Just released v0.6.0 of WireSep, a privilege separated implementation of WireGuard for OpenBSD.
* lots of small refinements and some code restructuring
* interface public key is no longer needed or allowed, only the private key
* improve DoS resistance in the proxy by looking up sessions in logarithmic time
* improvements to wiresep-keygen(1)
See the ChangeLog for additional details: https://github.com/timkuijsten/wiresep/blob/master/ChangeLog #vpn #openbsd #wireguard
I recall years back that The Register used to be a little critical of OpenBSD. Lately they've been giving credit to the project for being right. For example, yesterday's article on the new attacks:
"The OpenBSD community, for one, came to that conclusion last year when it disabled Hyper-Threading in OpenBSD 6.4."
I'm hereby announcing the first public alpha release of WireSep: a
privilege separated implementation of WireGuard for OpenBSD. I've
been using it for a couple of weeks now with the official WireGuard
for Android client and I didn't experience any major hiccups.
Feedback on the design and implementation is appreciated.
#OpenBSD's different mitigations complement each other: X86FixupGadgets reduces the amount of "unintentional" RETs in the instruction stream, RETGUARD protects function returns themselves.
trapsleds make it difficult for attackers to sloppily target remaining useful gadgets. Random order re-linking (libc/ld.so/libcrypto) at boot means attackers need unique ROP for each machine, each boot. And KARL for the kernel.
Coming at the problem from many different angles...
thanks @aral for opening my eyes on ads and surveillance capitalism. https://lobste.rs/s/ht9utz/by_summer_2019_firefox_browser_will_also#c_njpzij But I’m not sure if we can find a working business model in this capitalistic system that is not about selling the behavior of people. At least I haven’t found it yet ;)
Congrats, #OPNsense, on a major milestone release!
The first firewall distribution to be based on #HardenedBSD, making use of multiple robust exploit mitigations and security hardening techniques.
I look forward to OPNsense's immensely bright future!
@timkuijsten I love those kinds of comments. OK, let’s continue to ignore the elephant in the room that the person is talking about, but let me draw your attention to the hair on the toe of a dormouse that I would like to split.
AGPL is the CopyLeft license that matters for Google because it is what would force them to release their core technology as free software.
As for hypocrisy: oh yes, taking zero money from surveillance capitalists is hypocrisy. They can go fuck right off.
A minimalist window manager for X11 in 110 lines of C, did you say?
@brynet Hey Bryan, I'm implementing a daemon and I'm thinking of re-execing the parent (that can then load all secrets after it spawned all the children), but I'm curious why you've changed it for pflogd to re-exec the children instead of the parent: https://github.com/openbsd/src/commit/86ab39f347a8012d18607354315c7e469c2a9d61
@cynicalsecurity @brynet We've known that HT was a bucket of sewage since at least 2005. I interviewed Colin Percival then on caching problems with HT. Sadly, Onlamp has deleted that article (lesson: control your own platform).
Intel's response to that article was to try to get Yahoo to fire Colin. Yahoo backed FreeBSD, but CP didn't work there.
There's at least 13 years of bogosity catching up to Intel.
And hosting MeetBSD, while nice and all, won't make up for it.
See me in a Dutch documentary on precarious work (“the gig economy”) tomorrow on VPRO Tegenlicht. Airs at 21:05:
Running the first IPv6 Tor relay in the Top 10 of AS3265. Tnx @mischa for sponsoring the hardware and the rackspace! https://metrics.torproject.org/rs.html#search/as:AS3265
Very easy to reproduce the Zerodium Tor Browser 7.x NoScript bypass vulnerability https://gist.github.com/x0rz/8198e8e22b1f70fddb9c815c1232b795 #TorBrowser #vulnerability https://t.co/k1mUJZUo77