Not blocked necessarily, but if they want to leverage a stolen token, they’re now forced down a more difficult and highly visible pathway.

You can imagine anomaly detection along the lines if “hey your rails app just made a type of request that it has never made before”, but even just monitoring the metrics of the proxy could tip you off if something is going on.

Yeah they did this - except the contraband was automatically recognised and both images were banned via hash.

When action is taken on the first image, the collided image could also be censored.

It doesn't support "vmware tools" as such, but does support the virtual interfaces for network, disk, ballooning etc...

http://man.openbsd.org/OpenBSD-current/man4/virtio.4

Additionally, with a "home/office" router, there's many ways that IPv6 may be implemented by their ISP (e.g. static configured prefix, DHCPv6, prefix delegation etc...) all which require specific configuration on the WAN and LAN side to make it work.

So, I agree, but splitting that particular part into a different FAQ/walkthrough is going to be a better approach.

Adding an unpredictable delay in between when an application frees some memory, and it becomes available for reuse elsewhere will likely reduce the window of vulnerability where an exploit may be able to leverage the issue.

Okay, okay. Personally, I think the fact that OpenBSD did not support any of the current virtualisation solutions, and now have an appropriate one in the works says a lot about their position.

And, frankly, what use is an organisations "position" on VM hosting to a user? It either supports it or it doesn't, and if you don't plan on developing it the reasons don't really matter.

EDIT: I'm also going to point out that mailing list posts in general rarely stand on their own, and exist within a context.

A premise which he rightly shat directly on, and is his statement is completely congruent with the presence of a VM hypervisor in OpenBSD.

OpenBSD has happily run as a guest for a long time now, with various virtio drivers being added some time ago. Solutions like virtualbox and xen reach far into the system and are still a no-go on OpenBSD.

vmm on the other hand is a very literal OpenBSD implementation of a hypervisor. Minimal cruft means very little device emulation, virtio support only etc... The code is simple and readable[1], as opposed to other monstrosities.

I would take a punt and guess that the reason OpenBSD hasn't had a hypervisor is that a) all of the current solutions were inappropriate, and b) nobody had the time/effort to implement an appropriate one.

[1] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/arch/amd64/...

Might be that they were asked to continue to provide services.

AWS uses Xen and domU support is a lot more invasive - OpenBSD had supported it in the past but I believe it was dropped?

OpenBSD is a research operating system.

A lot of their development and deployment methods do not align with the needs/wants of large infrastructure deployments (e.g. biannual releases, supported for 1 year).

Happy to cull/reinvent legacy to suit modern systems and practices (e.g. utf8, doas, opensmtpd/ntpd/bgpd/sshd etc...)

Refusal to support hardware without documentation or binary kernel blobs.

Focus on simplicity and correctness, rather than legacy and kludges, which often gets in the way of sysadmins wanting to Get Stuff Working.

Take your pick?

Additionally, he's still right. Don't rely on it to enforce security boundries (e.g. host untrusted systems and trusted systems on different tin) and his rant is totally congruent with virtualisation having a place in OpenBSD

I agree with what you say regarding perimeter security, a concept quickly decreasing in relevance in today's environments. Unfortunately, when you have thousands of people working for you that don't know how to computer, you have to take steps to ensure that the data and functionality that they're handling remains protected.

Additionally, a large amount of attack surface exists on the client side, and with these two factors at play you're dealing with a lot of non-trivial trust relationships within your organisation.

Yes, ideally every system would be an island, and everyone who was supposed to operate it could do so securely and competently enough that they'd realise if something was wrong.

Until then, corporate workstations live in a locked down world where all external access is monitored and scrutinised.

If your job involves idling on Freenode maybe take it up with management?

EDIT: phrasing

It's also a great source of information when monitoring egress communication, so I would just make sure you know what you're doing.

Additionally, if they have aggressive egress filtering, its likely that the only DNS communication will be via an internal resolver which is going to be monitored - iodine is going to leave a LOT of shit in those logs.

5.7 is the latest official release. 5.8 is due on Nov 1.