
SecBSD: Unix-like operating system focused on computer security - protomyth
https://www.secbsd.org/
======
6c696e7578
IMHO stock OpenBSD is a better start. Concise and secure. Sending all traffic
through a VPN is probably a bad idea; it is better IMO to put /some/ traffic
through the VPN that you want separated. Private browse through VPN,
preferably in a VM. The "I'm not a robot" thread
([https://news.ycombinator.com/item?id=19155643](https://news.ycombinator.com/item?id=19155643))
from a few days ago showed just how much can be gleaned by JavaScript; that's
probably enough to work out if your private browser is on the same computer as
the non-private one.

~~~
cyberpunk
I think this is more geared at pentesters and such, think BSD-backed Kali?

I'm not so keen on the VPN-by-default thing though... I hope they plan to
upstream Metasploit back to ports at least.

------
blotter_paper
It says nothing about who the Dark Intelligence Team is, but this Google
cache[0] has a _little bit_ more info:

>We are security enthusiasts from China, Germany, France, Netherlands, Norway,
Switzerland, Mexico, India and Russia. Some of us have used *nix systems since
1999.

>Coding && DeCoding && Talks && Beers && Wine && Pizzas && Good Music && Stuff
&& Hacking.

So at least nine contributors, unless they're counting one person as being
from multiple countries.

[0] [https://webcache.googleusercontent.com/search?q=cache:E2OiV-...](https://webcache.googleusercontent.com/search?q=cache:E2OiV-7ZhGIJ:https://secbsd.org/dark-intelligence-team.html)

~~~
dmix
Heh, good catch.

------
snazz
So pretty much Kali for OpenBSD? Also, why use a VPN by default when many of
the tools are intended to be run on the local network?

~~~
Apes
I suspect the idea is that a VPN will provide encryption for all network
traffic by default, preventing others on the local network from packet
sniffing.

~~~
elchief
I use non-VPN IPsec on my LAN. Works nicely.

------
bantunes
Is security not an illusion with the current computer architectures? Sometimes
it feels like we have to go back to architectures that separate code from data
(Harvard) to really be secure.

~~~
zerohp
A Harvard architecture, by itself, doesn't do anything to prevent code reuse
attacks.

~~~
qubex
Indeed. The NX bit (which differentiates between executable and writable data)
roughly approximates Harvard Architecture-like differences between types of
memory, and likewise it cannot prevent code reuse attacks.

------
cpach
"OpenVPN + ProtonVPN"? IMHO that is a red flag. WireGuard would be a better
alternative.

~~~
TimTheTinker
From the WireGuard homepage:

> WireGuard is not yet complete. You should not rely on this code. It has not
> undergone proper degrees of security auditing and the protocol is still
> subject to change. We're working toward a stable 1.0 release, but that time
> has not yet come.

I agree that WireGuard will be great when it's done. Is there something I'm
missing?

~~~
jorvi
Maybe he meant that ProtonVPN has a pretty shady reputation on HN due to their
business connections to TesoNet, which is a data mining company. It's a lot
more complicated than that, but if you see ProtonVPN being shot down on HN,
that's why.

Further reading:
[https://news.ycombinator.com/item?id=17258203](https://news.ycombinator.com/item?id=17258203)
[https://news.ycombinator.com/item?id=17775326](https://news.ycombinator.com/item?id=17775326)

Personally, even if there isn't anything actually shady going on, I would want
my VPN provider to be beyond reproach. Any smart VPN provider wouldn't want
even tenuous connections to data mining companies. It feels a bit dirty to
recommend Private Internet Access since they were the ones who pointed this
out on HN, but so far AFAIK they are the only ones that have been
court-tested. Other options would be TorGuard or Mullvad VPN. Mullvad even
already supports WireGuard!

~~~
TimTheTinker
I just run my own VPN from a $5/month DigitalOcean droplet... I feel like all
the public VPNs are like big honeypots I'd rather stay away from.

> ProtonVPN has a pretty shady reputation on HN due to their business
> connections to TesoNet, which is a data mining company

Does that mean ProtonMail also is no longer trustworthy?

~~~
jorvi
> I just run my own VPN from a $5/month DigitalOcean droplet... I feel like
> all the public VPNs are like big honeypots I'd rather stay away from.

I guess that depends on your threat vector. I mainly want copyright hounds and
data miners (including my ISP) to stay out of my way. For this a public VPN is
perfect. Hell, in a weird way, if PIA somehow turned out to be an NSA honeypot
they would be even better for that purpose since they'd essentially be
untouchable by copyright holders. In general, I guess a personal VPN is more
private on a micro level (no VPN provider that can spy on you) but less
private on a macro level (any determined actor can trace your DO VPN back to
you since you are the only user).

> Does that mean ProtonMail also is no longer trustworthy?

That is, again, for yourself to decide. Personally I think the Proton company
isn't malicious and just really bungled up the launch of ProtonVPN by going at
it together with / through TesoNet, and their VPN efforts will forever be
tainted by that. But, that has very little to do with their mail branch, which
preceded ProtonVPN and which so far seems a pretty good offering to me if you
want your mail to be encrypted-at-rest.

------
8d10fee0c89cfb5
They said they want contributors, but I don't see any link for contributing.
And their Twitter account is basically only focused on raising money.

~~~
blotter_paper
The code isn't public yet. I imagine that if you want to get involved at this
stage you'd need to contact them directly. Their email address and public key
are available here: [https://www.secbsd.org/dark-intelligence-team.html](https://www.secbsd.org/dark-intelligence-team.html)

~~~
toyg
_> The code isn’t public yet_

Can’t take it seriously from a security perspective, then.

------
ggm
I am getting a _lot_ of mental "red flags" over this one. It's a bunch of
distros of things, some of which are pentest, some of which are less clear to
me, and it has confusing statements about VPN. Kali is understood. It has a sense
of purpose, a community, quite strong public statements of intent and purpose.

This one. I mean sure, that lock-pick you bought from a guy in the pub, he
_said_ it was only for testing padlocks, but now you see other people testing
doors along the hall and you're wondering what you just walked into...

------
mastrsushi
Why can't they just be honest and call it an OpenBSD distro, rather than a
Unix-like operating system?

------
agumonkey
Just when I Google for a Tails alternative...

~~~
DyslexicAtheist
This is not a Tails alternative. It's a workstation for pen-testing, like Kali.

------
snvzz
>not microkernel, multiserver

Huge TCB, they already fucked up. So much for security.

~~~
agumonkey
[https://www.allacronyms.com/TCB](https://www.allacronyms.com/TCB)

