On Wed, Oct 04, 2000 at 10:01:00PM -0400, Kenneth E. Lussier wrote:
> I have a simple question. Several people today have mentioned that
> OpenBSD is more secure. I won't get into that. But, several people made
> the claim that there hasn't been a single remote exploit in OpenBSD in
Someone misinformed you, because at www.openbsd.org, in big red letters:
"Three years without a remote hole in the default install!" -- Quote
Also, almost all of the vulnerabilities you have listed are not part of the
base install. They are ports you can add at a later date if you wish. As well,
some of the other exploits can happen under 'certain conditions'. The rest are
proof-of-concepts. Take the lpd exploit. Quoted from openbsd.org:
"In other cases we have been saved from full exploitability of complex
step-by-step attacks because we had fixed one of the intermediate steps. An
example of where we managed such a success is the lpd advisory that Secure
Networks put out."
> over three years. I've heard this claim a lot out of the OpenBSD folks.
> So, I was perusing Security Focus, and I decided to do a little search
> for OpenBSD. Below are the results of that search. Three quarters of
> these are remote (and I'm not counting DoS). Am I missing something, or
> are the OpenBSD folks just not looking??
You should've done your research before writing that last line. I'm not going
to get into it for multiple reasons (for one, I already have, and two,
openbsd.org has all the answers to your questions), but saying that the OpenBSD
team isn't looking for bugs is probably the most absurd statement I've heard
all year.
Not only have the OpenBSD team and others audited the _entire_ source code
and fixed _many_ vulnerabilities (how many times have the other BSDs posted a
vulnerability, just to have an OpenBSD developer follow up with, "This has been
fixed in OpenBSD since 1998"?), but they also practice proactive
security. That means when they write new code, they have security in mind while
writing it, unlike a lot of other coders, who will fix the bug once the
problem arises.
I highly suggest you peruse openbsd.org, and while you're there, check out the
FAQ.
Also, just to be fair, these stats were taken from securityfocus.com:
Number of OS Vulns by year..
1999: OpenBSD = 4, Redhat = 41
2000: OpenBSD = 7, Redhat = 40
Hmm, 11 or 81. Which seems more secure to you?
--
Tony Lambiris [[EMAIL PROTECTED]]
OpenBSD: Because I care. [www.openbsd.org]