Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!cs.mu.OZ.AU!munnari.OZ.AU!news.mel.connect.com.au!news.mel.aone.net.au!news.netspace.net.au!news.mira.net.au!news.vbc.net!vbcnet-west!garlic.com!news.scruz.net!kithrup.com!news.Stanford.EDU!su-news-hub1.bbnplanet.com!cam-news-hub1.bbnplanet.com!news.bbnplanet.com!news.maxwell.syr.edu!news.bc.net!unixg.ubc.ca!nntp.cs.ubc.ca!psgrain!news.rain.net!pacifier!deraadt From: deraadt@theos.com (Theo de Raadt) Newsgroups: comp.os.linux.advocacy,comp.unix.bsd.misc,comp.os.linux.misc Subject: Re: Linux vs BSD Date: 15 Feb 1997 01:18:44 GMT Organization: Theo Ports Kernels For Fun And Profit Lines: 93 Message-ID: <DERAADT.97Feb14181844@zeus.pacifier.com> References: <32DFFEAB.7704@usa.net> <KETIL-ytqiv47v56j.fsf@pinro.imr.no> <5daavp$8lp@panix2.panix.com> <KETIL-ytqbu9yfheu.fsf@imr.no> <5dfcpj$t45@agate.berkeley.edu> <DERAADT.97Feb7073546@zeus.theos.com> <32FB463E.167EB0E7@freebsd.org> <slrn5fvd0r.ck7.tqbf@char-star.rdist.org> <3304EE2D.41C67EA6@FreeBSD.org> NNTP-Posting-Host: zeus.theos.com In-reply-to: "Jordan K. Hubbard"'s message of Fri, 14 Feb 1997 14:58:53 -0800 Xref: euryale.cc.adfa.oz.au comp.os.linux.advocacy:83968 comp.unix.bsd.misc:2499 comp.os.linux.misc:158464 In article <3304EE2D.41C67EA6@FreeBSD.org> "Jordan K. Hubbard" <jkh@FreeBSD.org> writes: I think that OpenBSD has done a lot, yes, but I also know that security isn't just a one-off effort. It's a constant thing, and it takes a lot of resources to both be and STAY secure in the long run. Just in case anyone mistakenly thinks of this statement as an indication that OpenBSD is _not_ prepared to keep spending this time, our project has and will continue to spend absolutely intense amounts of effort on security. Our attention to security is very nearly fanatical. It's been a major goal of mine since someone broke into my machine and modified a file about a year ago; other security people in the group have their own reasons. I'm not alone in the group when I say that OpenBSD is targetted on being the most secure Unix-like system you can get on a regular machine. Also, very soon we will be giving all our users IPsec. I know enough security experts (good and evil ;-) and enough holes (published and not) to be very sure that we are already more secure than Solaris, Linux, Irix, HPUX (ho ho ho), SunOS, BSDi, FreeBSD, NetBSD, and who knows what else. (I am not chaffing on Linux; some of their people have been very helpful and are doing a better job all the time, I think they might be next in line.) I could be slightly wrong. I think the methodical way the group worked helped a lot. Basically we were fixing all bugs in all critical zones (by the way, src/lib is a critical zone). Most of the time we didn't even investigate if those bugs were succeptable to exploitation or not. Quite simply they were bugs, so they got fixed. Maybe they were holes -- does it really matter? (A few times we have found out that bugs we fixed did later turn out to be holes, and in recent times have been exploited. The recent lpr bug was one example of that, there were others). Fixing some bugs required a lot of code to be written; for instance to solve races involving find(1), a large quantity of changes had to be made. There is also a certain sick joy in teaming up to beat the shit out of weird ftpd bugs for an entire week. Now, when a new class/type of hole is reported via BUGTRAQ or other mailing lists about any other system (Hey, we even check up on Linux or Solaris bugs), we re-check the relevant areas of our source tree to ensure we don't have such a bug. In that area (ie. libc/locale) of or that `class' (ie. trusting getenv data). Any bugs we find are fixed immediately. Things would have gotten easier if we weren't so fanatical and obsessed, and as a result we are still (by ourselves) finding new holes. By now they're getting really tricky (not many buffer overflows or /tmp races these days...) A lot of them are really twisted denial of service attacks, but some are have much higher impact (like the source routing advisory a few days back.) There are about 6 really hard-core security people involved in the group, and another 5 people who have enough interest and experience to help find and fix holes. A couple of the people who help OpenBSD work at a company that is writing a network security scanner; that company also has a very large group of consultants, absolutely top notch experts in various areas. This large group really knows how the systems you use work and where the cracks in the armour are. You can check http://www.secnet.com. By the way, while making software secure, we are being very careful to NOT sacrifice correct behaviour or the flexibility you are accustomed to. Unless we have to, that is. As an example, some people use NFS, and don't have an alternative. But their friends keep telling them that they are a dolt because it is insecure. Well we will make it as secure as we can. (And maybe an alternative to NFS will show up soon...... hmmm ;-) A system which is secure against today's attacks may be insecure against tomorrow's (and vice-versa) so your overall "rating" in the long term is going to be determined more by your degree of organization and comittment to security as a serious concern than any short-term exertion of effort, no matter how heroic. Things change. Quite simply, OpenBSD has a couple of `security fanatics' in the group. And much of the time fanatics manage to keep up with changes in their field. Enough said. I look forward to the FreeBSD group's efforts finding holes we don't have fixed yet. I like finding and fixing new bugs, and I really don't care who found them. ps. In case anyone out there is still running talkd, please kill the bloody thing _everywhere_ until you get a fixed version. -- This space not left unintentionally unblank. deraadt@theos.com www.OpenBSD.org -- We're fixing security problems so you can sleep at night.