OpenBSD 3.2 Available
fredrikv writes "Right on time, the files defining OpenBSD 3.2 have moved away from "snapshots" to the 3.2 directory of the OpenBSD mirrors. It is well known as the world's most secure operating system and now sports chroot'd Apache, fewer suid binaries, cool pictures for xdm-logins, a brilliant "antispoof" packet filtering rule and as usual includes lots of small updates and fixes. The files are there. What are you waiting for?"
Re:FreeBSD (Score:0, Insightful)
The only real advantage that OpenBSD has is hardware crypto accelerator support, but even that is being ported to FreeBSD now. OTOH, OpenBSD isn't even using ELF yet, has no SMP support, less than 1000 packages and most of its developers are a total PITA to deal with. It runs on more platforms. I'd say OpenBSD looks like a cheap NetBSD rip-off.
Unfortunately, FreeBSD seems to be plagued by trolls lately [freebsd.org]
It's good, but not that good (Score:4, Insightful)
Whoa, partner. Sure OpenBSD is designed with security in mind, and as far as the BSDs go (which are generally pretty secure in their own right), it's probably the tightest. But it's quite a leap to say that OpenBSD is the most secure operating system in the entire world.
I don't know which OS would get that "award". But I'd have to believe that it'd be something obscure like a tiny, embedded, OS the NSA uses in their crypto equipment or some such.
security (Score:2, Insightful)
That is true... if you do a default installation and make absolutely no change to any of the services that come installed with it... that's why it was secure for 4-something years... but they didn't mention that if you had an old BIND version at the time it would still be "secure".
Re:Threading issues resolved? (Score:1, Insightful)
In any case, I seriously doubt that Solaris is any less vulnerable to such a problem than BSD. The people at Sun may work hard on their scheduling algorithm, but the BSD scheduler was written by Steve Woston himself, and is probably the best in the world.
Re:what happened? (Score:4, Insightful)
The OpenBSD folks do make OpenSSH but not OpenSSL.
Re:It's good, but not that good (Score:4, Insightful)
Otherwise, I tend to agree, but OpenVMS is a bi*ch to configure.
New songs too... (Score:2, Insightful)
ftp://ftp.openbsd.org/pub/OpenBSD/songs/ [openbsd.org]
ftp://ftp.usa.openbsd.org/pub/OpenBSD/songs/ [openbsd.org]
(other mirrors have not caught up yet)
The lyrics are available from:
http://www.openbsd.org/lyrics.html#32 [openbsd.org]
Re:what happened? (Score:4, Insightful)
The OpenSSH hole was to be expected, and was long past due. No software is perfect, this just proves it. Face the facts, it'll happen sooner or later.
I don't see what you mean about gee-whiz hardware. Hardware support is still pretty far down on the list, and even my new system is about 80% supported at best. Security is still the critical issue, but the development team is humans, and humans miss things.
Flashy features? Again the same thing. The reason I use OpenBSD is because it isn't so darn flashy. That and it just runs.
Path to shame? I think the 3.0 series has been the best yet, and the most innovative. I think it will continue to be too.
Re:what happened? (Score:4, Insightful)
This puzzled me. I've been running an OBSD router since 2.6 (and we've been running it at work since 2.8). The releases have been coming out pretty much every 6 months, haven't they?
I upgrade about once a year, so I often skip releases, but I think they've only missed the release dates a few times, and only by a week or so.
Bugs will be found, which (of course) is the point of the OBSD project. I just don't see any shame in that. Lots of organizations get compromised. The real test is how the organization reacts and recovers.
*shrug* From my POV, the releases have been getting better and better. I can't imagine running anything else as an edge box.
Of course, I may be wrong. Even openbsd.org runs Solaris!
Re:security (Score:5, Insightful)
It's pretty common to run a few releases back on important and complex daemons like BIND, or Sendmail.
There is little value in going to BIND 8 or 9 if it has not been audited by the OBSD team first. BIND 4 is well understood and the faults, warts and bugs are well-known. BIND 8 is still new enough that it is considered an unknown.
This is one of the downsides (if you consider it a downside) of trying to be "secure by design".
Of course, OBSD is free, as in beer and as in speech. This means you can run a parallel box with BIND 8 or 9 (or whatever) yourself until you deem it safe. The responsibility is now yours to maintain security on that chunk of the OS, but everything is a trade-off, especially in host security.
BIND 8/9 will eventually make it into a future release. 99% of us do not need it, however, and so having a well-known and secure BIND 4 implementation has more value for the rest of us.
yes, we need SMP (Score:5, Insightful)
What's great about Open over Free (and most Linux distros) is simply that one can go from zero to installed, up and running in no time flat. The need to secure the OS is minimal (though as another said, why portmap and why inetd?), which also greatly reduces time to production. And no worries about all of those "extra" packages that one doesn't want installed that get installed whether you like it or not, and then having to find a way to yank them out.
That said, yes, I pre-ordered my CDs.
Jud.
Re:Most Secure OS (Score:2, Insightful)
you have users you can trust? god, do i want your job.
my users can't be trusted to follow the simplest directions. EVERYTHING better be automatic and iron-clad or they will find a way to break it.
if you have the bandwidth for isos you have it for (Score:4, Insightful)
just because there are no "Official" iso's does not mean that they are not available from "Unofficial" sources, just look around, but you really should support the project if you can
(the t-shirts/posters/stickers are all cool and the latter can only be found w/ the official cdrom distribution)
my personal server (which is used primarily for NAT and personal ftp) has been running OpenBSD for years and it's certainly the most elegant and simply designed UNIX based system that I've ever used and is far more intuitive and secure than Linux (which i have also dealt with since '95 and presently have a debian desktop machine running under my desk so no flames please) by default... anyway my $.02
here is a link to the floppy internet based install instructions: http://www.openbsd.org/faq/faq4.html#Media
Re:It's good, but not that good (Score:3, Insightful)
Ok, so you believe programs are absolutely immune to buffer overflow exploits on OpenVMS?
Then I'll show you a simple example of a buffer overflow exploit on OpenVMS/Alpha.
---
The victim program compares a user-supplied password with a password stored inside a file.
I wasn't able to include the source code, because I always get errors like "Your comment has too few characters per line (currently 24.5)." if I do.
Email me, if you'd like to get the complete source code, and I'll send it back to you.
$ cc vmshackme.c;1
strcpy(l_input, input);
%CC-I-IMPLICITFUNC, In this statement, the identifier "strcpy" is implicitly declared as a function.
at line number 66 in file $DKA100:[USERS.OCTOGEN]VMSHACKME.C;1
if (strncmp(l_input, l_pass, _max_pwd_len) == 0)
%CC-I-IMPLICITFUNC, In this statement, the identifier "strncmp" is implicitly declared as a function.
at line number 68 in file $DKA100:[USERS.OCTOGEN]VMSHACKME.C;1
$ link vmshackme.obj;1
$ type pass.pwd;1
openvms
$ run vmshackme
openvms
Password correct
$ run vmshackme
os400
Wrong password, try again.
$
-----
The program works, as you can see.
Now I'll type in a bit too much:
$ run vmshackme
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Pas
$
-----
What I'm exploiting here is nothing else than a simple example of a buffer overflow.
Even if you can't execute arbitrary code (and I'm quite sure you can do that, too!), you can still damage data structures, data pointers, numeric values like buffer offsets and many other things - so there are a lot of possibilities left for exploiting a buffer overflow vulnerability.
AS/400s have hardware protection for system pointers, so they are even more secure than OpenVMS. But even on AS/400s you can still damage space pointers, and I'm quite sure, this example program would even work on an AS/400.
It might not be possible to execute arbitrary code on an AS/400, but you can still damage many things by exploiting buffer overflows.
---
regards,
octogen
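A hardened counterpart to the password check octogen describes above, as an added example (not octogen's program, which was not posted): the copy into the fixed local buffer is bounded and over-long input is refused instead of being written past the end. MAX_PWD_LEN, the helper names and the stored password "openvms" are assumptions standing in for the posted program's values.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical limit standing in for the posted program's _max_pwd_len. */
#define MAX_PWD_LEN 32

enum { PW_OK = 1, PW_WRONG = 0, PW_REJECTED = -1 };

/* Copy src into dst (dstsize bytes) only if it fits, NUL included.
 * Where the posted program did an unbounded strcpy(l_input, input),
 * over-long input is refused up front instead of running past the buffer. */
static int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsize) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Compare two secrets without stopping at the first differing byte. */
static int same_secret(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened check: same fixed local buffer as the posted program,
 * but the copy into it cannot overflow. */
int check_password(const char *input, const char *stored)
{
    char l_input[MAX_PWD_LEN + 1];
    if (bounded_copy(l_input, sizeof l_input, input) != 0)
        return PW_REJECTED;   /* 33+ bytes would have smashed the stack */
    return same_secret(l_input, stored) ? PW_OK : PW_WRONG;
}

int main(void)
{
    char line[256];
    if (fgets(line, sizeof line, stdin) == NULL) return 1;
    line[strcspn(line, "\n")] = '\0';
    int r = check_password(line, "openvms");   /* constructed stored password */
    puts(r == PW_OK ? "Password correct" :
         r == PW_WRONG ? "Wrong password, try again." : "Input too long, rejected.");
    return 0;
}
```

Feeding it the 33-byte run of "a" from the post yields the rejection message instead of the truncated "Pas" output that the overflow produced.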
Re:FreeBSD (Score:2, Insightful)
Uhhhh... I hate to be rude, but what crack are you smoking?
"Few-function"? Right now, off the top of my head, I use OpenBSD for:
This is all on my servers, both at my work and at my home. These do not even have a GUI installed... but if you want more than a command line, that has it, too. I mean, it's *really* difficult to install the x* .tgz bundles when you're installing, then configure your X server and install your favorite window manager from ports. Took me all of five minutes, last time I did it.
That brings me to my desktop. I use my computer for a lot of stuff. Mail, web surfing, 3D modelling, test compiles, image editing, HTML editing, writings (technical and otherwise), media playing (Flash, DVD's, mp3's, CD's), and much, much more. This computer, a PIII 850 laptop, runs single-boot OpenBSD 3.1-stable, soon to be 3.2 (after I write this post.) I use Enlightenment, and damn, but it *flies*.
No, if you need your hand held on every single little thing, or you're scared off by a text installer (which, by the way, is easier than any GUI installer I've ever used), then PLEASE stay away. But if you can handle changing a few of the ways you think, give OpenBSD a try as a desktop. You may just like it.
(And just as a data point, I started out with OpenBSD. My first *nix experience, except for a tiny bit of Red Hat several months before, which I *hated* - not flaming, just saying it wasn't for me. I managed to get to the point where I am with it without getting flamed on the lists once, and it's because when I have a problem, I RTFM and STFW. If you're capable of doing the same, it's a refreshing change from the other user communities.)
Re:Please provide .iso's (Score:1, Insightful)
Well, I think you are lazy. Download the install files, download the bootdisk, run mkisofs using the bootdisk file as the bootable image for the cd, cdrecord dev=0,0,0 speed=8x -data obsd.iso and you have a bootable cd image. Hrm. Anyways, THAT is what I think. Alternatively, you could download an
Re:Same horrible fdisk and disklable process? (Score:3, Insightful)
Yes, the disk partitioning is the least intuitive part of the install, but it only took a complete newbie like myself a few times (3, maybe 4) to feel comfortable with it so I think you might have missed something in the documentation. I was using "Building Linux and OpenBSD Firewalls" at the time as well, but it's all there on the screen for you.
psxndc
Re:FreeBSD (Score:3, Insightful)
Nah, stick to FreeBSD for your desktop. OpenBSD might be secure and great for firewalls and bastion hosts, but for a large multiple-CPU server box, I'd rather use FreeBSD, Linux or Solaris.
Re:Still won't boot above 8 Gig- IDIOt (Score:3, Insightful)
OpenBSD is a SERVER operating system. 99.99999% of the people using OpenBSD use OpenBSD as a SERVER
Rubbish.
The OpenBSD ports tree [openbsd.org], while not as brimming with goodies as FreeBSD's, has loads of software for use on the desktop.
My desktop *NIX boxes at home and work are both OpenBSD with lots of decent software installed via ports. I hardly think that developers would bother making a port of only
Re:It's good, but not that good (Score:3, Insightful)
The same is true for Solaris/SPARC, if you configure it correctly.
You don't need to execute overflowing data, it can even be enough only to change a function pointer, and the program would run some code which was already there before the overflow occurred.
This code would be executable, because it's simply a part of the running program or of a library used by the running program.
Just changing some piece of data which gets passed to a system call can also be enough to break security.
From a technical point of view, applications on OpenVMS are just as vulnerable to buffer overflow exploits as applications on Solaris/SPARC (with noexec_user_stack set to 1).
On both OSs you can't execute overflowing data.
But on both OSs you can (sometimes) circumvent this sort of protection.