Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 9 Jun 2020 10:04:50 -0500
From:      Valeri Galtsev <galtsev@kicp.uchicago.edu>
To:        Anatoli <me@anatoli.ws>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: freebsd vs. netbsd
Message-ID:  <373EDB20-C750-42E2-A41B-EA61F6E49807@kicp.uchicago.edu>
In-Reply-To: <00225a04-237d-9051-9aea-12c192106a20@anatoli.ws>
References:  <171506d5-19aa-359e-c21d-f07257c52ebd@freenetMail.de> <62d10000-e068-922e-23bd-f7a61e7a4e89@anatoli.ws> <ACE27C81-9437-41D6-BBD4-FA7A7B791428@kicp.uchicago.edu> <6a4f6a15-ec43-03f6-1a41-a109e445f026@anatoli.ws> <f667e8f9-b279-a3ce-3fc4-224ba17f4bbb@kicp.uchicago.edu> <00225a04-237d-9051-9aea-12c192106a20@anatoli.ws>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help


> On Jun 8, 2020, at 11:38 PM, Anatoli <me@anatoli.ws> wrote:
>=20
> If you're talking about the allegations that Jason Wright planted
> backdoors into OpenBSD for FBI, then you invented about 90% of the
> story.
>=20
> The story is about Gregory Perry's (a former technical consultant for
> the FBI) allegations that Jason Wright (an ex-dev) and NETSEC (the
> company he and some others worked for) accepted US government money to
> put backdoors into OpenBSD's network stack, in particular the IPSEC
> stack, around 2000-2001.
>=20
> This information is public, was discussed multiple times and nothing
> extraordinary resulted from it.
>=20
> After the allegations went public, extensive audits were conducted
> internally and externally and nothing serious or of intentional nature
> was found by anyone.
>=20
> For those interested, here are some links:
> 1. A TL;DR version about the story by ArsTechnica: [1];
> 2. Theo De Raadt (founder of OpenBSD) mail disclosing the allegations
>    made privately to him: [2];
> 3. His follow-up email: [3];
> 4. A follow-up email from Gregory Perry (the one making allegations)
>    after his initial email was made public by Theo [4]
> 5. Damien Miller (OpenSSH/OpenBSD) comments about feasibility of such
>    implantation, very insightful for those interested in technical
>    details (as the entire thread) [5];
> 6. All allegations denied by named participants: [6];
> 7. A follow-up to the story from the past year (2019), a FOIA request
>    to the FBI to disclose any involvement with OpenBSD: [7].
>=20
> If you're talking about this story, nothing new or interesting. If
> you're talking about something else, then the burden of proof is on =
the
> one making the claim. So don't say "check that on your own". You're
> making a public claim, provide the proof or be considered just a
> FUD-spreader.
>=20
>=20
> On the other hand, no software project, public or private, is immune =
to
> governments trying to insert backdoors, though Bruce Schneier believes
> this would be just plain stupid: [8].
>=20
>> I too was considering OpenBSD the most secure operating system out
>> there. Till the moment I've learned ..."
>=20
> So even *if* we suppose that there were any backdoors planted in =
OpenBSD
> (which was never demonstrated by anyone publicly), do you have any
> better alternative than OpenBSD? Some OS guaranteed to be free from
> government backdoors? Any OS better suited for entire system audits =
due
> to its simplicity and a small, clean code base? Any OS with a better
> secure development and peer review process?
>=20
> If not, what's your point then?
>=20
> [1]: =
https://arstechnica.com/information-technology/2010/12/openbsd-code-audit-=
uncovers-bugs-but-no-evidence-of-backdoor/
> [2]: https://marc.info/?l=3Dopenbsd-tech&m=3D129236621626462&w=3D2
> [3]: https://marc.info/?l=3Dopenbsd-tech&m=3D129296046123471
> [4]: =
https://www.csoonline.com/article/2136901/an-fbi-backdoor-in-openbsd-.html=

> [5]: https://marc.info/?l=3Dopenbsd-tech&m=3D129237675106730&w=3D2
> [6]: =
https://www.itworld.com/article/2744922/openbsd-fbi-allegations-denied-by-=
named-participants.html
> [7]: https://news.ycombinator.com/item?id=3D20489904
> [8]: =
https://www.schneier.com/blog/archives/2010/12/did_the_fbi_pla.html
>=20

Thanks for nice write-up. Now everyone who haven=E2=80=99t heard this =
story (not everyone is as old as some of us), have it in meticulous =
detail and unbiased presentation. So, they can make their own =
independent judgement for themselves. Which is the most important, =
thanks again!

Valeri

> On 8/6/20 12:44, Valeri Galtsev wrote:
>>=20
>>=20
>> On 2020-06-08 09:25, Anatoli wrote:
>>>> The most secure=E2=80=A6 if you dismiss the fact that one of the =
developer (who wrote network stack if my memory serves me) was =
simultaneously receiving payments from one of three letter agencies for =
several years.
>>>=20
>>> Rumors + FUD or do you have any proof?
>>>=20
>>=20
>> When I heard that I checked, and receipt of payments was confirmed by =
developer himself. That is my recollection, I am merely human whose =
memory can not be perfect, check that on your own. This even if =
confirmed as a fact, does not mean he left back doors or weak spots in =
code.
>>=20
>> The rest is for everyone: to do one's own home work:
>>=20
>> 1. who don't care just dismiss what is said
>>=20
>> 2. Who do care to verify if receipt of payments is the fact, just =
verify on your own (I never think of myself to be considered the source =
of absolute truth. Merely as a help to point into direction where who is =
interested may find something helpful)
>>=20
>> If one verifies the fact of payment(s), the decide for yourself:
>>=20
>> A. Audit the code (I for one realize I will not be able to find fishy =
spots in that sophisticated code, so this can not be my choice)
>>=20
>> B. Accept that it is likely that good enough programmers did audit =
code, hence there are no weak (or worse) spots in it
>>=20
>> C. Accept that what top programmer wrote is not that easy to audit, =
and just shy away from what may (just merely may) be not quite kosher. =
If you care, of course.
>>=20
>>=20
>> And again, do your own thinking, this may, just merely may help =
someone.
>>=20
>>=20
>> Valeri
>>=20
>>> On 8/6/20 10:26, Valeri Galtsev wrote:
>>>>=20
>>>>=20
>>>>> On Jun 7, 2020, at 11:26 PM, Anatoli <me@anatoli.ws> wrote:
>>>>>=20
>>>>> IMO
>>>>>=20
>>>>> * FreeBSD: servers (performance, stability, relative security, =
zfs),
>>>>>   competes directly with Linux
>>>>>=20
>>>>> * OpenBSD: routers/firewalls, desktops (the most secure OS
>>>>=20
>>>> The most secure=E2=80=A6 if you dismiss the fact that one of the =
developer (who wrote network stack if my memory serves me) was =
simultaneously receiving payments from one of three letter agencies for =
several years.
>>>>=20
>>>> Valeri
>>>>=20
>>>>> and a really
>>>>>   good desktop, but its absence of server-class performance is its
>>>>>   weakest side + no zfs (just ffs2) and limited virtualization (no =
SMP)
>>>>>   so not suitable for any serious server load where absolute =
security is
>>>>>   not a must). The king in its niche (paranoid security)
>>>>>=20
>>>>> * NetBSD: toasters & freezers (runs on anything, otherwise not =
sure
>>>>>   what's the point :), competes with FreeBSD and Linux (and Linux =
now
>>>>>   supports more archs/platforms than Net). IMO no clear vision and =
thus
>>>>>   attracts too little resources both human and economic. IMO =
midterm not
>>>>>   much hope for survival, same as DFly and smaller BSDs.
>>>>>=20
>>>>> I believe that OS development is an economy of scale (doing things =
more
>>>>> efficiently or having other advantaged with increasing size) with =
a
>>>>> tendency for a monopoly in the same niche.
>>>>>=20
>>>>> There are some features that the larger players establish as a
>>>>> commodity, but that are very time-intensive and complex to develop =
(e.g.
>>>>> virtualization, wifi ac and now ax). So what Linux implemented =
more than
>>>>> a decade ago, the BSDs are just catching up now.
>>>>>=20
>>>>> Linux world had 2 "obstacles" to its almost flawless growth =
recently
>>>>> (systemd and a ZFS alternative). Now that the things have almost =
settled
>>>>> up, if they don't commit any more serious errors I don't see how =
the
>>>>> BSDs (except OpenBSD as it's not a direct competitor) could =
compete with
>>>>> it in the long term.
>>>>>=20
>>>>> Now with ZoL/OpenZFS the long-term future even for FreeBSD is not =
that
>>>>> clear (and the recent iX decisions [1] [2] are a clear sign).
>>>>>=20
>>>>> [1] =
https://arstechnica.com/gadgets/2020/06/truenas-isnt-abandoning-bsd-but-it=
-is-adopting-linux/
>>>>> [2] https://www.truenas.com/TrueOS-Discontinuation/
>>>>>=20
>>>>>=20
>>>>> On 7/6/20 22:35, Wesley wrote:
>>>>>> greetings,
>>>>>>=20
>>>>>> There were freebsd and netbsd (maybe others?) in BSD world.
>>>>>> What points did they focus by design?
>>>>>> what are their use scenes then?
>>>>>>=20
>>>>>> Thank you.
>>>>>> _______________________________________________
>>>>>> freebsd-questions@freebsd.org mailing list
>>>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>>>> To unsubscribe, send any mail to =
"freebsd-questions-unsubscribe@freebsd.org"
>>>>> _______________________________________________
>>>>> freebsd-questions@freebsd.org mailing list
>>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>>> To unsubscribe, send any mail to =
"freebsd-questions-unsubscribe@freebsd.org"
>>>>=20
>>>> _______________________________________________
>>>> freebsd-questions@freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> To unsubscribe, send any mail to =
"freebsd-questions-unsubscribe@freebsd.org"
>>>>=20
>>=20
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to =
"freebsd-questions-unsubscribe@freebsd.org"




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?373EDB20-C750-42E2-A41B-EA61F6E49807>