freebsd vs. netbsd

Valeri Galtsev galtsev at kicp.uchicago.edu
Tue Jun 9 15:04:54 UTC 2020 


> On Jun 8, 2020, at 11:38 PM, Anatoli <me at anatoli.ws> wrote:
> 
> If you're talking about the allegations that Jason Wright planted
> backdoors into OpenBSD for FBI, then you invented about 90% of the
> story.
> 
> The story is about Gregory Perry's (a former technical consultant for
> the FBI) allegations that Jason Wright (an ex-dev) and NETSEC (the
> company he and some others worked for) accepted US government money to
> put backdoors into OpenBSD's network stack, in particular the IPSEC
> stack, around 2000-2001.
> 
> This information is public, was discussed multiple times and nothing
> extraordinary resulted from it.
> 
> After the allegations went public, extensive audits were conducted
> internally and externally and nothing serious or of intentional nature
> was found by anyone.
> 
> For those interested, here are some links:
> 1. A TL;DR version about the story by ArsTechnica: [1];
> 2. Theo De Raadt (founder of OpenBSD) mail disclosing the allegations
>    made privately to him: [2];
> 3. His follow-up email: [3];
> 4. A follow-up email from Gregory Perry (the one making allegations)
>    after his initial email was made public by Theo [4]
> 5. Damien Miller (OpenSSH/OpenBSD) comments about feasibility of such
>    implantation, very insightful for those interested in technical
>    details (as the entire thread) [5];
> 6. All allegations denied by named participants: [6];
> 7. A follow-up to the story from the past year (2019), a FOIA request
>    to the FBI to disclose any involvement with OpenBSD: [7].
> 
> If you're talking about this story, nothing new or interesting. If
> you're talking about something else, then the burden of proof is on the
> one making the claim. So don't say "check that on your own". You're
> making a public claim, provide the proof or be considered just a
> FUD-spreader.
> 
> 
> On the other hand, no software project, public or private, is immune to
> governments trying to insert backdoors, though Bruce Schneier believes
> this would be just plain stupid: [8].
> 
>> I too was considering OpenBSD the most secure operating system out
>> there. Till the moment I've learned ..."
> 
> So even *if* we suppose that there were any backdoors planted in OpenBSD
> (which was never demonstrated by anyone publicly), do you have any
> better alternative than OpenBSD? Some OS guaranteed to be free from
> government backdoors? Any OS better suited for entire system audits due
> to its simplicity and a small, clean code base? Any OS with a better
> secure development and peer review process?
> 
> If not, what's your point then?
> 
> [1]: https://arstechnica.com/information-technology/2010/12/openbsd-code-audit-uncovers-bugs-but-no-evidence-of-backdoor/
> [2]: https://marc.info/?l=openbsd-tech&m=129236621626462&w=2
> [3]: https://marc.info/?l=openbsd-tech&m=129296046123471
> [4]: https://www.csoonline.com/article/2136901/an-fbi-backdoor-in-openbsd-.html
> [5]: https://marc.info/?l=openbsd-tech&m=129237675106730&w=2
> [6]: https://www.itworld.com/article/2744922/openbsd-fbi-allegations-denied-by-named-participants.html
> [7]: https://news.ycombinator.com/item?id=20489904
> [8]: https://www.schneier.com/blog/archives/2010/12/did_the_fbi_pla.html
> 

Thanks for nice write-up. Now everyone who haven’t heard this story (not everyone is as old as some of us), have it in meticulous detail and unbiased presentation. So, they can make their own independent judgement for themselves. Which is the most important, thanks again!

Valeri

> On 8/6/20 12:44, Valeri Galtsev wrote:
>> 
>> 
>> On 2020-06-08 09:25, Anatoli wrote:
>>>> The most secure… if you dismiss the fact that one of the developer (who wrote network stack if my memory serves me) was simultaneously receiving payments from one of three letter agencies for several years.
>>> 
>>> Rumors + FUD or do you have any proof?
>>> 
>> 
>> When I heard that I checked, and receipt of payments was confirmed by developer himself. That is my recollection, I am merely human whose memory can not be perfect, check that on your own. This even if confirmed as a fact, does not mean he left back doors or weak spots in code.
>> 
>> The rest is for everyone: to do one's own home work:
>> 
>> 1. who don't care just dismiss what is said
>> 
>> 2. Who do care to verify if receipt of payments is the fact, just verify on your own (I never think of myself to be considered the source of absolute truth. Merely as a help to point into direction where who is interested may find something helpful)
>> 
>> If one verifies the fact of payment(s), the decide for yourself:
>> 
>> A. Audit the code (I for one realize I will not be able to find fishy spots in that sophisticated code, so this can not be my choice)
>> 
>> B. Accept that it is likely that good enough programmers did audit code, hence there are no weak (or worse) spots in it
>> 
>> C. Accept that what top programmer wrote is not that easy to audit, and just shy away from what may (just merely may) be not quite kosher. If you care, of course.
>> 
>> 
>> And again, do your own thinking, this may, just merely may help someone.
>> 
>> 
>> Valeri
>> 
>>> On 8/6/20 10:26, Valeri Galtsev wrote:
>>>> 
>>>> 
>>>>> On Jun 7, 2020, at 11:26 PM, Anatoli <me at anatoli.ws> wrote:
>>>>> 
>>>>> IMO
>>>>> 
>>>>> * FreeBSD: servers (performance, stability, relative security, zfs),
>>>>>   competes directly with Linux
>>>>> 
>>>>> * OpenBSD: routers/firewalls, desktops (the most secure OS
>>>> 
>>>> The most secure… if you dismiss the fact that one of the developer (who wrote network stack if my memory serves me) was simultaneously receiving payments from one of three letter agencies for several years.
>>>> 
>>>> Valeri
>>>> 
>>>>> and a really
>>>>>   good desktop, but its absence of server-class performance is its
>>>>>   weakest side + no zfs (just ffs2) and limited virtualization (no SMP)
>>>>>   so not suitable for any serious server load where absolute security is
>>>>>   not a must). The king in its niche (paranoid security)
>>>>> 
>>>>> * NetBSD: toasters & freezers (runs on anything, otherwise not sure
>>>>>   what's the point :), competes with FreeBSD and Linux (and Linux now
>>>>>   supports more archs/platforms than Net). IMO no clear vision and thus
>>>>>   attracts too little resources both human and economic. IMO midterm not
>>>>>   much hope for survival, same as DFly and smaller BSDs.
>>>>> 
>>>>> I believe that OS development is an economy of scale (doing things more
>>>>> efficiently or having other advantaged with increasing size) with a
>>>>> tendency for a monopoly in the same niche.
>>>>> 
>>>>> There are some features that the larger players establish as a
>>>>> commodity, but that are very time-intensive and complex to develop (e.g.
>>>>> virtualization, wifi ac and now ax). So what Linux implemented more than
>>>>> a decade ago, the BSDs are just catching up now.
>>>>> 
>>>>> Linux world had 2 "obstacles" to its almost flawless growth recently
>>>>> (systemd and a ZFS alternative). Now that the things have almost settled
>>>>> up, if they don't commit any more serious errors I don't see how the
>>>>> BSDs (except OpenBSD as it's not a direct competitor) could compete with
>>>>> it in the long term.
>>>>> 
>>>>> Now with ZoL/OpenZFS the long-term future even for FreeBSD is not that
>>>>> clear (and the recent iX decisions [1] [2] are a clear sign).
>>>>> 
>>>>> [1] https://arstechnica.com/gadgets/2020/06/truenas-isnt-abandoning-bsd-but-it-is-adopting-linux/
>>>>> [2] https://www.truenas.com/TrueOS-Discontinuation/
>>>>> 
>>>>> 
>>>>> On 7/6/20 22:35, Wesley wrote:
>>>>>> greetings,
>>>>>> 
>>>>>> There were freebsd and netbsd (maybe others?) in BSD world.
>>>>>> What points did they focus by design?
>>>>>> what are their use scenes then?
>>>>>> 
>>>>>> Thank you.
>>>>>> _______________________________________________
>>>>>> freebsd-questions at freebsd.org mailing list
>>>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>>>>> _______________________________________________
>>>>> freebsd-questions at freebsd.org mailing list
>>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>>>> 
>>>> _______________________________________________
>>>> freebsd-questions at freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>>>> 
>> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list