*BSD News Article 89516


Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!cpk-news-hub1.bbnplanet.com!su-news-hub1.bbnplanet.com!news.bbnplanet.com!news.pbi.net!news5.crl.com!nexp.crl.com!usenet
From: "Jordan K. Hubbard" <jkh@FreeBSD.org>
Newsgroups: comp.os.linux.advocacy,comp.unix.bsd.misc,comp.os.linux.misc
Subject: Re: Linux vs BSD
Date: Fri, 14 Feb 1997 14:58:53 -0800
Organization: Walnut Creek CDROM
Lines: 121
Message-ID: <3304EE2D.41C67EA6@FreeBSD.org>
References: <32DFFEAB.7704@usa.net> <KETIL-ytqiv47v56j.fsf@pinro.imr.no> 	<5daavp$8lp@panix2.panix.com> <KETIL-ytqbu9yfheu.fsf@imr.no> 	<5dfcpj$t45@agate.berkeley.edu> <DERAADT.97Feb7073546@zeus.theos.com> <32FB463E.167EB0E7@freebsd.org> <slrn5fvd0r.ck7.tqbf@char-star.rdist.org>
NNTP-Posting-Host: time.cdrom.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.01 (X11; I; FreeBSD 3.0-CURRENT i386)
Xref: euryale.cc.adfa.oz.au comp.os.linux.advocacy:84526 comp.unix.bsd.misc:2543 comp.os.linux.misc:159345

Thomas H. Ptacek wrote:
> I still feel that FreeBSD, Inc. is not sufficiently open and forthcoming
> with security issues that come to their attention. Representatives of
> FreeBSD, Inc. have explicitly stated, in public, that notifying their
> users of security issues discovered by FreeBSD proponents (as opposed to
> security issues discovered by criminals) amounts to "airing their dirty
> laundry". Evidently, FreeBSD, Inc. would like their thousands of users

I really don't know how you got this impression, and I myself have
certainly *never* come out in a public forum and claimed that
raising legitimate security issues is tantamount to airing our dirty
laundry.  I really do think you must have gotten something confused or
out of context as I don't know anyone on the FreeBSD core team who feels
this way.  People not connected with the project are wont to say all
kinds of things, naturally, but there's very little that I can do about
that.

Suffice it to say, we do take security seriously and we have spent many,
many hours working on security issues.  To somehow imply that FreeBSD
just doesn't care about security (but OpenBSD, champion of the weak and
the downtrodden, does) is to do a grave disservice to the many
volunteers who have put significant effort into it.

You also have it entirely wrong that FreeBSD, Inc. somehow discourages
disclosure of security issues.  First off, FreeBSD, Inc. as a company
actually rarely holds much of an opinion on anything - it's little more
than a paper-tiger holding company for the trademark and a collection
point for project funding.  We don't have massive board meetings where
General Secretary Hubbard hammers the table with his shoe and calls for
the heads of all those who would dare to even mention the word
"security" without a special double secret clearance.

The FreeBSD Project, a far more substantial organization (though,
ironically, of lesser legal substance) also has *nothing* against the
disclosure of security issues and *never has*.  The whole 2.1.6 flap
with Karl Denninger leading a personal witch-hunt against us was
*claimed* to be an incident of the project/core/lunarians/Hitler trying
to cover things up when that was, in fact, a complete and total
fabrication and not even remotely close to the truth.  At no point was a
"cover up" ever discussed or even contemplated, and what slowed things
up so much in the process of verifying, fixing and circulating an
advisory for this problem were the stupid *flame wars* about the bug
which ate up 99% of our time for the first 3 days.  Let me make an
analogy:

You're a fireman and you get called to a small house fire.  You arrive
at the location with your truck and your 4 buddies, and before you can
even get the hoses uncoiled you're attacked by a fat, raving maniac in a
smelly tank-top swinging an axe at you and screaming "My HOUSE is on
FIRE!  MY HOUSE IS ON FIRE!!! SAVE MY HOUSE RIGHT NOW!!!"

As several attempt to restrain him while others hook the hose to a
nearby hydrant, he charges and, with the first wild swing of his axe,
severs the hose and causes the free end to whip around wildly, spraying
maniac and firemen alike with water and causing everyone to crawl around
frantically, avoiding hose and axe alike as the deranged home-owner
staggers around the lawn, swinging his axe and screaming at anyone
within range.  Meanwhile, unattended, the fire quietly consumes the
house.  Of course afterwards, it's claimed by the home owner (now
dressed in a suit and tie for the cameras) that the firemen never wanted
to put out the fire at all and spent the whole time having a bar-b-que
while watching his house burn.  Laughed about it.  Yep.  Just another
damn cover-up on the part of those lazy and inept city workers!

That was our first 3 days of the whole brouhaha, and frankly it's
amazing that we managed to get anything out at all during that time,
much less a full CERT advisory and the mechanisms for a new 2.1.7 point
release jump-started on what was supposed to be a dead branch.


> Of course, FreeBSD and I have two very different perspectives on this
> situation. FreeBSD, Inc. operates from the perspective of experienced

No, the FreeBSD Project operates from many different perspectives.  We
are a more diverse group than you might think.  Please, half of these
little flare-ups occur because one person in a project says something
which incenses someone else and, before you know it, it's "the project
this" and "the project that", his or her personal opinions now somehow
transformed to a statement of fact about the collective will of the
entire project.  Why do you think I resigned as president of the FreeBSD
Project?  It was even easier, far too easy, to do that in my case and
that whole type of categorization is just bogus.  You can't take a
diverse project like any of the *BSDs and reduce its collective opinion
down to a sound bite.

> familiarity with the workings of the computer underground. Unlike the
> FreeBSD Project, I work under the assumption that any security problem
> found in FreeBSD's code has been discovered previously by someone else
> with the ability and willingness to exploit it. Therefore, from my
> perspective, there's no point in not fully disclosing issues as their
> existence becomes apparent.

Again, you base much on an initially false premise and so come to a
seriously flawed conclusion at the end.  No, not unlike the FreeBSD
Project.  "Like the FreeBSD Project, you work under the assumption that
any security problem found ..."  We make exactly the same assumptions
you do, and if you've drawn the conclusion that we deem disclosure evil
then you should refer to the 3rd paragraph of this reply.

> clear that, in most cases, I'm taking my cues from the OpenBSD project,
> who, I feel, have put far more effort into securing 4.4BSD than FreeBSD.

I think that OpenBSD has done a lot, yes, but I also know that security
isn't just a one-off effort.  It's a constant thing, and it takes a lot
of resources to both be and STAY secure in the long run.  A system which
is secure against today's attacks may be insecure against tomorrow's
(and vice-versa) so your overall "rating" in the long term is going to
be determined more by your degree of organization and commitment to
security as a serious concern than any short-term exertion of effort, no
matter how heroic.  Things change.

The FreeBSD Project has, admittedly, fallen down in the past where
security is concerned, and no one knows this more clearly than we do
after all the sleep lost and the hours spent answering many thousands of
emails on the topic.  However, as Nietzsche said, that which does not
kill us makes us stronger, and you can bet that all of us have a *much*
stronger interest in security than we did before. :)

-- 
- Jordan Hubbard
  FreeBSD core team / Walnut Creek CDROM.