Theo de Raadt: "You've been smoking something mind altering" (2007)

75 points - today at 4:05 PM

Source

Comments

tptacek today at 6:04 PM
One of his dumber takes. Virtualization replaces an ultra-functional general-purpose kernel evolved over decades to support every conceivable application with a drastically smaller "kernel" (KVM and the userland hypervisor). It's a drastic attack surface reduction, and the empirical data bears that out: kernel LPEs aren't even newsworthy (there's whole repos full of unnamed, unremarked-upon LPEs), and KVM escapes are very rare.
Gualdrapo today at 5:38 PM
"Torvalds, via e-mail, says De Raadt is “difficult” and declined to comment further."

https://www.forbes.com/2005/06/16/linux-bsd-unix-cz_dl_0616t...

Imagine being so hard you're labelled as "difficult" by no other but Linus Torvalds

vlovich123 today at 6:22 PM
> A simple tool was presented, iofuzz, that exposes exploitable security flaws in most, if not all, virtual machines available today. To the knowledge of the author, no similar research has been conducted before. The results produced by crashme, a tool well known for over a decade, locating trivial flaws dem- onstrates this. No virtual machine tested was robust enough to withstand the testing procedure used, and multiple exploitable flaws were presented that could allow an attacker restricted to a vir- tualised environment to reliably escape onto the host system. The results obtained demonstrate the need for further research into virtualisation security and prove that virtualisa- tion is no security panacea.

https://taviso.decsystem.org/virtsec.pdf

He’s not wrong based on the research at the time. The mistake is presenting this as if it’s something that will be true for all time. Is virtualization a panacea? No. CPU manufacturers can’t even protect against side channel attacks. But it’s completely missing what this provides which is that the difficulty and cost of creating an exploit is higher today than 20 years ago. And it’s amusing to hear someone blasting away at the security of others when BSD has its own share of problems and architectural weaknesses are discovered through popularity of your system being an attack target, not because you’re smarter than everyone else and made better choices (sometimes it can be true in places, but harder to maintain for a big piece of software like an OS)

Gud today at 8:33 PM
I don't understand the constant (almost always unsubstantiated) criticism of the *BSDs from many Linux advocates.

Personally I evaluate each OS by it's merit, and I've concluded that OpenBSD, FreeBSD and some Linux distributions(I use arch btw) are solid operating systems.

On the server I prefer FreeBSD because of it's amazing flexibility, and stable yet evolutionary base system and in my opinion, superior init system. Simple RC scripts FTW.

I use Arch Linux for superior software and hardware support, related to client usage.

I use OpenBSD for various network appliances.

deleted today at 8:25 PM
ranger_danger today at 8:47 PM
I wished more people would take issue with developers' bad attitudes.

I know this is an extremely unpopular take, but I refuse to use software where the main dev(s) are openly abusive to others. Sadly this includes the majority of open source operating systems and many other very popular applications... but it's my decision and you're welcome to disagree with me. I am not trying to prevent others from using said software, and I don't look down on them for it.

I think if everyone was always forced to separate the art from the artist, then boycotting wouldn't even be a thing, so there should probably be some kind of middle ground.

deleted today at 5:49 PM
rustcleaner today at 7:02 PM
If OpenBSD pretended Qubes OS was a feature prototype/reference OS build and made a fork of OpenBSD to feature-match Qubes OS (calling it QuBSD or something), that would be great!
cptroot today at 5:25 PM
I would love to know how OP came across this email nearly 20 years after the fact
DonHopkins today at 6:31 PM
My favorite Theologism:

    "My favorite part of the "many eyes" argument is how few bugs 
    were found by the two eyes of Eric (the originator of the 
    statement).  All the many eyes are apparently attached to a 
    lot of hands that type lots of words about many eyes, and 
    never actually audit code." -Theo de Raadt
https://en.wikipedia.org/wiki/Linus%27s_law
dstnn today at 8:51 PM
Dude is 100% right
mvdtnz today at 9:40 PM
I don't know who this guy is but this is just a shitty way to interact with people. Presumably he's successful or we wouldn't be talking about him without any introduction, but I wouldn't hire this person to sweep the floors at my office.
worik today at 9:11 PM
That is old news, Theo was harsh, arrogant and rude. He was not always right, but always RIGHT!!

But ten years ago. What is the point now?

znpy today at 6:51 PM
I think de Raadt and OpenBSD are hugely overrated and some takes are as dumb as the one in the post.

OpenBSD is only secure because because it does pretty much nothing and does it very slowly (its firewall just recently broke the 4gbps firewalling capabilty, for example) but somehow a cult has formed around it ¯\_(ツ)_/¯

jurgenaut23 today at 7:39 PM
god bless usenet. The good ol' flame wars aren't what they are used to anymore with all this moderation and trolling feeding each other around here.
oooyay today at 6:00 PM
Even very smart, very accomplished people can be very wrong. Xen is seeing a resurgence from Xen Orchestra and I've used it in my homelab. It's quite pleasant. I also, of course, use de Raadt's software as well.