Re: [tlug] Confessions of a closet OpenBSD user

[Josh Glover <jmglov@example.com>]

Matt Doughty wrote:
> 
> No the anti-TheoBSD rhetoric is largely due to a perception of arogance coming
> from the OpenBSD community.

I agree with you here, but it is very often just that, a perception. I 
think that a lot of that goes back to Theo. Theo is widely perceived to 
be arrogant, and many very important developers (Alan Cox may be the 
most visible one, but I seem to recall Linus taking a poke at Theo a 
couple years back) tend to reinforce this image with their comments.

> This might not be from the developers, but the average
> OpenBSD user is the first to gloat about security problem you may have because you
> were 'stupid' enough to use something else.


> The reality is that there are several
> OSes that are, for all practical purposes, just as secure as OpenBSD.

Exactly. I would argue that any Unix, in the hands of a 
security-concious, on the ball (read: Bugtraq and vuln-dev) sysadmin is 
"as secure as OpenBSD", whatever that means.

However, of all the Unices I have used, OpenBSD is noteable for not 
making it a pain in my ass to secure. I have complaints with Redhat 
here, and even mighty Solaris comes outta the box with some junk on it 
these days.

> You can't 
> sing your own praise in regards to auditing code to catch poor programming of others, and not 
> expect a outpouring of derision when things like off by one errors, things that can be caught
> by using bounds checking gcc flags, show up in your flagship software.

You cannot catch *all* OBOEs this way, just the ones that overflow 
bounds. Having an OBOE in a memory copy routine, or an array shift, or a 
vectory operation, can be just as deadly as one that actually exceeds a 
bound.

The only way to debug software completely is to give it to the users 
(and the security community). Eventually, most bugs get caught.

> As a result, I am very onesided in my criticism of OpenBSD. I apply the same rules to
> most things.

Interesting. I find that as a security guy, I often *have* to be over 
the top, in my professional capacity, to accomplish anything at all. If 
I say, "well, there may be risks involved with this," (my honest 
analysis), management seems to always ignore the minor risks. But as you 
know, it doesn't take all that many minor leaks to bring even a mighty 
ship to the point where an attack could sink it. (OK, maybe not the 
*best* network metaphor I have ever dreamed up, but you get the 
picture.) So I need to breathe fire: "No! We absolutely *cannot* do 
this! If we do, it is just a matter of time before we get owned! And do 
you know what that means!? [insert gratuitous rant about IP 
(Intellectual Property, here, not Internet Protocol) theft and lost time 
and lost trust here]" to even reach a compromise sometimes.

But we had a minor incident once, which I was able to clean up quickly 
and with no damage, and *now* they listen to me. For now, anyway. ;)

Och, the battle against the forces of darkness is ne'erending!


-- 
Josh Glover <jmglov@example.com>

Associate Systems Administrator
INCOGEN, Inc.