upvote

points

by cperciva11 hours ago |
comments
upvoteby gucci-on-fleek6 hours ago|
next
[-]
I'm somewhat skeptical here, because I notified the FreeBSD security team of a vulnerability a few years ago, and I never got a response, even after a follow-up email a few weeks later. To be fair, my report was about a non-core component, and the vulnerability wouldn't be very easy to exploit, but Debian, OpenBSD, SUSE, and Gentoo all patched it within a week [0].

That being said, I'm not suggesting that anyone should judge an entire OS based off of how they handle a single minor report, since everything else that I've seen suggests that FreeBSD takes security reports quite seriously. But then you could also use this same argument for the Linux kernel bug, since it's pretty rare for a patch to be mismanaged like this there too :)

[0]: https://www.maxchernoff.ca/p/luatex-vulnerabilities#timeline

reply
upvoteby stingraycharles3 hours ago|
parent|
[-]
Linux Kernel doesn’t differentiate between security bugs and other bugs, which is the main complaint here I think. They have the same process.

So the issue is bigger than the mishandling of a single issue, it’s a fundamental process issue around security for one of the most impactful projects in the entire space.

reply
upvoteby krupan10 hours ago|
prev|
next
[-]
If you are switching to a BSD for security reasons, why FreeBSD? Isn't OpenBSD the super secure one? Sorry, it's been a while since I've looked at those projects
reply
upvoteby loloquwowndueo9 hours ago|
parent|
next
[-]
The person suggesting FreeBSD is a FreeBSD developer (Colin Percival - actually according to Wikipedia FreeBSD engineering lead), would be weird for him to suggest openbsd.
reply
upvoteby Rendello6 hours ago|
parent|
[-]
I'm reminded of another legendary HN thread:

https://news.ycombinator.com/item?id=35079

reply
upvoteby guiambros4 hours ago|
parent|
next
[-]
Also hilarious to see Drew Houston responding a bit later on the same thread:

> we're in a similar space -- http://www.getdropbox.com (and part of the yc summer 07 program) basically, sync and backup done right (but for windows and os x). i had the same frustrations as you with existing solutions.

> let me know if it's something you're interested in, or if you want to chat about it sometime.

>drew (at getdropbox.com)

reply
upvoteby liamwire4 hours ago|
parent|
prev|
[-]
It may well have been your point, but that it's the exact same person makes this even better
reply
upvoteby andai10 hours ago|
parent|
prev|
[-]
I haven't switched to BSD but I've been thinking about it for a while. I just saw Vultr has both FreeBSD and OpenBSD!
reply
upvoteby landr0id10 hours ago|
prev|
next
[-]
FreeBSD didn’t have user land ASLR until 2019 and, amongst other mitigations, still doesn’t have kASLR. It’s not a serious operating system for people who care about security. If you want FreeBSD and security take Shawn Webb’s HardenedBSD.
reply
upvoteby kelnos10 hours ago|
parent|
next
[-]
Last I read, ASLR is a good thing to have, but overall is usually not difficult to defeat. It's a speed bump, not a brick wall.

I don't think it's reasonable to say that an OS that lacks it isn't "serious" about security.

reply
upvoteby landr0id10 hours ago|
parent|
[-]
>Last I read, ASLR is a good thing to have, but overall is usually not difficult to defeat.

For local attackers there may be easier avenues to leak the ASLR slide, but for remote attackers it's almost universally agreed it significantly raises the bar.

>I don't think it's reasonable to say that an OS that lacks it isn't "serious" about security.

When they implemented it in 2019 it had been an 18-year-old mitigation. If you are serious about security, you implement everything that raises the bar. The term "defense-in-depth" exists for a reason, and ASLR is probably one of the easiest and most effective defense-in-depth measures you can implement that doesn't necessarily require changes from existing code other than compiling with -pie.

reply
upvoteby abrookewood8 hours ago|
parent|
prev|
next
[-]
Is there anywhere that provides a good overview of the various OS protection technologies/approaches that exist and which OSes have implemented them?
reply
upvoteby user393938210 hours ago|
parent|
prev|
[-]
So you have one example in hand and trash talked FreeBSD’s entire security team. Bold claims are fine but this is lazy.

FreeBSD isn’t secure, I suspect you’re sitting on a pile of 0 days for it?

reply
upvoteby landr0id10 hours ago|
parent|
[-]
Ask yourself why Mythos was so easily able to develop a remote STACK buffer overflow vulnerability.
reply
upvoteby nozzlegear8 hours ago|
parent|
[-]
Define "so easily"?
reply
upvoteby landr0id7 hours ago|
parent|
[-]
They exploited a linear stack buffer overflow. Not a write-what-where or arb write. A linear stack buffer overflow in 2026! There are at least two distinct failures there:

1. No strong stack protectors.

2. No kASLR.

That's 20-year-old exploit methodology.

reply
upvoteby tclancy9 hours ago|
prev|
next
[-]
There’s always a guy. It’s great that your favorite distro is definitely safer. An order of magnitude fewer exploits will mean only a few thousand or so, I suppose. Ozymandis used Gentoo.
reply
upvoteby dag1008 hours ago|
parent|
next
[-]
Calling FreeBSD "just a distro" is verging on insulting. It's an operating system.
reply
upvoteby shakna5 hours ago|
parent|
prev|
next
[-]
Well, as they're a FreeBSD dev, I would be surprised if they pointed anyone in a different direction.
reply
upvoteby 6 hours ago|
parent|
prev|
next
[-]
deleted
reply
upvoteby LoganDark8 hours ago|
parent|
prev|
next
[-]
FreeBSD is not a distro. It's not even Linux; it's a completely different kernel and operating system that traces back to even before Linux. It's honestly closer to Darwin than it is to Linux; macOS is technically a BSD. (Not FreeBSD though.)
reply
upvoteby steve19776 hours ago|
parent|
[-]
Darwin is its own thing really. There are parts from BSD, there are also parts from Mach and there are also unique parts.
reply
upvoteby GalaxyNova8 hours ago|
parent|
prev|
[-]
FreeBSD is not a distro
reply
upvoteby stackghost6 hours ago|
parent|
[-]
What does the D in BSD stand for again?
reply
upvoteby tom_alexander1 minutes ago|
parent|
next
[-]
That's more of a historical artifact. The BSDs started as a set of patches for AT&T Unix that were _distributed_ by Berkeley. Eventually they became an entire operating system. _Then_ the various BSDs that we know today (FreeBSD, OpenBSD, NetBSD, DragonflyBSD) all forked and became completely independent operating systems. For decades, FreeBSD's kernel and userland has been developed independently from the OpenBSD kernel and userland which is developed independently from NetBSD's kernel and userland, etc. You could not take an OpenBSD program and run it on FreeBSD. Even recompilation from source isn't necessarily enough since the BSDs support different syscalls.

They are completely independent operating systems with a distant shared history.

reply
upvoteby shaky-carrousel6 hours ago|
parent|
prev|
next
[-]
Distribution. Which is a different word than distro, with a different meaning. Like smart and smartass.
reply
upvoteby einsteinx234 minutes ago|
parent|
[-]
While you’re correct that FreeBSD is not a Linux distribution, the word “distro” is literally short for distribution. It doesn’t have a different meaning like smart and smartass, it’s more like repo and repository.
reply
upvoteby beng-nl6 hours ago|
parent|
prev|
[-]
Distribution. But it’s not a Linux distribution.
reply
upvoteby dijit3 hours ago|
prev|
next
[-]
FreeBSD is quite lax when it comes to security- especially defaults and configs.

The preference is for usability over security.

Famously: https://vez.mrsk.me/freebsd-defaults

I appreciate your work on the project, but I can’t in good conscience suggest people switch while are such bad defaults.

reply
upvoteby f30e3dfed1c96 hours ago|
prev|
next
[-]
Been constructing a lot of infrastructure servers recently, almost all of them FreeBSD VMs running under bhyve on FreeBSD physical hosts. It's a very simple, clean, pleasant environment to work in. And they all run tarsnap. ;-)
reply
upvoteby eahm11 hours ago|
prev|
next
[-]
Also funny they never show Debian in those tests/videos.
reply
upvoteby cperciva10 hours ago|
parent|
next
[-]
Debian is probably the best of all the Linuxes, but still suffers from split-brain: If patches are sent upstream first, Debian can't start digesting them until they're already public.

With FreeBSD there's never any question of "who should this get reported to".

reply
upvoteby JoshTriplett10 hours ago|
parent|
[-]
> Debian can't start digesting them until they're already public

Not sure what you mean by this. Debian is able to handle coordinated disclosures (when they're actually coordinated), and get embargoed security updates out rapidly without breaking the embargo.

Is there some other aspect of this that you're referencing?

reply
upvoteby cperciva5 hours ago|
parent|
next
[-]
The key words there are "when they're actually coordinated". Debian doesn't own the Linux kernel, and the kernel developers don't bother with coordinated disclosure, so the happy path of coordinated disclosure only happens when reporters make the non-obvious choice of reporting vulnerabilities to people other than the maintainers.
reply
upvoteby JoshTriplett3 hours ago|
parent|
[-]
Fair enough; yeah, at the point where the embargo failed, it was important that patches get to distros as fast as possible in order to ship the fixes.
reply
upvoteby pavon7 hours ago|
parent|
prev|
[-]
The fact that the kernel security team has decided coordinating disclosure is someone else's problem so it happens inconsistently.
reply
upvoteby juujian11 hours ago|
parent|
prev|
[-]
How so?
reply
upvoteby 11 hours ago|
parent|
[-]
deleted
reply
upvoteby 11 hours ago|
parent|
next
[-]
deleted
reply
upvoteby 11 hours ago|
parent|
prev|
[-]
deleted
reply
upvoteby ComplexSystems6 hours ago|
prev|
next
[-]
While I am sure FreeBSD is more secure than your average Linux distro, I sure hope they are using these new AI models to harden everything.
reply
upvoteby homebrewer4 hours ago|
prev|
next
[-]
Has everyone here already forgotten about the WireGuard tire fire?

https://lwn.net/Articles/850098

https://news.ycombinator.com/item?id=26507507

tl;dr: deeply insecure WireGuard implementation committed directly into the FreeBSD kernel with zero review.

Was this process problem fixed?

reply
upvoteby pjmlp4 hours ago|
prev|
next
[-]
Only to be thrown out of the windows with a plain "curl | sh".
reply
upvoteby skydhash1 hours ago|
parent|
[-]
curl | sh is more prevalent in Linux where you can expect a stable ABI from the kernel and sometimes GNU libc. No such things in BSD land. Packages are built against a release always. They don't maintain binary compatibility.
reply
upvoteby pjmlp1 hours ago|
parent|
[-]
Hardly an argument against random shell scripts execution, quite often elevated.

Not everyone installs only what is available in pkgsrc.

reply
upvoteby bananamogul7 hours ago|
prev|
next
[-]
FreeBSD just slaps at the problem. OpenBSD solves it.

I kid, I kid...

reply
upvoteby 7 hours ago|
prev|
[-]
deleted
reply