OpenBSD, Security, and Theo de Raadt
AdamK writes "Here's a very interesting article on security and OpenBSD. It also briefly mentions Linux, comparing the two." A quote from the story: "OpenBSD is so secure that it even got the attention of the U.S. Department of Justice, which stores and transmits top-secret data using 260 copies of the OS."
Many, many people use Windows NT to store and transmit top-secret data. Does that mean that NT is secure, or just that the expertise to properly evaluate security is much rarer than the willingness to believe marketing that says what you want to hear?
And, of course, it can be misleading to speak of a "secure operating system" - security is a property of the system as a whole. A Windows NT mail hub can store and forward a PGP-encrypted message without the contents of the message being any more readable, and an OpenBSD machine can be configured with open "telnet" ports and guessable passwords.
The care and effort put into OpenBSD's security aspects is of course useful and laudable, but it won't do you, the user, any good if you don't understand your own role in keeping the system secure.
--
Xenu loves you!
I assume if OpenBSD puts such an emphasis on security, shadowed passwords would be a default setting which would have stopped the method you've outlined here. I'm amazed that the disgruntled system admin didn't use them, but that may go some way to explain why he was let go.
This is not true. You can't directly get to a root shell like you can with single user mode (or, if single user prompts for a password, try lilo: linux rw init=/bin/sh -- don't forget to umount /, then just reboot the machine, shutdown won't work) on Linux. You can just pop in an install floppy and mount your / filesystem and edit the passwd file though. Physical access = root access. Shadowing the passwords doesn't change that; you can still edit /etc/shadow.
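The edit described above leaves traces in the account database itself, so one defensive follow-up after a box has been booted from rescue media is to diff the account files against a snapshot kept off the machine. The audit below is an added example (not code from anyone in this thread); the passwd and shadow contents are constructed, and the approach only helps if the baseline was captured before the incident and stored somewhere the person with the rescue disk could not also edit.

```python
# Added example: report account changes between a saved snapshot of
# /etc/passwd + /etc/shadow and the current files. All inputs are constructed.
from typing import Dict, List, NamedTuple, Optional


class Account(NamedTuple):
    name: str
    passwd_field: str          # 'x' or '*' when shadowed, else a hash or empty
    uid: int
    shadow_hash: Optional[str]  # None if the account has no shadow entry


def parse_db(passwd_text: str, shadow_text: str) -> Dict[str, Account]:
    """Join passwd and shadow lines by username (comments/blank lines skipped)."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            shadow[f[0]] = f[1]
    accounts = {}
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            accounts[f[0]] = Account(f[0], f[1], int(f[2]), shadow.get(f[0]))
    return accounts


def audit(baseline: Dict[str, Account], current: Dict[str, Account]) -> List[str]:
    """Return findings an offline edit would typically leave; [] means no change."""
    findings = []
    for name, acct in current.items():
        old = baseline.get(name)
        if old is None:                      # account did not exist in the snapshot
            findings.append(f"new {'uid-0 ' if acct.uid == 0 else ''}account {name}")
            continue
        if old.passwd_field in ("x", "*") and acct.passwd_field not in ("x", "*"):
            findings.append(f"{name}: password field in /etc/passwd no longer shadowed")
        if acct.shadow_hash != old.shadow_hash:
            how = "blanked" if acct.shadow_hash == "" else "replaced"
            findings.append(f"{name}: shadow hash {how}")
    for name in baseline.keys() - current.keys():
        findings.append(f"account {name} removed")
    return findings


# Constructed snapshot, then a constructed 'after' state in which root's hash was
# blanked from rescue media and a second uid-0 account was appended.
BASE_PASSWD = "root:x:0:0:root:/root:/bin/sh\nwww:x:80:80:web:/var/www:/sbin/nologin\n"
BASE_SHADOW = "root:$1$abc$hashed:10000:0:99999:7:::\nwww:*:10000:0:99999:7:::\n"
AFTER_PASSWD = BASE_PASSWD + "toor:x:0:0::/root:/bin/sh\n"
AFTER_SHADOW = "root::10000:0:99999:7:::\nwww:*:10000:0:99999:7:::\ntoor:$1$zzz$fake:10000:0:99999:7:::\n"


def run_example() -> List[str]:
    return audit(parse_db(BASE_PASSWD, BASE_SHADOW), parse_db(AFTER_PASSWD, AFTER_SHADOW))
```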
*chuckle*
In general, physical access to the machine allows access to everything, typically through a method such as what you employed. BSD is no different from Linux (or DOS, or NT, or about anything else) in this regard.
Yes, a person could use a cryptographic hack to keep all file systems encrypted, but the performance hit is usually bad enough that most people find it far, far more economical (and effective) to lock the servers in a machine room with restricted access...
"Flame away, I wear asbestos underwear"
Here we use OpenBSD as part of our IDS solution. It has a couple of qualities that make it a great choice. First, it is very secure as a default installation. Second, BSD in general has some of the fastest network sniffing capabilities of any OS. Third, some OSes like Linux and Solaris don't know how many packets they've really dropped, so you can't tell for certain how well they are doing. Fourth, it is FREE. The DOJ has contractors just as any agency does (even NSA has contractors for some things, I'm told). If you get people that understand what they need and what works best for the situation, it isn't surprising to see it used by Gov't.
As for limitations, it comes with X and Netscape. Also, there are some new programs that are supposed to allow you to compile Linux binaries and run them. I haven't used this, but it sounds cool. So, basically it isn't much more limited than Linux for software. Last I saw, it doesn't support dual CPUs, and I'm not sure about RAID, so it gives up quite a lot to Linux there. Maybe once Linux becomes too mainstream and Linus too much of an icon, all the 'real' computer hacks will turn to OpenBSD for the next revolution? Just kidding.
Lastly, I know that people have been donating hardware (like gigabit ether) that will help keep it a viable, quality OS.
Do really dense people warp space more than others?
This reminds me...
A couple of weeks ago, I got a call from a company that was letting their sysadmin go (and not on good terms, either), and needed someone to hack their (Linux) servers, as nobody else knew root passwords; I got called in; downtime was not an issue, so (with the aid of a rescue disk) it was just a matter of rebooting the boxes and editing the passwd file...

After seeing how simple it was to get into the boxes, they immediately asked if I could switch the boxes over to BSD, as the previous people they had called (a BSD shop) had told them that if they had used BSD, then there was no way anyone could get into the boxes, as BSD is "uncrackable."

Now, I don't have any experience with BSD (I tried installing it, but there are no drivers for my home machine, which I use as a testbed), so I didn't have any firm comeback; but I would like to know (from the BSD people who will be reading this) if the same technique I used would be possible on a BSD machine. (I'm hard pressed to think of how this could be done, short of encrypting the root FS, or something similar.)

Can anyone shed some light on this? Is BSD really "uncrackable", or are these other guys just blowing smoke?