* Posts by pitrh

21 publicly visible posts • joined 22 Apr 2014

EU OS drafts a locked-down Linux blueprint for Eurocrats

pitrh

With KDE riding high on OpenBSD - why not use that as the base for the EU standard OS?

TL;DR - KDE runs well on OpenBSD (See eg rsadowski's blog post here https://rsadowski.de/posts/2024-05-20-kde6-on-openbsd/), large chunks of the system are developed and maintained in Europe anyway, so why not use that instead?

The project is formally headquartered in Canada, but in reality there are enough European developers (mainly German and French, but other nations represented) involved that I for one think that OpenBSD (https://www.openbsd.org) would be quite well suited as the basis for a general purpose standard operating system for European users.

I wrote a thing a few years back about hows and whys -- nicely edited and split into three chunks by APNIC at https://blog.apnic.net/2021/10/28/openbsd-part-1-how-it-all-started/ (part one of three) or the whole thing at my playground https://www.bsdly.net/~peter/what_every_it_person_needs_to_know_about_openbsd.html - the main points stand after four years, but I'm sure there are bits that could do with updating.

So enjoy! Discuss! :)

Windows 10's demise nears, but Linux is forever

pitrh

You could do worse than try OpenBSD on your existing hardware

I appreciate that penguin wrangling is the more common activity here, but this reminds me of my 2021 piece

"The Impending Doom of Your Operating System Going to or Past 11, Versus the Lush Oasis of Open Source Systems" https://nxdomain.no/~peter/2021_wild_wild_world_of_windows.html (or with trackers in return for nicer formatting https://bsdly.blogspot.com/2021/07/the-impending-doom-of-your-operating.html)

where the TL;DR is "Will the uncertainty over forced obsolescence of fairly recent hardware force Microsoft and Apple users to switch to open source alternatives?", with the conclusion being that it is at any rate a lot easier to communicate with open source developers (in this case OpenBSD ones) than reaching an actual person with the code within reach in the corporate world.

Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet

pitrh

Single Packet Authentication FTW, eh?

Oh, nice to see somebody actually implemented Single Packet Authentication on an industrial scale.

I'm sure portknockers-turned-SPAfanbois will be proud.

For background, this reminds me strongly of the fortunately long gone days of the noughties through the early twenty-teens, when port knocking was thought by some to be an excellent idea, only to be more or less replaced by the Much More Secure And Actually Excellent idea of Single Packet Authentication.

I wrote a rant about port knocking way back when, "Why Not Use Port Knocking?" (https://nxdomain.no/~peter/why_not_use_port_knocking.html, really part of the "Hail Mary Cloud" sequence -- summary up at https://nxdomain.no/~peter/hailmary_lessons_learned.html).

I suppose you can say at least in some security contexts, size actually matters (at least the size of the data your adversary needs to get right in order to gain access).

Vietnam plans to convert all its networks to IPv6

pitrh

Re: Linux Users Might Be Interested.......

As far as I am aware, the default for all TCP/IP stacks where IPv6 is enabled is to prefer IPv6 and to try to reach other hosts over IPv6, only falling back on IPv4 after IPv6 times out and if a local interface has an IPv4 address configured and connectivity over that protocol turns out to be available.

The time-to-give-up timeout is if I remember correctly a tuneable most places, but I suspect the default setting is long enough to be annoying if IPv6 is in fact not configured in the network at all but your machine keeps trying anyway.

So totally predictable.

Whether or not IPv6 is useful, I'll leave it at stating that my opinion differs from that of the person who wrote the article.

OpenBSD enthusiast cooks up guide for the technically timid

pitrh

For those who want a little more background, here is another piece

Nice to see that Carnat's writings get a bit of an airing.

For those who are looking for a bit more background here is a piece I wrote a couple of years back - as a 3 piece series at the APNIC blog https://blog.apnic.net/2021/10/28/openbsd-part-1-how-it-all-started/ or if you prefer the slightly rawer thing as one piece https://nxdomain.no/~peter/what_every_it_person_needs_to_know_about_openbsd.html (or if you want nicer formatting and are OK with G's tracking https://bsdly.blogspot.com/2021/09/what-every-it-person-needs-to-know.html). Anyway, either version has copious links to other hopefully useful material.

Venturing beyond the default OS on Raspberry Pi 5

pitrh

Re: arm64 versions of OpenBSD (and likely FreeBSD) should work too

Installing either OpenBSD or FreeBSD is not as hard as what seems to be the general perception out there.

The hardest part might be to make physical install media if needed. In the OpenBSD case, once you have done the "boot bsd.rd" (or simply waited out the short countdown) bit, you only need to come up with a hostname. The rest is basically pressing Enter at any prompt. Basically, the defaults make sense.

For the FreeBSD part, I must admit my last brush with the FreeBSD installer was when I needed to check something while writing a piece on my M2 MacBookAir. Installing FreeBSD/arm64 in a qemu vm was quick and straightforward. Again, mostly pressing Enter at the prompts.

If you don't want to sacrifice your Pi just yet, both OpenBSD and FreeBSD (or for that matter NetBSD) should install and run well on anything reasonable x86-ish you would have lying around.

pitrh

arm64 versions of OpenBSD (and likely FreeBSD) should work too

The more adventurous among us might be tempted to try something like OpenBSD/arm64 (https://www.openbsd.org/arm64.html), or for that matter FreeBSD's offerings.

That might even be material for a followup article.

The battle between open source and 'sort of' open source is as old as software

pitrh

A bit of history and some advice on productive interactions with open source communities

It is worth mentioning that the Internet would not be around in anything like its present form without rather a lot of open source.

As in "where did the TCP/IP reference implementation come from?"

I recently did a writeup and presentation on "Open Source in Enterprise Environments", with some advice about how to productively interact with open source communities for a talk that was originally intended for colleagues at $DAYJOB but it has also worked reasonably well as a user group talk.

The full text (which I adlib on when presenting) can be found as https://nxdomain.no/~peter/opensource_enterprise_notes.html or if you would like to be tracked by Big G in return for incrementally nicer formatting, https://bsdly.blogspot.com/2022/09/open-source-in-enterprise-environments.html

Comments welcome, of course.

ChatGPT's odds of getting code questions correct are worse than a coin flip

pitrh

Superficially plausible (to the ignorant) bulls**t

I would tend to agree with the main points of the article.

In my own experience, the bots tend to produce material that seems plausible to anyone who does not know the first thing about the subject at hand.

Out of curiosity I tried to make ChatGPT generate pf.conf (OpenBSD firewall config) to spec, and well, the results are available at https://bsdly.blogspot.com/2023/06/i-asked-chatgpt-to-write-pfconf-to-spec.html or trackerless https://nxdomain.no/~peter/chatgpt_writes_pf.conf.html

TL;DR: the bot produces superficially plausible (to the ignorant) *bullshit*.

OpenBSD 7.1 is out, including Apple M1 support

pitrh

Re: The "What every IT person needs to know about OpenBSD" article series

Exactly. I tried to make the links clickable but my post-initial post editing time ran out, sorry.

pitrh

The "What every IT person needs to know about OpenBSD" article series

If you've read to the end of the comments, you might be interested enough in the subject that you could be enticed to read a reference-rich 3-piece article series over at apnic.net, starting with https://blog.apnic.net/2021/10/28/openbsd-part-1-how-it-all-started/, also available as one piece minus APNIC's edits as https://bsdly.blogspot.com/2021/09/what-every-it-person-needs-to-know.htm, by yours truly about the time OpenBSD 7.0 was finalized.

Where are the (serious) Russian cyberattacks?

pitrh

We did see a marked increase in ssh password groping just before the invasion

I tend to agree with the general direction of the article. Whatever the .ru side is attempting they appear to come up rather short when it comes to tangible results.

That said, we did see a marked increase in some kinds of malicious-but-stupid traffic just before the invasion.

My field notes with a slightly sensational headline can be found at https://bsdly.blogspot.com/2022/02/predicting-developments-in-real-world.html with a few updates since the original publication.

UK Parliament hack: Really, a brute-force attack? Really?

pitrh

Feeding them false info, rate limiting, blackholing, etc, all would likely have helped

I've been doing all of these for a while with various systems in my care.

And as the article points out, these techniques have been around for quite a while, and if whoever was in charge of PM's mail etc systems didn't bother to use any of them, that's very bad practice indeed.

One moderately laughable piece I wrote recently focuses mainly on auto-clobbering bruteforcers, but has pointers to other resources too: http://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html

That's random: OpenBSD adds more kernel security

pitrh

Reasons to use OpenBSD incremented by one

Yes, one more reason to at least start considering OpenBSD as part of your portfolio.

If you need a not-too-many-minutes rundown of other good reasons, my "OpenBSD and you" propaganda slides are up at https://home.nuug.no/~peter/openbsd_and_you/ (freshly updated in spots for some reason)

Don't click that Google Docs link! Gmail hijack mail spreads like wildfire

pitrh

Never got one. Could I see headers, please?

I appear to be one of the few who did not get one of these. Nothing on the gmail account I occasionally use for G-ish things, but no sign at my own site either.

So I'm trying to find out whether some of these were indeed aimed at some of our users but were quietly taken care of by greylisting. If you have any of these messages preserved, would you care to share Received: headers so we can check for any patterns to search for in preserved greylist dumps?

- Peter

Inside OpenSSL's battle to change its license: Coders' rights, tech giants, patents and more

pitrh

The point is, changing the license without contributors' explicit consent is illegal

The specific content and any perceived merits of the various licenses are all irrelevant.

It's the "if we don't hear anything back we assume we have your consent" part that's simply not legal in any jurisdiction anywhere that has the concept of copyright.

If they want to change the license, fine. Contributors who agree with the new license will give their consent. For those who do not explicitly give their consent, any contributed code needs to be replaced with code under the new license, in some manner consistent with fairly straightforward copyright law.

The legalities are not at all complicated. Performing a full license audit of their tree is likely to be time consuming (just ask the people who did just that on the OpenBSD source and ports trees at least once), but unless they get everyone explicitly on board with the new license they will need to go through one.

If the various supposedly legality-savvy organizations such as those Theo mentions in his "GCC licence change" message actually approved this, "worse than useless" is a much too mild characterization of those organizations.

OpenBSD 6.0 lands

pitrh

Re: Yay!

The only possible breakage that comes to mind is wxallowed (likely) needed for /usr/local - if your /usr/local is *not* on a separate partition, you will need to either make it so before upgrading or reinstall. Otherwise upgrades from N.m to N.m++ tend to be ultra-smooth.

The simple sysmerge cases are even handled by rc.firstboot, and you will be notified by email to root of anything that needs another sysmerge run. Most of my 'keeping your system in trim' blog post should still apply - http://bsdly.blogspot.com/2012/07/keeping-your-openbsd-system-in-trim.html - but it's probably time to give that a freshening up as well.

OpenSSH has user enumeration bug

pitrh

Re: public / private key authentication

I don't think you can keep the pond scum from trying, as in I think sshd will let them try and keep failing.

The last post: Building your own mail server, Part 3

pitrh

Re: Citadel - takes about 20 minutes

A typical OpenBSD install takes about 5 minutes or less, and if you know the packages you want to install, inside of 20 minutes is not unrealistic. For the vi challenged, OpenBSD actually comes with a second editor in the base system - the emacs clone mg(1), which is essentially 'emacs as just a text editor'.

pitrh

Don't forget OpenBSD's spamd(8) - built in greylister and more

Nice series and I love the fact that you're using OpenBSD. However, I tend to think that building an OpenBSD mail server and not mentioning the built-in greylister spamd(8) is something of an omission. I've built a few rather similar systems myself, sometimes with spamd(8) on a gateway with other 'firewall' configuration, sometimes single box configs that run all the services. Setting up with spamd(8) would of course also mean tackling a minimal PF configuration, which may sound a bit foreign if OpenBSD is unfamiliar territory to start with, but I suspect the performance would be slightly better than with postgrey, and you would also gain the potential entertainment that greytrapping offers.

I've written some articles about these systems over the years, see eg the gentle introduction http://bsdly.blogspot.com/2013/05/keep-smiling-waste-spammers-time.html, the slightly more verbose http://bsdly.blogspot.com/2014/02/effective-spam-and-malware.html and about blacklists management with spamd tools http://bsdly.blogspot.com/2013/04/maintaining-publicly-available.html as well as of course a few items on incidents involving systems I run.
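The "minimal PF configuration" that a spamd(8) setup calls for, as an added example that is not from this comment, the linked articles or the OpenBSD project: a single-box OpenBSD mail host that sends unknown senders to spamd for greylisting and also drops addresses that hammer sshd, in the spirit of the auto-clobbering rules mentioned in the UK Parliament comment above. The spamd-white, nospamd and spamd port names follow the spamd(8) manual page; the bruteforce table name and the rate-limit numbers are assumed values to tune.

```pf
# /etc/pf.conf fragment (constructed example) for an OpenBSD mail host:
# greylisting via spamd(8) plus automatic blocking of ssh password gropers.

# Senders that have passed greylisting; spamd(8) adds them here itself.
table <spamd-white> persist
# Senders that must never be greylisted (large sites that retry badly).
table <nospamd> persist file "/etc/mail/nospamd"
# Addresses caught hammering sshd; assumed name. Expire old entries from
# root's crontab with:  pfctl -t bruteforce -T expire 86400
table <bruteforce> persist

set skip on lo

# Drop everything from hosts already identified as bruteforcers.
block quick from <bruteforce>

# Unknown senders are redirected to spamd listening on 127.0.0.1:8025
# (the "spamd" entry in /etc/services).
pass in on egress proto tcp from any to any port smtp \
    rdr-to 127.0.0.1 port spamd
# Later rules win: whitelisted and greylist-passed senders reach the MTA.
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp
pass out log on egress proto tcp to any port smtp

# Allow ssh, but more than 15 new connections in 5 seconds (or more than
# 100 simultaneous) from one address puts it in <bruteforce> and flushes
# its existing states. The numbers are assumed; tune them to your traffic.
pass in on egress proto tcp to any port ssh \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global)
```

spamd still has to be enabled in rc.conf.local and started for the redirect to make sense; with pf.conf loaded but spamd down, unknown senders simply get connection refused until they are whitelisted.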

OpenBSD founder wants to bin buggy OpenSSL library, launches fork

pitrh

Ted Unangst has more of the background

Ted Unangst, the OpenBSD developer who can be said to have 'instigated' the events that led to the fork that's now referred to as libressl has a nice writeup on his blog about how it all happened, including links to earlier analysis of the heartbleed bug and how it went undiscovered: http://www.tedunangst.com/flak/post/origins-of-libressl