On Wed, 4 Oct 2000, Kenneth E. Lussier wrote:
> I have a simple question.

  *snort*  ;-)

> Several people today have mentioned that OpenBSD is more secure. I won't
> get into that.

  Ever notice that, whenever someone says they're not going to get into
something, they promptly get into it?  ;-)

> But, several people made the claim that there hasn't been a single remote
> exploit in OpenBSD in over three years.

  In "the default install".  The "default install" has no services enabled.  
Thus, no remote exploits in the default install.  As I've said off the list,
even MS Windows is secure if the power is turned off.

> Am I missing something, or are the OpenBSD folks just not looking??

  OpenBSD's advantage isn't that it is "secure".  I've always liked the quote,
"Security is a process, not a state of being."  OpenBSD's strengths come from
the fact that security is the first goal of the designers.  They design things
following best practices for secure, robust software.  They consider the
security impact of changes.  And they follow the policy that everyone is out
to get you -- because they are.

On Wed, 4 Oct 2000, Tony Lambiris wrote:
> Someone misinformed you, because at www.openbsd.org, in big red letters:
> "Three years without a remote hole in the default install!" -- Quote

  See above.  This is misinformation.

> Also, almost all of the vulnerabilities you have listed are not part of
> the base install.  They are ports you can add at a later date if you wish.

  What, exactly, is the point of an OS that does not do anything?  Why are you
installing OpenBSD if you're not going to use it?  Wouldn't you be better off
with a shoe box?

> As well, some of the other exploits can happen under 'certain conditions'.

  Is this like the fact that Intel's Pentium III 1.13 GHz is unstable under
"certain conditions"?  To quote one Slashdot poster, "Those conditions being:
(1) Chip plugged into board.  (2) Board powered up."

  A security hole is a security hole.  Stop apologizing for OpenBSD.

> The rest are proof-of-concepts.

  The concept being that there is a security hole.  Thus, proof that there is
a security hole.  Again, stop apologizing for OpenBSD.

> "In other cases we have been saved from full exploitability of complex
> step-by-step attacks because we had fixed one of the intermediate steps."

  This is where OpenBSD shines.  They design with security in mind.  That
includes defense in depth.  Thus, a security breach in one component may not
compromise the whole system.

> ... but saying that the OpenBSD team isn't looking for bugs is probably
> the most absurd statement I've heard all year.

  Needlessly inflammatory, but correct.

  Of course, show me any OS development team that isn't looking for bugs.  
Besides Microsoft's.  ;-)

> Not only has the OpenBSD team, and others audited the _entire_ source code

  They've audited the entire kernel source.  Not the entire distribution.  
Additionally, just because they've audited it does not mean there are no holes
left.  It does mean there are fewer holes.  But holes have been found after
their audits.

> Also, just to be fair, these stats were taken from securityfocus.com:
> Number of OS Vulns by year..
> 1999: OpenBSD = 4, Redhat = 41
> 2000: OpenBSD = 7, Redhat = 40
> 
> Hmm, 11 or 81. Which seems more secure to you?

  Again, this is misinformation.  OpenBSD does not enable anything by default,
and they don't install even 10% of the packages Red Hat does.  You're
comparing apples to the whole orchard.

-- 
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18   Fax: (978)499-7839

