I recall years back that The Register used to be a little critical of OpenBSD. Lately they've been giving credit to the project for being right. For example, yesterday's article on the new attacks:

theregister.co.uk/2019/05/14/i

"The OpenBSD community, for one, came to that conclusion last year when it disabled Hyper-Threading in OpenBSD 6.4."

I'm hereby announcing the first public alpha release of WireSep: a
privilege separated implementation of WireGuard for OpenBSD. I've
been using it for a couple of weeks now with the official WireGuard
for Android client and I didn't experience any major hiccups.
Feedback on the design and implementation is appreciated.
github.com/timkuijsten/wiresep

modern programming is less about not reinventing the wheel and more about using a sports car to move firewood across the yard

Happy to read smtps port 465, nowadays "submissions", is the recommended port for mail submission again. Always felt "first require encryption" -> "then do application level stuff" was superior to "start application level stuff" -> "then you may start using encryption" (submission 587). RFC8314 👍

Too bad even Apple themselves are not using RFC 6186 anymore :( "Use of SRV Records for Locating Email Submission/Access Services"

#OpenBSD's different mitigations complement each other, X86FixupGadgets reduces the amount of "unintentional" RETs in the instruction stream, RETGUARD protects function returns themselves.

trapsleds make it difficult for attackers to sloppily target remaining useful gadgets. Random order re-linking (libc/ld.so/libcrypto) at boot means attackers need unique ROP for each machine, each boot. And KARL for the kernel.

Coming at the problem from many different angles..

thanks @aral for opening my eyes on ads and surveillance capitalism. lobste.rs/s/ht9utz/by_summer_2 But I’m not sure if we can find a working business model in this capitalistic system that is not about selling the behavior of people. At least I haven’t found it yet ;)

Congrats, #OPNsense, on a major milestone release!

The first firewall distribution to be based on #HardenedBSD, making use of multiple robust exploit mitigations and security hardening techniques.

I look forward to OPNsense's immensely bright future!

#FreeBSD #infosec #networking

forum.opnsense.org/index.php?t

Yayy!! my WireGuard implementation just shook hands with someone else's implementation in Singapore 😀

@timkuijsten I love those kinds of comments. OK, let’s continue to ignore the elephant in the room that the person is talking about but let me draw your attention to the hair on the toe of a dormouse that I would like to split.

AGPL is the CopyLeft license that matters for Google because it is what would force them to release their core technology as free software.

As for hypocrisy: oh yes, taking zero money from surveillance capitalists is hypocrisy. They can go fuck right off.

@brynet Hey Bryan, I'm implementing a daemon and I'm thinking of re-execing the parent (that can then load all secrets after it spawned all the children) but I'm curious why you've changed it for pflogd to re-exec the children instead of the parent: github.com/openbsd/src/commit/

@cynicalsecurity @brynet We've known that HT was a bucket of sewage since at least 2005. I interviewed Colin Percival then on caching problems with HT. Sadly, Onlamp has deleted that article (lesson: control your own platform).

Intel's response to that article was to try to get Yahoo to fire Colin. Yahoo backed FreeBSD, but CP didn't work there.

There's at least 13 years of bogosity catching up to Intel.

And hosting MeetBSD, while nice and all, won't make up for it.

Running the first IPv6 Tor relay in the Top 10 of AS3265. Tnx @mischa for sponsoring the hardware and the rackspace! metrics.torproject.org/rs.html
