From: "Jordan K. Hubbard" <jkh@FreeBSD.org>
Newsgroups: comp.os.linux.advocacy,comp.unix.bsd.misc,comp.os.linux.misc
Subject: Re: Linux vs BSD
Date: Fri, 14 Feb 1997 14:58:53 -0800
Organization: Walnut Creek CDROM
Message-ID: <3304EE2D.41C67EA6@FreeBSD.org>
References: <32DFFEAB.7704@usa.net> <KETIL-ytqiv47v56j.fsf@pinro.imr.no> <5daavp$8lp@panix2.panix.com> <KETIL-ytqbu9yfheu.fsf@imr.no> <5dfcpj$t45@agate.berkeley.edu> <DERAADT.97Feb7073546@zeus.theos.com> <32FB463E.167EB0E7@freebsd.org> <slrn5fvd0r.ck7.tqbf@char-star.rdist.org>

Thomas H. Ptacek wrote:

> I still feel that FreeBSD, Inc. is not sufficiently open and forthcoming
> with security issues that come to their attention. Representatives of
> FreeBSD, Inc. have explicitly stated, in public, that notifying their
> users of security issues discovered by FreeBSD proponents (as opposed to
> security issues discovered by criminals) amounts to "airing their dirty
> laundry". Evidently, FreeBSD, Inc. would like their thousands of users

I really don't know how you got this impression, and I myself have certainly *never* come out in a public forum and claimed that raising legitimate security issues is tantamount to airing our dirty laundry. I really do think you must have gotten something confused or out of context, as I don't know anyone on the FreeBSD core team who feels this way.
People not connected with the project are wont to say all kinds of things, naturally, but there's very little that I can do about that. Suffice it to say, we do take security seriously and we have spent many, many hours working on security issues. To somehow imply that FreeBSD just doesn't care about security (but OpenBSD, champion of the weak and the downtrodden, does) is to do a grave disservice to the many volunteers who have put significant effort into it.

You also have it entirely wrong that FreeBSD, Inc. somehow discourages disclosure of security issues. First off, FreeBSD, Inc. as a company actually rarely holds much of an opinion on anything - it's little more than a paper-tiger holding company for the trademark and a collection point for project funding. We don't have massive board meetings where General Secretary Hubbard hammers the table with his shoe and calls for the heads of all those who would dare to even mention the word "security" without a special double secret clearance.

The FreeBSD Project, a far more substantial organization (though, ironically, of lesser legal substance) also has *nothing* against the disclosure of security issues and *never has*. The whole 2.1.6 flap with Karl Denninger leading a personal witch-hunt against us was *claimed* to be an incident of the project/core/lunarians/Hitler trying to cover things up when that was, in fact, a complete and total fabrication and not even remotely close to the truth. At no point was a "cover up" ever discussed or even contemplated, and what slowed things up so much in the process of verifying, fixing and circulating an advisory for this problem were the stupid *flame wars* about the bug which ate up 99% of our time for the first 3 days.

Let me make an analogy: You're a fireman and you get called to a small house fire. You arrive at the location with your truck and your 4 buddies, and before you can even get the hoses uncoiled you're attacked by a fat, raving maniac in a smelly tank-top swinging an axe at you and screaming "My HOUSE is on FIRE! MY HOUSE IS ON FIRE!!! SAVE MY HOUSE RIGHT NOW!!!" As several attempt to restrain him while others hook the hose to a nearby hydrant, he charges and, with the first wild swing of his axe, severs the hose and causes the free end to whip around wildly, spraying maniac and firemen alike with water and causing everyone to crawl around frantically, avoiding hose and axe alike as the deranged home-owner staggers around the lawn, swinging his axe and screaming at anyone within range. Meanwhile, unattended, the fire quietly consumes the house.

Of course afterwards, it's claimed by the home owner (now dressed in a suit and tie for the cameras) that the firemen never wanted to put out the fire at all and spent the whole time having a barbecue while watching his house burn. Laughed about it. Yep. Just another damn cover-up on the part of those lazy and inept city workers!

That was our first 3 days of the whole brouhaha, and frankly it's amazing that we managed to get anything out at all during that time, much less a full CERT advisory and the mechanisms for a new 2.1.7 point release jump-started on what was supposed to be a dead branch.

> Of course, FreeBSD and I have two very different perspectives on this
> situation. FreeBSD, Inc. operates from the perspective of experienced

No, the FreeBSD Project operates from many different perspectives. We are a more diverse group than you might think. Please, half of these little flare-ups occur because one person in a project says something which incenses someone else and, before you know it, it's "the project this" and "the project that", his or her personal opinions now somehow transformed into a statement of fact about the collective will of the entire project. Why do you think I resigned as president of the FreeBSD Project? It was even easier, far too easy, to do that in my case, and that whole type of categorization is just bogus. You can't take a diverse project like any of the *BSDs and reduce its collective opinion down to a sound bite.

> familiarity with the workings of the computer underground. Unlike the
> FreeBSD Project, I work under the assumption that any security problem
> found in FreeBSD's code has been discovered previously by someone else
> with the ability and willingness to exploit it. Therefore, from my
> perspective, there's no point in not fully disclosing issues as their
> existence becomes apparent.

Again, you base much on an initially false premise and so come to a seriously flawed conclusion at the end. No, not unlike the FreeBSD Project. "Like the FreeBSD Project, you work under the assumption that any security problem found ..." We make exactly the same assumptions you do, and if you've drawn the conclusion that we deem disclosure evil then you should refer to the 3rd paragraph of this reply.

> clear that, in most cases, I'm taking my cues from the OpenBSD project,
> who, I feel, have put far more effort into securing 4.4BSD than FreeBSD.

I think that OpenBSD has done a lot, yes, but I also know that security isn't just a one-off effort. It's a constant thing, and it takes a lot of resources to both be and STAY secure in the long run. A system which is secure against today's attacks may be insecure against tomorrow's (and vice-versa), so your overall "rating" in the long term is going to be determined more by your degree of organization and commitment to security as a serious concern than by any short-term exertion of effort, no matter how heroic. Things change.

The FreeBSD Project has, admittedly, fallen down in the past where security is concerned, and no one knows this more clearly than we do after all the sleep lost and the hours spent answering many thousands of emails on the topic. However, as Nietzsche said, that which does not kill us makes us stronger, and you can bet that all of us have a *much* stronger interest in security than we did before. :)

-- 
- Jordan Hubbard
FreeBSD core team / Walnut Creek CDROM.