Remotely Crash OpenBSD
*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski, found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.
Double standards? (Score:5, Insightful)
Oh wow (Score:0, Insightful)
Maybe the next time Bashdork reports the new evil IE vulnerability that allows my desktop wallpaper to be changed by a hacker in Romania I'll see a quote like this one. "To quote [whomever], head of [whatever] at Microsoft, it's just a crash."
I'm sure.
Re:Does this count? (Score:5, Insightful)
Re:Double standards? (Score:2, Insightful)
Re:Oh wow (Score:5, Insightful)
Re:Patch for production systems? (Score:1, Insightful)
But if you are, just wait a little while for the fix.
Re:Does this count? (Score:4, Insightful)
Personally I don't like random people crashing my servers, so I'd call it a hole!
It's called selective quoting (Score:5, Insightful)
Fwiw, I wouldn't go into riot mode over four monosyllable words taken out of context be it from MS or OBSD. Of course, this is /. and that nice little blurb will most certainly cause a lot of banner hits as people will just have to comment. I can personally attest to 3 to get this post up.
"Crash" vs. "Root Exploit" (Score:5, Insightful)
A non-serious cracker might have fun taking down OpenBSD a few times with an exploit like this. A more serious cracker would do this to try to convince some number of systems to stop running the most secure OS that's reasonably available and replace it with more vulnerable systems that aren't getting spanked a lot.
Re:Maybe time to drop this "securitier than thou" (Score:5, Insightful)
Comparing MS to OpenBSD? (Score:1, Insightful)
Re:Maybe time to drop this "securitier than thou" (Score:5, Insightful)
"Hmm, well if we have gotten to the point where people have to roll their own net stack or patch a kernel to bring an issue to the fore, then hasn't the OpenBSD project succeeded in its goal?"
Re:Double standards? (Score:3, Insightful)
Especially given that Microsoft is a company that charges for their product, where OpenBSD is free.
Track record (Score:5, Insightful)
The day Microsoft has half the kind of security track record as OpenBSD, they'll be cut some slack.
OpenBSD had earned a little slack. MS still has a long way to go in system security/stability before they deserve the same treatment.
Re:Oh wow (Score:5, Insightful)
Why does "remote hole" == elevation of privilege? (Score:5, Insightful)
Just a crash.. (Score:5, Insightful)
I replaced all firewalls with OpenBSD filtering bridges. One rather persistent script kiddie (unfortunately a legitimate $luser on the network) decided to send a few malformed packets here, there and everywhere. One of these crashed the filtering bridge at the edge of that particular subnet.
Immediately no packets enter or leave that subnet and I get about 40 phone calls "the internet is broken / my session crashed..." and go and deal with it.
Just a crash, saved several boxes. By contrast, accessible Linux machines, privilege escalation - root exploit. All over.
Now if only the average Windows box would *only* bluescreen in response to being cracked / infected with the latest... rather than sending mal packets everywhere. Then infection would be self limiting and the world would be a better place.
Re:Double standards? (Score:5, Insightful)
*no comment* writes "If you are running IPv6 on WinXP, it might be time to upgrade to Linux (just kidding). There is, however, a way to crash WinXP with a couple of simple IPv6 commands. Georgi Guninski found the problem. To quote Bill Gates, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.
Okay, now that the wording has been changed to Microsoft, doesn't it suddenly look like a typical rabid-anti-Microsoft Slashdot article? You are so blinded by the belief that everything is anti-Microsoft that you cannot even see people being sarcastic about anything not Microsoft!
Re:IPv7? (Score:2, Insightful)
Re:about ipv6 (Score:3, Insightful)
IPv6 has security built into it, more addresses than particles in the universe, and eliminates the need for private addressing and NAT... we should move to IPv6 if for no other reason than it is a cleaner, better solution to internet addressing.
Re:Does this count? (Score:3, Insightful)
Just because they fixed it before it was reported doesn't mean it never existed -- or that it was never quietly exploited. This sort of semantic game detracts from the hard work that goes into OpenBSD. It may be no worse than the sort of word games used to market other software, but in an area like security where trust is paramount it needlessly raises suspicion.
Re:Maybe time to drop this "securitier than thou" (Score:3, Insightful)
Now the specialist press, including web sites, who know of the existence of OpenBSD, are likely to treat this in much the same way. A BSD crash, any variant, is a rarity, 1000 times or more less likely to happen than a BSOD. Same sort of ratio for security holes also. So, the same thing happens: the uncommon major event gets the attention, although it does far, far less harm overall than the very common everyday event.
Of course in this case the normal press remain in utter ignorance; some of them may know that Windoze is not the same as a Mac, a few will know of Linux, and very few indeed will know what BSD is; they probably think it is a shorter abbreviation for BSOD. So, the mainstream press will leave this well alone.
It is quite right and proper that crashes should be reported, and certainly it is only fair that a problem with a secure OS gets to be known, and fixed, but like the train crash, it needs to be kept in perspective.
I know that Theo allegedly has an attitude problem, however those who extrapolate from his remark that it is only a crash to suggest that he does not care are IMHO quite wrong. I think he was only putting the event in its true perspective, as being of slightly less importance than a security breach. I think he does care, very much, that "his" software works properly, that is what drives such people, who could earn much more financial reward elsewhere.
All of this is a matter of seeing the thing in its true perspective. If people did that, no-one at all would use the products of the Convicted Monopolist, and the world would be a very much safer place as regards computer security, and much more productive because there would probably be only one crash for 1000 or even 1000000 BSODs in inferior systems, which are riddled with fundamental design errors.
Re:Does this count? (Score:2, Insightful)
iow, if it doesn't make sense to you, that's completely fine. But it's not like OBSD is being hush hush, nudge wink with how they come up with their count.
imnsho, at least they have a standard or policy or rules or what have you for determining their remote hole count. Of all other OS makers, groups, and mfgs out there, I don't know of one other that keeps count, has a public statement of that count, gives publicly accessible rules for determining that count, and follows those rules. Linux sure doesn't--the sheer variation, number of distros, etc. has no one keeping a firm count. OBSD is more limited and applies it to their default install.
Personally, I like OBSD's claim and think it's valid, both in the areas of valid to make and valid as valuable to the OS user.
Compare them to other OS makers. When MS releases a security patch and months later Melissa or some other virus comes along and exploits it because people were too lazy to plug up their systems, I don't say "That's MS's fault." I consider that on incompetent or lazy users. Now, I realize many here on this forum will blame MS, and they do get boatloads of blame, but they also patched the damn thing. Sometimes with these patches, the patch itself reveals the error and makes it widely known; virus or exploit writers then go about taking advantage of that, comparing differences between patched and unpatched systems.
When Samba had that "caught in the wild" security issue last year, I don't say "well that's been in the wild 5 years" and then count that one bug multiple times against them for every Samba version released since then, or every update. Why not? Because that would be ludicrous. Likewise with OBSD, I don't say "well, that was out there since release X when Y code was added, hence that counts for every release since X until current as a bug".
Note with the last, this also reveals that people and communities innately have their own idea or standards on how "bugs" are counted against versions or releases. Most people would say Samba's bug they caught in the wild counts as 1 bug. And they'd be right. Not several via every Samba release since that code was written.
Same with OBSD. They have a standard, they found an issue, so does it apply to their policy for determining that count? No. Count doesn't go up.