no.

On Mon, May 10, 2004 at 09:53:53AM -0400, Brian Toovey wrote:
> is this not the same person who misrepresented an openssh vuln last week?
>
> On May 10, 2004 09:42 AM, Richard Johnson <[EMAIL PROTECTED]> wrote:
> >
> > iDEFENSE: The Power of Intelligence : Current Intelligence Report
> > iSecurity Brief 05.10.04: Why OpenBSD is more secure than Linux
> > Author: Richard Johnson, the DataThief
> >
> > Introduction
> >
> > Well my mother just finished knitting me a new pair of asbestos
> > booties so I thought it was high time I try them out. Set phasers to
> > "flame". Please read the entire article before using them. Just
> > remember, I could have copped out by making the title something like
> > "Will Linux ever be as secure as OpenBSD?" or even "Which is more
> > secure, Linux or OpenBSD?". But I didn't. As well you should check out
> > the LASG/LSKB if you haven't already. I also know about ImmunixOS from
> > WireX and the NSA's SELinux (go read last week's column!).
> >
> > The code
> >
> > Let's face it, Linux is a great OS, I have more than a few machines
> > running it, but due to a number of factors it's never going to be as
> > secure as OpenBSD (which I also have running on several machines). But
> > Linux will never be as secure as OpenBSD, for technical, political and
> > marketing reasons. One of the most obvious differences between Linux
> > and OpenBSD (assuming you look under the hood a bit) is the fact that
> > OpenBSD has done an extensive code audit. The OpenBSD team has
> > literally spent dozens of man years of effort auditing code, not only
> > for security but for general correctness. Even the man pages for
> > OpenBSD are clean and consistent. This is a very proactive form of
> > security, OpenBSD fixes many problems before they become security
> > issues. No such form of extensive code audit exists in the Linux
> > world, and likely never will.
> >
> > Most vendors I have spoken with typically have a small security team
> > of less than a half dozen people (usually much less). Even ignoring
> > the fact that Linux vendors ship many more packages as standard than
> > OpenBSD (which tends to rely on the ports collection for add on
> > software) the basic components that both Linux and OpenBSD have
> > (kernel, command shells, system utilities, etc.) are quite large,
> > several hundred megabytes of source code in total. There simply are
> > not enough competent Linux programmers to do a security audit on this
> > code, let alone every vendor hiring enough people to fix their own
> > versions/etc. Even when vendors do do code audits they typically face
> > a problem, many programmers maintaining software are indifferent, or
> > even hostile to people sending them security fixes, so it is very
> > common for the original software to be insecure, and the vendor must
> > maintain their own patch set. This problem affects OpenBSD far less as
> > they maintain their own code base now, and it has significantly
> > diverged in many areas (ssh and OpenSSH being a prime example). Even
> > if Linux vendors want to audit all their code there aren't enough
> > Linux programmers capable of doing this. This means that Linux vendors
> > are essentially doomed to reacting to security problems, applying
> > patches and shipping out fixed versions of software, leaving users
> > open to vulnerabilities for hours, days or even weeks in some cases.
> >
> > This is far more important than it sounds, even with additional
> > security products such as PitBull there may be ways for an attacker to
> > exploit some bug in the kernel that allows them to bypass add-on
> > security, this happened with PitBull for Solaris, PitBull was fine,
> > the Solaris kernel was not. Generally speaking add on security
> > products cannot completely protect the system, for example unless a
> > firewall product replaces the TCP-IP stack of an OS any problems in
> > the TCP-IP stack will still be exploitable.
> >
> > Cryptographic software
> >
> > This is an area where OpenBSD trounces Linux. OpenBSD not only ships
> > OpenSSL, OpenSSH, IPSec, and several other cryptographic software
> > packages, but they have actually been largely responsible for OpenSSH,
> > which is an incredibly important piece of software now. While many
> > Linux vendors do ship OpenSSL and OpenSSH there are several that do
> > not (Caldera being a notable example). However no major Linux vendors
> > ship IPSec support built in, while there is a project for Linux IPSec,
> > it is difficult at best to install and configure, and at worst almost
> > impossible (I know, I've used it). OpenBSD on the other hand ships by
> > default with one of the best IPSec implementations available. OpenBSD
> > also provides a different (better in many ways) key daemon, with
> > support for various forms of authentication, an area where FreeS/WAN
> > is weak. Additionally because the majority of Linux work is done from
> > within the US (Linus Torvalds now lives there) there is almost no
> > cryptographic support built into the Linux kernel. If you want to add
> > crypto you must patch the kernel and rebuild it. Very few vendors, if
> > any at all (I'm not aware of a single one), ship any crypto built
> > into the kernel such as IPSec support, or any form of cryptographic
> > hooks (however many do ship OpenSSL/OpenSSH and other cryptographic
> > components). Because OpenBSD is done from Canada, the export of public
> > domain (usually interpreted as OpenSource) is not a problem, giving
> > you out of the box support.
> >
> > Cryptographic hardware
> >
> > Yet another area where OpenBSD shines and Linux is almost completely
> > lacking. OpenBSD supports several cryptographic acceleration products,
> > allowing you to build very powerful (and cheap) IPSec gateways for
> > example. While there is some SSL acceleration hardware available for
> > Linux this is essentially an easy problem to solve (most web load
> > balancers can handle the encryption, and keep sessions organized
> > properly). There are, as far as I know, no IPSec capable hardware
> > acceleration products for Linux. As well OpenBSD is currently working
> > towards allowing hardware to accelerate other cryptographic software
> > such as ssh, which will become an increasingly large problem (how much
> > CPU would you have to add to a server to support 1000 users using ssh
> > instead of telnet?). As well with OpenSSH's support for large file
> > transfers (via scp and sftp) load on servers using the SSH protocol
> > will only increase.
> >
> > On the cryptographic front OpenBSD has Linux beat, hands down. The
> > chances of Linux gaining this support are slim for a number of
> > reasons, US crypto export policy, and a lack of programmers that are
> > capable of writing the software to name a few. This is not something
> > that will change for a long time (if ever).
> >
> > Happy customers
> >
> > Linux vendors care about having happy customers. OpenBSD developers
> > don't. The Linux market has become a very competitive space, with
> > around a dozen "major" distributions, and literally dozens (if not
> > hundreds) of smaller players. The major distributions generally pursue
> > similar markets, home desktop users, corporate/educational desktop
> > users and corporate/educational servers. Almost every commercial
> > vendor has invested significant effort in graphical installation
> > programs, desktop software like Gnome and KDE, and other
> > usability/entertainment/productivity software. There is absolutely
> > nothing wrong with this, as more people use Linux the installation
> > must become easier, and things like word processors are needed.
> > However it means that Linux vendors have to spend a lot more effort
> > pleasing users, several distributions now ship on multiple CDs
> > because of all the add on software they include. Although customers
> > complain about security, very few will actually take a secure product
> > instead of an insecure product with more features (even if they may
> > not need those features). Unless a sizable portion of customers start
> > putting their money where their mouth is vendors will not change
> > significantly.
> >
> > Secure by default
> >
> > In comparison OpenBSD 2.8's install files (all of them) are just over
> > 90 megs, installed (with everything) it requires around 200 megs of
> > space. The only things enabled by default in OpenBSD are those that
> > the developers deem "safe". For example Telnet is disabled by default,
> > and OpenSSH is enabled. Sendmail is configured to run in local queue
> > mode, it can send mail but not receive (you must add the "-bd" option
> > in rc.conf to enable it). As OpenBSD's webpage puts it:
> >
> > Four years without a remote hole in the default install!
> >
> > Which is not something any Linux vendor can claim (or ever will in all
> > likelihood). A typical installation of Linux will result in a half
> > dozen or more network services being started, and while some vendors
> > are starting to improve it is unlikely many will since disabling
> > things results in frustrated users and increased support costs
> > (although one wonders about the cost of rebuilding machines after they
> > are broken into).
> >
> > Summary
> >
> > We need to teach people how to program well, and then maybe we can
> > teach them how to program securely. We then need these programmers to
> > either completely rewrite major portions of the software most Linux
> > vendors ship, or audit the existing stuff (in both cases a task that
> > is unlikely to be done). Since this is basically impossible we need to
> > look at other solutions. ImmunixOS and SELinux are two solutions to
> > this problem, and when installed, maintained and used correctly they
> > do help, a lot. However this will not benefit the vast majority of
> > Linux users. OpenBSD users on the other hand have an extremely clean
> > and secure code base to work from, that is proactively being audited
> > on a continuous basis. Linux has dug itself into a very deep hole, and
> > appears to be digging downwards at an ever faster rate. Even with add
> > on software like PitBull LX, or NSA's SELinux kernel modifications
> > there are still potential security holes that could allow an attacker
> > to bypass any Mandatory Access Controls, RBAC, Type Enforcement as was
> > the case with PitBull for Solaris (Solaris had a flaw that allowed
> > attackers to compromise the system despite PitBull). Without a high
> > level of assurance in the actual source code of the Linux kernel and
> > associated files there will always be a hint of doubt about the
> > security of the system as a whole. This is why Linux can never be as
> > secure as OpenBSD.
> >
> > Reference links:
> >
> > http://www.openbsd.org/ - OpenBSD
> >
> > http://www.openbsd.org/security.html - OpenBSD security page
> >
> > http://www.openbsd.org/crypto.html - OpenBSD crypto page
> >
> > http://seifried.org/lasg/ - Linux Administrators Security Guide
> >
> >
> >  _____________________________________
> > / Why can't those cheap bastards from \
> > \ Bank of America pay bills on time?  /
> >  -------------------------------------
> >         \   _
> >          \ (_)
> >           \ ^__^       / \
> >            \(oo)\_____/_\ \
> >             (__)\      )   /
> >                 ||----w ((
> >                 ||     ||>>
> >
> > About iDEFENSE:
> > iDEFENSE is a global security intelligence company that proactively
> > monitors sources throughout the world from technical vulnerabilities
> > and hacker profiling to the spread of viruses and other malicious code.
> > iALERT, our security intelligence service, provides decision-makers,
> > frontline security professionals and network administrators with timely
> > access to actionable intelligence and decision support on cyber-related
> > threats. We are currently trying for complete market dominance and hope
> > to soon eliminate the Carlyle Group by any means necessary. We already
> > have stolen their webdesign - their customer base is next. For more
> > information, visit http://www.idefense.com, or our research team's
> > official website at http://idefense.bugtraq.org.
> >
> > --
> > Richard Johnson, CISSP
> > Senior Security Researcher
> > iDEFENSE Inc.
> > [EMAIL PROTECTED]
> >
> > Get paid for security stuff!!!!!!
> > http://www.idefense.com/contributor.html
> >
> > and become part of our research team!
> > http://idefense.bugtraq.org/
>
> Brian Toovey
> igxglobal
> 389 Main Street Suite 206
> Hackensack, NJ 07601
> Ph: 201-498-0555x2225
> [EMAIL PROTECTED]
>
> Subscribe to the igxglobal Daily Security Briefing
> http://www.igxglobal.com/dsb/register.html
>
> igxglobal announces Daily Security Briefing newsletter
> http://www.prweb.com/releases/2004/5/prweb123759.htm
>
> The electronic message that you have received and any attachments are solely
> intended for the use of the addressee(s) and may contain information that is
> confidential. If you receive this email in error, please advise us by responding to
> [EMAIL PROTECTED] You are required to delete the contents and destroy any copies
> immediately.
> igxglobal is not liable for the views expressed in this electronic message or for
> the consequences of any computer viruses that may be unknowingly transmitted within
> this message. This electronic message is also subject to standard
> copyright/ownership laws. It is not intended to be reproduced, or re-transmitted
> without the consent of the originator.
>

--
Richard Johnson, CISSP
Senior Security Researcher
iDEFENSE Inc.
[EMAIL PROTECTED]

Get paid for security stuff!!!!!!
http://www.idefense.com/contributor.html

and become part of our research team!
http://idefense.bugtraq.org/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
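The "Secure by default" section of the quoted article turns on one measurable thing: how many network services a fresh install leaves listening on non-loopback addresses. The script below is an added example, not part of the quoted article or the thread; it shows how an administrator would check that on a Linux box. It assumes `netstat -lnt`-style output (proto, recv-q, send-q, local address, foreign address, state), feeds in a constructed sample rather than calling netstat, and uses an assumed policy of "sshd only" for the allowlist. Listeners bound to loopback are ignored, which is the same distinction the article draws for sendmail that can queue locally but is not reachable from the network.

```shell
#!/bin/sh
# Added example (not from the quoted article): report network listeners that a
# "secure by default" install would not be expected to expose.
# Assumption: input is Linux `netstat -lnt`-style output, one socket per line:
#   proto recv-q send-q local-address foreign-address state

# Constructed sample standing in for `netstat -lnt` on a freshly installed host.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22        0.0.0.0:*   LISTEN
tcp        0      0 0.0.0.0:23        0.0.0.0:*   LISTEN
tcp        0      0 127.0.0.1:25      0.0.0.0:*   LISTEN
tcp        0      0 0.0.0.0:111       0.0.0.0:*   LISTEN
tcp6       0      0 :::22             :::*        LISTEN'

# Policy assumption for the example: only sshd may listen on a routable address.
ALLOWED_PORTS="22"

# audit_listeners ALLOWED_PORTS < netstat-output
# Prints "proto port" for every LISTEN socket that is bound to a non-loopback
# address and whose port is not in the allowlist. Loopback-only listeners are
# skipped because they are not reachable from the network.
audit_listeners() {
    allowed="$1"
    while read -r proto recvq sendq local foreign state; do
        [ "$state" = "LISTEN" ] || continue
        port="${local##*:}"   # text after the last colon is the port
        addr="${local%:*}"    # everything before it is the address
        case "$addr" in
            127.*|::1) continue ;;   # loopback only: not remotely reachable
        esac
        found=0
        for p in $allowed; do
            [ "$p" = "$port" ] && found=1
        done
        [ "$found" -eq 1 ] || printf '%s %s\n' "$proto" "$port"
    done
}

# Usage: on a live host replace the sample with `netstat -lnt | audit_listeners "$ALLOWED_PORTS"`.
printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "$ALLOWED_PORTS"
```

On the constructed sample the script reports telnet (23) and the portmapper (111) as unexpected exposures; sshd on 22 (both IPv4 and IPv6) is allowed by policy, and the mail daemon bound to 127.0.0.1 is not flagged because it cannot be reached from the network.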
