Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Links Operating Systems BSD

The World's Most Secure OS (?) 180

Anonymous Coward writes "Titled The World's Most Secure OS, this article in The Standard talks about what is needed to be "Secure by Default"" Probably the best OpenBSD article I've read in recent months. Theo doesn't pull his punches (then again, he never does), in particular, discounting the "more eyes means better security" philosophy. Then again, he's probably right. [ Update: noeld wrote in with a link to a similar article at rootprompt.org. Must be something in the water. ]
This discussion has been archived. No new comments can be posted.

The World's Most Secure OS (?)

Comments Filter:
  • There are no other open source OS's that have undergone such a rigorous audit. Hell in the article they state that even "the U.S. Department of Justice uses 260 copies of OpenBSD to store and transmit its most sensitive data."

    wrighty.

  • does that mean that bill gates has been telling me naughty lies? i thought windows 2000 was the most secure...

    oh i feel so used now...

    *burns all his clothes and jumps into the shower sobbing*
  • you mean other peoples emails?

    oh *that* sensitive data...
  • What makes it so hard for RedHat or any other company that produces Linux distros to come up with a super secure system like OpenBSD or FreeBSD?

    Not to say that linux is insecure, but why can't they just configure linux to be secure right out of the box. Default installations shouldn't include freaky services and programs. Users should add the programs that they want by themselves.
  • by dragonfly_blue ( 101697 ) on Tuesday August 22, 2000 @11:23PM (#834207) Homepage
    I've been running it on my web server for Zarakas [zarakas.com] and Dragonfly Dynamix [dragonflydynamix.com] and my other domains for most of this year. I don't use X or anything, so it runs PHP, MySQL, SSL, and Apache just fine with a P-133 and 32 (!) MB RAM.

    For administration it's so nice to have SSH installed by default, so I don't have to worry about some kiddie on my LAN running a port sniffer on my telnet session. It's also kind of nice that it never crashes unless I do something particularly stupid (which I think I have thus far avoided, oh except for that time when I didn't have a swap partition.)

    Theo is certainly a character. His work speaks for itself.

    The mailing lists are just the way they should be; interesting, very technical, very easy to offend, and really amazingly helpful.

    I've also been pleased with the fact that IPSec is built right on in there, so when the time comes for me to play with VPNs, I'm already 90% of the way there.

    Now, whether or not I'd call OpenBSD user-friendly or easy to use, that's a different story. I guess I feel pretty good about having a Unix-y/BSD box around that makes me learn more CLI stuff every once in a while.

  • Potential investors regularly contact de Raadt with offers of financial backing, he notes, but he has rebuffed them all: "I talked to a venture capitalist a couple of weeks ago. I ended up convincing him to just give us a donation."

    Every open-source project needs someone like this on the team, regardless of his/her other abilities.
    - Derwen

  • by Lonesmurf ( 88531 ) on Tuesday August 22, 2000 @11:28PM (#834209) Homepage
    While on the whole, I don't agree with MS' practices (coding, design, law, etc.), I have to agree with them on the judgment they made the other day (or week, who am I to remember all this crazy tech news) with regard to the default password on SQLServer 7.0.

    There is a certain level of aquired knowledge and experience that I believe is necessary to work at the professional level; especially when it comes to the Internet and public software applications. One of the things that any admin knows (or at least should know!) is that you have a hard password and you change it often (I change mine on my server at home on a weekly basis).

    My point is this: while an NT admin (or MCSE brat; whatever is at hand) might be able to get away with using a software with a default password, and then blame it on MS, a REAL admin knows his/her system and knows better than to not change a password. BSD is not only more secure because the default install is smart, it is more secure because the user is too.

    BSD is secure because it is developed by security freaks that audit (and reaudit) the code looking for possible exploits and programming errors that could compromise a system. They have a zero tolerance stance when it comes to security, and I can do no more than commend them on this. Good job guys and gals, all of us BSDers are thankful and appreciative for all you hard work.

    Rami
    --
  • The power source of my home computer stopped working yesterday. Now that is the most secure system in the world.

    If you can hack it, you are truly a real guru.
  • Now, whether or not I'd call OpenBSD user-friendly or easy to use, that's a different story. I guess I feel pretty good about having a Unix-y/BSD box around that makes me learn more CLI stuff every once in a while.

    Well to install and configure I found it pretty easy (once I'd squashed the hardware bugs :) Admittedly I'm only using it as a firewall / NAT box, but it easy to configure and disable all external traffic. If in the future I need http or ftp access then this too will be easy to add and I'll know that the source had been scoured with a fine tooth comb.

    wrighty.

  • If I recall my Linux lore correctly, you'll excuse me if I'm wrong, it's been a year since I last used it, Slackware was supposed to have been the bare bones "secure" distro that you added to it what you wanted. I'm not sure if this is still true or not with slack 7, but that's why sysad's were so in love with slack. Now then, on the process of auditing the code like Theo and his tribe of BSDites did in 18 months, was in my opinion a direct result of the liscensing used. BSD allows for this sort of thing more freely than the GPL by letting one person take all of the BSD liscenced apps and rewriting them to fit his needs, in this case, to be more secure. With the GPL you can't do this without a nasty code split that results in incompatibilities in libraries and apps, like say there's a "kernel-secure" and "kernel-normal" I would think the "kernel-secure" would be incompatible with a great many things "kernel-normal" would be and then linux would lose it's great asset, of being flexible. This is all just my opinion though, and I must say, linux is "secure enough" for the majority. Windows I don't believe is, and I'm nearly ashamed to be using it, but Flash, Dreamweaver, Photoshop and Illustrator are only available for win and mac, and macs don't have games I want to play.

  • As a happy OpenBSD user, I must say that I'd love to see a Linux distro that looked like this.

    I use OpenBSD for my firewall/NAT box at home, and installation is dead-simple, quite painless, and only installs the bare basics - no need to sit through half an hour of clicking widgets to select packages.

    I like Linux - None of the BSDs have the software base that Linux has, and it's a lot speedier. I don't need the security for my X box - after all, it's behind the OBSD firewall, and SSH tunneling is my friend when I need to access it from the outside.

    What I'd like to see is a Linux distro which installed the bare basics - glibc, gcc, net-utils, bin-utils, file-utils, kernel, etc, X optional. Not something like Mandrake or Red Hat which has evil tendencies to put both GNOME and KDE on your box whether you want to or not.

    The closest thing I've come to this is following Linux From Scratch [linuxfromscratch.org]'s excellent instructions and compile the entire system from source - this is admittedly a lot of work, but at least you _know_ what's on your box when you install it, and you don't have to worry about vendor-specific kernel modifications and all that crap... And I ended up with a distro of <250MB after installing the most important things, including the full kernel source unpacked. This as opposed to the 800+ I had cluttering my disk after I put Mandrake 7 on it.

    So, distributors, are you listening? I think there would be quite a high demand for something like this, especially from power users... BareBones Linux, anyone?
    --

  • The way I see it:

    • OpenBSD - Optimised for security
    • FreeBSD - Optimised for performance
    • NetBSD - Optimised for portability

    And what is so great about these three groups is that they steal code from each other. What is in one will eventually turn up in the other.

  • Of all out-of-the-box OSes OpenBSD probably is the most secure. But if you want security you don't use a default installation. Other OSes just need some more work to get at the same level.
  • Bear in mind all the good work of the openbsd people can be so easily made for naught... by the installation of any of a number of ports.

    Still, the fact there is a concerted effort on the OS level makes it possible to be tackle the security concerns at the applications level...

    I say good job to the openbsd peeps.

    Cheers,
    edward.

  • Who do you think killed the power supply? ;)
    Ph33R my 5ki11z!

  • by Leto2 ( 113578 ) on Tuesday August 22, 2000 @11:53PM (#834218) Homepage
    Everytime I read op Bugtraq that "OpenBSD fixed this vulnerability five months ago through a standard audit", I wonder, why the heck don't they make this fix more public, so other OS's (freebsd, linux, whatever) can also profit from it.

    I'm not so paranoid to think that OpenBSD wants to keep their fixes to themselves, in order to stay "the most secure OS out there".

    So what is it then? Do other OS's developers just don't look at the OpenBSD pages to see what's fixed?
    If it's a public tool (e.g. GNU), do the OpenBSD people submit a patch back?

    If the OpenBSD keep up the good work, I think everyone can profit from it and then Bugtraq will read "Thanks to OpenBSD, all OS's fixed this vulnerability 5 months ago"

  • Now would be a good time to remind you of kha0s Linux
    http://www.kha0s.org (thats a zero, not an "o") which tries aims to be secure by default.

    I wonder if Redmond Linux will try and be as secure as windows (http://www.redmondlinux.org/)

    --
    dont Mark me up as informative

    (Reverse physcology for those bastards who keep on moderating me down from 1 to zero)
  • The only truly secure box is the one that is turned off. If you want a secure linux box, then pull the plug out of the back of the damn wall.

    BSD is better or should I say it is easier to install the OS so that all the obviously compromising crap is turned off or not installed.

    What I want to know is whether or not the more expensive Redhat secure server could stand up next to a properly configured standard issue BSD box?

  • I agree completely with you, but please don't go round making statements about 'NT admins' vs. 'real admins'. NT is a serious OS, and it requires serious admin skills. Unfortunately, there are millions of NT installations, and only thousands of BSD ones. Since the supply of good sysdamins is limited, NT acquires the reputation for poor admin. This isn't the fault of the product.

    On passwords, how many people do you think look at the root password dialogue box on a Unix install and say 'I can't think of a good one, I'll just make it "password" for now, and change it later'? I'd guess it's a hell of a lot. That's why the whole MSSQL thing was blown out of proportion - a weak password is just as bad as not having one at all, and perhaps worse.

    Finally, the next time /.ers are tempted to casually condemn what they view as MCSE incompetence, they should perhaps imagine a world where Linux has millions of seats and NT has thousands. Linux would be viewed as dangerously fragmented, difficult to find good admin people for, and frequently badly configured. Meanwhile, NT would be a slick, powerful operating system, with generally savvy and competent users. In other words, perceptions would be pretty much the reverse of now. I won't get into the reality of those perceptions just now - I left my asbestos suit at home today...
  • by kabir ( 35200 ) on Wednesday August 23, 2000 @12:24AM (#834222)
    OpenBSD does an amazing job of presenting an extremely secure distribution, I will stipulate that right at the get go. I think it's a bit premeture to say that it's the Most Secure OS though. There are a number of implimentation of the DoD B1 security standard (as applies to operating systems, specifically) in the world - these include Trusted Solaris [sun.com] from Sun and PitBull [argus-systems.com] from Argus Systems Group.

    Granted, these operating systems take a quite different approach to security (rather than requiring strict application audits as in OpenBSD they instead try to eliminate the need for such audits through strict kernel control manifested in a number of sneaky ways). These systems have been, and are currently widely used by military, intelligence, financial, and, increasingly, high end e-commerce systems. In an attempt to increase public awareness and popularity of PitBull Argus Systems Group has begun giving it away [argusrevolution.com] for non-commercial use. Anyone interested in high security servers is highly recommended to check it out. It's no holy grail, and by no means the right solution for every problem, but it is a very interesting take on the problem, and quite a different way of looking at system architecture and administration than most of us get exposed to on a regular basis.

    None of this is intended to steal OpenBSD's thunder - it's a great accomplishment, and far closer to existing operating environments than it's B1 counterparts (which makes it more accessable, and more flexable). Often, a B1 system will be severe overkill (or just too much of a pain to configure and manage), where OpenBSD will just work. So I'm not saying that OpenBSD is no good, I'm just saying that choosing the "Most Secure OS" isn't quite so clear cut...

    Oh, BTW, there is a Trusted BSD [trustedbsd.org] project, but it's fairly young and as I understand it building a trusted OS is quite time consuming. When it's ready I think it will likely kick ass, but it may yet be a long way off.
    --
  • This is offtopic, but obviously you missed the point of the MSSQL7 story. The same vulnerability existed in a RedHat distro, but was immediately fixed and resulted in no breakins. However it resulted in tons of bad press for RedHat. The MSSQL7 issue will not be fixed, even in MSSQL2000, has resulted in hundreds of thousands of breakins, yet received 0 press outside of /.

    The story was about mainstream publications having bad technical accuracy and a microsoft bias, not an attempt to bash microsoft.

  • Has OpenBSD never been submitted for security evaluation. M$ went to big heights over the C2 stamp on NT4. How about an officeal evaluation of OpenBSD's security
  • Does anybody know of an firewall/NAT OpenBSD Floppy/LS120 project? you know, something like Linux Router [c0wz.com] which boots from [insert your favorite media] and decompresses in RAM

    BTW, is a cut-down version of OpenBSD still OpenBSD?

    Okay I have to admit I don't know shit about BSD, but I could see the point to have such a project... Even if it's just to say to your boss "look pops, it's OpenBSD booting a write-protected media, it's bound to be secure!"

    ---

  • by Lanir ( 97918 ) on Wednesday August 23, 2000 @12:31AM (#834226)
    There is a Linux distribution with much the same philosophy. It's still being worked on from my understanding of things, tho I'm not at all an authoritative source. The name of the distribution is Nexus and the website is here [nexus-project.net]. As usual, the proper reply to "Why isn't there a widget for this?" is "Because you haven't written it yet." If you want this, help out and do what you can.
  • You are, of course, right. My mistake and to any out there in TV land that were offended: My most sincere apologies.

    But, lets face it: there is such a great saturation of windows users that there are so many bad NT admins out there that it is absolutly sickening. One of the reasons that the vast majority of *UNIX admins, that I have met, are factors more competant on the whole than NT admins is simply that there is a certain level of experience (and dare I say it, intelligence) to gain entrance. That is something that is not there with NT simply because any nitwit with a do-it-yourself itch can install a warezed copy of NT. On successful (more or less) installation, they think that they know enough to get a job as an admin.. THAT'S where the trouble begins.


    On passwords, how many people do you think look at the root password dialogue box on a Unix install and say 'I can't think of a good one, I'll just make it "password" for now, and change it later'? I'd guess it's a hell of a lot. That's why the whole MSSQL thing was blown out of proportion - a weak password is just as bad as not having one at all, and perhaps worse.


    This is bad. VERY VERY bad. While I do not necessarily condone a required level of education to run a computer (some days I do.. just not today. :), I do think that the setup should disallow certain types of passwords (or at least give warning that such pass words are insecure. Some passwords are:

    • Made up of one letter repeated.
    • $name == $password


    I might also go so far as to require these additional measures:

    • Must have >7 letters/number
    • ! all one case.
    • mixd letters and number
    • and to the extreme:random password, 16digits.


    Maybe not realistic for a home user, but even NT5 won't let me install with less than 6 characters; why does linux (or Corel and RedHat, havn't reinstalled SuSE or Slack recently: didn't need to. :).

    Finally, I think that you are wrong about the MCSE competency thing: awhile back, my company was interviewing for NT admins and a quite a few of the interviewees that we had com in turned out to be kids straight out of some two week MCSE cram course. No exp, nothing.

    I'm also seeing more and more NT admins out there that are completly foregoing the MCSEs and just doing their jobs. They know full well that the MCSE exams are a load of crap and marketing hype.

    Yours,
    Rami
    --
  • by -brazil- ( 111867 ) on Wednesday August 23, 2000 @12:34AM (#834228) Homepage
    What makes it so hard for RedHat or any other company that produces Linux distros to come up with a super secure system like OpenBSD or FreeBSD?

    What makes OpenBSD so secure is not the lack of severs that are installed pointlessly. It's the very, very stringent auditing, the "we don't put it in unless we are 100% certain there are no buffer overflows in it" philosophy. And that philosophy is rather incompatible with the demands of your typical Distro's customer base that always wants all the newest gadgets and features to play around with.

  • Perhaps you are right and I missed the point. But, I already knew that the mainstream press has its pockets stuffed by the highest bidders: it wasn't news to me. What was news to me was that there were admins out there that didn't even bother to check that there was a password to change.

    I guess we all take the daily news in a different light; parse accordingly.

    Rami
    --
  • The Department of Defense has four classes of operating system security where A is the best and D the worst and where the C class has two subgroups C1 and C2. OpenBSD as (almost) all other unices are at level C1 but Windows NT (and proably also 2000) are at level C2 (a higher level), however I think few would use theese operating systems in environments OpenBSD normally serves. Still when you read about operating system security the Windows guys can always claim they are using the more secure OS. Maybe we could (kindly) ask the Department of Defense to intruduce another OS scale ... Bug-free-ness...
  • It's not secure...I only know of one OS that's fully secure (remotely). MacOS, hehe. Try to root my box :)
  • These official evaluations are extremely expensive, so who's gonna pay for it?
  • Theo doesn't pull his punches (then again, he never does), in particular, discounting the "more eyes means better security" philosophy. Then again, he's probably right.

    If anything, he discounted the idea that more Linux users makes Linux more secure than OpenBSD. He says that most of these people can't write programs over 300 lines, and that they're no real help to the security of the system.

    But that doesn't discount the idea that, for a given system, more eyes make for better security. OpenBSD would be more secure if more people were doing the same thing that Theo does with it. Okay, there's a possibility of too many chefs spoiling the stew at some point,I guess, but in general I think that it's pretty clear that more eyes looking at a given system makes that system more secure than it would be with fewer eyes.

    Anyone arging that any system Foo is more secure than any system Bar if more people are looking at Foo than at Bar has a problem with their logic. (And, granted, most people have a problem with logic.) Like one person posted, his system is pretty secure now that the power supply has failed...

    Rather than say that he discounts the "many eyes" argument, I would say that he brings out how important a few well-trained eyes spending a lot of time on a set of code can be. That's easy to forget (or to never know if all you know about writing code comes from reading ESR...).

    FWIW
    --

  • And I ended up with a distro of

    What did you waste so much space on? My laptop has a normal Debian 2.1 installtion in 180MB, and it also had at one point the full kernel source, *and* a minimal X windows system. Or did you keep around teh sources of everything (in which case 250MB are impressive).

  • "The Department of Defense has four classes of operating system...but Windows NT...are at level C2"

    This is a common misconception, promulgated by marketing droids. Operating systems are not given security classifications, particular hardware and software installations are.

    To use NT as an example, 3.51 was given a C2 classification, provided it did not have a floppy drive or network card installed.
  • the MSSQL7 issue will not be fixed, even in MSSQL2000, has resulted in hundreds of thousands of breakins

    this is pathetic microsoft bashing. Please prove the hundreds of thousands of breakings, before making such claims. I think the magnitude is at hundreds...

    Anyway, they have a useless firewall, if they let connections from internet to sql server. Although microsoft doesn't make it easier by locating sql server in port 1433 ,a unprivileged port... Even that would not be a problem, if Microsoft would respectt he spec and use local port ranges >= 4000.

    Bad maintanance leads to breakings, but Microsoft has a done a nice job making good maintaning hard to achieve.
  • I though NT passed C2 spec only if not connected to a network and with the floppy drive removed.
  • I suggest you try Debian.
    With only a few tasks selected at install time, I got a ~60MB system, and I probably could have made it even smaller.
    I had never achieved that with Mandrake before.
  • (PS: This isn't flamebait - I don't use either Linux or BSD in anger...)

    Do you have a citation for the 260 copies of OpenBSD used for "most sensitive data" BTW?

    This story [cnn.com] details that the NSA (the people who dictate what platform is used for greater than Secret data) are progressing with Linux as a new secure platform. Though this doesn't mean BSD will not be considered, it's fairly indicative.

    I've often thought that Linux versions should include more crypto/security as standard (e.g. SSH, GPG, EFS, IPSEC (or even PPTP!), secure file deletion etc etc).

    Rgds, Sam

  • I read somewhere the following quote:

    "The only truly secure system is one which is switched off, disconnected from all networks, buried in a bunker made of six foot thick concrete with armed guards posted outside. Even then I wouldn't stake my life on it being secure!"

    I tend to think this is overkill. Like everything in life, security is a trade-off. The more secure the system, the less usable it is.

    OpenBSD is pretty good if you need high security, but is overkill for home users (and office workers). For this reason OpenBSD will never have the same popularity as Linux or Windows.

    It still has its place though, in ensuring that standards are maintained in these other OS's as I believe that it really sets the benchmark for what should be possible with any OS. BrendanB.
  • OpenBSD certainly is a strongly secure O.S., and such level of security is also -but not only- due to some facts: it has a small, then more maintainable, code base; its developement can exploit the experience matured by all other OSs out there. Actually, it is no secret that most security bugs stem from bad programming attitude and that security-conscious programming is possible. I do not need OpenBSD at the moment, but to know that there is an OS programmed with security always in mind helps me sleep well, for when I'll need it I'll know where to find one.
  • Whether or not rewriting a piece of software
    results in incompatiblities is a function
    of the skill of the person doing the rewriting
    and of the original design of the software, it
    has nothing to do with the license.
  • However, you have to take into account that at the C and even the B level, these "Orange Book" criteria are a totally theoretical thing. A System being B1 certified does not mean that there are not security holes - just that it supports audit trails and a lot of other security features/i>.

    Also, last time I looked, Windows NT got C2 only under very specific circumstances that have nothing to do with any actual productive environment.

  • Do you have a citation for the 260 copies of OpenBSD used for "most sensitive data" BTW?

    Well it's mentioned in the article.

    And it was posted on /. what more could you ask for? [slashdot.org]

    wrighty.

  • by jht ( 5006 ) on Wednesday August 23, 2000 @01:01AM (#834245) Homepage Journal
    Theo has a security audit model that works terrifically well - having trusted, talented people audit the crap out of the code and being real finicky about releases.

    The Linux model (and the generic Open Source model, at that), relies on a broad pool of users with code access reading and using it. A lot of bugs, many of them security-relat, will be found this way.

    However, though security bugs will be found and fixed with the infinite-monkeys methodology, it does fall short on finding security issues proactively. You can find a lot of holes in that fashion, but to really ultra-secure and OS, you need people who are as freakish about security as Theo. The other side of that is that the users who seek out OpenBSD are also likely to be much smarter about security themselves.

    Linux is a reasonably secure OS for the "average" user, and the methodologies are adequate for the end result. The companies distributing the OS need to be more proactive about looking for holes, though - there's a lot of ways to root a Linux box, and the consequences of allowing it to happen are sufficiently high that it's worth more work to find holes before they get into the distro.

    Say what you will about Microsoft, but their Windows Update is a really nice mechanism for distributing patches and updates - none of the Linux vendors (even Mandrake) come close to that level of functionality. Most Slashdot readers will be fairly proactive about their boxes, but that doesn't mean all Linux users are like that. They need an easier way to patch and update their boxes when holes are found.

    - -Josh Turiel
  • Ouch, that was not very nice!!!
  • "buffer overflows" (which overwhelm a machine with data packets)...

    Correct me if I'm wrong, but a buffer overflow is _not_ overwhelming a machine with data packets. That sounds more like a DoS attack. A buffer overflow is more like declaring a static char a[20] then exploiting the 20-character limit, inserting malicious instructions in the "over-the-20-character-buffer" overflow to be executed. If the program is, say, a daemon or a program run as root, well the overflowed instructions are also executed as root, allowing one to create an account, open a port for himself, yadda yadda yadda...

    Buffer overflows have plagued the software industry for years, and are obviously more apparent in OS's that are connected to the Net. I'm sure MS Office is just full of 'em, but they're not always easy to discover.
  • > does that mean that bill gates has been telling me naughty lies? i thought windows 2000 was the most secure...

    No, he's right... he's just using the MS definition of "secure".

    We need an MS jargon file. Secure, standard, reliable, compatible, innovate, ....
    --
  • by samurphy21 ( 193736 ) on Wednesday August 23, 2000 @01:25AM (#834249) Homepage
    A bare install of linux without a lot of crap, huh? Sounds like Slackware to me. There's not a lot of RPM dependancies to worry about, if you just install the packages maked REQUIRED in sets A and N, then you've got a networked system with nothing on it but the bare minimum to run a functional linux system. Back in the day when the kernels were only up to 2.0.36 (last year, year before??) I was able to get a fully working Linux installation on my Commodore 386SX laptop, along with kernel source, on the 40MB HD and still have 5-10 megs to play with. Compiling the kernel was another story though, and it took so long i eventually wiped the source and compiled a kernel for it in 5-10 minutes on my K6-2 system :) I respect CmdrTaco and his opinions, but I don't think Slackware is only for those who have slackware already installed as he claims, but rather that it is for those who want a clean install without a lot of crap floating around. This includes Linux power users as well as those who are (for whatever reason) migrating from BSD to Linux. I started on linux, then migrated to BSD, but I still use linux quite frequently. I've tried Redhat, Debian, Mandrake and a couple others, but I always return to the tried and true Slackware. I love you Patrick Volkerding!
  • What did you waste so much space on?

    Maybe some of the packages just have grown bigger, or maybe I had some other source files lying around - I can't remember. At this point there's a lot of extras on it, so I'm not sure exactly what it was when I started...

    At least kernel 2.2.16, XFree86 4.0.1, Perl, gcc 2.95.2, glibc 2.1.2, all the basic stuff like make/man/groff/m4/flex/libtool/ncurses/whatever, bash, c++, vim... I suspect Xfree of having grown quite a bit since release 3, but that probably doesn't cover all of the 70 megs I had extra compared to what you have :) Maybe the X headers/libraries? You said your X was minimal :)

    Anyway, 250MB is still small enough for me.. And I don't mind having a lot of stuff installed - what I do mind is having no control over what's on my disk :)
    --

  • Found this [microsoft.com] on Microsoft's site a while back, and somewhere else on their site is a document explaining how they got C2 certification for NT4. The story about 3.51 being certified without a network connection or floppy drive is quickly becoming urban legend, or at least a standard slur whenever the subject is brought up.

    Anyway, they seem to have C2 certification for NT4.

  • I've used Slackware and it's still one of my favorite distros, but there's still too many menus and things to click before the bare system is on your disk. My barebones OpenBSD install over FTP was up and running in 30 minutes - and the time it took to fetch all the files from the servers makes up for around 25 of those... This is what I'd like to see a Linux distro do.
    --
  • You're right, I don't think I installed the X development stuff. But now I threw out the kernel and instead managed to squeeze in a full-blown xemacs with Japanese support, Apache and MySQL!
  • by tqbf ( 59350 ) on Wednesday August 23, 2000 @01:44AM (#834254) Homepage
    I have some respect for the effort that Theo and the auditors have put into reviewing OpenBSD. I was peripherally involved in the project for about a year, and wrote most of their advisories. I also know Theo personally and have great respect for his technical acumen.

    However, the notion that OpenBSD is the "most secure OS", or even the "most secure OS in common use", is absurd. Nor is it the most secure OS "out of the box". Rather, it is the leader in out-of-the-box security in a rather narrow set of popular, open-source, Unix-like operating systems.

    There have been commercially-available mandatory access control Unix-based operating systems on the market for years. The "trusted" variants of the commercial Unices are great examples. These operating systems get their security from the compartmental design of the system, and are thus largely immune to (unavoidable) trivial programmer errors.

    A great microcosm of this same competition exists in the free SMTP MTA's. Modern, secure mail transports are written in a compartmentalized fashion, so that a bug in one subsystem doesn't compromise the whole thing, or worse, the whole OS it runs on. Systems like Venema's Postfix and Dan Bernstein's qmail (which has never had a published security hole) are examples of this design.

    Meanwhile, legacy MTA's like Sendmail and Exim remain popular, despite a history of insecurity. Sendmail's authors would happily claim that, after literally decades of audit, it is secure despite a monolithic design. Nobody that takes security seriously buys this argument anymore, though, because effective alternatives exist that are built on a more secure design. So what's the difference between Sendmail and OpenBSD? Well, OpenBSD is orders of magnitude more complex and has had less than 10% of the long-term attention that Sendmail has had.

    Calling OpenBSD "secure" in light of competition from Argus Secure Solaris or even wrapper systems like SeOS is not much better pitting Sendmail against qmail.

    It's definitely true that in practical terms, OpenBSD is a more trustworthy distribution of free Unix code than Red Hat Linux. However, with very few exceptions, OpenBSD's design remains stagnant and embraces an obviously-inferior security model. Who do you expect to implement compartmentalization and Mandatory Access Control first, OpenBSD or Linux?

    My money is not on OpenBSD in the long run.

  • The topic of an OpenBSD bootable business card (or simply a small CD-ROM installation) was raised on misc@openbsd.org recently. I believe there's an interest in the project, and one correspondant was going to contact one of the people who'd helped put together the LinuxCare BBC (a pimp-ass Linux-on-a-CD distro that's with me always). Sorry, forget names, but check the past couple of weeks of archives.

    My suggestion was that such a distro would be a great admin/rescue/demo tool, particularly if it allowed someone to set up a firewall with the system. One plus of OpenBSD is its union mount method, which allows mouting nonwritable media ass if they were a writable filesystem (I've heard that this may be a feature of the 2.4 Linux kernel as well). This allows for both the security of having nonvolatile media, and the flexibility of a mutable fileystem. Pretty cool.

    What part of "Gestalt" don't you understand?

  • The story about 3.51 being certified without a network connection or floppy drive is quickly becoming urban legend, or at least a standard slur whenever the subject is brought up.

    Assume I was wrong about the floppy drive and network card. However when you state Anyway, they seem to have C2 certification for NT4. you compound the fallacy about certification being given to and OS per se. If you look at the MS site it actually states that a particular configuration of NT 4 was being used for evaluation. The quote is

    "This checklist outlines the steps you should take to duplicate the
    C2-evaluated configuration of Windows NT Server 4.0. Note that following this checklist does not make your installation C2-compliant; it merely assures you that thesoftware configuration matches the configuration that the NCSC evaluated."
  • "What I'd like to see is a Linux distro which installed the bare basics"

    I dont know what version of RedHat you used but 6.2. has the option to just install, Kde OR Gnome or try a server install, you are not forced to install both.

    If you want just the basics get one of the "Linux on a floppy" distributions, and add stuff form there. compiling your own kernel as shown on "Linux from scratch" would be overkill for what you seem to want.

    "Seek and thou shalt find", if you had made an effort to search then you might have seen this:
    Trustix
    http://www.icewalk.com/softlib/app/app_01091.html
    or Bastille linux [bastille-linux.org]

    kha0s [kha0s.org]
    www.kha0s.org

    i could go on, and on and on, and on but instead i suggest you Read this Article [linuxplanet.com] it lists various security focused linux distributions.

    Distributors are listening, but they should not underestimate the importance of marketing and gaining mindshare (case in point is the success of micro$oft).

    --
    "Rumours of my death have been greatly exaggerated"
    http://www.mozilla.org

  • Well, yeah. The best you can do is duplicate the configuration under which they achieved the C2 certification, unless you want to pay for certification of your own setup. It doesn't change the fact that they achieved the rating, and that by following the same guidelines, someone else can have their installation certified. Since C2 can only be officially certified on a case-by-case basis, it seems like they've done all they can to prepare people for it.

    I linked to a checklist of things you need to change to match their configuration, so I didn't intend to mean a default install of NT is compliant. I simply intended to show that NT4 can be made C2 compliant, and put an end to the 3.51/no floppy/no network anecdotes.

  • Um, do BSD hackers read like (speed)daemons, too? The linked-to article mentions the auditing as well:
    Over an 18-month period, a team of 10 volunteers vetted OpenBSD's entire source code - all 350 megabytes - weeding out thousands of bugs.
    Surely that must be a mistake? I find it very hard to believe that the OpenBSD code is a full 350 MB! A Linux kernel is what, somewhere between 10 and 20 MB of (compressed) code... If the size is in fact true, then those 10 guys must have read an average of 35 MB each, over 18 months. That's 1.9 MB/month! Wow. Where is the error here?
  • Ah... LFS, ever since i've started getting involved in it's development i've not logged back.

    And you are right, for anyone that wants todo LFS right now it's a _wonderfull_ getting-to-know-and-learn-linux way and doing-it-my-way-from-the-ground-up instead of taking-a-distro-and-moldy-it-into-what-i-want.

    We have started a subproject called ALFS, Automated LinuxFromScratch, which will automated the installation, there are several implementatoins allready done in bash, etc.

    The design for ALFS is quite flexible though it's had a hard time taking off, mainly as developers have been busy, etc...but inside of a week everything should be running full 'till.

    I know myself, Pual and Bryan are planning on making a small HOWTO on basic security procecudres one _should_ do to make a system secure.

    Either way, i suggest everyone take a look, you can learn quite alot about linux in general and UNIX, The project has been around for a while yet wtill in heavy development, Gerard should be releasing version 2.4 which will replace the old 2.2 stable version, and it doesn't take too long, on a half-decent box you could do it in 5 hours (i've done it :) and that's was by typing everything out including shell scripts and configuration files, once it's Automated i think it sould be very impressive.

    Considering you have almost no daemons/clients/ or whatever installed it's allready more secure then almost everything out there... i'll tell ya, give this project a little time.

    Anyways... just mumbling now *winks*

    btw: too all those Debian ppl, this is a _full development system_, you should also make sure you strip all your binarys and libraries as it's saves _alot_ of room ;) anyways, sign up and post on the mailing list.

    -
  • by Wheely ( 2500 ) on Wednesday August 23, 2000 @02:19AM (#834261)
    Actually, C1 is higher than C2. B1 and B2 exist as well (I have worked on the development of a B2 secure unix with some B1 features) and all the common "secure" operating systems struggle to maintain C2 level security. To say that any of the mainstream operating systems are the most secure in the world is bizarre.

    Regards
  • by KMSelf ( 361 ) <karsten@linuxmafia.com> on Wednesday August 23, 2000 @02:30AM (#834265) Homepage

    If you read the Microsoft NT C2 Configuration article [microsoft.com] closely, with comprehension, you'll find that it speaks of NT 4.0 being evaluated, but never certified, as being C2 compliant. This was addressed in this [neohapsis.com] BugTraq post. Believe you me, if NT 4.0 had been certified, Microsoft would be singing it to the heavens. But they don't want you to know that. You'll also note that "The C2 Administrator's and User's Security Guide" is itself a MS Windows executable (http://www.microsoft.c om/technet/security/exe/C2SecGuide.exe [microsoft.com]), hardly the most secure and safe way to transmit data around the Internet. Anyone got an open-standards version of this document?

    They also don't want you to know about the man they killed after he first got WinNT 3.51 C2 certified, then told Microsoft that it would not be possible to get C2 certification for WinNT 4.0. Ed Curry [cryptome.org], military man, NSA-certified technician, and a former independent contractor for Microsoft first had his business, health, and ultimately life destroyed. I knew Ed only from online encounters in Nick Petreley's InfoWorld forums, but the man was a friend, willing and capable of sharing fascinating information. Ed Curry died in December of 1999 of a stress-induced stroke. He is survived by a wife and young daughter.

    What part of "Gestalt" don't you understand?

  • Jesus H. Christ!!

    I had to check the argusrevolution site out, and boy did I run away screaming. I'm really not sure who the target audience is (for the site anyway).

    The site seemed to be designed for the im-so-cool-im-@-h@x04-fux0r-@11 people. So, the old boring me decides to try lynx. It definetely looked better [tec.puv.fi].

    Oh well, the weekend is coming so maybe I'll try it when I'm wasted properly.
  • PicoBSD may be interesting to you.

    Small and embedded FreeBSD (PicoBSD) [freebsd.org]
    PicoBSD is a one floppy version of FreeBSD which in its different variations allows you to have secure dial-up access, small diskless router, or even a dial-in server. All of this on only one standard 1.44MB floppy disk. It runs on a minimum 386SX CPU with 8MB of RAM, and no hard drive is required!

  • by Anonymous Coward
    First off, remember that C2 is now obsolete, anyway. Noone is trying for orange book evaluations anymore. Now vendors of Trusted Operating Systems try for Common Criteria evaluation.

    Besides, evaluation requires huge amounts of $$$ and documentation, and may not actually involve an exhaustive code audit. (C2 certainly does not.) Frankly, Theo is not impressed [sigmasoft.com] with TOS evaluations, and might have to wea ken [sigmasoft.com] OpenBSD's crypto to get such a rating.

    It is much more reliable to just turn things off [sigmasoft.com] until you have time to audit them.

    OTOH, Theo's decisions are not flawless. C2 would require ACLs, and Theo does n't want them [sigmasoft.com] in OpenBSD. I think he's correct, that they usually are a problem, but I think that an admin should have the option of using them.

  • We digress a little here, but M$ introduced Windows Update as part of Windows 98, in mid '98. The Red Hat update wizard they have arrived with the debut of RH 6.0, whenever that was. Sure, the Linux update wizards are robust and capable, but the Microsoft one was there real early in the game, and it works very well. They update any apps that Microsoft is willing to allow into the MS sandbox (for instance, Flash and Shockwave updates can be downloaded from it), but not third-party apps in general.

    They also have an Office Update site as well that uses the same technology (a funky ActiveX control) to check for and patch Office 2000 code.

    What Microsoft doesn't do is roll every single update into Windows Update - a lot of the security hole patches for servers are only accessible from the kbase article or the Security homepage. Windows Update is more focused on the consumer OS and apps.

    - -Josh Turiel
  • a) the information is in the change logs [openbsd.org]

    b) Theo and company don't remove security bugs from software, they remove sloppy coding. Most other OS maintainers don't want the OpenBSD team to post 300 "this code was sloppy" comments to bugtraq. It's only after the fact that the sloppy code is determined to be a security flaw. Thus the frequent "we already fixed that" posts.

  • Over an 18-month period, a team of 10 volunteers vetted OpenBSD's entire source code - all 350 megabytes - weeding out thousands of bugs.

    10 programmers, working every day for 18 months would have to audit over 65k of source per day to reach 350 megabytes. My guess that on average, 65k of source would end up being about 1800 lines of code.

    I wonder (a) how much of that is in comments and (b) if perhaps some portions do not need to be audited.

  • Actually, GCC should be highly discouraged on a firewall/bastion host. Never give the kiddies any breaks.
  • [shudder]

    I greatly admire Theo's work. I just don't think you'd want two of him on the same project, maybe even the same planet.

    --
  • Having installed both, and as a current user of both, I feel free to comment. Debian dosen't compare in that it gives too much choice, and asks many more questions at install. I agree with the original poster: OpenBSD has an excellent default install. Not that many packages are installed, but everything that a unix system should have is there.

  • well, duh. no networking, no services of any kind, and, well, that's it.

    if you don't have console access, you can't get into even the least secure minix box :)

  • by autechre ( 121980 ) on Wednesday August 23, 2000 @03:57AM (#834286) Homepage
    It blows the MS mechanism into tiny chunks.

    Debian has apt, which has several advantages over Windows update:

    1. Debian is mirrored on several zillion servers, so if one is slow or down, you can simply choose another. Route to MS gets messed up? Too bad for you...please hang up and try again.

    2. You can update ALL of your packages, barring those you've had to compile from source, which, considering the sheer volume of Debian packages, =="not bloody many".

    3. You can use it from the command line, which is a good idea if you're updating X-Windows :) You could also use one of the "console GUI" tools such as capt or aptitude, or an X-based tool like GnomeApt.

    4. You don't have to do anything evil like run ActiveX controls to use apt-get.

    5. Apt-get will let you upgrade the ENTIRE SYSTEM AT ONCE. Try using Windows update to move from NT 4.0 to Windows 2000 -- without even rebooting :)
  • This reminded me of an experience I had about ten years ago. Right after college, I spent a few months working at a retail PC store while looking for a good engineering job. One day, a guy came in asking for advice on how he could keep his system secure while he was at work. He claimed that "they" were getting onto his PC, he knew this because files that were in one directory would be moved to another directory. I assumed that he was leaving his PC on so that he could dial into it from work but, when I mentioned this during the conversation, he told me that his PC was turned off all day. I explained that with no power, his HDD would not be spinning and there was no way that anyone could access it remotely. With a completely straight face he responded, "They can". He finally left relieved when I suggested that he unplug the phone line from the jack during the day.

    Just wanted to let you know that power or not, "they" can still get at you.
  • I had a nice debate with TQBF on this subject about a year ago.

    Take a look at the BSD-derived OS shipped with the Sidewinder [securecomputing.com] firewall, which they call SecureOSTM. Secure Computing has compartmentalization implemented in what they call Type Enforcement [securecomputing.com].

  • Something that is seldom mentioned, under the BSD license, the various *BSD groups can take code from each other, and the various Linux groups can take BSD code and add it to their OS, however ...

    BSD Cannot take Linux GNU-licensed code

    There is no GNU code in the BSD kernel, and any cool code that Linus comes up with and releases under the GNU license cannot be directly used in BSD.

    In that respect, the BSD license slows development of the *BSDs, especially drivers for new hardware. This is not always a bad thing.

  • If anything, he discounted the idea that more Linux users makes Linux more secure than OpenBSD.

    Yet no distribution of linux is as secure as OpenBSD. Your entire line of reasoning is specious, and you conclusion is unwarranted.

    Theo is correct. Security analysis is difficult - even most experienced programmers have no idea how to properly apply security in their code. "More eyes" in this case are largely irrelevant and maybe even detrimental if they don't know what they are doing.

    In any case, it doesn't appear that the linux community has mustered "more eyes" than the OpenBSD team, and your presumption with regards to this is largely naive.

  • by addison ( 80477 ) on Wednesday August 23, 2000 @04:33AM (#834294)
    It doesn't change the fact that they achieved the rating, and that by following the same guidelines, someone else can have their installation certified.

    It doesn't, because that fact doesn't exist.

    Its been EVALUATED. Not certified.

    And no, you can't have YOUR installation certified, either.

    Additionally - the 3.5 (not 3.51) Certification - *was* without a network or a floppy drive.

    I simply intended to show that NT4 can be made C2 compliant, and put an end to the 3.51/no floppy/no network anecdotes.

    You were simply, wrong.

    First - its 3.5. On 3 machines (2 x86, 1 Alpha) with a certain service pack. And no floppy, no network card. its not anecdotal. Go find the facts, and read them.

    And the default of NT isn't complaint/certifiable. NT 4 has *never* been certified as C2 (Orange Book) secure.

    And attempting to put an "end" to the factual complaints based on a badly flawed understanding is not a good idea.

    Addison
  • by Anonymous Coward on Wednesday August 23, 2000 @04:39AM (#834296)

    Most secure OS my @$$. OpenVMS right out of the box is literally orders of magnitude more secure than any *nix. NO buffer overflow exploits (never had 'em, never will). NO means of gaining priviledged access from a nonprived account. NO means of cracking passwords in SYSUAF (thanks to a strong one-way hash). Heck, you need a prived account just to look at SYSUAF! The amazingingly TINY handfull of security wholes which have occassionally cropped up in VMS over the last 23 years have been promptly corrected.

    The only ways to break into a VMS system are:

    • "Social hacking" -- tricking someone into telling you their password or guessing at sites with poor password policies,
    • Packet sniffing at sites where SSH and other secure connection techniques are not used (again, a policy issue),
    • Gaining physical access to the console and using documented procedures for by-passing password protection.
    That is all. Period. There are NO other ways. Zero. The same cannot be said of ANY other OS.

    And don't hand me the "closed-source, proprietary OS, security through obscurity" arguements. The OS is better documented than any other in the world (most of it available on the web), including the system internals. Source listings are available for a fee for every part of the OS except those portions related to license handling (for obvious reasons).

  • Well, it'a about attitudes. Linux has so many distributions and changes so rapidly that implementing time-consuming security audits might be seen as a waste of time. By the time you got a bunch of fixes done the 'next version' would be out and the whole deal of rolling in fixes might be a big enough hassle to discourage others. The best thing would be to have a security conscious distribution. Debian probably comes closest to this. They have the 'sit on it till it's ready' mindset that you would need with security being a primary goal. OpenBSD's fixes are listed on their site; I assume people are either ignorant or lazy concerning rolling security fixes into other products.

    As the article notes, security is a mindset. You have to be a certain type of person with a certain outlook on life. I've setup some routers/firewalls for some friends and some of them could careless whether telnet is secure or not. I know others, mostly system admins, who cringe at the thought of even typing 'telnet'.

    Oh, I dunno but maybe licensing conflicts might screw up some people. BSD's pretty liberal about usage but you never know about how others take that.
  • Just to add another voice. BSDs can do this rather easily as well. Between packages, ports, and cvsup you can completely update your system every night if you want. This means the entire system kernel and all. Kinda funny how much Debian and the BSds are alike in ways.
  • There should be a secure OS which can be used for a webserver (or similar) without any tweaking or installing additional software, which is secure out of the box.

    Oh wait, there is, and it's called OpenBSD.

    And I want security, and OpenBSD makes that possible with a default installation. This is why I downloaded and installed it in the first place. It was either that or FreeBSD (I was a linuxhead for a long time, used Slack, Redhat, and Debian) and security won. I do admin and analyst work for a living, I really don't want to come home and have to worry about if I got hax0r3d. I'd far and away prefer that some other people were going through code line by line for me. Hence, OpenBSD.

  • Sure, but the WOL feature doesn't wake up your system every time it sees a packet, or even every time it sees a packet which could conceivably be interpreted as belonging to it. If it did, no machine on a NetBIOS network would ever go to sleep, due to the dramatic quantity of broadcast traffic.

    One of these days I need to look up what WOL DOES wake up on, and just what a "Magic Packet" entails.

  • No, it's not, and because doing security auditing
    is a boring, tedious task; it doesn't scratch anybody's itch except Theo and his team and thye're already fixated on BSD.

    One or more of the commercial distributions probably ought to pay people to do the tedious auditing tasks, but a.t.m. they're all focused on front-end/user-friendliness issues, making Linux 'ready for the desktop' not making ready for Enterprise and Gov't applications. (Or, since Linux is really already doing both, I mean a broader range of enterprises and gov't applications, just to pre-empt any flames.)


    --Parity
  • I know this is flamebait-esque, but MacOS9 and below being secure is certainly an artifact of the OS just not doing that much.

    UNIX has tended to run, as standard services, a much larger set of applications. Until recently Apples used only Appletalk to speak to one another, and TCP/IP to speak to the rest of the world (Or to NT boxen or Linux boxen which were willing to deal with them.) So there really wasn't any way to do anything to a Mac remotely.

    MacOS is also a single-user operating system (Does that change in X?) with only a local login context. I'd guess there's a PC-Anywhere equivalent for it by now (Ah yes, VNC [att.com] seems to be in beta) so there's another potential source of vulnerability. ph34r me as I hax0r your mac from my Wince handheld.

  • Yes, it's been EVALUATED, not certified. Bad choice of words. The evaluation, however, means [ncsc.mil] that it is a C2-rated product. Semantics is an ugly game.

    I understand that the 3.5 certification was without a network or floppy drive, but that isn't the only C2 rated NT product, which is what I was driving at.

    I hate being put into a position where I feel like I'm defending Microsoft, but it's silly to play word games with these ratings. NT 4 has been evaluated at C2, and so it has a C2 rating.

    This bores me now. Anyone that actually cares to know can jump around the TPEP site and draw their own conclusions.

  • by Animats ( 122034 ) on Wednesday August 23, 2000 @06:59AM (#834327) Homepage
    OK. Here's NSA's official list of certified products [ncsc.mil], with the NSA Trusted System logo one very seldom sees. NT 4.0 with Service Pack 6A and additional "C2" fixes made the list, at the lowest evaluated level, after four years of work. That's not much of an achievement.

    NSA's computer security evaluation program hasn't been very popular. NSA also evaluates security equipment like padlocks and safes, and back in the '80s when they started evaluating computer systems, they thought much the same approach would work. Early on, evaluations were conducted by in-house NSA staff, under a "two-try" system; the system was evaluated once, and if it didn't pass but looked promising, the vendor was given hints on what to fix. The second try was pass/fail; no further tries were allowed. It wasn't considered the job of the evaluation team to debug the system.

    The current scheme is much more vendor-friendly. Evaluation is usually done by outside contractors paid by the vendor. The vendor can keep trying to pass as long as they pay the vendor. NSA then reviews the evaluation. That's how NT 4 got through.

    Even under the same criteria, the new approach is much easier to pass. Under the old scheme, vendors didn't go for evaluation until they were really confident of their ability to pass, since outright rejection was possible. Now, vendors can submit whatever they've got and keep debugging until they wear down the evaluation contractor. That's not good. Note that it took Microsoft years of trying to get NT 4 through.

    C2 is a very low standard. Nothing below B2 is really serious. It's embarassing that NT can't make C2 out of the box.

    The list is depressing. Little has been added in recent years. The security properties of commercial products are so weak today that it's embarassing. Yes, the criteria are dated, but that's not the big problem.

  • OpenBSD takes a very serious stance towards security.

    Therefore,they fix a lot of stuff which -could- be a vulnerability. The fix anything that looks remotely suspicious at all. This is a fairly paranoid view of the world.

    Bugtraq, however, tends to only have proven exploits. It's hard enough for most developers to keep up with this much smaller set of problems. They don't have the time to fix all of the possibles, maybees, and coulds that the OpenBSD people fix.

    On the other hand, I'm sure that if there was a very serious problem in a common GPLed tool, the BSD people would submit a fix if they were the ones to find it. However, OpenBSD, while it does include GPLed software, tries to avoid it, since the GPL has more restrictive terms than the BSD licence. So, they aren't playing around with a very large set of GPLed software.

    I do remember reading that some major OSS group (Apache ?) uncovered a large number of serious buffer overflow exploits in the TCP/IP stack of nearly every OS out there, OSS or not. They submited patches to all of the open ones, but the closed OSes are still mostly vulnerable. Different open-source teams do contribute to one another, which is part of the strenght of open source.
  • by tilly ( 7530 ) on Wednesday August 23, 2000 @08:12AM (#834334)
    I know Karsten from the same online forums that we both knew Ed Curry from. Microsoft did a ton of stuff to him. Some of which simply cannot be sustantiated. For instance after his company was destroyed, at one point he got a job, then his boss' boss got a phone call from Microsoft, and his boss was ordered to fire him. Which kinda sucks when you are supporting a wife and kid.

    As for the current location of that online community, follow my .sig.

    BTW a question you probably have right now is whether or not we can be believed. Well we both have sufficient credibility to be automatic +2's on this site, and in fact were among the first batch of moderators selected here. You could also do a Google [google.com] search for either of us. Or look for Ed Curry.

    Yeah, what happened to him is pretty astounding. The lack of press reporting on it is pathetic. But I assure you that the basic story is true.

    Regards,
    Ben
  • Else Microsoft would be jumping up and down screaming about how they were really certified. Instead they play BS word games and nobody calls them on it. :-(

    Regards,
    Ben
  • by rjh ( 40933 ) <rjh@sixdemonbag.org> on Wednesday August 23, 2000 @08:18AM (#834336)
    I am an InfoSec professional, but this is not professional advice. Moreover, I really like OpenBSD, so please don't take this as a BSD flame. :)

    The problem with buzzwords is that they so rarely mean what their obvious meaning is. When I see "secure by default", that tells me "I can install OpenBSD in its default install, throw Apache and my MTA-of-choice on it, and it'll still be safe". That's what secure by default suggests to me; that a clean install of the OS and the daemons you need to run your business will be secure, by default.

    The problem with it is that this isn't anywhere near to the case. I've got lots of kudos for OpenBSD's large, distributed security audit. I think it's a brilliant idea, and I wouldn't mind seeing Linus say "okay, for the next six months all development is frozen and we're going to audit our codebase".

    Unfortunately, security audits are not synonymous with security. (Trust me on this one.) Security is a process, not a product; it cannot be magically generated by anything, not even OpenBSD's vaunted audits. You run into Heisenberg's Catastrophe at some point--assuming that your auditing process was complete and accurate, your codebase is safe; but then you have to audit the audit process to make sure you didn't leave anything out... then you have to audit the audit of the audit... and so on.

    These are the main problems with audits that I've found:

    LIMITED MANPOWER. The scorn that Theo heaps on the Linux community is, in some sense, warranted. What Theo misses is that where Linux has a huge amount of manpower, mostly of limited skill, OpenBSD has a miniscule amount of manpower, mostly of fairly high skill.

    The problem is that security audits are limited by manpower more than they are technical skill. A thousand coders of only amateur skill can go through code at a huge rate; it's not hard to spot unconstrained buffers (buffer overflows), pointers that never get free'd, etc. If they were only ten coders strong, it would not matter how much skill they had, they simply wouldn't have the manpower to do a thorough code review.

    INCOMPLETE SECURITY AUDITS. OpenBSD's security audit means they have an extremely high-quality kernel and tools. When even ls has been audited, you know they're doing something. However, Apache, sendmail and other large programs have not been audited by the OpenBSD team. Putting an old, vulnerable version of Apache on an OpenBSD box exposes potential risk.

    (Before the OpenBSD people accuse me of FUDding, let me emphasize potential. The root exploit against Apache/Linux might fail on Apache/OpenBSD, due to OpenBSD's security consciousness. The point here is not to say "Apache makes systems insecure"--it's to say that there are a lot of daemons running on modern boxen, and many of these daemons have not been audited.)

    INCOMPETENT SYSTEM ADMINISTRATION. Most root exploits I've seen--regardless of operating system--have taken place due to incompetent system administrators. OpenBSD does some things right by shutting down all nonessential ports by default (as opposed to Red Hat, for instance), but these are just Band-Aid measures over the festering, necrotic wound of incompetent sysadmins.

    INCONVENIENCE. One of the biggest motivations for people to bypass security precautions is that security is inconvenient. If a user bypasses a precaution, that's worse than if the precaution never existed in the first place. There's a difference between a sysadmin who says "all our passwords are secure, because we use shadow passwords and force our users to change them every month" and the sysadmin who says "I don't know if our passwords are secure, despite the precautions we take".

    The former, more likely than not, has users who are so frustrated by the bondage-and-discipline security precautions that they leave their passwords on Post-It notes attached to their monitors. The latter probably has them, too, but at least isn't fooled into thinking he's safe.

    OpenBSD has some very useful security precautions, yes--but the most useful precautions are those that are transparent to users (security audits, jailing daemons, etc). The more intrusive your security becomes, the greater the likelihood your own users are going to circumvent them.

    LIMITED FEATURES. Remember that oftentimes security is enhanced by adding features. Adding ACLs, for instance, could be a boon to sysadmins everywhere and result in more secure boxen. Since OpenBSD's developers spend so much time auditing, though, they're significantly behind the pack when it comes to keeping current with other Unices.

    ... All that said, though, if I were setting up a network, all of my machines visible to the outside world (mailserver, webserver, etc.) would be running OpenBSD or Pit Bull or Trusted Solaris. Probably OpenBSD, due to the fact that I already know UNIX reasonably well and I don't need the bondage-and-discipline of Trusted Solaris (see "INCONVENIENCE" above). :)
  • by malraux ( 5479 ) on Wednesday August 23, 2000 @08:22AM (#834338)
    I was at IWE along with Karsten and Ben, and held several conversations with Ed. His life was basically destroyed by Microsoft because he wanted to tell the truth.


    Regards,
  • by InThane ( 2300 ) on Wednesday August 23, 2000 @08:25AM (#834339) Homepage Journal
    While I did not chat with him extensively, I did see him on the forums, and watch as he attempted to salvage his career and finances from the savaging Microsoft gave him. I also read the report of his death, and grieved with the rest of the IWETHEYers. You can find us at IWETHEY [ezboard.com]
  • by InThane ( 2300 ) on Wednesday August 23, 2000 @09:35AM (#834345) Homepage Journal
    Well, the original forums, on Infoworld Electric, were taken down. There are archives there, but they are not currently searchable. You can also do a Google search on Ed Curry, and come up with a bunch of relevant documents. I had some set up in a post, but my browser dumped on me, so the only pointer I have right now is

    http://foundation.geneseo.edu/scholarships/schol arlist.html

    which points to a $500 scholarship established in his memory.

    Most of the relevant Ed Curry posts occured in the old Infoworld Electric forums, which, unfortunately, aren't easily searchable any more.
  • I've been through something like 25 pages of Google results on "Ed Curry" but I have yet to find anything that explains what MS did to him - only things along the lines of (in order of frequency):
    • That be brought to light that WinNT 4.0 as of SP4 wasn't C2 certified, and somewhat less frequently, that the DOD didn't care. (And, as far as I know, still doesn't! The company I work for does computer/electronic related consulting for the various armed forces, so the standard desktop here is supposed to match the standard desktop (including software) of the armed forces. It is still, as of this date, AFAIK, WinNT SP4. The other interesting tidbit is that almost everyone here hates MS...)
    • His company, LSEC (? - it didn't even mention the name!) went bankrupt, and he blaimed MS. (Although no facts supporting the truth of this claim are given!)
    • He's dead. (Usually nothing more than that - just that he died. One page states a stroke, possible caused by stress - nothing more.)

    This is all kind of disheartening - 250 results, not a one really gives any information about what several people claim MS did to this man. And the only page that really mentioned his the cause of his death mentioned it because his lawsuit against MS was dropped because of it!

    I was hoping that the IWETHEY users could give links to the archives, since I couldn't find anything after a fairly quick look - I concentrated more on the Google search. It's kind of sad that there doesn't seem to be anything on the web explaining what MS did - maybe someone should write something.

  • by Alorelith ( 118865 ) on Wednesday August 23, 2000 @11:07AM (#834350) Homepage
    Try checking out this site [cryptome.org] for more info.
  • Check out this link: http://pub4.ezboard.com/fiwetheyopenforumiv.showMe ssage?topicID=656.topic&index=7

    This points to the thread we're discussing about Ed right now - there are some transcripts of what he originally posted in the Infoworld Electric forum.

    The main problem is since he never took legal action against Microsoft, most of his allegations don't have much documentation. But I can attest to reading his posts over a several year period as his finances slipped and fell apart due to the situation we've been talking about.

    Ed was a Good Man.
  • I like Linux - None of the BSDs have the software base that Linux has, and it's a lot speedier.

    Actually, all of the BSDs have the software base that Linux has, through the emulation layer.

    As for Linux being "a lot speedier", I think you're either exaggerating or not making a fair comparison. Most performance differentials can be eliminated with a little config file editing.

  • Just to add another voice to all those which have told you're full of jackpoo SuSE comes with a nice utility called YaST which stands for yet another setup tool. Has has several nice features such as system configuration and package handling. YaST which as of 6.4 comes in an X based GUI version (as opposed to ASCII GUI) which allows you to update your whole system from SuSE's ftp servers. I think YaST is a bit more useful than the Windows Update because it lets you control the package management better. The Windows Update won't run a conflict catcher like YaST does which sometimes causes problems with things. The only real important difference in my opinion is that Windows Update is web based because they have a browser that is tightly integrated with the OS which with monopoly argumentsaside is a good thing because it means less third party dependence.
  • Actually that was another lie.

    They got a different certification (IIRC from England) that they called C2-equivalent. Well their opinion on the equivalence is irrelevant, it wasn't C2 which is what they tried to make it look like.

    Lies? Microsoft? Whodathunkit?

    Images not allowed here so visit our usual sign [idirect.com] elsewhere...

    Cheers,
    Ben
  • Re: the note about adding an old, insecure version of Apache.

    These days, an audited version of Apache is included in the OpenBSD base. When you run httpd, that's Apache-1.12 (IIRC).

    Same case with your MTA -- sendmail is included in the base install.

    And, passwords -- OpenBSD has no default password policy. I don't even think that, at present, it has a mechanism for expiring passwords at all. They're not into preventing user/admin stupidity -- just code correctness/robustness.

    But, of course, security is a process, and the worst thing you can do with an OpenBSD box is get overconfident. Audits aren't magic fairy dust.
  • The big VMS bug: DECnet.

    While I love VMS, don't get me wrong, there are a lot of people out there with VMS boxen which have a DECnet daemon that has SYSPRV enabled.

    This doesn't strike them as bad, until some user with NETMBX runs tell.com, runs authorize.exe through tell, and gets SETPRV. :)

    That said, I'd rather run a webserver on VMS than any other OS. The ability to use ACLs to control access by CGIs to specific files is far too attractive; most *nix systems wind up having to grant world read/write access to things that CGIs generate, which is just dumb and bad.

    Frankly, if you want security in VMS, you pretty much have to deny your users NETMBX and install individual applications with it. The problem is you have to install a lot of applications.

"Everything should be made as simple as possible, but not simpler." -- Albert Einstein

Working...