Thread: OpenBSD security flaw

  1. #11
    Senior Member gore
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Funny you should bring up Microsoft's development ways. Last night in my Linux + class, a guy that had worked doing some things for Microsoft was recounting some of the horror he had seen at Windows camp. It surely made Camp Crystal Lake seem like a dream, at least Jason didn't have software bugs.

    He said while he was there, that it was the time when office 97' was being released. They had Office 97' and Office 2,000 not only finished, but, instead of being like BSD and checking for bugs BEFORE releasing, that they released it and let other people find the bugs.

    Then when all of those bugs were found, they applied them to office 2,000 and released it whenever that dark day was they released it. I can hardly believe a company with that kind of cash power would do something like this. If my company was like them....Well, there isn't much hope for them left, but they are at least starting to try.

    But if I had that kind of money, I would be hiring hackers 24/7 to come in, and try their best to crack the software. That damned registration would be out the window. They have things about registration where usability is taken away so that people can't pirate it as easy.

    I'd stop that. The new office, is nice. But the price tag on it......I could get a new computer for that price, and download Vi and Emacs. I only use word when I HAVE to do a project for school. I got Office XP Pro when it came out for $200.00 from my school. I use word, that's about it. I can do everything I need to though, in Vi. It sucks when schools are almost forced into using that because it's what a lot of businesses use.

    When I start my company in a few years, you'll MAYBE see ONE copy of office lying around. Other than that, we will be using Vi and Emacs. I need to learn C better than I do. I'll code my own office suite. And give it away free with my OS.

    < Excited >

    I got an Email from Patrick V, the dude who created Slackware. He was asking about the tutorial I wrote!!!

    < /Excited >

    BSD and Linux are free, and very useable. Both can be used as servers. And both can be secured. But is one really better than the other for a desktop? I think Linux is.....Hmmmm *Off to start a new thread in the OS forum about which is better from a desktop perspective*

    Ohhh, gore used a big word like forum, and about!

  2. #12
    well on the brighter side at least openbsd is more secure than M$, can it not be forgiven!!!

  3. #13
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    In any case, remote hole one or two, OpenBSD is still one of the most secure operating systems out of the box. The developers of the operating system take security very seriously.


    --PuRe

  4. #14
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    FYI, here's the explanation & patch reference posted on security-announce@openbsd.org:

    -----Original Message-----
    From: owner-security-announce@openbsd.org
    [mailto:owner-security-announce@openbsd.org] On Behalf Of Daniel Hartmeier
    Sent: February 7, 2004 18:55
    To: security-announce@openbsd.org
    Subject: IPv6 MTU handling problem


    An IPv6 MTU handling problem has been reported by Georgi Guninski[1],
    which could be used by an attacker to cause a denial of service attack
    against hosts reachable through IPv6.

    When the MTU (maximum transfer unit) for an IPv6 route is set very low,
    the TCP stack will enter an endless recursion when the next TCP packet
    is sent. This can be exploited remotely by sending ICMP6 'packet too
    big' messages containing such low MTU values. The kernel will
    effectively lock up, causing denial of service. It is not believed that
    this problem can be used to execute arbitrary code.

    IPv6 is enabled by default, but the problem can only be exploited
    remotely against hosts which are reachable through IPv6. Hosts with
    IPv4 connectivity only are not affected.

    The problem is fixed in -current, patches for 3.4-stable and 3.3-stable
    are available at

    ftp://ftp.openbsd.org/pub/OpenBSD/pa.../011_ip6.patch
    ftp://ftp.openbsd.org/pub/OpenBSD/pa.../016_ip6.patch

    [1] http://www.guninski.com/obsdmtu.html

    Ammo
    Credit travels up, blame travels down -- The Boss
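
Added example (not part of the thread, and not the OpenBSD patch): a defensive check of the kind the advisory quoted in post #14 points to, applied to a received ICMPv6 'packet too big' message so that an advertised MTU below the IPv6 minimum of 1280 bytes is never cached for a route. The helper name check_ptb, the verdict enum and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ICMP6_PACKET_TOO_BIG 2     /* ICMPv6 type of a 'packet too big' message */
#define IPV6_MIN_MTU         1280u /* minimum link MTU required of every IPv6 link */

enum ptb_verdict {
    PTB_NOT_PTB,            /* some other ICMPv6 type */
    PTB_TRUNCATED,          /* too short to carry the 32-bit MTU field */
    PTB_IGNORE_BELOW_MIN,   /* advertised MTU under 1280: never cache it */
    PTB_IGNORE_NOT_SMALLER, /* would not shrink the path MTU: nothing to do */
    PTB_ACCEPT              /* plausible value, *new_mtu is updated */
};

/* check_ptb() is a hypothetical helper, not an OpenBSD function.
 * msg points at the ICMPv6 header: type(1) code(1) checksum(2) MTU(4, big-endian).
 * Assumes the caller already verified the ICMPv6 checksum.
 * *new_mtu is the path MTU to keep cached for the route after this message. */
enum ptb_verdict check_ptb(const uint8_t *msg, size_t len,
                           uint32_t cur_mtu, uint32_t *new_mtu)
{
    *new_mtu = cur_mtu;
    if (len < 1 || msg[0] != ICMP6_PACKET_TOO_BIG)
        return PTB_NOT_PTB;
    if (len < 8)
        return PTB_TRUNCATED;
    uint32_t mtu = ((uint32_t)msg[4] << 24) | ((uint32_t)msg[5] << 16) |
                   ((uint32_t)msg[6] << 8)  |  (uint32_t)msg[7];
    if (mtu < IPV6_MIN_MTU)
        return PTB_IGNORE_BELOW_MIN;
    if (mtu >= cur_mtu)
        return PTB_IGNORE_NOT_SMALLER;
    *new_mtu = mtu;
    return PTB_ACCEPT;
}

int main(void)
{
    /* Constructed sample messages (checksum bytes zeroed, payload omitted). */
    const uint8_t low[8]  = {2, 0, 0, 0, 0x00, 0x00, 0x00, 0x40}; /* MTU 64   */
    const uint8_t sane[8] = {2, 0, 0, 0, 0x00, 0x00, 0x05, 0x78}; /* MTU 1400 */
    uint32_t mtu;
    enum ptb_verdict v = check_ptb(low, sizeof low, 1500, &mtu);
    printf("low MTU:  verdict=%d cached=%u\n", (int)v, (unsigned)mtu);
    v = check_ptb(sane, sizeof sane, 1500, &mtu);
    printf("sane MTU: verdict=%d cached=%u\n", (int)v, (unsigned)mtu);
    return 0;
}
```

A PTB_IGNORE_BELOW_MIN verdict is also worth logging, since no legitimate IPv6 link has an MTU under 1280.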

  5. #15
    Senior Member
    Join Date
    Aug 2001
    Posts
    251
    My OpenBSD box is currently impossible to remotely exploit...

    'cause it's turned off, and everything's unplugged.

    Dhej
    The owl of Minerva spreads its wings only with the falling of dusk. -Hegel

  6. #16
    Senior Member gore
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    There is an exploit I coded with my foot that would **** your box up no matter what you unplugged Yea....Bored.

  7. #17
    Senior Member
    Join Date
    Aug 2001
    Posts
    251
    Originally posted here by gore
    There is an exploit I coded with my foot that would **** your box up no matter what you unplugged
    I guess technically they could classify that as a local exploit and still keep their tally down to one in 7 years...

    Yea....Bored.
    I second that. I just got home from work early, it's 6:30AM and not 7:40AM. I find it funny that even though I work outdoors at night, 32 degrees is too warm to work. Yet the 6 degrees in the forecast for Sunday night is prime weather. And I'm not talking Celsius temps either. Making snow at a ski "resort" really changes your weather perspective..., oh well, gotta enjoy the income while it lasts, I'm hearing that I'm out of work in about a week or two, now I have to look for a job in a city that just had 400 tech support people lose their jobs and flood the market so now my tech skills are absolutely worthless. Not to mention my truck is on its last legs 'cause its main bearing went out on me, and silly me I thought that I had ample money saved up to last me 'till I found another job and now I'm trying to figure out how to get enough money for a new friggin' engine.

    My life is turning into a country song: my truck's broke, I'm gonna be out of work, my girlfriend lives 800 miles away (until May), and get this my dog is sick. . . And I hate country music.

    Back on topic, for a bit.

    Your "boot" would be the only local exploit on my box 'cause it doesn't have a monitor or a keyboard, as I only ever ssh into it when I have it running anyway.

    Ok, I'm done filling the database with worthless bits of my life..., for now.
    The owl of Minerva spreads its wings only with the falling of dusk. -Hegel
