The World's Most Secure OS

Anonymous Coward writes "Titled The World's Most Secure OS, this article in The Standard talks about what is needed to be "Secure by Default"" Probably the best OpenBSD article I've read in recent months. Theo doesn't pull his punches (then again, he never does), in particular, discounting the "more eyes means better security" philosophy. Then again, he's probably right. [ Update: noeld wrote in with a link to a similar article at rootprompt.org. Must be something in the water. ]

Why don't other OSs profit from OpenBSD audits?

[Leto2]

Everytime I read op Bugtraq that "OpenBSD fixed this vulnerability five months ago through a standard audit", I wonder, why the heck don't they make this fix more public, so other OS's (freebsd, linux, whatever) can also profit from it.

I'm not so paranoid to think that OpenBSD wants to keep their fixes to themselves, in order to stay "the most secure OS out there".

So what is it then? Do other OS's developers just don't look at the OpenBSD pages to see what's fixed?
If it's a public tool (e.g. GNU), do the OpenBSD people submit a patch back?

If the OpenBSD keep up the good work, I think everyone can profit from it and then Bugtraq will read "Thanks to OpenBSD, all OS's fixed this vulnerability 5 months ago"

Most Secure Well Known OS perhaps...

[kabir]

OpenBSD does an amazing job of presenting an extremely secure distribution, I will stipulate that right at the get go. I think it's a bit premeture to say that it's the Most Secure OS though. There are a number of implimentation of the DoD B1 security standard (as applies to operating systems, specifically) in the world - these include Trusted Solaris from Sun and PitBull from Argus Systems Group.

Granted, these operating systems take a quite different approach to security (rather than requiring strict application audits as in OpenBSD they instead try to eliminate the need for such audits through strict kernel control manifested in a number of sneaky ways). These systems have been, and are currently widely used by military, intelligence, financial, and, increasingly, high end e-commerce systems. In an attempt to increase public awareness and popularity of PitBull Argus Systems Group has begun giving it away for non-commercial use. Anyone interested in high security servers is highly recommended to check it out. It's no holy grail, and by no means the right solution for every problem, but it is a very interesting take on the problem, and quite a different way of looking at system architecture and administration than most of us get exposed to on a regular basis.

None of this is intended to steal OpenBSD's thunder - it's a great accomplishment, and far closer to existing operating environments than it's B1 counterparts (which makes it more accessable, and more flexable). Often, a B1 system will be severe overkill (or just too much of a pain to configure and manage), where OpenBSD will just work. So I'm not saying that OpenBSD is no good, I'm just saying that choosing the "Most Secure OS" isn't quite so clear cut...

Oh, BTW, there is a Trusted BSD project, but it's fairly young and as I understand it building a trusted OS is quite time consuming. When it's ready I think it will likely kick ass, but it may yet be a long way off.
--

Re:I wonder...

[-brazil-]

What makes it so hard for RedHat or any other company that produces Linux distros to come up with a super secure system like OpenBSD or FreeBSD?

What makes OpenBSD so secure is not the lack of severs that are installed pointlessly. It's the very, very stringent auditing, the "we don't put it in unless we are 100% certain there are no buffer overflows in it" philosophy. And that philosophy is rather incompatible with the demands of your typical Distro's customer base that always wants all the newest gadgets and features to play around with.

NT4 *not* C2 certified

[KMSelf]

If you read the Microsoft NT C2 Configuration article closely, with comprehension, you'll find that it speaks of NT 4.0 being evaluated, but never certified, as being C2 compliant. This was addressed in this BugTraq post. Believe you me, if NT 4.0 had been certified, Microsoft would be singing it to the heavens. But they don't want you to know that. You'll also note that "The C2 Administrator's and User's Security Guide" is itself a MS Windows executable (http://www.microsoft.c om/technet/security/exe/C2SecGuide.exe), hardly the most secure and safe way to transmit data around the Internet. Anyone got an open-standards version of this document?

They also don't want you to know about the man they killed after he first got WinNT 3.51 C2 certified, then told Microsoft that it would not be possible to get C2 certification for WinNT 4.0. Ed Curry, military man, NSA-certified technician, and a former independent contractor for Microsoft first had his business, health, and ultimately life destroyed. I knew Ed only from online encounters in Nick Petreley's InfoWorld forums, but the man was a friend, willing and capable of sharing fascinating information. Ed Curry died in December of 1999 of a stress-induced stroke. He is survived by a wife and young daughter.

What part of "Gestalt" don't you understand?

Re:NT4 *not* C2 certified

[Animats]

OK. Here's NSA's official list of certified products, with the NSA Trusted System logo one very seldom sees. NT 4.0 with Service Pack 6A and additional "C2" fixes made the list, at the lowest evaluated level, after four years of work. That's not much of an achievement.

NSA's computer security evaluation program hasn't been very popular. NSA also evaluates security equipment like padlocks and safes, and back in the '80s when they started evaluating computer systems, they thought much the same approach would work. Early on, evaluations were conducted by in-house NSA staff, under a "two-try" system; the system was evaluated once, and if it didn't pass but looked promising, the vendor was given hints on what to fix. The second try was pass/fail; no further tries were allowed. It wasn't considered the job of the evaluation team to debug the system.

The current scheme is much more vendor-friendly. Evaluation is usually done by outside contractors paid by the vendor. The vendor can keep trying to pass as long as they pay the vendor. NSA then reviews the evaluation. That's how NT 4 got through.

Even under the same criteria, the new approach is much easier to pass. Under the old scheme, vendors didn't go for evaluation until they were really confident of their ability to pass, since outright rejection was possible. Now, vendors can submit whatever they've got and keep debugging until they wear down the evaluation contractor. That's not good. Note that it took Microsoft years of trying to get NT 4 through.

C2 is a very low standard. Nothing below B2 is really serious. It's embarassing that NT can't make C2 out of the box.

The list is depressing. Little has been added in recent years. The security properties of commercial products are so weak today that it's embarassing. Yes, the criteria are dated, but that's not the big problem.

It's for real

[tilly]

I know Karsten from the same online forums that we both knew Ed Curry from. Microsoft did a ton of stuff to him. Some of which simply cannot be sustantiated. For instance after his company was destroyed, at one point he got a job, then his boss' boss got a phone call from Microsoft, and his boss was ordered to fire him. Which kinda sucks when you are supporting a wife and kid.

As for the current location of that online community, follow my .sig.

BTW a question you probably have right now is whether or not we can be believed. Well we both have sufficient credibility to be automatic +2's on this site, and in fact were among the first batch of moderators selected here. You could also do a Google search for either of us. Or look for Ed Curry.

Yeah, what happened to him is pretty astounding. The lack of press reporting on it is pathetic. But I assure you that the basic story is true.

Regards,
Ben