On Fri, Sep 19, 2003 at 12:54:13PM +1200, Christopher Sawtell wrote:
> Of course we all know that it's impossible to prove a negative, but
> even an attempt to improve the effectiveness of the quality control
> would be appreciated by us all. How? In exactly the same way as the
> virus and worm writers discover the holes. It would be sensible to
> offer real prizes to the virus writers.  The cost would be minuscule
> compared to the cost of the clean up operations.  But if that were to
> happen the whole anti-virus industry would become redundant, so it
> won't happen. There are too many billions involved.

This wouldn't work.  Look at the flaws like the recent DCOM flaw in
Windows NT, and the buffer management flaw in OpenSSH.  These flaws
have existed unnoticed in the respective code bases for more than five
years.  It's very difficult to speed up the process of finding security
flaws, especially when it's often not known to be a flaw until some
clever person invents a new class of exploit; you only need to look at
the Windows 'shatter' class of vulnerability to see what I mean.

> Theo de Raadt and his helpers have made a (nearly) secure o/s. I say
> 'nearly' above because, as I understand it, it is impossible to make a
> totally secure o/s on the x86 architecture, because there is no
> possibility at the hardware level, of preventing buffer overflows, or
> bit patterns in the stack area of memory being executed, or the text
> area of a program being written over.  That's my understanding of the
> x86 architecture, I'd love to be corrected.  x86 was a wonderful

It sounds like you're talking about the W^X (write xor execute) support
that was added to OpenBSD 3.3 and 3.4.  Indeed, the specific W^X support
added to OpenBSD 3.3 was not a complete implementation for x86 due to
complexities that did not exist on other CPU families such as SPARC.
You'll find that 3.4 has effectively the same level of protection in the
x86 and PPC port as was added to the other ports in 3.3.

There are similar patches floating around for the Linux kernel.

The approach taken by deraadt@ and the rest of the OpenBSD team seems to
be a good one, but for all the development, there still are and will be
security flaws found in OpenBSD and every other operating system.

> There is absolutely no reason why William Gates III and his helpers
> cannot spend a mere bagatelle of their umpteen billions to at least
> attempt to emulate the OpenBSD ideal.

Microsoft have made a small attempt to clean up their act recently.  The
likes of Windows Server 2003 is off to a better start with respect to
security and default configuration.  But having said that, it seems that
the cost of making Windows highly secure is much higher than 

> > Who assumes liability for free operating systems like Linux, HURD
> > and {Free,Net,Open}BSD?
> That's the rub for us isn't it? Some sort of fidelity fund I suppose.

Indeed.  I don't imagine it would make big companies like IBM and HP
want to be as involved with Linux as they have been recently, either.

Cheers,
-mjg
-- 
Matthew Gregan                     |/
                                  /|                [EMAIL PROTECTED]
