Slashdot Mirror


The World's Most Secure OS (?)

Anonymous Coward writes "Titled The World's Most Secure OS, this article in The Standard talks about what is needed to be "Secure by Default"" Probably the best OpenBSD article I've read in recent months. Theo doesn't pull his punches (then again, he never does), in particular, discounting the "more eyes means better security" philosophy. Then again, he's probably right. [ Update: noeld wrote in with a link to a similar article at rootprompt.org. Must be something in the water. ]

23 of 180 comments

  1. Mmmmm....OpenBSD by dragonfly_blue · · Score: 3
    I've been running it on my web server for Zarakas and Dragonfly Dynamix and my other domains for most of this year. I don't use X or anything, so it runs PHP, MySQL, SSL, and Apache just fine with a P-133 and 32 (!) MB RAM.

    For administration it's so nice to have SSH installed by default, so I don't have to worry about some kiddie on my LAN running a port sniffer on my telnet session. It's also kind of nice that it never crashes unless I do something particularly stupid (which I think I have thus far avoided, oh except for that time when I didn't have a swap partition.)

    Theo is certainly a character. His work speaks for itself.

    The mailing lists are just the way they should be; interesting, very technical, very easy to offend, and really amazingly helpful.

    I've also been pleased with the fact that IPSec is built right on in there, so when the time comes for me to play with VPNs, I'm already 90% of the way there.

    Now, whether or not I'd call OpenBSD user-friendly or easy to use, that's a different story. I guess I feel pretty good about having a Unix-y/BSD box around that makes me learn more CLI stuff every once in a while.

    --
    Free music from Jack Merlot.
  2. Default password bloopers by Lonesmurf · · Score: 4

    While on the whole, I don't agree with MS' practices (coding, design, law, etc.), I have to agree with them on the judgment they made the other day (or week, who am I to remember all this crazy tech news) with regard to the default password on SQLServer 7.0.

    There is a certain level of acquired knowledge and experience that I believe is necessary to work at the professional level; especially when it comes to the Internet and public software applications. One of the things that any admin knows (or at least should know!) is that you have a hard password and you change it often (I change mine on my server at home on a weekly basis).

    My point is this: while an NT admin (or MCSE brat; whatever is at hand) might be able to get away with using a software with a default password, and then blame it on MS, a REAL admin knows his/her system and knows better than to not change a password. BSD is not only more secure because the default install is smart, it is more secure because the user is too.

    BSD is secure because it is developed by security freaks that audit (and reaudit) the code looking for possible exploits and programming errors that could compromise a system. They have a zero tolerance stance when it comes to security, and I can do no more than commend them on this. Good job guys and gals, all of us BSDers are thankful and appreciative for all your hard work.

    Rami

  3. Linux distros could learn something by Ayon+Rantz · · Score: 3
    As a happy OpenBSD user, I must say that I'd love to see a Linux distro that looked like this.

    I use OpenBSD for my firewall/NAT box at home, and installation is dead-simple, quite painless, and only installs the bare basics - no need to sit through half an hour of clicking widgets to select packages.

    I like Linux - None of the BSDs have the software base that Linux has, and it's a lot speedier. I don't need the security for my X box - after all, it's behind the OBSD firewall, and SSH tunneling is my friend when I need to access it from the outside.

    What I'd like to see is a Linux distro which installed the bare basics - glibc, gcc, net-utils, bin-utils, file-utils, kernel, etc, X optional. Not something like Mandrake or Red Hat which has evil tendencies to put both GNOME and KDE on your box whether you want to or not.

    The closest thing I've come to this is following Linux From Scratch's excellent instructions and compiling the entire system from source - this is admittedly a lot of work, but at least you _know_ what's on your box when you install it, and you don't have to worry about vendor-specific kernel modifications and all that crap... And I ended up with a distro of <250MB after installing the most important things, including the full kernel source unpacked. This as opposed to the 800+ I had cluttering my disk after I put Mandrake 7 on it.

    So, distributors, are you listening? I think there would be quite a high demand for something like this, especially from power users... BareBones Linux, anyone?
    --
    Pokéthulhu
    Gotta catch you all!
    1. Re:Linux distros could learn something by samurphy21 · · Score: 3

      A bare install of linux without a lot of crap, huh? Sounds like Slackware to me. There's not a lot of RPM dependencies to worry about, if you just install the packages marked REQUIRED in sets A and N, then you've got a networked system with nothing on it but the bare minimum to run a functional linux system. Back in the day when the kernels were only up to 2.0.36 (last year, year before??) I was able to get a fully working Linux installation on my Commodore 386SX laptop, along with kernel source, on the 40MB HD and still have 5-10 megs to play with. Compiling the kernel was another story though, and it took so long I eventually wiped the source and compiled a kernel for it in 5-10 minutes on my K6-2 system :) I respect CmdrTaco and his opinions, but I don't think Slackware is only for those who have slackware already installed as he claims, but rather that it is for those who want a clean install without a lot of crap floating around. This includes Linux power users as well as those who are (for whatever reason) migrating from BSD to Linux. I started on linux, then migrated to BSD, but I still use linux quite frequently. I've tried Redhat, Debian, Mandrake and a couple others, but I always return to the tried and true Slackware. I love you Patrick Volkerding!

  4. Why don't other OSs profit from OpenBSD audits? by Leto2 · · Score: 5

    Every time I read on Bugtraq that "OpenBSD fixed this vulnerability five months ago through a standard audit", I wonder, why the heck don't they make this fix more public, so other OS's (freebsd, linux, whatever) can also profit from it.

    I'm not so paranoid to think that OpenBSD wants to keep their fixes to themselves, in order to stay "the most secure OS out there".

    So what is it then? Do other OS's developers just not look at the OpenBSD pages to see what's fixed?
    If it's a public tool (e.g. GNU), do the OpenBSD people submit a patch back?

    If the OpenBSD people keep up the good work, I think everyone can profit from it and then Bugtraq will read "Thanks to OpenBSD, all OS's fixed this vulnerability 5 months ago".

    --
    <grub> Reading /. at -1 is like driving through Cracktown in a convertible that is stuck in 1st
  5. Most Secure Well Known OS perhaps... by kabir · · Score: 5

    OpenBSD does an amazing job of presenting an extremely secure distribution, I will stipulate that right at the get go. I think it's a bit premature to say that it's the Most Secure OS though. There are a number of implementations of the DoD B1 security standard (as applies to operating systems, specifically) in the world - these include Trusted Solaris from Sun and PitBull from Argus Systems Group.

    Granted, these operating systems take a quite different approach to security (rather than requiring strict application audits as in OpenBSD they instead try to eliminate the need for such audits through strict kernel control manifested in a number of sneaky ways). These systems have been, and are currently, widely used by military, intelligence, financial, and, increasingly, high end e-commerce systems. In an attempt to increase public awareness and popularity of PitBull, Argus Systems Group has begun giving it away for non-commercial use. Anyone interested in high security servers is highly recommended to check it out. It's no holy grail, and by no means the right solution for every problem, but it is a very interesting take on the problem, and quite a different way of looking at system architecture and administration than most of us get exposed to on a regular basis.

    None of this is intended to steal OpenBSD's thunder - it's a great accomplishment, and far closer to existing operating environments than its B1 counterparts (which makes it more accessible, and more flexible). Often, a B1 system will be severe overkill (or just too much of a pain to configure and manage), where OpenBSD will just work. So I'm not saying that OpenBSD is no good, I'm just saying that choosing the "Most Secure OS" isn't quite so clear cut...

    Oh, BTW, there is a Trusted BSD project, but it's fairly young and as I understand it building a trusted OS is quite time consuming. When it's ready I think it will likely kick ass, but it may yet be a long way off.
    --
    Behold the Power of Cheese!
  6. Nexus by Lanir · · Score: 3

    There is a Linux distribution with much the same philosophy. It's still being worked on from my understanding of things, tho I'm not at all an authoritative source. The name of the distribution is Nexus and the website is here. As usual, the proper reply to "Why isn't there a widget for this?" is "Because you haven't written it yet." If you want this, help out and do what you can.

  7. Re:I wonder... by -brazil- · · Score: 5
    What makes it so hard for RedHat or any other company that produces Linux distros to come up with a super secure system like OpenBSD or FreeBSD?

    What makes OpenBSD so secure is not the lack of servers that are installed pointlessly. It's the very, very stringent auditing, the "we don't put it in unless we are 100% certain there are no buffer overflows in it" philosophy. And that philosophy is rather incompatible with the demands of your typical Distro's customer base that always wants all the newest gadgets and features to play around with.

    --

    The illegal we do immediately. The unconstitutional takes a little longer.
    --Henry Kissinger

  8. He didn't "discount the 'more eyes ..' philosophy" by msouth · · Score: 4
    Theo doesn't pull his punches (then again, he never does), in particular, discounting the "more eyes means better security" philosophy. Then again, he's probably right.

    If anything, he discounted the idea that more Linux users makes Linux more secure than OpenBSD. He says that most of these people can't write programs over 300 lines, and that they're no real help to the security of the system.

    But that doesn't discount the idea that, for a given system, more eyes make for better security. OpenBSD would be more secure if more people were doing the same thing that Theo does with it. Okay, there's a possibility of too many chefs spoiling the stew at some point, I guess, but in general I think that it's pretty clear that more eyes looking at a given system makes that system more secure than it would be with fewer eyes.

    Anyone arguing that any system Foo is more secure than any system Bar if more people are looking at Foo than at Bar has a problem with their logic. (And, granted, most people have a problem with logic.) Like one person posted, his system is pretty secure now that the power supply has failed...

    Rather than say that he discounts the "many eyes" argument, I would say that he brings out how important a few well-trained eyes spending a lot of time on a set of code can be. That's easy to forget (or to never know if all you know about writing code comes from reading ESR...).

    FWIW
    --
    Liberty uber alles.
  9. Theo's model working doesn't mean Linux's doesn't. by jht · · Score: 3

    Theo has a security audit model that works terrifically well - having trusted, talented people audit the crap out of the code and being real finicky about releases.

    The Linux model (and the generic Open Source model, at that), relies on a broad pool of users with code access reading and using it. A lot of bugs, many of them security-related, will be found this way.

    However, though security bugs will be found and fixed with the infinite-monkeys methodology, it does fall short on finding security issues proactively. You can find a lot of holes in that fashion, but to really ultra-secure an OS, you need people who are as freakish about security as Theo. The other side of that is that the users who seek out OpenBSD are also likely to be much smarter about security themselves.

    Linux is a reasonably secure OS for the "average" user, and the methodologies are adequate for the end result. The companies distributing the OS need to be more proactive about looking for holes, though - there's a lot of ways to root a Linux box, and the consequences of allowing it to happen are sufficiently high that it's worth more work to find holes before they get into the distro.

    Say what you will about Microsoft, but their Windows Update is a really nice mechanism for distributing patches and updates - none of the Linux vendors (even Mandrake) come close to that level of functionality. Most Slashdot readers will be fairly proactive about their boxes, but that doesn't mean all Linux users are like that. They need an easier way to patch and update their boxes when holes are found.

    - -Josh Turiel

    --
    -- Josh Turiel
    "2. Do not eat iPod Shuffle."
  10. Far From It. by tqbf · · Score: 4
    I have some respect for the effort that Theo and the auditors have put into reviewing OpenBSD. I was peripherally involved in the project for about a year, and wrote most of their advisories. I also know Theo personally and have great respect for his technical acumen.

    However, the notion that OpenBSD is the "most secure OS", or even the "most secure OS in common use", is absurd. Nor is it the most secure OS "out of the box". Rather, it is the leader in out-of-the-box security in a rather narrow set of popular, open-source, Unix-like operating systems.

    There have been commercially-available mandatory access control Unix-based operating systems on the market for years. The "trusted" variants of the commercial Unices are great examples. These operating systems get their security from the compartmental design of the system, and are thus largely immune to (unavoidable) trivial programmer errors.

    A great microcosm of this same competition exists in the free SMTP MTA's. Modern, secure mail transports are written in a compartmentalized fashion, so that a bug in one subsystem doesn't compromise the whole thing, or worse, the whole OS it runs on. Systems like Venema's Postfix and Dan Bernstein's qmail (which has never had a published security hole) are examples of this design.

    Meanwhile, legacy MTA's like Sendmail and Exim remain popular, despite a history of insecurity. Sendmail's authors would happily claim that, after literally decades of audit, it is secure despite a monolithic design. Nobody that takes security seriously buys this argument anymore, though, because effective alternatives exist that are built on a more secure design. So what's the difference between Sendmail and OpenBSD? Well, OpenBSD is orders of magnitude more complex and has had less than 10% of the long-term attention that Sendmail has had.

    Calling OpenBSD "secure" in light of competition from Argus Secure Solaris or even wrapper systems like SeOS is not much better than pitting Sendmail against qmail.

    It's definitely true that in practical terms, OpenBSD is a more trustworthy distribution of free Unix code than Red Hat Linux. However, with very few exceptions, OpenBSD's design remains stagnant and embraces an obviously-inferior security model. Who do you expect to implement compartmentalization and Mandatory Access Control first, OpenBSD or Linux?

    My money is not on OpenBSD in the long run.

  11. Re:What is security, anyway? by Wheely · · Score: 3

    Actually, C1 is higher than C2. B1 and B2 exist as well (I have worked on the development of a B2 secure unix with some B1 features) and all the common "secure" operating systems struggle to maintain C2 level security. To say that any of the mainstream operating systems are the most secure in the world is bizarre.

    Regards

  12. NT4 *not* C2 certified by KMSelf · · Score: 5

    If you read the Microsoft NT C2 Configuration article closely, with comprehension, you'll find that it speaks of NT 4.0 being evaluated, but never certified, as being C2 compliant. This was addressed in this BugTraq post. Believe you me, if NT 4.0 had been certified, Microsoft would be singing it to the heavens. But they don't want you to know that. You'll also note that "The C2 Administrator's and User's Security Guide" is itself a MS Windows executable (http://www.microsoft.com/technet/security/exe/C2SecGuide.exe), hardly the most secure and safe way to transmit data around the Internet. Anyone got an open-standards version of this document?

    They also don't want you to know about the man they killed after he first got WinNT 3.51 C2 certified, then told Microsoft that it would not be possible to get C2 certification for WinNT 4.0. Ed Curry, military man, NSA-certified technician, and a former independent contractor for Microsoft first had his business, health, and ultimately life destroyed. I knew Ed only from online encounters in Nick Petreley's InfoWorld forums, but the man was a friend, willing and capable of sharing fascinating information. Ed Curry died in December of 1999 of a stress-induced stroke. He is survived by a wife and young daughter.

    What part of "Gestalt" don't you understand?

    --

    What part of "gestalt" don't you understand?

    1. Re:NT4 *not* C2 certified by Animats · · Score: 5
      OK. Here's NSA's official list of certified products, with the NSA Trusted System logo one very seldom sees. NT 4.0 with Service Pack 6A and additional "C2" fixes made the list, at the lowest evaluated level, after four years of work. That's not much of an achievement.

      NSA's computer security evaluation program hasn't been very popular. NSA also evaluates security equipment like padlocks and safes, and back in the '80s when they started evaluating computer systems, they thought much the same approach would work. Early on, evaluations were conducted by in-house NSA staff, under a "two-try" system; the system was evaluated once, and if it didn't pass but looked promising, the vendor was given hints on what to fix. The second try was pass/fail; no further tries were allowed. It wasn't considered the job of the evaluation team to debug the system.

      The current scheme is much more vendor-friendly. Evaluation is usually done by outside contractors paid by the vendor. The vendor can keep trying to pass as long as they pay the vendor. NSA then reviews the evaluation. That's how NT 4 got through.

      Even under the same criteria, the new approach is much easier to pass. Under the old scheme, vendors didn't go for evaluation until they were really confident of their ability to pass, since outright rejection was possible. Now, vendors can submit whatever they've got and keep debugging until they wear down the evaluation contractor. That's not good. Note that it took Microsoft years of trying to get NT 4 through.

      C2 is a very low standard. Nothing below B2 is really serious. It's embarrassing that NT can't make C2 out of the box.

      The list is depressing. Little has been added in recent years. The security properties of commercial products are so weak today that it's embarrassing. Yes, the criteria are dated, but that's not the big problem.

  13. Debian does not "come close" by autechre · · Score: 3

    It blows the MS mechanism into tiny chunks.

    Debian has apt, which has several advantages over Windows update:

    1. Debian is mirrored on several zillion servers, so if one is slow or down, you can simply choose another. Route to MS gets messed up? Too bad for you...please hang up and try again.

    2. You can update ALL of your packages, barring those you've had to compile from source, which, considering the sheer volume of Debian packages, =="not bloody many".

    3. You can use it from the command line, which is a good idea if you're updating X-Windows :) You could also use one of the "console GUI" tools such as capt or aptitude, or an X-based tool like GnomeApt.

    4. You don't have to do anything evil like run ActiveX controls to use apt-get.

    5. Apt-get will let you upgrade the ENTIRE SYSTEM AT ONCE. Try using Windows update to move from NT 4.0 to Windows 2000 -- without even rebooting :)

    --
    WMBC freeform/independent online radio.
  14. The "fact" doesn't exist. by addison · · Score: 3

    It doesn't change the fact that they achieved the rating, and that by following the same guidelines, someone else can have their installation certified.

    It doesn't, because that fact doesn't exist.

    It's been EVALUATED. Not certified.

    And no, you can't have YOUR installation certified, either.

    Additionally - the 3.5 (not 3.51) Certification - *was* without a network or a floppy drive.

    I simply intended to show that NT4 can be made C2 compliant, and put an end to the 3.51/no floppy/no network anecdotes.

    You were, simply, wrong.

    First - it's 3.5. On 3 machines (2 x86, 1 Alpha) with a certain service pack. And no floppy, no network card. It's not anecdotal. Go find the facts, and read them.

    And the default of NT isn't compliant/certifiable. NT 4 has *never* been certified as C2 (Orange Book) secure.

    And attempting to put an "end" to the factual complaints based on a badly flawed understanding is not a good idea.

    Addison

  15. Pleeeeeeaaaase.... by Anonymous Coward · · Score: 3

    Most secure OS my @$$. OpenVMS right out of the box is literally orders of magnitude more secure than any *nix. NO buffer overflow exploits (never had 'em, never will). NO means of gaining privileged access from a nonprived account. NO means of cracking passwords in SYSUAF (thanks to a strong one-way hash). Heck, you need a prived account just to look at SYSUAF! The amazingly TINY handful of security holes which have occasionally cropped up in VMS over the last 23 years have been promptly corrected.

    The only ways to break into a VMS system are:

    • "Social hacking" -- tricking someone into telling you their password or guessing at sites with poor password policies,
    • Packet sniffing at sites where SSH and other secure connection techniques are not used (again, a policy issue),
    • Gaining physical access to the console and using documented procedures for by-passing password protection.
    That is all. Period. There are NO other ways. Zero. The same cannot be said of ANY other OS.

    And don't hand me the "closed-source, proprietary OS, security through obscurity" arguments. The OS is better documented than any other in the world (most of it available on the web), including the system internals. Source listings are available for a fee for every part of the OS except those portions related to license handling (for obvious reasons).

  16. It's for real by tilly · · Score: 5

    I know Karsten from the same online forums that we both knew Ed Curry from. Microsoft did a ton of stuff to him. Some of which simply cannot be substantiated. For instance after his company was destroyed, at one point he got a job, then his boss' boss got a phone call from Microsoft, and his boss was ordered to fire him. Which kinda sucks when you are supporting a wife and kid.

    As for the current location of that online community, follow my .sig.

    BTW a question you probably have right now is whether or not we can be believed. Well we both have sufficient credibility to be automatic +2's on this site, and in fact were among the first batch of moderators selected here. You could also do a Google search for either of us. Or look for Ed Curry.

    Yeah, what happened to him is pretty astounding. The lack of press reporting on it is pathetic. But I assure you that the basic story is true.

    Regards,
    Ben

    --
    My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
  17. OpenBSD is *not* "secure by default"... by rjh · · Score: 3

    I am an InfoSec professional, but this is not professional advice. Moreover, I really like OpenBSD, so please don't take this as a BSD flame. :)

    The problem with buzzwords is that they so rarely mean what their obvious meaning is. When I see "secure by default", that tells me "I can install OpenBSD in its default install, throw Apache and my MTA-of-choice on it, and it'll still be safe". That's what secure by default suggests to me; that a clean install of the OS and the daemons you need to run your business will be secure, by default.

    The problem with it is that this isn't anywhere near to the case. I've got lots of kudos for OpenBSD's large, distributed security audit. I think it's a brilliant idea, and I wouldn't mind seeing Linus say "okay, for the next six months all development is frozen and we're going to audit our codebase".

    Unfortunately, security audits are not synonymous with security. (Trust me on this one.) Security is a process, not a product; it cannot be magically generated by anything, not even OpenBSD's vaunted audits. You run into Heisenberg's Catastrophe at some point--assuming that your auditing process was complete and accurate, your codebase is safe; but then you have to audit the audit process to make sure you didn't leave anything out... then you have to audit the audit of the audit... and so on.

    These are the main problems with audits that I've found:

    LIMITED MANPOWER. The scorn that Theo heaps on the Linux community is, in some sense, warranted. What Theo misses is that where Linux has a huge amount of manpower, mostly of limited skill, OpenBSD has a minuscule amount of manpower, mostly of fairly high skill.

    The problem is that security audits are limited by manpower more than they are technical skill. A thousand coders of only amateur skill can go through code at a huge rate; it's not hard to spot unconstrained buffers (buffer overflows), pointers that never get free'd, etc. If they were only ten coders strong, it would not matter how much skill they had, they simply wouldn't have the manpower to do a thorough code review.

    INCOMPLETE SECURITY AUDITS. OpenBSD's security audit means they have an extremely high-quality kernel and tools. When even ls has been audited, you know they're doing something. However, Apache, sendmail and other large programs have not been audited by the OpenBSD team. Putting an old, vulnerable version of Apache on an OpenBSD box exposes potential risk.

    (Before the OpenBSD people accuse me of FUDding, let me emphasize potential. The root exploit against Apache/Linux might fail on Apache/OpenBSD, due to OpenBSD's security consciousness. The point here is not to say "Apache makes systems insecure"--it's to say that there are a lot of daemons running on modern boxen, and many of these daemons have not been audited.)

    INCOMPETENT SYSTEM ADMINISTRATION. Most root exploits I've seen--regardless of operating system--have taken place due to incompetent system administrators. OpenBSD does some things right by shutting down all nonessential ports by default (as opposed to Red Hat, for instance), but these are just Band-Aid measures over the festering, necrotic wound of incompetent sysadmins.

    INCONVENIENCE. One of the biggest motivations for people to bypass security precautions is that security is inconvenient. If a user bypasses a precaution, that's worse than if the precaution never existed in the first place. There's a difference between a sysadmin who says "all our passwords are secure, because we use shadow passwords and force our users to change them every month" and the sysadmin who says "I don't know if our passwords are secure, despite the precautions we take".

    The former, more likely than not, has users who are so frustrated by the bondage-and-discipline security precautions that they leave their passwords on Post-It notes attached to their monitors. The latter probably has them, too, but at least isn't fooled into thinking he's safe.

    OpenBSD has some very useful security precautions, yes--but the most useful precautions are those that are transparent to users (security audits, jailing daemons, etc). The more intrusive your security becomes, the greater the likelihood your own users are going to circumvent them.

    LIMITED FEATURES. Remember that oftentimes security is enhanced by adding features. Adding ACLs, for instance, could be a boon to sysadmins everywhere and result in more secure boxen. Since OpenBSD's developers spend so much time auditing, though, they're significantly behind the pack when it comes to keeping current with other Unices.

    ... All that said, though, if I were setting up a network, all of my machines visible to the outside world (mailserver, webserver, etc.) would be running OpenBSD or Pit Bull or Trusted Solaris. Probably OpenBSD, due to the fact that I already know UNIX reasonably well and I don't need the bondage-and-discipline of Trusted Solaris (see "INCONVENIENCE" above). :)

  18. It's not a lie or disinformation. by malraux · · Score: 4

    I was at IWE along with Karsten and Ben, and held several conversations with Ed. His life was basically destroyed by Microsoft because he wanted to tell the truth.


    Regards,

    --


    Regards,
    -scott
  19. Yet another "Ed Curry is real" post. by InThane · · Score: 3

    While I did not chat with him extensively, I did see him on the forums, and watch as he attempted to salvage his career and finances from the savaging Microsoft gave him. I also read the report of his death, and grieved with the rest of the IWETHEYers. You can find us at IWETHEY

    --
    InThane
    1. Re:Yet another "Ed Curry is real" post. by InThane · · Score: 3

      Well, the original forums, on Infoworld Electric, were taken down. There are archives there, but they are not currently searchable. You can also do a Google search on Ed Curry, and come up with a bunch of relevant documents. I had some set up in a post, but my browser dumped on me, so the only pointer I have right now is

      http://foundation.geneseo.edu/scholarships/scholarlist.html

      which points to a $500 scholarship established in his memory.

      Most of the relevant Ed Curry posts occurred in the old Infoworld Electric forums, which, unfortunately, aren't easily searchable any more.

      --
      InThane
    2. Re:Yet another "Ed Curry is real" post. by Alorelith · · Score: 3

      Try checking out this site for more info.