Anonymous
Anonymous
You can’t check for backdoors on proprietary software
Besides, you can't check for backdoors in open source software either https://en.m.wikipedia.org/wiki/Underhanded_C_Contest
K
You can
No, unless you're given access to the source code
Anonymous
It is as easy to hide a backdoor in open source as it is to hide one in closed source
K
but you also have the fact that there are fewer eyeballs on OpenBSD's code
Linux has a wide user base but far fewer contribute to the code. OpenBSD is the opposite
Anonymous
If you think otherwise then you haven't seen an actual backdoor
Anonymous
Nah, it's just a bot doing random stuff with the kernel until it crashes
and it just does all the possible stuff until it crashes?
Anonymous
It is as easy to hide a backdoor in open source as it is to hide one in closed source
it might be easy, but with closed source you don't even have to try, just put it there and call it a day
Anonymous
Well, essentially google compiles the kernel with kasan, ktsan and many other sanitizers
Anonymous
Anonymous
And then they wait for their injected code to crash the kernel
Anonymous
That's how 70-80% of linux kernel bugs are found
Anonymous
The remaining 10% are found by improving security of the kernel by adding exploit mitigation
Anonymous
There is a very tiny percentage of bugs that are ever found by reading code
Anonymous
still, you haven't given me a good reason to not strip down intel ME
Anonymous
It just isn't possible to find vulnerabilities by reading code and I'll show you why
Anonymous
So, go to the home page of the C standard
Anonymous
And just read it
Anonymous
You'll realise why reading the code is the worst way to find bugs
Anonymous
Just go and read it
Anonymous
It can do more depending on what the vendor lets it do
so the vendor basically does what it wants with the enclave and I have no control over it?
Anonymous
You're telling me that you can memorize several thousands of rules in that C standard? And that each of them would be on your tongue and you'd iterate through each of them for every single line of code you write?
Anonymous
That's just not how it works at scale
Anonymous
And you're trusting that the compiler implements the standard correctly
Anonymous
Which it doesn't
Anonymous
You're trusting that your standard library, malloc, etc. respect the standard
Anonymous
Which they don't
Anonymous
Which they don't
why don't they? what is their reason?
Anonymous
Reading code is not going to help you find vulnerabilities
Anonymous
why don't they? what is their reason?
It's impossible to accurately implement something this complex
Anonymous
How would you do it?
Anonymous
How would you do it?
I can't, I just started learning C
Anonymous
I can't, I just started learning C
Yeah, so you haven't even been made aware that there's actually a standards body for it
Anonymous
If you read the standard
Anonymous
You'll agree with me
Anonymous
You cannot find vulnerabilities by reading code
Anonymous
You cannot remember all of those rules
Anonymous
Even if you memorized, iterating through all of that would be impossible
Anonymous
Btw if you want I can tell you how to set up Linux and find your own vulnerability
Anonymous
You'll find your own vulnerability with 0 knowledge of C in 5 seconds - 5 hours
Anonymous
And once you do that you'll realise that vulnerability counts themselves have nothing to do with security
Anonymous
If you don't believe me I invite you to see for yourself
Anonymous
so what does count as security?
Well, I'll talk later
Anonymous
But essentially BSD does have a problem
Anonymous
BSD is like putting huge locks on your doors
Eliab/Andi
But essentially BSD does have a problem
So what is your OS solution?
Anonymous
And having a really strong door
Anonymous
But leaving the windows wide open
Anonymous
....
Anonymous
So what is your OS solution?
none apparently at this point
Eliab/Andi
none apparently at this point
Yep, more trolling IMO
Anonymous
So what is your OS solution?
Modern OSes like Fuchsia running on Zircon, formally verified OSes like seL4
Anonymous
Modern OSes like Fuchsia running on Zircon, formally verified OSes like seL4
even then there will still be userspace software with garbage security
Anonymous
Fuchsia will sandbox everything
Anonymous
So you support Google's tracking
I hope it's open source so at least we can remove those components
Eliab/Andi
Fuchsia will sandbox everything
Yep, like Chrome OS does, and you still have to use your Google account
Eliab/Andi
Wonderful
Anonymous
So you support Google's tracking
I thought this was a FreeBSD group but no, this is Twitter
Me: hey, I like roses
Random guy: so, YOU hate vegetables!
Or even better
Me: I like pineapple
Me: I like pizza
Random guy: then you'll love pineapple pizza
What
Eliab/Andi
Yep ...let him troll
Anonymous
I hope it's open source so at least we can remove those components
Realise that android satisfies the definition of FLOSS
Anonymous
I don't see how google would close off fuchsia either
AMIR
Modern OSes like Fuchsia running on Zircon, formally verified OSes like seL4
Any other information about Zircon? What's the origin of this kernel?
AMIR
thanks
Anonymous
Completely written from scratch
Anonymous
Based off nothing
Anonymous
Zircon is what you'll eventually want in mission critical environments
AMIR
just curious
Candy
You cannot remember all of those rules
I don't really agree with this. It's quite feasible to know almost all the weird edge cases to the C language standard, but I'd say it's mostly irrelevant. I doubt there are many vulnerabilities in C code that are due to weird edge cases in the language that most competent C programmers don't know about. It's more a case of analyzing code by hand being inherently difficult anyway when searching for bugs.
Anonymous
You cannot tolerate windows having a BSOD or Linux kernel panicking in your self driving car