As I said in my first post "Now with this post I don't want to start
any wars. I know that nothing is bullet proof and so on but as a
wannabe OBSD user I'm "just" interested in if this compromise was
analysed and especially how the code has changed from then, what did
you do to make sure that this does not repeat"

Now why did I post the Wired story? Because when I read the archive I
was expecting that the penetration has been taken seriously and
analysed publicly in detail. But instead it was dismissed as a joke.
And it doesn't matter if it's from 2002, what's important to me is how
you deal with the problem. One can get a flawed picture that this is how
you deal with remote exploits. I was really looking forward to reading
your comments on how that and that developer did that and that error
in analyzing the situation and how the changes you made to the
exploited program changed other programs and such but instead ppl feel
endangered.

Ok, thanks for all the info. Flaming is starting, I have better things
to do.. like make X work on OBSD.

Bye

On Tue, Apr 15, 2008 at 12:42 PM, Richard Toohey
<[EMAIL PROTECTED]> wrote:
> What's your point?
>
>  Is OpenBSD perfect?  No.
>
>  Does it have flaws?  Yes.
>
>  Can it be broken?  Yes, and you've dug something out
>  from six years ago that may or may not prove that.  But the same can
>  be said of Linux, Windows, Mac OS, etc., etc.
>
>  Has every flaw/bug been discovered?  No.
>
>  Will there be more issues found?  Yes.
>
>  Does it tackle security pro-actively?  Yes.
>
>  Does it prefer security and openness and doing things correctly
>  over bells & whistles and best performance whatever the cost?  Yes -
>  security and correctness are priorities - but you could find that
>  out from http://www.openbsd.org/goals.html.  Does that mean that
>  it will be perfect?  No.
>
>  Are the developers/leaders perfect?  No.
>
>  Is OpenBSD the One True Secure High Performance Operating System
>  for every imaginable task?  No ... but then nor is anything else.
>
>  Is OpenBSD for you?  Only you can decide ... and even if it is, it
>  may not be the best tool for EVERY job.
>
>  HTH.
>
>
>
>  On 15/04/2008, at 10:28 PM, Jernej Makovsek wrote:
>
> > Reading the archive it seems to me that el8 was taken as a joke:
> >
> > List:       openbsd-misc
> > Subject:    Re: main openbsd server compromised ?
> > From:       e <eliab () spack ! org>
> > Date:       2002-08-15 17:11:01
> > [Download message RAW]
> >
> > no, el8 is not a serious zine, it's a joke, i'm sure reading a little
> > more of the zine would have made that obvious
> >
> > List:       openbsd-misc
> > Subject:    Re: main openbsd server compromised ?
> > From:       e <eliab () spack ! org>
> > Date:       2002-08-16 18:40:17
> > [Download message RAW]
> >
> > * dayioglu ([EMAIL PROTECTED]) wrote:
> >
> > > On Thu, 2002-08-15 at 20:11, e wrote:
> > >
> > > > no, el8 is not a serious zine, it's a joke, i'm sure reading a little
> > > > more of the zine would have made that obvious
> > > >
> > >
> > > > Not to cause a flame-war but the disclosed mail traffic of K2 seems
> > > very "normal". I did read the whole thing and to create so many
> > > "joke mails" is, err, at least unusual.
> > >
> > > Are you sure you read it all?
> > >
> >
> > quite sure, el8 has been known to do this same type of thing before.
> >
> >
> > And that's that. But
> > on http://www.wired.com/culture/lifestyle/news/2002/08/54400 I read
> > that "OpenBSD co-founder Theo de Raadt, cited as a top el8 target,
> > angrily refused to discuss the compromise (link
> > http://www.openssh.com/txt/trojan.adv)  in late July of a file server
> > maintained by the open-source, Unix-based operating-system project. On
> > Aug. 1, a dangerous Trojan horse program was discovered amid the code
> > for OpenBSD, which is used by thousands of organizations and renowned
> > for its security.".
> >
> > And:
> > "Christopher "Ambient Empire" Abad, a security expert with Qualys,
> > confirmed that excerpts of e-mails and other files stolen from his
> > directory on a server were published in el8's latest zine".
> >
> > So it appears to me that what el8 posted wasn't a joke. Did I miss
> > something again?
> >
> > With regards,
> > Jernej
> >
> > On Tue, Apr 15, 2008 at 1:59 AM, Ted Unangst <[EMAIL PROTECTED]> wrote:
> >
> > > On 4/14/08, Jernej Makovsek <[EMAIL PROTECTED]> wrote:
> > >
> > > > >  Now with this post I don't want to start any wars. I know that nothing
> > > > >  is bullet proof and so on but as a wannabe OBSD user I'm "just"
> > > > >  interested in if this compromise was analysed and especially how the
> > > > >  code has changed from then, what did you do to make sure that this
> > > > >  does not repeat. And if it was a third party app, why wasn't it
> > > > >  configured within a jail? Ok, I learned that sysjail was announced on
> > > > >  May 22 2006, but surely you have chroot capability. And sysjail is
> > > > >  connected with systrace... Well again, don't want to start any flame,
> > > >  just interested how your community responded and responds to issues
> > > >  like that.
> > > >
> > >
> > >  Sure, I'll just sum up 6 years of pretty continuous development for
> > >  you.  Unfortunately, it would take too long to read and I don't want
> > >  to waste any of your time, so I'll just summarize it as "lots of
> > >  changes".
