Date:      Tue, 9 Jun 2020 10:04:50 -0500
From:      Valeri Galtsev <galtsev@kicp.uchicago.edu>
To:        Anatoli <me@anatoli.ws>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: freebsd vs. netbsd
Message-ID:  <373EDB20-C750-42E2-A41B-EA61F6E49807@kicp.uchicago.edu>
In-Reply-To: <00225a04-237d-9051-9aea-12c192106a20@anatoli.ws>
References:  <171506d5-19aa-359e-c21d-f07257c52ebd@freenetMail.de> <62d10000-e068-922e-23bd-f7a61e7a4e89@anatoli.ws> <ACE27C81-9437-41D6-BBD4-FA7A7B791428@kicp.uchicago.edu> <6a4f6a15-ec43-03f6-1a41-a109e445f026@anatoli.ws> <f667e8f9-b279-a3ce-3fc4-224ba17f4bbb@kicp.uchicago.edu> <00225a04-237d-9051-9aea-12c192106a20@anatoli.ws>



> On Jun 8, 2020, at 11:38 PM, Anatoli <me@anatoli.ws> wrote:
>
> If you're talking about the allegations that Jason Wright planted
> backdoors into OpenBSD for the FBI, then you invented about 90% of the
> story.
>
> The story is about Gregory Perry's (a former technical consultant for
> the FBI) allegations that Jason Wright (an ex-dev) and NETSEC (the
> company he and some others worked for) accepted US government money to
> put backdoors into OpenBSD's network stack, in particular the IPSEC
> stack, around 2000-2001.
>
> This information is public, was discussed multiple times and nothing
> extraordinary resulted from it.
>
> After the allegations went public, extensive audits were conducted
> internally and externally and nothing serious or of an intentional nature
> was found by anyone.
>
> For those interested, here are some links:
> 1. A TL;DR version of the story by ArsTechnica: [1];
> 2. Theo de Raadt's (founder of OpenBSD) mail disclosing the allegations
>    made privately to him: [2];
> 3. His follow-up email: [3];
> 4. A follow-up email from Gregory Perry (the one making the allegations)
>    after his initial email was made public by Theo: [4];
> 5. Damien Miller's (OpenSSH/OpenBSD) comments about the feasibility of such
>    an implantation, very insightful for those interested in technical
>    details (as is the entire thread): [5];
> 6. All allegations denied by named participants: [6];
> 7. A follow-up to the story from the past year (2019), a FOIA request
>    to the FBI to disclose any involvement with OpenBSD: [7].
>
> If you're talking about this story, nothing new or interesting. If
> you're talking about something else, then the burden of proof is on the
> one making the claim. So don't say "check that on your own". You're
> making a public claim, provide the proof or be considered just a
> FUD-spreader.
>
>
> On the other hand, no software project, public or private, is immune to
> governments trying to insert backdoors, though Bruce Schneier believes
> this would be just plain stupid: [8].
>
>> I too was considering OpenBSD the most secure operating system out
>> there. Till the moment I've learned ..."
>
> So even *if* we suppose that there were any backdoors planted in OpenBSD
> (which was never demonstrated by anyone publicly), do you have any
> better alternative than OpenBSD? Some OS guaranteed to be free from
> government backdoors? Any OS better suited for entire system audits due
> to its simplicity and a small, clean code base? Any OS with a better
> secure development and peer review process?
>
> If not, what's your point then?
>
> [1]: https://arstechnica.com/information-technology/2010/12/openbsd-code-audit-uncovers-bugs-but-no-evidence-of-backdoor/
> [2]: https://marc.info/?l=openbsd-tech&m=129236621626462&w=2
> [3]: https://marc.info/?l=openbsd-tech&m=129296046123471
> [4]: https://www.csoonline.com/article/2136901/an-fbi-backdoor-in-openbsd-.html
> [5]: https://marc.info/?l=openbsd-tech&m=129237675106730&w=2
> [6]: https://www.itworld.com/article/2744922/openbsd-fbi-allegations-denied-by-named-participants.html
> [7]: https://news.ycombinator.com/item?id=20489904
> [8]: https://www.schneier.com/blog/archives/2010/12/did_the_fbi_pla.html
>

Thanks for the nice write-up. Now everyone who hasn't heard this story
(not everyone is as old as some of us) has it in meticulous detail and
unbiased presentation. So, they can make their own independent judgement
for themselves. Which is the most important, thanks again!

Valeri

> On 8/6/20 12:44, Valeri Galtsev wrote:
>>
>>
>> On 2020-06-08 09:25, Anatoli wrote:
>>>> The most secure… if you dismiss the fact that one of the developers
>>>> (who wrote the network stack, if my memory serves me) was
>>>> simultaneously receiving payments from one of the three-letter agencies
>>>> for several years.
>>>
>>> Rumors + FUD or do you have any proof?
>>>
>>
>> When I heard that I checked, and receipt of payments was confirmed by
>> the developer himself. That is my recollection; I am merely human, whose
>> memory cannot be perfect, check that on your own. This, even if
>> confirmed as a fact, does not mean he left back doors or weak spots in
>> the code.
>>
>> The rest is for everyone: to do one's own homework:
>>
>> 1. Those who don't care, just dismiss what is said
>>
>> 2. Those who do care to verify whether receipt of payments is a fact, just
>> verify on your own (I never think of myself as to be considered the source
>> of absolute truth. Merely as a help to point in the direction where whoever
>> is interested may find something helpful)
>>
>> If one verifies the fact of payment(s), then decide for yourself:
>>
>> A. Audit the code (I for one realize I will not be able to find fishy
>> spots in that sophisticated code, so this cannot be my choice)
>>
>> B. Accept that it is likely that good enough programmers did audit the
>> code, hence there are no weak (or worse) spots in it
>>
>> C. Accept that what a top programmer wrote is not that easy to audit,
>> and just shy away from what may (just merely may) be not quite kosher.
>> If you care, of course.
>>
>>
>> And again, do your own thinking, this may, just merely may, help
>> someone.
>>
>>
>> Valeri
>>
>>> On 8/6/20 10:26, Valeri Galtsev wrote:
>>>>
>>>>
>>>>> On Jun 7, 2020, at 11:26 PM, Anatoli <me@anatoli.ws> wrote:
>>>>>
>>>>> IMO
>>>>>
>>>>> * FreeBSD: servers (performance, stability, relative security, zfs),
>>>>>   competes directly with Linux
>>>>>
>>>>> * OpenBSD: routers/firewalls, desktops (the most secure OS
>>>>
>>>> The most secure… if you dismiss the fact that one of the developers
>>>> (who wrote the network stack, if my memory serves me) was
>>>> simultaneously receiving payments from one of the three-letter agencies
>>>> for several years.
>>>>
>>>> Valeri
>>>>
>>>>> and a really
>>>>>   good desktop, but its absence of server-class performance is its
>>>>>   weakest side + no zfs (just ffs2) and limited virtualization (no SMP)
>>>>>   so not suitable for any serious server load where absolute security is
>>>>>   not a must). The king in its niche (paranoid security)
>>>>>
>>>>> * NetBSD: toasters & freezers (runs on anything, otherwise not sure
>>>>>   what's the point :), competes with FreeBSD and Linux (and Linux now
>>>>>   supports more archs/platforms than Net). IMO no clear vision and thus
>>>>>   attracts too little resources, both human and economic. IMO midterm not
>>>>>   much hope for survival, same as DFly and smaller BSDs.
>>>>>
>>>>> I believe that OS development is an economy of scale (doing things more
>>>>> efficiently or having other advantages with increasing size) with a
>>>>> tendency for a monopoly in the same niche.
>>>>>
>>>>> There are some features that the larger players establish as a
>>>>> commodity, but that are very time-intensive and complex to develop (e.g.
>>>>> virtualization, wifi ac and now ax). So what Linux implemented more than
>>>>> a decade ago, the BSDs are just catching up on now.
>>>>>
>>>>> The Linux world had 2 "obstacles" to its almost flawless growth recently
>>>>> (systemd and a ZFS alternative). Now that things have almost settled
>>>>> down, if they don't commit any more serious errors I don't see how the
>>>>> BSDs (except OpenBSD as it's not a direct competitor) could compete with
>>>>> it in the long term.
>>>>>
>>>>> Now with ZoL/OpenZFS the long-term future even for FreeBSD is not that
>>>>> clear (and the recent iX decisions [1] [2] are a clear sign).
>>>>>
>>>>> [1] https://arstechnica.com/gadgets/2020/06/truenas-isnt-abandoning-bsd-but-it-is-adopting-linux/
>>>>> [2] https://www.truenas.com/TrueOS-Discontinuation/
>>>>>
>>>>>
>>>>> On 7/6/20 22:35, Wesley wrote:
>>>>>> greetings,
>>>>>>
>>>>>> There were freebsd and netbsd (maybe others?) in the BSD world.
>>>>>> What points did they focus on by design?
>>>>>> What are their use scenes then?
>>>>>>
>>>>>> Thank you.
>>>>>> _______________________________________________
>>>>>> freebsd-questions@freebsd.org mailing list
>>>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>>
>>>>
>>

