* Posts by pitrh

17 publicly visible posts • joined 22 Apr 2014

OpenBSD enthusiast cooks up guide for the technically timid

pitrh

For those who want a little more background, here is another piece

Nice to see that Carnat's writings get a bit of an airing.

For those who are looking for a bit more background here is a piece I wrote a couple of years back - as a 3-piece series at the APNIC blog https://blog.apnic.net/2021/10/28/openbsd-part-1-how-it-all-started/ or if you prefer the slightly rawer thing as one piece https://nxdomain.no/~peter/what_every_it_person_needs_to_know_about_openbsd.html (or if you want nicer formatting and are OK with G's tracking https://bsdly.blogspot.com/2021/09/what-every-it-person-needs-to-know.html). Anyway, either version has copious links to other hopefully useful material.

Venturing beyond the default OS on Raspberry Pi 5

pitrh

Re: arm64 versions of OpenBSD (and likely FreeBSD) should work too

Installing either OpenBSD or FreeBSD is not as hard as what seems to be the general perception out there.

The hardest part might be to make physical install media if needed. In the OpenBSD case, once you have done the "boot bsd.rd" (or simply waited out the short countdown) bit, you only need to come up with a hostname. The rest is basically pressing Enter at any prompt. Basically, the defaults make sense.

For the FreeBSD part, I must admit my last brush with the FreeBSD installer was when I needed to check something while writing a piece on my M2 MacBookAir. Installing FreeBSD/arm64 in a qemu vm was quick and straightforward. Again, mostly pressing Enter at the prompts.

If you don't want to sacrifice your Pi just yet, both OpenBSD and FreeBSD (or for that matter NetBSD) should install and run well on anything reasonable x86-ish you would have lying around.

pitrh

arm64 versions of OpenBSD (and likely FreeBSD) should work too

The more adventurous among us might be tempted to try something like OpenBSD/arm64 (https://www.openbsd.org/arm64.html), or for that matter FreeBSD's offerings.

That might even be material for a followup article.

The battle between open source and 'sort of' open source is as old as software

pitrh

A bit of history and some advice on productive interactions with open source communities

It is worth mentioning that the Internet would not be around in anything like its present form without rather a lot of open source.

As in "where did the TCP/IP reference implementation come from?"

I recently did a writeup and presentation on "Open Source in Enterprise Environments", with some advice about how to productively interact with open source communities, for a talk that was originally intended for colleagues at $DAYJOB, but it has also worked reasonably well as a user group talk.

The full text (which I adlib on when presenting) can be found as https://nxdomain.no/~peter/opensource_enterprise_notes.html or if you would like to be tracked by Big G in return for incrementally nicer formatting, https://bsdly.blogspot.com/2022/09/open-source-in-enterprise-environments.html.

Comments welcome, of course.

ChatGPT's odds of getting code questions correct are worse than a coin flip

pitrh

Superficially plausible (to the ignorant) bulls**t

I would tend to agree with the main points of the article.

In my own experience, the bots tend to produce material that seems plausible to anyone who does not know the first thing about the subject at hand.

Out of curiosity I tried to make ChatGPT generate pf.conf (OpenBSD firewall config) to spec, and well, the results are available at https://bsdly.blogspot.com/2023/06/i-asked-chatgpt-to-write-pfconf-to-spec.html or trackerless https://nxdomain.no/~peter/chatgpt_writes_pf.conf.html.

TL;DR: the bot produces superficially (to the ignorant) *bullshit*.

OpenBSD 7.1 is out, including Apple M1 support

pitrh

Re: The "What every IT person needs to know about OpenBSD" article series

Exactly. I tried to make the links clickable but my post-initial post editing time ran out, sorry.

pitrh

The "What every IT person needs to know about OpenBSD" article series

If you've read to the end of comments, you might be interested enough in the subject that you could be enticed to read a reference-rich 3-piece article series over at apnic.net, starting with https://blog.apnic.net/2021/10/28/openbsd-part-1-how-it-all-started/, also available as one piece minus APNIC's edits as https://bsdly.blogspot.com/2021/09/what-every-it-person-needs-to-know.htm, by yours truly about the time OpenBSD 7.0 was finalized.

Where are the (serious) Russian cyberattacks?

pitrh

We did see a marked increase in ssh password groping just before the invasion

I tend to agree with the general direction of the article. Whatever the .ru side is attempting they appear to come up rather short when it comes to tangible results.

That said, we did see a marked increase in some kinds of malicious-but-stupid traffic just before the invasion.

My field notes with a slightly sensational headline can be found at https://bsdly.blogspot.com/2022/02/predicting-developments-in-real-world.html with a few updates since the original publication.

UK Parliament hack: Really, a brute-force attack? Really?

pitrh

Feeding them false info, rate limiting, blackholing, etc, all would likely have helped

I've been doing all of these for a while with various systems in my care.

And as the article points out, these techniques have been around for quite a while, and if whoever was in charge of the PM's mail etc. systems didn't bother to use any of them, that's very bad practice indeed.

One moderately laughable piece I wrote recently focuses mainly on auto-clobbering bruteforcers, but has pointers to other resources too: http://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html

That's random: OpenBSD adds more kernel security

pitrh

Reasons to use OpenBSD incremented by one

Yes, one more reason to at least start considering OpenBSD as part of your portfolio.

If you need a not-too-many-minutes rundown of other good reasons, my "OpenBSD and you" propaganda slides are up at https://home.nuug.no/~peter/openbsd_and_you/ (freshly updated in spots for some reason).

Don't click that Google Docs link! Gmail hijack mail spreads like wildfire

pitrh

Never got one. Could I see headers, please?

I appear to be one of the few who did not get one of these. Nothing on the gmail account I occasionally use for G-ish things, but no sign at my own site either.

So I'm trying to find out whether some of these were indeed aimed at some of our users but were quietly taken care of by greylisting. If you have any of these messages preserved, would you care to share Received: headers so we can check for any patterns to search for in preserved greylist dumps?

- Peter

Inside OpenSSL's battle to change its license: Coders' rights, tech giants, patents and more

pitrh

The point is, changing the license without contributors' explicit consent is illegal

The specific content and any perceived merits of the various licenses are all irrelevant.

It's the "if we don't hear anything back we assume we have your consent" part that's simply not legal in any jurisdiction anywhere that has the concept of copyright.

If they want to change the license, fine. Contributors who agree with the new license will give their consent. For those who do not explicitly give their consent, any contributed code needs to be replaced with code under the new license, in some manner consistent with fairly straightforward copyright law.

The legalities are not at all complicated. Performing a full license audit of their tree is likely to be time consuming (just ask the people who did just that on the OpenBSD source and ports trees at least once), but unless they get everyone explicitly on board with the new license they will need to go through one.

If the various supposedly legality-savvy organizations such as those Theo mentions in his "GCC licence change" message actually approved this, "worse than useless" is a much too mild characterization of those organizations.

OpenBSD 6.0 lands

pitrh

Re: Yay!

The only possible breakage that comes to mind is wxallowed (likely) needed for /usr/local - if your /usr/local is *not* on a separate partition, you will need to either make it so before upgrading or reinstall. Otherwise upgrades from N.m to N.m++ tend to be ultra-smooth.

The simple sysmerge cases are even handled by rc.firstboot, and you will be notified by email to root of anything that needs another sysmerge run. Most of my 'keeping your system in trim' blog post should still apply - http://bsdly.blogspot.com/2012/07/keeping-your-openbsd-system-in-trim.html - but it's probably time to give that a freshening up as well.

OpenSSH has user enumeration bug

pitrh

Re: public / private key authentication

I don't think you can keep the pond scum from trying, as in I think sshd will let them try and keep failing.

The last post: Building your own mail server, Part 3

pitrh

Re: Citadel - takes about 20 minutes

A typical OpenBSD install takes about 5 minutes or less, and if you know the packages you want to install, inside of 20 minutes is not unrealistic. For the vi challenged, OpenBSD actually comes with a second editor in the base system - the emacs clone mg(1), which is essentially 'emacs as just a text editor'.

pitrh

Don't forget OpenBSD's spamd(8) - built in greylister and more

Nice series and I love the fact that you're using OpenBSD. However, I tend to think that building an OpenBSD mail server and not mentioning the built-in greylister spamd(8) is something of an omission. I've built a few rather similar systems myself, sometimes with spamd(8) on a gateway with other 'firewall' configuration, sometimes single box configs that run all the services. Setting up with spamd(8) would of course also mean tackling a minimal PF configuration, which may sound a bit foreign if OpenBSD is unfamiliar territory to start with, but I suspect the performance would be slightly better than with postgrey, and you would also gain the potential entertainment that greytrapping offers.

I've written some articles about these systems over the years, see e.g. the gentle introduction http://bsdly.blogspot.com/2013/05/keep-smiling-waste-spammers-time.html, the slightly more verbose http://bsdly.blogspot.com/2014/02/effective-spam-and-malware.html and about blacklists management with spamd tools http://bsdly.blogspot.com/2013/04/maintaining-publicly-available.html as well as of course a few items on incidents involving systems I run.

OpenBSD founder wants to bin buggy OpenSSL library, launches fork

pitrh

Ted Unangst has more of the background

Ted Unangst, the OpenBSD developer who can be said to have 'instigated' the events that led to the fork that's now referred to as libressl, has a nice writeup on his blog about how it all happened, including links to earlier analysis of the Heartbleed bug and how it went undiscovered: http://www.tedunangst.com/flak/post/origins-of-libressl