Mailing List Archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tlug] For all you vi heathen ;-)

Well, I don't think that there's much point in further argument against
"use this product to be secure" statements, so I'm going to leave that
alone for the moment, except to point out that "This system has been hacked
less than this other system" is not a terribly useful comparison. It's easy
to make a piece of software that's been hacked less: simply have far fewer
users of it. That's not to say that such information and using less popular
systems can't contribute to the security of a system, but if you want to be
reasonably secure, you need to do a proper security analysis, not just say,
"All I need to do is think about the particular products I'm using" and be
done with it.

On 2020-07-20 00:28 +0900 (Mon), Benjamin Kowarsch wrote:

> I mentioned OpenBSD for two simple reasons:
> * courtesy, this is a form of open source people after all

Yet you didn't mention NetBSD or FreeBSD. Not to mention all the great
security work being done on Linux systems and in Linux distributions. Why
does OpenBSD deserve courtesy yet these other systems do not?

> * I got the impression that the OpenBSD project prioritises security.

It appears to me that you got the impression not only that they prioritise
security, but that they do so more than other Unix distributions. That you
and so many others have this impression certainly speaks to the quality of
their marketing, but does not speak to the quality of their security.

What you probably don't know is that there have been incidents where, for
example, OpenBSD shipped a release that was vulnerable to attacks that
NetBSD shipping at the same was not vulnerable. This was due to OpenBSD
starting unnecessary servers (in this case, SSH) by default, which violates
a beginner security guideline. There was of course good mitigation for the
issue, but you didn't get it by taking the "I'm going to use product X and
then I'll be secure" approach.

> Now, I will grant you that prioritising security is not anywhere near as
> good as designed with security in mind from the start, but priority on
> security is still better than not prioritising security.

And who is it that you feel is not prioritizing security? And what's your
evidence for this? Marketing materials again?

> I'd rather trust a regime by which certain stuff is excluded until it has
> been shown to meet the regime's security policy. That appears to be the
> regime under which OpenBSD is operating.
> ...
> It most certainly is not the regime under which Linux, Windows, and
> MacOS are being developed/maintained. In their realms features trump
> security and reliability ***more often than not***.

Depending on your application and the balance you're trying to strike,
OpenBSD suffers from the exact same problem. Their networking system has
just as many security problems as those of any other Unix system, yet they
insist on shipping it. As I said, "install this product" without
considering the context and without building some sort of _security model_
for _your system_ almost invariably leads to either "it doesn't work, and
so is useless" or "it's more easily hacked than need be."

(FWIW, much as I'm a BSD fan, these days I would generally go to Linux for
securing server software because its containerisation is so much easier to
configure securely, thanks to products like Docker.)

Curt J. Sampson      <>      +81 90 7737 2974

To iterate is human, to recurse divine.
    - L Peter Deutsch

Home | Main Index | Thread Index