SecBSD: Unix-like operating system focused on computer security (secbsd.org)
95 points by protomyth on Feb 27, 2019 | 31 comments

IMHO stock OpenBSD is a better start. Concise and secure. Sending all traffic through a VPN is probably a bad idea; it is better IMO to put /some/ traffic through the VPN that you want separated. Private browse through VPN, preferably in a VM. The "I'm not a robot" thread (https://news.ycombinator.com/item?id=19155643) from a few days ago showed just how much can be gleaned by JavaScript; that's probably enough to work out if your private browser is on the same computer as the non-private.

I think this is more geared at pentesters and such, think BSD-backed Kali?

I'm not so keen on the VPN by default thing though. I hope they plan to upstream Metasploit back to ports at least.

It says nothing about who the Dark Intelligence Team is, but this Google cache[0] has a little bit more info:

>We are security enthusiasts from China, Germany, France, Netherlands, Norway, Switzerland, Mexico, India and Russia. Some of us have used *nix systems since 1999.

>Coding && DeCoding && Talks && Beers && Wine && Pizzas && Good Music && Stuff && Hacking.

So at least nine contributors, unless they're counting one person as being from multiple countries.

[0] https://webcache.googleusercontent.com/search?q=cache:E2OiV-...

Heh, good catch.

So pretty much Kali for OpenBSD? Also, why use a VPN by default when many of the tools are intended to be run on the local network?

I suspect the idea is that a VPN will provide encryption for all network traffic by default, preventing others on the local network from packet sniffing.

I use non-VPN IPsec on my LAN. Works nicely.

Is security not an illusion with the current computer architectures? Sometimes it feels like we have to go back to architectures that separate code from data (Harvard) to really be secure.

Nah, you could still e.g. use a use after free to smash the return address or a vtable on a Harvard machine and execute a ROP chain. If it did speculative execution too it would probably be vulnerable to spectre. There's nothing special about Harvard machines when it comes to security.

IMHO, to use a metaphor, not much different than the glass windows of a car protecting the car contents. And then of course, some owners just leave the windows down, other 'car windows' have special foils, multilayer, some even have bullet-resistant qualities, but give it time and physical access and it's always a car compromised in the end.

A Harvard architecture, by itself, doesn't do anything to prevent code reuse attacks.

Indeed. The NX bit (which differentiates between executable and writable data) roughly approximates Harvard Architecture-like differences between types of memory, and likewise it cannot prevent code reuse attacks.

"OpenVPN + ProtonVPN"? IMHO that is a red flag. WireGuard would be a better alternative.

From the WireGuard homepage:

> WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come.

I agree that WireGuard will be great when it's done. Is there something I'm missing?

Maybe he meant that ProtonVPN has a pretty shady reputation on HN due to their business connections to TesoNet, which is a data mining company. It's a lot more complicated than that, but if you see ProtonVPN being shot down on HN, that's why.

Further reading: https://news.ycombinator.com/item?id=17258203 https://news.ycombinator.com/item?id=17775326

Personally, even if there isn't anything actually shady going on, I would want my VPN provider to be beyond reproach. Any smart VPN provider wouldn't want even tenuous connections to data mining companies. It feels a bit dirty to recommend Private Internet Access since they were the ones who pointed this out on HN, but so far AFAIK they are the only ones that have been court-tested. Other options would be TorGuard or Mullvad VPN. Mullvad even already supports WireGuard!

I just run my own VPN from a $5/month DigitalOcean droplet... I feel like all the public VPNs are like big honeypots I'd rather stay away from.

> ProtonVPN has a pretty shady reputation on HN due to their business connections to TesoNet, which is a data mining company

Does that mean ProtonMail also is no longer trustworthy?

> I just run my own VPN from a $5/month DigitalOcean droplet... I feel like all the public VPNs are like big honeypots I'd rather stay away from.

I guess that depends on your threat vector. I mainly want copyright hounds and data miners (including my ISP) to stay out of my way. For this a public VPN is perfect. Hell, in a weird way, if PIA somehow turned out to be an NSA honeypot they would be even better for that purpose since they'd essentially be untouchable by copyright holders. In general, I guess a personal VPN is more private on a micro level (no VPN provider that can spy on you) but less private on a macro level (any determined actor can trace your DO VPN back to you since you are the only user).

> Does that mean ProtonMail also is no longer trustworthy?

That is, again, for yourself to decide. Personally I think the Proton company isn't malicious and just really bungled up the launch of ProtonVPN by going at it together with / through TesoNet, and their VPN efforts will forever be tainted by that. But, that has very little to do with their mail branch, which preceded ProtonVPN and which so far seems a pretty good offering to me if you want your mail to be encrypted-at-rest.

I wouldn't use a VC-backed, for-profit company for anything privacy related. Selling users out behind the scenes to advertisers and TLAs is an easy way to get money. Better to get hosting in a jurisdiction without police-state-style activities, with privacy protections, and/or from a nonprofit or public-benefit organization incentivized to look after users. A for-profit, non-VC company with a long history of steady, honest business is also a decent option if you can't find/afford/use safer jurisdictions. Prgmr.com is an example of the last one from what I've observed.

These allegations were actually spread by a competing VPN service, so they should be taken with a grain of salt, and the allegations have also been refuted: https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn...

For most VPN companies, you basically have to blindly trust them that they aren't doing anything nefarious. ProtonVPN is different because it's been thoroughly checked and vetted by Mozilla (https://blog.mozilla.org/futurereleases/2018/10/22/testing-n...) and also because there is full transparency regarding who runs the service. You can find the names of the former CERN scientists who created the service, along with their past scientific publications, and things that prove who they are.

“I just run my own VPN from a $5/month DigitalOcean droplet”

Good call IMHO. That’s what I would do as well if I felt the need to use a VPN.

AFAIK ProtonVPN's offering is based on OpenVPN and I just don't see the benefit of using that protocol when a more modern alternative is available (i.e. WireGuard). The fact that ProtonVPN is located in Switzerland is not a selling point that matters to me, YMMV.

"Is there something I'm missing?"

It seems to me that 'zx2c4 just hasn’t come around to reword that paragraph yet.

If WireGuard is good enough for Latacora then I would feel safe using it.

This question has come up before, see e.g. https://news.ycombinator.com/item?id=16326421 and https://news.ycombinator.com/item?id=17848471

They said they want contributors, but I don't see any link for contributing. And their Twitter account is basically only focused on raising money.

The code isn't public yet. I imagine that if you want to get involved at this stage you'd need to contact them directly. Their email address and public-key are available here: https://www.secbsd.org/dark-intelligence-team.html

> The code isn’t public yet

Can’t take it seriously from a security perspective, then.

I am getting a lot of mental "red flags" over this one. It's a bunch of distros of things, some of which are pentest, some of which are less clear to me, and it has confusing statements about VPN. Kali is understood. It has a sense of purpose, a community, quite strong public statements of intent and purpose.

This one. I mean sure, that lock-pick you bought from a guy in the pub, he said it was only for testing padlocks, but now you see other people testing doors along the hall and you're wondering what you just walked into...

Why can't they just be honest and call it an OpenBSD distro, rather than a Unix-like operating system?

Just when I google about Tails alternative..

This is not a Tails alternative. It's a workstation for pen-testing. Like Kali.

>not microkernel, multiserver

Huge TCB, they already fucked up. So much for security.
