Slashdot Mirror


OpenBSD 3.5 Reviewed

eeg3 writes "NewsForge has a review of OpenBSD 3.5. It encompasses a fair amount of information; more specifically, it details security, cryptography, installation, and new features." While not afraid to point out OpenBSD's shortcomings as a desktop OS, it's still a good tour of possibly the most secure OS. NewsForge and Slashdot are both owned by OSDN.

5 of 81 comments

  1. Re:Question by Creepy+Crawler · Score: 4, Informative

    ---Is what you're saying that a little less security is okay if it's more usable? If so, why isn't Windows given a little more credit?

    Hmmmm, interesting question. Let me present you with problems that I've not found Windows to handle.

    1: Allowing a graphical interface but NOT allowing 3D graphics card operations to be used (simple with X: deny access to DRI)

    2: Allowing programs from remote TRUSTED computers to have their graphical output displayed locally. (X was made for this exact purpose)

    3: Making user accounts with almost no permission to the local computer (remote mounted directory trees)

    4: The ability to have an extremely fine-grained system security model (NSA patches, now in the 2.6 kernel)

    5: Being able to fix terminal (as in bad) errors within your servers without having to rely on external help (Domain Admin accounts either locked out or scrambled in Win2k3; no known way to harvest them other than a full reinstall)

    6: Does not need a desktop environment to run. Just open the X server instead and have it load the program needed for work.

    7: Can be done on an X terminal or a bare-bones PC with a network connection. I know of no Windows OS of which this can be said.

    I'm sure there's more... but oh well ;)

    --
  2. Re:Question by Anonymous Coward · Score: 5, Informative

    "The BSDs tend to lack the hardware support of Linux too and other things that just make Linux nicer for desktops."

    Let me think of how to put this in a nice way...

    BZZZZZZZZT! Try again. BSD usually has the hardware support before Linux has it; off the top of my head I can think of USB2 and FireWire.

    Happy trolling!

  3. Re:Question by Creepy+Crawler · Score: 2, Informative

    Very valid questions... But I'm a consultant.

    I service mainly Small Business Owners with IT advice, equipment, installation, and integration of said equipment.

    When a business owner says they're having a problem with a User on a Linux desktop playing 3d games on work computers, I respond with the correct way to deal with it. I do not lecture how good/bad the owner is handling business, or other "moral" concerns.

    And yes, it doesn't stop Flash games, or other nuisance games... Just stopping 3D-based hardware acceleration stops a large class of games. But that part is just that... A PART in stopping game playing.

    And if I had a business with more than 2 people (I have a hired worker, on call mostly), as long as said work is done, I'd not have a problem letting a salaried worker either play games or go home. As long as they're not breaking any laws (no matter how asinine some are) I really don't mind.

    Case in point: I'm pretty lenient. Some small business owners I do work for aren't.

    --
  4. Re:Question by Foolhardy · Score: 2, Informative

    "The UNIX security model is much easier to grasp and implement than whatever MS kludged together in the various pro versions of their environment."

    I don't find the NT security model to be hard to understand; what don't you understand? It hasn't changed much since the first version.

    "There's no such thing as chroot/jail in Windows, is there?"

    Yes, they are called sessions. Each session has a set of symbolic links in the Object Manager that connect devices to a session's namespace. The Object Manager is like Linux's VFS. Change/delete those links and Win32 can't get to the devices they point to. For example, if you changed the C: -> \Device\HarddiskVolume1 link to point to \Device\HarddiskVolume1\MyDir, processes in that session cannot access files outside of \MyDir.

    "I'm perfectly aware that an XP registry is rife with cryptic and multiply overridden account policy keys that only a specialized enterprise admin might make something out of (that's probably why SPs often FSCK up deployed servers...)."

    Are you saying that group policies are cryptic, despite the paragraphs per entry in the description tab? Here is how policy overriding works. Group policies applied from the domain always replace local settings; they would be useless without this. Computer policies override user policies in a single GPO object when a conflict exists. When you connect GPO objects to an organizational object you get to pick what order the GPOs are applied in. When in doubt, look up the "Effective Policy" in Local Security Policy. Policies overwrite each other; redundant entries are not created.

    Personally, I haven't had any problems with service packs.

    "When a security hole exposes a 'nobody' or 'www' jailed server I can patch it in no time, being 100% sure the only service involved is the one I'm working on; sometimes I go to the point of duplicating shared libs (openssl) for the various servers... Windows is unsafe because of sloppy code and also because it has a byzantine security model."

    If I had an unprivileged local service breached on an NT machine, the only thing I would worry about is local exploits, same as on a UNIX. You can duplicate libraries if you want, but that's a bit pointless.

    The security model is just different, not bad.
  5. Re:different solutions for different problems by Anonymous Coward · Score: 2, Informative

    Actually, you are completely wrong. OpenBSD's performance is on par with NetBSD, Linux and FreeBSD 4 (FreeBSD 5 is still noticeably slower than the others); benchmark it for yourself.

    And OpenBSD is more secure than another OS doing the same job, whether it be serving web pages or whatever. Apart from code audits, there's stuff like removal of most setuid root apps, privilege separation in everything from syslogd to tcpdump, W^X, ProPolice, non-executable stack and heap, malloc and mmap randomization, stricter malloc/free checking than shit like glibc, strlcpy/strlcat and friends that glibc are too dense to add, swap encryption, and I am probably forgetting stuff.

    To sum up, you are a moron; don't spew bullshit without learning the facts.
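The strlcpy/strlcat point in the comment above, as an added example that is not from the thread and not OpenBSD's own libc code: a reimplementation of the two functions with the OpenBSD return-value contract (the result is the length the string would have had, so a result >= the buffer size means truncation), a caller that treats truncation as an error instead of silently using a clipped path, and beside it a check showing why strncpy(3) is not a substitute. The names xstrlcpy, xstrlcat, build_path, strncpy_leaves_unterminated and the sample paths are this example's own; the x prefix only avoids clashing with a libc that already provides strlcpy.

```c
/* Added example (not from the Slashdot thread or OpenBSD's libc):
 * OpenBSD-style strlcpy/strlcat semantics and the truncation check
 * a caller has to make. Names prefixed with x are this example's own. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst (dsize bytes). Always NUL-terminates when dsize > 0.
 * Returns strlen(src); a return value >= dsize means the copy was truncated. */
size_t xstrlcpy(char *dst, const char *src, size_t dsize)
{
    const char *s = src;
    size_t n = dsize;

    if (n != 0) {
        while (--n != 0) {
            if ((*dst++ = *s++) == '\0')
                return (size_t)(s - src - 1);   /* fit, including NUL */
        }
        *dst = '\0';          /* ran out of room: terminate anyway */
    }
    while (*s++)              /* count the rest so the caller sees the need */
        ;
    return (size_t)(s - src - 1);
}

/* Append src to the NUL-terminated string in dst (dsize bytes total).
 * Returns strlen(initial dst) + strlen(src); >= dsize means truncation. */
size_t xstrlcat(char *dst, const char *src, size_t dsize)
{
    const char *odst = dst;
    const char *osrc = src;
    size_t n = dsize;
    size_t dlen;

    while (n-- != 0 && *dst != '\0')   /* find end of dst, bounded by dsize */
        dst++;
    dlen = (size_t)(dst - odst);
    n = dsize - dlen;
    if (n == 0)                         /* dst not even terminated in dsize */
        return dlen + strlen(src);

    while (*src != '\0') {
        if (n != 1) {                   /* leave room for the NUL */
            *dst++ = *src;
            n--;
        }
        src++;
    }
    *dst = '\0';
    return dlen + (size_t)(src - osrc);
}

/* Build dir/file into dst. Returns 0 on success, -1 if any step truncated;
 * a truncated path is never used, because "/usr/local/etc/" is not the
 * file the caller asked for. */
int build_path(char *dst, size_t dsize, const char *dir, const char *file)
{
    if (xstrlcpy(dst, dir, dsize) >= dsize)
        return -1;
    if (xstrlcat(dst, "/", dsize) >= dsize)
        return -1;
    if (xstrlcat(dst, file, dsize) >= dsize)
        return -1;
    return 0;
}

/* Contrast: strncpy(3) pads but does not guarantee a terminator.
 * Returns 1 if the 16-byte buffer ends up with no NUL in its first dsize bytes. */
int strncpy_leaves_unterminated(const char *src, size_t dsize)
{
    char buf[16];
    if (dsize > sizeof buf)
        dsize = sizeof buf;
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, dsize);
    return memchr(buf, '\0', dsize) == NULL;
}

int main(void)
{
    char path[16];   /* deliberately small buffer (constructed sample) */

    if (build_path(path, sizeof path, "/etc", "passwd") == 0)
        printf("ok: %s\n", path);
    if (build_path(path, sizeof path, "/usr/local/etc", "sshd_config") < 0)
        printf("truncated to \"%s\", refusing to use it\n", path);
    printf("strncpy left buffer unterminated: %d\n",
           strncpy_leaves_unterminated("0123456789abcdef", 16));
    return 0;
}
```

The security-relevant habit is the comparison against dsize after every call: strlcpy/strlcat never overflow, but they will happily hand back a shorter string than was asked for, and it is the caller's job to notice.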