Slashdot Mirror

← Back to Stories (view on slashdot.org)

Are the BSDs Dying? Some Security Researchers Think So (csoonline.com)

Posted by msmash on from the closer-look dept.

itwbennett writes: The BSDs have lost the battle for mindshare to Linux, and that may well bode ill for the future sustainability of the BSDs as viable, secure operating systems, writes CSO's JM Porup. The reason why is a familiar refrain: more eyeballs mean more secure code. Porup cites the work of Ilja von Sprundel, director of penetration testing at IOActive, who, noting the "small number of reported BSD kernel vulnerabilities compared to Linux," dug into BSD source code. His search 'easily' turned up about 115 kernel bugs. Porup looks at the relative security of OpenBSD, FreeBSD and NetBSD, the effect on Mac OS, and why, despite FreeBSD's relative popularity, OpenBSD may be the most likely to survive.

19 of 196 comments (clear)

  1. BSD is Dying? by sconeu · · Score: 5, Funny

    I won't believe it until Netcraft confirms it!

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:BSD is Dying? by Netcraft+Confirms+It · · Score: 5, Funny

      I'm sad to say it's true.

    2. Re:BSD is Dying? by Daetrin · · Score: 5, Funny

      This is what happens when we complain too much about the quality of recent posts. They dig up some "BSD is dying" article to try and make us feel all warm and fuzzy from the nostalgia.

      --
      This Space Intentionally Left Blank
    3. Re:BSD is Dying? by Bruce+Perens · · Score: 3, Funny

      My sinister viral GPL cabal has been successful! Baw ha ha ha ha :-)

      --
      Bruce Perens.
  2. MacOS X? by Kenja · · Score: 4, Interesting

    While not an "official" BSD, OS X is based on NeXT which is based on BSD and it uses the MACH kernel.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  3. Hogwash by thegarbz · · Score: 4, Funny

    The authorities here on Slashdot have repeatedly said that right now was the golden age of BSD due to Debian's adoption systemd. There are no Linux users left. BSD is the only system that remains in widespread use.

  4. "more eyeballs mean more secure code"?! by Anonymous Coward · · Score: 5, Insightful

    The reason why is a familiar refrain: more eyeballs mean more secure code.

    After Heartbleed and the other issues affecting OpenSSL, and Shellsheck affecting bash, why the hell would anyone still be pushing this disproven "more eyeballs" narrative?!

    The OpenBSD project proves that security doesn't come from "more eyeballs". It comes from having software developers who know what they're doing, and who take their work very seriously, and who show immense discipline, and who don't put up with bullshit, and who put security first and foremost.

    You could have two million "eyeballs" of offshore "programmers" in India looking at some code, and it will likely still end up being much less secure than code doing the same work but written by a couple of OpenBSD's developers.

    Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.

    1. Re: "more eyeballs mean more secure code"?! by Anonymous Coward · · Score: 3, Interesting

      Give us links to each and every one of those bug reports so we can judge the severity of these alleged bugs on our own. If the BSD devs aren't fixing them it's probably because they're very minor bugs, or perhaps aren't even valid bugs to begin with.

    2. Re:"more eyeballs mean more secure code"?! by Hylandr · · Score: 5, Insightful

      Why the hell would anyone still be pushing this disproven "more eyeballs" narrative?!

      It's important to not that if there weren't eyeballs on the code we would never have known about the vulnerabilities to fix to begin with.

      They would have only been discovered and exploited by the malicious and never disclosed unless the attack was discovered while the company responsible would spin the issue and would ( in most cases ) not spend the money to secure other installations.

      Because flaws cannot be hidden, overlooked or covered up, researchers and other interested parties can perform their own independent audit of the software powering their systems.

      -- More eyeballs does in fact mean more secure code. -- Think of it as a global oversight committee.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    3. Re:"more eyeballs mean more secure code"?! by Anonymous Coward · · Score: 5, Insightful

      That comment is neither interesting nor insightful. It's just pushing the age old misrepresentation of the quote.

      Many eyeballs makes all bugs shallow does not - and have never - meant that there will be no bugs, or that they will not lie dormant for a potentially long time. It simply refers to the fact the the more eyes that see a bug, the quicker someone will come up with a fix. Exactly what these researchers are claiming.

      The OpenBSD project proves that security doesn't come from "more eyeballs".

      I'm sorry, that you didn't RTFA is pretty damned obvious, but did you even read the blurb? There is no such "proof". Rather, they proved the opposite.

      Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.

      Again, a half-truth. Yes, it's true, but the more people who are involved in a project, the greater the probability that your "good people" turn out to be really good. And the more people you have, the more people you have to fix mundane stuff which doesn't require "really good people" to fix - which frees up your "really good people" to deal with the hairy stuff, and the more eyeballs you have who might for some reason find bugs which needs the attention of the "really good people".

      Quantity is a quality of it's own.

    4. Re: "more eyeballs mean more secure code"?! by fmoliveira · · Score: 3, Informative

      van Sprundel also praised OpenBSD's response to his bug findings, saying that De Raadt responded within a week, and OpenBSD patched the flaws within a few days.

    5. Re:"more eyeballs mean more secure code"?! by koavf · · Score: 5, Informative

      Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.

      Did you read the article? Theo De Raadt says as much:

      Theo De Raadt, the founder of OpenBSD, agreed with van Sprundel that more eyeballs on OpenBSD would make the operating system more secure. "I remember reading his first slides, which were mostly about the impact of small API misuses," De Raadt tells CSO Online by email. "Unfortunately, this is a problem of the volume of code relative to manpower. Ensuring all code is 100 percent bug-free and handles all exceptional conditions is a rather difficult problem."

  5. No by DaMattster · · Score: 5, Interesting

    "Some" researchers are saying the BSDs are dying so it must be true, huh? "Read it on the internet, hot damn, must be true then." Bullshit! The BSDs have a large community that is passionate about their choice of operating system. I have been using OpenBSD since 1998 and I will only stop using it once the community completely collapses, development ceases, and the foundation folds. The day that happens, I will have to find another hobby altogether and just keep a smartphone and tablet handy. Learning and using OpenBSD has made me far more knowledgeable about computers, operating systems, networks, and security than any other platform out there. If it weren't for my college roommate introducing me to OpenBSD, I believe I would just be another Microsoft wanker. OpenBSD taught me how the internet works and opened a wealth of knowledge. OpenBSD turned me from a computer power user into a true System Administrator. Ever since that day when I asked my roommate just what the heck OpenBSD was, my life would never be the same.

  6. If true, it's a shame by walterbyrd · · Score: 4, Interesting

    IMO:

    BSDs have a superior architecture in many respects. This is especially true since the systemd takeover.

    Administration on BSD servers just makes more sense. Linux seems to be all over the map. I think there are over 1000 Linux distros. Many distros want to change around the directory structure. Simple things, like starting services on bootup, and setting up static IP, become difficult with Linux because everybody wants to pull Linux in different direction - often for no good technical reason.

    Linux certainly has advantages over BSD. But I think BSD gets a lot of stuff right.

    Again: all JMHO.

    1. Re:If true, it's a shame by geek · · Score: 5, Interesting

      1000 distros sure, but you can completely ignore 990 of them. The other Of the remaining 10, probably 6 are copies of the major 4, Debian, RedHat, Gentoo, Arch.

      People keep bringing up the many distro thing but honestly, no one really gives a shit. Those are hobbyist toys and they almost universally die out after a few years. In those few years a handful of people learn a lot and contribute to the community.

      The BSD's are fine. I used them once upon a time. The problem is they are inflexible and all they want to do is emulate a long gone era of computing that just isn't functional today. Linux will at least adapt to peoples needs, BSD's will stand there and bitch about you being on their lawn.

  7. Is it just that the pie is growing? by Voyager529 · · Score: 5, Interesting

    First off, I submit that BSD is finding its home in appliances. FreeNAS and pfSense are both fairly popular, and both BSD based. Commercially, the Nintendo Switch is based on BSD, and Cisco, McAffee, and Juniper all have appliances using BSD at their core. Also, as others have pointed out, OSX.

    That said, there are so many copy/paste tutorials for Debian and its derivatives like Ubuntu and Raspbian. With BSD lagging behind severely, for every person who prefers BSD and can successfully use it to do what they need, there are five more less-technical users who are able to fall into the pit of success with a Bitnami or Turnkey Linux distribution.

    BSD may well be superior for certain tasks, especially networking, but the fact of the matter is that expecting BSD to simultaneously be competitive in the numbers game against Linux when Linux has an ecosystem which BSD lacks. That ecosystem encourages users looking to get something done to use that product, rather than adhere to principles which otherwise have little effect on them. I know systemd is hated in these parts, almost universally, but if I need to spin up a Wordpress instance, it takes me ten minutes to grab Turnkey Linux and start addding my content, rather than the half hour or more it would take to spin up BSD, manually install an AMP stack, figure out the BSD equivalent of /var/www, Google all the MySQL commands to create the database at the CLI since I don't have Adminer or phpMyAdmin to do it, and then add Wordpress. As a non-developer and non-distributor, the BSD vs. GPL vs. MIT license situation affects me very little, so the fact that both Debian and BSD are free-as-in-beer means that they compete on how much of my time they take to spin up.

    This is why I use pfSense and FreeNAS. It's also why most of my appliances are Turnkey Linux based.

  8. Re: BSDs dying? by rl117 · · Score: 5, Interesting

    systemd was what pushed me into trying out FreeBSD seriously for the first time, three years ago, after 15+ years of Debian as a user and develop. So many stupid problems. FreeBSD was like a breath of fresh air, and I wish I'd tried it out years ago. Today, I'm using FreeBSD increasingly, contributing to the ports here and there, and finding it to be mostly pretty good. Not as polished as Debian in every respect, but the package manager is continually improving and it's on a par with apt at this point. And being able to install straight onto ZFS is huge; Debian and Ubuntu need to get this into their installers.

  9. Re:BSDs dying? by Drunkulus · · Score: 5, Funny

    Systemd is the reason Linus is now running freebsd at home.

  10. Re:BSDs dying? by Anne+Thwacks · · Score: 3, Funny
    I've heard systemd is under suspicion of being a serial killer!

    So that explains why my serial ports don't work any more!

    --
    Sent from my ASR33 using ASCII