by oil25 2439 days ago
I've really been enjoying using OpenBSD full time, both on my desktop (AMD Ryzen build) as well as laptops (Lenovo X230, X1 Carbon). Everything literally "just works", the documentation is impeccable, and I love being able to install a new kernel and base system with one simple command ("sysupgrade"). About the only thing I still use Linux for is a browser with U2F support and Bluetooth - both are disabled in OpenBSD for security.

> Bluetooth [is] disabled in OpenBSD for security

A clarification on that point: OpenBSD's bluetooth stack was unmaintained and removed due to code rot; it's not that bluetooth as a protocol is inherently insecure.

> it's not that bluetooth as a protocol is inherently insecure

Bluetooth is a ridiculously complex protocol. Complexity is the enemy of security. There's no fixed threshold beyond which complexity makes something "insecure", and Wi-Fi and even USB aren't exactly simple (both have had their share of implementation exploits across operating systems), but AFAIU there's a strong sentiment that Bluetooth is far too complex for the benefit it brings, which perhaps explains why OpenBSD's stack was unmaintained.

Course, now we have Bluetooth: Wired Edition with USB-C layering many different optional protocols over the base transport. I understand the rationale, but I fear it means the days of "just works" USB may be coming to an end...
Here's a list of Bluetooth security problems according to NIST: https://twitter.com/dchest/status/952981861080461312 (full PDF: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpubli...)
I'm not sure why U2F would be "disabled for security". I guess it's just that nobody has implemented all the required things. For the USB tokens, you need userspace USB HID access and hotplug notifications. I did that in Firefox for FreeBSD :)
When I asked in IRC, I was told U2F was not implemented in browsers on OpenBSD because, "do you really want browsers to have full access to your USB stack?"
"full access to your USB stack" is not very meaningful (and honestly sounds like a WebUSB criticism, maybe someone thought U2F required WebUSB?!)

You only have access to the devices which you have permission to access. On FreeBSD, we have a devd config that sets the u2f group on U2F tokens.

tbf, that IRC channel may not exactly be super canonical.

https://cvsweb.openbsd.org/cgi-bin/cvsweb/www/index.html?rev...

"remove freenode channel from index, it lacks any form of sensible moderation."
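The point made above is that a browser never gets "full access to the USB stack": the device node is owned by a group, and only processes running as a member of that group can open it. As an added illustration (not the commenter's configuration and not the FreeBSD project's own u2f-devd package), the following devd.conf(5) rule shows the shape such a grant takes. The vendor and product IDs are placeholders, the group name `u2f` is taken from the comment, and the `$cdev` variable is the USB device node name that devd supplies for USB attach events.

```conf
# Added example, not from the original thread or from FreeBSD's u2f-devd package.
# When a USB device with the matching vendor/product IDs is attached, hand its
# character device node to the "u2f" group with group read/write permission.
# Everything else on the system keeps the default, more restrictive ownership.
notify 100 {
    match "system"      "USB";
    match "subsystem"   "DEVICE";
    match "type"        "ATTACH";
    match "vendor"      "0x1234";   # placeholder: replace with the token's vendor ID
    match "product"     "0x5678";   # placeholder: replace with the token's product ID
    action "chgrp u2f /dev/$cdev && chmod g+rw /dev/$cdev";
};
```

With a rule like this in place, a user who is not in the `u2f` group cannot open the token at all, and a user who is in the group can open only that token's node, not arbitrary USB devices. Matching on vendor and product IDs is deliberate: a wildcard match would extend the grant to every USB device that is plugged in, which is exactly the "full access" concern the comment is answering.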

Pardon my ignorance, but why would U2F support be disabled for security? Isn't that the entire point of U2F?
This comment is really interesting to me. What wifi chip is in your X1 carbon? I would love to try a BSD on my t480s. What windowing system are you using?
Either xfce or dwm. Here's a great guide to OpenBSD on a 5th generation X1 carbon: https://jcs.org/2017/09/01/thinkpad_x1c
Very cool! What kind of software do you use on your machines?

- Are you doing docker in a Linux VM?

- Any graphical Applications other than Firefox and emacs?