OpenBSD Journal

Response to OpenBSD's security enhancements

Contributed by jose on from the defense-on-many-fronts dept.

Yet another anonymous reader was the first to write to us about a message describing the recent changes in OpenBSD's security infrastructure:

"List:     openbsd-misc
Subject:  our recent security stuff
From:     Theo de Raadt
Date:     2003-02-03 5:45:36

The most amazing thing about this new buffer overflow stuff is that it
appears noone in any other project has commented on it in a public
mailing list anywhere.  Eerie silence.

I don't know about how you guys view that, but to me it is pretty
depressing that none of these other projects (or their users) see the
impact and import of these changes; that indicates a large lack of
vision.

The interesting side of ProPolice is that it will, once we ship 3.3,
be on everyone's OpenBSD machines.  People will run buggy software.
ProPolice catches bugs at run-time.  When a buffer overflow is
accidentally (or purposefully) hit, a syslog will be delivered naming
the function where the problem happened, before the program aborts.
Since our noses are stuck in the source, and our run-time testing
methodology is weak (as weak as the entire industry) many bugs will be
found; safely.  Many bugs will be found, because there's only a few of
us running this stuff now, in the way we run it.  But when these
runtime errors are caught, it will be easy to find the actual bugs.
And easy for an attacker to attack the same software on another
system.  I don't know how large this impact will be.

However, it is possible it might be big.

I used to ask Crispin Cowan if StackGuard had ever found any regular
bugs; and he never said yes... well, since integrating ProPolice we've
already found a whole bunch of bugs as a result of it.  So, this
might be very interesting...

Link: http://marc.theaimsgroup.com/?l=openbsd-misc&m=104425125001567&w=2 "
Recall that every stack protection mechanism has been defeated in some form or another, but OpenBSD's multifaceted stance is sure to help protect things a bit further. Theo's right, the wider community's silence is interesting.
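Theo's post describes the run-time side of ProPolice: an overflow is caught when the protected function returns, a syslog message names the function, and the program aborts. The C program below is an added illustration written for this page, not ProPolice's or OpenBSD's code. It models a protected frame as a byte array with a canary word placed right after the buffer (the position a stack protector uses so that an overflow must cross the canary before reaching the saved frame pointer and return address) and checks that word before "returning", the way the compiler-inserted epilogue check does. The names `copy_into_frame`, `check_canary`, the canary constant and the inputs are all constructed for the example; a real protector picks the canary randomly at process start and aborts instead of returning a status.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a ProPolice-style protected stack frame: a fixed
 * buffer is followed by a canary word that sits between the buffer and
 * the saved frame pointer / return address. An overflow running off the
 * end of the buffer has to pass through the canary before it reaches
 * control data, so checking the canary before return detects it. */
#define BUF_SIZE 16
#define FRAME_SIZE (BUF_SIZE + sizeof(uint64_t))

enum { FRAME_OK = 0, FRAME_SMASHED = 1 };

/* Per-process canary. A real protector draws this randomly at startup;
 * this is a constructed constant for the example, not a real value. */
static const uint64_t canary_value = 0x9f3c5a77d1e0428bULL;

/* Epilogue check: compare the canary stored in the frame with the expected one. */
static int check_canary(const unsigned char *frame, const char *func)
{
    uint64_t stored;
    memcpy(&stored, frame + BUF_SIZE, sizeof stored);
    if (stored != canary_value) {
        /* ProPolice's run-time support logs this via syslog, naming the
         * function, and then aborts. The model reports and returns instead. */
        fprintf(stderr, "stack overflow in function %s\n", func);
        return FRAME_SMASHED;
    }
    return FRAME_OK;
}

/* A buggy copy into a 16-byte buffer living in a protected frame. The copy
 * length is never checked against BUF_SIZE (that is the bug being caught);
 * the model clamps at FRAME_SIZE only so the demonstration stays
 * well-defined C rather than writing past the array. */
int copy_into_frame(const char *input, size_t len)
{
    unsigned char frame[FRAME_SIZE];

    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_SIZE, &canary_value, sizeof canary_value); /* prologue stores canary */
    if (len > FRAME_SIZE)
        len = FRAME_SIZE;
    memcpy(frame, input, len);   /* overflows into the canary whenever len > BUF_SIZE */
    return check_canary(frame, __func__);
}

int main(void)
{
    const char *ok  = "hello";                      /* constructed input, fits in the buffer */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* constructed input, 24 bytes, too long */

    printf("short input: %d\n", copy_into_frame(ok, strlen(ok)));   /* 0: canary intact */
    printf("long input:  %d\n", copy_into_frame(bad, strlen(bad))); /* 1: canary smashed */
    return 0;
}
```

The useful point for a defender is the one Theo makes: the check fires on the first byte past the buffer, so the bug is reported at the function that overflowed, before any corrupted return address is used, which turns a silent crash or exploit into a named, loggable event. With a real compiler the same effect comes from `-fstack-protector`; the model only makes the mechanism visible.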

(Comments are closed)


Comments
  1. By systrace () grifter@w3dev.net on mailto:grifter@w3dev.net

    most people i know only take security semi seriously. "only if it's convenient" they say, of course, until the day they're screwed and out of a job. This is _huge_, and is a great example of where doing things right can get you. good job guys! and please visit open.bsdcow.net <-- shameful plug ^_^

  2. By Anonymous Coward () on

    Maybe the eerie silence is because not that many people in the industry actually care. And the ones that do are probably already using OpenBSD. We know that it is really good shit, that's all that should matter...

    Comments
    1. By Anonymous Coward () on

      The industry is still a profession. Threaten it in some way, people tend to be silent.

      Also, I wonder how many people truly understand what was done. I don't. Of those that understand this in concept, how many understand this in detail? In code? And then have the will to implement it?

      The population that *can* comment on this shrinks handily. That, to me, is the probably the primary cause of the silence. Combine that with the industry hands of eyes, mouth, ears, and you get a lot of quiet.

  3. By Anonymous Coward () on http://www.microbsd.net

    Are you joking... This is funny. MicroBSD had Stack Protection Capabilities in 0.1 Over 2 Years ago. It was ported to the system by the author of the code on the MicroBSD team's system. Been there, Done that & now moved on. The founder even stated he has both MicroBSD/OpenBSD/FreeBSD based systems that use the same code. This isn't really news; the capabilities have been around, but they have finally been integrated into a larger distro with more exposure and user base. Though MicroBSD has still pulled further ahead by enhancing their fork of OpenBSD with further security features not yet found in the other BSDs, and some ported from FreeBSD/NetBSD.

    Comments
    1. By djm () on

      Theo's post wasn't just noexec stack. I suppose that MicroBSD has WorX, pp and the ELF section tricks too?

      Comments
      1. By Anonymous Coward () on

        They track all BSDs, so I'm sure they are in sync with current on OpenBSD also....

    2. By schubert () on

      MicroBSD also had the utter stupidity of including the Stephanie project code which causes kernel panics quite easily (I spent a lot of time testing out stephanie and yes it does suck for that reason. The main problem was with the k5 binary md5 feature and the ld preload protection. And yes this is why I believe it was never accepted, not to mention it's really really ugly code and doesn't really SOLVE the underlying problem, it just defers it).

      Two years ago? Are you an idiot? According to freshmeat the initial announcement for 0.1.1a was LESS than ONE year ago.

      0.1.1Alpha Initial freshmeat announcement 13-May-2002 21:42

      http://freshmeat.net/releases/84225/

      Unless by some freak of nature it took them 15 months to move from 0.1 to 0.1.1a, or they just then decided to post on freshmeat; you wouldn't know from their website since they seem to have a habit of not keeping a real history of previous releases.

      Do you always rant and rave and carry on without fact checking? (be glad you did so anonymously)

      I'm glad MicroBSD exists, it seems to be where alot of useful and not useful and just plain BAD additions to a bsd system can be made, tested, played with yadda yadda. But to hell if its going on one of my boxes, not without some substantial proof of integrity of those additions.

      Comments
      1. By Anonymous Coward () on

        Where have you been, it's all been re-written and doesn't have issues anymore.... look at 0.6RC2

        Comments
        1. By schubert () on

          Hey author of microbsd, quit posting anonymously and even bragging about your own project anonymously; it's not very discreet that you chose this THREAD'S subject line as "MicroBSD has been there, done that...." and shockingly the same NAME for your latest news thread on your website. Have you no shame?

          Comments
          1. By Anonymous Coward () on

            Bragging. not at all. just setting the record straight. its not really that important overall. Anonymous even... not looking to flame anyone, just providing some information is all.

            Comments
            1. By schubert () on

              I'm done feeding this troll for one night. Welcome to my killfile.

            2. By click46 () click46@operamail.com on www.genmay.net

              the fact that you don't have the huevos to post comments under a real account shows how seriously MicroBSD is to be taken.

              good luck with that.

      2. By Anonymous Coward () on

        We actually had it integrated in November of 2000, and we tested it for months before we posted the 0.1 release to freshmeat.net, so no, due to the timeline of when the work was done, it's been over two years. I checked my facts, sorry you didn't have them all. Proof of integrity is in the CVS server and CVSweb. Check it out for yourself...

      3. By brian () on

        i don't know when was the last time you looked at stephanie, but most of what sucked in it in early versions was fixed... locking problems which caused panics were resolved and various parts were taken out/replaced (k5 -> verified exec from brett lymn, restricted symlinks taken out, pointless)...

        stephanie doesn't try to solve any problems; it exists to allow people who like that "extra layer" to have it. you are more than invited to try the latest version and comment on what you think should get fixed. :)

    3. By couderc () on

      Well when i look at MicroBSD's cvsweb i see that stack protection has been added on 2002/11/18.

      I'm also curious why OpenBSD has been imported instead of the MicroBSD sources?
      MicroBSD sources should have been ready to import; this would have avoided committing changes.
      I'm also amazed by the way they manage to sync with OpenBSD ...

    4. By Anonymous Coward () on

      bzzz... bzzz... bzzz... bzzz... THWAAACK!

  4. By Anonymous () on

    Maybe I'm dense and don't see the obvious, but...
    Won't non-executable data make it tough/impossible to create language implementations that use incremental compilation (aka just-in-time compilation, "JIT"), which is in effect a controlled form of self-modifying code?
    Such techniques are important for high-performance implementation of the more dynamic languages, like Lisp and Java.

    Comments
    1. By Parturient Ungulate () on

      Good point! I can see that being a problem, even though the standard answer will be 'We don't care'.

      It would be interesting to find out whether the existing mechanisms can be used to run generated code (mmap, etc), or if a new mechanism, syscall, whatever is in order. Are you up to the task?

    2. By Anonymous Coward () on

      the program is required to mprotect() the data if it needs it to be executable. not doing so is a bug in the program.

      Comments
      1. By Anonymous () on

        > mprotect() the data

        Yes, but what happens on those architectures where you cannot actually set the protection in a fine-grained way?

        Consider the i386, where, as Theo says, you can only "draw a line" across the address space. To write the code, the memory needs to be allocated on the writable-but-nonexecutable side of the line. To execute, it has to be moved to the executable-and-protected side of the line, which changes its address.

        I think mprotect() cannot do this! You need to define a new system call like

        exe_addr = make_executable(data_addr);

        where exe_addr points to the executable code and is different from data_addr, if the CPU does not support making the page executable in-place.

        Comments
        1. By tedu () on

          on i386, if you mprotect a page of the stack to be exec, then the whole thing becomes exec.

    3. By Janne Johansson () on

      They will just have to mprotect(). And if one platform needs to do magic, then they'll just have to make a magic_mprotect() for it. No big deal. Whatever the loops are, it STILL is a good idea, since external injected code can't execute before it's magic_mprotect()ed anyway, so it can't mprotect() itself. This is why it's worth the while.

    4. By Anonymous Coward () on

      I hope that Java will be able to work in JIT mode. Sun's HotSpot JVM can run very very fast. I am hoping/expecting that there will eventually be a release of it for FreeBSD/OpenBSD. Java + OpenBSD with the new stack protections will be an extremely secure system for servers. It would be hard to do better because there would be many layers of protection: Java itself is extremely secure, and then run that inside OpenBSD. That's excellent.
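The thread above settles on one rule for JIT compilers under a non-executable-data policy: generated code goes into writable, non-executable memory, and the program itself must call mprotect() to make it executable before jumping to it. The C program below is an added example for this page (not code from the page, from OpenBSD, or from any JIT mentioned) showing that sequence on a Linux or BSD system with mmap/mprotect: map a page read/write, copy a few constructed bytes of machine code in, flip the page to read/execute, then call it. The names `jit_emit`, `run_generated`, `kernel_allows_wx` and `page_round` are this example's own; the machine-code bytes are constructed for x86 and aarch64 only, and other CPUs simply report "unsupported".

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*jit_fn)(void);

/* Machine code for a tiny generated function that returns 42.
 * Constructed for the example; unlisted CPUs fall back to "unsupported". */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char code_ret42[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }; /* mov eax,42 ; ret */
#define JIT_ARCH_OK 1
#elif defined(__aarch64__)
static const unsigned char code_ret42[] = { 0x40, 0x05, 0x80, 0x52,   /* mov w0,#42 */
                                            0xc0, 0x03, 0x5f, 0xd6 }; /* ret        */
#define JIT_ARCH_OK 1
#else
static const unsigned char code_ret42[] = { 0x00 };
#define JIT_ARCH_OK 0
#endif

/* Round a byte count up to whole pages, since mprotect() works on pages. */
static size_t page_round(size_t len)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    return ((len + pg - 1) / pg) * pg;
}

/* Emit generated code without ever holding a page that is both writable
 * and executable: map RW, copy the bytes in, then mprotect() to RX.
 * Returns the callable pointer, or NULL if the kernel refused a step. */
jit_fn jit_emit(const unsigned char *code, size_t len)
{
    size_t size = page_round(len);
    jit_fn fn;
    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return NULL;
    memcpy(mem, code, len);                                   /* writable, not executable */
    if (mprotect(mem, size, PROT_READ | PROT_EXEC) != 0) {    /* drop W, gain X */
        munmap(mem, size);
        return NULL;
    }
    __builtin___clear_cache((char *)mem, (char *)mem + len);  /* required on ARM, harmless on x86 */
    memcpy(&fn, &mem, sizeof fn);   /* object pointer -> function pointer without a cast */
    return fn;
}

/* Emit, call and release the generated function. Returns its result (42),
 * or -1 when the CPU is unsupported or the protection flip was refused. */
int run_generated(void)
{
    if (!JIT_ARCH_OK)
        return -1;
    jit_fn fn = jit_emit(code_ret42, sizeof code_ret42);
    if (fn == NULL)
        return -1;
    int result = fn();
    void *mem;
    memcpy(&mem, &fn, sizeof mem);
    munmap(mem, page_round(sizeof code_ret42));
    return result;
}

/* The request a W^X-enforcing kernel refuses: W and X on the same page.
 * Returns 1 if the kernel allowed it, 0 if it refused. Stock Linux allows
 * it; OpenBSD refuses it unless the binary is marked as needing W|X. */
int kernel_allows_wx(void)
{
    size_t size = page_round(1);
    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return 0;
    int allowed = mprotect(mem, size, PROT_READ | PROT_WRITE | PROT_EXEC) == 0;
    munmap(mem, size);
    return allowed;
}

int main(void)
{
    printf("generated function returned %d\n", run_generated());
    printf("kernel allows RWX pages: %s\n", kernel_allows_wx() ? "yes" : "no");
    return 0;
}
```

The ordering is the whole point Janne Johansson makes: the code buffer is inert until the program deliberately asks for execute permission, so bytes an attacker manages to inject cannot run first and cannot grant themselves execute permission. The `kernel_allows_wx` probe is informational only; on a kernel that enforces write-xor-execute it returns 0, and a JIT written as `jit_emit` is written keeps working there because it never needs both permissions at once.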

  5. By Anonymous Coward () on

    http://mail-index.netbsd.org/tech-kern/2003/02/02/0009.html

    Maybe it hasn't gotten as much admiration as theo would like, but it hasn't exactly been ignored either.

  6. By RooTchO () rootcho@microbsd.net on www.microbsd.net

    I want to clear something up about MicroBSD, since many people think it is just crap:
    > appears noone in any other project has commented on it in a public
    > mailing list anywhere. Eerie silence.
    > I don't know about how you guys view that, but to me it is pretty
    > depressing that none of these other projects (or their users) see the
    > impact and import of these changes; that indicates a large lack of vision.
    First let me tell you the MicroBSD team had this vision from the start,
    since they were first to release stack-protection in 0.1 in 2001.
    Second, they have added/modified and re-written a lot of other features that you don't find in any BSDs (ACLs). We don't want flame wars; we want just the credit for doing it first.

    Comments
    1. By Anonymous Coward () on

      * How many bugs have you (MicroBSD) fixed using propolice?
      * How did propolice work in MicroBSD, as there clearly were some bugs in it (these bugs are fixed, thanks to OpenBSD and etoh@)?

    2. By Anonymous Coward () on

      Just like non-executable stacks would be a /new/ thing?

      kiddies ...

    3. By Anonymous Coward () on

      So I visit the microbsd.net web site for the first time, see all the nicknames and almost no real names which have verifiable track records. The domain is registered to some unknown company with a PO address, the contact info is a hotmail email address and no real name either.

      You guys have a serious credibility problem. No wonder you get ignored, if you're not standing up to your work with your real reputation.

      Would you trust your network's security to someone you can't fly over to and kick his butt in person if he fucks up?

      Comments
      1. By Anonymous Coward () on

        If your network fucks up, kick yourself in your own butt (or get your boss to).

        The free BSDs come with absolutely no warranty.

        Fact is, no matter who you are, past, present or future, mistakes you will make. Some of the World's absolute finest can make probes that land on Mars (back in the 70's) and other probes that travel, explore and communicate for decades, but then also turn a space shuttle into a meteor shower.

        Comments
        1. By Anonymous Coward () on

          The comment was on credibility. Not on mistakes. OBSD has made many mistakes in the past. But they are of credible people.

          You have little to no credibility. Hence, you are ignored. Don't like it, then change. Don't care, then keep coding and shut up and be silent and let your code speak for itself. Instead, you have done neither.

        2. By Anonymous OBSD user () on

          This is hardly the same thing. Conflating situations where organizations involved in risky behaviour (i.e., the space program) and offering risk-free money-free software is clearly not the same thing.

          uBSD may, in fact, be cooler than a bag of liquid nitrogen. It's hard to tell, though, as the people behind the project do not seem to understand the concept of "accountability" and "transparency".

          The fact is, you are coming across as a bunch of script kiddies. If you want to be taken seriously, then you may want to consider an attitude adjustment.

      2. By matteo () on

        what a prick. you have the balls to post that as an anonymous coward?

        i haven't been to the microbsd site, but all the weak egos complaining that they aren't any good because they have funny names reminds me of what i didn't like about 3rd grade.

        grow up folks!

    4. By djm () on

      It will be a cold day in hell before I use an OS produced by people who use skript-kiddie nicknames.

    5. By lars Hansson () lars@unet.net.ph on mailto:lars@unet.net.ph

      Wow, remaking Theo's post. How original. Sort of like how you copied the text from the OpenBSD site to your site. Original and innovative, indeed.
      You know what? The day you guys stop hiding behind retarded nicknames (Hackers sucked, kiddo) and take some actual pride in your product people might consider taking you seriously.
      Until then you're just some lamers with little to show and nothing to be credited for.

  7. By Anonymous Coward () on

    Over 200 posts there, Oh. wait, seriously he said.... my mistake... Some of them were serious.

  8. By RC () on

    I wouldn't think that this would surprise Theo at all. OpenBSD has been quite a ways ahead of everyone else since its inception. How long after the source audits began did people start noticing that OpenBSD had gone years without any exploits? Whatever answer you prefer, I'm sure no-one would answer `before it was released'.

    Glad to hear that Theo is excited about it, but it's still VERY early on in the process. I wouldn't expect any interest until, AT LEAST, after 3.3 is released and tested.

  9. By Anonymous Coward () on

    The "eerie silence" is because everyone outside of OpenBSD is saying "so what?".

    Others had already been looking at ProPolice, before Theo decided it was cool enough to integrate, same as they already use ELF's .rodata and are working on changing compilers and the kernel to support non-executable stacks.

    So you might say OpenBSD is still playing catch up with others when it comes to security on the fronts mentioned in Theo's post.

    Comments
    1. By Anonymous Coward () on

      Darren, is that you?

      Comments
      1. By Anonymous Coward () on

        must be, some trolls are easily detectable by their unique smell

        Comments
        1. By Anonymous Coward () on

          lol .. nice message

    2. By Anonymous Coward () on

      Maybe others have been looking at using these options, but the point is that OpenBSD is the first to integrate them. I hardly call that catch up.

      Comments
      1. By Anonymous Coward () on

        No, OpenBSD is not the first to integrate them... some of them, but stack-protection was first integrated in MicroBSD, over a year ago.

        Comments
        1. By Anonymous Coward () on

          No, OpenBSD is the first to integrate this set of feature (this isn't limited to propolice)!

        2. By Anonymous Coward () on

          That's nice.

          Umm, and who are you folks again?

  10. By Anonymous Coward () on

    Let me be the one using Linux 2.4 coupled with the grsecurity patch (based on Solar Designer's OpenWall Linux 2.2 stuff).

    Comments
    1. By Anonymous Coward () on

      you can have your 3rd party band-aid patches.

  11. By Thio Deraatd () thio@redhat.com on http://www.deraatd.org

    Hi guys, this is Thio. I just found a serious buffer overflow in the OpenBSD kernel and I'm sick to death of all the other kernel developers.

    Over the recent past, I have growingly lost faith in the OpenBSD platform and recognize Linux's leading edge value in the enterprise marketspace. I was recently offered a job by Red Hat, Inc and after much turmoil and thought have decided to accept their offer. I will be in charge of bringing OpenBSD's more security-focused features to the Linux kernel.

    Thus, let it be known that today I am resigning as the OpenBSD project lead. Thank you for the many wonderful years in the project, good luck. List members, please post this to the appropriate mailing lists, thanks.

    Sincerely,
    Thio Deraatd
    (Former) OpenBSD Project Lead

    Comments
    1. By Anonymous Coward () on

      You're really funny, NOT. Lamer!

    2. By Anonymous Coward () on

      cool Theo should help out with grsecurity then :P

    3. By kremlyn () on

      I pity the fool.

    4. By Anonymous Coward () on

      I vote that OBSD keeps its news off of slashdork from now on...

  12. By Anonymous Coward () on

    I think this is great for all of us who are running Windows+Linux on the same computer.

    Comments
    1. By Anonymous Coward () on

      Why would it be?

  13. By Anonymous Coward () on

    Wonder if it would have any positive effect on XFree86...

  14. By Anonymous Coward () on

    I'm installing 3.2 from my CD set on an old sparcstation now, and then I'm going to update to -current.

    Is the propolice stuff enabled by default, or do I have to do something special before I compile the system?

    Comments
    1. By Anonymous Coward () on

      Just install a snapshot. That's it.

      Comments
      1. By Anonymous Coward () on

        aaaahhh!! I see. I thought I had to "cvs update" then recompile. I'll just do an FTP install from ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/sparc/ instead.

  15. By Klaus Feiertag () on

    How do these security enhancements compare to those of commercial Unices (AIX, HP-UX, Solaris) and maybe Linux?
    Or better formulated: how do the latter compare to OpenBSD in this respect? Any URLs, hints?

    Thanks

    Comments
    1. By Michael van der Westhuizen () on

      Well, I can give you a little bit of info on HP-UX 11.00. From the 'chatr' man page:

      +es flag

      Control the ability of user code to execute from stack with the flag values, enable and disable. See the Restricting Execute Permission on Stacks section below for additional information related to security issues.

      The "Restricting Execute Permission on Stacks" goes on to explain what we all have heard already about executable stacks, then states:

      The message logged by the kernel is:
      WARNING: UID # may have attempted a buffer overflow attack. PID # (program_name) has been terminated. See the '+es enable' option of chatr(1).

      So the logged message points to the program, not the function.

      A little later the man page explains that setting the kernel tunable parameter "executable_stack" to 1 (default) should only be done for compatibility with older releases, while setting it to 0 is recommended for security sensitive systems.

      The other valid value for "executable_stack" is 2, which means that non-fatal warnings will be logged - otherwise its behaviour is the same as 0.

      The man page this information is from states that it applies to HP-UX 11.11 (11i) while the system is 11.00 - I'd assume it applies to both systems.

      The +es option applies to both PA32 SOM and PA64 ELF executable formats.

    2. By Anonymous Coward () on

      AIX (4.3.3-10 .. 5.1-2) has nothing to configure, but at least logs core dumps along with ldd and whatever output to the errpt log (not syslog), thus helping a great deal to hunt bugs.

  16. By marc () on

    Microbsd must have a good logo, a good website, documentation, everything that shows it is a serious project. If not, not many people will even download and install it. And like someone said, stop using pseudonyms and put your real names. If it is a fork of OpenBSD, say so, and say who you were in the OpenBSD team.

    Comments
    1. By Anonymous Coward () on

      I'm sure there is a standards doc somewhere to be accepted as an Open Source OS. I couldn't find one, so what makes you all think they could either? Do any of you realize that these people in the MicroBSD group total like 10 people? How much work can be done with 10 people? Well it seems they are concentrating on code/features. I know that if more people stopped beating them up for lacking things, and started contributing to the project, maybe they would soon gain those things that were missing. This takes work you know, and I am sure they probably have full time jobs also. Stop beating them up and start helping, or shut the hell up!

      Comments
      1. By Anonymous Coward () on

        Why waste your energy on MicroBSD, when OpenBSD doesn't have enough manpower (and financial resources)? Drop MicroBSD and start working on OpenBSD!

        Comments
        1. By Anonymous Coward () on

          Now that they start selling CDs and T-shirts and accept donations, they start "stealing" financial resources from OpenBSD.

      2. By marc () on

        yes you are right, but every starting project is very hard because you must do 200% more work than normal to be accepted, and if it isn't done, even if you have the best project, you attract no one.

    2. By ihate'distro'BSDs () on

      MicroBSD really must do something to actually innovate before people give a poop.

      Really every thing they've done is just incorporate patches from various sources into essentially a distro. If they actually broke new ground on a challenging problem of their own effort, maybe it would raise some more eyebrows - e.g. if they got x86 over to ELF; or got decent SMP support all on their own. Then maybe someone would give a rats ass and borrow some of their code instead of the other way around. As it stands, incorporating other people's patches does not make you unique. Just as "sticking feathers up your ass does not make you a chicken."

      I see plenty of other OpenBSD derived releases without the bad karma (e.g. Opensoekris) because they "ain't frontin'" - straight up, such projects know that they're doing little more than the average clued in OpenBSD user with some time and energy. Meanwhile, I think 99.9% of people (or even clued in OpenBSD users) do not have the wherewithal or desire to build and mold -new- things to their needs as OpenBSD has (e.g. pf, openssh, systrace, etc).

      Comments
      1. By Anonymous Coward () on

        Well said.

  17. By Che Ge Rootvara () fu@ck.yu on www.nahuy.com

    Show me one thing that is truly innovative and original. So far I see a bunch of talented repackagers at best, more talented than some others and even more and more talented than some other others. Neither Linus nor Theo can comprehend simple things; the difference is that Linus is a cunning fox playing the crowds. Theo is an underappreciated and pitiful misanthrope who happens to be an excellent coder and who has not learned enough to make his sparc64 port actually work. He was not taught that while in the NetBSD camp, it was too early.
    When he started Open it was called "NetBSD and some more", not less, later he discovered security scare venue.
    So, what's innovative and truly original in Open?

    Comments
    1. By Brad () brad@comstyle.com on mailto:brad@comstyle.com

      The sparc64 port works just fine. Come back when you have half a clue.

    2. By grey () on

      Not to feed the trolls, but this brings an opportunity to elucidate folks on some of the lesser known bits about OpenBSD (as far as I have come to learn them at least).

      Actually, when he started OpenBSD it was purportedly called ScandinavianBSD - not "NetBSD and some more" - due to the number of Scandinavians who were helping him early on. The security initiative also began pretty much from the get-go as it appeared that very early on some of his machines were tampered with (read: pieces of coremail were deleted from what I recall) by someone with a bit of knowledge about unpublished NetBSD vulnerabilities. This provided the first incentive to really begin the first code audit (which was in process as early as 2.1 - the first 'official' release).

      That's more or less a recapitulation of some of the points Theo mentioned at his 2001 talk at CanSecWest - I may have screwed up on some of the details, but it's close to what I remember at least.

      I know, it's a long read (but I think well worth it), but if you ever bothered to read coremail (http://zeus.theos.com/deraadt/coremail.html), you would have noticed that Theo's frustration and eventual fork with the NetBSD core team was related to some 10k lines of Theo's own code to improve original sparc support that he was not allowed to commit himself. You should cough up some facts about Sparc64 status as it stands, beyond things that Theo et al have already admitted themselves to be porked due to insufficient documentation. I don't think I have ever heard claims that NetBSD's sparc64 support is more mature [though I have heard such things regarding Linux support, as they have had documentation - whereas OpenBSD has not even been offered an NDA to sign]. Older sparc64 architectures are doing OK as it stands, but USIII (and looking forward towards USIV & USIIIi) support is seriously hindered by lack of cooperation from Sun.

      As far as what is truly innovative & original - you need to remember that OpenBSD isn't about the newest and coolest features, so much it is about -correctness-. That said, performing a full & ongoing audit on their tree was a first for opensource OS's, being the first OS to ship with ssh [their own BSD-licensed version no less], being the first OS to ship with IPSec support, and on and on.

      I think what OpenBSD has really garnered is a reputation based on true merits. Certainly there are other people out there doing similar work (or even more advanced work) - but it is primarily independent and not well tested. When OpenBSD takes the time to adopt something, they go whole hog and really work to get a lot of the kinks out. The Propolice example is only a recent one of something that had been ignored for several years by the community - until OpenBSD adopted it, and now the original developer has worked in cooperation to effect some 2500 lines of changes to the original. That's a real sign of cooperation with other like minded developers - which many independent projects will never attain because they're too focused on simply looking cool rather than hammering things to completeness. I think you'll notice that for dedicated individuals, there has actually been a lot of cooperation with the OpenBSD project. Theo and Solar Designer seem to have quite a bit of respect for each other, and even though OWL and OBSD have different license-oriented goals - you'll notice that OpenBSD adopted popa3d as part of the base install (though not enabled). While OBSD might have been slower on the uptake of stack protection than others, I don't think anyone can argue that they have done it in a half assed way; in fact just the opposite seems to be true.

      What to me seems to be innovative and original is that here we have a software project which is more concerned with quality & correctness - traditional craftsmanship values - than anyone else is, publicly. They're -not- trying to win any races in speed, or have cool whizbang chromey features, they're not trying to glorify themselves either - they realize that humans are fallible, and so they do their best to correct mistakes [which very often are in other people's software]. As such the trust and respect they get is one that is earned; I don't see any other project matching them there yet. If you have some examples of software out there that match that in innovation & originality - please let us all know. But I'll bet that if you do, they're not things that many OpenBSD folk have a beef with (e.g. maybe postfix or djbwarez [which I think most OBSD users respect, even if they don't -get- DJB himself]).

      Comments
      1. By Anonymous Coward () on

        "The Propolice example is only a recent one of something that had beeen ignored for several years by the community - until OpenBSD adopted it!"

        Are you joking..? Ignored for several years by all the BSDs but MicroBSD. Everyone says how OpenBSD, and BSD in general, overlooked this technology. This is completely not true. Why is it you all decide to downplay the truth and censor other projects that also have merit? I've read nothing but BS when it comes to accountability. If someone were to really do some solid research and maybe look at MicroBSD 0.1 they would see that stack-protection was released by a "lesser" MicroBSD in 2001. Why can't anyone accept the fact that Theo is not the Visionary everyone claims? There are others that exist in this community, well, that could exist in this community if they were allowed to.

        Comments
        1. By Anonymous Coward () on

          The minute you release your real names and don't have to resort to trolling other OS's lists in order to get people to look at your website, you may get taken seriously.

          Sorry about feeding the trolls, but for the love of all that's holy, someone needs to take their meds.

        2. By grey () on

          Yes, MicroBSD adopted it first. Did they work with etoh at all? Were any changes that arose brought back to Propolice? What order of magnitude?

          I don't know the answer to any of those questions, because I don't follow MicroBSD. However, the answer to those three questions is quite clear in the case of OpenBSD, which I do follow - and the Propolice project itself has undergone improvements as a result, not just OpenBSD. So, thanks to OpenBSD's efforts - MicroBSD will also benefit.

          No one is trying to censor MicroBSD, prevent them from existing or anything else. MicroBSD was not even mentioned in my above post, nor in the post from 'Che Ge Rootvara' to which I was responding. It was not a conscious consideration in my post. I am sorry that I did not instead say "The Propolice example is only a recent one of something that had been ignored for several years by the community --AT LARGE--..."

          Moreover, in my response, I think I stated just the opposite of Theo & OpenBSD being 'visionary' - I'm not claiming that, nor would I argue that. What I feel is unique to OpenBSD is that the project focuses on correctness, not the latest and greatest. They tend not to adopt technologies until they are ready to. I would say that this is the opposite of the visionary innovation complex you seem to be obsessing over - you seem only to be arguing with yourself.

          What has traditionally set OpenBSD apart from others, is that when they do finally adopt a technology, a concerted effort is made at doing it right and if they're working from an existing codebase, they try to make some real improvements (OpenSSH started as just v1, but it wasn't a very long wait before v2 support was also added; and even pf was started off of someone else's simplistic packet filtering project). Their efforts are also done cooperatively as often as possible with other development teams (systrace was ported to NetBSD & Linux even before the provos [hopefully just a] hiatus), and that is shown yet again in their Propolice efforts as evidenced by the code changes that have now occurred to Propolice.

          This is a free world, and this is all freely BSD-licensed software. The only thing that will affect MicroBSD is their own work; trust & recognition are gained over time by demonstrated excellence of one's own actions; or at least, that's an ideal to strive for.

          I do not know if MicroBSD is accomplishing that or not, I would have to try it to know. I will state that while MicroBSD once garnered some curiosity as a project I would keep an eye peeled for if I saw some headlines [which jose has posted information on twice to deadly] I am certainly becoming increasingly less interested to try it out on my own due to the continual pandering found on OpenBSD mailing lists & discussion forums, especially by people that aren't even clearly associated with the project [at least Outback Dingo used a consistent handle]. If you are a MicroBSD developer, then you should try to be a little more diplomatic in your advocacy; if you are a user, then you should really think about how you are helping people get a positive image of the project. -EITHER WAY- I think you should stop taking things out of context and acting so defensively on the MicroBSD topic when no one else is directing their comments towards that project negatively.

        3. By Anonymous Coward () on

          By being such a jerk on this OpenBSD related site, you're just scaring away potential MicroBSD users.

        4. By couderc () on

          I'm tired of seeing all these lies.
          Looking at cvsweb I can see this:
          http://cvs.microbsd.net/cgi-bin/cvsweb/src/share/mk/sys.mk?rev=1.1.1.1&content-type=text/x-cvsweb-markup

          So where are the previous versions?
          It has been claimed that cvs can prove all that has been said:
          "Proof of integrity is in the CVS server and CVSweb. Check it out for yourself..."

          As far as I've seen, the changes are lots of sed OpenBSD/MicroBSD and some code changes.
          I haven't looked at ProPolice yet, but as sys.mk was imported for 0.6 I doubt that ProPolice can speak better in the cvsweb.

          The funnier thing is to look at changes like these:
          http://cvs.microbsd.net/cgi-bin/cvsweb/src/sys/net/pf.c

          Sounds like a lot of time is wasted putting changes back after each sync (well, only one sync is visible).

          I think all the above is enough.

          Comments
          1. By Anonymous Coward () on

            I believe if you read their site news, or at least the old site news, they did say something about a cvs hard drive crash. Not to defend them, but to make a point: they said look at MicroBSD 0.1, which according to records was released in 2001. I don't think these guys are looking to disrupt the community, but it seems they are trying to defend themselves from a lot of people claiming they're a fraud in some way. I ask why should they make who they are known to the public at large? I've used software found on freshmeat/sourceforge without knowing the integrity of its author. I don't even know the integrity of a lot of coders. I see everyone badgering them about get a web site, where's the code, who are you. What I don't see is these same people stepping forward and saying, damn... they did make a new web site, they did put their code on cvs. Well to me that at least provides them some credibility in my book. I also did locate a copy of MicroBSD 0.1. It does have stack protection in it, and a diff of the OpenBSD tree and MicroBSD tree from their cvs is quite different, so I wouldn't say it was search & replace. Also if you pop into their irc server you might learn a bit about the group in general. Some of these guys actually are well known to the industry. Problem is they are well known in many diverse areas of this industry. Stop by their IRC, you might be surprised; look at the names of some of their committers... I recognize something a lot of people haven't even taken the time to. Stop beating these guys up and let them work.

            Comments
            1. By couderc () on

              Their cvs was opened to the public early, so nobody could check the sources.
              Also, since we have had ProPolice, bugs have been found. Did MicroBSD fix them? Did they give some feedback to OpenBSD, as it is their base?

              You also say that a diff between the two is quite different; can you please give me some examples of real changes between the two?

              We've been told for a while now that they are well known, so why not put their real names on the web site?

              Anyway, nobody prevents them from "working"...

              Comments
              1. By Anonymous Coward () on

                I have read the articles here, and even looked at their web site; even if it only goes back to 7/2002 it might seem that what they say about a lost drive is correct. They state in the very first news post on the old site that they are currently importing old data to their new site; that was in July 2002. They have been around since before that time. So maybe there is some truth to what they state. I don't care who they are or aren't, I can see their source code in the cvs web and download it. I can diff their changed code from OpenBSD. I can also say if it was a search and replace OS there would not still be defines for NetBSD/OpenBSD/MicroBSD in the same line. If you ask me they hand edited them all manually, which would account for their slowness in release. I could see maybe 4-5 different names in their cvs tree, and it looks like it only contains their version 0.6 code. Though from their cvs tree, it's all been rewritten, so they have written some of their own code. They have even added code to apache & sendmail, csh; there are a lot of changes.

                Comments
                1. By couderc () on

                  Are you kidding ???
                  You call that a lot of changes ???

                  For apache
                  http://cvs.microbsd.net/cgi-bin/cvsweb/src/usr.sbin/httpd/src/include/http_core.h
                  http://cvs.microbsd.net/cgi-bin/cvsweb/src/usr.sbin/httpd/src/main/http_core.c
                  http://cvs.microbsd.net/cgi-bin/cvsweb/src/usr.sbin/httpd/src/main/util_script.c
                  http://cvs.microbsd.net/cgi-bin/cvsweb/src/usr.sbin/httpd/src/support/htpasswd.c

                  For sendmail:
                  http://cvs.microbsd.net/cgi-bin/cvsweb/src/gnu/usr.sbin/sendmail/sendmail/conf.c

                  For csh:
                  http://cvs.microbsd.net/cgi-bin/cvsweb/src/bin/csh/func.c

                  I really hope that you're joking ...

                  Comments
                  1. By OutBack Dingo () dingo@microbsd.net on mailto:dingo@microbsd.net

                    Those are not the only changes that were made for MicroBSD. Dig Deeper.

                    Comments
                    1. By couderc () on

                      That was just a reply to this: "they have even added code to apache & sendmail, csh there are alot of changes"
                      From what I've seen in your cvsweb there are not so many changes; give me some pointers.

                  2. By Anonymous Coward () on

                    Yes. Everything is just taken from http://www.42-networks.com/obsd_patches.

                    They also added some stuff from http://www.stanford.edu/~tedu/ (mainly cgd and device polling).

                    Brian Innu is developing Stephanie (now called ESF, Extended Security Features) in MicroBSD and ported Verified exec from NetBSD (http://www.netbsd.org/Changes/#veriexec_021029).

                    They also added Daniel Lucq's POSIX/1.e work (http://www.lucq.org/openbsd/posix1e.html).

                    The only thing they did themselves was replace OpenBSD by MicroBSD. That's it.

                    Comments
                    1. By Dries Schellekens () on

                      Homepage of the most recent Stephanie is http://hell.innu.org/~brian/stephanie.html

                    2. By OutBack Dingo () dingo@microbsd.net on http://www.microbsd.net

                      http://www.42-networks.com/obsd_patches

                      No, not taken; it was all committed by the person who wrote it, and he is actively involved.

                      http://www.stanford.edu/~tedu/

                      Someone we also helped debug some of the work he did port that we integrated; ask him!

                      Brian Innu is developing Stephanie (now called ESF, Extended Security Features) in MicroBSD and ported Verified exec from NetBSD (http://www.netbsd.org/Changes/#veriexec_021029).

                      Another person who committed brand new re-written code to cvs himself and is also actively participating.

                      http://www.lucq.org/openbsd/posix1e.html

                      Yes, this was integrated by myself, blink blink; I've seen code written by other projects integrated in other BSDs by someone other than the maintainer.

                      We also had Hiroaki Etoh work with us in 2001 to integrate ProPolice, stack protection, and it was done on our servers, and yes it was committed by me after it was finished.

                      There is still more... not bad for 6 people.

                    3. By brian () on

                      Stephanie isn't called "ESF", it's still "stephanie". "ESF" is just "extended security features", how I describe it on my own website.

                      I integrated an earlier version of stephanie into microbsd to make sure I don't get emails/comments like "stephanie doesn't work" because of improper code insertion. I wouldn't call that active participation either - I just make sure my code doesn't generate any complaints from people who're using it...

                      ps: "innu" is not my last name

              2. Comments
                1. By couderc () on

                  Only 2 names? Were you not 10 devs?

                  Also, where are the famous names? I'm sorry, but your two names are unknown to me (well, not yours, but only as related to MicroBSD).

                  And yes, I'm getting a life as often as I can.

                  Comments
                  1. By OutBack Dingo () dingo@microbsd.net on mailto:dingo@microbsd.net

                    Actually about 10 people really in the project, though only 7 actually writing any code. The other 3 are like graphics and miscellaneous stuff.

                    Comments
                    1. By OutBack Dingo () dingo@microbsd.net on mailto:dingo@microbsd.net

                      I don't see a list of published names of developers for any of the other BSDs published anywhere! What is everyone's problem? But then again I guess it's safe to assume that the people that read this site know the integrity of each and every one of them personally.

                      Comments
                      1. By couderc () on

                        Check out each OpenBSD announcement to get the OpenBSD devs.

                        "Problem is they are well known in many diverse areas of this industry. stop by their IRC you might be surprised, look at the names of some of their commiters..."

                        So who are the well-known people?

                        And I still get no reply about ProPolice in MicroBSD. Were bugs found, and if yes, why were they not reported to OpenBSD?

                        Comments
                        1. By OutBack Dingo () dingo@microbsd.net on mailto:dingo@microbsd.net

                          Because at the time back in 2001 when we did ProPolice, OpenBSD hadn't even started into it, and didn't look like they were going to; why report something to someone that didn't use it at the time? Sounds kind of foolish to me. If they were using it then I more than happily would have raised a flag, and given them what I knew. I'm sure there are still things they haven't discovered yet, maybe not, that we may have, but once we do we will let Theo, Hiroaki and the group know. Matter of fact I've had conversations with various OpenBSD developers lately. FreeBSD and NetBSD developers also.

                          Comments
                          1. By couderc () on

                            Well, the only thing I see is that ProPolice has not been easily included in OpenBSD.
                            And as MicroBSD is 99% based on OpenBSD, I'm amazed that you didn't encounter any problem.

                          2. By Anonymous Coward () on

                            Theo said they discovered some bugs thanks to propolice. Did you discover any bugs in MicroBSD (and therefore OpenBSD)? Why were these not reported to OpenBSD?

                            Comments
                            1. By OutBack Dingo () dingo@microbsd.net on mailto:dingo@microbsd.net

                              As it wasn't easily integrated into MicroBSD when we did it, and yes we encountered problems; matter of fact the biggest problems were with rtld, hence the small stack protector patch in that directory. So therefore I'd say yes, we reported the issues found that affected the code to the author, and he fixed them. And no, we didn't report them to any other BSD at the time, because we were the only BSD using it, therefore there was no one to report it to, and what we did find we let Hiroaki know; mind you, we did this over a year ago. And ProPolice code has changed and grown since then; OpenBSD also currently has larger resources than us to find issues. We resolved the issues that we found back then. Now, because more people are actually looking at it, more things are beginning to show up.

                2. By jolan () on

                  OpenBSD has no major sponsors -- the project's infancy was funded by a large cash donation from Theo de Raadt (i.e., "savings").

                  MicroBSD has no major sponsors -- the project's infancy was funded by a large cash donation from the Projects Founder (i.e., "savings").

                  Is there anything you guys don't search and replace?

                  Comments
                  1. By OutBack Dingo () dingo@microbsd.net on mailto:dingo@microbsd.net

                    Well, I appreciate you bringing that to my attention. I've spoken to the person who created the page, and will now, I guess, do a full review of the web site. I appreciate the pointing out of that, though I don't appreciate the sarcasm connected to it. The page has been removed until a new one can be created in its place.

  18. By dmp () on

    Please, we can all use sed, now stop with the MicroBSD crap. MicroBSD appears to be 99.95% OpenBSD. I'll take the 100% OpenBSD from a group of guys who actually put their real names on their work. Who the hell are 'kerberus' or 'god'?? I don't know, and what's more MOST EVERYBODY HERE DOESN'T CARE. When you want to contribute your great coding (beyond sed and awk) back to OpenBSD, feel free to let everyone know. Until then, put up or shut up. Oh, and by the way, learn how to back up cvs. I am really not interested in a distro from people who don't know how to back up data. Is the domain themicrobsdteamreallysucks.com available? :-)

    Comments
    1. By Scott Kamp AKA OutBack Dingo () scottk@microbsd.net on http://www.microbsd.net

      sed/awk sure, believe what you want, also vi; yes it is 96% OpenBSD, 1% NetBSD, 1% FreeBSD, and 1% just code, 1% Crap at the moment. Believe what you want. Logically though OutBack Dingo, AKA Scott Kamp, is my name... happy now...! You still have no clue. Big deal. You want my social security number, home address, telephone number?? My resume maybe? Get a life. I started this to contribute something back to the community. You choose to trash it. Honestly I and the MicroBSD team could care less. You must be the OpenSource guru. Okay, now what, trash us some more. We honestly could care less what is said. By the way I'm not doing this to please anyone. This started as a small hobby for me. Still is actually. You think I take any of what you idiots say seriously? Please. We have been working for more than a year; no matter what you say, it won't stop us from building on what we started. Quick now, scramble to google all you trolls and type in the name... what, can't find anything? Sorry. But I still exist and so will MicroBSD. I could care less if you respect the work, or think it's crap; I do for the most part also. But everyone has to start somewhere. It needs work, we never denied that. We created a new web site, we put up cvs after the first died. Hell, you pay for a 6Meg pipe in your garage and all the needed items that go with it. You don't think I'm going away after dropping 100K in the past 24 months because of some trivial blogger that flames us, do you? Give it a rest, I'm so tired of reading the banter, and the literary crap I see here about MicroBSD.

      Comments
      1. By Anonymous Coward () on

        You're misreading the constructive criticism as aggression, I think. May I suggest that you read

        http://www.firstmonday.dk/issues/issue3_10/raymond/

        and then carefully reflect upon what your reasons are for working on the project and what your goals are?

        Because most people, even if they are not aware of it or blatantly claim otherwise, do care what others think about their work, and it's even a primary motivation.

        If you should realize that this might be the case for you as well, it should become obvious why putting your real name on the project is crucial.

        And if you come to the conclusion that you really don't care about other people's impressions, there's no reason to advocate the project, here or at all, is there?

        We're not asking for your name because we want to harass you. I think you'll be more satisfied if you drop the pseudonyms. It was constructive criticism, based on personal experience. You're free to refuse it, of course.

        Comments
        1. By OutBack Dingo () dingo@microbsd.net on mailto:dingo@microbsd.net

          We have already done everything that everyone suggested, and are actually still building on top of that. I do appreciate the positive feedback that the project has received in the past two years. I also appreciate the fact that there are people that believe what we are doing is actually good, and possibly even useful. It is those I thank for their support. This, I guess, all started in defense of an email that was posted about "others" not having a vision, nor commenting on what OpenBSD has done, then us trying to respond to that in various places, and being completely "censored" and called "liars", trolls and such. I have the email from various people to attest to that, but it is irrelevant. If people want to oppress the truth in the BSD community.

  19. By Commment101 () co@co.us on mailto:co@co.us

    Don't lie to us, this was the initial motto.

    Go and dig the web archives, the web-site is cached and everybody can see.

    How appalling, nobody in the community noticed the capabilities of Plan9 until Theo with Godz Grace will exclaim in despair. Or something along the lines.

    Btw, sparc64 is broken quite a bit on U1; nobody would run this on a SPARC younger than 5 y.o. Go, dig under your rock and gimme some good code, and usable at that...

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]