Hacker News new | past | comments | ask | show | jobs | submit login

It always make me sad when I hear BSDs are underfunded, OpenBSD was about to "turn off the lights", FreeBSD was in sersious problems before they got 1M$ donation from WhatsApp. Heartbleed bug in OpenSSL? They also didn't have enough (full time) developers to even review the code. Now grsecurity makes me feel bad about it.

Everyone uses their software, firewalls, servers, email serves, openssl is everywhere, corporate/bank cluster without BSD or Linux with grsecurity is unimaginable.

I recently started donating to opensource project I use everyday. I realised how little they ask for, F-Droid, I easily doubled their BTC found used to cover server maintenance, LibreOffice asks for 3EURO donation by default (also BTC)! OpenBSDFundation asks for 10$ per month.

https://grsecurity.net/contribute.php

Edit: I also found a nice way how to donate to Tor, there is a site https://oniontip.com/ where you can donate others for running Tor nodes, one of two top 200nodes has WikiLeaks BTC address, another one goes to my wallet and I send it back to TorProject. I had enough free resources, I used them :)




Most of us can afford to pay it too. That's the real tragedy.

All of us should consider doing something similar, allocate a couple $ a month and give it to people who make our lives/jobs easier or better.


> Most of us can afford to pay it too. That's the real tragedy.

I think the hardest part for me is: I use soooooo much open-source software, that I can't contribute to all of them. Don't get me wrong, I should contribute more than I do, and I'm not excusing myself, but it's a legitimate problem. I'm sure people smarter than me have debated models for this, but I still don't think we have a good answer.


Please, please donate to the library developers. Scan the dependencies for some of your favourite packages and see if there's anything common to a few that might not be obvious. SDL backs so many things, for example, but rarely gets called out.


Grsecurity's approach is superior to OpenBSD's, but both are acceptable.

FreeBSD is actually behind Linux - it lacks an effective access control framework and did not have ASLR until the latest release. At least they're working on it (TrustedBSD, Capsicum).


Some interesting insights on Grsecurity's approach by OpenBSD's Nick Holland in the comments section:

https://www.digitalocean.com/community/tutorials/an-introduc...


Link directly to the comment:

https://www.digitalocean.com/community/tutorials/an-introduc...

And here is the referenced email with a bit of context:

http://osdir.com/ml/general/2014-02/msg44493.html


He's actually talking about the SELinux/"RBAC in general" approach. His only criticism of Grsecurity is that it's not in the mainline and therefore not as effective as it could be.


Substitute "Untrusted user" for "possibly buggy server code" and you will see why Grsecurity's approach can have value in single-user systems.


FreeBSD supports Mandatory Access Control, implemented as part of the TrustedBSD project. It was introduced in FreeBSD 5.0. Since FreeBSD 7.2, MAC support is enabled by default. The framework is extensible; various MAC modules implement policies such as Biba and Multi-Level Security.


and how much of the system is protected by trusted bsd by default: none of it

how many people ever bother to write and deploy a trustedbsd policy: (to first order approximation) nobody

Defaults matter, a feature matrix checkbox is simply deceptive because the fact something isn't on (and configured) by default often means its an insane amount to work to try to enable it and/or thing are unfixably broken when you do (from a user point of view)

unfortunately both these things are true of trustedBSD


The TrustedBSD features are used by appliance vendors who base their product on FreeBSD. Applicances have very narrow profiles of acceptable use and thus it's actually sane to develop policies for them.


That's true. It goes back further than TrustedBSD: Secure Computing Corporation invented Type Enforcement, put it in a high assurance system (LOCK), put it into a BSD-OS for a firewall (Sidewinder firewall), and helped create Flask architecture for integration of type enforcement into vanilla OS's. Flask was ported to Linux in SELinux project. That got enough acceptance that TrustedBSD project was started to do same for FreeBSD. So, full circle back the the OS the tech was first fielded on.

LOCK System http://www.cyberdefenseagency.com/publications/LOCK-An_Histo...

Sidewinder firewall http://www.ittoday.info/AIMS/DSM/83-10-35.pdf

Flask project/architecture https://www.cs.utah.edu/flux/fluke/html/flask.html

Nonetheless, the old stuff (esp LOCK & LOCK/ix) are still stronger in security architecture and design despite all these years. Good design is timeless I guess. :)

Note: Cambridge's CHERI project and CheriBSD are the cutting-edge for FreeBSD security as they do capability-security from hardware up with FreeBSD already ported. Also supports Capsicum, Flask, and separation kernels if one wanted. True integration of each major branch of INFOSEC. :)

https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/


Sounds like a demand problem rather than a FreeBSD problem. I've heard the same about SELinux etc with them overly permissive by default due to user apathy. I'd say Linux is ahead of usability of these controls, even supported by vendors like Tresys. It's also ahead in terms of risky code/tools a major distribution will support vs a major BSD. So, comparisons are a moving target.

Fortunately, the best security approaches (HW-centric) are portable to both w/ FreeBSD getting most prototypes. You can already run capability-secure FreeBSD via Cambridge CHERI project. Criswell's people are doing lots of stuff with FreeBSD and maybe Linux:

https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/

http://sva.cs.illinois.edu/pubs.html

Examples for Linux include these:

http://scholar.lib.vt.edu/theses/available/etd-10112006-2048...

https://web.archive.org/web/20120509155852/http://archives.e...

https://docs.google.com/file/d/0B1i_Zf52vJctMTA4YTI1MmUtNzdj...

That doesn't even include software-related techniques like microkernels, low TCB software, safe low-level languages, and automatic compiler transformations for security that neither are adopting. They're both low-medium assurance by my standards due to cultural refusal to apply what's proven to work. So, I already have predictions about tech-transfer of papers above to Linux/FreeBSD use at large. You can probably guess how optimistic I am. ;)


MinGW-w64 also lacks ASLR and DEP. As a result most FOSS Windows packages lack them as well:

https://sourceware.org/bugzilla/show_bug.cgi?id=19011


FreeBSD did not have serious problems, they were doing reasonably well. Clearly they can do more now but that is definitely not true.


Sorry if I provided incorrect information, I didn't confirm all of it before posting, just wrote what I read on other sites.I saw they made a huge progress porting C# compiler and VM to BSD, it bodes them well :)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: