Contributed by jose on from the incremental-improvements dept.
Open-source team fights buffer overflows
By Robert Lemos, CNET News.com

Because of copyright, we can't reproduce the whole article. The original article is on the news.com website, however. This is from Theo's talk he gave at this year's CanSecWest in Vancouver. It was a great talk; hopefully the material will be online. Very cool stuff afoot in 3.3 and -current, keep your eyes peeled.

"The OpenBSD project hopes new changes to its latest release will eliminate 'buffer overflows,' a software issue that has been plaguing security experts for more than three decades."
Update: de Raadt's slides from CSW03 are online on the OpenBSD papers site. Look forward to the audio being available on the CanSecWest site, hopefully soon.
By Anonymous Coward () on
If you attend one of these, it should be your DUTY to record it. Share the information with the rest of the world. Not everyone can attend.
Thank you.
By Aasmund () on
I would prefer some xfig sketches...
By grey () on http://www.cansecwest.com
Dragos is a smart guy and already knows this, and has been recording the CSW's in previous years on video. And this year at the very least, audio was grabbed straight from the mixing board.
Dragos also realizes that not everyone who would like to, can attend. To mediate concerns for those who could not attend: there were shoutcast streams during the conference (apparently maxed at 150 users; they were asking for more reflector sites). I know several people who took advantage of that fact, some of whom even ripped the streams to their hdd's for archival purposes in the unlikely event that archives won't appear. The shoutcast sites were mentioned on the cansecwest website, as well as a few disparate IRC and silc channels.
For those who missed the shoutcast streams too because they didn't know about it, or because there wasn't enough bandwidth, fear not. Purportedly the mp3's of the talks will be up shortly on the CSW site. For the first time Dragos even said that video from the past four cores will be up on the site soonish too (keep in mind the video footage archives have never made it public as it takes some effort and bandwidth to get all that going).
For those who couldn't attend, that should be more than sufficient I imagine - but patience is required. Moreover, I'm not 100% sure if that information will be made available to non-attendees (though presumably it will be, and if not, I'm sure it will channel out). When conference materials are online, you will get them as fast as attendees this year as there was no CD passed out at the end of CSW.
I hope that addresses some concerns about materials for the talks being made available. Keep in mind, I am not an official spokesperson for CanSecWest - merely an attendee; my information might be completely wrong (though I've tried to make it otherwise).
As far as something that I as an attendee might be able to offer: I might polish up a kind of talk-by-talk summary/personal note-taking for posting here, but keep in mind a few things about something like that:
1. I might have taken incorrect notes and munged a lot of details.
2. Some of the stuff presented at CSW is quite frankly beyond my understanding, in such cases it will be extremely likely that I'll screw up and get something wrong. Naturally, I could just pretend I took a lot of poor notes (the #1 excuse, but in actuality I took no notes, so it would be entirely from memory meaning that #1 isn't even a real issue, it's far far worse ;).
3. I am not a journalist, and despite best intentions, have no real obligation to hide things like bias, or pretend to be objective, or hell even report the facts. (ie maybe you could even expect lots of jose & Theo 0wn'z0r3d CSW! comments if I end up finishing up that post-report dealio ;)
By Kay () on
http://www.heise.de/newsticker/data/odi-13.04.03-000/
By Anonymous Coward () on
It's awfully funny how the sheep troll this place and are so one-sided when it benefits them, yet so defensive when they feel they were violated.
By Troll Hunter D () trollhuntahdee@a-larting-we-will-go.smash on http://www.trl.ibm.com/projects/security/ssp/
Did you also notice that Etoh himself mentions OpenBSD usage? As someone else noted, Etoh also has commit access. While the article may have botched it, the OpenBSD community (and the security field as a whole) do give proper credit. And since journalists are known for missing things that don't matter to the community, the only person who is being one-sided and missing things (who is seemingly) within the community is apparently you.
I'm sick and tired of all the trash coming from trolls and projects like GRSecurity and MicroBSD claiming things about OpenBSD that no OpenBSD developers (nor most users) have ever uttered, and saying that OpenBSD developers don't give credit where credit is due. Etoh has most definitely been credited within OpenBSD. And, as far as the article goes - well I didn't see it posting any form of redistribution of ssp/pp/ProPolice so I don't think he's actually obligated to credit anyone.
OpenBSD is not perfect, but they're also not at fault here - get your facts straight and piss on another tree.
By Anonymous Coward () on
http://marc.theaimsgroup.com/?l=openbsd-misc&m=90224011404958&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=94538181700598&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=94536741320829&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=102747879924140&w=2
By Anonymous Coward () on
Indeed, it gives me some ideas. It looks like they're human, and have the capacity to change their mind as far as what is useful to spend time as things progress.
To quote Theo: "We've just never written code to protect the stack, because that's really difficult."
Looks like Etoh's efforts helped out in some regard, most likely along with different interests, funding, etc.
Other interesting things come from looking at a historical approach to this (which is something I am glad was raised, since more people should do it).
While OpenBSD developers were quite outspoken about some of the potential pitfalls of things like stack protection (false sense of security, bugs still there just harder to exploit, etc.), I'm not too sure if even now they're ready to eat their words on that just yet. However, it is interesting to notice that with the ProPolice et al. integration, they used that as an opportunity to discover more bugs; one thing you'll notice in other postings (before and after PP, W^X, etc.) is that Theo was concerned about whether Immunix et al. revealed any bugs. Well, it certainly has been true of OpenBSD's efforts at incorporating these sorts of technologies: some bugs were found in the new software (e.g. fixes to PP), but more importantly, bugs were found in the existing software base.
Somehow, I just don't think that the OpenBSD developers are going to curl up with the PP & W^X safety blanket and turn a blind eye to new problems revealed.
And, they're not the only ones who can benefit from similar levels of scrutiny and precaution.
By Anonymous Coward () on
> capacity to change their mind as far as what
> is useful to spend time as things progress.
everyone changes their mind all the time, but few admit it openly, especially if it's inconvenient. or put it another way, would you please ask Theo & Co. why they changed their mind in this case? i'm really curious.
> To quote Theo: "We've just never written code
> to protect the stack, because that's really
> difficult."
if it was really difficult, how come they released the initial non-exec stack implementation on all supported archs in a matter of weeks and the changes aren't like thousands of lines of code (i'm assuming here that the openssh exploit triggered it, but it's probably closer to the truth than they would admit it)?
> However, it is interesting to notice that with
> the ProPolice et al integration, that they used
> that as an opportunity to discover more bugs,
> one thing you'll notice in other postings
> (before and after PP, W^X etc) is that Theo was
> concerned about whether Immunix et al revealed
> any bugs.
Theo was concerned with finding an excuse, not bugs. propolice was incorporated for protection, read the presentation or his posts on the topic. if it finds a bug every now and then, all the better but it's not a show stopper (and never has been), apparently.
> Somehow, I just don't think that the OpenBSD
> developers are going to curl up with the
> PP & W^X safety blanket and turn a blind eye
> to new problems revealed.
you haven't read his presentation, have you. check the page entitled "Killing Buffer Overflows" (quotes are his) stating among others that "By combining 5 technologies, we can make buffer overflows basically unexploitable" (quotes are mine). talk about being overly confident (and wrong).
> And, they're not the only ones who can benefit
> from similar levels of scrutiny and precaution.
indeed, other systems have had these features (properly implemented, unlike OpenBSD) for years now.
By grey () on
"would you please ask Theo & Co. why they changed their mind in this case? i'm really curious."
I think you can do this as easily as I can, try posting to misc; I might understand your tenacity on this if you would use your own handle too. I don't really have a beef in this case, so please pursue it on your own. From things I've gleaned from listening to resources: Theo has been pushing developers in new directions, especially given (as you mentioned) the openssh vulnerability last year, and the fact that the DARPA grant money from 18 months ago obligated them to certain improvements, and they have continued to look towards new directions to grow in.
"you haven't read his presentation, have you. check the page entitled "Killing Buffer Overflows" (quotes are his) stating among others that "By combining 5 technologies, we can make buffer overflows basically unexploitable" (quotes are mine). talk about being overly confident (and wrong)."
Actually I did read the presentation, while he was presenting it last week (I was sitting in the front row throughout CanSecWest). And, if you had been sitting in the audience (or even listening to the shoutcast stream) he stated (and I'm going to paraphrase, since I don't remember the precise words):
I have to put that claim in quotes, because if I say that here I will get challenged immediately. But for the average kiddie, these things should make life a lot more difficult. And I don't care if we make some kiddies go crazy and die.
(When Dragos puts up the shoutcast/mp3's of the talks feel free to correct that paraphrasing, my memory is not perfect). Oh, and if something is already in quotes, the convention to quote it is to use nested quotes as follows (it might eliminate some confusion, especially in instances where the author made extremely intentional use of quotes vs an outright claim as you seem to perceive it):
"'Killing Buffer Overflows'"
"indeed, other systems have had these features (properly implemented, unlike OpenBSD) for years now."
Please _name_ these SYSTEMS. I can only guess that you are referring to PAX/GRSecurity work, which:
A. Is not an operating -system- (it's a collection of patches) project and has different goals than OpenBSD based on that fact alone, let alone other conflicts [gpl, vs bsd, functionality, etc].
B. According to further discussions at CanSecWest (by Theo and others) violates POSIX, and as such, despite potential benefits gained - is not necessarily an ideal solution for certain systems; especially for an operating system project which has stated as one of its goals:
"Track and implement standards (ANSI, --POSIX--, parts of X/Open, etc.)" [POSIX emphasis added]
Also, since you have read the paper, you will note that there are certain aspects of the W^X, PP, etc. implementation that are still being worked on, intended for a 3.4 release. It is relatively new to the tree, and is not in a polished final state, by Theo et al.'s own admission.
By Anonymous Coward () on
next, speaking of PaX/grsec, what exactly do they violate in POSIX? the fact that certain mmap/mprotect protection flags combinations are explicitly not supported is well within the spec, feel free to check it yourself. in fact, OpenBSD is (and has been) in violation because the spec says (quoting from the mmap page):
------------------
If an implementation cannot support the
combination of access types specified by prot,
the call to mmap() shall fail.
------------------
get it? if your system cannot provide PROT_EXEC, then every mmap/mprotect request not specifying it should fail, yet they don't on OpenBSD (and many others, i might add). are you speaking your mind then or what Theo feeds you?
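As an added example (not code from the thread, from OpenBSD, or from PaX), a small C probe that asks mmap() and mprotect() for each combination of PROT_READ, PROT_WRITE and PROT_EXEC and reports whether the implementation refuses the request, as the quoted POSIX text requires for combinations it cannot support, or grants it. On a kernel enforcing W^X the writable+executable requests fail with an error; on most other systems they are granted. All function names are this example's own.

```c
/* Added example: probe how this system answers mmap()/mprotect() requests
 * for each combination of PROT_READ, PROT_WRITE and PROT_EXEC.  POSIX says a
 * combination the implementation cannot support must make the call fail, so a
 * W^X-enforcing kernel refuses writable+executable mappings outright rather
 * than silently granting something else.  Names here are the example's own. */
#define _DEFAULT_SOURCE 1   /* expose MAP_ANONYMOUS on glibc under strict -std */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Render a prot value as "rwx"-style flags, e.g. PROT_READ|PROT_EXEC -> "r-x". */
const char *prot_string(int prot, char out[4]) {
    out[0] = (prot & PROT_READ)  ? 'r' : '-';
    out[1] = (prot & PROT_WRITE) ? 'w' : '-';
    out[2] = (prot & PROT_EXEC)  ? 'x' : '-';
    out[3] = '\0';
    return out;
}

/* Ask for one anonymous private page with the given prot.
 * Returns 0 if the kernel granted the mapping, otherwise the errno it set. */
int probe_mmap_prot(int prot) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno ? errno : EINVAL;   /* stay non-zero even if errno is 0 */
    munmap(p, len);
    return 0;
}

/* Map a page with `initial`, then ask mprotect() to change it to `wanted`;
 * a W^X policy is usually enforced here as well, not only at mmap() time.
 * Returns 0 if the change was granted, otherwise the errno from mprotect()
 * (or from mmap(), if even the initial mapping was refused). */
int probe_mprotect_change(int initial, int wanted) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, initial, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno ? errno : EINVAL;
    int rc = mprotect(p, len, wanted);
    int saved = (rc == 0) ? 0 : (errno ? errno : EINVAL);
    munmap(p, len);
    return saved;
}

/* 1 if the system refuses every writable+executable request (strict W^X),
 * 0 if it grants at least one of them. */
int enforces_wx(void) {
    int rwx_map = probe_mmap_prot(PROT_READ | PROT_WRITE | PROT_EXEC);
    int wx_map  = probe_mmap_prot(PROT_WRITE | PROT_EXEC);
    int upgrade = probe_mprotect_change(PROT_READ | PROT_WRITE,
                                        PROT_READ | PROT_WRITE | PROT_EXEC);
    return (rwx_map != 0 && wx_map != 0 && upgrade != 0) ? 1 : 0;
}

int main(void) {
    static const int combos[] = {
        PROT_NONE, PROT_READ, PROT_WRITE, PROT_EXEC,
        PROT_READ | PROT_WRITE, PROT_READ | PROT_EXEC,
        PROT_WRITE | PROT_EXEC, PROT_READ | PROT_WRITE | PROT_EXEC,
    };
    char buf[4];
    printf("%-6s %s\n", "prot", "mmap() result");
    for (size_t i = 0; i < sizeof combos / sizeof combos[0]; i++) {
        int err = probe_mmap_prot(combos[i]);
        printf("%-6s %s\n", prot_string(combos[i], buf),
               err == 0 ? "granted" : strerror(err));
    }
    int up = probe_mprotect_change(PROT_READ | PROT_WRITE,
                                   PROT_READ | PROT_WRITE | PROT_EXEC);
    printf("mprotect rw- -> rwx: %s\n", up == 0 ? "granted" : strerror(up));
    printf("strict W^X: %s\n", enforces_wx() ? "yes" : "no");
    return 0;
}
```

The probe only reports what the kernel says about the request; whether a page mapped without PROT_EXEC is nonetheless executable on hardware without a per-page execute bit is a separate question the error code cannot answer.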
By Anonymous Coward () on
me: "According to further discussions at CanSecWest (by Theo and others) violates POSIX"
I was merely reporting some of the discussions I overheard at CSW last week, as such it's not so much speaking my mind.
As far as my own opinion goes, I will state that I think that the definition of an Operating System is by its necessity, a complete whole, not merely patches which in and of themselves do not function. There are _many_ security products which do no good without something to run them on, antivirus software, Okena's Stormwatch, etc. all of those need an Operating system (in those examples, usually windows) to run on, even if the intention is to harden them.
Based on that notion of an operating system:
OWL would qualify as an OS,
Solar's work is too broad a term (popa3d?) to qualify.
StackGuard would -not- qualify as an OS.
PaX/GRSEC would -not- qualify as an OS.
Trustix Secure Linux would qualify as an OS.
Immunix Secured Linux would qualify as an OS.
OpenBSD would qualify as an OS.
ProPolice/W^X would -not- qualify as an OS.
TrustedBSD is an OS.
I can go on, but this is just starting to get stupid, and you're being argumentative over nothing worth even arguing anymore (I'm glad to see you have at least stopped making use of erroneous quotes such as 'most secure OS in the world').
Now, onto the interesting part - I can't answer what Theo claims is POSIX violation in PaX/grsec. That is a good question, and I think I'll go post it to misc@ and we'll see what happens.
By grey () on
I'm not disregarding PaX by any means; but there have been other neat security-related patches out there (for OpenBSD, or linux) which cannot be expected to be incorporated into most operating systems, even those (such as OpenBSD) which focus on security. Look at Stephanie, or some of Daniel Lucq's more out-there work [e.g. network-port-acls]. Some things, while neat and more secure, might be beyond the immediate scope of a project, not only due to time considerations from developers and because of the problems they might incur, but because they often conflict with other stated goals, such as functionality.
I don't think most people (be they advocates of GPL or BSD) have trouble understanding that difficulties arise if a BSD project attempts to incorporate a GPL piece of software (or if GPL were to incorporate some other more restrictive license). Theo has historically been pretty outspoken on such issues (e.g. openssl + sun elliptic curve code, Darren Reed vs pf, etc.). The same can be said for some of the other goals listed, whether they be functionality, POSIX compliance or whatever.
Anyway, I did post your previous bit about PROT_EXEC and mmap concerns to misc@ we'll see if that generates any response.
By no means do I know everything, and will happily admit when I am wrong, as I have already been doing in some cases. I don't see you making any apologies for using quotes unattributed to any OpenBSD developers, or the fact that the ftp client bo was prominently announced - so get off your high horse, no one is perfect.
By Anonymous Coward () on
> I overheard at CSW last week, as such it's not
> so much speaking my mind.
[...]
> I can't answer what Theo claims is POSIX
> violation in PaX/grsec.
you weren't merely reporting it, you were using it in an argument. the difference is that you're no longer a neutral party, you wanted to get a point across ("not ideal solution for certain systems... POSIX..."). if you don't understand the quote yourself (you seem to have admitted it now) then you were simply speaking what has been fed to you without critical analysis - also known as brainwashing. you were talking about the great character of OpenBSD people, this is your chance to prove it (by admitting your mistake).
as for the OS issue: you introduced it, i merely mentioned 'systems' if you check back. in any case, for me an OS is what is running on my computer, regardless how i put it together. besides that, what difference does it make as to the fact that OpenBSD was not the first to implement these great new security enhancements? nothing?
By grey () on
It's probably wiser not to raise such points if I don't understand them well (my mistake) but as part of a learning process, I do find it useful to ask questions and raise concerns that I've heard even if the end result is to hear those questions and concerns refuted.
The systems/patches issue is pretty stupid to argue about anyway - if it's running on your computer, fine, great. At any rate, it makes absolutely no difference to me whether OpenBSD was the first to implement something or not; but since it is a gestalt approach, it means that when something is implemented it tends to integrate well with other components, be they directly linked to security or not.
By Anonymous Coward () on
> making use of eroneous quotes such as 'most
> secure OS in the world'
...and just when you thought it would be over...
the http://marc.theaimsgroup.com/?l=openbsd-misc&m=105051915430914&w=2
a quick search turns up http://pageexec.virtualave.net/docs/ . knowing that this stuff (the randomization) has existed for almost 2 years, it's hard to believe that Theo/Dragos have never heard of it. so how does this one smell to you?
By grey () on
Oh, wait I forgot - you're just upset about lack of credits, even when the actual code wasn't from the original authors. My bad.
OpenBSD has plenty of firsts to lay claim to already, and credits when they have a reason to (borrowed code). If something is inspirational, my understanding of legal terms is that it's not a necessity except in dealing with simple copyright and patents. If, by using the GPL you have made your code unusable to people, don't expect any credit when they don't use your code. If you use a BSD license, credit is pretty much the only thing left from the original copyright claims, and as such 99% of people don't have a problem using it. Those who don't, shouldn't feel any need to credit BSD if they don't use the code due to disagreeing with the license. Of course there's a very small set of people who like Public Domain for this reason, which obviates any obligations of any standard copyright needs (including even credit).
If you have a problem with not being credited, but people didn't borrow your code, you're pretty much shafted; you won't even have an option to claim plagiarism, regardless of license. If that kind of stuff is so important to you that you are wasting time berating people who didn't even use your own work beyond the conceptual stage, try filing a patent instead; it affords more protection.
Given this day and age and the technology we have access to, it is absolutely against anything but private & selfish interests to whine about credit; I don't like seeing it when people pursue such routes. If you have pursued the route of an OpenSource license, then be happy with the humanitarian attributes that already affords, and the people who will support you already - why are you so bitter?
Anyway, I posted to misc@ and maybe we'll hear a response - if so, I strongly encourage you to follow up any concerns there since I'm getting sick of arguing with what is increasingly an emotional concern here. I may not be super smart about everything, and certainly couldn't implement this kind of stuff on my own - but this just isn't the right place to be discussing this anymore.
By grey () on
Anyway, read it over - please follow up to it on misc@ if you want to continue and knock yourself out. I'll be more than happy to watch a technical discussion on it there, but sadly I doubt I'll be able to contribute anything to it myself at this point.
http://marc.theaimsgroup.com/?l=openbsd-misc&m=105053858319166&w=2
By Anonymous Coward () on
Nor can you people give credit where credit is due. This site gets worse by the day.
By Anonymous Coward () on
In addition to that, their I.P. network is "protected" by Windows... so take it from whence it comes (I'm talking about their corporate network, not the telecoms network).
So it seems the author couldn't even get the real-world facts right... let alone the technical ones (filesystem being hacked!).
By Anonymous Coward () on
Then, I want to see you bragging all over the place about OwnedBSD's security :]
By greyisbored () on
Number 0.
How many times have we already read Schneier and others saying "Security is a process" (not a product/solution)? So, yes - there will likely be vulnerabilities published in the future for OpenBSD, that's life. Life is a cycle of changes. Accept it.
Number .5
When such a vulnerability is disclosed - how will the OpenBSD developers react to it? This is the key question people should be asking (not whether a new vuln will come out, because that's inevitable).
Looking at history, when a bug (particularly a security-impacting bug) is discovered, it is given a very high priority by the OpenBSD developers and rectified quickly. There is no backpedaling and excuse-making for months on end before a patch is issued, whilst such behaviour is often seen in the software industry as a whole. Granted, the security subset of the software industry is better about this, and OpenBSD could be considered to be a part of that.
Number 1.
I am sick of hearing people go on with their "Most Secure OS in the world" tirades. As if putting it in quotes means that it's actually an official motto, or has been claimed by OpenBSD developers (or at the least, Theo).
Please find a spot for me where an OpenBSD developer has said that OpenBSD is the "most secure OS on earth" or "most secure OS in the world" I've tried google and deja with theo and deraadt and others and come up blank for anything showing that he ever said those phrases, so maybe some other developer ever said that? Of course, as most should know - the theocracy of OpenBSD doesn't often accept the word of other developers, but please - I would like to put an end to that myth either by finally substantiating it, or by people learning that such a claim is not made. This is not to say that it's never said, I do see lots of hits for OpenBSD and "most secure OS in the world" but those are praise from other people that as far as I can tell are not directly associated with the project.
For some mottos which can easily be found on the official website, you'll see that "Secure by default" is an accepted motto, officially uttered by project members, but that is not making a claim that it is the -most- secure thing out there. Another motto, "Free, Functional, Secure", has a word there which is often the antithesis of security: functional[ity]. OpenBSD does not make the claim that it is the most secure OS, most likely because they hold that goal of functionality up quite high and as a result certain compromises are made.
Any high level CISSP/ISSA/CIA kinda security crap will tell you about risk assessment and all that fun stuff - in this case, I think OpenBSD does occasionally sacrifice a security feature for usability. I'd rather see that than the opposite to the point of being absurd. Take for example, NetBSD turning off _all_ services by default. Not only is it not functional, but it sort of makes the 'net' part of their name a bit of a misnomer. Don't buy into the "No Hype" hype.
Nothing is perfect, change is inevitable, it's how change is dealt with that matters.
In other words: OpenBSD is not the most secure OS in the world, vulnerabilities will be found, and OpenBSD will continue to fix bugs as long as it maintains its reputation.
Oh, and OpenBSD is not the only project doing this either - but it's kind of pointless to troll most of those as well.
By Anonymous Coward () on
http://security-archive.merton.ox.ac.uk/bugtraq-200010/0065.html
By greymuststillbebored () on
To quote (k2 from www.ktwo.ca/security.html):
"OpenBSD 2.7 Rant with respect to lots of silently patched things.... Apparently there is just to much work to keep posting all of these fix's. I hear now they have streamlined the process :)"
That last sentence I find rather more interesting to the current state of the world than K2's original posting. I'm not trying to start any bad blood or put words in peoples' mouths. I'm not absolving anyone of fuckups either (everyone makes mistakes).
However, even as an observer of the OpenBSD project, it seems that some attitudes have changed, both with how things might be fixed (being better about disclosing issues they're aware of vs ones they're just fixing as bugs) and in what approaches are deemed worthwhile security tools to incorporate (e.g. W^X, PP, systrace usage).
OpenBSD is evolving; if people think that's a bad thing I'd like to know why. Better yet, if people know of an operating system project which has gotten everything perfect already, I'd love to know about it. There are still problems with OpenBSD, be they technical or attitude related. And maybe I'm buying propaganda too much (I am trying to read things from every side of the argument whenever possible) - however, I think as a general whole the project members are pretty open, and have a genuine interest in fixing problems for the sake of quality above notoriety.
By Anonymous Coward () on
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ftp/ftp.c.diff?r1=1.43&r2=1.43.2.1&f=h
Still not mentioned in the security section of the website. The changelog clearly states it was a fix for a buffer overflow, yet OpenBSD didn't want to ruin their "record." This has happened several times before, but they can only get away with it if they keep the information away from the public.
By greyshouldstopwastingtimeapparently () on
1. ftpd was certainly not running per the default install back when this fix was committed, so I don't see what you're trying to dispute here. Their record relates strictly to their default install as in the quote (from their site):
"Only one remote hole in the -default install-, in more than 7 years!" (emphasis added)
2. I will definitely agree with you that such things should appear in the security section of the website; my question to that end then is - was this a published vulnerability? I'm curious. Maybe there's less incentive to make an announcement out of a privately held exploit that's running against a non-default service. I would still agree with you that more could be said here in an official capacity. Still, it's hard to say - did they just have someone drop them a hint that they fixed (psst, look in ftpd there's a bo in line xyz), or was this a bigger known issue?
3. " but they can only get away with it if they keep the information away from the public."
I really question how they are keeping this information away from the public; you yourself just linked to their own CVSWeb diff - I don't know how much more open it can get than that, or even how much more open it needs to get.
Ok, here's a request though - since you (and others? damned AC) obviously are pointing out some valid issues - can this be formalized somewhat? If official means (bug reports, mailing lists) aren't effective at getting the word out, well, posting here is certainly encouraging discussion, which is good. Better yet might be some openbsdwatch site.
That said, such watchgroups are usually most effective when they work in coordination with the watched party; and I think that the security field is already rife with them, so one focused on OpenBSD really isn't necessary. What is necessary is exposure to questionable issues so that they can be addressed and that users (and since we're not dealing with evil corporations, more likely) developers can actually improve things.
I would encourage people to point out issues in a cooperative manner, but as with anything - if pleas fall on deaf ears, get more organized and raise awareness. Keeping things to oneself and looking down from on high is rarely a useful stance for anyone.
By greyneedstostopalready () on
Though, correct me if I'm wrong, but if you set up a default install of OpenBSD, put it on the network, and just let it sit there forever - will it ever autonomously make an ftp connection? I mean, there's no crontab that I've seen akin to default sendmail configuration.
And sitting on disk vs installed (& running) is a different thing I guess (ask others who actually work on the project there).
IIRC this was stated, though not on security but at the least, here:
http://www.openbsd.org/plus32.html
"RELIABILITY FIX: avoid buffer overrun on PASV from a malicious server in ftp(1).
[Applied to stable]"
Client side bugs are indeed a concern, I'm not disputing that and I think there was a resolver issue not too long ago as well, which ostensibly appears to be a much bigger concern [especially seeing how sshd is running by default, and how it also tries to resolve DNS for incoming connections iirc]:
http://www.openbsd.org/errata29.html#resolver
The fact is, it was reported and committed to stable; maybe it didn't have the Security banner you and I might have preferred, but it was hardly a swept-under-the-rug case. I think I even recall this being posted to deadly at the time, though I can't seem to find that now.
By Anonimus () on
Honestly.. Don't bother answering these kids. They still didn't understand that they can whine as much as they can, that things won't be done the way THEY WANT.
Things are done the OpenBSD way, whether they like it or not.
Bugs are fixed and that is what fucking matters!
If they were really interested in knowing about new bugs coming up, they would follow src-changes, plus.html, etc etc. But no, they're just whining like the poor users they are.
Did I say users? Sorry.. it's lusers.
Now let them measure their dicks in peace, they are happy that way.
By Anonymous Coward () on http://www.openbsd.org/plus32.html
RELIABILITY FIX: avoid buffer overrun on PASV from a malicious server in ftp(1).
[Applied to stable]
By Dries Schellekens () on http://www.securityfocus.com/archive/1/269356/2002
Prove us it's exploitable! Please do.
By Anonymous Coward () on
.1 are you sure you want to take the red pill Neo? then here's one for you:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=94537227325110&w=2
the original must have been a private mail as i can't find it in the archives, nevertheless the quote speaks for itself knowing how many bugs they'd fixed since, both local & remote (most are never announced, like this one: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ftp/ftp.c.diff?r1=1.43&r2=1.43.2.1&f=h). really professional and trustworthy.
> Nothing is perfect, change is inevitable, it's
> how change is dealt with that matters.
well said. a pity you're barking up the wrong tree.
Comments
By grey () on
"{reimplement hardening features available for linux for many years (and forget about credits along the way). now that's very professional.}"
If it's a feature from linux, they can't simply implement it into their tree due to licensing. Since they must then implement their own version, they are not obligated under any legal clause that I am aware of to provide credit, as it is new code. Maybe they should cite inspirational works (I think they, and other authors often do, but don't take my word for it).
What is it in particular that they've ripped that is getting your goat? How do you feel about the various Linux imports from BSD over the years? Is it any different? (other than the BSD license permitting such a trickle down effect - Linux and most everyone else should be grateful for BSD; TCP/IP stacks might still be uncommon were it not for that).
That was a neat misc@ read; though I can't quite pinpoint the applicability of it in this discussion anymore. It seemed to be rather complimentary of OpenBSD as a whole [unless the author really sucks with sarcasm and thinks that allegory is the core of information exchange which is a flawed assumption].
I already addressed the ftp diff you mentioned, it was announced & applied to -stable at the time, though as a reliability fix, not a security fix.
"well said. a pity you're barking up the wrong tree."
Well, you are pretty well-spoken yourself. Here I am just trying to be a decent OpenBSD advocate by providing primarily factual information, so I don't think I'm barking up the wrong tree [deadly.org is the -OpenBSD- Journal after all]. I do appreciate you raising some potential issues, but thus far your historical research still seems a little bit incomplete (missing the notes about the ftp client for one).
This is the right forum for discussing OpenBSD, but unless you're here to debate things towards a useful end, it kind of ends up as trolling. I can carry on with this thread for a while longer, but I should suggest to you that if you want to see changes and improvements, I'm not the person you should be talking to - talk to some of the developers, post to misc@, tech@, submit a bug report. If those avenues are being blind, you should know how to get people's attention in this field (though I doubt it would come to that). Bantering back and forth with someone like me isn't going to get results that are worthwhile to anyone other than maybe you and me, and I'm not really too excited about that.
These are issues you are raising, some of which are old and have been addressed already. If, moving forward, new issues arise, please continue to raise them for sure. But I'd recommend doing it someplace more amenable to solving the problem rather than discussing it (I don't have commit access, I can't help you there). If you find those who do have the power are ignoring the problems, then like I said, some sort of official watchgroup capacity would be a better way of getting people's attention for the developers and the users.
Comments
By Anonymous Coward () on
> accepting any positive improvements. That's
> not a very constructive attitude.
what exactly do you want to fix in something that works? if you mean cheerleading and praising our great leader, then you're asking the wrong person.
> If it's a feature from linux, they can't simply
> implement it into their tree due to licensing.
it's not about taking code, but ideas and passing them down as their own. and it's not about being obligated by some license but common human courtesy to acknowledge others' work, regardless of what camp it comes from. agree/disagree?
anyway, you're right this is the wrong forum for this kind of discussion, but you see, something must be really wrong somewhere if it gets this far.
Comments
By Anonimus () on
Where the fuck did you see OpenBSD taking credit for inventing these new implementations in its system? Read my lips: NEW IN ITS SYSTEM!
Go back to your grsec/pax/whatfuckingever, where they waste time making pages comparing themselves with other OSes just like teenage kids: "See? My dick is bigger than yours!"
Comments
By Anonymous Coward () on
or here? http://openbsd.org/papers/csw03.mgp
By grey () on
Not asking you, or anyone to praise Theo; but I do find it helpful to see real problems discussed so that workable. Again here is probably not the place to effect change, except in maybe a grassroots sense. I don't buy your whole "something must be really wrong somewhere if it gets this far" bit, since forums and mailing lists tend to be the breeding ground for where these kinds of debates get started. Where the problems discussed get fixed is elsewhere.
Comments
By Anonymous Coward () on
> breeding ground for where these kinds of
> debates get started.
sorry, just one comment on this. can you please show me public records of discussions of said security features as they (OpenBSD users/developers) were debating them? i'm not talking about stuff after these changes had been announced/released, i'm really meaning the kind of discussion that goes on in the design/development phase. now assuming you'll find the same results as me (0), maybe you will change your argument (that is, what is one supposed to do when there are NO discussions to take part in)?