Sunday, December 29, 2019

Re: The OpenBSD talk at 36c3

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEQY2JmAMM0Uo2gGJ8smIYX2HgPJ4FAl4I3c8ACgkQsmIYX2Hg
PJ5eCQ//Q5NKA6g4uimlBuEFWNg9z8EwwPQMC4w+iojhga92lh3SHZ7NtHguVqxe
WMGK++BFCCdKPxjH4waQ3i9QYMlqSBoG+e88Tg/S931OlhtMhuc16eLhiZzdphze
DJxVdL7QYFxp9yBiXv7NUypjFBZ/pSV7gbTsU+vXs6MJBq6ZWOQhoRD1NqsYtAtx
rpdOm6eDGXZaTGbAZiyjwhAnuO9FzXIou+LRej+M9ENQUTWyjnPS5JWlj5cO0OEC
ed9iUnqN3qKfo/KGzLgIyERovTBf+oE2DRCQOiTMLN9/LJnt6B6bJYQkeg+wDcla
hlbMsakgtYIx+8zJNk2ZDNziTNFtAzbD35BmoMW8edIgZX//d1iP9VbnfccpX38t
lKlBlOgbSlwc3qeOb04DTFfaG3WDE98HULQjuxxZrNJgLRtrapg+YQUYw2lMIb97
jBumAoAVdk6sGWUjktoemX9fUnAti/fTvCSB4izuX7VLQOCPhdbVfBayL+EfzLdS
F6UsBnPCRosHbyE5p0CMe6PJVQC2fvo7m6XDNVMlrPmLH58TnEr3v94Vfe3TrvUP
0d/1bDYIkjbqa//AHZmYf3+cRxHHBz+yCa/JGAKt3fRjeM8iVlQjb6di5/KvaowA
vBmEQRkWOOmP9LEQpsh3D+y6nHm8NejxEfc/nhE+voRebjX0+xs=
=Pnwo
-----END PGP SIGNATURE-----
> 29. des. 2019 kl. 13:29 skrev Henry Jensen <hjensen@mailbox.org>:
>
> Summary: There are a lot of claims. The speaker basically said, that
> some mitigations are "cool", but other, more or less, useless.
>
> Further accusations are, that OpenBSD still uses e-mail and cvs and not
> more advanced CI tools.
>
> I can't say anything to the more technical claims about useless
> mitigations, since I am not a OS developer. Is there going to be a
> response from the OpenBSD team?

I did not attend the talk, I only leafed through the slides (thanks for posting the link!), so my impression is likely colored by that. I wouldn't hold my breath for an «official» response.

That said, this all reminds me of several earlier talks and rants where the speaker seems to be unaware that OpenBSD commonly has been the first to implement a security feature as *the default* and in a way that it would be extremely hard to disable without a system rebuild, likely breaking seemingly unrelated bits in the process. If you look closer, a lot of the firsts listed more often than not are «feature introduced as a non-default option».

As to the lack of «public» review, keep in mind that OpenBSD was the first to make its version control (cvs then, cvs still) world-readable and visible in real time. At the time the normal mode of operation for open source projects was occasional release tarballs thrown over the wall with almost complete silence between. For public discussion of code, OpenBSD has tech@. Private mailing lists exist (invite-only, developer-only) as far as I am aware mainly used for discussions that would benefit from being out of the public eye for now.

Slide 43 has me thinking this person can not actually have been reading tech@ much at all, and the note about «systematic security engineering» subjectively reminds me of several earlier similar posts about OpenBSD practices not following to the letter somebody's favorite «formal verification» model or what the buzzword du jour turns out to be.

That said, even OpenBSD probably has areas with potential for improvement, I'm just not all that convinced the presenter has actually been looking in the right places.

Slides for my sometimes-repeated propaganda piece (now probably in need of refreshing here and there) at https://home.nuug.no/~peter/openbsd_and_you/ <https://home.nuug.no/~peter/openbsd_and_you/> contains links to relevant material, at least. Please feel free to refer there or directly to the material itself.

All the best,
Peter


Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

No comments:

Post a Comment