OpenBSD 3.8 officially released today
Mail from Theo to the list this morning:
From: Theo de Raadt
To: announce@cvs.openbsd.org
Date: Nov 1, 2005 1:30 AM
Subject: OpenBSD 3.8 released November 1, 2005
Go and get it! (Please remember to check the primary mirrors please — thanks)
OpenBSD 3.8 RELEASED
Nov 1, 2005.
We are pleased to announce the official release of OpenBSD 3.8. This is our 18th release on CD-ROM (and 19th via FTP).
We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install. As in our
previous releases, 3.8 provides significant improvements, including new features, in nearly all areas of the
system:
OpenOffice.org 2.0 released
It's official, OpenOffice.org 2.0 was released today. You can get yours here. The most exciting new features, most of which we've mentioned before, are the OpenDocument format, a redesigned user interface, a new database module, improved PDF support, a redesigned spreadsheet module, and enhanced desktop integration, but there are a whole host of stability and speed improvements under the hood. Go take a look.
Happy 10th, OpenBSD!
A great big "Happy Birthday!" today to Theo
and the gang over at OpenBSD. It was 10 years ago today that the security-focused
group spun off to start work on the project that has given us OpenSSH, PF, and a constant crusade for companies to
provide hardware documentation for everyone. Here's to many more!
And as long as we're talking about OpenBSD: OpenBSD 3.8 is scheduled for
delivery on Nov. 1st, and they're taking preorders.
Comparison of OpenSolaris/Solaris 10, Linux 2.6, and FreeBSD 5.3 kernels
Very interesting article posted to the
NYCBug mailing list: Max Bruning of the
OpenSolaris project
compares
three of the biggest open source operating system projects. His conclusion? It's amazing how much they have in common,
and he anticipates even more overlap now that the Solaris code is open sourced. That in and of itself isn't a huge
revelation, but he does a great job of explaining some of the concepts of kernel design without getting so detailed you
have to actually be a kernel hacker to understand what he's saying. It's a nice rundown of where the projects differ,
particularly with respect to hardware abstraction, and what the consequences of the differing approaches are.
ShmooCon 2006
A reminder: Early registration for ShmooCon 2006 closes Saturday. Until then, you can get in for $75. After that, it's $150. The Shmoo Group guys bill ShmooCon pretty modestly as "the annual East coast hacker convention," but it's one of the premier events of the year for hackers and security experts around the country. This year's conference will be divided into three tracks:
- Break It! A track dedicated to the demonstration of techniques, software, and devices devised with only one purpose in mind—technology exploitation. You will bear witness to some of the most devious minds, source code, and gadgets on the planet that focus their energies on breaking the technology we mindless sheep keep on buying. Baaaaa.
- Build It! A track that showcases inventive software & hardware solutions—from distributed computing or stealth p2p networks to miniature form-factor community wireless network node hardware or robotics even. Let loose your inner geek, and feel free to gawk. With all the neat stuff, it's important to take notes—that way we all have evidence to shoot down some sleazeball patents 5 years from now.
- Bof It! A track that promotes the open discussion of critical information security issues in a "birds of a feather" format. From lightning open source code audits or wireless insecurity discussion panels to DRM rants or anonymity & privacy strategies—it's down and dirty, with plenty of controversy for folks who like hashing it out with fellow hackers. Feel free to throw your Shmooballs here, but no fisticuffs, please. Settle your differences with some head-to-head Xbox in the evening, instead.
No specifics on the individual sessions yet—the CFP is still open—but it will be a great opportunity to meet great people from throughout the hacking community. New this year will be the Hacker Arcade, a "Chuck-E-Cheese" with all the games hacked by con goers and proceeds donated to the American Red Cross (who may be on call during the BoF sessions…).
SSH Communications pans OpenSSH
According to eWeek, SSH Communications, the
creators of SSH, came out on the offensive against OpenSSH this week as part of the launch of
SSH Tectia 5.0, claiming that
OpenSSH is good, but it's not enterprise strength like Tectia:
OpenSSH certainly has its place, and we are not competing with them. We truly have a different class of product
that is more suitable for business-critical applications.
In particular, SSH Communications claims that OpenSSH provides poor sftp and application connectivity support,
never mind that OpenSSH encrypts the vast majority of the world's VPN traffic.
Needless to say, the OpenSSH team was not amused, considering that according to their numbers OpenSSH is deployed on
87% of all internet-facing servers, and 92% of servers that provide SSH access. It is also the SSH implementation of
choice for router and firewall vendors from Cisco and Foundry to D-Link and Linksys.
OpenBSD 3.8 theme song released
I just got the email from Theo: the OpenBSD 3.8 theme song "Hackers of the Lost RAID" has been released. For those
of you who aren't familiar, on each OpenBSD release CD the team includes a song written to commemorate that particular
release; as the release date gets closer, they make the theme available for
download on the website. This time "song" is a bit of a misnomer;
it's really more in the style of an old time radio play portraying the adventures of Puffiana Jones as he tries to
uncover the documentation for the "lost RAID." Those of you who have been playing along at home will recognize this as
a deliberate dig at Adaptec, IBM/Mylex, and others who refused to give the team documentation for their controller APIs
and thwarted the efforts of Theo & Co. to reverse engineer them. The song is available for download as both MP3 and
OGG, and the lyrics and the story behind them are on the download page.
I'm also going to pass along Theo's request to the Open Source community: please don't give your money to companies
that not only don't support but actively thwart open source development. Please do reward companies that do provide
documentation. And if you really want a product from a vendor that doesn't play nice, explain to them how much you're
looking to spend on their product—RAID solutions aren't cheap—and pester them for the docs. The complete list of who's
been bad and good is also on the download page.
Announcement: Ohio LinuxFest 2005 this weekend
For many of you this will be extremely short notice, but I just found out about it, and I thought I'd pass it along:
Ohio LinuxFest 2005 will be this Saturday, October 1st, at the Greater Columbus
Convention Center. If you're in Ohio or Western PA this weekend, the conference is free and it looks like they have
some really great talks lined up:
Morning Keynote
LINUX: Architecture choices and decision points
Chris Hicks, IBM Americas Linux on Power Executive
Different types of servers have long had different operating systems and different architectures. Linux creates
commonality in an operating system although there are some nuances. And the hardware architectures are different. Why?
Each was designed with different types of workloads in mind. It can be valuable to know the key differences in
architectures that can run Linux. Each has incredible strengths when paired with the right kind of workload. Knowledge
can be a key to exploiting those differences and avoiding risks presented when you get the wrong workload /
architecture pairing. Linux has not changed the "laws of physics", but it has made it easier to exploit diverse
architectures with common skills.
Chris Hicks, IBM Americas Linux on Power Executive, will discuss IBM's Power architecture, Intel, Opteron and even
throw in a little mainframe to help in understanding how they differ and what works well for which workloads. In
addition Chris will talk to some "cool things" IBM is doing with Linux on Power architecture.
Afternoon Keynote
Linux: Past, Present, and Future
Jerry Mayfield, Senior Corporate Business Strategist Novell, Inc.
During this keynote address, Jerry Mayfield from Novell will provide some historical content to explain how Linux has
evolved over the past 10 years to get to where it is today. More importantly, he will discuss how Linux will evolve
over the next few years, from multiple perspectives.
- From the perspective of a developer… What does the roadmap look like?
- From the perspective of a user… What are the challenges we are facing?
- From the perspective of a business… How do we capitalize on Linux?
Jerry Mayfield is a Senior Corporate Business Strategist for Novell. In this capacity, he is responsible for the
development and delivery of product and company strategy information. Prior to joining Novell in 1990, Jerry was the
Central Operations LAN and Unix Marketing Specialist for WANG Laboratories. Before joining WANG Laboratories in 1988,
Jerry was the Unix and communications support group leader for Concurrent Computer Corp., a manufacturer of Real-Time
Unix systems.
Other Talks:
Celtx: open source screenwriting app
Currently available for Linux, OS X, and Windows (although porting to something else shouldn't be too difficult), Celtx is an open source tool for managing screenwriting and movie production workflows, including revision, scheduling, and casting, released under the Mozilla license and based on the Mozilla framework. It's a web services-based application that includes an integrated server and can be run locally or from a server to allow content sharing and collaborative workflows. Currently at version 0.9.3, it's intended to be an enterprise-class tool when it moves out of beta.
Open source Google searches
I'm not sure how long these have been hiding along with some other betas (but then what at Google isn't beta these days) in the "Special Searches", but Google has introduced two specialty searches for people looking for information related specifically to Linux and BSD. It's a useful little feature, especially when looking for docs and information on compiling software for various platforms.
Massachusetts chooses OpenDocument format
The big F/OSS
news this weekend has been Massachusetts'
Enterprise Technical Reference Model, published Friday, which requires state agencies to switch to open document
formats over the next 18 months. Specifically, the document requires that text documents be archived in
OpenDocument XML, the
OpenOffice.org document format. The move is seen as both
a victory for open source software and a blow to Microsoft, since Office doesn't support the format. I'd be lying if I
said I wasn't absolutely thrilled.
The thing to remember here, though, is that the reference model specifies a file format, not a software suite. While
the gut reaction is that OpenDoc means OpenOffice, the format is an open standard, and there's nothing at all to
prevent Microsoft from adding OpenDoc support to Office in the next 18 months. And this is as it should be. The purpose
of open standards is to allow end users access to and control over their information. Open source projects should and
normally do support open file formats because it makes practical and ethical sense, but there is no hard link between
the two. A commercial product is welcome to support an open file format, either natively or through implicit or
explicit conversion. And on the other hand, there is nothing to stop an open source project from developing a
proprietary file format. It will be an open format because people who want to can read the code, but it doesn't need to
be standards compliant. Of course, in many cases open source and open format go hand in hand. There are notable
exceptions, though, including at least one other format the reference model approves: PDF. Adobe has been very open
with the PDF file spec, and many open and closed source applications have been developed to support it. But that hasn't
stopped Adobe's own programs from being the premier PDF creation and manipulation tools. Can Word become to OpenDoc what
Adobe is to PDF? Probably, if Microsoft sets its mind to it, especially with Word 12 due out soon. Most people wouldn't
even notice if the default save format changed. They certainly wouldn't notice another selection being added to the
"Save As…" drop-down. And again, that's as it should be. As long as users have access to their data in an open format,
commercial developers are welcome to play along if they think they can provide a service people are willing to pay for.
In fact, StarOffice and IBM Workplace already fit into that niche.
What would be nice, of course, would be for Massachusetts and other government entities to start requiring that
government offices deploy software that not only uses open formats, but has open source that has been vetted by a
large community of programmers, and that can be modified as needed to fit the needs of particular organizations and
projects.
Open formats, though—particularly standards-based open formats—are a huge step in the right direction.
The ethics of flame wars.
SSRN published a paper by E. Gabriella Coleman of Rutgers' Center
for Cultural Analysis last week entitled "Three Ethical Moments in Debian." The paper is available for free
download, and examines the way open source
projects deal with ethical questions and identity crises. The fist moment she looks at is what she calls "ethical
enculturation," the period of apprenticeship at the beginning of a devlopers envolvement in a F/OSS project when s/he
begins to internalze the ideals, mores, and best practices of the community. The second is "the process of legal
pedagogy and production through which developers confront,
internalize, and develop concrete meanings of freedom as these are hinged to legal and technical
issues", or as we normally call them, "licensing disputes". And the thrid "ethical moment" is crisis:
During these moments, we find that while developers may share a common ethical ground, they often disagree about
the implementation of its principles. Though the content of these debates certainly matters (and will be discussed to
some extent), my primary focus is on the productive affective stance that these crises induce. I argue these are
moments of assessment, in which people turn their attentive, ethical being toward an unfolding situation and engage in
very difficult questions. In this mode, passions are animated and values are challenged and sometimes reformulated.
Crises can be evaluated as moments of ethical production in terms of not only their functional outcomes but also their
ability to move people to reflexively articulate their ideals—an important condition of possibility for further action.
Such dialogical and conflicted debate reflects the active engagement of participants who renew and sometimes alter
their ethical commitments. Thus, crisis can be vital to establishing and reestablishing the importance of normative
precepts.
In other words, flame wars aren't really soul-destroying, pointless free-for-alls that can permanently tear OS
communities apart; they're productive opportunities to redefine ourselves and cathartic experiences that clear the
air.
Sounds good to me. Now if you'll excuse me, I think I just saw a newbie top posting…
In all seriousness, though, this is an interesting look at an OS project in terms of the way the community functions,
rather than in terms of the way the product is produced.
NYCBSDCon wrap-up, Part 4: Eric Allman on DKIM
Since one of the scheduled speakers couldn't make it because of logistical problems, Eric Allman agreed to step in
at the last minute and talk about his latest
project, Domain Keys Identified Email, or DKIM. For those of you who
don't know who Eric is, he's the creator of Sendmail. So when he thinks email
needs a new protocol, it's a big deal.
The basic idea is this: we have effective means of encrypting messages so that they can't be tampered with in transit
(PGP, S/MIME). What we don't have yet is an effective means of verifying that a message is from the sender it claims to
be from, or of knowing whether we should trust that sender. This is particularly important when attempting to identify
spam and trying to prevent the spread of viruses that open up a person's address book and attempt to replicate using
borrowed identities.
The DKIM solution is essentially to enforce reverse DNS lookups. When mail is sent, certain header fields will be signed with a signature contained in a new DKIM-Signature header. The public key for the signature will be contained in a special subdomain of the DNS server for the domain from which the message is sent, and the receiver will verify the message by sending a request to signer._domainkey.dnsdomain.tld. If the DNS server has a key on file, it will send it to the recipient, and if the signature can be decoded and a checksum of the message completed, the message will be accepted as authentic.
In theory, it's a great plan, particularly for spam. It will force RDNS correctness, which will be a great step forward in and of itself. It will also be very difficult for spam to come through, because the responsibility for providing DKIM keys will lie with the DNS SOA entity and spammers will be forced to actually obtain accounts rather than preying on open SMTP relays. DKIM can also be combined with SMTP-Auth to secure relays and with end-to-end encryption of a user's choice. Furthermore, it should be all but transparent to users, since in most cases the signer will be the domain and signing and decoding should be handled by the MTA, allowing for normal POP or IMAP delivery.
There are a couple of potential catches, though. Many users will not want their messages signed by their ISP, and ISPs may not want to take on the responsibility for what their users send. In that case, users will end up with personal keys. For DNS purposes, then, each person sending an email would be treated as his/her own domain, greatly increasing DNS traffic and making caching difficult. Under current practice, receiving email for every user at fqdn.domain.tld requires only one RDNS lookup for the TTL of the record, and many people don't even bother with it because RDNS is so unreliable. Simply enforcing RDNS lookups would significantly increase traffic. Looking up every user@fqdn.domain.tld would increase DNS traffic almost exponentially. On the other hand, DNS queries don't take up much bandwidth. The other issue is the notorious insecurity of DNS itself. Few protocols have been more historically prone to exploitation, and although a man in the middle attack is a more expensive way to spoof sender addresses than simple header rewriting, it's certainly not inconceivable.
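To make the sign-then-lookup flow described above concrete, here is an added example in Go (not code from Eric's talk or from any DKIM implementation): the sender signs a few headers plus a body hash with RSA-SHA256, publishes the public key at selector._domainkey.domain, and the receiver fetches that key and checks the signature. The DNS lookup is stood in for by a constructed in-memory map, and the header set, canonicalization and tag layout are simplifications assumed here, not the real specification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"strings"
)

// fakeDNS is a constructed stand-in for DNS: "selector._domainkey.domain" -> base64 DER public key.
var fakeDNS = map[string]string{}

// Message is a minimal mail message: lower-cased header names -> values, plus the body.
type Message struct {
	Headers map[string]string
	Body    string
}

// canonical builds the bytes that get signed: the covered headers (assumed here to be
// From, Subject and Date) as "name:value" lines, followed by a hash of the body.
func canonical(m Message) []byte {
	var b strings.Builder
	for _, h := range []string{"from", "subject", "date"} {
		b.WriteString(h + ":" + strings.TrimSpace(m.Headers[h]) + "\n")
	}
	bh := sha256.Sum256([]byte(m.Body))
	b.WriteString("bh=" + base64.StdEncoding.EncodeToString(bh[:]))
	return []byte(b.String())
}

// PublishKey installs the signer's public key where a DKIM verifier would look for it.
func PublishKey(selector, domain string, pub *rsa.PublicKey) {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	fakeDNS[selector+"._domainkey."+domain] = base64.StdEncoding.EncodeToString(der)
}

// Sign produces a simplified DKIM-Signature header value (tag=value list) for the message.
func Sign(m Message, selector, domain string, priv *rsa.PrivateKey) (string, error) {
	digest := sha256.Sum256(canonical(m))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return "v=1; a=rsa-sha256; d=" + domain + "; s=" + selector +
		"; b=" + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify parses the header value, fetches the key from "DNS" and checks the signature.
// Any missing key, malformed field or mismatch yields false (message not authenticated).
func Verify(m Message, dkimSig string) bool {
	tags := map[string]string{}
	for _, kv := range strings.Split(dkimSig, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			tags[k] = v
		}
	}
	pubB64, found := fakeDNS[tags["s"]+"._domainkey."+tags["d"]]
	if !found {
		return false // no key on file for that signer: cannot authenticate
	}
	der, err1 := base64.StdEncoding.DecodeString(pubB64)
	sig, err2 := base64.StdEncoding.DecodeString(tags["b"])
	pubAny, err3 := x509.ParsePKIXPublicKey(der)
	pub, ok := pubAny.(*rsa.PublicKey)
	if err1 != nil || err2 != nil || err3 != nil || !ok {
		return false
	}
	digest := sha256.Sum256(canonical(m))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```

A tampered body changes the body hash inside the signed bytes, and a signature whose d= tag names a domain with no published key is rejected before any cryptography runs, which is the "key on file" check the post describes.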
NYCBSDCon wrap-up, Part 3: Michael Lucas on Networks and Bosses
In many ways, this was one of the most
interesting sessions, but it covered far too much ground to give an effective recap of the technical details.
Essentially, there were two parts to the talk. First was a rundown of several of Michael's favorite network monitoring
tools: net-snmp, MRTG, and NetFlow. The what
to use when breakdown was something like this: SNMP gives unparalleled depth of information, but was designed for a
time when the internet was friendlier. Use it behind a firewall. Several firewalls. MRTG provides great graphics and
resource-per-time graphs, such as disk usage or network traffic patterns over a period of years or months. And the
various tools that use the NetFlow protocol and manipulate NetFlow data can be configured to tell you just about anything
you might want to know about traffic on your net and are indispensable for troubleshooting, recovering from attacks, and
setting tripwires. He's posted links to
tutorials on all three systems on his
site.
The second part of the talk was about how to use system administration to "wrap your boss around your little finger," and
he gave some great advice that should really be common sense, but probably isn't. First, don't talk to your manager the
way you'd talk to a tech (unless your manager happens to be a tech). Put your requests and explanations to him/her in a
way that makes sense in the context of the business you're doing. Second, give your superiors lots of information,
because if there's something missing or something they don't understand, the holes will get filled with
misinformation on the way up the food chain. And finally, talk in terms of money, particularly when trying to "sell"
open source solutions. Talk about "better" and more robust, but also talk about up front costs and total cost of
ownership, and compare it to the current implementation or whatever will be competing with it.
Good advice.
NYCBSDCon wrap up, Part 2: Certification
Now that I've had some time to digest everything, it's time to talk in a little more depth about Saturday's
presentations. First up, Dru Lavigne's
presentation on BSD
Certification. I've been skeptical of this project. There's no denying that BSD, particularly FreeBSD, enjoys wide
deployment in enterprise settings where employers might like sysadmins to be certified. It's also clear that
having a certification might help with advocacy: more organizations might be willing to adopt BSD OSs if there were
some official recognition for qualified admins. What's been unclear to me, though, is how a specifically BSD cert will
be of any practical value since so many of the basic concepts are already covered by
SAGE.
After listening to Dru's talk, though, I'm more convinced. I knew they had done a lot of research, but I didn't
realize how extensive it is, and how extensive the plans for further review are. It certainly looks like they have the
tools in place to figure out exactly where the BSD cert will fit into existing certification schemes. Toward that end,
take a minute to drop by and fill out the latest
survey, if you haven't
already.