1. 3

    Today Filippo posted a follow up question on the openbsd-tech mailing list:

    I recently had the occasion to dive into the softraid crypto code [1] and was quite pleased with the cleanliness of it all. However, I found surprising the default value of 8k PBKDF2 rounds.

    I know it is easy to override and I should have RTFM, but I (naively, I’ll admit) assumed OpenBSD would pick very robust defaults, erring on the conservative side. Is it maybe time to bump it up, or pick it based on a quick machine benchmark?

    If there’s consensus I might also provide a patch for the live benchmark option.

    Thank you

    [1]: https://blog.filippo.io/so-i-lost-my-openbsd-fde-password/
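The "quick machine benchmark" floated in the post, sketched as an added example (not code from the thread, from OpenBSD or from bioctl(8)). It times one PBKDF2 derivation at the 8192-round default, scales linearly to a target unlock delay, and never drops below that default as a floor; it also shows what a round count buys against an attacker with a given PBKDF2 throughput. HMAC-SHA1 as the PRF, the 32-byte key length, the passphrase and the salt are assumptions made for the example.

```python
import hashlib
import os
import time

# bioctl(8) default questioned in the post; overridable with bioctl -r.
SOFTRAID_DEFAULT_ROUNDS = 8192


def derive_key(passphrase: bytes, salt: bytes, rounds: int, dklen: int = 32) -> bytes:
    """PBKDF2 with HMAC-SHA1 as PRF (assumption for this example; change the
    hash name if your softraid tree uses a different PRF)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, salt, rounds, dklen)


def rfc6070_vector(rounds: int) -> str:
    """Known-answer check from RFC 6070 (P="password", S="salt", dkLen=20)
    so the benchmark is known to be timing the real algorithm."""
    return derive_key(b"password", b"salt", rounds, 20).hex()


def seconds_per_derivation(rounds: int, samples: int = 3) -> float:
    """Median wall-clock time of one derivation on this machine, using a
    constructed passphrase and a random salt."""
    salt = os.urandom(16)
    timings = []
    for _ in range(samples):
        t0 = time.perf_counter()
        derive_key(b"correct horse battery staple", salt, rounds)
        timings.append(time.perf_counter() - t0)
    timings.sort()
    return timings[len(timings) // 2]


def choose_rounds(target_seconds: float,
                  probe_rounds: int = SOFTRAID_DEFAULT_ROUNDS,
                  floor: int = SOFTRAID_DEFAULT_ROUNDS) -> int:
    """PBKDF2 cost is linear in the round count, so one probe measurement is
    enough to extrapolate to the wanted unlock delay. Never go below the floor:
    a slow or mis-timed machine must not produce a weaker volume."""
    measured = seconds_per_derivation(probe_rounds)
    rounds_per_second = probe_rounds / max(measured, 1e-9)
    suggested = int(rounds_per_second * target_seconds)
    return max(floor, suggested)


def guesses_per_day(rounds: int, attacker_rounds_per_second: float) -> float:
    """Passphrase guesses per day an attacker with the given PBKDF2 throughput
    can try against one volume header. Doubling rounds halves this."""
    return attacker_rounds_per_second / rounds * 86400


if __name__ == "__main__":
    rounds = choose_rounds(1.0)
    print(f"suggested rounds for a ~1 s unlock on this machine: {rounds}")
    print(f"guesses/day for an attacker at 10 M rounds/s: "
          f"{guesses_per_day(rounds, 10e6):,.0f}")
```

The probe runs on the machine that will unlock the disk, so the result tracks that machine's speed, not an attacker's; the attacker's throughput (GPU or ASIC) is the number to plug into guesses_per_day, and the only lever the round count gives is the linear factor.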

    1. 3

      Is there a Chrome extension that fixes this? That seems like it might be trivial (but risky, too).

      1. 6
      1. 3

        Apparently this can be mitigated in software if running a VMM can be considered a fix.

        1. 5

          why this over OpenNTPD?

          1. 2

            In my link below someone asks this question and phk answers (Google translation): “OpenNTPD have lousy time management and provides no real platform for further development / code sharing to stratum 1 servers, etc.”. Add that the Linux Foundation apparently sponsored the work.

            1. 1

              I’m not sure what “lousy time management” is, but OpenNTPD keeps all my systems (Linux, OpenBSD) within millisecond time accuracy.

            1. 1

              A little off-topic, but really surprised that they don’t have an https server, and there are no checksums visible for the downloads.

              1. 2

                The reasoning on https so far has been something like: the data on the webserver is open/public and the CA system is proven to be close to broken when it comes to ensuring identity, and the encryption part, too it turns out.

                Buying the CDs might give you a reasonable amount of trust in the origin of the code, but you can’t really be sure when it comes to identity trust - it comes with a built-in bootstrap problem. If you trust the CD you will have a signify pubkey which will allow you to verify the integrity and identity of the online releases. Of course you might get this key in some other way. The signature has been released in several places and comparing those seems to be as good as it gets, unless you happen to know one really close to the release process.

                The signed checksums can be found at http://ftp.openbsd.org/pub/OpenBSD/5.5/amd64/SHA256.sig
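What lies beneath that SHA256.sig once signify has checked the signature, as an added example that is not part of the thread and is not OpenBSD's or signify's code: the file is two signify header lines (an "untrusted comment:" line naming the key, then the base64 signature) followed by BSD-style "SHA256 (name) = hex" lines. The block parses that layout and checks constructed files against it. The sample file, its signature line (a placeholder, not a real signature) and the file names are constructed for the example; the two matching digests are the real SHA-256 of "abc" and of the empty string. Signature verification is deliberately not done here: on OpenBSD, signify -C -p /etc/signify/openbsd-55-base.pub -x SHA256.sig does both the signature and the checksum step, and the checksum step alone proves nothing about who produced the list.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Constructed stand-in for a SHA256.sig. The signature line is a placeholder.
# INSTALL.amd64 carries a bogus digest (tampered list or file); xshare55.tgz is
# listed but will not exist on disk.
SAMPLE_SIG = """untrusted comment: verify with openbsd-55-base.pub
RWQCONSTRUCTEDPLACEHOLDERNOTAREALSIGNATURE00000000000000000000000000000000000000000000000000000000=
SHA256 (INSTALL.amd64) = 0000000000000000000000000000000000000000000000000000000000000000
SHA256 (base55.tgz) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SHA256 (bsd) = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA256 (xshare55.tgz) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""

CHECKSUM_RE = re.compile(r"^SHA256 \((?P<name>[^)/]+)\) = (?P<hex>[0-9a-f]{64})$")


def parse_sha256_sig(text: str):
    """Return (key_hint, signature_b64, {name: hexdigest}).

    Names containing '/' are rejected by the regex so a hostile list cannot
    point the verifier outside the download directory."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("not a signify-signed checksum file")
    key_hint = lines[0][len("untrusted comment:"):].strip()
    signature = lines[1].strip()
    sums = {}
    for line in lines[2:]:
        if not line.strip():
            continue
        m = CHECKSUM_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable checksum line: {line!r}")
        sums[m["name"]] = m["hex"]
    return key_hint, signature, sums


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(sums: dict, directory) -> dict:
    """Map each listed name to OK, FAILED or MISSING, like signify -C reports."""
    results = {}
    for name, expected in sums.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        ok = hmac.compare_digest(sha256_file(path), expected)
        results[name] = "OK" if ok else "FAILED"
    return results


def demo() -> dict:
    """Lay out constructed files in a temp dir and verify them against SAMPLE_SIG."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "base55.tgz").write_bytes(b"abc")
        (Path(d) / "bsd").write_bytes(b"")
        (Path(d) / "INSTALL.amd64").write_bytes(b"abc")
        key_hint, _signature, sums = parse_sha256_sig(SAMPLE_SIG)
        results = verify_files(sums, d)
        results["_key_hint"] = key_hint
        return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

The "untrusted comment" header is exactly that: it tells you which key the signer claims to have used, and nothing on the list can be believed until the key you obtained out of band (the CD, or the several independent copies the comment above mentions) has verified the signature line.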

              1. 1

                I would like to try OpenBSD for experimenting on my Desktop. Perhaps through a virtual-machine for now.

                Is Java available on OpenBSD? Either Oracle JRE or OpenJDK. And is the latest version (8) available?

                1. 3

                  Latest OpenJDK in amd64 -current packages found at http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/ is jdk-1.7.0.21p2v0.tgz which btw. seems to be the same version found in the 5.5 package set.

                1. [Comment removed by author]

                  1. 3

                    Heartbleed occurred after the release had been made - so the OpenSSL library included with 5.5 is vulnerable - so yes patching is required.

                    1. 4

                      I feel a bit dense asking, but how? The release date for OpenBSD 5.5 is May 1, well after heartbleed occurred. Are you saying the release was cut a while back, but only released to the public today?

                      1. 6

                        Yes. The release process basically goes:

                        • unlock tree from 5.4 release, become 5.4-current (occurred july 29, 2013)
                        • ~6 months of rapid development for work to become 5.5
                        • 5.4 is formally released from stuff up to july (occurred november 1, 2013)
                        • slow down, no big changes, abi/api lock, become 5.5-beta
                        • tree locks, hopefully no remaining changes (occurred feb 28, 2014)
                        • developers test final snapshots on all archs, discuss outstanding issues
                        • OPENBSD_5_5 is tagged, considered “5.5 release”
                        • CD images are created for 5.5 release, Theo works on getting artwork, giving CD images to pressing plant
                        • tree unlocks, becomes 5.5-current (occurred march 5, 2014), rapid development starts leading up to 5.6
                        • CDs for 5.5 release start shipping, ftp release happens may 1, 2014

                        So as you can see, 5.5 was created 2 months ago and already burned on CDs that shipped out. We can only backport fixes from -current to the OPENBSD_5_5 tree and issue errata during those 2 months between tagging 5.5 and formally releasing it.

                        1. 1

                          Although the OpenBSD release dates are 1 May and 1 November each year, a lot of work goes into ensuring that each release and associated packages are ready for manufacturing to create the CDs so that they can be delivered on or before the release dates. So although each release happens on 1 May and 1 November each year, the code that goes into each release is fixed about 1 to 2 months before the release date. This means that if you run current you start running some of the next release code; you can tell when this is happening as the ports tree is locked and ports are fixed ready for the release. hth :~) PS This is why the releases are such high quality every six months.

                      2. 2

                        Looks like M:tier is officially endorsed by Theo:

                        http://marc.info/?l=openbsd-tech&m=139896061602956&w=2

                        For those not in the know, M:tier provides the binary packages for stable releases:

                        https://twitter.com/jasper_la/status/461576068055707648

                        Does this imply that M:tier’s binary packages are now endorsed, too?

                        1. 1

                          I don’t read it that way; just that they donated money/hardware and their company functions and services are unrelated.

                          1. 2

                            True, but I think people will be much more comfortable with getting binaries from M:tier now that Theo has taken the time to specifically thank them for providing some support for the release.

                            I mean, just look at the title of his email alone:

                            Subject: Thanks to M:tier for package signing infrastucture

                            I’d be surprised if they don’t see some spike in the business.

                        2. 2

                          Releasing with a known security flaw surprises me. Why wouldn’t they delay the release to get it fixed?

                          1. 3

                            I’m guessing because it was cut ahead of time and CDs had already gone out

                        1. 1

                          That’s the logo, much the way Hacker News has Y for YCombinator. Lobsters has L.

                          1. 3

                            I think the OP means, why is it red sometimes and black others.

                          1. 1

                            Thanks for this!

                            Only works when I invoke it manually, when put in .xinitrc it does get started normally, but no mouse hiding. Here’s the full .xinitrc:

                            setxkbmap -option ctrl:nocaps
                            xbanish &
                            xrdb -quiet -load $HOME/.Xresources
                            xset fp+ $HOME/.fonts && xset fp rehash
                            xsetroot -cursor_name left_ptr -solid black && bgs -c /home/sramov/pic/5583922156_87619bb8a1.jpg
                            
                            ssh-agent xmonad
                            
                            1. 1

                              Ok, file a bug on the Github repo with some debugging info and I’ll look into it.

                              1. 1

                                Works beautifully when started manually, but when invoked from .xinitrc (on OpenBSD -current with dwm -current) I can reproduce sramov’s findings – the cursor does not hide, but the process is running.

                                When started with debug from .xinitrc no debug seems to be produced (?). Debug output is produced when started manually though. Still want a github bug issue opened?

                                1. 1

                                  Can you and @sramov try the latest git code? It’s working for me in an xsession with ratpoison.

                                  1. 1

                                    Still the same when started from xinitrc, but it might be related to some window focus thing in dwm:

                                    When invoked manually with dwm running I see the cursor hiding on creating a new window only if the cursor is not in the new window area; debugging reports ‘creating new window, snooping on it’ and nothing further when I type in this window. If the cursor is not within the area of a newly created xterm I see ‘creating new window, snooping on it’ and then ‘keystroke 50 hiding cursor’ and any new keystroke is reported.

                                    So it seems the keystrokes are not captured from those windows created with a cursor “above”. But if I move the window focus between a few windows and return to the new window – then the cursor is correctly hidden when typing and debug reports any keystroke. Want a github issue opened on this peculiar thing?

                                    1. 1

                                      Just for the record: The above problem is solved with this commit https://github.com/jcs/xbanish/commit/5056afe970aa3c1dfb6af5f879ea649a8af90b15. Thanks!

                                      1. 1

                                        Nope, still nothing, after trying the latest git head. I’ve tried with all window managers I use, cwm, xmonad, mcwm etc… The result is always the same. If I put xbanish & in ~/.xinitrc it just doesn’t work. OpenBSD -stable, various OpenBSD -current snapshots, no cigar…

                                        I don’t use GitHub, so instead of filing an issue, I am posting here.

                                        1. 1

                                          Works here: xbanish-1.1 from packages started from xinitrc, dwm via git, latest OpenBSD -current snapshot.

                                          1. 1
                                            uname -a
                                            OpenBSD ouroboros.ramov.inet 5.4 GENERIC.MP#61 amd64
                                            
                                            pkg_info -qm | grep xbanish
                                            xbanish-1.1
                                            
                                            cat ~/.xinitrc
                                            bgs -c $HOME/bgs/fbdtlbl1305772307_crop.jpg
                                            setxkbmap -option ctrl:nocaps
                                            xbanish &
                                            xrdb -load $HOME/.Xresources
                                            xset fp+ $HOME/.fonts && xset fp rehash
                                            xsetroot -cursor_name left_ptr
                                            
                                            ssh-agent xmonad
                                            

                                            I also tried replacing ssh-agent with exec thinking it might have something to do with that, but the result is the same, I just can’t get it to work.

                                            Doesn’t matter which window manager I try, xmonad, cwm, dwm… Also tried xinit and startx

                                            When I manually start it with -d flag, it seems it only hides the cursor when in xterm. When I switch focus to xombrero for instance, I get no output, even the mouse moves are not reported. Same thing when the cursor is on the root window.

                                            Also tried to comment everything in ~/.xinitrc, except for the xbanish & and exec xmonad lines…

                                            Would love to get to the bottom of this!

                            1. 3

                              Somehow this is not a surprise and AFAIK often seen in airports as real and undisguised surveillance. But this kind of data can be used in a useful way, too: Around here cell data is used to control the traffic lights at the end of the highways leading into town, trying to get a steady traffic flow during rush hours.

                              1. 2

                                What’s HAMMER?

                                1. 2

                                  HAMMER is a file system written for DragonFly that provides instant crash recovery, multi-volume file systems, integrity checking, fine grained history/undo, networked mirroring, and historical snapshots. HAMMER is the default file system for DragonFly.

                                  From http://www.dragonflybsd.org/hammer/.

                                  1. 2

                                    And more HAMMER/HAMMER2 news can be found at http://www.shiningsilence.com/dbsdlog/category/hammer.

                                  1. 4

                                    I used Bloglines for many years, until it got bought and got a UI change that made it ugly. It was threatened to be shut down in 2010 because “RSS was dead”. For three years after that, Google Reader was the most popular RSS reader and is now getting shut down because RSS is dead again in 2013. Maybe these companies should stop proclaiming RSS to be dead while shutting down a service with many thousands of users and instead just say “we don’t want to do this anymore” and leave it to another company.

                                    Back when Bloglines got a UI change, I created den.im in 2009 which was basically a clone of Bloglines' old interface. When I was dragged onto Twitter, I saw it as just another feed of items to read, so I added Twitter support to den.im. Maybe I’m weird in that I actually want to read every tweet that comes across and keep track of unread ones like RSS feeds, but den.im has archived every tweet I’ve seen and posted since then. One thing I particularly like about it is that it also generates meta-items that show up in my timeline when people follow and unfollow me, and I can do direct messages, retweets, and follow new users directly from it, for multiple Twitter accounts.

                                    Over the years I improved the UI of den.im, added search functionality, added Facebook feeds (and then removed them because apparently their API doesn’t export the same things that users see on facebook.com, or so I was told), and made the mobile web interface. I’m now the only user of it, because my beta users abandoned it for Google Reader (and are now asking for den.im access again). I have no desire to put in all of the extra work to rewrite parts of it to scale better and support lots of users, but I haven’t found any other site that I want to switch to.

                                    I hope something new comes out of this Reader shutdown that I can switch to so I can stop making and hosting my own reader. I also hope it does something to spur on the progress of RSS or whatever comes next, since it promotes an open web instead of putting everyone’s content behind things like Facebook and Google+.

                                    1. 1

                                      I have no desire to put in all of the extra work to rewrite parts of it to scale better and support lots of users, but I haven’t found any other site that I want to switch to.

                                      Perhaps people are willing to pay for this as some kind of subscription? I would, especially if the privacy handling is right. I always felt sharing my interest with Google was … bad (like in “if a service has no price you are probably the product”).

                                      1. 1

                                        I couldn’t agree with your comment more. I had built my own RSS aggregator years back (minus the cool domain name), but I left it for Google Reader years ago as I just wanted something that could be maintained by someone else. Now I’m a man without a country!

                                      1. 3

                                        I was genuinely surprised at how many people are still using Reader. I stopped using it a couple years ago (too many feeds), and recently started using Prismatic. I just had a problem with too much noise and not enough signal, and even experimented with some data mining on feeds to pick out relevant stuff. What are people going to switch to?

                                        1. 3

                                          I did a quick test of https://kiza.eu/software/snownews on a ssh enabled box. After a bit of fiddling with filters it seems usable. Not smooth, not elegant, but working.

                                          Another alternative could be https://feedbin.me or http://theoldreader.com/, while we are waiting for jcs@ to build a privacy respectful, good looking, paid addon to lobste.rs :p

                                          1. 1

                                            I used to use snownews and canto, but my biggest problem is too low of an SNR in the feeds I was interested in. I’ll poke around the other two links, I guess.

                                            1. 1

                                              I never understood the text-mode and dedicated clients for RSS readers. All of the content is in HTML, it’s designed to be viewed in a web browser, and to do anything beyond the article like open links, you have to open a browser anyway. Why not just keep it in the browser?

                                              1. 1

                                                The main issue here – for me at least – is not the client, nor the way the information is formatted, but keeping track of what is read and what is not. And being able to do this on a set of machines. This smells like a webservice …

                                                1. 1

                                                  Most of the articles I was reading rendered just fine in lynx. Most of the images were just boring “here’s a stock photo I found on whatever stock image site that looks appropriate”. If I thought that it would benefit, I still had commands to open the feeds in Firefox.

                                            1. 1

                                              A mirror of the presentation videos can be found at http://mirror.fem-net.de/CCC/29C3.

                                                1. 1

                                                  On time. With many fine improvements including pthreads support.

                                                    1. 1

                                                      Neato, I just backed up and formatted my laptop so I could reinstall with a full RAID disk to try this out. Works great.

                                                      1. 1

                                                        Thanks for leading the way by running bleeding edge tests before the rest of us – I’ll follow you :)

                                                        1. 1

                                                          did you do key or passphrase?

                                                          1. 1

                                                            Passphrase, which boot(8) now prompts for.

                                                            1. 1

                                                              excellent!