It always make me sad when I hear BSDs are underfunded, OpenBSD was about to "turn off the lights", FreeBSD was in sersious problems before they got 1M$ donation from WhatsApp. Heartbleed bug in OpenSSL? They also didn't have enough (full time) developers to even review the code. Now grsecurity makes me feel bad about it.
Everyone uses their software, firewalls, servers, email serves, openssl is everywhere, corporate/bank cluster without BSD or Linux with grsecurity is unimaginable.
I recently started donating to opensource project I use everyday. I realised how little they ask for, F-Droid, I easily doubled their BTC found used to cover server maintenance, LibreOffice asks for 3EURO donation by default (also BTC)! OpenBSDFundation asks for 10$ per month.
Edit: I also found a nice way how to donate to Tor, there is a site https://oniontip.com/ where you can donate others for running Tor nodes, one of two top 200nodes has WikiLeaks BTC address, another one goes to my wallet and I send it back to TorProject. I had enough free resources, I used them :)
> Most of us can afford to pay it too. That's the real tragedy.
I think the hardest part for me is: I use soooooo much open-source software, that I can't contribute to all of them. Don't get me wrong, I should contribute more than I do, and I'm not excusing myself, but it's a legitimate problem. I'm sure people smarter than me have debated models for this, but I still don't think we have a good answer.
Please, please donate to the library developers. Scan the dependencies for some of your favourite packages and see if there's anything common to a few that might not be obvious. SDL backs so many things, for example, but rarely gets called out.
Grsecurity's approach is superior to OpenBSD's, but both are acceptable.
FreeBSD is actually behind Linux - it lacks an effective access control framework and did not have ASLR until the latest release. At least they're working on it (TrustedBSD, Capsicum).
He's actually talking about the SELinux/"RBAC in general" approach. His only criticism of Grsecurity is that it's not in the mainline and therefore not as effective as it could be.
FreeBSD supports Mandatory Access Control, implemented as part of the TrustedBSD project. It was introduced in FreeBSD 5.0. Since FreeBSD 7.2, MAC support is enabled by default. The framework is extensible; various MAC modules implement policies such as Biba and Multi-Level Security.
and how much of the system is protected by trusted bsd by default: none of it
how many people ever bother to write and deploy a trustedbsd policy: (to first order approximation) nobody
Defaults matter, a feature matrix checkbox is simply deceptive because the fact something isn't on (and configured) by default often means its an insane amount to work to try to enable it and/or thing are unfixably broken when you do (from a user point of view)
unfortunately both these things are true of trustedBSD
The TrustedBSD features are used by appliance vendors who base their product on FreeBSD. Applicances have very narrow profiles of acceptable use and thus it's actually sane to develop policies for them.
That's true. It goes back further than TrustedBSD: Secure Computing Corporation invented Type Enforcement, put it in a high assurance system (LOCK), put it into a BSD-OS for a firewall (Sidewinder firewall), and helped create Flask architecture for integration of type enforcement into vanilla OS's. Flask was ported to Linux in SELinux project. That got enough acceptance that TrustedBSD project was started to do same for FreeBSD. So, full circle back the the OS the tech was first fielded on.
Nonetheless, the old stuff (esp LOCK & LOCK/ix) are still stronger in security architecture and design despite all these years. Good design is timeless I guess. :)
Note: Cambridge's CHERI project and CheriBSD are the cutting-edge for FreeBSD security as they do capability-security from hardware up with FreeBSD already ported. Also supports Capsicum, Flask, and separation kernels if one wanted. True integration of each major branch of INFOSEC. :)
Sounds like a demand problem rather than a FreeBSD problem. I've heard the same about SELinux etc with them overly permissive by default due to user apathy. I'd say Linux is ahead of usability of these controls, even supported by vendors like Tresys. It's also ahead in terms of risky code/tools a major distribution will support vs a major BSD. So, comparisons are a moving target.
Fortunately, the best security approaches (HW-centric) are portable to both w/ FreeBSD getting most prototypes. You can already run capability-secure FreeBSD via Cambridge CHERI project. Criswell's people are doing lots of stuff with FreeBSD and maybe Linux:
That doesn't even include software-related techniques like microkernels, low TCB software, safe low-level languages, and automatic compiler transformations for security that neither are adopting. They're both low-medium assurance by my standards due to cultural refusal to apply what's proven to work. So, I already have predictions about tech-transfer of papers above to Linux/FreeBSD use at large. You can probably guess how optimistic I am. ;)
Sorry if I provided incorrect information, I didn't confirm all of it before posting, just wrote what I read on other sites.I saw they made a huge progress porting C# compiler and VM to BSD, it bodes them well :)
Everyone uses their software, firewalls, servers, email serves, openssl is everywhere, corporate/bank cluster without BSD or Linux with grsecurity is unimaginable.
I recently started donating to opensource project I use everyday. I realised how little they ask for, F-Droid, I easily doubled their BTC found used to cover server maintenance, LibreOffice asks for 3EURO donation by default (also BTC)! OpenBSDFundation asks for 10$ per month.
https://grsecurity.net/contribute.php
Edit: I also found a nice way how to donate to Tor, there is a site https://oniontip.com/ where you can donate others for running Tor nodes, one of two top 200nodes has WikiLeaks BTC address, another one goes to my wallet and I send it back to TorProject. I had enough free resources, I used them :)