Wow! wow! wow! never had such a painless and fast upgrade of an operating system. sysupgrade(8) FTW! #openbsd
WireSep v0.7.0 is here! Quite some work went into it. Some highlights:
* completely reimplement session management to improve reliability and conformance to the specification
* only malloc after a new session is authenticated and established
* support queuing of multiple packets
* log interface statistics on receiving a USR1 signal
* be silent on startup
* lots of refinements
* raise status from alpha to beta
Nice presentation about virtual machines on OpenBSD by @mischa: https://2019.eurobsdcon.org/slides/The%20OpenBSD%20hypervisor%20in%20the%20wild,%20a%20short%20story%20-%20Mischa%20Peters.pdf
@kurtm Hi Kurt, you have any experience with Kerberos? I'm researching it a bit and I'm curious if there have been any audits on any Kerberos codebases? I'm also curious if you know of organizations that have a KDC that is publicly accessible over the Internet?
"Stefan Sperling - Game of Trees" https://openbsd.org/papers/eurobsdcon2019-gameoftrees.pdf
Just released v0.6.0 of WireSep, a privilege separated implementation of WireGuard for OpenBSD.
* lots of small refinements and some code restructuring
* interface public key is no longer needed or allowed, only the private key
* improve DoS resistance in the proxy by looking up sessions in logarithmic time
* improvements to wiresep-keygen(1)
See the ChangeLog for additional details: https://github.com/timkuijsten/wiresep/blob/master/ChangeLog #vpn #openbsd #wireguard
I recall years back that The Register used to be a little critical of OpenBSD. Lately they've been giving credit to the project for being right. For example, yesterday's article on the new attacks:
"The OpenBSD community, for one, came to that conclusion last year when it disabled Hyper-Threading in OpenBSD 6.4."
I'm hereby announcing the first public alpha release of WireSep: a
privilege separated implementation of WireGuard for OpenBSD. I've
been using it for a couple of weeks now with the official WireGuard
for Android client and I didn't experience any major hiccups.
Feedback on the design and implementation is appreciated.
#OpenBSD's different mitigations complement each other, X86FixupGadgets reduces the amount of "unintentional" RETs in the instruction stream, RETGUARD protects function returns themselves.
trapsleds make it difficult for attackers to sloppily target remaining useful gadgets. Random order re-linking (libc/ld.so/libcrypto) at boot means attackers need unique ROP for each machine, each boot. And KARL for the kernel.
Coming at the problem from many different angles..
thanks @aral for opening my eyes on ads and surveillance capitalism. https://lobste.rs/s/ht9utz/by_summer_2019_firefox_browser_will_also#c_njpzij But I’m not sure if we can find a working business model in this capitalistic system that is not about selling the behavior of people. At least I haven’t found it yet ;)
Congrats, #OPNsense, on a major milestone release!
The first firewall distribution to be based on #HardenedBSD, making use of multiple robust exploit mitigations and security hardening techniques.
I look forward to OPNsense's immensely bright future!
@timkuijsten I love those kinds of comments. OK, let’s continue to ignore the elephant in the room that the person is talking about but let me draw your attention to the hair on the toe of a door-mouse that I would like to split.
AGPL is the CopyLeft license that matters for Google because it is what would force them to release their core technology as free software.
As for hypocrisy: oh yes, taking zero money from surveillance capitalists is hypocrisy. They can go fuck right off.