Kuro5hin.org: technology and culture, from the trenches
YABSD (Yet Another BSD: SecureBSD)

By afabbro in News
Mon Jun 19, 2000 at 01:21:09 PM EST
Tags: Software (all tags)

Yet another BSD is being offered...SecureBSD. There isn't a whole lot of detail on the site, though you can get a preview tarball. Their sole improvement is interesting: use MDA in the kernel to verify checksums of binaries. If the checksum doesn't match, the binary doesn't run. I wish this would get rolled into OpenBSD, but at the moment it looks like it's built for FreeBSD only. They do have the sexiest OS mascot ever, though!

YABSD (Yet Another BSD: SecureBSD) | 34 comments (34 topical, 0 editorial, 0 hidden)
Cute mascot :)... (none / 0) (#19)
by fengor on Mon Jun 19, 2000 at 03:42:15 AM EST

fengor voted 0 on this story.

Cute mascot :)
hackers do it with bugs.

Is it just me or was this posted "o... (none / 0) (#13)
by eries on Mon Jun 19, 2000 at 03:54:27 AM EST

eries voted 0 on this story.

Is it just me or was this posted "over there" ages ago? Maybe I need to join the MLP club (first rule of MLP club: you don't talk about MLP club!)
Promoting open-source OO code reuse on the web: the Enzyme open-source project

posted on /. a few months ago - ess... (none / 0) (#18)
by martin on Mon Jun 19, 2000 at 04:48:39 AM EST

martin voted -1 on this story.

posted on /. a few months ago - essentially provides extra security services to FreeBSD.

Let's hope Linux resists fragmentat... (none / 0) (#22)
by Bart Meerdink on Mon Jun 19, 2000 at 05:21:04 AM EST

Bart Meerdink voted 0 on this story.

Let's hope Linux resists fragmentation better than *BSD. Maybe fragmentation prevention and recovery is itself a more interesting subject for discussion. I rather like the FreeBSD demon mascot, though.

Re: Let's hope Linux resists fragmentat... (none / 0) (#29)
by Anonymous Hero on Tue Jun 20, 2000 at 09:26:52 AM EST

Let's hope Linux resists fragmentation better than *BSD. Maybe fragmentation prevention and recovery is itself a more interesting subject for discussion.

Comparing the Linux kernel with fragmentation in the *BSD market is pure FUD. A better comparison is between Linux distributions and *BSD. Why? Because Linux is just a kernel. The BSD's include userland programs like sendmail and apache. And when you look at Linux distributions vs. BSD's, the BSD's win hands down on the fragmentation front. How many Linux distros are there? And how many different sets of rc files are there? The BSD's have different goals in mind, but they all interoperate very easily. Linux distros on the other hand, well, it's a crap shoot. Which kernel do you have? Which version(s) of (g)libc do you have?

[ Parent ]

This is not an OS, this is a kernel... (3.00 / 1) (#14)
by rafael on Mon Jun 19, 2000 at 05:32:04 AM EST

rafael voted 0 on this story.

This is not an OS, this is a kernel patch for FreeBSD. Is it necessary to pretend starting a fork by employing a *BSD name?

While its an interesting idea, I'd ... (none / 0) (#20)
by wozz on Mon Jun 19, 2000 at 06:32:53 AM EST

wozz voted 1 on this story.

While it's an interesting idea, I'd be interested to see how they protect the hash database from malicious corruption. I've been meaning to get a FreeBSD box set up to test this since I heard about it, but haven't gotten around to it yet. Anyone got this up and running?
OpenBSD - A Better Solution

... (2.00 / 2) (#11)
by pretzelgod on Mon Jun 19, 2000 at 06:46:12 AM EST

pretzelgod voted -1 on this story.

Old news. This was discussed at OpenBSD Journal last month, when this was actually released. The consensus (which I agree with) was that this isn't terribly useful. To quote one post, "OpenBSD's code wasn't audited just for fun."


-- 
Ever heard of the School of the Americas?


Old news... Not enough write up...... (none / 0) (#5)
by kraant on Mon Jun 19, 2000 at 06:52:09 AM EST

kraant voted -1 on this story.

Old news... Not enough write up...
--
"kraant, open source guru" -- tumeric
Never In Our Names...

Well, it's news, ain't it?... (none / 0) (#8)
by knarf on Mon Jun 19, 2000 at 06:56:01 AM EST

knarf voted 1 on this story.

Well, it's news, ain't it?

advert.... (none / 0) (#9)
by pwhysall on Mon Jun 19, 2000 at 07:23:10 AM EST

pwhysall voted -1 on this story.

advert.
--
Peter
K5 Editors
I'm going to wager that the story keeps getting dumped because it is a steaming pile of badly formatted fool-meme.
CheeseBurgerBrown

Fix the link to the sexy mascot...... (none / 0) (#1)
by joeyo on Mon Jun 19, 2000 at 08:26:53 AM EST

joeyo voted 0 on this story.

Fix the link to the sexy mascot...

--
"Give me enough variables to work with, and I can probably do away with the notion of human free will." -- demi

A very interesting approach to secu... (4.50 / 2) (#6)
by Anonymous 242 on Mon Jun 19, 2000 at 08:31:05 AM EST

lee_malatesta voted -1 on this story.

A very interesting approach to security, but also a proprietary product. SecureBSD is apparently free beer for now, and free beer that can't be used in time sharing, ASP, or app rental systems at that. I would like to see the idea perhaps written up as an article or a white paper around the idea of incorporating checksums into an OS kernel.

The author of the logo has a great ... (2.50 / 2) (#2)
by davidu on Mon Jun 19, 2000 at 09:07:55 AM EST

davidu voted 1 on this story.

The author of the logo has a great site at Misery.Subnet.At

To be honest. I am much more of a ... (none / 0) (#10)
by Neuromancer on Mon Jun 19, 2000 at 10:02:09 AM EST

Neuromancer voted 1 on this story.

To be honest. I am much more of a Unix guy myself. Few people realize that BSD's are REAL UNIX. I really hope that BSD gains some popularity.

Re: To be honest. I am much more of a ... (none / 0) (#33)
by Anonymous Hero on Tue Jun 20, 2000 at 03:26:24 PM EST

Who thinks that BSD is not a true UNIX?

[ Parent ]
Nice to see some BSD stories for a ... (none / 0) (#3)
by mattc on Mon Jun 19, 2000 at 10:39:34 AM EST

mattc voted 1 on this story.

Nice to see some BSD stories for a change.

Any more publicity for BSD is good... (none / 0) (#23)
by The Madpostal Worker on Mon Jun 19, 2000 at 10:49:57 AM EST

The Madpostal Worker voted 1 on this story.

Any more publicity for BSD is good
<-- #include "~/.sig" -->

Re: Any more publicity for BSD is good... (none / 0) (#25)
by feline on Mon Jun 19, 2000 at 02:11:59 PM EST

What do you mean 'more publicity?' How is a mention of a FreeBSD kernel patch on a site with a readership such as this going to help any?
------------------------------------------

'Hello sir, you don't look like someone who satisfies his wife.'
[ Parent ]

+1 why not, -.5 wo ist die link, ro... (none / 0) (#12)
by warpeightbot on Mon Jun 19, 2000 at 11:02:37 AM EST

warpeightbot voted 1 on this story.

+1 why not, -.5 wo ist die link, round up.

So?... (none / 0) (#4)
by Pelorat on Mon Jun 19, 2000 at 11:10:53 AM EST

Pelorat voted -1 on this story.

So?

Just for the mascot... ;) ... (none / 0) (#16)
by Frigorific on Mon Jun 19, 2000 at 11:13:43 AM EST

Frigorific voted 1 on this story.

Just for the mascot... ;) I'd love more writeup, but another BSD is always nice
Who is John Galt? Rather, who is Vasilios Hoffman?

+1 because it's a good idea. ... (none / 0) (#15)
by jmcneill on Mon Jun 19, 2000 at 11:20:11 AM EST

jmcneill voted 0 on this story.

+1 because it's a good idea. -1 because I'm sick of hearing "Yet another [...]".
``Of course it runs NetBSD.''

Mmmmm... BSD... (1.00 / 1) (#17)
by yoyoboy on Mon Jun 19, 2000 at 11:43:13 AM EST

yoyoboy voted 1 on this story.

Mmmmm... BSD

OpenBSD with more hormones (I mean,... (none / 0) (#7)
by fluffy grue on Mon Jun 19, 2000 at 12:13:27 PM EST

fluffy grue voted -1 on this story.

OpenBSD with more hormones (I mean, just LOOK at that mascot - she's GOT to be on estrogen ;)
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]

It could use a better write-up, but... (1.00 / 1) (#21)
by 3than on Mon Jun 19, 2000 at 01:05:11 PM EST

3than voted 1 on this story.

It could use a better write-up, but I have to say I'm interested. The BSD distro scene is quite interesting, in light of the linux distros. Is it just me, or are the BSD's just not as fluffy as some linux distros? Anyway-is secureBSD a good thing, or just another project with a slick website?

Could open a new form of attack (2.50 / 6) (#24)
by Anonymous Hero on Mon Jun 19, 2000 at 02:10:09 PM EST

For one thing, a kernel patch to an established OS a new OS makes does not.

As for security, obviously you'll have to keep your hash database secure just like if you use Tripwire or any other IDS software. But how easy is it to upgrade software on the system? Granted, it shouldn't be hard to upgrade a specific utility and then re-run the hash routine to create a new database, but what about a major upgrade of the required system utilities?

As far as I understand it, "SecureBSD" doesn't stop an intruder from getting into the machine. It just stops them from replacing your copy of ps with a rootkitted one (question: if the intruder has root access and is able to replace files on the machine, what stops them from re-running the hash routine to make their replacements runnable?).

Could it also open up a new form of DDOS? Intruder gains root access to machine and then upgrades everything from /current and in the ports tree except the kernel thereby rendering the entire system almost useless?



Re: Could open a new form of attack (2.00 / 1) (#26)
by 3than on Mon Jun 19, 2000 at 02:28:02 PM EST

I was thinking about that myself. What's more, is it possible to configure that feature? Can programs be run without it? I've heard that the biggest problem with OpenBSD is its lack of upgradability. Is the same true of SecureBSD?
But in the scenario that you mention, might it be possible for root to change the hash values? If the system is upgradable, then maybe yes? It seems like a good thing.
Another question-exactly how much is it based on FreeBSD? Like Mandrake to RedHat?
I don't know. It just seems to me that the BSD's are in a great place right now-they are totally getting boosted by linux press, but they're also separate, and they have a proven track record behind them. It's just a damn good thing that there's the kind of initiative that is pushing forward this development...even if I'll probably just use FreeBSD next time I want some Berkeley Software Distribution action!

[ Parent ]
Re: Could open a new form of attack (2.50 / 2) (#27)
by DJBongHit on Mon Jun 19, 2000 at 03:13:17 PM EST

Well, to keep intruders from tampering with the hash database but still allow upgrading, all that would have to be done would be to keep the hash database on a write-protected floppy and then manually move the tab when you want to upgrade it. That way the only way to mess with the hash table would be to have physical access to the machine (and, as everybody knows, if somebody has physical access to the machine, you're going to have more problems than just him changing your hash tables.)

~DJBongHit

--
GNU GPL: Free as in herpes.

[ Parent ]
Re: Could open a new form of attack (none / 0) (#28)
by kraant on Mon Jun 19, 2000 at 07:44:17 PM EST

Actually the write protect tab is implemented in software not hardware[1] so a smart hacker should theoretically get around it

You'd need to burn it onto CD for it to be really safe...

But then if you're doing that why not just burn a large proportion of the system on CD, boot off the CD and burn a new CD when you want to upgrade... though the hashes to make sure you're running the *right* executable might be a vaguely good idea...

I remember talk about this on #OpenBSD and the general consensus was it was interesting but not all that useful and it was definitely misleading to call it secure just because of one feature...

daniel - who says the moral of this lesson is to not trust write protect tabs

[1]on the i86 line with BIOS. I'm not sure about other architectures but I think with m68k macs the floppy drive is controlled from a ROM[2]

[2]Unfortunately this ROM doesn't seem to understand little things like multitasking so any floppy reading/writing implemented is done by going raw which means the write protect can be ignored
--
"kraant, open source guru" -- tumeric
Never In Our Names...
[ Parent ]
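
Added example (not part of any comment in this thread, and not SecureBSD code): a user-space model of the exec-time checksum gate discussed in comments #24 through #28, showing why the location of the hash database decides whether the check holds. Assumptions: SHA-256 stands in for the kernel's checksum, `MappingProxyType` stands in for a database on read-only media, and `digest`, `build_db`, `may_exec` and the sample file contents are hypothetical names and constructed data.

```python
import hashlib
import os
import tempfile
from types import MappingProxyType

def digest(path):
    """SHA-256 of a file (assumption: stands in for the kernel's checksum)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_db(paths):
    """The 'hash routine': record the current digest of each listed binary."""
    return {p: digest(p) for p in paths}

def may_exec(path, db):
    """Exec-time gate: run only if the path is listed and its digest matches."""
    expected = db.get(path)
    return expected is not None and expected == digest(path)

def demo():
    """Constructed scenario: one 'ps' binary, two copies of the hash database."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        ps, extra = os.path.join(d, "ps"), os.path.join(d, "newtool")
        with open(ps, "wb") as f:
            f.write(b"original ps")
        writable_db = build_db([ps])                     # lives on the same disk
        sealed_db = MappingProxyType(dict(writable_db))  # models read-only media
        out["clean"] = may_exec(ps, sealed_db)
        # The binary changes: a rootkit and a legitimate upgrade look identical here.
        with open(ps, "wb") as f:
            f.write(b"replaced ps")
        out["replaced"] = may_exec(ps, sealed_db)
        # Someone with root re-runs the hash routine; only the writable copy changes.
        writable_db.update(build_db([ps]))
        out["rehashed_writable"] = may_exec(ps, writable_db)
        out["rehashed_sealed"] = may_exec(ps, sealed_db)
        # A newly installed program is absent from the database: denied by default.
        with open(extra, "wb") as f:
            f.write(b"new tool")
        out["unlisted"] = may_exec(extra, sealed_db)
    return out

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:18} {'run' if allowed else 'DENIED'}")
```

The same denial that blocks the replaced `ps` also blocks an upgraded or newly installed binary until the sealed database is rebuilt, which is the upgrade cost raised in comment #24.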

Another thing to consider (none / 0) (#30)
by wozz on Tue Jun 20, 2000 at 10:47:44 AM EST

There's nothing 'new' about the idea of real time hash checking. I know of several "public" shell systems that catered to the slightly darker-hatted crowd that implemented things like this years ago. This is the first supported release of the idea however (at least that I've seen). Also, I don't think they mean to imply that their system makes you secure. Multiple layers of security is the way to go. I saw some comments below along the lines of "why bother, OpenBSD's been audited". While OpenBSD is a great place to start for a secure platform, don't for a second think it can't be improved by adding on things like this (properly audited and thought through of course). Keep in mind, OpenBSD hasn't had a REMOTE root hole for years, but if you give someone an account on the box, they can probably find their way to root (although probably not an easy task). The capability provided by SecureBSD is another layer that protects the ooey-gooey insides of a box.
OpenBSD - A Better Solution
Re: Another thing to consider (none / 0) (#32)
by Anonymous Hero on Tue Jun 20, 2000 at 03:22:32 PM EST

OpenBSD - No local holes in 2 years.

[ Parent ]
Re: Another thing to consider (none / 0) (#34)
by wozz on Wed Jun 21, 2000 at 11:23:50 AM EST

...which is one less year than they've had a remote hole. I find it's harder to secure a UNIX box from the inside than it is from the outside. Not impossible, no, but definitely harder. And this could be a useful tool to aid in that.
OpenBSD - A Better Solution
[ Parent ]
Trusted BSD also exists (none / 0) (#31)
by aat on Tue Jun 20, 2000 at 12:15:24 PM EST

This is the second secure BSD project in the past few months to fork off of FreeBSD.
Check out TrustedBSD

Arun
