“As someone with extensive experience and nuance in the #FreeBSD community, I will just say that #OPNsense and closely affiliated #HardenedBSD are basically unintentionally hilarious clown projects” 🤔
https://news.ycombinator.com/item?id=17431242
Man, Hacker News holds nothing back. But that’s a bold claim and I’d like to see more evidence than a couple of anecdotes.
Also, I don’t want to stoke any bad feelings, so hopefully there’s only constructive criticism, not name calling or personal strife.
@kurtm @cypnk It's interesting that only those who don't write exploits think exploit mitigations are dead.
I've yet to see a full ASLR defeat for what ASLR was intended for: remote attacks.
Sure, ASLR isn't perfect. Information leak vulnerabilities can break it. But that means you now need multiple vulnerabilities to target a single one.
Thanks to ASLR, the landscape of exploit authorship has changed forever.
@kurtm @cypnk Take a look at this commentary from me yesterday: https://bsd.network/@lattera/100300567645347988
Essentially, security is about driving up the economic cost for a successful attack. By combining multiple exploit mitigations, we do just that.
Those who oppose the work #HardenedBSD is doing focus solely on ASLR, willfully ignoring all the other exploit mitigations we're layering on for a holistic, defense-in-depth strategy.
Bottom line: HBSD drives up the cost of a successful attack.
@kurtm @cypnk Their focus on ASLR is misguided, too. They want to argue that those who implement ASLR claim ASLR is the end-all-be-all of exploit mitigations. They want to claim that we believe ASLR applies to every situation. It doesn't.
For example, ASLR was not meant to protect against browsers introducing local code execution from remote entities (JavaScript being downloaded and executed). To say ASLR is dead because of timing attacks in the browser is foolish.
@lattera I somewhat suspect some of the folks who attack you are those who have helped keep those mitigations out of FreeBSD for so long.
@kurtm I can say unequivocally that they are.
@lattera I'm just reminded of the folks at Theo's BOF who were "but we need to discuss the performance impacts of fixing this".
But putting locks on my car doors makes it slightly less aerodynamic!
@kurtm Your car has windows that are easy to break. Your locks are useless! ;P
@cypnk The person who said that called ASLR obsolete. As in no reason to implement it.
There is some serious hate for OPNsense and HardenedBSD. To an irrational degree. Sock puppets, anonymous websites, etc. The tone the commenter takes is similar to past attacks.
I'm an OpenBSD person; I don't use any of the OSes in question. I'm just sharing what I have seen in the past several years.