This is an interesting conversation. I have no IT background as well but I
found the OpenBSD community, operating system, logic, and culture to be
anally retentive about how one can maintain a "higher" level of privacy and
security compared to its counterparts, by default.

I figured it is appealing because there are so many factors to a newcomer
(networking, ssh, files, bios, installation, checksums, drivers, hardware,
software, omg, blah blah blah) and if the operating system is not closed as
much as possible then the new user remains clueless about the potential
attack surfaces or vectors (ways to attack). However, I like the OpenBSD
approach of closing mostly everything and if you do want a specific
service in your architecture, you actually have to suffer to figure out how
a service works then enable it so essentially you are hacking your machines
for more "convenience" or "usability" which gives you more insight to how a
human or machine could potentially break in.

I initially had the intention to use OpenBSD as virtual machines but
there's too much magic in VMs even when taking into account the cost
savings of virtualizing 1 computer into multiple "logical" computers (in
other words, making the computer think that it is actually multiple
machines by splitting the computing power, storage, and memory). Now, I'd
rather run everything as low level as possible without making it
prohibitively expensive. I've heard that there are authors that can write
scripts or code that can traverse across the hypervisor (software things
that virtualize a machine to make it think that it is many machines) so
I'd rather stay away from that in the production environment. Using
VirtualBox to run OpenBSD on a VM is still helpful for testing and learning but I
do not think that production stuff should be run as a VM if one is anally
retentive about achieving higher levels of security/privacy in an insecure
environment like the internet. I definitely have fallen into that boat.

Now I guess I understand the comment when I got introduced to internet
security about things depending on the specific use cases.

In the end, there is no such thing as pure security or privacy but there
are definitely ways to increase the threshold, resources, and time needed
to compromise a system. That is the best we humans can do currently in this
current society. With that said, it is still worth doing.

Thanks for maintaining and keeping OpenBSD available.


On Sun, Sep 27, 2015 at 3:22 PM, Matt Hamilton <m...@quernus.co.uk> wrote:

> > On 27 Sep 2015, at 22:57, Theo de Raadt <dera...@cvs.openbsd.org> wrote:
> >
> >>> On 27 Sep 2015, at 22:38, Eric Furman <ericfur...@fastmail.net> wrote:
> >>>
> >>> You really don't get it. Running OpenBSD in a VM gives you no
> >>> security benefits of OpenBSD. Your base security will be your
> >>> host, in this case FreeBSD. And on top of that you are running
> >>> a very complex piece of software, the VM. Who knows what
> >>> security holes are in it.
> >>
> >>
> >> I do get it. I guess you wrote this before reading my last reply. That
> >> explains the situation.
> >>
> >> Yes, the base security will be my host. Putting an OpenBSD VM on there
> >> does not (IMHO) significantly decrease the security of that host. I
> >> agree that it is adding complexities and there could be potentially
> >> unforeseen security issues due to the combination. e.g. something like
> >> OpenBSD's ability to generate random numbers could somehow be
> >> affected by the underlying VM that would not be present on bare metal.
> >
> > Any additional code you run, beyond the minimum, increases your exposure
>
> Indeed. Which is why you are typing this on a typewriter, right? I mean, I
> don’t know what editor you use, emacs, vi, mg, whatever… but that is
> additional code right? That has increased your attack surface. But you deem
> that an appropriate compromise to absolute security as you want feature and
> convenience.
>
> > You are so clueless.  It's amazing.
>
>
> No. The fact that I have tried an experiment and have a setup that has
> different priorities on its requirements to someone else’s setup or
> requirements is not clueless. It is different. OpenBSD just does not offer
> the functionality (e.g. a large, redundant filesystem, ala ZFS) I need to
> get the job I want to do done on its own. So I need additional software
> to achieve that. End of story. Yes it is a larger attack surface, yes it is
> added complexity. I fully understand that. But I need additional software
> to achieve my end goals.
>
> This thread started with someone who is starting to learn and wanted to
> know which OS, OpenBSD or FreeBSD would be best for their requirements. I
> don’t feel putting forward an idea that you could run OpenBSD as a VM and
> have both is so unreasonable.
>
> -Matt
>
> —
> Matt Hamilton
> Quernus
> m...@quernus.co.uk
> +44 117 325 3025
> 49b Easton Business Centre
> Felix Road, Easton
> Bristol, BS5 0HE
>
> Quernus Ltd is a company registered in England and Wales. Registered
> number: 09076246
>
>


--
danny nguyen
linkedIn <https://www.linkedin.com/pub/danny-n/7/b63/379>


