Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Slashdot Deals: Deal of the Day - 6 month subscription of Pandora One at 46% off. ×

Submission + - Untamed OpenBSD gets a pledge(2), hazing follows

ConstantineM writes: Two weeks after making a presentation on the new tame(2) in OpenBSD, Theo de Raadt has untamed the tame(), and declared it as the new pledge() system call instead.

The call bears system call number 108 , which has been the only unchanged part about it since its original introduction to syscalls.master some 3 months prior as sys_tame(int flags), having since hazed its way through multiple incarnations to arrive at the present and more modern-looking sys_pledge(const char *request, const char **paths).

What's it for? Pledge is OpenBSD's answer to capsicum(4) capabilities and libcapsicum from FreeBSD and seccomp(2) from Linux, but done the OpenBSD way — fewer knobs and easier IU for higher adoption. In his presentation, Theo proclaims that "tame() implementation is only 1200 lines of code", and programmes "can use it with 3-10 changes", and that some hundred ones have already been tamed with minimal effort (and are currently pledging).

Some examples include cat , mkdir and patch , which all require merely two lines of code each. The original idea for syscall 108 came from the recent file(1) rewrite, which originally required 300 lines of systrace code to sandbox, which can now be accomplished in merely 4 lines with pledge .

The interface has not been declared stable or cross-platform yet, but the mailing list posts and commits do show active adoption within OpenBSD.

Submission + - OpenBSD keyboard problems fixed by pms(4) and a forcible mouse port reset

ConstantineM writes: Theo de Raadt writes in on tech@ a fascinating story from the s2k15 hackathon in Brisbane about the reasons that the mice and keyboards were problematic on the new ThinkPad X1, specifically, having keyboard repeat and shutter during install, eventually being figured out to happen due to the large and extra sensitive touchpad. It all came down to the pms driver, or lack thereof, as it's missing only on the RAMDISK kernels used on the install media, and they were the only ones being visibly affected.

The solution is to forcibly reset the mouse port at attach., de Raadt proclaims. Some other keyboard issues, notably boot -c not working on some machines, were also determined to be caused by the mouse ports, too.

But the changes are risky, and require lots of testing prior to commit, due to the plethora of keyboard controller models, so, it didn't make the cut for the upcoming 5.7 release.

Submission + - OpenSSH will feature key discovery and rotation for easier switching to Ed25519

ConstantineM writes: OpenSSH developer Damien Miller wrote tomorrow from Down Under about a new feature he implemented and committed for the next upcoming 6.8 release of OpenSSH — hostkeys@openssh.com — an OpenSSH extension to the SSH protocol for sshd to automatically send all of its public keys to the client, and for the client to automatically replace all keys of such server within ~/.ssh/known_hosts with the fresh copies as supplied (provided the server is trusted in the first place, of course). The protocol extension is simple enough, and is aimed to make it easier to switch over from DSA to the OpenSSL-free Ed25519 public keys. It is also designed in such a way as to support the concept of spare host keys being stored offline, which could then seamlessly replace main active keys should they ever become compromised.

Submission + - First release of LibreSSL portable is available.

ConstantineM writes: It has finally happened. Bob Beck of The OpenBSD Foundation has just announced that the first release of LibreSSL portable is now available, and can be found in the LibreSSL directory of your favourite OpenBSD mirror. libressl-2.0.0.tar.gz has been tested to build on various versions of Linux, Solaris, Mac OS X and FreeBSD. This is intended to be an initial portable release of OpenBSD's libressl to allow the community to start using it and providing feedback, and has been done to address the issue of incorrect portable versions being attempted by third-parties. Support for additional platforms will be added as time and resources permit.

Submission + - Bob Beck gives a 30-day status update on LibreSSL at BSDCan in Ottawa

ConstantineM writes: Bob Beck — OpenBSD, OpenSSH and LibreSSL developer and the director of Alberta-based non-profit OpenBSD Foundation — gave a talk earlier today at BSDCan 2014 in Ottawa, discussing and illustrating the OpenSSL problems that have led to the creation of a big fork of OpenSSL that is still API-compatible with the original, providing for a drop-in replacement, without the #ifdef spaghetti and without its own "OpenSSL C" dialect.

Bob is claiming that the Maryland-incorporated OpenSSL Foundation is nothing but a for-profit front for FIPS consulting gigs, and that noone at OpenSSL is actually interested in maintaining OpenSSL, but merely adding more and more features, with the existing bugs rotting in bug-tracking for a staggering 4 years (CVE-2010-5298 has been independently re-discovered by the OpenBSD team after having been quietly reported in OpenSSL's RT some 4 years prior). Bob reports that the bug-tracking system abandoned by OpenSSL has actually been very useful to the OpenBSD developers at finding and fixing even more of OpenSSL bugs in downstream LibreSSL, which still remain unfixed in upstream OpenSSL. It is revealed that a lot of crude cleaning has already been completed, and the process is still ongoing, but some new ciphers already saw their addition to LibreSSL — RFC 5639 EC Brainpool, ChaCha20, Poly1305, FRP256v1, and some derivatives based on the above, like ChaCha20-Poly1305 AEAD EVP from Adam Langley's Chromium OpenSSL patchset.

To conclude, Bob warns against portable LibreSSL knockoffs, and asks the community for Funding Commitment — Linux Foundation is turning a blind eye to LibreSSL, and instead is only committed to funding OpenSSL directly, despite the apparent lack of security-oriented direction within the OpenSSL project upstream. Funding can be directed to the OpenBSD Foundation.

Submission + - OpenBSD 5.5 Released (openbsd.org)

ConstantineM writes: Just as per the schedule, OpenBSD 5.5 was released today, May 1, 2014. The theme of the 5.5 release is Wrap in Time, which represents a significant achievement of changing time_t to int64_t on all platforms, as well as ensuring that all of the 8k+ OpenBSD ports still continue to build and work properly, thus doing all the heavy lifting and paving the way for all other operating systems to make the transition to 64-bit time an easier task down the line. Signed releases and packages and the new signify utility are another big selling point of 5.5, as well as OpenSSH 6.6, which includes lots of DJB crypto like chacha20-poly1305, plus lots of other goodies.

Submission + - OpenSSH no longer has to depend on OpenSSL (gmane.org)

ConstantineM writes: What has been planned for a long time now, prior to the infamous heartbleed fiasco of OpenSSL (which does not affect SSH at all), is now officially a reality — with the help of some recently adopted crypto from DJ Bernstein, OpenSSH now finally has a compile-time option to no longer depend on OpenSSL — `make OPENSSL=no` has now been introduced for a reduced configuration OpenSSH to be built without OpenSSL, which would leave you with no legacy SSH-1 baggage at all, and on the SSH-2 front with only AES-CTR and chacha20+poly1305 ciphers, ECDH/curve25519 key exchange and Ed25519 public keys.

Submission + - OpenSSH 6.5 released (with lotsa D. J. Bernstein crypto) 1

ConstantineM writes: OpenSSH 6.5 has been released, which is dubbed a feature release. It's the first release with lots of D. J. Bernstein crypto in public domain (6.4 did not contain any DJB code whatsoever), from ChaCha20-Poly1305 stream cipher and MAC, to key exchange with Curve25519 (and a new private key format). The new key exchange is now the default (when supported by both sides), but the new transport cipher is an option. Additionally, the portable version has some extra code-hardening, and a switch to a ChaCha20-based arc4random() PRNG for platforms that don't provide their own.

Submission + - OpenBSD Foundation Receives A Commitment for 100k, sets annual goal to 150k (openbsdfoundation.org)

ConstantineM writes: Bob Beck, director of the OpenBSD foundation, writes on misc@ — 'To all of you who have donated, please allow me to give you a huge "Thank You". In a nutshell, we have in one week gone from being in a dire situation to having a commitment of approximately $100,000 in donations to the foundation. From a developer's perspective let me assure you that this reaffirms the worth of what we are supporting and makes us want to work on it that much more.' Based on the updated list of significant contributors, in addition to the donation by the Mircea Popescu of MPEx Bitcoin securities exchange, genua, Google and many others have joined in. 'We would like to continue to build on your groundswell of support, and have set a target for $150,000 this year in fundraising.', Bob concludes.

Submission + - OpenBSD Moving Towards Signed Packages — based on D. J. Bernstein crypto

ConstantineM writes: It's official: "we are moving towards signed packages", says Theo de Raadt on the misc@ mailing list. This is shortly after a new utility, signify, was committed into the base tree. The reason a new utility had to be written in the first place is that gnupg is too big to fit on the floppy discs, which are still a supported installation medium for OpenBSD. Signatures are based on the Ed25519 public-key signature system from D. J. Bernstein and co, and his public domain code once again appears in the base tree of OpenBSD, only a few weeks after some other DJB inventions made it into the nearby OpenSSH as well.

Submission + - Interview with John McAfee on Russia Today by Sophie Shevardnadze (25 minutes) (youtube.com)

ConstantineM writes: John McAfee has been interviewed on Russia Today in a 25-minute show by Sophie Shevardnadze. John has discussed his views on encryption, surveillance, operating systems, politics and paranoia, and even Kim Dotcom came to light. When asked about the possibility of encryption helping the criminals: "You cannot pre-emptively restrict your freedoms because of the fear of how something might be used. Everything that has ever been developed has been used for a bad purpose. Baseball bats, which are fun for baseball players to hit balls, they've also been used to beat people to death. We just cannot restrict ourselves because something might be used in the wrong way."

Submission + - OpenBSD introduces signify, a sign and verify utility in base

ConstantineM writes: Perhaps in the light of the recent NSA disclosures, OpenBSD developer tedu@ has committed a new utility, signify, to aid OpenBSD in signing and verifying releases and packages. Why a new tool? He bluntly says that all the other tools were Not Invented Here. But another reason is that OpenBSD can still be installed from a floppy disc, and gnupg will just never ever fit. The one and only supported algorithm is Ed25519 from DJB. More details are in his blog.

Submission + - Why I'm turning JavaScript off by default (tommorris.org)

ConstantineM writes: I don’t want web designers redesigning the “experience” of using the web. The unification of the user experience of using computers is a positive thing. If you use old software from the early days of computing, everything had a different user experience. If you use Windows or OS X, you’ll know of software that behaves differently from the norm. If you are a reasonably perceptive user, you’ll see it, and then you’ll be annoyed by it.

Submission + - Apple and Linux vendors are behind Microsoft and OpenBSD on exploit mitigation (openbsd.org)

ConstantineM writes: Microsoft has all significant exploit mitigation techniques fully integrated and enabled, says Theo de Raadt at Yandex ruBSD, whilst giving a 10-year summary of the methods employed by OpenBSD. In year 2000, OpenBSD started a development initiative to intentionally make the memory environment of a process less predictable and less robust, without impacting the well-behaved programs. Concepts like the random stack gap, W^X, ASLR and PIE are explained. Some of them, like the random stack gap, are implemented with a 3-line change to the kernel, yet it appears that FreeBSD is still shipping without it. Theo de Raadt also identifies that although Linux has the code for all of these techniques, most vendors enable them very sparingly, and, in general, support is disabled; Apple does have ASLR, but other methods appear missing.

Submission + - Theo de Raadt gives a 10-year summary on exploit mitigation in OpenBSD

ConstantineM writes: Microsoft has all significant exploit mitigation techniques fully integrated and enabled, claims Theo de Raadt at Yandex ruBSD, whilst giving a 10-year summary of the methods employed by OpenBSD. In year 2000, OpenBSD started a development initiative to intentionally make the memory environment of a process less predictable and less robust, without impacting the well-behaved programs. Concepts like the random stack gap, W^X, ASLR and PIE are explained. Some of them, like the random stack gap, are implemented with a 3-line change to the kernel, yet it appears that some other vendors are still shipping without it.

2 pints = 1 Cavort