Security of OpenBSD

Security of OpenBSD

Josef Pospisil
Hey, thank you all for this mailing list.

I have a question regarding the security of OpenBSD.

I am assuming that Linux has some mathematics and logic that lets you
get into every system just for e.g. because of port knocking!
That opens an interface for people that know the system to do
everything! I also think that Linux is not being verified regarding
these paid programmer backholes.

Can someone be that kind and explain to me if the whole code of OpenBSD
was checked at least once since OpenBSD was founded? That there are
no backholes like I was describing?

It would be beautiful if someone could answer me!

Greetings

Josef Pospisil


Re: Security of OpenBSD

R0me0 ***
I think the OpenBSD code review is taken so seriously that it is more than a
good practice matter.

https://www.openbsd.org/security.html

On Mon, 3 Jun 2019 at 22:33, Josef Pospisil <[hidden email]>
wrote:

> Hey, thank you all for this mailing list.
>
> I have a question regarding the security of OpenBSD.
>
> I am assuming that Linux has some mathematics and logic that lets you
> get into every system just for e.g. because of port knocking!
> That opens an interface for people that know the system to do
> everything! I also think that Linux is not being verified regarding
> these paid programmer backholes.
>
> Can someone be that kind and explain to me if the whole code of OpenBSD
> was checked at least once since OpenBSD was founded? That there are
> no backholes like I was describing?
>
> It would be beautiful if someone could answer me!
>
> Greetings
>
> Josef Pospisil
Re: Security of OpenBSD

Peter Nicolai Mathias Hansteen
> On 4 Jun 2019 at 00:32, Josef Pospisil <[hidden email]> wrote:
>
> Can someone be that kind and explain to me if the whole code of OpenBSD
> was checked at least once since OpenBSD was founded? That there are
> no backholes like I was describing?

Code auditing (aka ‘reading the code like the devil reads the Bible’) is very much part of the project lifestyle. A good place to start for taking in how the project works is the project website itself, start at the top with the project goals page http://www.openbsd.org/goals.html and work your way through at your own pace.

There are of course other, less official propaganda presentations like my own «OpenBSD and you» (https://home.nuug.no/~peter/openbsd_and_you/) that will, if nothing else, show you highlights I thought important while composing a user group presentation (and some minor brushups since then), with links to further info.

- Peter


Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Security of OpenBSD

Stuart Henderson
On 2019-06-03, Josef Pospisil <[hidden email]> wrote:
> Hey, thank you all for this mailing list.
>
> I have a question regarding the security of OpenBSD.

You can't really trust an answer to this question. What if somebody put
in a backdoor but they're the person who answers saying everything's fine?

> I am assuming that Linux has some mathematics and logic that lets you
> get into every system just for e.g. because of port knocking!
> That opens an interface for people that know the system to do
> everything! I also think that Linux is not being verified regarding
> these paid programmer backholes.
>
> Can someone be that kind and explain to me if the whole code of OpenBSD
> was checked at least once since OpenBSD was founded? That there are
> no backholes like I was describing?

OpenBSD's own code generally gets a fair bit of review (and, importantly,
tries to avoid practices which are considered unsafe). One can't say
the same about all third-party code in the OS (including the compiler
toolchain), though obviously we try to avoid junk software.

The existence of bugs like "heartbleed" shows that code review doesn't
always find things in time anyway. Was it a backdoor or "just a bug"?
Who can tell? And on another level there are various CPU bugs like the
Intel ones that have been discovered over the last couple of years, it
all comes down to "who do you trust?"

Also see Ken Thompson's classic paper, "Reflections on Trusting Trust",
especially the moral.

Re: Security of OpenBSD

ropers
On 04/06/2019, Stuart Henderson <[hidden email]> wrote:
> Also see Ken Thompson's classic paper, "Reflections on Trusting Trust",
> especially the moral.

That moral brought back memories of The Hacker Crackdown by Bruce
Sterling, which is freely available online and which I'd happily
recommend to anyone remotely interested.
Sterling's non-fiction book recounts how what Thompson described as
"an explosive situation brewing" actually played out in practice.
That's history now, but it's recent history and still relevant, as
well as entertaining to read about:

https://en.wikipedia.org/wiki/The_Hacker_Crackdown#External_links

Re: Security of OpenBSD

lists-2
Mon, 3 Jun 2019 22:32:16 +0000 Josef Pospisil <[hidden email]>
> Hey, thank you all for this mailing list.
>
> I have a question regarding the security of OpenBSD.

See https://www.openbsd.org/security.html