OpenBSD Archive

“FBI Added Secret Backdoors to OpenBSD IPSEC”

Okay, this is potentially very big news that really needs all the exposure it can get. OpenBSD's Theo de Raadt has received an email in which it was revealed to him that ten years ago, the FBI paid several open source developers to implement hidden backdoors in OpenBSD's IPSEC stack. De Raadt decided to publish the email for all to see, so that the code in question can be reviewed. Insane stuff.

“The Insecurity of OpenBSD”

"OpenBSD is widely touted as being 'secure by default', something often mentioned by OpenBSD advocates as an example of the security focused approach the OpenBSD project takes. Secure by default refers to the fact that the base system has been audited and considered to be free of vulnerabilities, and that only the minimal services are running by default. This approach has worked well; indeed, leading to 'Only two remote holes in the default install, in a heck of a long time!'. This is a common sense approach, and a secure default configuration should be expected of all operating systems upon an initial install. An argument often made by proponents of OpenBSD is the extensive code auditing performed on the base system to make sure no vulnerabilities are present. The goal is to produce quality code as most vulnerabilities are caused by errors in the source code. This is a noble approach, and it has worked well for the OpenBSD project, with the base system having considerably fewer vulnerabilities than many other operating systems. Used as an indicator to gauge the security of OpenBSD however, it is worthless."

OpenBSD 4.6 Released

As mentioned in the release announcement: "Many people have received their 4.6 CDs in the mail by now, and we really don't want them to be without the full package repository. We are pleased to announce the official release of OpenBSD 4.6. This is our 26th release on CD-ROM (and 27th via FTP). We remain proud of OpenBSD's record of more than ten years with only two remote holes in the default install." I really want news like this on the front page, but sadly, the long list of improvements makes no sense to me - I don't know what's important and what isn't. If someone can provide a nice readable summary of the most important improvements, I'll add it to the item and place it on the front page. There we are.

PF Enabled by Default in OpenBSD-current

"As seen here, PF is now enabled by default. The default pf.conf will now pass in all traffic, except for TCP port 6000 normally used by remote X11. By having the X server still listen on port 6000 but letting PF block incoming packets that aren't coming from localhost, you can still use local X sessions that need to talk to the TCP port or run through a port forward from remote, but at the same time not expose your machine on the network. Recent changes to PF, like having packet reassembly enabled on all packets by default, will now help clean incoming traffic."

What’s New in OpenBSD 4.4

O'Reilly interviewed 27 OpenBSD developers to present the new release. They discussed buffer cache improvements, the new malloc(), the work to make the math library more C99 compliant, what is new in the SCSI area, crypto support for softraid, a lot of fundamental work happened in PF, a new tool to merge configuration files during upgrades, the status of OpenCVS, some cool features of OpenSSH 5.1, the initial support for USB webcams, the never-ending work on improving and extending the sensors framework, and more.

OpenBSD 4.3 Released

Theo de Raadt has lifted the veil off OpenBSD 4.3. "We are pleased to announce the official release of OpenBSD 4.3. This is our 23rd release on CD-ROM (and 24th via FTP). We remain proud of OpenBSD's record of more than ten years with only two remote holes in the default install." Boasting as always, but when it's justified, arrogance is a virtue.

Stallman: ‘OpenBSD Ports Suggests Non-Free Software’

Richard Stallman sent a message to OpenBSD-Misc, explaining why he doesn't recommend OpenBSD. "From what I have heard, OpenBSD does not contain non-free software (though I am not sure whether it contains any non-free firmware blobs). However, its ports system does suggest non-free programs, or at least so I was told when I looked for some BSD variant that I could recommend. I therefore exercise my freedom of speech by not including OpenBSD in the list of systems that I recommend to the public." His mail started a huge thread (that's just page 1) and since then he's under a blast of messages from Theo de Raadt and the OpenBSD users. De Raadt replied: "Richard, you are wrong. You said very clearly in your interview that the ports tree contains non-free software. It does not. It is just a scaffold of Makefiles containing URLs, and an occasional patch here or there. You are just plain wrong. And you are not enough of a man to admit that you are wrong. I may be unfriendly at times, but you are a power-misusing hypocritical liar who attacks projects that try harder than any others to only make free software available. Shame on you."

OpenBSD 4.2 Released

OpenBSD 4.2 has been released. "We are pleased to announce the official release of OpenBSD 4.2. This is our 22nd release on CD-ROM (and 23rd via FTP). We remain proud of OpenBSD's record of more than ten years with only two remote holes in the default install." Update: A what's new article at ONLamp.

OpenBSD: Virtualization Security

A thread on the OpenBSD -misc mailing list began by discussing whether or not XEN had been ported to OpenBSD, "is it planned at some point to release a paravirtualized xen kernel for OpenBSD 4.3 or 4.4?" Later in the discussion it was suggested that virtualization should be a priority for security reasons, "virtualization seems to have a lot of security benefits." OpenBSD creator Theo de Raadt strongly disagreed with this assertion, "you've been smoking something really mind altering, and I think you should share it."

More on OpenBSD’s New Compiler

"A few weeks ago, the OpenBSD Project announced that the Portable C Compiler had been added to the OpenBSD source tree. There has already been some explanation of why the traditional GNU Compiler Collection is troublesome and why a new compiler is needed, but there are still some details left uncovered. In this interview, Theo de Raadt and Otto Moerbeek of the OpenBSD Project offer more information about PCC and GCC and where they are headed within the project."

OpenBSD Goes Non-Profit

"The OpenBSD Foundation is pleased to announce today it has completed its organization as a Canadian federal non-profit corporation and is ready for public interaction. The OpenBSD Foundation has been formed for the purpose of supporting the OpenBSD project, and related projects such as OpenSSH, OpenBGPD, OpenNTPD, and OpenCVS. In particular it will act as a single point of contact for persons and organizations requiring a legal entity to deal with when they wish to support OpenBSD in any way."

OpenBSD 4.1: Puffy Strikes Again

"OpenBSD 4.1 has just been released. Federico Biancuzzi interviewed several developers to discuss some of the new features for networking, active porting efforts (landisk and UltraSPARC III), work on SMP, and the improvements in spam fighting." More here.

OpenBSD 4.1 Released

OpenBSD 4.1 has been released. "We are pleased to announce the official release of OpenBSD 4.1. This is our 21st release on CD-ROM (and 22nd via FTP). We remain proud of OpenBSD's record of ten years with only two remote holes in the default install. As in our previous releases, 4.1 provides significant improvements, including new features, in nearly all areas of the system."