44 comments

[ 2.4 ms ] story [ 108 ms ] thread
> Proactive security ●64-bit long long time_t (NetBSD technically did it first)

The best kind of first. Joking aside -- why is so much OpenBSD advocacy backhanded like this ? Do the writers not think that OpenBSD can stand on it's own ?

You left off the following bullet point:

* NetBSD technically did it first

* But OpenBSD is the one who engaged with the rest of the software community to fix bugs that were uncovered

Now it doesn't seem so backhanded.

Well I think actually NetBSD just made less noise about it. You can call that "engaging with the community", and it can be helpful but since NetBSD switched in 2012 it was not the case that there was no engagement in making software work if it needed fixing.
The thing is to ask and poke pre-emptively before problems actually occur.
And if they didn't mention it others would be here complaining that NetBSD did it first and OpenBSD is just trying to take credit.
And they will copy UBC, uvm locks, WAPBL, device abstraction layer. Just diff their kernel source to 4.3BSD and compare how close they are still. Their kernel is still stuck in the 80s.
I was born in the 80s. I'm not stuck there...
Actually this is not quite right. Pkgsrc pushes fixes upstream for all breakage, including the 64bit long long time_t. We just weren't born on third base thinking we scored a triple.
Slightly off topic, but does anybody know why the OpenBSD community has started using Comic Sans in all their material? Is it some kind of inside joke?

I don't find it neither good nor wrong, but there must be some reason behind it.

It's the only truly secure by default font.
I remember Bob Beck saying it was one of the three fonts that works with MagicPoint and the one that is most readable on projector.
and the fact it is just the best font. period
I think it's just the OpenBSD crew having fun by watching people cringe.
I think it's more fun to consider the widespread "hate" of comic sans, and considering whether it is really "bad" or just band-wagoning.
If someone starts giving any importance to the font instead of the code quality he or she gets summarily expelled. Helps keeping the priorities right.
All the wannabes on reddit end up getting derailed into long comment chains circlejerking about comic sans; shunts a lot of people who have nothing worthwhile to say into an easy-to-avoid thread.
> Random PIDs > Eliminates race conditions > Say you have a root daemon that forks then the child drops privileges. If you can beat the child you can inherit root privileges

Can someone explain this? I don't see what this has to do with the randomness of pids.

Being the most secure OS, these days, is like being valedictorian of summer school. The reality is as soon as you install a dynamic language behind a webserver all their memory tricks are for not. They are still focusing on exploitation from 2002.
Something like after the parent forks, the child opens a file called "/tmp/log.$$" with its PID in the name as root. If you can guess the PID of the child, you could create a link with that name, pointing at a file of your choice that is owned by root, such as "/etc/passwd". Then, you need to make the child do something predictable to that file, such as ensuring that the user supplied data being logged contains text like "\npwn::0:0::/:/bin/sh\n" giving you a valid password file entry for "pwn" with no password and root privileges.
Predictable file names in tmp is considered a security issue pretty much everywhere (hence mkstemp), so I would guess that's not what they mean.
That does seem like a strange example. Random source ports is probably a better example of system wide randomization.
"OpenBSD's OpenBGPD responsible for 30% of worldwide BGP communication"

Ummm. Citation needed?

With enough loops, anything is possible.
Yeah, that was my first thought, too.

In all my years in networking, I've ran exactly one instance of OpenBGPD and that's used simply for real-time updates of (anti-spam) blacklists and whitelists [0,1].

[0]: http://bgp-spamd.net/ [1]: http://www.openbsd.org/papers/asiabsdcon2013/phessler-bgp-sp...

http://www.openbgpd.org/users.html

Also, most large service providers don't tend to talk about their internal implementations.

Many in the networking field have been indoctrinated in a Cisco-only philosophy, and then get hired into that monoculture over and over to the point they don't know about anything else, other than if it's something viewed as a Cisco competitor.

Sorry, I never doubted that there are large organizations that run OpenBGPD -- it's just that I, myself, have never personally encountered one (meaningless, I know).

I do know that it's used quite often as a route server/reflector at various IXPs (and I may be standing up an instance to do just that in the near future as well) as well as a looking glass. I've managed routers from most of the large manufacturers (Cisco, Juniper, Brocade, HP/H3C, ALU, Mikrotik) and I took a good hard look at OpenBGPD a while back for a customer project so I am aware that it is quite feature-rich and capable and I certainly didn't intend to imply (if it came across that way) that it's not.

Really, the thing that I took issue with was:

> OpenBSD's OpenBGPD responsible for 30% of worldwide BGP communication

It was followed up with:

> Correction: 20% of ISPs using OpenBGPD

That claim may very well be technically correct, but it strikes me as similar to, e.g., someone claiming that 90% of users on the Internet "use Linux" simply because their traffic may have {passed through|been directed to} a {router|server|firewall} that runs Linux.

you are my hero, not just for all the awesome OpenBSD contributions and dedication but for the fact that you still maintain a GOPHER protocol'd site!

gopher://gopher.anthrobsd.net/

I still love Gopher. Its for people who give a shit about the content and structure, not oodles of CSS and JS cack wrapped around four square inches of content that looks like my teenage daughter fired up Word and set the font size to 18pt so she didn't have to write so much.
do you know what gopher server is in use?
If I remember correctly it is The Gophernicus Project.

http://gopherproxy.meulie.net/gophernicus.org/ or you can use the overbite extension for firefox.

yes that is one. I remember accessing txt files via gopher on university systems back in the 90's. It was similar to browsing an FTP directory via a web browser, with a few more features.
Very useful, sans the font. Pardon the pun
Theo's opinion notwithstanding, what's the best virtualization platform to run OpenBSD?

There's a project to improve AWS/Xen support, http://www.joelroberts.org/openbsd/

Works fine in VMware ESX and HyperV. Need to run NTP though to combat clock drift. Not tried it on Xen but it has drivers for virtual NICs and storage etc.
If you watch the the ruBSD 2013 interview video with Theo de Raadt[1] at the 6:36, he states that they should take a shot at dealing with modern x86 VMs. That gives me quite a bit of hope along with the work on vmware related drivers in each release.

I use VMware at work, seems to do ok.

1) https://www.youtube.com/watch?v=OXS8ljif9b8

> strlcat() and strlcpy() > - Solves the problem of unterminated C strings

Handling truncation correctly with those is just as much work as handling strcat and strcpy correctly. The only difference is that wrong handling of strcat and strcpy have worse effects usually.