ฝัง
- เผยแพร่เมื่อ 4 ต.ค. 2024
- Subscribe to our weekly newsletter: www.tfir.io/dnl
Become a patron of this channel: / tfir
Follow us on Twitter: / tfir_io
Like us on Facebook: / tfirmedia
Discussing the state of security on Linux, Greg credited the OpenBSD community for being right about their ideology of security over performance. This is just a clip, watch the full interview here: www.tfir.io/20...
I’d have to agree with him. Linux needs to start valuing security again just as highly, maybe even more so, than performance. We don’t want to make the same mistake that Intel has made with their security.
until the grsec stuff gets upstreamed, i think linux "valuing security" will never really happen. i've lost hope in it. openbsd is very good in this area, but struggles in others. right now you have to choose the insecure fast os or the secure slow os and it sucks.
In the _short term_ Linux needs to be more proactive and less reactive in terms of security. OpenBSD has anticipated vulnerabilities before they were disclosed. Linux? Well, at least Linux is no longer acting so shocked by all the new threats. Yet OpenBSD still leads, whereas Linux still follows. And OpenBSD has far fewer resources.
I subscribe to both Linux and OpenBSD mailing lists. It’s remarkable how differently they approach and prioritize security. Linux emphasizes userland security and mainlining new hardware into the kernel as sanely as possible, whereas OpenBSD is emphatic about low-level security and paying attention to what the CPU is doing at all times. A middle ground between these two extremes would go a long way.
_Long term_ Linux should continue pursuing more open and secure CPU architectures. They already do this to a degree, but they could do better.
This interview is great though. Gives me just a tiny bit of hope for Linux.
Intel make no mistake, don't be mistaken here.
Yeah....mistake...**cough**
Kira You’re right, Intel’s security vulnerabilities could very well have been intentional.
OpenBSD, the makers of OpenSSH and so many more goodies.. of course they got it right, nothing compares.
child
OpenSSH is slow and bloated
@@_nom_ Compared to what?
Maybe slow in comparison. Bloated, definitely not, compared to any other modern OS
I will gladly take a performance hit if it means enhanced security.
OpenBSD was right about a bunch of things, just like how RMS was right about software, privacy, freedoms, etc.
More gets done by 'unreasonable' people lol!
Hand over the nonfree software and nobody gets hurt.
RMS was right about being a skin eating communist hippie.
@@br9809 What is hate for? Commie/non-commie/monarchie, as long as the person works for people's good and not hurting them, it is all good.
@@br9809 why do you hate freedom?
They were right for the "wrong reasons" until the Linux guys said disable hyperthreading. Damn, if wasn't a high-horsed statement I'd don't know what is...
Can't let go of the Kool aid
He did not mention the reasons though. So, unless we hear the rest of what he thinks are the "reasons", its wrong to pass judgement.
OpenBSD has been right of all these years, and we are still counting
There are many security measure can be taken without mindless following OpenBSD. What OpenBSD thinks is not even a big issue. Disabling HT is huge performance lost when you have large scale servers; think about the huge number of threads gone.
@@wonghow One year later here ... > Ok, therefore we should only use hyperthreading on embedded devices. At least in theory. In reality it can't happen
openbsd is always right
@0:49
"If you're running a system that you don't trust your users, you have to disable hyper threading."
What user actions makes spectrum and/or meltdown an issue?
What if you do trust your users (or you are the only user), what is it that you need to know to not do, so that you do not fall victim to the spectrum or meltdown vulnerabilities?
By knowing what to avoid doing, you can avoid the performance hit by not disabling hyper-threading. Is that correct?
Every cloud service cannot trust its users.
And if that webpage has java, it can probably see data in adjacent registers. These are two examples of this in the real world.
Basically, as soon as you run a web client, it's game over.
Those issues can actually be exploited through javascript in the browser.
Well, if you ever are on a network, if you ever serve any network function or parse responses from network services you use, then by a very small stretch of the imagination you will be "on the network" and you will be handling someone elses data. Running someone elses javascript on your browser means that you are literally running their code on your CPU. You can hope that "I will not let someone in" but it isn't as easy as "I just don't create users and hand out passwords to my laptop". You are going to have to close off quite a bit of the common usages of a modern computer.
Also, "trust your user" means you need to trust every application (even if running as "you"), not only to not be malicious but also not exploitable. If your applications do no have any scripting or similar "dynamic" execution the risk is lower. If you are not on a network it's far less of a risk.
Basically it means if you _only_ run trusted code (e.g. a dedicated database server) you can safely disable all spectre mitigations and regain the performance.
For linux see: make-linux-fast-again.com/
But never do that on machines that might run untrusted code.
BSD and Solaris (and now it's derivatives) are better engineered then Linux. Popularity doesn't make something better.
Solaris was trying to be OpenSolaris but failed. In Linux case is not popularity; it is best choice. What is the point of being secure but not productive? There are way more applications on Linux than BSD or Solaris. Solaris had to use some Linux desktop technologies for productivity otherwise Solaris is stuck with 90s UI CDE and apps.
@@wonghow same logic Microsoft Windows users talks about; there's more programs for Windows than GNU/Linux...
@@Joe-ud1de that's exactly what I was going to say too. "It's not the popularity of Windows, it's because it's productive." I guess by How Wong's way of thinking then that makes Windows better than Linux. (I do realize it's a year later)
@@wonghow How Wrong. FIFY
I like his new beard.
But this primarily affects Intel Processors right? So AMD cpu's should be ok to keep hyperthreading???
Not always. They had their problems too not so heavy as Intel but still.
@@sesom07 The SMU in Ryzen seems to be a good target for attacks. Ryzen didn't even really listen to MSR changes (on changing frequency and voltage) but once the SMU told it to do so, it abides faithfully. Look on ryzen_nb_smu and you'll be surprised at what rights that the SMU is capable of.
Anyway AMD won't release BKDG for 17h and many parts of the PPR remains outdated sincd 2017. I did request it but all AMD employees just won't even respond. Kinda bad times as Intel doesn't have a good offering and AMD CPUs documentation is scarce unless you work in a company that partners with them
Not all Intel CPU has HT. And then, would you think the Xeon servers 12 threads per CPU are disabled? If you have 10 Xeon; that is 60 threads ! I don't think so. Why would you have this kind of performance lost for what OpenBSD thinks? that is really mindless to follow OpenBSD
@@wonghow
"Disably hyperthreading if you don't trust your users or applications." They are right that this mitigates the vulnerability, and they know that it drops performance. If it wasn't obvious, they care much more about security than performance. Besides, if your opinion on this topic differs, you can just go ahead and enable hyperthreading, they aren't stopping you.
The one down-vote was Linus himself? :-D
I'd guess Linus would upvote this one
That was always true, from the very beginning..
Mad props
Guys I literally found gigachad
Thanks
On intel, AMD doesnt have this problem
Yes they do. I'm using a Zen 1 processor in my laptop. To properly mitigate spectrev2 and retbleed, I need to disable SMT (hyper threading).
cat /sys/devices/system/cpu/vulnerabilities/*
And to think, Linus called all of us OpenBSD users 'Masturbating monkeys'. If you ask me, he's the clueless Computer School Dropout. Theo DeRaadt makes Linus look like a total amateur.
Yes they were right, and YOU were WRONG. Not just on this one either Greg.
Hello Theo,
Long time no talk. If you will recall, a while back I was the CTO at
NETSEC and arranged funding and donations for the OpenBSD Crypto
Framework. At that same time I also did some consulting for the FBI,
for their GSA Technical Support Center, which was a cryptologic
reverse engineering project aimed at backdooring and implementing key
escrow mechanisms for smart card and other hardware-based computing
technologies.
My NDA with the FBI has recently expired, and I wanted to make you
aware of the fact that the FBI implemented a number of backdoors and
side channel key leaking mechanisms into the OCF, for the express
purpose of monitoring the site to site VPN encryption system
implemented by EOUSA, the parent organization to the FBI. Jason
Wright and several other developers were responsible for those
backdoors, and you would be well advised to review any and all code
commits by Wright as well as the other developers he worked with
originating from NETSEC.
This is also probably the reason why you lost your DARPA funding, they
more than likely caught wind of the fact that those backdoors were
present and didn't want to create any derivative products based upon
the same.
This is also why several inside FBI folks have been recently
advocating the use of OpenBSD for VPN and firewalling implementations
in virtualized environments, for example Scott Lowe is a well
respected author in virtualization circles who also happens top be on
the FBI payroll, and who has also recently published several tutorials
for the use of OpenBSD VMs in enterprise VMware vSphere deployments.
Merry Christmas...
If you're serious, why don't you write to Theo directly then?
@@randomness3235 This is an exact copy of a(n) (long-debunked) email that TdR received and forwarded to the mailing list over a decade ago for transparency. It lives on as a copypasta.
@@richardmatthewstallman4174 lol, thanks for the info.
Why should I accept disabling HT, effectively almost halving my computing power, on a computer or laptop I use at home? I have a firewall, script blocker, pihole, but even without those I see absolutely zero need to run with HT disabled....
I agree it's probably good for cloud providers, but every single Linux PC and VM I run will have "mitigations=off" as the first thing I do.
If you run a web browser on that computer in your house, then "the user" is not just the people in your house, but every web site visited by every user in your house. Maybe that's an "okay" risk, but you should at least keep it in mind.
Hyperthreading uses the same transistors on CPU as with no hyperthreading, it just uses them more efficiently by allowing multiple threads to run on the same physical core. It does not double CPU performance. Usually you get 10-30% more performance, depending on task and load, which also produces more heat (probably 3-5%). For that reason, sometimes when you disable HT, you get better performance (for example CPU can run higher Hz). If you have multicore CPU like for ex.12C24T disabling HT would have much less of a detrimental impact on performance than with for ex. 2c4T. If normal load on your CPU is below 70% you could probably safely disable HT with zero or near zero negative performance impact and possibly lower power usage and heat generation slightly while making your system more secure. Ultimately it comes down to your threat model and risk tolerance.
I used PC-BSD Isotope for a couple of years and really liked it although it was a little slow for a modern OS. (It's based on Free BSD) I have yet to try TrueOS (the newly renamed PC-BSD) and I've never tried OpenBSD - I would try OpenBSD IF they made a Desktop version. - " TrueOS (like OpenBSD) uses LibreSSL, instead of the standard out of the box OpenSSL that FreeBSD comes with." according to Wikipedia.. which is why I mention it. Perhaps I'll try TrueOS, if it's a desktop version that's just as secure as Open BSD.
All it takes is using pkg_add to install whatever you want. If that's too much work, then maybe OpenBSD isn't for you.
@@sterlingarcher7910 "install whatever you want" - I've never seen OpenBSD, I don't know what bits and pieces it may or may not have to make a complete desktop experience, that's why I used PC-BSD. You assume that 1) I know all of these bits and pieces and you assume 2) I must be lazy if I'm not willing to go through the steps to add these bits and pieces I have no knowledge of. Kinda silly of you for that. Tell ya what pal, why don't you give me a complete detailed list of bits and pieces i need to make Open BSD a complete desktop experience and see how far I get with pkg_add. If you are willing to do that, i'll be willing to add them. You picked a good nickname, Sterling certainly shares your condescending tone.
@@DivergentDroid If you´re using any kind of UNIX/LINUX flavour you should be fine with getting a "desktop version" up and running. There are some good step-by-steps to get a desktop version up and running but even without any help you should be fine. And for the record I don´t assume you´re lazy but from all the UNIX/Linux flavours I went through, OpenBSD was the most simplistic one to get up and running.
OpenBSD comes with fvwm out of the box, packages for GNOME and Xfce are available.
@@paianis See, I never used a system that was not a "desktop" system. You mentioned a desktop environment(s) which I understand. I talked to a guy earlier that explained it like this: " The biggest difference between a "Server" and a "desktop" install is "what gets installed by default". A desktop will install a graphical environment and packages you would typically want (web browsers, email) a "Server" OS won't install those by default." - I had never seen OpenBSD and didn't know what it came with or didn't come with. Heck, I didn't know if it was strictly text based or not as some are. I didn't even know that It would have Xorg or similar or not - something I didn't want to mess with. I have decided first I'm going to test Trident (or Project Trident) TrueOS's new desktop branch After I get that up, I'll try OpenBSD with any desktop items I think I'll need and compare them. Thanks.
I understood nothing but "OpenBSD was right".
Nice try
what is the point OpenBSD being right when OpenBSD is never chosen for renderfarms, servers, custom designed devices, phones, desktops, VM, productivity? Linux is the best choice for all of these. There are more contribution to Linux than any BSD.
Sp you don't use OpenSSH ?
@@autohmae No I don't use OpenSSH when situation not required to. Not all situations require OpenSSH; there are other types of connections.
Less used does not mean useless. I'm not a BSD user, but probably there is an use case for BSD. After all, we use GNU/Linux distributions when every desktop runs Windows and MacOS from a market share point.
@@jvnz1 OpenBSD makes a good firewall/router. FreeBSD makes a good server. NetBSD is probably useful for embedded devices.
autohmae OpenSSH has nothing to do with OpenBSD running anywhere lol
Do those security guys ever care about the performance/watt impact these things have? There wil literally be tons and tons more CO2 emmited because of it.
there are countless industries spitting out carbon and all sorts of pollutants, rain forests burning, wars littering entire countries with toxic and radioactive dusts from DU munition, seas are becoming plastic soup and for you the system programmers attempting to fix Intel's mistakes should "care" ? what are they supposed to do ? leave systems unpatched and open to threats to spare some marginal power ? it is like clearing the ash tray while the house is burning.
Have you decided how many fewer videos you are going to watch this year? just to save those power stations burning the coal to provide them, you know
Do People like you ever care if their Credit-Card Informations get stolen? Or the Bank Accaunt data gets stolen..?
And "tons of tons more CO2": You are plain stupid.... let me proof why:
You can watch Videos, read Mails, Chat... and do most BASIC FUNCTIONS of a NORMAL OFFICE (Writing, printing and co) on a fucking Tablet.... and ARM-CPUs do not even know about HT at all.... see how much Power you could save by not using a INTEL-CPU at all by NOT compromising on the daily stuff you are doing!
And now Sir: Please shut down the PC and read some Books...
You clearly do lack any fundamental understanding of a lot of Things in this World. :)
@@rembrandt2323 Actually, modern ARM64 CPUs, along with other modern CPU architectures support SMT (aka Hyper Threading), and therefore are susceptible to similar attacks. Are they as vulnerable as Intel CPUs, no, but they're definitely not immune. To completely avoid it you either have to use an older pre-SMT based CPU or a platform such as RISC which doesn't support it at all.
MUH C02 EMISSIONS REEEEEE