OpenBSD Journal

Peter Hansteen on OpenBSD and you

Contributed by weerd on from the pitrh-promotes-puffy dept.

Undeadly editor Peter Hansteen (pitrh) recently spoke to the Bergen (BSD and) Linux User Group (BLUG) on the subject "OpenBSD and you", and has shared the slides from the talk.

These make a great resource for preaching to the as-yet-unconverted.



  1. By Anonymous Coward (79.247.178.193) on

    Would it be possible to maybe get recordings of his speech?
    Just in case they got recorded...

    Also: 2 remote holes ain't really correct... 3..... *ahem...*

    Also, Mr. Hansteen may not be aware of it: OpenBSD code is part of Windows, Oracle has also included a lot of stuff...

    So let me critic some stuff....

    "No service enabled by default" is a false claim btw...
    Service includes everything on startup....

    About ports: OpenBSD lacks security software (especially fuzzers :( ), some even get removed because they're old... (which should simply be a no-go; check for functionality and try to fix it if code is unmaintained.. Compiler improvements or new compilers couldn't have been foreseen 7 years ago).

    OpenBSD PF lacks improvements in passive OS fingerprinting.
    1st, the stuff included (PoS DB in /etc/!), but you can do fingerprinting even based on ICMP and this is handy with IPv6.... the method I talk about is from 1996.... *greetings to everyone at 33C3*

    Also SMP would be awesome.... PATCHES do exist.... just not applied/included, and now they need more manpower to apply..

    SpamD needs to get enhanced too... IPv6 for the win... \o/
    Or it becomes useless.. additional Bayesian filtering would be absolutely awesome.... but of course this is CPU intensive..

    The WiFi stack needs massive enhancements, also in general the USB/IP stack.. for the IP stack I would even recommend a rewrite, but I ain't capable (of doing it RIGHT...) myself. The USB stack needs fuzzing...

    Some WiFi drivers act weird.... like ATHN on an APU2 and a TP-Link N600 as AP... OpenBSD WILL stop communicating at some point; I was unable to debug it for weeks, told STSP about it... but he lacks the setup, though he provided hints...


    So... OpenBSD IS great, it's awesome, and if you ain't crazy nor an idiot: you donate 10 (EUR/USD) a year... something everyone can do....

    1. By Anonymous Coward (128.78.175.12) on

      Not sure if trolling, or 16 years old, or a Linux guy, or just drunk or high... but if none of that applies, what exactly is your point? How about you stop trying to "critic" some stuff, and shut up and hack and help?



      > Would it be possible to maybe get recordings of his speech?
      > Just in case they got recorded...
      >
      > Also: 2 remote holes ain't really correct... 3..... *ahem...*
      >
      > Also, Mr. Hansteen may not be aware of it: OpenBSD code is part of Windows, Oracle has also included a lot of stuff...
      >
      > So let me critic some stuff....
      >
      > "No service enabled by default" is a false claim btw...
      > Service includes everything on startup....
      >
      > About ports: OpenBSD lacks security software (especially fuzzers :( ), some even get removed because they're old... (which should simply be a no-go; check for functionality and try to fix it if code is unmaintained.. Compiler improvements or new compilers couldn't have been foreseen 7 years ago).
      >
      > OpenBSD PF lacks improvements in passive OS fingerprinting.
      > 1st, the stuff included (PoS DB in /etc/!), but you can do fingerprinting even based on ICMP and this is handy with IPv6.... the method I talk about is from 1996.... *greetings to everyone at 33C3*
      >
      > Also SMP would be awesome.... PATCHES do exist.... just not applied/included, and now they need more manpower to apply..
      >
      > SpamD needs to get enhanced too... IPv6 for the win... \o/
      > Or it becomes useless.. additional Bayesian filtering would be absolutely awesome.... but of course this is CPU intensive..
      >
      > The WiFi stack needs massive enhancements, also in general the USB/IP stack.. for the IP stack I would even recommend a rewrite, but I ain't capable (of doing it RIGHT...) myself. The USB stack needs fuzzing...
      >
      > Some WiFi drivers act weird.... like ATHN on an APU2 and a TP-Link N600 as AP... OpenBSD WILL stop communicating at some point; I was unable to debug it for weeks, told STSP about it... but he lacks the setup, though he provided hints...
      >
      >
      > So... OpenBSD IS great, it's awesome, and if you ain't crazy nor an idiot: you donate 10 (EUR/USD) a year... something everyone can do....
      >
      >

      1. By Anonymous Coward (79.247.178.193) on

        > Not sure if trolling, or 16 years old, or a Linux guy, or just drunk or high... but if none of that applies, what exactly is your point? How about you stop trying to "critic" some stuff, and shut up and hack and help?
        >
        >
        >
        > > Would it be possible to maybe get recordings of his speech?
        > > Just in case they got recorded...
        > >
        > > Also: 2 remote holes ain't really correct... 3..... *ahem...*
        > >
        > > Also, Mr. Hansteen may not be aware of it: OpenBSD code is part of Windows, Oracle has also included a lot of stuff...
        > >
        > > So let me critic some stuff....
        > >
        > > "No service enabled by default" is a false claim btw...
        > > Service includes everything on startup....
        > >
        > > About ports: OpenBSD lacks security software (especially fuzzers :( ), some even get removed because they're old... (which should simply be a no-go; check for functionality and try to fix it if code is unmaintained.. Compiler improvements or new compilers couldn't have been foreseen 7 years ago).
        > >
        > > OpenBSD PF lacks improvements in passive OS fingerprinting.
        > > 1st, the stuff included (PoS DB in /etc/!), but you can do fingerprinting even based on ICMP and this is handy with IPv6.... the method I talk about is from 1996.... *greetings to everyone at 33C3*
        > >
        > > Also SMP would be awesome.... PATCHES do exist.... just not applied/included, and now they need more manpower to apply..
        > >
        > > SpamD needs to get enhanced too... IPv6 for the win... \o/
        > > Or it becomes useless.. additional Bayesian filtering would be absolutely awesome.... but of course this is CPU intensive..
        > >
        > > The WiFi stack needs massive enhancements, also in general the USB/IP stack.. for the IP stack I would even recommend a rewrite, but I ain't capable (of doing it RIGHT...) myself. The USB stack needs fuzzing...
        > >
        > > Some WiFi drivers act weird.... like ATHN on an APU2 and a TP-Link N600 as AP... OpenBSD WILL stop communicating at some point; I was unable to debug it for weeks, told STSP about it... but he lacks the setup, though he provided hints...
        > >
        > >
        > > So... OpenBSD IS great, it's awesome, and if you ain't crazy nor an idiot: you donate 10 (EUR/USD) a year... something everyone can do....

        I am trolling AND being a critic...

    2. By Peter N. M. Hansteen (pitrh) on http://bsdly.blogspot.com/

      > Would it be possible to maybe get recordings of his speech?
      > Just in case they got recorded...

      The Bergen session was streamed and recorded to Youtube. You should be able to find a link via the BLUG website. The talk was in Norwegian, though.

    3. By Anonymous Coward (82.68.199.128) on

      > Would it be possible to maybe get recordings of his speech?
      > Just in case they got recorded...
      >
      > Also:
      > "no Service enabled by default" is a false claim btw...

      Correct. IIRC sndiod, ntpd, syslogd, smtpd are enabled by default.

      > About ports: OpenBSD lacks security software (especially fuzzers :( ), some even get removed because they're old... (which should simply be a no-go; check for functionality and try to fix it if code is unmaintained.. Compiler improvements or new compilers couldn't have been foreseen 7 years ago).

      I'd argue that it's a disservice to ship packages for things that nobody has touched in years; we don't even know if they really work following OS changes. Some things probably have never even been run on a 64-bit arch and may just crash and burn. If there's something that you care about which has been removed, you could always post to ports@ and put your case forward as to why a particular thing is useful to keep.

      > OpenBSD PF lacks improvements in passive OS fingerprinting.
      > 1st, the stuff included (PoS DB in /etc/!), but you can do fingerprinting even based on ICMP and this is handy with IPv6.... the method I talk about is from 1996.... *greetings to everyone at 33C3*
      >
      > Also SMP would be awesome.... PATCHES do exist.... just not applied/included, and now they need more manpower to apply..

      There is SMP already. There are some problems but "SMP would be awesome" makes no sense.

      > SpamD needs to get enhanced too... IPv6 for the win... \o/
      > Or it becomes useless.. additional Bayesian filtering would be absolutely awesome.... but of course this is CPU intensive..

      Without a lot of help spamd-style greylisting doesn't really seem all that useful in the typical case any more.. but the whole point of spamd is to have something simple that can run on a firewall safely. When you start getting into rules, Bayesian filtering, etc, you're really talking about a different program than what spamd aims to be. (hint: rspamd)

      > The WiFi stack needs massive enhancements, also in general the USB/IP stack.. for the IP stack I would even recommend a rewrite, but I ain't capable (of doing it RIGHT...) myself. The USB stack needs fuzzing...

      I think you'll often find that the people who are actually putting work into OpenBSD are usually quite aware of what needs doing in their area already. They don't need people telling them what to spend their time on, they mostly need help with their diffs: testing, finding and figuring out problems, reviewing. And if there are people who *are* capable with time who can help out, that's almost always appreciated.

      > Some WiFi drivers act weird.... like ATHN on an APU2 and a TP-Link N600 as AP... OpenBSD WILL stop communicating at some point; I was unable to debug it for weeks, told STSP about it... but he lacks the setup, though he provided hints...

      If you can't figure out a problem, sometimes it can help to get the necessary setup in the hands of an interested developer.

      > So... OpenBSD IS great, it's awesome, and if you ain't crazy nor an idiot: you donate 10 (EUR/USD) a year... something everyone can do....

      Maybe in your world experience, but actually no, that's not something everyone can do. And some will barely notice 50x that.

      1. By Anonymous Coward (185.38.14.171) on


        > Correct. IIRC sndiod, ntpd, syslogd, smtpd are enabled by default.

        It's not all that many services though. This is one of the reasons why the "only 2 remote holes in the default install..." slogan is problematic, because the default install contains very little. Like saying for MS-DOS "Over 35 years and no remote holes in the default install." It also encourages developers to play down security issues in order to avoid incrementing this "Only X remote holes in the default install..." counter.

      2. By Peter N. M. Hansteen (pitrh) on http://bsdly.blogspot.com/

        Thanks to all of you wonderful nitpickers, I've made one correction to the presentation. See if you can spot it!

        Cheers,
        Peter

        1. By Anonymous Coward (79.247.178.193) on

          > Thanks to all of you wonderful nitpickers, I've made one correction to the presentation. See if you can spot it!
          >
          > Cheers,
          > Peter

          It was not meant to dishonor you! You do an awesome job! *hug*

          1. By Peter N. M. Hansteen (pitrh) on http://bsdly.blogspot.com/

            > It was not meant to dishonor you! You do an awesome job! *hug*

            You need to learn to take 'nitpicker' as a compliment. :)

      3. By Anonymous Coward (79.247.178.193) on

        > > Would it be possible to maybe get recordings of his speech?
        > > Just in case they got recorded...
        > >
        > > Also:
        > > "no Service enabled by default" is a false claim btw...
        >
        > Correct. IIRC sndiod, ntpd, syslogd, smtpd are enabled by default.
        >
        > > About ports: OpenBSD lacks security software (especially fuzzers :( ), some even get removed because they're old... (which should simply be a no-go; check for functionality and try to fix it if code is unmaintained.. Compiler improvements or new compilers couldn't have been foreseen 7 years ago).

        Then things can get tested....
        BlackArch (for comparison, not because it's a LINUX distribution) has an AWESOME list of security tools. Sure... not everything can get ported, yeah.. but even just the fuzzers alone...

        You can test something with a fuzzer (which is ALWAYS a great idea), but this fuzzer is limited to its own logic and code...
        Better to test things with several tools... *my opinion*


        > I'd argue that it's a disservice to ship packages for things that nobody has touched in years; we don't even know if they really work following OS changes. Some things probably have never even been run on a 64-bit arch and may just crash and burn. If there's something that you care about which has been removed, you could always post to ports@ and put your case forward as to why a particular thing is useful to keep.

        That will not work, never did...
        Somebody who is "known" (no blaming now!) decides something was NOT updated since, for example, 2002 ("upstream is dead...")... but does this mean the code is obsolete?! No... maybe the code just did NOT have to get improved. Of course new compilers can lead to non-compiling source code... or a switch to CLANG... something the original authors could not have predicted...

        Still, such ports get dropped...
        Why can't they get marked "likely broken", no binary package is created, but they remain in the ports tree and everyone could try to build and use them and see if they work?

        No additional manpower required...
        If something is broken: this could get reported... and still the port could get removed. No one can use every port/package..

        > > OpenBSD PF lacks improvements in passive OS fingerprinting.
        > > 1st, the stuff included (PoS DB in /etc/!), but you can do fingerprinting even based on ICMP and this is handy with IPv6.... the method I talk about is from 1996.... *greetings to everyone at 33C3*

        No comment about this? Were you not aware of it? :<

        > > Also SMP would be awesome.... PATCHES do exist.... just not applied/included, and now they need more manpower to apply..
        >
        > There is SMP already. There are some problems but "SMP would be awesome" makes no sense.

        I clarify my sentence: For PF....

        > > SpamD needs to get enhanced too... IPv6 for the win... \o/
        > > Or it becomes useless.. additional Bayesian filtering would be absolutely awesome.... but of course this is CPU intensive..
        >
        > Without a lot of help spamd-style greylisting doesn't really seem all that useful in the typical case any more.. but the whole point of spamd is to have something simple that can run on a firewall safely. When you start getting into rules, Bayesian filtering, etc, you're really talking about a different program than what spamd aims to be. (hint: rspamd)

        OK, I agree, but still IPv6 support is lacking.

        > > The WiFi stack needs massive enhancements, also in general the USB/IP stack.. for the IP stack I would even recommend a rewrite, but I ain't capable (of doing it RIGHT...) myself. The USB stack needs fuzzing...

        > I think you'll often find that the people who are actually putting work into OpenBSD are usually quite aware of what needs doing in their area already. They don't need people telling them what to spend their time on, they mostly need help with their diffs: testing, finding and figuring out problems, reviewing. And if there are people who *are* capable with time who can help out, that's almost always appreciated.

        I know this, but there are so few of them... because you need guys who REALLY do know the shit and understand a lot of the subsystems...

        TIME might not be the main issue, knowledge is...

        > > Some WiFi drivers act weird.... like ATHN on an APU2 and a TP-Link N600 as AP... OpenBSD WILL stop communicating at some point; I was unable to debug it for weeks, told STSP about it... but he lacks the setup, though he provided hints...
        >
        > If you can't figure out a problem, sometimes it can help to get the necessary setup in the hands of an interested developer.

        There ain't many WLAN stack maintainers anymore since Bitrig split off...

        > > So... OpenBSD IS great, it's awesome, and if you ain't crazy nor an idiot: you donate 10 (EUR/USD) a year... something everyone can do....
        >
        > Maybe in your world experience, but actually no, that's not something everyone can do. And some will barely notice 50x that.

        I talked about a rich country indeed... like USA or Canada, central Europe...

        Still: there's stuff to do.. a lot... zstd (compression algorithm) for example would be pretty damn useful in base (kernel compression + install sets), maybe switching over to Twofish too.... stopping more "default" services, dropping old cruft (to "ports", lpd....?!), USB/IP/WLAN stack is a completely different beast....

        Improving even this forum would be awesome... but hey...
        HT:DIG ain't even in the ports... :D

        1. By Anonymous Coward (194.22.188.114) on

          > Improving even this forum would be awesome... but hey...
          > HT:DIG ain't even in the ports... :D

          Why would you want Dig when Drill is in ports?

          1. By Anonymous Coward (79.247.178.193) on

            > > Improving even this forum would be awesome... but hey...
            > > HT:DIG ain't even in the ports... :D
            >
            > Why would you want Dig when Drill is in ports?
            >

            Eh... bro...

            HT:DIG [http://www.htdig.org/] != DIG...
            It's what is NOT working on this website either (the search field :D :)


            So if you've got an AWESOME (or working.. just WORKING!) replacement with a sane codebase: please tell me :)

          2. By Anonymous Coward (79.247.178.193) on

            > > Improving even this forum would be awesome... but hey...
            > > HT:DIG ain't even in the ports... :D
            >
            > Why would you want Dig when Drill is in ports?
            >

            P.S. or "EXTRA":

            I did field tests with "zst" (aka Zstandard); the compression is better than LZMA2.... it should get into base and be used. The size of the install sets or ports could get reduced massively.. MIT licensed...

            Or in other words: please consider it... test it maybe... I tested several files and it performed 87% better (compression ratio and performance).

            Here the results with the NSA leaks:
            436M nsa.tar.xz
            902M nsa2.tar
            413M nsa2.tar.zst

            LZMA2 (aka xz) and zst: both are "maximum", zst compressed faster too btw...


            So.. include zst... MIT licensed... no slower than gzip...

            1. By Anonymous Coward (86.187.160.130) on

              > > > Improving even this forum would be awesome... but hey...
              > > > HT:DIG ain't even in the ports... :D
              > >
              > > Why would you want Dig when Drill is in ports?
              > >
              >
              > P.S. or "EXTRA":
              >
              > I did field tests with "zst" (aka Zstandard); the compression is better than LZMA2.... it should get into base and be used. The size of the install sets or ports could get reduced massively.. MIT licensed...
              >
              > Or in other words: please consider it... test it maybe... I tested several files and it performed 87% better (compression ratio and performance).
              >
              > Here the results with the NSA leaks:
              > 436M nsa.tar.xz
              > 902M nsa2.tar
              > 413M nsa2.tar.zst
              >
              > LZMA2 (aka xz) and zst: both are "maximum", zst compressed faster too btw...
              >
              >
              > So.. include zst... MIT licensed... no slower than gzip...

              How's the memory use?

              Can it handle concatenations? (packages use concatenated compressed files to restart the compression stream occasionally, to help rsync data to the mirrors)

              How's the patent situation?
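The concatenation question above has a concrete check. The following is an added example, not code from this thread or from the OpenBSD project: it uses xz (lzma) and gzip from the Python standard library, since zstd has no stdlib binding, and the same harness applies to any codec whose decompressor accepts back-to-back streams, which is the property the package tools rely on. The two "install set" halves are constructed sample data. The block compresses them once as a single stream and once as two restarted streams, edits the second half, and measures how many leading compressed bytes stay identical, which is what lets rsync skip unchanged data on the mirrors. Memory use is not measured here.

```python
"""Added example: does restarting the compression stream help rsync?"""
import gzip
import lzma

# Two stdlib codecs.  gzip's header carries a timestamp, so mtime=0 keeps
# its output deterministic between runs (otherwise two compressions of the
# same bytes would differ in the header and spoil the prefix comparison).
CODECS = {
    "xz":   (lambda d: lzma.compress(d),                           # default preset
             lzma.decompress),                                     # handles concatenated streams
    "gzip": (lambda d: gzip.compress(d, compresslevel=9, mtime=0),
             gzip.decompress),                                     # handles multi-member data
}


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Leading bytes two blobs share: roughly what rsync can skip cheaply."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def single_stream(parts, codec: str) -> bytes:
    """Compress all parts as one continuous stream (no restart points)."""
    comp, _ = CODECS[codec]
    return comp(b"".join(parts))


def restarted_streams(parts, codec: str) -> bytes:
    """Compress each part as its own stream and concatenate the streams,
    the layout the reply above says packages use to help rsync."""
    comp, _ = CODECS[codec]
    return b"".join(comp(p) for p in parts)


def roundtrips(blob: bytes, parts, codec: str) -> bool:
    """True if the decompressor returns the original bytes in one call."""
    _, decomp = CODECS[codec]
    return decomp(blob) == b"".join(parts)


def compare(codec: str, part_a: bytes, part_b: bytes, part_b_edited: bytes) -> dict:
    """Measure how an edit in the second half affects the compressed output
    with and without a stream restart between the halves."""
    before_single = single_stream([part_a, part_b], codec)
    after_single = single_stream([part_a, part_b_edited], codec)
    before_restart = restarted_streams([part_a, part_b], codec)
    after_restart = restarted_streams([part_a, part_b_edited], codec)
    first_stream_len = len(CODECS[codec][0](part_a))
    total = len(part_a) + len(part_b)
    return {
        # concatenated streams must decompress back to the concatenated input
        "restart_roundtrips": roundtrips(after_restart, [part_a, part_b_edited], codec),
        # identical leading bytes before/after the edit, per layout
        "single_shared": common_prefix_len(before_single, after_single),
        "restart_shared": common_prefix_len(before_restart, after_restart),
        # with a restart, at least the whole first stream is guaranteed identical
        "first_stream_len": first_stream_len,
        "ratio_single": len(before_single) / total,
        "ratio_restart": len(before_restart) / total,
    }


# Constructed sample data standing in for two halves of an install set.
PART_A = b"".join(b"set-a/file-%05d mode=0644\n" % i for i in range(3000))
PART_B = b"".join(b"set-b/file-%05d mode=0644\n" % i for i in range(3000))
# The "edit": one entry near the start of the second half changes.
PART_B_EDITED = PART_B.replace(b"set-b/file-00000", b"set-b/file-PATCH")

if __name__ == "__main__":
    for name in CODECS:
        print(name, compare(name, PART_A, PART_B, PART_B_EDITED))
```

The restarted layout costs a little ratio (each stream repeats its header, trailer and, for xz, index) but guarantees that an edit in a later stream leaves every earlier stream byte-for-byte identical, so rsync's block matching only has to move the tail. A single stream gives no such guarantee; with deflate in particular, an edit inside a block changes that block's Huffman tables and can rewrite far more than the edited region.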

              1. By Anonymous Coward (79.247.178.193) on

                > > > > Improving even this forum would be awesome... but hey...
                > > > > HT:DIG ain't even in the ports... :D
                > > >
                > > > Why would you want Dig when Drill is in ports?
                > > >
                > >
                > > P.S. or "EXTRA":
                > >
                > > I did field tests with "zst" (aka Zstandard); the compression is better than LZMA2.... it should get into base and be used. The size of the install sets or ports could get reduced massively.. MIT licensed...
                > >
                > > Or in other words: please consider it... test it maybe... I tested several files and it performed 87% better (compression ratio and performance).
                > >
                > > Here the results with the NSA leaks:
                > > 436M nsa.tar.xz
                > > 902M nsa2.tar
                > > 413M nsa2.tar.zst
                > >
                > > LZMA2 (aka xz) and zst: both are "maximum", zst compressed faster too btw...
                > >
                > >
                > > So.. include zst... MIT licensed... no slower than gzip...
                >
                > How's the memory use?
                >
                > Can it handle concatenations? (packages use concatenated compressed files to restart the compression stream occasionally, to help rsync data to the mirrors)
                >
                > How's the patent situation?

                Advise me how to do the tests.... and I'll do them, but you could do them yourself because the tools got included into current.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]