Slashdot Mirror
The World's Most Secure OS (?)
Anonymous Coward writes "Titled The World's Most Secure OS, this article in The Standard talks about what is needed to be "Secure by Default"" Probably the best OpenBSD article I've read in recent months. Theo doesn't pull his punches (then again, he never does), in particular, discounting the "more eyes means better security" philosophy. Then again, he's probably right.
[ Update: noeld wrote in with a link to a similar article at rootprompt.org. Must be something in the water. ]
does that mean that bill gates has been telling me naughty lies? i thought windows 2000 was the most secure...
oh i feel so used now...
*burns all his clothes and jumps into the shower sobbing*
Be you Admins? nay, we are but lusers!
you mean other peoples emails?
oh *that* sensitive data...
Be you Admins? nay, we are but lusers!
What makes it so hard for RedHat or any other company that produces Linux distros to come up with a super secure system like OpenBSD or FreeBSD?
Not to say that linux is insecure, but why can't they just configure linux to be secure right out of the box. Default installations shouldn't include freaky services and programs. Users should add the programs that they want by themselves.
For administration it's so nice to have SSH installed by default, so I don't have to worry about some kiddie on my LAN running a port sniffer on my telnet session. It's also kind of nice that it never crashes unless I do something particularly stupid (which I think I have thus far avoided, oh except for that time when I didn't have a swap partition.)
Theo is certainly a character. His work speaks for itself.
The mailing lists are just the way they should be; interesting, very technical, very easy to offend, and really amazingly helpful.
I've also been pleased with the fact that IPSec is built right on in there, so when the time comes for me to play with VPNs, I'm already 90% of the way there.
Now, whether or not I'd call OpenBSD user-friendly or easy to use, that's a different story. I guess I feel pretty good about having a Unix-y/BSD box around that makes me learn more CLI stuff every once in a while.
Free music from Jack Merlot.
While on the whole, I don't agree with MS' practices (coding, design, law, etc.), I have to agree with them on the judgment they made the other day (or week, who am I to remember all this crazy tech news) with regard to the default password on SQLServer 7.0.
There is a certain level of aquired knowledge and experience that I believe is necessary to work at the professional level; especially when it comes to the Internet and public software applications. One of the things that any admin knows (or at least should know!) is that you have a hard password and you change it often (I change mine on my server at home on a weekly basis).
My point is this: while an NT admin (or MCSE brat; whatever is at hand) might be able to get away with using a software with a default password, and then blame it on MS, a REAL admin knows his/her system and knows better than to not change a password. BSD is not only more secure because the default install is smart, it is more secure because the user is too.
BSD is secure because it is developed by security freaks that audit (and reaudit) the code looking for possible exploits and programming errors that could compromise a system. They have a zero tolerance stance when it comes to security, and I can do no more than commend them on this. Good job guys and gals, all of us BSDers are thankful and appreciative for all you hard work.
Rami
--
rJames.org - illustration
The power source of my home computer stopped working yesterday. Now that is the most secure system in the world.
If you can hack it, you are truly a real guru.
I use OpenBSD for my firewall/NAT box at home, and installation is dead-simple, quite painless, and only installs the bare basics - no need to sit through half an hour of clicking widgets to select packages.
I like Linux - None of the BSDs have the software base that Linux has, and it's a lot speedier. I don't need the security for my X box - after all, it's behind the OBSD firewall, and SSH tunneling is my friend when I need to access it from the outside.
What I'd like to see is a Linux distro which installed the bare basics - glibc, gcc, net-utils, bin-utils, file-utils, kernel, etc, X optional. Not something like Mandrake or Red Hat which has evil tendencies to put both GNOME and KDE on your box whether you want to or not.
The closest thing I've come to this is following Linux From Scratch's excellent instructions and compile the entire system from source - this is admittedly a lot of work, but at least you _know_ what's on your box when you install it, and you don't have to worry about vendor-specific kernel modifications and all that crap... And I ended up with a distro of <250MB after installing the most important things, including the full kernel source unpacked. This as opposed to the 800+ I had cluttering my disk after I put Mandrake 7 on it.
So, distributors, are you listening? I think there would be quite a high demand for something like this, especially from power users... BareBones Linux, anyone?
--
Pokéthulhu
Gotta catch you all!
The way I see it:
And what is so great about these three groups is that they steal code from each other. What is in one will eventually turn up in the other.
-- The universe began. Life started on a billion worlds...
-- Except on one where stupidity was there first.
Everytime I read op Bugtraq that "OpenBSD fixed this vulnerability five months ago through a standard audit", I wonder, why the heck don't they make this fix more public, so other OS's (freebsd, linux, whatever) can also profit from it.
I'm not so paranoid to think that OpenBSD wants to keep their fixes to themselves, in order to stay "the most secure OS out there".
So what is it then? Do other OS's developers just don't look at the OpenBSD pages to see what's fixed?
If it's a public tool (e.g. GNU), do the OpenBSD people submit a patch back?
If the OpenBSD keep up the good work, I think everyone can profit from it and then Bugtraq will read "Thanks to OpenBSD, all OS's fixed this vulnerability 5 months ago"
<grub> Reading
OpenBSD does an amazing job of presenting an extremely secure distribution, I will stipulate that right at the get go. I think it's a bit premeture to say that it's the Most Secure OS though. There are a number of implimentation of the DoD B1 security standard (as applies to operating systems, specifically) in the world - these include Trusted Solaris from Sun and PitBull from Argus Systems Group.
Granted, these operating systems take a quite different approach to security (rather than requiring strict application audits as in OpenBSD they instead try to eliminate the need for such audits through strict kernel control manifested in a number of sneaky ways). These systems have been, and are currently widely used by military, intelligence, financial, and, increasingly, high end e-commerce systems. In an attempt to increase public awareness and popularity of PitBull Argus Systems Group has begun giving it away for non-commercial use. Anyone interested in high security servers is highly recommended to check it out. It's no holy grail, and by no means the right solution for every problem, but it is a very interesting take on the problem, and quite a different way of looking at system architecture and administration than most of us get exposed to on a regular basis.
None of this is intended to steal OpenBSD's thunder - it's a great accomplishment, and far closer to existing operating environments than it's B1 counterparts (which makes it more accessable, and more flexable). Often, a B1 system will be severe overkill (or just too much of a pain to configure and manage), where OpenBSD will just work. So I'm not saying that OpenBSD is no good, I'm just saying that choosing the "Most Secure OS" isn't quite so clear cut...
Oh, BTW, there is a Trusted BSD project, but it's fairly young and as I understand it building a trusted OS is quite time consuming. When it's ready I think it will likely kick ass, but it may yet be a long way off.
--
Behold the Power of Cheese!
BTW, is a cut-down version of OpenBSD still OpenBSD?
Okay I have to admit I don't know shit about BSD, but I could see the point to have such a project... Even if it's just to say to your boss "look pops, it's OpenBSD booting a write-protected media, it's bound to be secure!"
---
"Hasta la victoria siempre!" El Comandante
There is a Linux distribution with much the same philosophy. It's still being worked on from my understanding of things, tho I'm not at all an authoritative source. The name of the distribution is Nexus and the website is here. As usual, the proper reply to "Why isn't there a widget for this?" is "Because you haven't written it yet." If you want this, help out and do what you can.
If anything, he discounted the idea that more Linux users makes Linux more secure than OpenBSD. He says that most of these people can't write programs over 300 lines, and that they're no real help to the security of the system.
But that doesn't discount the idea that, for a given system, more eyes make for better security. OpenBSD would be more secure if more people were doing the same thing that Theo does with it. Okay, there's a possibility of too many chefs spoiling the stew at some point,I guess, but in general I think that it's pretty clear that more eyes looking at a given system makes that system more secure than it would be with fewer eyes.
Anyone arging that any system Foo is more secure than any system Bar if more people are looking at Foo than at Bar has a problem with their logic. (And, granted, most people have a problem with logic.) Like one person posted, his system is pretty secure now that the power supply has failed...
Rather than say that he discounts the "many eyes" argument, I would say that he brings out how important a few well-trained eyes spending a lot of time on a set of code can be. That's easy to forget (or to never know if all you know about writing code comes from reading ESR...).
FWIW
--
Liberty uber alles.
"The Department of Defense has four classes of operating system...but Windows NT...are at level C2"
This is a common misconception, promulgated by marketing droids. Operating systems are not given security classifications, particular hardware and software installations are.
To use NT as an example, 3.51 was given a C2 classification, provided it did not have a floppy drive or network card installed.
I read somewhere the following quote:
"The only truly secure system is one which is switched off, disconnected from all networks, buried in a bunker made of six foot thick concrete with armed guards posted outside. Even then I wouldn't stake my life on it being secure!"
I tend to think this is overkill. Like everything in life, security is a trade-off. The more secure the system, the less usable it is.
OpenBSD is pretty good if you need high security, but is overkill for home users (and office workers). For this reason OpenBSD will never have the same popularity as Linux or Windows.
It still has its place though, in ensuring that standards are maintained in these other OS's as I believe that it really sets the benchmark for what should be possible with any OS. BrendanB.
Also, last time I looked, Windows NT got C2 only under very specific circumstances that have nothing to do with any actual productive environment.
The illegal we do immediately. The unconstitutional takes a little longer.
--Henry Kissinger
Theo has a security audit model that works terrifically well - having trusted, talented people audit the crap out of the code and being real finicky about releases.
The Linux model (and the generic Open Source model, at that), relies on a broad pool of users with code access reading and using it. A lot of bugs, many of them security-relat, will be found this way.
However, though security bugs will be found and fixed with the infinite-monkeys methodology, it does fall short on finding security issues proactively. You can find a lot of holes in that fashion, but to really ultra-secure and OS, you need people who are as freakish about security as Theo. The other side of that is that the users who seek out OpenBSD are also likely to be much smarter about security themselves.
Linux is a reasonably secure OS for the "average" user, and the methodologies are adequate for the end result. The companies distributing the OS need to be more proactive about looking for holes, though - there's a lot of ways to root a Linux box, and the consequences of allowing it to happen are sufficiently high that it's worth more work to find holes before they get into the distro.
Say what you will about Microsoft, but their Windows Update is a really nice mechanism for distributing patches and updates - none of the Linux vendors (even Mandrake) come close to that level of functionality. Most Slashdot readers will be fairly proactive about their boxes, but that doesn't mean all Linux users are like that. They need an easier way to patch and update their boxes when holes are found.
- -Josh Turiel
-- Josh Turiel
"2. Do not eat iPod Shuffle."
"buffer overflows" (which overwhelm a machine with data packets)...
Correct me if I'm wrong, but a buffer overflow is _not_ overwhelming a machine with data packets. That sounds more like a DoS attack. A buffer overflow is more like declaring a static char a[20] then exploiting the 20-character limit, inserting malicious instructions in the "over-the-20-character-buffer" overflow to be executed. If the program is, say, a daemon or a program run as root, well the overflowed instructions are also executed as root, allowing one to create an account, open a port for himself, yadda yadda yadda...
Buffer overflows have plagued the software industry for years, and are obviously more apparent in OS's that are connected to the Net. I'm sure MS Office is just full of 'em, but they're not always easy to discover.
Anyway, they seem to have C2 certification for NT4.
However, the notion that OpenBSD is the "most secure OS", or even the "most secure OS in common use", is absurd. Nor is it the most secure OS "out of the box". Rather, it is the leader in out-of-the-box security in a rather narrow set of popular, open-source, Unix-like operating systems.
There have been commercially-available mandatory access control Unix-based operating systems on the market for years. The "trusted" variants of the commercial Unices are great examples. These operating systems get their security from the compartmental design of the system, and are thus largely immune to (unavoidable) trivial programmer errors.
A great microcosm of this same competition exists in the free SMTP MTA's. Modern, secure mail transports are written in a compartmentalized fashion, so that a bug in one subsystem doesn't compromise the whole thing, or worse, the whole OS it runs on. Systems like Venema's Postfix and Dan Bernstein's qmail (which has never had a published security hole) are examples of this design.
Meanwhile, legacy MTA's like Sendmail and Exim remain popular, despite a history of insecurity. Sendmail's authors would happily claim that, after literally decades of audit, it is secure despite a monolithic design. Nobody that takes security seriously buys this argument anymore, though, because effective alternatives exist that are built on a more secure design. So what's the difference between Sendmail and OpenBSD? Well, OpenBSD is orders of magnitude more complex and has had less than 10% of the long-term attention that Sendmail has had.
Calling OpenBSD "secure" in light of competition from Argus Secure Solaris or even wrapper systems like SeOS is not much better pitting Sendmail against qmail.
It's definitely true that in practical terms, OpenBSD is a more trustworthy distribution of free Unix code than Red Hat Linux. However, with very few exceptions, OpenBSD's design remains stagnant and embraces an obviously-inferior security model. Who do you expect to implement compartmentalization and Mandatory Access Control first, OpenBSD or Linux?
My money is not on OpenBSD in the long run.
The topic of an OpenBSD bootable business card (or simply a small CD-ROM installation) was raised on misc@openbsd.org recently. I believe there's an interest in the project, and one correspondant was going to contact one of the people who'd helped put together the LinuxCare BBC (a pimp-ass Linux-on-a-CD distro that's with me always). Sorry, forget names, but check the past couple of weeks of archives.
My suggestion was that such a distro would be a great admin/rescue/demo tool, particularly if it allowed someone to set up a firewall with the system. One plus of OpenBSD is its union mount method, which allows mouting nonwritable media ass if they were a writable filesystem (I've heard that this may be a feature of the 2.4 Linux kernel as well). This allows for both the security of having nonvolatile media, and the flexibility of a mutable fileystem. Pretty cool.
What part of "Gestalt" don't you understand?
What part of "gestalt" don't you understand?
I linked to a checklist of things you need to change to match their configuration, so I didn't intend to mean a default install of NT is compliant. I simply intended to show that NT4 can be made C2 compliant, and put an end to the 3.51/no floppy/no network anecdotes.
main(O){10<putchar(4^--O?77-(15&5128 >>4*O):10)&&main(2+O);}
Actually, C1 is higher than C2. B1 and B2 exist as well (I have worked on the development of a B2 secure unix with some B1 features) and all the common "secure" operating systems struggle to maintain C2 level security. To say that any of the mainstream operating systems are the most secure in the world is bizarre.
Regards
If you read the Microsoft NT C2 Configuration article closely, with comprehension, you'll find that it speaks of NT 4.0 being evaluated, but never certified, as being C2 compliant. This was addressed in this BugTraq post. Believe you me, if NT 4.0 had been certified, Microsoft would be singing it to the heavens. But they don't want you to know that. You'll also note that "The C2 Administrator's and User's Security Guide" is itself a MS Windows executable (http://www.microsoft.c om/technet/security/exe/C2SecGuide.exe), hardly the most secure and safe way to transmit data around the Internet. Anyone got an open-standards version of this document?
They also don't want you to know about the man they killed after he first got WinNT 3.51 C2 certified, then told Microsoft that it would not be possible to get C2 certification for WinNT 4.0. Ed Curry, military man, NSA-certified technician, and a former independent contractor for Microsoft first had his business, health, and ultimately life destroyed. I knew Ed only from online encounters in Nick Petreley's InfoWorld forums, but the man was a friend, willing and capable of sharing fascinating information. Ed Curry died in December of 1999 of a stress-induced stroke. He is survived by a wife and young daughter.
What part of "Gestalt" don't you understand?
What part of "gestalt" don't you understand?
Besides, evaluation requires huge amounts of $$$ and documentation, and may not actually involve an exhaustive code audit. (C2 certainly does not.) Frankly, Theo is not impressed with TOS evaluations, and might have to wea ken OpenBSD's crypto to get such a rating.
It is much more reliable to just turn things off until you have time to audit them.
OTOH, Theo's decisions are not flawless. C2 would require ACLs, and Theo does n't want them in OpenBSD. I think he's correct, that they usually are a problem, but I think that an admin should have the option of using them.
We digress a little here, but M$ introduced Windows Update as part of Windows 98, in mid '98. The Red Hat update wizard they have arrived with the debut of RH 6.0, whenever that was. Sure, the Linux update wizards are robust and capable, but the Microsoft one was there real early in the game, and it works very well. They update any apps that Microsoft is willing to allow into the MS sandbox (for instance, Flash and Shockwave updates can be downloaded from it), but not third-party apps in general.
They also have an Office Update site as well that uses the same technology (a funky ActiveX control) to check for and patch Office 2000 code.
What Microsoft doesn't do is roll every single update into Windows Update - a lot of the security hole patches for servers are only accessible from the kbase article or the Security homepage. Windows Update is more focused on the consumer OS and apps.
- -Josh Turiel
-- Josh Turiel
"2. Do not eat iPod Shuffle."
10 programmers, working every day for 18 months would have to audit over 65k of source per day to reach 350 megabytes. My guess that on average, 65k of source would end up being about 1800 lines of code.
I wonder (a) how much of that is in comments and (b) if perhaps some portions do not need to be audited.
Actually, GCC should be highly discouraged on a firewall/bastion host. Never give the kiddies any breaks.
I like music
[shudder]
I greatly admire Theo's work. I just don't think you'd want two of him on the same project, maybe even the same planet.
--
--
E_NOSIG
well, duh. no networking, no services of any kind, and, well, that's it.
:)
if you don't have console access, you can't get into even the least secure minix box
- Entertaining Bits from the Ancient Kernel Tree
It blows the MS mechanism into tiny chunks.
:) You could also use one of the "console GUI" tools such as capt or aptitude, or an X-based tool like GnomeApt.
:)
Debian has apt, which has several advantages over Windows update:
1. Debian is mirrored on several zillion servers, so if one is slow or down, you can simply choose another. Route to MS gets messed up? Too bad for you...please hang up and try again.
2. You can update ALL of your packages, barring those you've had to compile from source, which, considering the sheer volume of Debian packages, =="not bloody many".
3. You can use it from the command line, which is a good idea if you're updating X-Windows
4. You don't have to do anything evil like run ActiveX controls to use apt-get.
5. Apt-get will let you upgrade the ENTIRE SYSTEM AT ONCE. Try using Windows update to move from NT 4.0 to Windows 2000 -- without even rebooting
WMBC freeform/independent online radio.
This reminded me of an experience I had about ten years ago. Right after college, I spent a few months working at a retail PC store while looking for a good engineering job. One day, a guy came in asking for advice on how he could keep his system secure while he was at work. He claimed that "they" were getting onto his PC, he knew this because files that were in one directory would be moved to another directory. I assumed that he was leaving his PC on so that he could dial into it from work but, when I mentioned this during the conversation, he told me that his PC was turned off all day. I explained that with no power, his HDD would not be spinning and there was no way that anyone could access it remotely. With a completely straight face he responded, "They can". He finally left relieved when I suggested that he unplug the phone line from the jack during the day.
Just wanted to let you know that power or not, "they" can still get at you.
Take a look at the BSD-derived OS shipped with the Sidewinder firewall, which they call SecureOSTM. Secure Computing has compartmentalization implemented in what they call Type Enforcement.
I do not deploy Linux. Ever.
Yet no distribution of linux is as secure as OpenBSD. Your entire line of reasoning is specious, and you conclusion is unwarranted.
Theo is correct. Security analysis is difficult - even most experienced programmers have no idea how to properly apply security in their code. "More eyes" in this case are largely irrelevant and maybe even detrimental if they don't know what they are doing.
In any case, it doesn't appear that the linux community has mustered "more eyes" than the OpenBSD team, and your presumption with regards to this is largely naive.
It doesn't change the fact that they achieved the rating, and that by following the same guidelines, someone else can have their installation certified.
It doesn't, because that fact doesn't exist.
Its been EVALUATED. Not certified.
And no, you can't have YOUR installation certified, either.
Additionally - the 3.5 (not 3.51) Certification - *was* without a network or a floppy drive.
I simply intended to show that NT4 can be made C2 compliant, and put an end to the 3.51/no floppy/no network anecdotes.
You were simply, wrong.
First - its 3.5. On 3 machines (2 x86, 1 Alpha) with a certain service pack. And no floppy, no network card. its not anecdotal. Go find the facts, and read them.
And the default of NT isn't complaint/certifiable. NT 4 has *never* been certified as C2 (Orange Book) secure.
And attempting to put an "end" to the factual complaints based on a badly flawed understanding is not a good idea.
Addison
Most secure OS my @$$. OpenVMS right out of the box is literally orders of magnitude more secure than any *nix. NO buffer overflow exploits (never had 'em, never will). NO means of gaining priviledged access from a nonprived account. NO means of cracking passwords in SYSUAF (thanks to a strong one-way hash). Heck, you need a prived account just to look at SYSUAF! The amazingingly TINY handfull of security wholes which have occassionally cropped up in VMS over the last 23 years have been promptly corrected.
The only ways to break into a VMS system are:
- "Social hacking" -- tricking someone into telling you their password or guessing at sites with poor password policies,
- Packet sniffing at sites where SSH and other secure connection techniques are not used (again, a policy issue),
- Gaining physical access to the console and using documented procedures for by-passing password protection.
That is all. Period. There are NO other ways. Zero. The same cannot be said of ANY other OS.And don't hand me the "closed-source, proprietary OS, security through obscurity" arguements. The OS is better documented than any other in the world (most of it available on the web), including the system internals. Source listings are available for a fee for every part of the OS except those portions related to license handling (for obvious reasons).
There should be a secure OS which can be used for a webserver (or similar) without any tweaking or installing additional software, which is secure out of the box.
Oh wait, there is, and it's called OpenBSD.
And I want security, and OpenBSD makes that possible with a default installation. This is why I downloaded and installed it in the first place. It was either that or FreeBSD (I was a linuxhead for a long time, used Slack, Redhat, and Debian) and security won. I do admin and analyst work for a living, I really don't want to come home and have to worry about if I got hax0r3d. I'd far and away prefer that some other people were going through code line by line for me. Hence, OpenBSD.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Sure, but the WOL feature doesn't wake up your system every time it sees a packet, or even every time it sees a packet which could conceivably be interpreted as belonging to it. If it did, no machine on a NetBIOS network would ever go to sleep, due to the dramatic quantity of broadcast traffic.
One of these days I need to look up what WOL DOES wake up on, and just what a "Magic Packet" entails.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I know this is flamebait-esque, but MacOS9 and below being secure is certainly an artifact of the OS just not doing that much.
UNIX has tended to run, as standard services, a much larger set of applications. Until recently Apples used only Appletalk to speak to one another, and TCP/IP to speak to the rest of the world (Or to NT boxen or Linux boxen which were willing to deal with them.) So there really wasn't any way to do anything to a Mac remotely.
MacOS is also a single-user operating system (Does that change in X?) with only a local login context. I'd guess there's a PC-Anywhere equivalent for it by now (Ah yes, VNC seems to be in beta) so there's another potential source of vulnerability. ph34r me as I hax0r your mac from my Wince handheld.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I know Karsten from the same online forums that we both knew Ed Curry from. Microsoft did a ton of stuff to him. Some of which simply cannot be sustantiated. For instance after his company was destroyed, at one point he got a job, then his boss' boss got a phone call from Microsoft, and his boss was ordered to fire him. Which kinda sucks when you are supporting a wife and kid.
.sig.
As for the current location of that online community, follow my
BTW a question you probably have right now is whether or not we can be believed. Well we both have sufficient credibility to be automatic +2's on this site, and in fact were among the first batch of moderators selected here. You could also do a Google search for either of us. Or look for Ed Curry.
Yeah, what happened to him is pretty astounding. The lack of press reporting on it is pathetic. But I assure you that the basic story is true.
Regards,
Ben
My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
Else Microsoft would be jumping up and down screaming about how they were really certified. Instead they play BS word games and nobody calls them on it. :-(
Regards,
Ben
My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
I am an InfoSec professional, but this is not professional advice. Moreover, I really like OpenBSD, so please don't take this as a BSD flame. :)
:)
The problem with buzzwords is that they so rarely mean what their obvious meaning is. When I see "secure by default", that tells me "I can install OpenBSD in its default install, throw Apache and my MTA-of-choice on it, and it'll still be safe". That's what secure by default suggests to me; that a clean install of the OS and the daemons you need to run your business will be secure, by default.
The problem with it is that this isn't anywhere near to the case. I've got lots of kudos for OpenBSD's large, distributed security audit. I think it's a brilliant idea, and I wouldn't mind seeing Linus say "okay, for the next six months all development is frozen and we're going to audit our codebase".
Unfortunately, security audits are not synonymous with security. (Trust me on this one.) Security is a process, not a product; it cannot be magically generated by anything, not even OpenBSD's vaunted audits. You run into Heisenberg's Catastrophe at some point--assuming that your auditing process was complete and accurate, your codebase is safe; but then you have to audit the audit process to make sure you didn't leave anything out... then you have to audit the audit of the audit... and so on.
These are the main problems with audits that I've found:
LIMITED MANPOWER. The scorn that Theo heaps on the Linux community is, in some sense, warranted. What Theo misses is that where Linux has a huge amount of manpower, mostly of limited skill, OpenBSD has a miniscule amount of manpower, mostly of fairly high skill.
The problem is that security audits are limited by manpower more than they are technical skill. A thousand coders of only amateur skill can go through code at a huge rate; it's not hard to spot unconstrained buffers (buffer overflows), pointers that never get free'd, etc. If they were only ten coders strong, it would not matter how much skill they had, they simply wouldn't have the manpower to do a thorough code review.
INCOMPLETE SECURITY AUDITS. OpenBSD's security audit means they have an extremely high-quality kernel and tools. When even ls has been audited, you know they're doing something. However, Apache, sendmail and other large programs have not been audited by the OpenBSD team. Putting an old, vulnerable version of Apache on an OpenBSD box exposes potential risk.
(Before the OpenBSD people accuse me of FUDding, let me emphasize potential. The root exploit against Apache/Linux might fail on Apache/OpenBSD, due to OpenBSD's security consciousness. The point here is not to say "Apache makes systems insecure"--it's to say that there are a lot of daemons running on modern boxen, and many of these daemons have not been audited.)
INCOMPETENT SYSTEM ADMINISTRATION. Most root exploits I've seen--regardless of operating system--have taken place due to incompetent system administrators. OpenBSD does some things right by shutting down all nonessential ports by default (as opposed to Red Hat, for instance), but these are just Band-Aid measures over the festering, necrotic wound of incompetent sysadmins.
INCONVENIENCE. One of the biggest motivations for people to bypass security precautions is that security is inconvenient. If a user bypasses a precaution, that's worse than if the precaution never existed in the first place. There's a difference between a sysadmin who says "all our passwords are secure, because we use shadow passwords and force our users to change them every month" and the sysadmin who says "I don't know if our passwords are secure, despite the precautions we take".
The former, more likely than not, has users who are so frustrated by the bondage-and-discipline security precautions that they leave their passwords on Post-It notes attached to their monitors. The latter probably has them, too, but at least isn't fooled into thinking he's safe.
OpenBSD has some very useful security precautions, yes--but the most useful precautions are those that are transparent to users (security audits, jailing daemons, etc). The more intrusive your security becomes, the greater the likelihood your own users are going to circumvent them.
LIMITED FEATURES. Remember that oftentimes security is enhanced by adding features. Adding ACLs, for instance, could be a boon to sysadmins everywhere and result in more secure boxen. Since OpenBSD's developers spend so much time auditing, though, they're significantly behind the pack when it comes to keeping current with other Unices.
... All that said, though, if I were setting up a network, all of my machines visible to the outside world (mailserver, webserver, etc.) would be running OpenBSD or Pit Bull or Trusted Solaris. Probably OpenBSD, due to the fact that I already know UNIX reasonably well and I don't need the bondage-and-discipline of Trusted Solaris (see "INCONVENIENCE" above).
I was at IWE along with Karsten and Ben, and held several conversations with Ed. His life was basically destroyed by Microsoft because he wanted to tell the truth.
Regards,
Regards,
-scott
While I did not chat with him extensively, I did see him on the forums, and watch as he attempted to salvage his career and finances from the savaging Microsoft gave him. I also read the report of his death, and grieved with the rest of the IWETHEYers. You can find us at IWETHEY
InThane
This is all kind of disheartening - 250 results, not a one really gives any information about what several people claim MS did to this man. And the only page that really mentioned his the cause of his death mentioned it because his lawsuit against MS was dropped because of it!
I was hoping that the IWETHEY users could give links to the archives, since I couldn't find anything after a fairly quick look - I concentrated more on the Google search. It's kind of sad that there doesn't seem to be anything on the web explaining what MS did - maybe someone should write something.
You are in a maze of twisty little relative jumps, all alike.
Just to add another voice to all those which have told you're full of jackpoo SuSE comes with a nice utility called YaST which stands for yet another setup tool. Has has several nice features such as system configuration and package handling. YaST which as of 6.4 comes in an X based GUI version (as opposed to ASCII GUI) which allows you to update your whole system from SuSE's ftp servers. I think YaST is a bit more useful than the Windows Update because it lets you control the package management better. The Windows Update won't run a conflict catcher like YaST does which sometimes causes problems with things. The only real important difference in my opinion is that Windows Update is web based because they have a browser that is tightly integrated with the OS which with monopoly argumentsaside is a good thing because it means less third party dependence.
I'm a loner Dottie, a Rebel.
The big VMS bug: DECnet.
While I love VMS, don't get me wrong, there are a lot of people out there with VMS boxen which have a DECnet daemon that has SYSPRV enabled.
This doesn't strike them as bad, until some user with NETMBX runs tell.com, runs authorize.exe through tell, and gets SETPRV. :)
That said, I'd rather run a webserver on VMS than any other OS. The ability to use ACLs to control access by CGIs to specific files is far too attractive; most *nix systems wind up having to grant world read/write access to things that CGIs generate, which is just dumb and bad.
Frankly, if you want security in VMS, you pretty much have to deny your users NETMBX and install individual applications with it. The problem is you have to install a lot of applications.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore