Sniping at OpenBSD 12
Noel writes "An article at RootPrompt.org talks about the reaction to the announcements by the OpenBSD developer team about new exploits that implied that the developers had been hiding the truth about the exploits so as to not tarnish the reputation of OpenBSD."
Molehill (Score:3)
People found an exploit for a version that's two months out of date, and they're having sour grapes because they only got to bask in the H4X0R spotlight for negative sixty days.
Re:Molehill (Score:2)
The problem that bugtraq has (I think) is that they fix "bugs" (not really, it's programming style) and then don't tell anyone that it "could" be exploited... then when some other BSD does get bitten by the "bug" they yell "See... we fixed it already..." (when they should have at least announced the potential for it to be exploited.)
Re:Molehill (Score:1)
Todd Miller, an OpenBSD developer, responded to this question with the following:
"As one of the people who took part in the audit I can honestly say that we didn't think they *were* exploitable. There was no intention of hiding any fixes, we just went through the entire source tree (we did not target privileged programs specifically) and fixed format string problems where we found them and released patches for those we knew to be exploitable (like xlock)."
As far as running old versions of Win95, well, OpenBSD users are quite different from Win95 general users. People who are running OpenBSD like to apply those patches, etc.
Re:Molehill (Score:1)
On the other hand, the one anonymous ftp server got upgraded back then when the scare about ftp servers was announced on BugTraq.
So take your pick. Run a server that doesn't have user accounts and let it run and run, until you upgrade the hardware and step up to the latest version, or watch the changelog and be prepared to patch or upgrade if something like this comes along.
I just looked at the uptimes on my OBSD servers:
one-nameserver 284 days
two-nameserver 274 days
three-ns/dhcp 306 days
www 166 days
general-net-mgr 336 days
ids-system 104 days
and none of them are -release, all are snapshots from whenever I was installing, and because of the OpenBSD paranoia, I don't worry about them being exploited. Good code just runs solid, and makes it easier to get the rest of the real work done.
Re:Molehill (Score:1)
Where did you get Windows 95 from? I said 95% of people...
Re:Molehill (Score:1)
Whoops. Sorry about that.
Well, from reading the OpenBSD misc-list I get the feeling that even though there are plenty of users not running the current version of OpenBSD, they still like to apply all the patches so their non-current OpenBSD system is still up to snuff.
My eyes must have been tired to turn that 95% into win95. Either that or supporting win95 boxes for the users is driving me mad.
Whats your OS audience / community / tribe (Score:2)
If you require tight security and yet you run an OS without the latest security patches you're asking for trouble no matter what OS you're using.
<I'm getting tired of this mode on>
At times it's discouraging to see so much pointless bickering and the "My CPU/OS/GUI/Car/Race/Planet/Dogma is better than yours" and all the "neer neer neer" having to do with that attitude. And it makes me shake my head in some cases to see some media pick up on it and actually present some of this dreary immature factionalism fit for the stone age as if it represents the viewpoint of any sizeable group or even project.
To say that OpenBSD "was hiding the truth" by not flooding BugTraq (while posting everything you ever wanted to know on their website and in their lists) is just that type of time wasting drivel. You wouldn't rely on the New York Times to tell you what's going on in Kansas City; no, you rely on sources of information relevant to you and scaled to your domain.
<getting tired of this mode off>
Sorry about that, I'm actually still capable of getting worked up over this :)
Re:Molehill (Score:2)
With regards to keeping the holes they find to themselves - well, if you had ever tried writing an exploit, you would realise that just because there is a dodgy function call deep within a load of code, being able to exploit that vulnerability is another matter completely. I think they just patch everything they can, and if it's later found to be exploitable then I think they have the right to say they fixed that hole 3 years ago.
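The two comments above (Todd Miller's description of the audit and the reply about exploitability) turn on one distinction: a printf-family call whose format string is not a literal is a bug worth fixing on sight, whereas whether an attacker can actually steer that string (and reach %n) is a separate question. The following is an added example, not OpenBSD's audit tooling or any code from the thread: a small source-line scanner in C that flags calls to common format functions whose format argument is not a string literal, run over a handful of constructed sample lines. The function table, the sample lines and the helper names are assumptions made for this example; the scanner is a heuristic (it works one line at a time and does not understand comments or preprocessor macros), so it finds candidates for review rather than proving exploitability.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Functions to audit and the 0-based index of their format argument.
   Constructed for this example; a real audit would cover the vsyslog/vsnprintf
   family and project-specific wrappers too. */
static const struct { const char *name; int fmt_arg; } funcs[] = {
    {"printf", 0}, {"fprintf", 1}, {"sprintf", 1}, {"snprintf", 2},
    {"syslog", 1}, {"warn", 0},    {"warnx", 0},   {"err", 1}, {"errx", 1},
};

static int is_ident(int c) { return isalnum((unsigned char)c) || c == '_'; }

/* Return a pointer to the start of argument `idx` (0-based) in the argument
   list beginning at p (just after the '('), or NULL if the call has fewer
   arguments. Tracks nesting and string literals so a comma inside "%d,%d"
   or inside f(a, b) is not mistaken for an argument separator. */
static const char *nth_arg(const char *p, int idx)
{
    int depth = 0, in_str = 0, arg = 0;
    while (isspace((unsigned char)*p)) p++;
    if (idx == 0) return *p == ')' ? NULL : p;
    for (; *p; p++) {
        if (in_str) {
            if (*p == '\\' && p[1]) p++;        /* skip escaped char */
            else if (*p == '"') in_str = 0;
            continue;
        }
        if (*p == '"') in_str = 1;
        else if (*p == '(' || *p == '[') depth++;
        else if (*p == ')' || *p == ']') { if (depth == 0) return NULL; depth--; }
        else if (*p == ',' && depth == 0 && ++arg == idx) {
            p++;
            while (isspace((unsigned char)*p)) p++;
            return p;
        }
    }
    return NULL;
}

/* Return 1 if `line` calls one of the audited functions with a format
   argument that is not a string literal; copy the function name to func_out. */
int flag_format_call(const char *line, char *func_out, size_t func_len)
{
    for (size_t i = 0; i < sizeof funcs / sizeof funcs[0]; i++) {
        const char *name = funcs[i].name;
        const char *p = line;
        while ((p = strstr(p, name)) != NULL) {
            const char *after = p + strlen(name);
            /* Whole-word match only: "printf" inside "fprintf" or "my_printf"
               is not a call to printf; "err" inside "errx" fails the '(' test. */
            int word_start = (p == line) || !is_ident(p[-1]);
            p = after;
            if (!word_start) continue;
            while (isspace((unsigned char)*after)) after++;
            if (*after != '(') continue;
            const char *arg = nth_arg(after + 1, funcs[i].fmt_arg);
            if (arg == NULL || *arg == '"') continue;   /* literal: fine */
            if (func_out && func_len) snprintf(func_out, func_len, "%s", name);
            return 1;
        }
    }
    return 0;
}

/* Scan an array of source lines; print each hit and return how many there were. */
int count_flagged(const char *const *lines, int n)
{
    int flagged = 0;
    for (int i = 0; i < n; i++) {
        char fn[16];
        if (flag_format_call(lines[i], fn, sizeof fn)) {
            printf("line %d: %s() called with non-literal format:%s\n", i + 1, fn, lines[i]);
            flagged++;
        }
    }
    return flagged;
}

/* Constructed sample lines, not code from any real project. */
static const char *sample_lines[] = {
    "    printf(\"%s\\n\", msg);",                 /* literal format: fine */
    "    printf(msg);",                           /* classic format string bug */
    "    syslog(LOG_INFO, buf);",                 /* bug: format comes from a buffer */
    "    snprintf(out, sizeof out, fmt, a, b);",  /* bug unless fmt is provably trusted */
    "    fprintf(stderr, \"%d,%d\\n\", x, y);",   /* comma inside literal: fine */
    "    warnx(\"%s\", argv[1]);",                /* the fixed form: fine */
    "    errx(1, host);",                         /* bug: hostname used as format */
    "    my_printf(msg);",                        /* different identifier: ignored */
};
#define SAMPLE_COUNT ((int)(sizeof sample_lines / sizeof sample_lines[0]))

int main(void)
{
    int n = count_flagged(sample_lines, SAMPLE_COUNT);
    printf("%d of %d lines need review\n", n, SAMPLE_COUNT);   /* 4 of 8 */
    return 0;
}
```

Every hit is a candidate, not a confirmed hole: `errx(1, host)` is only dangerous if `host` can be attacker-supplied, and a line-at-a-time scanner like this will miss calls split across lines or hidden behind macros, which is why an audit of a whole source tree is slow work even when the fix for each hit is the same one-line change to a `"%s"` literal.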
It's irrelevant. (Score:1)
I sure hope no one was dumb enough to put something important in a -CURRENT release OpenBSD, since everyone knows that those releases are on the bleeding edge of the OS development, and as such should only be used for testing purposes. If you are truly concerned about security or stability, use a -RELEASE version, or at least a -STABLE version.
(Disclaimer: I use FreeBSD, so I don't know if I am correct in mentioning the different states of development, i.e. -CURRENT, -RELEASE, etc. I believe, however, that it is something like this.)