BSD Operating Systems

FreeBSD 4.1.1 Includes RSA

Eladio McCormick writes: "Yeah, I know point releases are not by themselves huge news, but FreeBSD 4.1.1-RELEASE represents a major event, in that the base distribution now includes RSA. Info on the release is online." We've had a number of submissions about this one -- good to see the patent come off, and encryption working its way into more things.
  • by SirGeek ( 120712 ) <sirgeek-slashdot@nOsPAm.mrsucko.org> on Wednesday September 27, 2000 @03:24AM (#750883) Homepage
    Didn't they say they would never do a 4.x.x release? (only a 4.x)..
  • Does everything have to further Gnu Linux? There are people like me who prefer FreeBSD for server applications. This is a great step to make more secure FreeBSD servers (and the next step will probably be the various Gnu Linux distributions including this). Only FreeBSD did it first.
  • by jjr ( 6873 ) on Wednesday September 27, 2000 @03:34AM (#750885) Homepage
    This is the way servers need to be secure when you install them. I hope that more Linux distros start doing this also. When will they start incorporating RSA in their distros?
  • I'm rebuilding all my machines already :)

    dopp
  • and i just got 4.1 working right
  • by Anonymous Coward
    Is RSA being included in the filesystem, kernel, as a library, in ssh, what? Including RSA by itself does not mean a damn thing. Using it for some purpose might be interesting, depending on the purpose, but just including it does not.
  • Please use your mirrors. I know not all of them have updated, but there are a TON of mirrors (ftp..freebsd.org) and usually even there you have a number of ftp sites. Like, for instance, ftp5.freebsd.org has most of 4.1.1-RELEASE ready.
  • There are also people who prefer FreeBSD for desktop applications.
  • It's all good. The more cryptography gets into more computers, the more difficult it will become for governments to regulate it. Computers will become more secure, and crackers will become less of a black hat for government agencies. The Linux distros ought to follow suit. Before long, folks will be encrypting everything. THEN, the FBI will have to do real investigating, instead of trolling for leads with Carnivore. It means more freedom.

    -- Rich
  • So you get your feeling of "significance" from the Operating System on your desktop?

    I pity you...
  • by Baki ( 72515 )
    So? cvsup -stable, make world, make install
    then you have 4.1.1 working right.

    No need for reinstalls, ever. I've been upgrading FBSD for >5 years without one reinstall from scratch (moved dumps to new disks/hardware, cvsupped all the time) still my filesystems are perfectly clean and tidy.

    There is no other OS that could do that.
  • Nice troll....

    I often wonder if some people aren't almost serious, but you know posting that kind of stuff here with us close-minded zealots (speaking for myself) is just going to be modded to troll land..
  • by heliocentric ( 74613 ) on Wednesday September 27, 2000 @03:52AM (#750895) Homepage Journal
    I just downloaded red hat 7.0 and loaded it onto a test machine. I noticed on bootup that it loads some RSA stuff.

    Just letting you know that if you absolutely want to go play with this (something I plan to do now that I saw it's already on my test box) and the mirrors you are getting BSD from are full, red hat has it, too.
  • Debian [debian.org]. Maybe not for 5 years, but certainly 3.
  • by Anonymous Coward
    nuff said.
  • by MartinG ( 52587 ) on Wednesday September 27, 2000 @03:55AM (#750898) Homepage Journal
    > But this does nothing to get Linux onto
    > mainstream desktops.

    Nor does it do anything to make lemons bigger or encourage owls to explode.

    Perhaps that's because it isn't intending to do any of these things, and nobody is suggesting that it should?

  • > There is no other OS that could do that.
    NetBSD, OpenBSD...
  • I was following the discussion on -stable, and it looks like one of developers said something on IRC about a 4.1.1, and later said "well, I guess I'm stuck now." or something along those lines.

    -- Absinthe, absinthe@jlc.net
    http://www.landofsunshine.net [landofsunshine.net]
  • by Greyfox ( 87712 ) on Wednesday September 27, 2000 @03:59AM (#750901) Homepage Journal
    RSA's been patented for 17 years now. Look at the number of products that use it, and the ways it's used in those products.

    This time next year, look at the number of products that appeared since the patent expired, and the ways they use it.

    Where do you see the innovation happening?

  • I hate when people screw that up. "It's not that bloody difficult!"

    --
    Absinthe, absinthe@jlc.net
    http://www.landofsunshine.net
  • No, he's serious. I did a quick look at his previous postings, and this guy seems to get off talking down to folks about all their various opinions - the mark of a true M$ zealot.

    Perhaps we can get the powers that be to have everyone with a negative karma to automatically post at -1, so the rest of us can get on with our lives...just a thought
  • Ummm... if you're looking for flames, don't bother. You'll probably just be ignored.

    Wow! You're a |_33+ |-|/\X0|2Z! Wow!

    --
    Absinthe, absinthe@jlc.net
    http://www.landofsunshine.net
  • We've done it in 7.0 - since the timeframe was a bit short, we haven't SSLified everything, but there's still plenty of time for the next version...
  • hmmm... can anyone else make sense out of this one?

    --
    Absinthe, absinthe@jlc.net
    http://www.landofsunshine.net
  • Unless I missed something while looking through the sources, they've just added more tools/libraries (openssl, openssh, etc.), not modified the filesystem code in the kernel.
  • by bero-rh ( 98815 ) <bero&redhat,com> on Wednesday September 27, 2000 @04:16AM (#750908) Homepage
    Right, but it definitely adds to security and makes it easier to build a secure system.

    If someone sniffs on your connection and you're using telnet, enjoy.
    If someone sniffs on your connection and you're using ssh (basically == telnet+cryptography), not too much of a problem.
  • by Millennium ( 2451 ) on Wednesday September 27, 2000 @04:17AM (#750909)
    RSA actually isn't very complex (relatively speaking, of course). It's been in any decent college-level discrete mathematics textbook for years. CS students are taught to do it in their heads (mind you, the human brain is a lot slower than a computer at this sort of thing, but the algorithm holds).

    So no, it's no surprise that the BSD folks could get an implementation going. The Mozilla folks have had their OSS RSA out for a week already.

    And, oh yeah, _everyone_ wanted RSA, even when you had to pay for a license. What we were mad about was RSA's abuse of the patent system (never mind the issues of software patents; they had freely published this themselves for so long that in any sane country it would be considered prior art; in fact they published it for so long that even by the US system it should have been considered as such).
    ----------
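The post above says RSA is simple enough for a college discrete-mathematics textbook. As an added example (not code from FreeBSD, OpenSSL, or any poster in this thread), here is the textbook algorithm in Python on two constructed two-digit primes (p = 61, q = 53, public exponent 17): key generation, encryption, decryption, and the two properties of raw RSA, deterministic ciphertexts and multiplicative malleability, that are the reason real implementations such as OpenSSL's apply a padding scheme (PKCS#1) before exponentiation rather than encrypting the bare integer.

```python
# Added example, not code from FreeBSD, OpenSSL or the thread: textbook RSA on
# constructed toy primes, to show how short the core algorithm is and why raw
# RSA (no padding) must never be used as-is.
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(e, m):
    """Inverse of e modulo m, i.e. d with (e * d) % m == 1."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e has no inverse modulo m")
    return x % m


def keygen(p, q, e=17):
    """Build a toy key pair from two (constructed, assumed prime) values p and q.

    Returns (public, private) as ((n, e), (n, d)). Real keys use primes of
    about 1024 bits or more; these are two-digit primes for illustration only.
    """
    n = p * q
    phi = (p - 1) * (q - 1)  # Euler's totient of n when n = p*q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = modinv(e, phi)
    return (n, e), (n, d)


def encrypt(pub, m):
    """Raw RSA encryption: c = m^e mod n. m must be an integer below n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(priv, c):
    """Raw RSA decryption: m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def raw_rsa_is_deterministic(pub, m):
    """Encrypting the same m twice gives the same c, so an observer can match
    repeated messages without any key. Randomised padding removes this."""
    return encrypt(pub, m) == encrypt(pub, m)


def raw_rsa_is_malleable(pub, priv, m1, m2):
    """The product of two ciphertexts decrypts to the product of the plaintexts
    (mod n), so ciphertexts can be combined without knowing d. Structured
    padding makes such a combined value decrypt to garbage that fails
    the padding check instead."""
    n, _ = pub
    c1, c2 = encrypt(pub, m1), encrypt(pub, m2)
    return decrypt(priv, (c1 * c2) % n) == (m1 * m2) % n


if __name__ == "__main__":
    pub, priv = keygen(61, 53)  # constructed primes; gives n = 3233, d = 2753
    c = encrypt(pub, 65)
    print("public", pub, "private", priv)
    print("65 ->", c, "->", decrypt(priv, c))
    print("deterministic:", raw_rsa_is_deterministic(pub, 65))
    print("malleable:", raw_rsa_is_malleable(pub, priv, 2, 3))
```

With these numbers the whole computation fits in a few lines of arithmetic, which is the point the post makes; the two helper checks at the end are the equally textbook reason that "just including RSA" is not the same as having a usable encryption scheme.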
  • Nor does it do anything to make lemons bigger or encourage owls to explode.

    It might sound a bit silly, but this isn't actually such a bad idea. At least it would make for some killer marketing:

    FreeBSD.
    Encouraging owls to explode since the year 2000.
    --

  • RSA's been patented for 17 years now. Look at the number of products that use it, and the ways it's used in those products.

    This time next year, look at the number of products that appeared since the patent expired, and the ways they use it.

    Where do you see the innovation happening?

    The innovation happened when RSA was developed. Maybe, had they not gotten a patent, RSA would have never publicized their algorithm. Maybe instead they would have kept it as a trade secret, releasing only closed-source binary implementations of it. And as a result, it would have never received the peer review that it has, and all of those products that will begin using RSA encryption in novel ways over the next year would never get that opportunity. The point of the patent system is to encourage inventors to disclose how their inventions work. And in this case, that's exactly what it did. You can argue that maybe patents shouldn't last as long as they do. But RSA is not the best case for demonstrating that the patent concept is fundamentally unsound.

  • Will this now give FreeBSD the power to actually give OpenBSD some competition? Imagine these 2 OSes going after the title of "most secure OS, out of the box". That would rock.
  • it has to do w/ the level of integration, RH7 has the RSA stuff, it just doesn't go as deep. Just wait for 7.1 or whatever if you don't wanna go BSD.
  • Total non sequitur. You've read so much between the lines that it appears you didn't read the original lines. You are the one who comes over very poorly with your follow-up.

    FatPhil
  • What is flamebait about this comment? The fact that it is cid=1?

    Learn to moderate.

  • I really think people are going over the top with encryption - we'll be encrypting water molecules as they enter our homes next!

    I don't want to encrypt my entire HDD - data recovery is much harder, it's slower, until the encryption is done in hardware, it's unnecessarily complicated, something that is NOT a good idea in a filesystem, and offers no benefits over simply encrypting your sensitive data in an archive.

    I guess there would be scope for an encrypted partition for /some/ people, but nearly no-one needs this (the government really doesn't CARE about most people at all). Certainly only idiots would encrypt their root filesystem.
  • So you get your feeling of "significance" from the Operating System on your desktop?
    Significance has nothing to do with it. Linux is supposed to be about choice. Well, some of us chose FreeBSD instead. I run both. Linux has its advantages, as does BSD. I tend to go more towards BSD for several reasons but sometimes I use Linux. Other people feel the same way.
  • This is a FTP-only release, to integrate the overseas and US versions of FreeBSD.

    The release of RSA was deemed important enough to warrant this. It gives a convenient install point for those of us who want RSA on a production system and don't want to bother with upgrading after install.

    After all, 4.1-RELEASE is rock-solid, there's no other reason to upgrade.

  • why isn't it on there already?

    on 4.0 and 4.1 just do this:

    cd /usr/ports/security/rsaref
    make
    [hit enter to agree]
    make install
    vi /etc/inetd.conf
    [insert the lines]
    sshd_enable="YES"
    inetd_enable="NO"
    sendmail_enable="NO"
    portmap_enable="NO"
    syslogd_flags="-s"

    much more secure eh?
  • Yeah, and every time I touch the network settings, or perform some other essential MS function like moving the mouse, I can spend half the day rebooting. I'll stick with my BSD and Linux.
  • We often criticize Windows for being "bloatware", but, come on, do we really need RSA included with our operating systems? It's a 3-second download. All the linux distros keep including surreal quantities of insecure crap in the default install. A 2GB drive provides barely enough room to install the latest Redhat w/ a swap partition. That is completely insane. Then of course, there's all kinds of fun exploits on 90% of the installed programs, most of which are useless crap. I mean, chargen? WTF needs that? The latest wuftpd SITE EXEC vulnerability (again, default) is just another example of how insecure this half-assed written, feature-driven evolution of open source software of today is. ("Ooh, it would be neat if you could execute remote commands via FTP! Who needs a TERMINAL when you've got FTP??") Notice the closed source NIX's like SunOS and IRIX don't have this problem. And a default install of any version of Windows doesn't either! And it never could! Why? Because random crap is not included with Windows the way it is with Linux distros. I can see why by default, say, xpdf is installed, but, Apache?! No wonder the open source alternatives are lagging behind in terms of desktop use vs. server use. Maybe once someone realizes that in order to properly market open source software, they need to go in and take out all the "that would be cool" half-assed written crap, and maybe then, consumers can begin to respect Linux/FreeBSD for security, reliability, and ease of use, as they should.
    ---
  • LOL!
    Damn you!
    I just spat a mouthful of coffee all over my shiny new SGI monitor laughing at that!!!

    Strong data typing is for those with weak minds.

  • Isn't it /etc/rc.conf?? Also (bear with me, somewhat new to FreeBSD, but not *nix), couldn't you just download and compile the ssh stuff, and do this all manually if you had to??
  • by IGnatius T Foobar ( 4328 ) on Wednesday September 27, 2000 @04:57AM (#750924) Homepage Journal
    This isn't directly related to RSA, but it got me thinking: now that strong crypto isn't considered a 'munition' anymore, it'd really be a good time to start including the IPSEC hooks for FreeS/WAN in the stock Linux kernel. FreeS/WAN is a great package, and it enables really good VPNs to be done on a shoestring. Unfortunately, it requires a kernel patch. I'd like to see the relevant IPSEC hooks in the stock kernel now.
    --
  • this sounds like a commercial for freebsd. freebsd wouldn't touch wuftpd with a 10 foot pole. by default, you have only sendmail and inetd running (telnet/ftp/finger, etc).

    i agree, however, that releasing a 4.x.y for rsa has a little "that would be cool" flavor to it, but freebsd really doesn't install random crap like linux.
  • What about safe, unsnoopable FTP sessions? I'd like that when I'm constantly logging into an FTP site to upload a webcam pic(ChillCAM refuses to stay connected for some reason, which ticks me off)
  • None of the mirrors have the ISO for 4.1.1 as of right now (1104 EDT, 27 Sep 2000), and WC's site has all 3000 connections going. A bit of a problem for those of us who like the ISOs.
  • And a default install of any version of Windows doesn't either! And it never could! Why? Because random crap is not included with Windows the way it is with Linux distros.

    You've obviously never installed NT or 2000 Advanced Server. Talk about useless stuff being installed and running.

    My personal favorite is the qotd (Quote of the Day) server. VERY useful.

  • The algorithm was made public as part of Rivest's paper at MIT before the patent was applied for, much less granted.
  • by drudd ( 43032 ) on Wednesday September 27, 2000 @05:35AM (#750930)
    They've dealt with this issue on the kernel mailing list, and I believe the problem is that it would prevent the kernel's distribution in other countries which still don't allow the export/import/use of crypto. Since nobody wants to cut out potential users of Linux, crypto will have to remain an extra patch.

    Doug
  • by reg ( 5428 ) <reg@freebsd.org> on Wednesday September 27, 2000 @05:39AM (#750931) Homepage
    This is not something "new" for FreeBSD. For some time the base system has included RSA based encryption (for OpenSSH). What is new is that there is now only one distribution, not a USA version and an International version.

    What occurred in the past was that the RSA code could come from two sources - a USA patented version, which required a licence for commercial use, and an international free version (which was also cleaner and faster). If you were a USA resident you were required to install the librsa port to obtain RSA based encryption.

    Since the changes in the patent, there is now no need for the RSA Data Security library, and so the international library is used in all cases, and we no longer have to have two separate distributions, and all of the Makefile goop to handle having two slightly different libs for USA/non-USA.

    It also means that RSA can be used commercially without a licence.

    Regards,
    -Jeremy (reg@FreeBSD.org)
  • by sjames ( 1099 ) on Wednesday September 27, 2000 @05:40AM (#750932) Homepage Journal

    The innovation happened when RSA was developed. Maybe, had they not gotten a patent, RSA would have never publicized their algorithm. Maybe instead they would have kept it as a trade secret, releasing only closed-source binary implementations of it.

    RSA was published before a patent was granted (and before an algorithm could be patented at all, indicating that the work was done under the belief that it could NEVER be patented), and was developed with public funds. The patent was an afterthought. The patent system encouraged nothing but price gouging.

  • OpenBSD has sftp support now. http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/Makefile
  • If you don't want the half-assed written crap, click that little button that says "Select individual packages" or whatever, and deselect them. You don't want wu-ftp? Don't install it. Don't want application xyz? Don't install it. If you don't want it to be insecure, don't be lazy, take the time to NOT install the insecure software packages. It's really easy, and only takes ~5 mins to do it. That is exactly why Red Hat put the "Custom Install" option in their install program to begin with. When you do the "Workstation install", you get what they think you *might* want, even when you *might* not want it. It's not Red Hat's fault that you are lazy when it comes to installs, so don't try to blame it on them.

    A 2GB drive provides barely enough room to install the latest Redhat w/ a swap partition

    I just put 6.2 on my machine last night. I put KDE and Gnome, and a 128M swap all in under 650M of space combined. I don't know what your problem is....


    -- Bucket
  • All the linux distros keep including surreal quantities of insecure crap in the default install. A 2GB drive provides barely enough room to install the latest Redhat w/ a swap partition
    So don't do the default install. All the distributions give you the option to specify what you want installed, either in broad categories or in minute detail.

    If you really aren't capable of ticking a few boxes, then I suggest you try Debian, which starts hardly any services after installation and leaves you to configure the rest after installation. But if you have problems ticking boxes, I don't suppose you'll get past the Debian installer.

    Notice the closed source NIX's like SunOS and IRIX don't have this problem
    They don't have to cater for a home desktop installation; they would normally be installed on a commercial/academic site by a technician. Hardly compares. And if you think they don't have exploits in default installations, what have you been smoking?
    And a default install of any version of Windows doesn't either! And it never could!
    Ah, I see the problem, you're posting from an alternative universe. In this universe Windows is insecure and has ludicrous installation defaults.
    maybe then, consumers can begin to respect Linux/FreeBSD for security, reliability
    And in our universe some of your points apply to Linux but none at all to FreeBSD. Stick to your own universe or learn more about ours. Your choice.
  • yeah you spotted the deliberate mistake :) /etc/rc.conf is the file i meant.

    freebsd ships with sshd & ssh by default but moans when you try to run them because the correct libraries are not present. to get ssh / sshd running you just make rsaref or librsa depending on where you are.

    if you really want to you could do it manually :)

  • Please click on "parent", the Slashdot threaded view doesn't always display the correct parent. My remark was to another posting, and I didn't need to read between the lines at all on that one.
  • it's an ftp-only release, no CDs will be burnt until November when 4.2 will be rolling our way.

    There were a lot of people who wanted to ditch rsaref and use better RSA implementations, so this release grants them that ability, for the small price of a little bandwidth.

    "Don't trolls get tired?"
  • For me, it's more than just RSA.

    They also added hardware watchpoints to gdb :-) It will be WELL worth the bother upgrading one of my development boxes just for that alone. Maybe you aren't a developer, but I have been wishing for some kind of hardware breakpoints for a long time. You haven't really lived until you spend a half day trying to find out which line of code in a multi-threaded or multi-process server is fiddling with that data...

    There are a few other nice improvements, but this is enough reason for me to snarf 4.1.1

  • I hate replying to an AC troll, but this AC does have a point. Even things such as setting the defaults in orbitrc to be ORBIIOPIPv4=0
    ORBIIOPIPv6=0 would be great start. The RHAT defaults are a little unusual, but overall I have to say keep up the good work. RHAT 6.2 is the in-house OS used on any proliants, and it, with kickstart, has worked out pretty well.

    "Don't trolls get tired?"
  • the big deal is that there isn't a USA and an international flavor anymore, there's one, count 'em one, flavor of RSA, and everything can feel free to depend on it.

    what occurred was a very useful change, it gets rid of a lot of USA_RESIDENT dependencies, simplifies things, and lets us Americans use RSA commercially without a license, and use a fine implementation of it too.

    oh, and as long as you're securing your system, shouldn't you change syslogd_flags to "-ss", have a firewall_enable="YES", edit rc.firewall appropriately and choose a firewall_type, edit Xservers in /etc/X11/xdm to have a -nolisten tcp option tagged on... if you're running gnome, you probably want ORBIIOPIPv4=0
    ORBIIOPIPv6=0 added to your /usr/local/etc/orbitrc, kern_securelevel_enable="YES" should be set as well as kern_securelevel="3"...etc etc etc...

    "Don't trolls get tired?"
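The rc.conf list in the "why isn't it on there already?" post and the additions in the post just above (syslogd_flags "-ss" instead of "-s", firewall_enable, kern_securelevel) together describe a default-off posture for a freshly installed box. As an added example (not from the thread and not FreeBSD's own code), here is a small Python checker that parses an rc.conf-style file and reports which of those knobs are absent or set to the weaker value, then emits the corrected lines. It assumes the file is /etc/rc.conf, as the follow-up to the first post corrects, and the sample input below is constructed from the first post's list; the orbitrc settings live in a different file and are not covered.

```python
# Added example (not from the thread or from FreeBSD): audit an rc.conf-style
# file against the hardening knobs the two posts above mention.
import re

# Wanted values, taken from the posts: the first list plus the later additions
# (syslogd_flags "-ss" rather than "-s", firewall and kern_securelevel).
WANTED = {
    "sshd_enable": "YES",
    "inetd_enable": "NO",
    "sendmail_enable": "NO",
    "portmap_enable": "NO",
    "syslogd_flags": "-ss",
    "firewall_enable": "YES",
    "kern_securelevel_enable": "YES",
    "kern_securelevel": "3",
}

# name="value", name='value' or name=value, with an optional trailing comment.
ASSIGN_RE = re.compile(
    r'^([A-Za-z_][A-Za-z0-9_]*)=(?:"([^"]*)"|\'([^\']*)\'|([^\s#]+))\s*(?:#.*)?$'
)


def parse_rc_conf(text):
    """Return {name: value} for every plain assignment in text.

    rc.conf is sourced by sh, so a later assignment overrides an earlier one;
    the dict keeps the last value, as the running system would.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m is None:
            continue  # not a plain assignment (e.g. an if/fi line); skipped
        name, dq, sq, bare = m.groups()
        settings[name] = dq if dq is not None else sq if sq is not None else bare
    return settings


def audit(settings, wanted=WANTED):
    """List (name, found, wanted) for each knob that is absent or differs.

    found is None when the knob is not set at all; on FreeBSD the value from
    /etc/defaults/rc.conf then applies, which for these knobs is the weaker
    one (assumption: the defaults file has not been edited).
    """
    return [(name, settings.get(name), value)
            for name, value in wanted.items()
            if settings.get(name) != value]


def hardened(settings, wanted=WANTED):
    """Return the settings with the wanted values applied, as sh-style
    double-quoted lines ready to write back to rc.conf."""
    merged = dict(settings)
    merged.update(wanted)
    return [f'{k}="{v}"' for k, v in merged.items()]


# Constructed sample modelled on the first post's list; not a real file.
SAMPLE_RC_CONF = """\
# constructed /etc/rc.conf sample
sshd_enable="YES"
inetd_enable="NO"
sendmail_enable="NO"
portmap_enable="NO"
syslogd_flags="-s"   # -s refuses remote messages; -ss opens no network socket at all
"""

if __name__ == "__main__":
    found = parse_rc_conf(SAMPLE_RC_CONF)
    for name, have, want in audit(found):
        print(f"{name:<24} have {str(have):<6} want {want}")
    print("\n".join(hardened(found)))
```

Run against the sample it flags syslogd_flags ("-s" where "-ss" is wanted) and the three knobs the first list never set. One caveat on the last of them that a practitioner would want before pasting the output back: at kern_securelevel 3 the IP packet filter rules can no longer be changed and the level cannot be lowered without a reboot, so the firewall_type and rc.firewall edits the post mentions have to be right before securelevel is raised.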
  • Because random crap is not included with Windows

    [sarcasm]

    Because, as we all know, Minesweeper is not crap. It is crucial to the OS.
    [/sarcasm]
    -jerdenn
  • Actually, I don't. But I do feel that if you think Linux should be around for a while you want to get it to the desktop.

    I honestly believe, and will continue to do so for some time until I see evidence to the contrary, that the only reason NT is used as a server for applications is because of its dominance of the desktop.
  • I don't think you understood. I don't think Linux is ready to be a mainstream desktop yet, and don't think it's viable for servers until it is. Bigger backing for existing Solaris, AIX, and HPUX will ensure they dominate servers.

  • Well, the Gestapo liked to do "real investigating" and there was lots of secrets and not a lot of safety.

    If the FBI felt the need to go a little wild and beat or intimidate information out of people and didn't have Carnivore to spy on them it would go out and do it. I think we may be safer without encryption, but I agree we won't be more free.

  • a) Data recovery is always going to be tricky with a multitasking multiuser OS.


    b) If you only encrypt your 'sensitive' data, then whoever you're hiding from knows what you think's important, leaving them with only a few hundred K to decrypt. However, if your whole hdd is encrypted, then they'll have to dig through multiple gigs of Metallica MP3s in order to find your plans for bombing the UN building.



    Note: This post is not an endorsement of MP3 piracy. Piracy is bad, and will cause Lars Ulrich's children to starve. Do you really want to know that you killed children in order to save $15 on some music that your parents wouldn't want you listening to anyways? DON'T DO IT
  • I hope there is a lot more implementation of RSA stuff in future releases of both Linux and FreeBSD OSes.

    An accepted crypto standard that is in use today that can be FREELY used on an open source OS box makes that OS more palatable to "corporate buyers". Which in the end means more resources for the entire OS community.

    p.s. YMMV but NO .0 release of RedHat has been any good IMHO (4.0,5.0 & 6.0) wait for 7.1 or 7.2 >

  • Patents were originally designed to cover processes. If you had a widget, then the patent would encourage manufacturers to release their way of making widgets, for the benefit of preventing others from making widgets for the period of the patent. This was needed because you can't look at a physical object and know how it was manufactured.

    However, if an algorithm is used in a software product, then it's not impossible for a suitably skilled & equipped programmer to work out what that program is doing, and reproduce it. The process is inseparable from the implementation. In many cases, the exact process used isn't needed, just the concept that it's possible. I don't need to know how widgetsoft's right justification algorithm works, I can make my own. The chances are that my algorithm will be either the same, or quite similar.

    I think that explicitly legalizing reverse engineering would be a much better way of ensuring that algorithms are not kept proprietary.

  • There are lots of things that I don't want to do. Doesn't mean that I can't see others having value in doing it.

    However, I can certainly see the value of an encrypting filesystem. I'd save my mail on it, so that if someone was to open the case on my system and remove the drive, it doesn't do them any good. Everyone has some files they'd like to keep private. Unless you go for secured hardware, encryption is the only way to do this. Unless the program supports encryption natively, then an encrypting filesystem is the second best option.

  • I thought that windows _WAS_ random crap.
  • Your complaints about bloat are exactly why OpenBSD exists, and a major part of why OpenBSD is more secure than other Unix distributions.

    OpenBSD does include a lot of extra junk, but a default installation has Apache, etc turned off by default.

  • Actually, process patents are a new thing. Patents were intended to cover actual products. For a long time, patent law said that you couldn't patent anything except physical things.

    Personally, I think it should still be that way.
  • How much crap did you put in? I got enough in to boot and run KDE/Gnome and netscape. Everything else was out.
    -- Bucket
  • The native OpenSSL RSA code was added back to OpenSSL (international people have already been using this since the beginning), meaning OpenSSH can now speak SSHv1 out of the box where before you had to install the rsaref library separately, and not everyone was allowed to use it.

    The biggest upshot is that a default FreeBSD installation will come up running OpenSSH and speaking both SSH1 and SSH2 protocols when you reboot it after completing the initial installation.
  • Not really... They simply used the international version of RSA which is now publicly available. The code was released for quite some time, it is simply the patent that was preventing it from being distributed with the base OS.

    ---
  • Well, as much as I hate to say something which might dispel your impression that BSD developers are amazing :-) this was actually very simple to achieve and involved REMOVING code which was keeping RSA *out* of the US version.

    International folks have had real RSA since 4.0-RELEASE (and this was enabled by default on the releases by some third party CD distributors) - but as of 4.1.1 the main BSDi release of FreeBSD will have it enabled for all users.
  • Stay tuned. FreeBSD 5.0-CURRENT has working sftp support (as does OpenBSD, where the code came from). It will likely be backported to 4.1.1-STABLE in a week or two.
  • Unless I missed something while looking through the sources, they've just added more tools/libraries (openssl, openssh, etc.), not modified the filesystem code in the kernel.

    That's right. FreeBSD is not just a kernel, it's a whole operating system! *ducks* ;)

  • Not only that, but Rivest did a "stealth release" of the paper - handing them out unannounced at the start of the meeting where he presented it.

    One of the people in the audience then made a few hundred copies of his copy and anonymously snail-mailed them to potentially interested open-cryptography researchers all over the place.

    The idea was to keep the US security agencies from putting this genie back in the bottle.

    (Of course the US-only patent effectively kept open-source software authors in the US from using it, while the export rules kept the US commercial software authors in check. Smart move on the gov's part...)
  • I think a decent implementation of RSA does get more complicated. But you're right; the basic algorithm is pretty simple.

    Also, unless I am misremembering, I think it's not illegal to experiment with patented ideas. Coding up RSA for research purposes, even if what you are researching is the feasibility of folding it into BSD when the patent expires, shouldn't have been illegal. They were probably working on it for a while.

  • b) If you only encrypt your 'sensitive' data, then whoever you're hiding from knows what you think's important, leaving them with only a few hundred K to decrypt. However, if your whole hdd is encrypted, then they'll have to dig through multiple gigs of Metallica MP3s in order to find your plans for bombing the UN building.

    However, if your whole hdd is encrypted, then they'll have multiple gigs of Metallica MP3s to perform cryptanalysis on too...
  • If you want to be pedantic about it, FreeBSD 4.1.1 will never "ship" in any case. Plus, you don't have to be running 4.1.1; you could be running a -STABLE snapshot from before 4.1.1's release at the time just after the RSA announcement that Kris had tested the unified build (OpenSSL RSA, not RSAref, etc.)

    --

  • It's still going to be hard for FreeBSD to compete. OpenBSD has the advantage of being based in Canada, where there are no restrictions on the export of encryption. The encryption projects won't accept any patches from the U.S. at all. OpenBSD has high level encryption in the kernel, while FreeBSD has had trouble even including DES. The current encryption stuff for FreeBSD comes as libraries ported from OpenBSD. The FreeBSD people can't develop the code, they can only distribute it. No kernel crypto, just stuff for applications. The standard Linux kernel doesn't have cryptography either. And the International Kernel Patch authors will not accept patches from Americans. It's still possible for FreeBSD to do stuff because export restrictions have been relaxed. But we're still subject to some restrictions. We can't allow countries on the terrorist list to obtain the code or develop it. And the government has to approve exported code. It's enough of a nuisance that it's still preventing things from happening. It's still enough to keep crypto out of the Linux kernel.

    It's the stupidest thing. America invents so much encryption technology, but we have to use foreign implementations!
  • It wasn't a comprehensive guide to securing a machine, more an idea of how to get it to the state it should be out of the box.

    For a machine in an aggressive environment I'd be doing stuff like installing ipfw, changing setuid & setgid binaries, mounting filesystems ro, removing compilers, installing tripwire with the db on a ro floppy, monitoring logs closely, installing fake binaries, removing unused accounts etc...

    Of course you could just unplug the damn machine
  • After all, 4.1-RELEASE is rock-solid, there's no other reason to upgrade.

    There is a security hole fixed in 4.1.1.

  • Cryptography is not all that OpenBSD is about. OpenBSD more importantly is about highly audited code at the operating system level. That's why most vulnerabilities have been proactively fixed. Cryptography will do nothing for you if the application that uses it is vulnerable due to coding mistakes. SSH+RSAREF come to mind.
  • I meant the process of making a physical item. For example, the process where aluminum is made from bauxite.

    If someone gives you some aluminum, and some bauxite, it's not obvious how you got one from the other. You need the patent in order to find this out. If someone gives you ronco's patent electric egg scrambler [ronco.com] (in the shell no less), then you can take it apart and find how it works.

  • Personally, I think it's a crime the way the Wu Tang Clan has been a victim of the US Government's conspiracy to suppress rap music by outlawing the works of RZA and others for export. They are making it illegal to listen to the Wu, and that's against the first amendment guaranteeing freedom of information which needless to say should be free to make its own (albeit informed) opinions.
  • Go look at The US-based kernel mirrors [kernel.org] and tell us what you see there.

  • So how does this conflict with what I said? I didn't say the intl kernel patch couldn't be hosted on a US site. I said it's not integrated into the kernel and there are no plans for it to be. And I said that the IKP developers will not accept patches from people in the US. If it were to be integrated into the kernel, it would immediately be subject to U.S. export restrictions because Linus is in America. And if he wasn't living in the US, it still wouldn't help because there are many other kernel developers in the U.S. All their code would have to be removed and no patches could be accepted from any American. Unless of course Linus decides to go through the export control bullshit.
  • Sorry. In a way similar to your article's parent, your article could have been an equally misguided retort to the original. I wish slashdot would indicate that there are missing articles in the thread.
    I was wrong, ooops.

    Phil
  • Great! I've been waiting for sftp in OSSH for a while now! Yummy
