
Re: Distrowatch review of OpenBSD



On Wed, 7 Jul 2004, Jon Drews wrote:

> anyone else to make sure that their OS is secure. The record speaks
> for itself - in the nearly nine years of OpenBSD's existence, only one
> remote security hole in the default install has been discovered (and
> that hole was immediately closed)

... only one hole in 9 years, well, only if it's not a Thursday, a blue 
moon in June, every other Tuesday, any Friday the 13th, all arbor days, 
Canada Day, Bastille Day, or any day that the earth has its southern 
hemisphere tilted towards the sun.  Then yeah, in 9 years it's quite a 
record.

Then there's this exploit:

http://nlug.org/mail/nlug__2000_11/0150.html

While I'll agree that OpenBSD is secure upon install, I wish people would
quit claiming its "superior" security record.  First and foremost, any
system not running any services is going to be a lot more secure than a
system that runs a service.  The minute you turn on a service in OpenBSD
you've made it by default less secure than the claim.  This lulls people
into a false sense of security.  OpenBSD is SECURE!  Yet, is it still as
secure the minute you turn on one or all of http, OpenSSH, and smtp?  NO.  
Let's call a spade a spade here.  RedHat could probably make some of the 
same claims if you installed it without any services.  The fact is, you're 
running this software for a reason and that's to provide a service.  So to 
rely on OpenBSD's track record is a red herring.  It lulls people into a 
false sense of security.  

I'm sure a few of us won't forget the multiple OpenSSH exploits that came 
out in rapid fire succession a couple years ago.  It finally drove home 
the point I had tried to make with my boss that while SSH is a secure 
protocol, it does not make it a secure service.  He finally had given in to 
shutting down wide open ssh access on the server several months before 
those exploits came out.  

That's not to discount Theo's work.  He has just as important a role in 
the software community as RMS, ESR, Linus, and Alan Cox.  Theo has done a 
lot of good.  While I complained about those OpenSSH exploits, I could not 
live without it.  Sometimes a little paranoia pays off.

Sean...

--
The punk rock will get you if the government don't get you first.
	--Old 97's
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
KG4NRC  http://www.rimboy.com  Your source for the crap you know you need.
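Sean's argument above reduces to two checks an operator can actually run: what is listening on an address reachable from the network, and whether the one service nearly everyone enables, sshd, has been narrowed down or left wide open. The script below is an added example, not code from the original post, from OpenBSD or from OpenSSH. It audits a constructed sample of Linux `ss -Hlntu` output (the same information comes from `netstat -an` on OpenBSD) and two constructed sshd_config fragments, a wide-open one and a restricted one. The addresses, the subnet, the user name `sean` and the sample port list are assumptions chosen for illustration.

```python
"""Audit exposed services and sshd restrictions.

Added example, not part of the original mailing-list post. All inputs below
are constructed samples, not captures from any real host.
"""

# Constructed `ss -Hlntu` output: Netid State Recv-Q Send-Q Local Peer
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*
"""

# Constructed sshd_config: the "wide open ssh access" case.
OPEN_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sshd_config: same daemon, reachable only by one admin user,
# with keys, from one assumed management subnet (192.0.2.0/24 is a
# documentation range, not a real network).
RESTRICTED_SSHD_CONFIG = """\
ListenAddress 192.0.2.10
PermitRootLogin no
PasswordAuthentication no
AllowUsers sean
Match Address 192.0.2.0/24
    PubkeyAuthentication yes
"""

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_ss(text):
    """Yield (proto, address, port) for each socket line of `ss -Hlntu`."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        proto, local = parts[0], parts[4]
        addr, port = local.rsplit(":", 1)   # rsplit keeps "[::]" intact
        yield proto, addr, int(port)


def exposed_services(text):
    """Sorted (proto, port) pairs bound to something other than loopback.

    Anything not on loopback (wildcard or a specific interface address)
    is reachable from the network and is attack surface.
    """
    reachable = {(proto, port) for proto, addr, port in parse_ss(text)
                 if addr not in LOOPBACK}
    return sorted(reachable)


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive; sshd honours the first occurrence, so
    later duplicates are ignored. Parsing stops at the first Match block,
    whose settings are conditional and do not loosen the global policy.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            break
        conf.setdefault(key, value.strip())
    return conf


def sshd_findings(text):
    """List the ways this sshd_config leaves the service wide open."""
    conf = parse_sshd_config(text)
    findings = []
    # Treat a missing PermitRootLogin as permitted: the conservative reading,
    # and the actual default on OpenSSH releases of the period being discussed.
    if conf.get("permitrootlogin", "yes") == "yes":
        findings.append("root login permitted")
    if conf.get("passwordauthentication", "yes") == "yes":
        findings.append("password authentication enabled (brute-forceable)")
    if not any(k in conf for k in ("allowusers", "allowgroups")):
        findings.append("no AllowUsers/AllowGroups: every local account may log in")
    if "listenaddress" not in conf:
        findings.append("no ListenAddress: sshd bound on every interface")
    return findings


if __name__ == "__main__":
    print("reachable services:", exposed_services(SAMPLE_SS))
    print("open sshd_config:", sshd_findings(OPEN_SSHD_CONFIG))
    print("restricted sshd_config:", sshd_findings(RESTRICTED_SSHD_CONFIG))
```

On the sample, only ports 22 and 80 count as exposed, since smtp and the time daemon are bound to loopback; the open sshd_config produces four findings and the restricted one none. The sshd checks are deliberately coarse (global section only, first value wins) so that the result is a list an operator can act on rather than a full reimplementation of sshd's config evaluation.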


-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.