Forgot your password?
typodupeerror

Submission Summary: 0 pending, 15 declined, 6 accepted (21 total, 28.57% accepted)

+ - First release of LibreSSL portable is available.

Submitted by ConstantineM
ConstantineM (965345) writes "It has finally happened. Bob Beck of The OpenBSD Foundation has just announced that the first release of LibreSSL portable is now available, and can be found in the LibreSSL directory of your favourite OpenBSD mirror. libressl-2.0.0.tar.gz has been tested to build on various versions of Linux, Solaris, Mac OS X and FreeBSD. This is intended to be an initial portable release of OpenBSD's libressl to allow the community to start using it and providing feedback, and has been done to address the issue of incorrect portable versions being attempted by third-parties. Support for additional platforms will be added as time and resources permit."

+ - Bob Beck gives a 30-day status update on LibreSSL at BSDCan in Ottawa

Submitted by ConstantineM
ConstantineM (965345) writes "Bob Beck — OpenBSD, OpenSSH and LibreSSL developer and the director of Alberta-based non-profit OpenBSD Foundation — gave a talk earlier today at BSDCan 2014 in Ottawa, discussing and illustrating the OpenSSL problems that have led to the creation of a big fork of OpenSSL that is still API-compatible with the original, providing for a drop-in replacement, without the #ifdef spaghetti and without its own "OpenSSL C" dialect.

Bob is claiming that the Maryland-incorporated OpenSSL Foundation is nothing but a for-profit front for FIPS consulting gigs, and that noone at OpenSSL is actually interested in maintaining OpenSSL, but merely adding more and more features, with the existing bugs rotting in bug-tracking for a staggering 4 years (CVE-2010-5298 has been independently re-discovered by the OpenBSD team after having been quietly reported in OpenSSL's RT some 4 years prior). Bob reports that the bug-tracking system abandoned by OpenSSL has actually been very useful to the OpenBSD developers at finding and fixing even more of OpenSSL bugs in downstream LibreSSL, which still remain unfixed in upstream OpenSSL. It is revealed that a lot of crude cleaning has already been completed, and the process is still ongoing, but some new ciphers already saw their addition to LibreSSL — RFC 5639 EC Brainpool, ChaCha20, Poly1305, FRP256v1, and some derivatives based on the above, like ChaCha20-Poly1305 AEAD EVP from Adam Langley's Chromium OpenSSL patchset.

To conclude, Bob warns against portable LibreSSL knockoffs, and asks the community for Funding Commitment — Linux Foundation is turning a blind eye to LibreSSL, and instead is only committed to funding OpenSSL directly, despite the apparent lack of security-oriented direction within the OpenSSL project upstream. Funding can be directed to the OpenBSD Foundation."

+ - OpenBSD 5.5 Released->

Submitted by ConstantineM
ConstantineM (965345) writes "Just as per the schedule, OpenBSD 5.5 was released today, May 1, 2014. The theme of the 5.5 release is Wrap in Time, which represents a significant achievement of changing time_t to int64_t on all platforms, as well as ensuring that all of the 8k+ OpenBSD ports still continue to build and work properly, thus doing all the heavy lifting and paving the way for all other operating systems to make the transition to 64-bit time an easier task down the line. Signed releases and packages and the new signify utility are another big selling point of 5.5, as well as OpenSSH 6.6, which includes lots of DJB crypto like chacha20-poly1305, plus lots of other goodies."
Link to Original Source

+ - OpenSSH no longer has to depend on OpenSSL->

Submitted by ConstantineM
ConstantineM (965345) writes "What has been planned for a long time now, prior to the infamous heartbleed fiasco of OpenSSL (which does not affect SSH at all), is now officially a reality — with the help of some recently adopted crypto from DJ Bernstein, OpenSSH now finally has a compile-time option to no longer depend on OpenSSL — `make OPENSSL=no` has now been introduced for a reduced configuration OpenSSH to be built without OpenSSL, which would leave you with no legacy SSH-1 baggage at all, and on the SSH-2 front with only AES-CTR and chacha20+poly1305 ciphers, ECDH/curve25519 key exchange and Ed25519 public keys."
Link to Original Source

+ - OpenSSH 6.5 released (with lotsa D. J. Bernstein crypto) 1

Submitted by ConstantineM
ConstantineM (965345) writes "OpenSSH 6.5 has been released, which is dubbed a feature release. It's the first release with lots of D. J. Bernstein crypto in public domain (6.4 did not contain any DJB code whatsoever), from ChaCha20-Poly1305 stream cipher and MAC, to key exchange with Curve25519 (and a new private key format). The new key exchange is now the default (when supported by both sides), but the new transport cipher is an option. Additionally, the portable version has some extra code-hardening, and a switch to a ChaCha20-based arc4random() PRNG for platforms that don't provide their own."

+ - OpenBSD Foundation Receives A Commitment for 100k, sets annual goal to 150k->

Submitted by ConstantineM
ConstantineM (965345) writes "Bob Beck, director of the OpenBSD foundation, writes on misc@ — 'To all of you who have donated, please allow me to give you a huge "Thank You". In a nutshell, we have in one week gone from being in a dire situation to having a commitment of approximately $100,000 in donations to the foundation. From a developer's perspective let me assure you that this reaffirms the worth of what we are supporting and makes us want to work on it that much more.' Based on the updated list of significant contributors, in addition to the donation by the Mircea Popescu of MPEx Bitcoin securities exchange, genua, Google and many others have joined in. 'We would like to continue to build on your groundswell of support, and have set a target for $150,000 this year in fundraising.', Bob concludes."
Link to Original Source

+ - OpenBSD Moving Towards Signed Packages — based on D. J. Bernstein crypto

Submitted by ConstantineM
ConstantineM (965345) writes "It's official: "we are moving towards signed packages", says Theo de Raadt on the misc@ mailing list. This is shortly after a new utility, signify, was committed into the base tree. The reason a new utility had to be written in the first place is that gnupg is too big to fit on the floppy discs, which are still a supported installation medium for OpenBSD. Signatures are based on the Ed25519 public-key signature system from D. J. Bernstein and co, and his public domain code once again appears in the base tree of OpenBSD, only a few weeks after some other DJB inventions made it into the nearby OpenSSH as well."

+ - Interview with John McAfee on Russia Today by Sophie Shevardnadze (25 minutes)->

Submitted by ConstantineM
ConstantineM (965345) writes "John McAfee has been interviewed on Russia Today in a 25-minute show by Sophie Shevardnadze. John has discussed his views on encryption, surveillance, operating systems, politics and paranoia, and even Kim Dotcom came to light. When asked about the possibility of encryption helping the criminals: "You cannot pre-emptively restrict your freedoms because of the fear of how something might be used. Everything that has ever been developed has been used for a bad purpose. Baseball bats, which are fun for baseball players to hit balls, they've also been used to beat people to death. We just cannot restrict ourselves because something might be used in the wrong way.""
Link to Original Source

+ - OpenBSD introduces signify, a sign and verify utility in base

Submitted by ConstantineM
ConstantineM (965345) writes "Perhaps in the light of the recent NSA disclosures, OpenBSD developer tedu@ has committed a new utility, signify, to aid OpenBSD in signing and verifying releases and packages. Why a new tool? He bluntly says that all the other tools were Not Invented Here. But another reason is that OpenBSD can still be installed from a floppy disc, and gnupg will just never ever fit. The one and only supported algorithm is Ed25519 from DJB. More details are in his blog."

+ - Why I'm turning JavaScript off by default ->

Submitted by ConstantineM
ConstantineM (965345) writes "I don’t want web designers redesigning the “experience” of using the web. The unification of the user experience of using computers is a positive thing. If you use old software from the early days of computing, everything had a different user experience. If you use Windows or OS X, you’ll know of software that behaves differently from the norm. If you are a reasonably perceptive user, you’ll see it, and then you’ll be annoyed by it."
Link to Original Source

+ - Apple and Linux vendors are behind Microsoft and OpenBSD on exploit mitigation->

Submitted by ConstantineM
ConstantineM (965345) writes "Microsoft has all significant exploit mitigation techniques fully integrated and enabled, says Theo de Raadt at Yandex ruBSD, whilst giving a 10-year summary of the methods employed by OpenBSD. In year 2000, OpenBSD started a development initiative to intentionally make the memory environment of a process less predictable and less robust, without impacting the well-behaved programs. Concepts like the random stack gap, W^X, ASLR and PIE are explained. Some of them, like the random stack gap, are implemented with a 3-line change to the kernel, yet it appears that FreeBSD is still shipping without it. Theo de Raadt also identifies that although Linux has the code for all of these techniques, most vendors enable them very sparingly, and, in general, support is disabled; Apple does have ASLR, but other methods appear missing."
Link to Original Source

+ - Theo de Raadt gives a 10-year summary on exploit mitigation in OpenBSD

Submitted by ConstantineM
ConstantineM (965345) writes "Microsoft has all significant exploit mitigation techniques fully integrated and enabled, claims Theo de Raadt at Yandex ruBSD, whilst giving a 10-year summary of the methods employed by OpenBSD. In year 2000, OpenBSD started a development initiative to intentionally make the memory environment of a process less predictable and less robust, without impacting the well-behaved programs. Concepts like the random stack gap, W^X, ASLR and PIE are explained. Some of them, like the random stack gap, are implemented with a 3-line change to the kernel, yet it appears that some other vendors are still shipping without it."

+ - fuse support in OpenBSD -current

Submitted by ConstantineM
ConstantineM (965345) writes "File system in userland support — fuse — was included in OpenBSD 5.4 source tree, but not built by default, hence not officially supported. This has since changed in 5.4-current. The undeadly editors have tracked down the author, Sylvestre Gallon, and asked him about his experience of getting libfuse into OpenBSD. Which userland file systems are supported? So far, it's sshfs-fuse and ntfs-3g (both are in the ports tree due to the GPL)."

+ - FUSE support in OpenBSD 5.4-current: last, but not least

Submitted by ConstantineM
ConstantineM (965345) writes "FUSE(4) has been included in OpenBSD 5.4, but was not build into the default kernels yet, hence, not officially supported. This has since changed in 5.4-current. The undeadly editors have tracked down the author, Sylvestre Gallon, a first-time OpenBSD contributor, and asked him about his experience of getting libfuse into OpenBSD. Long story short: it involves some vfs grokking, improved fusebufs and a BSD rewrite of the GPL libfuse. Although to actually enjoy the feature, you'd still have to subject yourself to GPLv2 in the ports tree: sysutils/sshfs-fuse and ntfs-3g ports are available."

+ - OpenSSH has a new cipher, chacha20-poly1305, from D.J. Bernstein!

Submitted by ConstantineM
ConstantineM (965345) writes "Inspired by a recent Google initiative to adopt ChaCha20 and Poly1305 for TLS, OpenSSH developer Damien Miller has added a similar protocol to ssh, chacha20-poly1305@openssh.com, which is based on D. J. Bernstein algorithms that are specifically optimised to provide the highest security at the lowest computational cost, and not require any special hardware at doing so. Some further details are in his blog, and at undeadly. The source code of the protocol is remarkably simple — less than 100 lines of code!"

If you think the system is working, ask someone who's waiting for a prompt.

Working...