On Thursday 12 June 2008 18:43:40 you wrote:
> On Jun 12, 2008, at 8:19 AM, David Naylor wrote:
> > I think this argument is rather mute, just because there are no
> > programs
> > exploiting security vulnerabilities does not been there are not
> > vulnerabilities,
> But it is far from moot if you are interested in the actual threat
> against your system.  In a sense, using a less popular OS is a form of
> "security by obscurity" which is not to be heavily relied on, but
> still it does make a real, practical, difference in the case that you
> described.

Very true, however having a large scale usage of FreeBSD (for example, if a 
government were to adopt it) would bring pressure to bare.  For anything but 
such a large scale adoption in the medium to long term then it is a 
valuable 'asset'.  

> > and a determined cracker would create his own program.
> You have not articulated what you are trying to defend against.  Do
> you anticipate determined crackers going after your particular system
> and what resources will such attackers have?  We can't talk about a
> system being "secure" in general, but the question needs to be framed
> in terms of "secure against what".

This is a general enquiry.  What had sparked my interest in this subject is 
the above mentioned article.  In this case it is a workstation used to access 
and manage account and cash flows.  The threat would be anyone gaining access 
to 'divert' funds to incorrect  accounts, for obvious personal gains.  

Specifically, the two threats would be remote attach (such as spyware being 
deployed, or gaining remote access) or physical access (in which case keeping 
the username and password safe will be the only option?  Assuming their is no 
compromise on the human side)

> > That said I hope there are, actually, no vulnerabilities.
> That is demanding too much.  What you need to hope for is a
> combination of "no known unpatched vulnerabilities at the moment" and
> more importantly "procedures and practices to keep things that way".
> As Bruce Schneier likes to say, "Security is not a product but a
> process".  The vast majority of actual system compromises involve
> failure of system administrators to keep systems patched and follow
> good security practices.

Good point!  Thank goodness for automatic signed incremental updates (that 
actually work)

Leason: always keep your system up-to-date!  (With security patches)

> One reason that I switched from Linux to FreeBSD is that I find it
> much easier to maintain FreeBSD, particularly in terms of security
> updates.  I have been responsible for Linux machines that did get
> rooted because I was having problems keeping them up-to-date for a
> variety of reasons.
> > [Security through obscurity is just an illusion]
> In your post you mentioned concern about spyware.  It is not an
> illusion that FreeBSD has not been targeted by spyware writers while
> Windows has.  Even if some of that is the consequence of security by
> obscurity, it is no illusion.  Of course we need to understand that
> those security benefits from obscurity are fragile, but we shouldn't
> dismiss it entirely.

Point taken.  

> Again, what sorts of benefits such things may add (or subtract)
> depends on the nature of the attacker.

Thank you for your feedback


Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to