Theo De Raadt Says FreeBSD Is Just Catching Up On Security
An anonymous reader writes "The OpenBSD project has no reason to follow the steps taken by FreeBSD with regard to hardware-based cryptography because it has already been doing this for a decade, according to Theo de Raadt. 'FreeBSD has caught up to what OpenBSD has been doing for over 10 years,' the OpenBSD founder told iTWire. 'I see nothing new in their changes. Basically, it is 10 years of FreeBSD stupidity. They don't know a thing about security. They even ignore relevant research in all fields, not just from us, but from everyone.'"
Now, if... (Score:5, Funny)
...only OpenBSD would catch up in every OTHER category...
Re:Now, if... (Score:5, Insightful)
...only OpenBSD would catch up in every OTHER category...
You can always port or build other software on OpenBSD.
You can't really bring other operating systems up to OpenBSD security standards with just a compile or two.
Make your pick: secure, or convenient.
Re:Now, if... (Score:4, Funny)
It's like saying "you can always port or build other software on GNU/Hurd". It's a broadly true statement, but a surprisingly meaningless one.
Re: (Score:2)
Who is porting things to Lunix except Lunix people?
Who is porting things to Windows except Windows people?
Notice a pattern here?
Re: (Score:2)
True, but kernel deficiencies cannot be fixed that way.
Re:Now, if... (Score:4, Interesting)
Secure By Default only seems obvious in retrospect. Remember when OSes like RedHat 5 and Windows 2000 automatically started a shitload of network services? No I don't need to run Finger or share my printers over HTTP. Predictably, they got owned before you could download the patches.
Re:Now, if... (Score:5, Insightful)
Still running default services and just hiding them behind a firewall is stupid; not having them running at all is far more sensible.
Re: (Score:2)
You don't understand that these two are related.
Chasing the latest trends all the time means you don't have time to check them in depth.
Security very often is, first and foremost, simple. If you have one simple and one complex solution to a problem, in most cases the simple one will be more secure, because it is easier to find bugs, review the code, less likely to contain unexpected side-effects, etc. etc.
Re: (Score:2)
Because the SAME message has been randomly posted a bunch of times as replies to completely unrelated topics. I guess you are confirming that you at least spent the effort to copy and paste it? Bravo for you. But it's still spam.
Re: Now, if... (Score:3, Informative)
The OpenBSD installer is one of the fastest and easiest installers I have seen. I prefer the developers work on developing a secure and functional system than waste time making a pretty GUI for the people who have phobias of text interfaces, or can't be bothered to learn how to edit a text file.
Re: (Score:2, Insightful)
Complete aversion to documentation? Are you sure you're thinking of the OpenBSD folks? I think you might be confusing them with the Linux crowd.
Re: (Score:2)
Shit man, my fucking BIOS has a goddamn GUI these days
I called, I want my 90s back.
Dammit what on earth would you want a GUI-driven BIOS for? Probably depends on a mouse, even.
Would not purchase.
Re:Now, if... (Score:5, Insightful)
What method could possibly be more convenient, simple, and appropriate than opening the file with your text editor of choice and deleting the line?
What do you expect? Some bulky "management interface" to hold your hand while you take 10 times as long as necessary to do the simple task of *removing an entry from a text file*? What is wrong with you?
Re: (Score:3)
Still storing personal SSH keys in plain text, by default, ...
You mean like every other Unix utility out there?
Oh please. Yes, every other Unix does it like that, and Linux, too.
However, what is stored in plain text is the public key; there isn't anything wrong with that to begin with.
Making it inaccessible by whatever means would defeat its purpose.
Re:Now, if... (Score:4, Funny)
Indeed. You can have my public key. What are you going to do with it, grant me access to things? THE HORROR!
Re: (Score:2)
Can anyone ever hope to be a bigger dick than Theo? Guess that means two categories.
No, but fortunately most would be happy having a bigger dick than Theo.
Yeah (Score:5, Funny)
Good old Theo De Raadt.
Half human, half cunt.
Re:Yeah (Score:5, Insightful)
And usually right.
Not really (Score:4, Informative)
He's often "technically correct". What I mean is that OpenBSD is really secure in its default setup... because it doesn't do fuck-all. Security via turning off everything isn't really that impressive. When something is supposedly so much superior on a security front, yet seems to get very little usage, well, there's a reason.
Also, even if you are right, you shouldn't be a dick about it. Perception matters in the world and if you want to persuade people to your position, you need some empathy. If you act like a jerk all the time, it puts people off and makes them dislike you, and thus not consider the content of your claims.
Re: (Score:3)
Having nothing running by default is just basic, if you want to open a service to the world then you should have to explicitly turn it on.
Re:Not really (Score:4, Informative)
Not having stuff running by default is not the only thing OpenBSD does. It has a crapload of features regarding security, starting with the very nice firewall, so please go educate yourself and then come back. That system is perfect for production systems like web servers and proxy servers, which is where I use it.
Re:Not really (Score:5, Funny)
He's often "technically correct".
You are aware that that is the best kind of correct, right?
Re:Not really (Score:5, Funny)
Technically, yes.
Re: (Score:3)
The majority of Dutch people are too nice and prefer to avoid violence, otherwise those rude dicks (and we have quite a lot of them over here) would have been taught a quick and painful lesson in manners early on in life.
It doesn't help that some go on to careers in television of publicly degrading their fellow humans for entertainment and setting a bad example. (And before you complain that television is the same everywhere, remember that Big Brother and the majority of those shitty talent shows that followed
Re: (Score:2, Flamebait)
The majority of Dutch people are too nice and prefer to avoid violence, otherwise those rude dicks (and we have quite a lot of them over here) would have been taught a quick and painful lesson in manners early on in life.
A little-known fact about the origins of WWII: Anne Frank wrote some pretty nasty stuff about Hitler in her diary, and word got out.
Re:Yeah (Score:4, Interesting)
Except Theo de Raadt is only Dutch in a very remote way: he is Canadian, and his parents emigrated to Canada from South Africa.
So yeah, Dutch, sure - You probably don't know anything about him, right?
Re: (Score:2)
You don't know much about English, yet you're using it.
emigrated to
I really don't see the difference.
Re: (Score:2)
In my experience the Dutch have always seemed very direct, but I'm not offended by that, and they've also always appeared to be the friendliest nation on earth. (Although I can only admit to knowing about 20 nationalities we
Re:Yeah (Score:5, Interesting)
Let's start with the premise of TFA, which cites the article on Ars that was covered here a few days ago and was complete nonsense about the new random number infrastructure in FreeBSD. We are not moving away from using the hardware random number generator directly, we have never used the hardware random number generator. The new code that the Ars article was talking about is to allow the PRNG to be easily switched. In 10 we're shipping both Fortuna and Yarrow and the infrastructure allows more to be added. The code has been reviewed by two cryptographers that I know of and possibly others. Neither the old nor the new implementation is vulnerable to the attack against random number generators that was published a couple of months ago (Linux was the subject of the paper, not sure if OpenBSD was vulnerable).
If Theo is going to make such remarks as this, he should think more carefully first:
"Basically, it is 10 years of FreeBSD stupidity. They don't know a thing about security. They even ignore relevant research in all fields, not just from us, but from everyone."
He'd be advised to take a look at the transactions for the IEEE Symposium on Security and Privacy over the last 10 years and see how many papers are describing techniques that were both originally implemented on FreeBSD and are now part of the default install. Let's take a look at the two systems, from a security perspective. Both FreeBSD and OpenBSD use SSP and a non-executable stack by default, so I'll skip those. To begin with, OpenBSD features missing on FreeBSD:
W^X enforcement. Definitely a nice idea, but it breaks some things (JITs mostly). The default memory map in FreeBSD is W^X, but it is possible to explicitly mmap() memory both writeable and executable. It's generally considered a bad idea though, and we don't ship any code that allows it. We permit third-party code to shoot itself in the foot if it really wants to and provide mitigation techniques to reduce the risk.
Then there's ASLR. This is a pretty nice technique, which is currently not implemented on FreeBSD. We do support PIE, so it would not be a horrendously difficult thing to add, but current implementations (including OpenBSD) use a surprisingly small amount of entropy in the address layout and so don't provide as much mitigation as you'd hope (which, of course, Theo knows, because he's very familiar with 'relevant research'). This is especially true on 32-bit systems.
And that's it for OpenBSD. Well, unless you want to count , but since that's vulnerable to a [openbsd.org] timing attack [watson.org] (still not fixed), which was published in the USENIX Workshop on Offensive Technologies, and Theo is aware of all 'relevant research' in security then it can't really still be there.
Now let's look at FreeBSD security mechanisms:
First up, jails [watson.org]. Jails are somewhere between a chroot and a VM: a shared kernel, but all of the global namespaces (filesystems, IP addresses, users) are separated and so you can completely isolate a service, such as a web browser, from the rest of the system. Scripts like ez-jail in the ports tree make it easy to set up lightweight service jails.
Then there's the MAC framework [acm.org], which allows modular access control policies. This is used by a couple of FreeBSD derivatives: JunOS uses it to implement code signing, OS X and iOS use it for application sandboxing. You can also use it for traditional type enforcement policies, as in SELinux and a variety of other things.
And then there's Capsicum [acm.org], which adds a capability model on top
Quick Wiki Summary (Score:5, Insightful)
"De Raadt has been criticized for having a somewhat abrasive personality..."
Re:Quick Wiki Summary (Score:5, Funny)
Note: That wiki summary was from the entry on "Understatement of the Year, 1996-2013 inclusive"
Re: (Score:2)
Linus a bit more restrained?? ROFLMAO as the young uns say today.
He once called the OpenBSD developers a bunch of masturbating monkeys, for crying out loud!
I'll grant you that he is a bit funnier than Theo in his trolling, though.
Re: (Score:2)
Deathmatch with RMS.
Re: (Score:2)
"De Raadt has been criticized for having a somewhat abrasive personality..."
Or... Theo has been praised for occasionally not being a (total) dick - especially when he's right.
[ You say tomato... Perspective is everything. ]
Re:Quick Wiki Summary (Score:5, Insightful)
I've personally exchanged emails with De Raadt on the OpenBSD mailing list. Actually, he weighed in on a conversation which didn't initially involve him. He was calm, helpful and polite and the discussion was a productive one.
Why was this? I didn't start off by being extremely rude to him. Because I did my homework and found out as much as I reasonably could with my knowledge and skills. Expecting someone like that to hold my hand and do my homework for me, for free no less, is exceptionally rude. Somehow many people are too dumb and self-centred to realise this.
constructive criticism (Score:2)
you're doing it wrong.
Re:constructive criticism (Score:4, Insightful)
Well, he did produce OpenBSD, which could be seen as constructive criticism in a sense (instead of just complaining, build something). But yeah, if you mean constructively criticizing things in text, that's not really his strong point.
Framing the debate (Score:4, Informative)
As usual:
- Theo is a complete asshole, but also quite correct about most things. OpenBSD is rather behind the times in general, but very good at what it does do. And their stance on the BSD license and making BSD tools is great.
- FreeBSD really is stupid about some things. Let's take for instance their complete refusal to implement any strong security in their distribution chain. You can't verify their ISOs or packages back to their source in any way. Their repo is ancient svn, not git or monotone, so they have no signable hashes in their repos. There are no deterministic builds, etc. And when you bring it up, they just handwave about process and workflow as reasons to continue doing the same. FreeBSD is pretty damn good as an OS, but their standing on these things is BULLSHIT.
Re:Framing the debate (Score:5, Interesting)
How is OpenBSD any different in that regard? They rewrote CVS (OpenCVS) for heaven's sake, so they didn't have to move to SVN, let alone Git.
And Git's hashes are not for the sake of security. Linus made that abundantly clear when he refused to allow SHA-2 to be used, even after people were able to manufacture a Git collision using SHA-1.
People misunderstand what makes OpenBSD secure. OpenBSD is about being conservative and simple. Lots of the things they do seem backwards or antiquated. In this case, XORing your random bit streams is as conservative as you can get. And when Theo talks about following the research, it's not to jump on fancy new technology, but in tracking the evolution of software and cryptographic exploits and trying to preemptively get out of those paths. That's opposite of Linux and FreeBSD, where they're constantly chasing new features, new optimizations, and new technologies.
Re:Framing the debate (Score:4, Informative)
And Git's hashes are not for the sake of security. Linus made that abundantly clear when he refused to allow SHA-2 to be used, even after people were able to manufacture a Git collision using SHA-1.
Citation needed. I can't find a published example of any actual SHA-1 collision, much less one from a Git repo.
Re: (Score:2)
The GP might be talking about this [lkml.org].
Re: (Score:3, Informative)
But in the mail you link to, Linus was talking about collisions of the *first 7 characters* of the SHA1 hash, not a full SHA1 collision. This is only important because in many situations git defaults to printing only the first 7 digits of the hash, not the full hash. It is *not* a SHA1 collision.
Up to this date, there is no (public) known SHA1 collision, and there is no (public) known method to generate one within any reasonable time frame.
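To make the distinction in the reply above concrete, here is an added example (not from the thread, and not Git's own code) that computes Git-style blob object IDs, searches for two distinct blobs whose first seven hex digits agree (the abbreviated form git prints by default), and gives the birthday-bound estimate of how many objects such a prefix collision takes versus the full 160-bit hash. The object header `blob <size>\0` is the format Git really hashes; the blob contents are constructed sample data.

```python
import hashlib
import math
import os


def git_blob_sha1(content: bytes) -> str:
    """Object ID Git assigns to a blob: SHA-1 over "blob <size>\\0" followed by the content."""
    header = b"blob %d\0" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def expected_trials(hex_chars: int) -> float:
    """Birthday-bound estimate of how many hashes are needed before two share `hex_chars` hex digits."""
    space = 16 ** hex_chars
    return math.sqrt(math.pi / 2 * space)


def find_prefix_collision(prefix_len: int = 7, max_trials: int = 1_000_000):
    """Return two distinct (content, full_sha1) pairs whose IDs share the first prefix_len hex digits.

    Contents are deterministic constructed strings, so the search is repeatable;
    a 7-digit (28-bit) prefix collides after roughly 2**14 objects, while the
    full 40-digit hash would not collide in any practical number of trials.
    """
    seen = {}  # prefix -> (content, full hash)
    for i in range(max_trials):
        content = b"constructed blob %d\n" % i  # constructed sample data, not a real repo object
        full = git_blob_sha1(content)
        prefix = full[:prefix_len]
        if prefix in seen:
            return seen[prefix], (content, full)
        seen[prefix] = (content, full)
    return None


if __name__ == "__main__":
    (c1, h1), (c2, h2) = find_prefix_collision()
    print("expected objects before a 7-digit prefix collision: ~%d" % expected_trials(7))
    print(c1, h1)
    print(c2, h2)
    print("expected objects before a full 40-digit collision: ~%.1e" % expected_trials(40))
    print("empty blob ID:", git_blob_sha1(b""))
```

The two blobs found by `find_prefix_collision` would be ambiguous under a 7-digit abbreviation, which is exactly the situation Linus was describing; their full 40-digit IDs still differ.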
Re: (Score:2)
<FX: tumbleweed.swf>
*And* even a collision would most likely not be a threat - as you have to get one of the colliding things approved. You can't just dick around with trailing spaces to get hashes to agree, or put random strings in comments, without reviewers noticing and rejecting it (however, I guess you could include some extra numbers in a lookup table that were subtly never used, but if they were to change between reviewed versions, that would be highly suspicious). What's ne
Re: (Score:3)
git does include support for gpg signing of commits and tags, which I think is what the GP was talking about (though wrapping one's head around the cryptographic security of how git does it is a bit difficult).
SHA1 in git isn't really used as a cryptographic security measure, but git's structure does allow for some innate security because, if a colliding SHA1 hash is to show up... git looks at the new object, says "Huh, I already have that one." and just uses a reference to the original object instead. I'm
Re: (Score:2)
git does include support for gpg signing of commits and tags, which I think is what the GP was talking about (though wrapping one's head around the cryptographic security of how git does it is a bit difficult).
SHA1 in git isn't really used as a cryptographic security measure
All you sign is the commit, i.e. a SHA1 hash.
Re: (Score:2)
It's perfectly standard to sign a secure hash, there's nothing unusual here.
Re: (Score:2)
And exactly how is being conservative and simple a problem with security?
Re: (Score:2)
Seems to me it means Linus understands tradeoffs in security and isn't willing to throw extra CPU time at a very narrow theoretical hole (sha1 gets broken without sha2 being broken as well)
Re:Framing the debate (Score:5, Informative)
Yeah, the bit that struck me here was that Theo was relatively complimentary about Linux and Linux devs, e.g. mentioning Linux also did this stuff ages ago and that OpenBSD used some research from Ted Ts'o (and others) in their implementation.
So the complaint wasn't about credit for who was first, just about how FreeBSD got a bunch of Snowden related media coverage for something practically everyone else did ages ago as if it was something new to worry about.
Re: (Score:3)
So the complaint wasn't about credit for who was first, just about how FreeBSD got a bunch of Snowden related media coverage for something practically everyone else did ages ago as if it was something new to worry about.
FreeBSD may have a better marketing department than OpenBSD, but not as good as Ted Tso's, because Ted Tso is just awesome.
Re: (Score:2)
Ted Tso is just awesome.
I remember being here when ext4 was released, and there were some major performance issues. People hated on him like he was burning orphanages.
Re: (Score:2)
I'd take issue with your second point. All binary updates using freebsd-update are signed and that mechanism is used to distribute the signing keys for packages. When you do 'pkg install' on a recent FreeBSD system, it will bail if the packages don't match the signature. We also have a revocation system in place that allows us to easily revoke keys if the package building system is compromised. We just received a large grant from Google to work on package transparency, a mechanism akin to certificate tr
And one more thing... (Score:2)
Stay off his lawn!
Apples and oranges (Score:2)
I'm sure every OS-maker out there has something to learn from OpenBSD, but Theo De Raadt seems incapable of acknowledging that others may have different design criteria than OpenBSD. If they wish to support their customers and gain more business, Red Hat, Apple or Microsoft, for instance, cannot make security the only factor. They have to be quick at supporting some new hardware, provide ease-of-use features and add new features or be considered obsolete very quickly. The same goes for plenty of makers of h
Hardware encryption is great, but in practice... (Score:3)
The biggest security hole in any operating system is the same in every operating system - the source of ID-10-T and PEBKAC errors (Idiot, and Problem Exists Between Keyboard and Chair) - the OS can be totally secure and hardened, but if it allows users to do stupid stuff then it is still going to be vulnerable.
Unless, of course, the system is totally locked down so that it resembles the IT version of a strait jacket, in which case users will spend as much time cursing the fact that the computer stops them working, and trying to get around your restrictions to see their lolcat pictures as they do actually working.
Re:so letting the nsa hire someone (Score:5, Insightful)
to write your IPsec, that's the definition of security.
Exactly.
The NSA is the one you are protecting yourself against. Why would you EVER trust any cryptographic primitives designed by them at all?
Being able to fully trust the cryptographic primitives on a system is not a new thing though... those NSA guys have tainted so much everywhere simply because it is their job description to decrypt sensitive communications for the intelligence community.
Microsoft anyone?
Re: (Score:2, Interesting)
First thing I do with security is look at who I am protecting against, and throw resources at the most common things first:
1: Web browser and add-on compromise is an issue... thus AdBlock, NoScript, and other things, not to mention running all Web browsers in a VM, jail, or sandbox.
2: Theft is common, so I encrypt all my HDDs. That way, Jack Meth-head who grabs a computer will get... hardware. No data is on the black market for blackmail or extortion.
3: Backups are protected on the cloud, because even
Re:so letting the nsa hire someone (Score:5, Insightful)
To play devil's advocate for a second (and from someone who is as opposed to the NSA's spying as anyone), their job is also to prevent adversarial spying on us. That presumably applies much more to government functions than day-to-day ones, but if, say, the military or state department actually follows the NSA's suggestions, there's a decent chance that those suggestions are pretty close to as good as it gets.
Re: (Score:2)
The Air Force won't let the Marines fly the thing, because planes are for the Air Force (unless they land on a ship).
I've often wondered why the USMC never let out an RFP to make a carrier-worthy A-10.
Re: (Score:3)
pretty sure they did but Navy shot it down?-D
Re: (Score:2)
I don't doubt that the NSA is highly skilled and that one would be wise to follow their suggestions for best practices. Certainly pay attention to the NSA Suite B.
That being said, why on Earth would one trust a cryptographic primitive that the NSA was involved in creating?
It reminds me of the scorpion and the frog crossing the river. The NSA is strongly compelled to compromise as much of the US communications infrastructure that they can, as well as the rest of the world. Those activities are in the furtheranc
Re: (Score:2)
Are you saying that NSA hasn't yet created enough havoc, that you wish the State Department and the Military to join NSA in making even more violations to our Constitutions ??
When he said suggestions (not examples), I think he meant something like the NSA's Information Assurance [nsa.gov] recommendations.
Check it out, it's quite informative (+5 Informative).
Re: (Score:2)
I second that. Some of their guides are ooold, but look rock solid. That isn't too surprising, corporations and politicians never follow guidelines and probably wouldn't understand the NSA's anyway. So the risk of protecting their real opponents is nil. (If they were worried about terrorists, black hats, etc, that would be another matter.)
Re: (Score:3)
If I didn't need more throughput than a single CPU can provide, I'd still be on OpenVPN for everything. It's easier to configure, significantly easier to manage, and rock fricking solid in the face of network unreliability - none of which I can say for IPSEC.
Re: (Score:3)
The lot is cast into the lap, but its every decision is from the LORD.
God says, "do_you_get_a_cookie I_quit Venus application bring_it_on
how's_the_weather."
I don't know why people downvote you. We should just use your posts as a form of high entropy communication and use it for cryptography.
No one can predict what you will say....
Re: (Score:2, Informative)
aaa.... everywhere? Just 'cause you are living under a rock doesn't mean that everybody else is. Dunno what OS you're using right now, but chances are pretty high you're using a tool/technology/library developed by one of these BSDs.
Windows - a shitton of tools are taken verbatim from FreeBSD (network related)
Mac - is a FreeBSD 5 clone, with improvements made to it (plus a UI) and backported from the main release. They have on payroll a fair few of the FreeBSD folks.
all of them (Linux included): anything secu
Re: (Score:2)
Of course they might share some stuff, but the parent post is talking about things like OpenSSH among others.
Re:Do these projects OpenBSD, FreeBSD matter anywa (Score:4, Insightful)
...Why should I care? Where in the world is serious stuff being done on any of these platforms? Just asking...
When it comes to security, De Raadt is like House [wikipedia.org]
So I guess it matters if you care about security. Then again, since we don't really use secure software or systems, that point is kind of moot.
Re:Do these projects OpenBSD, FreeBSD matter anywa (Score:4, Informative)
Also, Mac OS X is essentially a fork of FreeBSD.
The OS on all Juniper equipment is a modified version of FreeBSD.
The Playstation 3 and 4 OS are both modified FreeBSD.
Plus more [freebsd.org].
Re: (Score:3, Informative)
Also, Mac OS X is essentially a fork of FreeBSD.
Bull [wikipedia.org]-fucking [wikipedia.org]-shit [slashdot.org].
I know this is slashdot, but for fuck's sake you should still know better than that! And +5 informative too?
What the fuck is wrong with you people?
Re: (Score:3, Informative)
Pedant fail. The basis for OS X was NeXTSTEP, and the basis for NeXTSTEP was BSD.
Have you considered switching to fucking decaf? Then you might notice that operating systems are more than just a kernel.
Re: (Score:2)
PARTS of BSD; it's a hybrid with XNU, and it's part monolithic and microkernel, and they've developed Darwin beyond all recognition from that point.
To say it's FreeBSD or OpenBSD or your dad's BSD is to invite the wrath of people who drank too much coffee, and I think Odin. Because that's just the kind of thing that will get you punched in a mainframe computer center.
Re: (Score:2)
Don't get so upset -- it's a common mistake on Slashdot to mistake Scientology for XNU.
Re: (Score:2)
More stable? Reliable? Secure? In all cases, anecdotes are not useful. Where's the evidence? Is it the license that matters?
The license, pf, and a reputation for networking speed.
Anecdotes do matter, though - Netflix works and is profitable, so if your use case is like Netflix's then FreeBSD probably will work for you.
Speaking of anecdotes, a trend that I've noticed is that linux fans will tend to use FreeBSD when it makes sense in a particular application, and FreeBSD fans will tend to use linux when hell
Re:Do these projects OpenBSD, FreeBSD matter anywa (Score:5, Interesting)
One corp claimed to have over 10,000 VMs and paid RedHat for enterprise support for those VMs with a 5 year contract. They're still locked into contract, but they switched to FreeBSD because they can cut down their number of VMs by 30% and get the same performance. They also found it easier to manage FreeBSD. They're paying for that contract, but not using it. I bet that was a fun sell to management.
Re: (Score:2)
Have a look at their donations page https://www.freebsdfoundation.org/donate/sponsors [freebsdfoundation.org]
Companies support this project because they are doing serious business with FreeBSD.
Re: (Score:2)
Where in the world is serious stuff being done on any of these platforms? Just asking...
Firewall and NAS solutions are often based off of FreeBSD. See, for example, m0n0wall [m0n0.ch] and its derivatives, as well as the popular FreeNAS [freenas.org].
One big advantage of BSD for NAS applications is that it can support ZFS. (Linux attempts have been half-assed, largely due to licensing conflicts.) You really want ZFS if you are building a robust, reliable NAS device.
Re: (Score:2)
Yes, they matter.
Even if nobody in the world would be using OpenBSD, it would still be worth doing it, because it is living proof that a secure Unix-based OS is possible if only its makers can be arsed to give a fuck about security and do the hard and not always exciting work required for it.
Re: (Score:2)
Yeah, but working as an Internet server is easy. What do you need, a network card driver and some server software? That problem has been solved a long time ago and almost any OS can be used for the purpose.
Now, give me a cool, fast, usable and bug-free desktop and we will start talking.
Re: (Score:2)
Working as an internet server is easy, sure, we've had Microsoft's IIS and Raspberry Pi's doing it. Working as a safe, stable, secure one is hard, and for that we have the BSD's.
Re: (Score:2)
Just to remind you, His Holiness Saint Jobs forbids reading about heretic technologies.
Then maybe he should've fired the folks responsible for Apple's Internet connection, given that it was, at least as of 2011, quite possible to read, and post to, Slashdot from Apple's corporate network.
Re: (Score:2)
Yeah those lamerz at OpenBSD...
From Wikipedia:
Proprietary systems from several manufacturers are based on OpenBSD, including devices from Armorlogic (Profense web application firewall), Calyptix Security, GeNUA mbH, RTMX Inc,[5] and .vantronix GmbH.[6] Later versions of Microsoft's Services for UNIX, an extension to the Windows operating system which provides some Unix-like functionality, use much OpenBSD code included in the Interix interoperability suite, developed by Softway Systems Inc., which Microsoft
Re: (Score:2)
You don't know anything about OpenBSD, do you?
Just read this and learn something: http://www.openbsd.org/papers/ru13-deraadt/mgp00001.html [openbsd.org]
Re: (Score:2)
RTFA.
OpenBSD is using hardware crypto, but only to "stir" the bottom of the entropy pool. The real random-number generation is done internally by the OS, which is as it should be.
OpenBSD has been one of the first free OS to use the CPU randomization functions starting with VIA C3, but, again, they do not trust these 100%, which is what you expect out of serious, professional paranoids.
OpenBSD has a security errata page and an open security mailing list - it was the first open source OS to open its CVS to an
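The post above (hardware output only "stirs" the pool, the OS generates the real random numbers) and the earlier "Framing the debate" reply (XORing random bit streams as the conservative choice) describe the same design rule: a hardware RNG must never be the sole determinant of what callers receive. The following is an added illustration, not OpenBSD's or FreeBSD's code; it is a constructed toy pool built on SHA-256 whose hardware input is only hashed into the state, plus the XOR combiner, with a check showing that a constant (failed or untrusted) hardware stream still does not fix the output.

```python
import hashlib
import os


def xor_mix(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length streams.

    If either input is unpredictable, so is the result; a stream that turns
    out to be constant or known simply contributes nothing, it cannot weaken
    the other one. This is the "XORing your random bit streams" idea.
    """
    if len(a) != len(b):
        raise ValueError("streams must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class StirredPool:
    """Toy entropy pool (constructed for illustration, not OpenBSD's design).

    Hardware RNG bytes are only hashed into the pool state ("stirred");
    output handed to callers is derived from the whole state, never copied
    from the hardware source, so a weak or backdoored source cannot dictate
    the output on its own.
    """

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"init" + seed).digest()

    def stir(self, hw_bytes: bytes) -> None:
        # Domain-separated hash: new state depends on old state and the new input.
        self.state = hashlib.sha256(b"stir" + self.state + hw_bytes).digest()

    def read(self, n: int) -> bytes:
        out = bytearray()
        counter = 0
        while len(out) < n:
            out += hashlib.sha256(b"out" + self.state + counter.to_bytes(8, "big")).digest()
            counter += 1
        # Ratchet the state forward so earlier output cannot be recomputed from a later state dump.
        self.state = hashlib.sha256(b"ratchet" + self.state).digest()
        return bytes(out[:n])


def hardware_only_determines_output(hw_sample: bytes) -> bool:
    """Return True if two pools seeded differently but stirred with the same hardware bytes agree.

    For a correctly stirred pool this must be False: the hardware sample is
    one input among several, not the output.
    """
    p1 = StirredPool(b"seed-one")
    p2 = StirredPool(b"seed-two")
    p1.stir(hw_sample)
    p2.stir(hw_sample)
    return p1.read(32) == p2.read(32)


if __name__ == "__main__":
    # os.urandom stands in for a hardware source here; a constant stream models a broken one.
    pool = StirredPool(os.urandom(32))
    pool.stir(os.urandom(32))
    print("pool output:", pool.read(16).hex())
    print("constant hardware stream alone fixes output:", hardware_only_determines_output(b"\x00" * 32))
    print("xor of stream with zeros is the stream:", xor_mix(b"\x0f\xf0", b"\x00\x00").hex())
```

The two properties worth checking on any real pool are the ones this toy makes explicit: output changes when the pool state changes (different seeds, different stirred input, or a later read), and a hardware stream that is constant or chosen by someone else leaves the output still depending on everything else that went in.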