by extension, your secure code and numerous unnamed distributions' "just get it to compile" modifications), wouldn't it be appropriate for OpenBSD to apply a name extension to any package which it has modified, and in the interests of full disclosure, to provide a reasonable CHANGELOG of the fixes contained therein?
Theo:
Two numbers exist for every component of OpenBSD. One number is the release that the piece came in, ie. 2.8.
The other number exists in each source file that was built. And that number is also in each binary that was built from those files. You can use the what(1) command to determine the revisions of source files which make up each binary.
As to the "original" you talk about, there is no original. OpenBSD uses it's own components. I don't know what packages you are talking about. cat is cat. ftpd is ftpd. tar is tar. It's the one that came with a certain release. In the systems approach, the version numbering that other groups do is sometimes invalid, because pieces (such as libraries) are all part of the picture.
Was the last plane you were on using front wheel version 2.7 or 2.9? You don't care. You do however care greatly that a "systems approach" was used to ensure that it was whole. And in the OpenBSD case, that means pick a version, and install the patches.
Asking for more means that you want us to do less work on the system, and more version numbering.
Where does the money go?
by MrSparkler
I've seen reports of estimated CD sales per release at being as high as 10000. Add in t-shirt/poster sales and donations and a relatively considerable sum of money is flowing around OpenBSD. Combine this with the fact that checks are to be written to Mr. de Raadt and I get curious as to how the finances are handled. Not that I'm suggesting any misappropriation is occurring, I would just like to know who is in charge of the money and whether or not the OpenBSD project is registered as a non-profit organization (and if it is then checks should be made out to - and the CD image should be copyrighted to - that organization). Also, I would like to see a small financial report put out (as would be required if it were a non-profit organization in Alberta) so that users can see where their money is going. Plus, I would also like know exactly how many CDs are sold per release.
I greatly appreciate the work that the OpenBSD project developers have put in, and I plan on continuing to use, purchase, and donate to OpenBSD (and maybe even contribute when I get the technical skills) regardless of the answer to this question: Where exactly does the money go?
Theo:
We've not yet sold 10,000 CDs in a release. Hopefully we will soon. The project ends up with a bit less than 50% of the revenues from CD sales. The tshirt business is doing OK, but you make a lot less selling textiles. With posters we operate just above break-even. Even though some are sold on the web, most turn out to be free handouts at most conferences. That is how I planned the posters to operate.
We have thought about becoming a non-profit organization, but it is not really a good idea. It would not provide any real benefit -- to you -- as the masses. Especially in Canada, there are costs and serious responsibilities associated with doing such a thing. We would be giving up a lot of freedom, and would need to hire someone to do a lot of accounting. Also, since many of our donations come from outside Canada, we still could not really generate taxable benefits to you. (And I must ask, why are people so cheap, that they only give donations when it provides a partial reduction in their taxes, rather than a real donation? I actually find that pretty fake.)
Money from the project goes to various things. First off, it ensures that I can work full time on OpenBSD, and not need another job. I am also hoping to do the same for other developers in the project, who have indicated that they are interested in doing so. Secondly, certain grimey, unenjoyable, and very important development tasks sometimes put a bit of money in developer pockets. Some OpenSSH work was funded by matching OpenBSD money against donations from a Van Dyke. Thirdly, the project buys a fair amount of hardware: In powerpc land alone, 4 machines this year. Fourth, shipping costs to conferences sometimes severely cut into profits from sales. And finally, when developers get together to do hacking, project money sometimes pays for various things, like airplane tickets, accomodation, and sometimes even some beer. And beer results in ideas, which results in new code.
--------------
Before you ask: yes, we'll be doing Slashdot interviews with people from other *BSD projects in the near future - Robin
Re:But he doesnt follow his own advice (Score:1)
Re:But he doesnt follow his own advice (Score:2)
In the end, I felt an interview would not *help* the OpenBSD community really, because someone would find fault in *something* and draw it out, enhance it, to really no good point at all. Well, it seems that CyberKNet's post is a nice example of that. It's classic
You think his answers were belittling? Look at your questions, for crying out loud:
LizardKing's Q on a code auditing book--Answered on the OBSD newsgroup already. Search deja.
Making Ports Secure--Gee, let's ask a question to the person resonsible for OS security about ALL program security that might run on the OS. iow, if there was an interview with Linus, it would be like asking him why perl on some Linux distributions had a security hole because the developers were stupid enough to hard code
B1 and OpenBSD Q--Asked and answered when Trusted BSD came out. Search deja and misc.
Working with other BSD distributions--Communication is a two way road. Look, this is a silly question to ask, not because of the question, but because the answer is so readily apparant. The comments by the NetBSD and FreeBSD groups as well as users is plain to see on the newsgroups, on web pages, etc. It's all *very* public.
SMP and dual-processor support--Search the mailing lists. Asked and answered.
Version numbering--Already addressed when there were comments about the lack of a stable branch in OBSD.
$ issues--Lovely. As if that wasn't an insulting question.
The "I don't want to teach you" mentality is really the "No, I don't want to feed you with a spoon." No one, including the moderators, checked to see if these questions were asked and answered by simply grepping an email archive. No Linux user in the community is going to point out that, "Hey, last year or so, there was a posting on a Debian mailing list about developers getting sick of answering lame questins too."
As to the BSD and Linux community differences, well, they are different communities. I moved away from Linux because the communities just got bogged down *for my tastes*. My take is that the Linux community is *incredibly* ignorant of the BSD community, not vice versa.
filtering by FreeBSD/NetBSD (Score:3)
> a black-hole route to the OpenBSD
> project networks for roughly four years,
Those who do not familiar with Mr. Theo de Raadt's usual action about BSDs should know the following history about the mail filtering.
This issue is once raised by a OpenBSD developer in DaemonNews forum [daemonnews.org] which has neutral position between FreeBSD, NetBSD and OpenBSD, and its conclusion is that the forum should never have posted the topic [daemonnews.org]. I don't know why Mr. de Raadt mentioned this filtering again in slashdot. Perhaps He'd like to show that he is still ready to post mail bomb to FreeBSD/NetBSD mailing list?
Re:Theo: Version Number Specifics (Score:3)
Re:Theo and Microkernels (Score:2)
Secondly, pay attention to what Theo is saying: most security problems come from incorrect use of interfaces. In the microkernel world, you may indeed have fewer interfaces to the kernel, but understanding how to use those interfaces can be an extremely daunting tasks (just ask anyone who's hacked on Mach before). Furthermore, you still need interfaces to all the userland code that's running on top of the kernel (i.e., if you need to interface with the filesystem, it doesn't matter whether it's in the kernel or not, you can still get the interface wrong and thereby create a security problem). In HURD, for example, the interfaces and interdependancies between modules are MORE complex, particularly given that you have to allow for an infinite number of implementations of said interfaces.
Re:Working with microkernels (Score:2)
Econ 102... (Score:3)
The big "merit" in the "donation" thing is if this allows the organization to receive individual contributions from individuals that wouldn't otherwise be able to "deduct" the payment for tax purposes.
While, when you add this sort of thing up across thousands of churches, it adds up to real money, it's not going to be spectacularly worthwhile for a software project that might get $30K in donations and have to spend a chunk of that on organizational costs.
A reply to his reply to my questions. :) (Score:3)
However, some form of resource control is essential to preventing users authorised for one thing from doing something else.
ACL's are -one- way of doing this, the schemes described in B1 are another. You're again 100% right that they're not the same thing. However, they both attempt to deliniate exactly what a user is and is not able to do.
(As for foaming at the mouth, I'm going to go out on a limb here and guess you've met some pseudo-nerds who're drunk on a mix of power & Agent Orange, and who believe that if it's "Official", it's somehow "better" or mysteriously "all-encompasing". I'm not about to start a cult to the Mighty OB1. :)
Distributed Kernels are kernels which divide low-level tasks between sub-kernels, where each sub-kernel runs on a seperate processor or even a seperate machine.
Distributed Kernels are one way of doing hardware-independent parallel processing. You're not tied to SMP, you're not tied to a single motherboard, you're not even tied to a specific manufacturer.
From a security standpoint, it has two major impacts. On the one hand, breaking one component of the system does NOT necessarily compromise any other component. They run on seperate CPUs, after all. This means that you can have secure intrusion detection at the kernel level, with secure fail-over to a non-compromised system in the event of intrusion.
On the other, you're now ferrying very low-level data across a network of unknown security. The risk of someone compromising the system by compromising the network is obviously much higher than for a stand-alone kernel.
Last, but not least, to anyone who may be critical of him, Theo de Raadt is perhaps the most brilliant guy in the BSD world and I'd place him as one of the top 3 coders in the world.
As for his infamous "moods" - if he's bipolar, HFA or AS, then his moods (and his brilliance) are entirely explicable and nothing to condemn him for.
Re:No plans for SMP... (Score:2)
Exactly, Choice is good. The important fact is that all of these OSes are a mere hop, skip, and a jump from each other. All of them also have their technical advantages as well.
And yes, that includes Linux.
The beautty is that once compatibility is out of the picture you are free to choose your OS for purely technical reasons.
Re:No plans for SMP... (Score:5)
SMP is plenty interesting to the Linux crowd. They have spent a huge amount of time working on it. The fact that it isn't interesting to Theo and the folks working on OpenBSD simply highlights one of the benefits to the Open Source way of getting things done.
If you start your project on OpenBSD and decide that you need SMP to get the performance you need "porting" to Linux shouldn't be much harder than moving your source to a Linux box and typing "make." If, on the other hand, you develop on Linux and then decide that Linux's security isn't good enough for implementation, you can just as easily port to OpenBSD.
There is never going to be an Uber OS that is specialized for every task (although the generic Unix way of recompiling the kernel does come close). That's why standardized APIs are so important. That way you can change your OS midstream if it isn't giving you what you need. The Open Source community has done a pretty good job of matching up APIs.
Re:No upstream (Score:2)
OpenBSD is not "300MB of source" that Theo thought up. There's quite a bit--likely a majority--of stuff brought in from other coders *WHICH RETAIN IDENTICAL VERSION INFORMATION*.
Go query Perl. Or vi. Or httpd. They're all external packages, with their own internal version. If Theo wanted to reversion them to "Perl OBSD 2.8" and "Apache OBSD 2.8" and so on, that's fine. But that Perl ain't 5.6.0 unless it was built from the 5.6.0 tree.
--Dan
Re:No upstream (Score:2)
Now, why would I put the question to the number one distribution known for doing it right, when everybody else does it to?
To redefine that which is known as "doing it right", so we don't get any more Debian Secret Backported Bugfixes.
:-)
--Dan
Re:Theo: Version Number Specifics (Score:2)
Yes, I can definitely hunt down the changes, and Theo is well within his rights to change the source. Hell, I'm thrilled he's fixing problems.
But should I have to check a changelog to know there's a change?
That's the bottom line question. Should not a version reflect a snapshot of code? Should not I be able to trust a given codebase by its version alone, rather than have to audit the source by hand?
If a version *doesn't* refer to a snapshot of code...well, what does it refer to?
--Dan
Re:Security... (Score:2)
Because I wanted command completion. What, you think sh is the height of security? Among other things, *any* shell can be trojan'd to attack replace su, or even
You are correct, of course. Most things shouldn't be done as root. I could theoretically have checked versions without it. This is somewhat on the order of a spelling flame, but I'll take it in stride.
As for my qualifications, feel free to scan my BugTraq posts, and thank you for helping to prevent my ego from growing too large.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Re:No upstream (Score:2)
Still, I question if the version number should stay stable. Suppose, for a moment, that the rest of the world finally discovers major holes in 5.6.0. Should OpenBSD administrators have to root around the Changelogs to realize they're running a safe build? Wouldn't it be better for them to be running 5.6.0_OB2.7 and see that, heh, the Changelog shows that the new stuff protects them?
===
$ perl -v
This is perl, v5.6.0 built for sparc-openbsd
Copyright 1987-2000, Larry Wall
Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5.0 source kit.
Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'. If you have access to the
Internet, point your browser at http://www.perl.com/, the Perl Home Page.
$ perl -V
Summary of my perl5 (revision 5.0 version 6 subversion 0) configuration:
Platform:
osname=openbsd, osvers=2.7, archname=sparc-openbsd
uname='openbsd'
config_args='-Dopenbsd_distribution=defined -dsE'
hint=recommended, useposix=true, d_sigaction=define
usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
useperlio=undef d_sfio=undef uselargefiles=define
use64bitint=undef use64bitall=undef uselongdouble=undef usesocks=undef
Compiler:
cc='cc', optimize='-O2', gccversion=2.95.2 19991024 (release)
cppflags='-fno-strict-aliasing -I/usr/local/include'
ccflags ='-fno-strict-aliasing -I/usr/local/include'
stdchar='char', d_stdstdio=undef, usevfork=true
intsize=4, longsize=4, ptrsize=4, doublesize=8
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=8
ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
alignbytes=8, usemymalloc=n, prototype=define
Linker and Libraries:
ld='ld', ldflags =''
libpth=/usr/lib
libs=-lm -lc
libc=/usr/lib/libc.a, so=so, useshrplib=true, libperl=libperl.so.6.0
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=define, ccdlflags=' '
cccdlflags='-DPIC -fPIC ', lddlflags='-Bshareable '
Characteristics of this binary (from libperl):
Compile-time options: USE_LARGE_FILES
Built under openbsd
Compiled at May 5 2000 12:35:29
@INC:
.
===
Re:No upstream (Score:2)
YES! It IS! It's too hard for me to read the source code to every app I run. I admit it. I want to trust Theo. I want to believe his prying eyes are protecting me from danger. I don't *want* to have to go diving into the code he writes or even the fixes he claims when a new vulnerability comes out. I want to know: Is this the exact same code that is vulnerable everywhere else? Then upgrade. Is this NOT the exact same code, and therefore I should check the Changelog?
I'm not asking alot. I'm merely asking the question: What do version numbers mean, if they *aren't* snapshots of code?
--Dan
Re:No upstream (Score:2)
--Dan
Re:No upstream (Score:2)
--Dan
Theo: Version Number Specifics (Score:5)
I don't think it's fair to say, as you did, that "ftpd is ftpd" or "tar is tar" for all of OpenBSD. Examples from version lines throughout OpenBSD:
spork# perl -v
This is perl, v5.6.0 built for sparc-openbsd
bash-2.04#
GNU troff version 1.15
bash-2.04# nawk -V
awk version 19990620
bash-2.04# gcc -v
Reading specs from
gcc version 2.95.2 19991024 (release)
bash-2.04#
Concurrent Versions System (CVS) 1.10.7 (client/server)
[vi
Version 1.79 (10/23/96) The CSRG, University of California, Berkeley.
bash-2.04#
tcpdump version 3.4.0
libpcap version 0.5
bash-2.04#
Server version: Apache/1.3.12 (Unix)
Server built: May 5 2000 14:44:59
Look. Some of these you modified. Maybe all of em. Maybe one of em(I *know* you touched Perl.) Lets take the example of tires, why don't we. If I've got Firestone Model X432LFR tires on my car, and I run down to the dealership asking why I'm driving a deathtrap, is he allowed to laugh at me because "Of course *we'd* never put the deadly X432LFR tires on your car, we'd only put the *good* X432LFR tires on! Stupid customer."
That's essentially what happened with Debian a while back, and it was infuriatingly unfair.
I'm not asking you to do more work, Theo--you've *done* the work. I'm asking you to admit it, mark it, brand it in such a way that we know you've been forced to do something to it to make it secure. And then all of us can bitch and moan to the author's of whatever package you've taken and say, "Heh, he changed your stuff, maybe there's something you should look at." Maybe we'll be ignored. But, in the end, *you* did the right thing.
Theo: You and your team rewrote much of an early build of SSH. Technically, you could have said, "Here's SSH1.2.1x, as part of the OpenBSD system." But then nobody would have known what you had pulled off, and people would have had trouble finding your specific improvements. I'm not saying you need to rename every package to show how much you've added. But to keep the original version numbers is to conflate your secure and solid version with whatever bugs you *know* lurk in other people's code. When Foobar 1.2 comes out with a remote root, and OpenBSD ships with Foobar 1.2, do you like--or enjoy--when system administrators frantically upgrade your *already fixed version* of Foobar 1.2 with the original author's possibly broken Foobar 1.3?
Because that's what your version numbers cause.
They're easy to fix, Theo. It's just a tag to let us know you fixed something. It's something for us to differentiate your code with. (Incidentally--what does little on my 2.7 Sparc build.) Consider this: As much as you say you've only dealt with the system, I *know* many of the packages from Ports have had patches that didn't modify version numbers--and I have *no* idea if anything's been modified in your packages section. I just don't know.
This is not a problem specific to you, but I think OpenBSD is in the right place to change what I consider to be a particularly pernicious industry practice. I believe in your systems approach, but a secure system cannot be built from insecure parts. If you've secured your parts--show this, and perhaps let us know where to look to find out how.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Re:Theo and Microkernels (Score:2)
What userland protection helps is stability ; less code that can deref a bad pointer, etc. What it can't help is the quality of the code. At the end of the day, an attempted attack will try to make the code make the wrong decision; i.e. allow something to happen that shouldn't have, or do something that is shouldn't have. That has nothing to do with whether or not it causes a segfault somewhere else.
Although some attacks could make monolithic kernel code do something to other code segments somewhere else, it really isn't all that likely or often used. Attacks tend to be against making code call the wrong routine, set a variable the wrong way, etc. That stuff can't be helped with microkernels.
Sorry, all microkernels are really good for are (1) loadable features (no recompiling), (2) crash protection. But, they do the traditional tradeoff of speed for it (multiple context switches for a single system call, etc.).
But, anyone else get the feeling that a good portion of the questions Theo did respond to were all asking the same thing: what common errors do you end up fixing? Not a horrible question to answer by far. Sure you could say 'bad code,' but a list of good examples of security-critical mistakes are far more helpful.
--
"But it works." (Score:3)
See also: the "HTML" on the supposed "geek web site" called Slashdot. (as well as, to be fair, the rest of the web.)
Hey, where's my question? (Score:3)
Mac OS X & BSD [slashdot.org]
I'm curious about how the BSD folks view the impending couple million new users they've got heading their way when MacOS X is released.
Please, no Mac-rants, they're trite & off-topic. I just wanna know about the question.
Re: (Score:2)
No upstream (Score:4)
As a Linux user, one comment Mr de Raadt made surprised me:
In Linuxland, cat is GNU cat, tar is GNU tar, httpd comes from the Apache project, rpm comes from Red Hat, and so on. There is always an upstream maintainer for any particular package and no distributor (AFAIK) tries to maintain its 'own' releases of things. If a bug is found, the fix tries to swim upstream to the breeding ground, where it can add itself to the gene pool for future releases of all distributions. (Alas, I do not have a ten-man team auditing my comments for dodgy metaphors.)
I suppose it makes sense in a way to have your own codebase, especially if you are concentrating more on security than on adding new features. You have control over every line of code that goes in, and you don't mind missing out on new versions of stuff that is released. Also, if your original 'upstream source' is a group of people you split acrimoniously from, you might prefer not to rely on them. (Although I can't help feeling that if the OpenBSD and NetBSD people made more of an effort to commonize code in both directions, the feud wouldn't have lasted as long. This sort of thing going on between two Linux distros - eg Mandrake and RedHat - would be unthinkable.)
But not relying on an upstream maintainer for packages does not mean you can't contribute your fixes back. All the BSDs originate from a common code base, right? There must surely be at least 95% common code in the shell and shell utilities (which change relatively slowly), even if the kernels have diverged. So what effort do they make to avoid reinventing the wheel? And when OpenBSD fixes a set of bugs, do they report them to the maintainers of the original package?
Perhaps the problem would be that they couldn't agree on who should be the original source. Imagine if NetBSD claimed that they were now the 'official' maintainers of BSD make, for example. Would OpenBSD accept that? Perhaps some neutral 'BSD Foundation', with support from all three free BSDs, could take over maintenance of the common or fairly-common BSD code. Or somebody from Berkeley (Bill Joy perhaps?) could make a ceremonial proclamation.
About a secure ports tree (Score:2)
Re:This is ridiculous. (Score:2)
Perserverence is not always a sign of strength or skill. Once you learn how to add, you move on to multiplication.
I have a similar tendency to like DOS. I have spent a whole lot of time playing with it, and am not afraid to say that I know it well. DOS is very simple, but very stable, meaning that there is rarely anything new for it. I know that the latest version of Norton Utilities for DOS will be 8.0, and the latest version of NC will always be 5.0. I know how to fix things in it.
However, I also know that it is old and not good, which is why I don't use it anymore (except for the occasional 5-day contract at some company with a bunch of 386es). I am instead trying new things.
Single processor x86 Unix and C are nice and safe. SMP is new stuff, and you no longer feel warm and comfy there, sort of like getting out of bed on a winter morning. But you have to get out of bed... that's the way the whole thing works. :-)
--
Re:Working with microkernels (Score:2)
Microkernels are just a whole lot more work to implement... they don't have the resources or the interest.
I think OpenBSD just wants to produce a simple and secure BSD variant for uniprocessor micros... not be the Ultimate OS.
"Free your mind and your ass will follow"
Theo misses a point (Score:3)
system (firewall/router, et.al.) is not to use
the floppy, but, to make it simpler to configure
than "BOOTP/Diskless".
In a floppy-based system like that (firewall), the
floppy would be used to boot the host, that is all. The goal is to have *NO* disks, or any other
moving parts.
Re:No upstream (Score:2)
* http://www.se.openbsd.org/security.html
And maybe this page:
* http://www.se.openbsd.org/plus.html
For Debian I have:
* http://www.debian.org/security/
If I need to get the code difference I use diff either on the OpenBSD source tree of the debian source tree. But when there comesa security hole it's usally a note on what OS the hole works on. If a patchg exists the time to find out if one need to add the patch is usally very small. (Actually it's selldom upgrade to this new version that has this fix and all this new features...)
Re:GPL? (Score:2)
Re:BAH! (Score:2)
Question:
How do I became a good refeeree?
Answer:
I suppose the best tip is to go a loot of fights.
(Even thous one could wonder if this fits to boxing.)
/ Balp
Re:Pizza 'n' Beer (Score:2)
Pizza maybe, I've never seen beer associated with geekdom. Bunch of namby-pambies with their Jolt Cola usually, I prefer to code with a nice thick guiness in hand (tho not with beer, i like fat tire with my pizza)
For the record, I also hate twinkies.
--
Re:Theo and Microkernels (Score:2)
In theory. In theory, microkernels could just swap out pieces of the system for independently developed implementations, and a change in one component need only affect that component (orthogonality). In practice, microkernels tend to just replace function calls with messages and their components remain tightly coupled as ever, so a failure (such as a security flaw) in one will tend to cascade to the other components in the system. Projects like OSKit offer hope for a more orthogonal OS design, but I'm not holding my breath.
--
Re:But he doesnt follow his own advice (Score:2)
An all-too appropriate word, considering the word means "nowhere". Show me paradise in any OS today. Lead me to the Buddha in the machine.
--
Re:Where the money goes (Score:2)
Just because Americans can't make beer that doesn't taste like mouldy water doesn't mean that Canadians are equally challenged.
Next time you're up in the great white north try and get your hands on something made by Big Rock breweries of Calgary. That's good beer.
Never heard of them. Just as you've likely never heard of Left Hand or Wynkoop or Broadway Brewing or any of the HUNDREDS of craft breweries in the US, probably an order of magnitude more than any other country in the world. Those three are just three ones in Colorado alone (home of Coors, lightly flavored spring water in a can) that I could name off the top of my head.
We all carry six-shooters and wear stetson hats too, you know?
--
Re:filtering by FreeBSD/NetBSD (Score:2)
YHBT. HAND. This guy you responded to is a troll who posts the exact same post in every single BSD article. Just ignore him, he's just another reason I normally browse at threshold 2 til I get bored.
--
Re:A reply to his reply to my questions. :) (Score:2)
Bill Joy was one of the original authors of BSD. And vi too (*sigh*).
--
Re:Mr.Sparkler (Score:2)
So that he doesn't get taxed as a for-profit business. Non-profit doesn't mean you can't draw a reasonable (or even comparatively handsome) salary if you choose to take one.
--
Re:why bother? (Score:2)
You want documentation written by people who needed the documentation in the first place and didn't get any? Neat trick. I think I'll write a treatise on nuclear physics in order to teach myself.
See Dick
--
Re:why bother? (Score:2)
--
Why you should be afraid of forking. (Score:3)
snip
Why are you guys so fork paranoid?
Looks to me like you've already answered your own question, Theo.
-
Before flaming Theo ... (Score:5)
And what's wrong with that?
OK, he's no "Dear Abby", but neither is RMS. I know many here aren't big RMS fans, but are you insecure enough about your own little world that when someone says, "Quit bothering me with stupid details, just write the code" you start flipping out? I attended Supercomputing '99 and went to a talk by Thomas Sterling, one of the original Beowulf pioneers at NASA. A good chunk of his talk was spent complaining about "Linux cruftiness" and "why are you people here when you could be writing code"? I admit I was somewhat pissed coming out of it, but it did have the effect of motivating me to start programming again. I think sometimes we just need a swift kick in the arse from someone (hi Greg!) to get motivated.
Bottom line: ignore the stupid "Are you mad?" comments from someone whose ego is a bit too big to take the time to be polite, and focus on the "learn your APIs, understand your APIs, and stop writing shitty code." Learn the message, ignore the messenger.
-jdm
(I'm ready for my big Mod-down, Mr. Director :)).
Missing the point on floppy-based routers? (Score:5)
Flash RAM would be perferred, but flash disks are hardly ubiquitous and free-for-the-taking x86 systems that work great as routers don't generally have flash-based disks installed. A floppy drive is almost a given in any system.
The hardware advantage of a system without a hard disk is the reduction of heat generation, meaning they're easier to put in heat-hostile environments like telephone closets. System upgrades are a snap, since you just move the disk to another platform.
As far as security goes, other than floppy disks general lack of reliability, what's the problem with them? They're physically write-protecable, which many IDE disks aren't. Sure it's easier to swap a floppy out than a HD, but if your machine doesn't have physical security to begin with you've failed the first checklist item for security.
BAH! (Score:3)
Any advise for code auditers?
Theo:
I suppose the biggest tip would be to become a better programmer.
Bah Humbug! Thats equivalent to
Question:
How do I become a better sprinter??
Theo:
I suppose the biggest tip would be to just to run faster
Re:No upstream (Score:2)
In addition, every packages has a Debian.changelog that should have information about what changes have been added in the Debian version.
Yeah kinda how the 'original' unix forked... (Score:2)
Unneeded complexity is bad, mkay?
GPL? (Score:2)
Re:This is ridiculous. (Score:3)
Maybe being able to use a system as a firewall/gateway that makes me sleep at night because i feel confident that it will not get h4X0red.
I really don't give a fsck if it doens't have SMP support. What's the REAL percentage of online SMP boxes anyway? I'll admit the it is really nice (and usefull) but i'm sure there's a majority of sites that simply don't need it (yet).
---------------------------
"What is the most effective Windows NT remote management tool?
Re:I/O bound? (Score:2)
That's the key point - I wouldn't really use OpenBSD for what you describe; probably one of the commercial unices which are tuned to the specific multi-proc hardware that they run on.
For x86 and single-proc Sparcs though (the only archs I've used OpenBSD on), it rocks hard! SMP would be 'nice', but certainly not something I'd lose sleep over not having. Also, I would prefer it to be implemented properly, and not with horrible global kernel locks lying all over the place
Re:This is ridiculous. (Score:4)
Uh, right. So go ahead and write an entire operating system in a new language then. Don't forget to design the language first though! Remember the C-bashing thread on Bugtraq over the summer? Whatever its limitations, we are stuck with C
2. The proper approach seems to be a very limited operating system, perhaps in C, with a virtual machine over that which is proven secure, thereby giving at least strong security to every application then running ontop of that VM.
Nice theory, much like many of the other 'ground-up' papers I've read. And meanwhile, while you sit posting and postulating on the great designs that will rule the operating systems world, I'll just use OpenBSD, and be happy with the stability and reliability of the system. Perhaps I'll look you up in ten years when you've finished this idea?
What is the point? Why bother if you aren't even going to put in SMP?
I really, really don't care whether or not OpenBSD has SMP. If I need a faster box, I'll just upgrade to a faster processor. The majority of server systems these days are either I/O or connectivity bound these days.
Re:So You WANT to Be Exploited? (Score:2)
Why are you so shocked? It's BSD.
It is NOT exploitation. Nothing is stolen.
The CVS repository does not disappear when a commercial company uses the software it contains.
The people behind a given project continue to work on their project. That does not suddenly stop because some company is selling it or something based on it.
6 months later the project releases a new version. The company is still behind. They could work on it from the point they started using it, or they could use the new release. Since they have to keep tracking new rleases anyway, they could even (and many do) help by giving their changes back to the project.
And even if they don't (and many do), the project members spent those hundreds of hours of work doing what they loved and could care less what some company does. They want the fruits of their labor to fall into as many hands as possible. BSD allows and encourages that.
GPL zealots are hypocritical. If you're so worried about The Man making money off of you, why are you writing free software?
Tell me, would you rather write free software because you WANT to or because you HAVE to?
Re:This is ridiculous. (Score:2)
That's a good point about firewalls, that's an important use of this OS. However, I would have though it would be easier to lock down a firewall machine with existing the existing OS than audit the whole thing? It's my understanding that this audit will attempt to make the OS more secure for more "dangerous" tasks, where more ports need to be open, more applications are running and generally the machine is used for more things.
In that case, then I think SMP starts to become a necessity for any major server OS, otherwise it'll never be put on any of the really big machines that could benefit from all the enhanced security.
This is ridiculous. (Score:4)
Here's the main point, before we even get started: This project should be scrapped, there are easier and better ways to do what is being done here.
Now the reasons.
1. The fact that you need to go back and hand audit libc calls for "subtle" errors means that the wrong language is being used for the majority of these tasks.
For these types of ultra secure tasks, there should be extremely limited cases, and ideally no class of errors that would be "subtle" when it comes to standard library calls. I would suggest that C is not a good language to write a secure operating system in, because it very obviously requires too much manual labour to weed through the subtleties of it's operation.
2. The proper approach seems to be a very limited operating system, perhaps in C, with a virtual machine over that which is proven secure, thereby giving at least strong security to every application then running ontop of that VM.
Yes you'll need to audit that first limited OS and kernel, and yes it'll probably be in C, but let's limit the scope of that code severely. Plan to take a huge performance hit on running everything on that VM but make sure that it's totally secure, do whatever it takes to make sure that everything running on it is protected from itself and other programs. This is the only possible way to make an extensible operating system that is in any way secure, otherwise any software that is later added to the system will either need to be painstakingly audited or not installed. Performance should be a minor concern at this point as VMs can later be optimized, and security should be of prime importance.
3. After they finish all this auditing, we're left with a non-SMP capable OS with limited software of a similarily secure nature to use it with.
What is the point? Why bother if you aren't even going to put in SMP?
4. Theo is obviously so closed minded that no efficiency ideas are ever going to occur to him.
Witness his response to the question about distributed kernels - (in summary) "I have no idea what they are, but they're not useful to me." Great.
It is my opinion that people of this caliber of programming should be spending their time at doing more useful, or perhaps better thought out work.
Moderate at will.
Re:Hey, where's my question? (Score:2)
Quite simply, it's about like asking him what he thinks of some large company deploying BSD/OS.
The users aren't heading at Open/Net/FreeBSD, they're heading at Apple. Not like Theo's gonna get any emails from Joe Machead asking him how to change the system event sounds in OS X or anything.
Pizza 'n' Beer (Score:2)
In any case, lately I've noticed that a lot computer geeks have been trying very hard to shake that reputation, image, and social stigma. The modern "tech boom" has created this new social respect for people who used to be misunderstood, and so many of these people (luckily not including me) have been trying very hard to shake those easily caricatured "typical geek behaviors" while they have their time in the sun.
I'm glad to see traditional geeks, down to caustic remarks about other people's coding (who else but a geek could that get worked up about it that it's a personal matter!). I'm glad, it makes me smile, 'cause that is the sort of person who made life interresting for me as a young geek, and hell, i hope they are around for ever...
Re:BAH! (Score:2)
If you think you can become a world-class runner by "just running" I think you are sadly mistaken.
Besides, he even mentions that many programmers learn how to do it poorly, but when asked how to learn to do it correctly, he says, just do it.
Overall this is a pretty shallow interview, it's obvious he'd rather be coding than answering questions. A good thing for OpenBSD the software, a bad thing for the image of OpenBSD.
$.02
--
Re:So You WANT to Be Exploited? (Score:2)
BSD advocates believe, I think, that given a choice between X for free and X' for a price, X' will cost only what the added value of the ' is worth. I would like to agree, and in a perfect market I would agree. But there is no perfect market in the world today. People, being morons, are quite happy to pay $x for X', where $x is the total value of X', not simply the added value, even though economically it would be smarter to use X for free, getting all the functionality of X' save ', but saving an amount of money equal to functionality(X)+'.
People are the problem.
The GPL is a nuisance, I agree. If this were a sufficiently more perfect world then I would most definitely use BSD. But it's not, and thus I don't. The BSD license allows more freedom--that's a good thing. But the GPL protects freedom. The one is like three acres of apples, exposed to the birds and the beasts. The latter is like an acra of apples, with farmhands to scare away the animals. At the end of the day, the tended land has more apples. Thus with the GPL.
Re:I would've asked about automation of analysis.. (Score:2)
Automated code modification would lead to a situation where the developers would just sit around and think of vunerabilites.
Rather than haveing to look over the same code 14 times, and get to know it. There is something to be said for forcing yourself to pore over every line, every bracket, every semicolon of the code, and check everything.
From what Theo said, it sounds like while they are fixing one sloppy piece of code, they note another bit when they are part way through.
This makes lots of sense.
Where are they going to find new mistakes from if they don't go through all the code.
This is not just of the top of my head, btw. I write scientific code that has to be correct, where there is no way of testing the output. It's amazing how often subtle bugs are missed.
--
Re:Forks are Good! (Score:4)
In Linux land, it appears that projects fork for financial reasons. In BSD land, it appears that the forks that have happened were purely political reasons. I don't know what will happen. It's been 5 years since the last fork in the BSD camp. Why are you guys so fork paranoid?
I suspect that the question was rhetorical, but it deserves an answer. I'm putting it here, with the other fork comment, even though it wasn't written as a follow-up to that comment.
Simply put, it's (too) often used as an object lesson in Linux land. Whenever an argument gets too heated, someone jumps in with "if we keep acting like this, we'll end up like the BSDs." Meaning, I suppose, "fighting over a very tiny percentage of mindshare instead of working together to take over the world."
I suspect that Linux is headed toward a fork. Linus and Alan Cox have been leaving things out of the kernel (like a debugger) that a lot of people want. As there's no charter or formal organizational structure, I think that a coup of some sort is inevitable. When it happens, the interest in the Net/Open split will rise to a crescendo.
I have friends who are OpenBSD advocates, and others who are NetBSD advocates. To hear each side talk, the other side writes crappy code between bouts of trying to ruin BSD for everybody. It's depressing, particularly when I think about what could happen if their talents could be combined. Or, if they would just shut up, stop sniping at each other, and code.
I'd love to see some sort of cross-bsd advocacy organization to help users take that middle step. Help with porting of cool shit between the BSDs. Make generic cross-BSD documentation. Help people decide which OS and user/developer community is right for them. etc.
Unfortunately, that requires a friendlier attitude than I often see between the BSDs. Charges of "code theft" particularly frustrate me. That's the whole damned point of open source: Seeing the good stuff, learning from it, and using it.
--
Re:distributed kernel ... (Score:3)
Re:Where the money goes (Score:2)
I'll agree that the US and Canada can't seem to make a decent beer... the US has a real bad track record... midwest megabrews, Natural Light, Utica, Keystone, anything that says 'ice', etc...
Of course, the Guinness doesn't taste as good here in the Midwest, either...
--
Re:Where the money goes - Totally OT (Score:2)
I know of many pubs that brew their own stuff on the East coast, and it's worth the trip.
--
Re:Where the money goes (Score:2)
My favorite Canadian beer is Elsinore, since I found a mouse in the bottle...
--
Re:No plans for SMP... (Score:2)
As for the UberOS(TM) - That's where the ideas of microkernels and modules really comes into play. Granted, there are always tradeoffs, but theoretically, a microkernel is infinitely adaptable...
--
Re:No plans for SMP... (Score:2)
I wouldn't blame IBM for this, but then again, they give me a piece of paper twice a month... that, and I've seen [CENSORED - IBM Confidential]. So there!
--
Re:Missing the point on floppy-based routers? (Score:3)
It seems very difficult to obtain the same characteristics from a harddisk (or flash ram); I don't know how to physically prevent writing on a standard IDE hd. And if you use the hd just to load the FW into ram, and "hot-swap" it out, then it won't come back up, after powerfailure (even UPS's have their limits).
Floppy disk reliability is not much of an issue, i think, since the floppy isn't used to as a long term storage medium. Remember your friend dd:
"$ dd if=/dev/fd0H1440 of=floppy-image
2880+0 records in
2880+0 records out
$ dd if=floppy-image of=/dev/fd0H1440
2880+0 records in
2880+0 records out
$ The first dd makes an exact image of the floppy to the file floppy-image, the second one writes the image to the floppy." (SAG v. 0.6.2)
(And of course, one can always mount the dd-image; "mount -t ext2 -o loop")
So you develop, maintain and store, the actual FW information on another box, then write the image to a floppy (and making a backup fd image on the development box). All the floppy has to do, is to survive the initial boot. It may have to survive reboots, caused by powerfailure, but even if it does not (harddisks may fail too), a disaster recovery plan is part of the floppy disk based FW scheme; just write a new image, and boot. How many hd-based FW's has a spare harddisk, with a synced and updated system on it?
If you just have a slight suspecion, that the FW is compromized, then a reboot will flush out any trojans and root kits. The firewall may still contain som sort of security hole, but rebooting may give you time to discover what the hole was, and deploy a new FW.
Floppy based firewall is a very cool thing. It doesn't fit everybodies need, but it may be a viable solution to a great many.
Cdroms may offer similar advantages, but they may be slightly more difficult and expensive to develop and maintain.
In short; Firewalls on write protected media, seems to be a very good idea.
Re:Missing the point on floppy-based routers? (Score:2)
It's interesting that someone as massively detail-oriented as Theo de Raadt seems to be shooting from the hip so much when just talking/typing -- maybe Katz should write an expose about detail oriented people being sloppy and neo-Luddite Harper's readers on their off hours.
Design vs. Implementation (Score:3)
He then goes on to say that he really doesn't care about kernel design, so long as the kernel design works.
These two issues are completely different.
Lets face it - he's an implementation junkie. Which I would guess was not, and still is not, popular with the NetBSD crowd, as he probably had to step on a few toes...
'You're not using strcat correctly. You've introduced 6 exploitable bugs into the kernel'
'What do you mean I'm not using strcat correctly?? I've been coding since I was twelve years old!'
Cyano
Forking (Score:2)
I just have to point out the flaw in this reasoning. A political party represents a unique ideology in an abstract sense. A fork also represents a unique ideology, but in a practical sense. If you're a democrat, you believe in welfare. If you're an OpenBSD developer, you believe in security AND you develop software towards that belief.
The problem with too many forks (not that some aren't good) is that it thins programmer resources. The differences in implementation between two forks are, by definition, going to cause incompatibilities between them, meaning at some level programmers have to "choose sides" and decide which ideology to develop for, or do LCD compatibility. If you get too many forks in the open-source, it will be impossible to maintain the critical mass of programmers necessary for providing a comprehensive library of software which takes advantage of the specialties of any single system.
In a political party, on the other hand, while many parties exist, "development" (i.e. practical implementation of ideology) is only going on in ONE place: the government. Your analogy would be more like if each political party decided to take over a different part of the US and declare itself sovereign, which is at this point clearly unproductive and inefficient given the way the US has adapted itself to function well as a single entity.
The corrected analogy carries through well; in other countries we have good forks, which represent ideologies so different that forking is inevitable and staying together would be a resource drain.
Of course, these things are self-limiting; an unnecessary fork will simply not be able to survive for long, or one of two similar projects will eventually end up gaining dominance and reducing the other one to a minority. The point is, forks are only good sometimes, and it's got nothing to do with political parties.
What is a "black hole route"? (Score:2)
What exactly does this mean? That packets from openbsd.org to netbsd.org are just swallowed without trace?
Re:Missing the point on floppy-based routers? (Score:3)
md5sum the whole floppy[*]. On booting, if the floppy image does not have the same checksum, abort. Then it's possible that the router might not boot one day, but it's impossible for the disk to corrupt without you noticing.
[*]ok, md5sum all of the floppy apart from a file containing the md5sums.
Re:This is ridiculous. (Score:2)
Do it right! (Score:5)
Hear, hear! Two of my pet peeves right there:
(1) Why is it that the same bugs keep reappearing? Why is it that we assume bugs only occur in one place? Why is it that we hear, "I fixed the bug," as if a programmer can only screw up in one place?
(2) Every other piece of engineering goes through major scrutiny. Teams are brought in from the outside to look over blueprints. For open source software, we assume that just because anybody can look at the code, that everybody is. Even in OSS, we need to go to outside, objective reviewers and say, "Here's some money, and here's our code [or maybe, here's the URL for our code :-) ]. Please review it and tell us where we screwed up."
Mr. de Raadt knows his stuff; the coders do this themselves, and they take it seriously.
charitable donations (Score:2)
(And I must ask, why are people so cheap, that they only give donations when it provides a partial reduction in their taxes, rather than a real donation? I actually find that pretty fake.)
Econ 101, Theo. It provides you with more money if people don't have to pay taxes on the money that they give. It's the same way that sales taxes are split between the store and the consumer simply because in the absence of sales taxes, the store could charge slightly more for a product.
Don't make me start drawing supply & demand curves.
Michael
Re:What is a "black hole route"? (Score:2)
I have entirely no knowledge of what events occurred between the two groups or whether they were fighting over a network and its routes, but that's the usual meaning.
Hey! I've got an answer! (Score:2)
I've got an answer for this one! Well, sort of - I don't know why people are cheap. But I do know why people who AREN'T cheap still would prefer to donate to a non-profit organization. First, the constrictions placed on a non-profit organization reassure some people that their donation stands some chance of being used for the purpose they think they're donating it to. Second, if I have $10,000 I don't need, and want to donate it to someone, if I donate it to a charitable organization in the U.S., I can donate $12,000 for the same eventual out-of-pocket as if I donated $10,000 to an organization without charitable tax-exempt status. So the second organization would have to convince me that it will make better use of my money.
Sure, most people don't explicitly view it that way, but when you look at the bottom line, there's not much difference between "if I give $500 to them, I get $100 back. if I give $500 to THEM, I get nothing." and "if I give $400 to them, I could actually give $500. if I give $400 to THEM, I can only give $400."
Re:filtering by FreeBSD/NetBSD (Score:2)
If you're scared of spamming and mail bombing, stay off the internet. Frankly, any good admin worth his salt would want to see how his boxes stand up under such a load, rather than be a big weenie and run away from a fight.
So what I read is: Theo threatened to mailbomb, and didn't? Link to mail thread [netbsd.org]
Just bizarre. Frankly there are a lot of high horses out there. OpenBSD is a good system. I'm not a big fan of BSD, but I encourage people to use OpenBSD just to try it and learn. (I did run it for a while on a sparc and it ran better than linux on that box.)
Every OS has it's place. OpenBSD is just canadian and has balls (big encrypted balls.) It's neat and it ships with things like ssh out of the box.
I'm just very depressed lately (lately being a long time now) of hate-mailers and winers on slashdot--- the people who write the software (free) that we use (quality) often don't get the respect they deserve.
Anyway, that's my 2 cents.
Using your own numbers. (Score:2)
Bob Bruce of BSDi (previously of Walnut Creek) says FreeBSD's user amount is 20% of the size of the linux market.
If you consider FreeBSD and Linux all fighting for the same slice of the pie, how many of the 180+ linux distros have 20% marketshare? Lets see...given all distros have the same kernel, they are all alike. So the average market share for any linux distro is 0.55% or 1011 users per distro. So FreeBSD has a far greater marketshare and number of users than the average Linux distro for the Open Source OS market.
36400*5=182000 total linux users. counter.li.org [slashdot.org] says there are 162,680 Linux users. As you can see, the numbers presented as to why BSD is doomed are similar.
It looks like the individual linux companies, none of them strong enough to get any useful market share (1,011 users per distro) will doom the Open Source OS market to appear as a failure.
As you can see, Linux is very, VERY sick and its long term survival is very dim. And the stock prices of Linux companies show how doomed linux is. If Linux survives, it will be among OS hobbyists and die-hard users who read
With the release of Apple's Mac OS X - based on BSD and selling 2 million units a quarter, you can see how just one quarter of Apple sales will outsell *ALL* of the Linux users.
(So there. Nahy!)
Re:But he doesnt follow his own advice (Score:2)
-QNX [qnx.com]
-VSTa [vsta.org]
-----
"People who bite the hand that feeds them usually lick the boot that kicks them"
Re:No plans for SMP... (Score:2)
this certainly verified that point. can anyone think of other features that open source projects need that aren't done because there not interesting?
-Jon
Re:Do it right! (Score:2)
Can you imagine if a Boeing engineer didn't fix ALL of the occurances of a wiring flaw? Why not at least try to engineer software in the same way?
but what if?
it's a lot of work, and not considered the most interesting thing to our developers. Sorry
shit. what if it's not interesting to fix a big fat gaping hole? what if it's too much work, and "just not interesting!"
gasp.
-Jon
Re:But he doesnt follow his own advice (Score:2)
While this is a very subjective topic, many people would argue that the Mach Microkernel found in Next/Open Step is pretty good, and IIRC, the BeOS is pretty good Microkernel, too.
Heh, I bet even l33t j03 [slashdot.org] would say Windows 2000 is a great Microkernel!
Bashing Theo (Score:2)
Re:Missing the point on floppy-based routers? (Score:2)
In my eyes a floppy distribution includes features such as
* Write protection
* VERY VERY MINIMAL install (smaller than openbsd's 60-70 MB minimal install)
NOT that it sits on a floppy. I usually make a good LRP disk and make a bootable cd. Reburn every month with updated nat forwardings and a new password.
If someone DID hack into that box, there is no ftp/ssh/telnet on there for them to connect out! There is no way to write to a CD-R in a regular CD-ROM drive.
Know your interfaces? Bah! (Score:2)
But I have been compiling against the GNU C library a lot, and I loathe it for the most part. Examples? Examples.
- from man strcpy:
If the destination string of a strcpy() is not large enough (that is, if the programmer was stupid/lazy, and failed to check the size before copying) then anything might happen. Overflowing fixed length strings is a favourite cracker technique.
- from man strcat:
The strcat() function appends the src string to the dest string overwriting the `\0' character at the end of dest, and then adds a terminating `\0' character. The strings may not overlap, and the dest string must have enough space for the result.
Yes, I especially loathe the string functions. If you feed them too small buffers, or NULL pointers, glibc just plain old crashes. In my not so humble opinion, it is glibc's _responsability_ as a C library to be flexible enough to allocate that stupid little buffer itself, or at least not to crash with segmentation violences! If I do the same things with GTK+'s glib, my program fails with a nice message, like "assert string != NULL failed" -- but even more often, it just allocates that stupid little buffer!
Now before you're going to say "look, if you want someone to keep your hand, go play with Java, not with C", please realize that all this could just simply _work_ in C with a few checks, and that not a single line of code would need auditing for these "vulnerability" anymore, if only this check had been made in glibc! That's the use of programming libraries, right? Not having to do soemthing again and again, so that you work with well-known interfaces and do not run the risk of making much mistakes.
You know, even Richard Stallman, author of this particular C library, agrees with me upon this point:
- from info libc
It's fairly common for beginning C programmers to "reinvent the wheel" by duplicating this functionality in their own code, but it pays to become familiar with the library functions and to make use of them, since this offers benefits in maintenance, efficiency, and portability.
Now the only sad thing from this quote is that it actually comes from the part "Strings and Array Utilities" of info libc, about which _I_ would like to say "It's fairly common for beginning C programmers to become familiar with the library functions and make use of them, but it pays to duplicate this functionality in your own code" -- if you catch my drift
Which makes me wonder how secure OpenBSD (and *BSD) is at the libc level, that is, how flexible and careful does it work with its input.
[Hmm and while I'm at it, is char++ endian-independent? Just wondering
It's... It's...
Re:Before flaming Theo ... (Score:2)
I have actually met Theo in person and he is NOT egotistical or arrogant in the slightest. He's quiet, reserved, and interesting. I think he's just impatient with a world where software quality standards aren't as high a priority as they should be.
Re:Missing the point on floppy-based routers? (Score:2)
It would also have to provide a nice (albeit simple and text-based) configuration tool or something similar to set up said box.
Of course, it could provide more than just NAT and firewall. I don't care. But I do care about keeping the install minimal. That is why I mentioned FreeSco, a floppy-based product. Unfortunately, it seemed as though I was implying that I was only interested in firewall-on-a-floppy. Oh well.
Re:No plans for SMP... (Score:2)
YOu ignore a couple things in this though. First, I can't implement it myself, I am a medicore programer at best, and would not know where to begin. The poster was commentlin on the commercial viability of Open Source. Let's say my dad needs an OS for his bussiness, and somehow you mananged to dodge all the issues of actualy teaching him Unix, and getting him accept that that was some valid reason he should learn all this new stuff rather than just pointing and drooling through Windows. So dad here you go.. OpenBSD, the most secure OS in the world, course if you want to use on you dual CPU server, you are going to have to learn how to rewrite the Kernal for SMP support. Dad would laugh all the way to CompUSA. Commercial success is going to require more than "Just develop it yourself", if people were willing and able to do that, Windows would not have a 90 % marketshare.
Re:But he doesnt follow his own advice (Score:3)
You wrote
In his first reponse, Theo wrote They don't care about good software, only about "good enough" software. Which I would paraphrase as software that doesn't make security a design goal.
In his other response, Theo wrote As well, I don't think it makes any difference, as long as a system does what it is supposed to do. Which I would paraphrase as software should achieve it's design goals, like security, no matter how it's implemented.
There is no contradiction in those two statements.
Ego based contradictions (Score:3)
As well, I don't think it makes any difference, as long as a system does what it is supposed to do.
This is a fairly asinine thing to say, especially since the second post had a very good point (Micro vs Monolithic kernels). My opinion of Theo is fairly low after this. Instead of responding with a mea culpa (yes a micro kernal is better, of course it's better to keep privledged code to a minimum, but it's also difficult to totally re-engineer a kernel especially when it works) we get mindless thrashing about micro kernals..
(an operating system based on 70's technology dissing ideas from the 80's as obsolete? Kind of ironic..)
Lighten up! (Score:2)
In a word: He has no obligation to you, no matter how hard you try to rationalize that he does. He isn't charging you for software, he isn't forcing you to listen, he isn't infringing on your on any aspect of your reality... unless you let him.
But he doesnt follow his own advice (Score:3)
In the answer to the first question Theo goes into detail about why software should be good, not just "good enough". However in answer to the 5th question "Kernel Design" he contradicts his own previous argument by saying "I dont think it makes any difference, as long as the system does what it is supposed to"
Theo, throughout your responses, you have personally insulted the intelligence of the people who ask you questions. You have insulted the intelligence of the people who either use, pan to try, or know more than most of the dawdling masses about your distrobution. What I dont understand is why. If you could answer that, I would appreciate it. And if you could answer it without the typical belittling that is ever present throughout the answers to the questions asked before, I would appreciate it even more.
Sincerely,
CyberKnet
---
Theo and Microkernels (Score:2)
Set aside discussions about NT or OpenVMS, wouldn't a design like the HURD(I'm not saying MK's are better or that I like theme more the monolithic systems) at least be a reasonyble approach to more system security.
If I understand correctly HURD and probably other Microkernels can run at lot more stuff in userland and that could at least be a advantage when you try to build a very secure system. If Theo is really posting on
Charitable Donations (Score:2)
From a different point of view (for Canadians, at least), you can look at the tax break for "charitable donations" as a way of directing government money to the organizations you would like supported. From my point of view, a $100 chariable donation is really only an ~$80 donation from me, plus ~$20 of the government's money that I want directed to organizations I feel are important.
That's not to say that (non|not-for)-profit is the way to go for OpenBSD, but it may convert a few more anti-charitable donations people to support organizations they feel are important. I only support to those organizations that I feel are important (whether they get me a tax deduction or not), since you don't actually get more out of the tax deduction than you put into the donation.
andrew
Working with microkernels (Score:5)
Forks are Good! (Score:5)
I think he is totally correct with this point. The point of a codefork is that you end up with two variants, only one of which, in the long term, will survive (usually). It leads to a sort of Darwinian survival of the fittest, and improves the overall code base in the long term as well as giving people options - they can mould their distro to their needs. I have often wondered why the Linux people are so scared of code forks also - could it be because they look back at the Unix wars of the eighties and shudder? This would suggest that the BSD'ers have not inherited the UNIX philosophy to the same degree as the Linux community - that may give them more freedom.
I am not suggesting that forks be encouraged, though, rather that people stop whining when they occur, and recognise them as an opportunity.
Perhaps forks will not be a good thing for Linux in ten years or so, but given that it is presently a sort of 'primordial ooze', and very creative, I do not think it is bad thing for the moment.
KTB:Lover, Poet, Artiste, Aesthete, Programmer.
Re: (Score:2)
Re: (Score:2)
Where the money goes (Score:3)
I find the ideas that I get from beer are generally along the lines of "I think I'll have another beer". TdR is obviously made of sterner stuff than I. Or it could just be that Canada has the 2nd worst beer in the world (after the US).
Re:Mr.Sparkler (Score:3)