The totally-not-meme operating system OpenBSD :marseycarp3: is adding guided encrypted root to their installer. :marseyglow2: An Orange Site user asks if their security is any better than Linux :marseypenguin:

https://news.ycombinator.com/item?id=35067198

my take on the OpenBSD question

I personally like OpenBSD because it runs on a lot of obscure hardware. I posted that extremely weird Chinese MIPS laptop (yes, not x86 or ARM, Intel or AMD - see this thread https://rdrama.net/h/slackernews/post/137520/homegrown-chink-laptop-marseyjewoftheorientnot-intel-or) and OpenBSD supports it entirely, the last remaining OS to do so. However, most of the OS itself is pretty meh. The filesystem situation is godawful and performance is balls on top of a lack of hardware support. The upgrade path is weird for anything but a server you’ll keep an eye on every six months (never got the obsession with “OpenBSD routers”). And I really don’t find the security posture to be anything but posturing - https://isopenbsdsecu.re/ is biased and troll-y but the info is good.

the drama

Good question: Is OpenBSD more secure than a mainstream Linux distribution, notably Debian, in their default configurations?

The code is less, but there are fewer developers too. For example, basic support for disk encryption (an important security feature) has been added to the installer in 2023 in OpenBSD.

Perhaps people familiar with the software development process in both could chime in.

:ma#rseytroll:

Questioning OpenBSD’s security approach is bound to get bites.

Yes and No. Both modern Linux and OpenBSD have their pros and cons. For example, security works better in the onion layers, which can increase complexity. With Linux, you get a modern stack such as Linux containers or ZFS if you want those excellent filesystem features. Are you using containers for development and deploying apps? Using Linux would simplify the process (of course, you can set up a Linux VM under OpenBSD and run Docker). On the other hand, OpenBSD is a compact OS. Less code == fewer bugs (at least in theory). Some of their code, such as OpenSSH, is widely used by Linux, Windows, and major IT vendors in their devices. OpenBSD devs do write reliable code. In short, use whatever gets your work done quickly, which also keeps you or your devs/users happy. That is all that matters. Apart from that, it would be best if you took all other precautions to secure your OS, such as regularly applying patches, using firewalls, installing an adblocker, and not downloading unwanted stuff or clicking on links, regardless of whether it is Win11, macOS, Debian/Ubuntu Linux, or OpenBSD.

:marseylongpost#:

Dude uses a lot of words not to say much or answer the question.

OpenBSD's default configuration has basically nothing running. Once you actually set it up for a use case, it isn't much better (you'll likely be running software you would on Linux that wasn't audited) and might even be worse given it lacks a lot of security features Linux has (meaning you have less control over how to lock down things in the case of a hack).

:marseyhesrigh#t:

This is probably the biggest thing with openbsd that’s posturing -

Nothing besides the base system has security guarantees.

The second you install something with pkg_add you’re no longer running a “zero holes” system. Is it still cool the base system is designed with security in mind? Kind of. Is it really useful? Not particularly. Usually you have an OS to run other applications.

False. OpenBSD's daemons are patched, sandboxed and reviewed, and lots of software is compiled with secure CFLAGS and LDFLAGS, among some tweaks for browsers with pledge and unveil.

It's not false. No significant services are running by default, and for it to do anything useful you have to install and/or enable whatever services you want. Semantics doesn't change that.

Again the dude is right. There’s some security shit they add but it’s mostly security theatre imo.

Linux has a richer set of security features available than OpenBSD, in some areas.

One is the mandatory access control of SELinux, used extensively in Android (probably the most widely-used Linux distribution of them all). This has no OpenBSD equivalent, as far as I know.

Another is that the Linux kernel has some compiled-in exploit mitigations enabled that OpenBSD doesn't, such as automatic bounds checks on fixed-size array access (based on UBSan).

That's not true. There is pledge(2) and unveil(2) (just to start) and the whole point of them is to make it usable. Some Linux distros have a basic config for SELinux, but if you need to change it for anything, it's so difficult that most people just end up disabling it, thus making it less secure than a default OpenBSD install.

Besides this, it changes the perspective of who is the best person to configure the secure features. OpenBSD makes this a decision for the developer of the application, who should know better about it than a random sysadmin who most probably won't even open the source code to know better (this is the approach SELinux takes).
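
The developer-side confinement described in that comment (unveil(2) to fix which paths the process can see, then pledge(2) to drop every syscall class it no longer needs), as an added C example that is not from the thread or from the OpenBSD project. The directory paths are placeholders, and on systems other than OpenBSD the two calls are compiled out and the function reports the sandbox as unavailable.

```c
/* Added example: an application confining itself with unveil(2) + pledge(2).
 * Only OpenBSD has these calls; elsewhere confine() returns SANDBOX_UNAVAILABLE. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

enum { SANDBOX_FAILED = -1, SANDBOX_UNAVAILABLE = 0, SANDBOX_APPLIED = 1 };

/* Restrict the process to read-only access under cfgdir, read/write/create
 * under datadir, and only the "stdio rpath wpath cpath" syscall classes.
 * Order matters: unveil first, then a pledge that omits the "unveil"
 * promise, which freezes the filesystem view for the rest of the process. */
int confine(const char *cfgdir, const char *datadir)
{
#ifdef __OpenBSD__
    if (unveil(cfgdir, "r") == -1)
        return SANDBOX_FAILED;
    if (unveil(datadir, "rwc") == -1)
        return SANDBOX_FAILED;
    /* No "unveil" promise here, so no further unveil() calls are possible. */
    if (pledge("stdio rpath wpath cpath", NULL) == -1)
        return SANDBOX_FAILED;
    return SANDBOX_APPLIED;
#else
    (void)cfgdir;
    (void)datadir;
    return SANDBOX_UNAVAILABLE;   /* pledge/unveil exist only on OpenBSD */
#endif
}

/* Probe a path. After unveil, anything outside the unveiled set fails with
 * ENOENT (it is invisible, not "permission denied"), which is what a caller
 * should expect when checking that the confinement took effect.
 * Returns 1 if visible, 0 if ENOENT, -1 on any other error. */
int path_visible(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return errno == ENOENT ? 0 : -1;
    close(fd);
    return 1;
}

int main(void)
{
    /* Placeholder directories; a real program would use its own paths. */
    int rc = confine("/etc/myapp", "/var/myapp");
    printf("confine: %d\n", rc);
    /* On OpenBSD this prints 0 after confine(); elsewhere the file stays visible. */
    printf("/etc/passwd visible: %d\n", path_visible("/etc/passwd"));
    return rc == SANDBOX_FAILED;
}
```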

pledge and unveil are not even close to being full alternatives to something like SELinux.

It’s pretty common in the *BSD space to come up with a couple good ideas and then beat them to death as though Linux doesn’t have a similar method or an older one that was invented first. :marseyeyeroll:

Your comment is clearly sarcastic in tone, yet since the words are mostly truthful, I'll take your apology, and hope you actually learned something from this encounter, although it seems unlikely.

Best of luck to you.

:marseyxd#:

New snappy quote? I saw this down thread and it’s very funny.

There’s plenty more seethe in the thread, including someone saying the OpenBSD community is very mean (they are).

@chiobu

Are you able to make a marsey of the openbsd mascot “puffy”

I can send 1k DC.

![](https://i.rdrama.net/images/16783070796972902.webp)

I don't think I can ahhahahah it looks r-slurred

![](https://i.rdrama.net/images/16783089656414464.webp)

:marseya#dmire:

It’s beautiful!

I'll try again when I'm less :marseydrunk:

nooo that is amazing as it is

lmao pooner lips

![](https://i.rdrama.net/images/16783093604309204.webp)

I am equal parts delighted and horrified that "pooner" has made it out of /tttt/ (formerly /lgbt/).

:#marseysphericalcow:

Do you pop it with cow cowtools?

 ____________________________________
/ Factcheck: You really believe that \
\ shit? Lmao dumbass neighbor 🤣   /
 ------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

I'll chip in 4k DC

:marseykingcrown#:

It's hard to gift @chiobu need this link or you will get :#parrotultrafast:

https://rdrama.net/@chiobu?nocss=a

>securityschizoing when there's backdoors on RING -3 if you're using common consumer electronics

Hang yourself

:#marseyropeyourself2:

>he doesn’t use libreboot

:marseywave: I do and I also run ubports on my Pixel 3a - sadly no LUKS comedy supported unlike sailfish but sailfish is still butt atm, wbu?

:gigachad2#:

I have a beater x200 I’ll run libreboot on. Talk about a dramatic project, huh? :marseytrans2#:

Darn ubports on the daily is impressive. I’ve run it on the og Pinephone but can’t say it’s amazing. That thing is a potato though.

My actual daily tech is Glowie-friendly. I use a Ryzen rig with Fedora, iPad M1, and iPhone 14PM.

> Darn ubports on the daily is impressive.

Come to fosdem - there's a bunch of people sporting ubports as their daily driver all the time.

Pixel 3a with UBPorts is easily run as a daily driver, with its only bug currently being that GPS is fricking slow as shit (it doesn't cheat with positional approximation based on IP).

I still have a secondary set of tech to use in front of normies - which is a ryzen/radeon (DONT BUY RADEON HOLY FRICK ANYTHING POST NAVI SUCKS) setup running void, a samsung flip-phone and a samsung gear watch.

> FOSSDEM

Hopefully some day I’ll go to a tech conference but I literally just got a real job. Flights to Europe ain’t exactly cheap either.

> UBports

That’s pretty nuts. Glad the pixel hw works for a lot of people.

> Radeon

Isn’t that the fricking truth. I’m running 6.1 and my 6600 won’t drive 2x4k displays without constant lag spikes. I had an intel nuc with an iGPU that had no issues with it.

> Void

I really ought to fire up that in a VM, my meme distro of choice was always Guix but I understand that’s even crazier.

> Isn’t that the fricking truth. I’m running 6.1 and my 6600 won’t drive 2x4k displays without constant lag spikes. I had an intel nuc with an iGPU that had no issues with it.

I reported the dpc latency multi-monitor issue to them over a year ago. They haven't really done shit about it still.

But also, this issue only occurs on windows so you deserve it.

naw this is linux 6.1

I'm on 6.2 and it's fine, so I assume it's been fixed on linux.

> Isn’t that the fricking truth. I’m running 6.1 and my 6600 won’t drive 2x4k displays without constant lag spikes.

ROCm made me want to kill myself more than getting unpatched on-prem Exchange servers that are also running ESXi 6.0 (also without patches), a domain-wide AV that is configured specifically to configure frick-all, open RDP ports on NAT "for easier troubleshooting" and a PHP mess without any documentation for the CRM.

Also didn't I mention that the ticketing system was ConnectWise, which had NO DOCUMENTATION WHATSOEVER and is held together by c*m and prayers?

> just got a real job

How are the first impressions (if it's a cybsec/IT related position)?

Heck yeah dude. I love WFH and it’s easy. Glad to be doing IT work and no more wagie retail.

Our infra is a similar hellscape. I’ll spare the deets but we’re reliant on software from 04 that a one off company makes and doesn’t even want to give us licenses anymore lol. Along with all of our OSes being beyond EOL. Pretty funny I’m kind of clueless about the RHEL install because it’s from the same era I was in middle school. I’ve never used classic init in daily - always systemd or upstart at worst.

Ain’t really my place though, I’m there to keep a lot of the users off the sysadmin's back.

complaining about ring -3 shit is cope by people who are too lazy to install Linux or even stop using Google Chrome

![](https://i.rdrama.net/images/16783318598146007.webp)

:#directlypointingsoyjak:

MIIIIIIIIPS

It’s all about RISC-V in 2023

I hope but sals law applies

:marseysal:

Shit is shipping.

(((permissive licensing))) took the dub

:#marseysunglassesoff:

meme arch without SIMD.

'kay boomer.

More like SMD

:marseysmug#:

SELinux/MAC is a meme of security that basically is a patch around using insecure software that doesn't do the needful.

Essentially as every modern operating system that runs on consumer hardware is multi-user and file based rather than object capability based there will never be anything close to a "secure" system. You need an object capability system to avoid situations where ambient authority is the main security risk.

Object capability spergs are pretty cool.

I think the most I was exposed to it was https://spritelyproject.org/ of which one part is applying capabilities to the fediverse.

I don’t fully understand it but it does sound cool :marseyantiwork:

The more pertinent and practical way to handle security is just to use simple daemons with well audited codebases as much as possible. That is basically the argument of OpenBSD, whereas the Linux argument is burying insecure software under layers of security.

This isn't a good argument imo, since you can have the best software in the world but still all it takes is one exploit and you get pwned. That isn't to say audited codebases are useless, for high security applications it should be done as much as possible. But even though it's a lot less "pure", the linux approach is better because it's progressively less likely the attacker will be able to chain together exploits to escape layers of isolation the more such layers there are. Qubes is even better since it stacks requiring the attacker to have a VM escape handy on top of other security measures. OpenBSD security is meme tier in comparison.

And ultimately you can bury all of that under that but all it takes is flaws in the hardware like meltdown to cause serious damage to applications.

I'm not arguing that openBSD is the best at security because I don't actually use it. I'm not system administrating outside of my work. I am saying that the Linux approach is not going to work because attempting to bury insecure problems is stupid. You might see it as good security practices but I just see it as adding multiple points of failure. It's like doing an evaluation on a building and seeing that one of the major support structures is cracked. Rather than replace it or rebuild the structure you just stack bandaid fixes until you think that it's not going to fail because it can't possibly rip off 100 fixes at once. I'm sorry to tell you but in basically any other industry that's not acceptable practice.

It's not adding multiple points of failure; the entire point is that the attacker must chain together an exploit for EACH layer of security they are subjected to. On a Qubes OS system that might entail something like pdf reader exploit -> AppArmor escape -> Xen hypervisor escape -> ssh keys stolen. Having all three of those work against the target seems quite unlikely! But on OpenBSD, once they exploit the pdf reader ~/.ssh is theirs for the taking. It's just never going to be as secure.

And for the record, I don't think this is the best approach. I think there should be a bigger effort towards formal verification of normal software (no, rust doesn't count) so that it can be made impossible to pwn the pdf reader in the first place. But we live in a time period where almost all software is insecure so the only way forward is multiple layers of defense.

But like…there’s only a couple daemons.

There’s not even a db in base.

Yeah, I'm not even arguing that either :) I'm arguing that rather than say, doing a LAMP stack with a standard config, the OpenBSD way is to go through and customize everything and also to skip kitchen sink applications like Apache or MySQL.

Rolling your own SQL server as a backend to openbsd httpd would be more secure than a LAMP stack on, say, RHEL you think?

Or just using SQLite which has no network awareness with a dedicated _sqlite user :)

Or you know, just disabling network capability and running with least privilege on any of the rdbms systems

I do like the popularity of SQLite increasing but I’m not sure it’s a great fit for a lot of applications.

Granted OpenBSD isn’t known for its performance either.

For sure. I mostly do SQL server at job because Indians and Windows go together like lamb and Rogan Josh.

My lab has to use OpenBSD for the entry point to our network. It's literally just a box with public keys inside. We may as well run a Raspberry Pi for all the work this thing does.

But it's officially secure enough for government work :marseyboomer:

So my biggest things with OpenBSD as a router or appliance is the filesystem is too dogshit to survive a cable pull (it literally has no journaling) and the release schedule gives you one year of support.

Our filesystem is quite literally just ssh keys and the routing information

It's a great OS if you don't use it in any way for anything :marseyboomer:

I like PF, it's a good firewall.

I like pfSense, devs are very dramatic.

Why can't people just learn how to use SELinux?

where my BeOS neighbors at?