![[OpenBSD]](images/smalltitle.gif){kind=small}
"And then the new features: FFS2, support for the Advanced Host Controller Interface, IP balancing in CARP, layer 7 manipulation with hoststated, Xenocara, and more!"
And goes on to discuss each of these and more with the good folk who make it happen.
"Many of the technologies that Microsoft has employed to bolster the security of Windows Vista are not new. In fact, most are derived from the groundwork originally laid by open-source operating systems such as Linux and OpenBSD, the PaX and Stackguard projects, as well as numerous academic publications.... The majority of these technologies first appeared in Windows XP SP2 [Service Pack 2]. Windows XP SP2, at the time of its release, was also billed as the most secure version of Windows."So remember, folks, if it's about security, you may well have heard it here first, long before Microsoft "invented" it.
The most important property of bcrypt (and thus crypt_blowfish) is that it is adaptable to future processor performance improvements, allowing you to arbitrarily increase the processing cost of checking a password while still maintaining compatibility with your older password hashes. Already now bcrypt hashes you would use are several orders of magnitude stronger than traditional Unix DES-based or FreeBSD-style MD5-based hashes.This is just plain cool."
This article can also be found online as Academic calls for better bug tracking (uk.builder.com).
"In order to do security the BSD way, however, much more effort needs to be spent auditing code for holes, which is much less sexy, and attracts a different set of coders," Zymaris added.
The closed-source component required to support this hardware is completely independent of the associated operating system, and as such, is also independent of the engineering team, security team, auditing process, and quality control procedures normally related to the operating system...
What's possibly even more disturbing is that we're talking about a chunk of code in the operating system, running with the highest possible level of privilege (the kernel), which is supplied by a third-party vendor. This code could do anything once loaded, including leaking active WEP keys, gathering usage statistics, sniffing and disclosing traffic, and it could even introduce a subtle backdoor into the operating system itself (much the same as any device driver in a closed source operating system).
[A]lthough some of these scenarios are a little far-fetched, the possibility for them to exist is there... Ultimately it becomes an issue of trust, which is a cornerstone of good security: whom do you trust, and how much do you trust them?
And he comments that trust "seems to be a one-way street": vendors demand that you trust them, but they won't trust you to know how their hardware and software operates. This lack of trust is one reason why OpenBSD has recently completed reverse-engineering the Atheros wireless chipset driver that was originally provided as a binary insert.
"... which is more secure - Windows or Linux?Not surprisingly, the answer is in the negative. Good discussion on why Microsoft's OS is still not really secure. Ends with the conclusion that, if you must use MS-Windows, do so, but have another computer running an OS "which has a lower-risk profile" for your mail, web and other online activities. That could be OpenBSD (registration required).
A snide answer is OpenBSD, which has an exemplary record with respect to security. But let's stick to the two most broadly used platforms in IT today.
Microsoft's hired analysts claim that Windows is more secure than Linux. Should we believe them?"
because it takes a "tough love" approach; when it spots a virus on a computer, it automatically blocks that machine, "blackholing" the user, and notifies Grant... "The Airlok has the best firewall I have ever seen," says Grant, who believes the product could even change the Web itself. "Imagine if Comcast or other ISPs started using Airloks. If someone got a virus, the system would just shut that person down before it could spread. This could make hackers obsolete."Maybe a bit of hyperbole, but the product does look good, and serves as an example of what you can do with OpenBSD as a base.
There's lots of open-source software out there that no one has analyzed and is no more secure than all the closed-source products that no one has analyzed. But then there are things like Linux, Apache or OpenBSD that get a lot of analysis. When open-source code is properly analyzed, there's nothing better.
Just as brilliant scientists are capable of making spelling mistakes, brilliant coders can also make fatal mistakes in their software perhaps because writing good software is both a science and an art.And then quotes Theo as saying:
"Also, more people in the coding community are writing code, while fewer are reading or auditing code."
This article can also be found online at:
Then on some news sites, the story starts to change. A spokeswoman from DARPA is quoted as saying "We're sorry if this review process has been misinterpreted as an effort to cancel the work." (If it was not a cancellation, then why did Mark West from UPENN phone the Hyatt Calgary and cancel the reservations -- even before OpenBSD was informed by Jonathan Smith, who in email said "Penn has been contacted by the Air Force and NO FURTHER COSTS MAY BE INCURRED, effective today, 4/17/03", "All subcontracts are terminated, effective TODAY", and "Penn must cancel/terminate contracts & obligations such as the Hyatt and travel not yet PAID. Mark, please carry this out ASAP per our contractual requirements with the government" These papers proceed to pick up the new story; some retain the old one:
Note: some material related to POSSE is mirrored here.
"Smith and colleagues at Penn, the software development consortium OpenBSD, and the Apache Software Foundation and OpenSSL Group propose to use the open-source movement - where programmers openly share incremental advances - to try to engineer better security features into mainstream computers, not only those developed just for the military and other high-security organizations. The government then benefits by purchasing more affordable, standardized computers with security features."
vi and a default C shell, he finds nice things to
say about OpenBSD's floppy + 'Net installation, the thorough system probe and
the IP filtering and address translation.
make options and targets, and also notes OpenBSD's
"fake" installation used to create easily distributable binary
packages as an automatic by-product of building a port.
fuzz, a tool that tests commands with randomly generated
command line arguments. Lead developer Theo de Raadt ran it against OpenBSD
and found routine coding errors in about a dozen commands, none security-related.
The article reprints de Raadt's posting and comments. Though the exercise was
worthwhile, the tool only points to the areas to check, and is no substitute for
careful code reviews, he concludes.
Connected to spanweb.glasgow-ky.com.
Escape character is '^]'.
OpenBSD/mac68k (spanweb.glasgow-ky.com) (ttyp0)