Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Open Source Operating Systems BSD Linux

Are the BSDs Dying? Some Security Researchers Think So (csoonline.com) 196

itwbennett writes: The BSDs have lost the battle for mindshare to Linux, and that may well bode ill for the future sustainability of the BSDs as viable, secure operating systems, writes CSO's JM Porup. The reason why is a familiar refrain: more eyeballs mean more secure code. Porup cites the work of Ilja von Sprundel, director of penetration testing at IOActive, who, noting the "small number of reported BSD kernel vulnerabilities compared to Linux," dug into BSD source code. His search 'easily' turned up about 115 kernel bugs. Porup looks at the relative security of OpenBSD, FreeBSD and NetBSD, the effect on Mac OS, and why, despite FreeBSD's relative popularity, OpenBSD may be the most likely to survive.
This discussion has been archived. No new comments can be posted.

Are the BSDs Dying? Some Security Researchers Think So

Comments Filter:
  • by sconeu ( 64226 ) on Friday January 26, 2018 @11:45AM (#56008099) Homepage Journal

    I won't believe it until Netcraft confirms it!

    • by Netcraft Confirms It ( 1477201 ) on Friday January 26, 2018 @12:02PM (#56008269)
      I'm sad to say it's true.
    • by Anonymous Coward on Friday January 26, 2018 @12:07PM (#56008321)

      The reason why is a familiar refrain: more eyeballs mean more secure code.

      After Heartbleed and the other issues affecting OpenSSL, and Shellsheck affecting bash, why the hell would anyone still be pushing this disproven "more eyeballs" narrative?!

      The OpenBSD project proves that security doesn't come from "more eyeballs". It comes from having software developers who know what they're doing, and who take their work very seriously, and who show immense discipline, and who don't put up with bullshit, and who put security first and foremost.

      You could have two million "eyeballs" of offshore "programmers" in India looking at some code, and it will likely still end up being much less secure than code doing the same work but written by a couple of OpenBSD's developers.

      Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.

      • by Anonymous Coward

        Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.

        "he easily found around 115 kernel bugs across the three BSDs, including 30 for FreeBSD, 25 for OpenBSD, and 60 for NetBSD. Many of these bugs he called "low-hanging fruit." He promptly reported all the bugs, but six months later, at the time of his talk, many remained unpatched."

        This does not speak highly of the quality of the people working on the code.

        • by Anonymous Coward

          Give us links to each and every one of those bug reports so we can judge the severity of these alleged bugs on our own. If the BSD devs aren't fixing them it's probably because they're very minor bugs, or perhaps aren't even valid bugs to begin with.

          • Re: (Score:3, Informative)

            by fmoliveira ( 979051 )

            van Sprundel also praised OpenBSD's response to his bug findings, saying that De Raadt responded within a week, and OpenBSD patched the flaws within a few days.

        • It's not the quality of people but perhaps how much they are being paid. The difference between Linux and the BSDs is that there are many more paid developers working on the Linux kernel than the BSDs.

          Everybody has to find a way to put groceries on the table.

          • Everybody has to find a way to put groceries on the table.

            I am fine on groceries. I want code that is reliable and secure. I will continue using OpenBSD - but not as my dinner.

      • by Anonymous Coward

        The BSDs work on the principle that you can shoot into your foot if you so desire. That's why you get a stern warning if you enable the troves of security holes (aka known as compat-X). Not to mention that to sum up all the security holes before comparing them to the Linux side was a little bit disappointing. You have to compare each flavour of BSD to Linux.

        Yes there are lots of holes left and they will stay until someone really needs an old version secured. There is a reason LINT is called lint. If you don

      • by Hylandr ( 813770 ) on Friday January 26, 2018 @01:09PM (#56008985)

        Why the hell would anyone still be pushing this disproven "more eyeballs" narrative?!

        It's important to not that if there weren't eyeballs on the code we would never have known about the vulnerabilities to fix to begin with.

        They would have only been discovered and exploited by the malicious and never disclosed unless the attack was discovered while the company responsible would spin the issue and would ( in most cases ) not spend the money to secure other installations.

        Because flaws cannot be hidden, overlooked or covered up, researchers and other interested parties can perform their own independent audit of the software powering their systems.

        -- More eyeballs does in fact mean more secure code. -- Think of it as a global oversight committee.

        • You should read up about the Shellshock bug that affected bash [wikipedia.org].

          Once you do that, you'll learn that it was present in bash back in 1989.

          When it was finally publicly announced in 2014, the bug had been present for around 25 years!

          We aren't talking about an obscure piece of software here, either. Bash is probably among the most widely available and used open source software projects out there, and has been like this for a long time.

          Brag about your "global oversight committee" all you want. It's clear that all

      • by Anonymous Coward on Friday January 26, 2018 @01:14PM (#56009035)

        That comment is neither interesting nor insightful. It's just pushing the age old misrepresentation of the quote.

        Many eyeballs makes all bugs shallow does not - and have never - meant that there will be no bugs, or that they will not lie dormant for a potentially long time. It simply refers to the fact the the more eyes that see a bug, the quicker someone will come up with a fix. Exactly what these researchers are claiming.

        The OpenBSD project proves that security doesn't come from "more eyeballs".

        I'm sorry, that you didn't RTFA is pretty damned obvious, but did you even read the blurb? There is no such "proof". Rather, they proved the opposite.

        Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.

        Again, a half-truth. Yes, it's true, but the more people who are involved in a project, the greater the probability that your "good people" turn out to be really good. And the more people you have, the more people you have to fix mundane stuff which doesn't require "really good people" to fix - which frees up your "really good people" to deal with the hairy stuff, and the more eyeballs you have who might for some reason find bugs which needs the attention of the "really good people".

        Quantity is a quality of it's own.

      • by koavf ( 1099649 ) on Friday January 26, 2018 @02:35PM (#56009735) Homepage

        Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.

        Did you read the article? Theo De Raadt says as much:

        Theo De Raadt, the founder of OpenBSD, agreed with van Sprundel that more eyeballs on OpenBSD would make the operating system more secure. "I remember reading his first slides, which were mostly about the impact of small API misuses," De Raadt tells CSO Online by email. "Unfortunately, this is a problem of the volume of code relative to manpower. Ensuring all code is 100 percent bug-free and handles all exceptional conditions is a rather difficult problem."

      • After Heartbleed and the other issues affecting OpenSSL, and Shellsheck affecting bash, why the hell would anyone still be pushing this disproven "more eyeballs" narrative?!

        People keep repeating the law incorrectly. Linus' Law states that "with many eyeballs, all bugs are shallow", it doesn't say anything about secure code.

    • "BSD users are fat, have fleas and spend all their time posting on kuro5hin [wikipedia.org]" as the troll goes

      /Ironically I'm writing this on a BSD machine, if you consider macOS BSD

    • by Daetrin ( 576516 ) on Friday January 26, 2018 @12:29PM (#56008551)
      This is what happens when we complain too much about the quality of recent posts. They dig up some "BSD is dying" article to try and make us feel all warm and fuzzy from the nostalgia.
    • by mark-t ( 151149 )
      Slashdot's oldest meme (or at least the oldest one I know of) is still one of the best. Thank you for making my day a bit cheerier.
    • by Bruce Perens ( 3872 ) <bruce@perens.com> on Friday January 26, 2018 @02:28PM (#56009665) Homepage Journal
      My sinister viral GPL cabal has been successful! Baw ha ha ha ha :-)
      • by haruchai ( 17472 )

        FYI on an unrelated matter, from a previous discussion, SpaceX is now *tentatively* launching Falcon Heavy on Feb 6th or 7th, which is a couple days ahead of Hamcation.
        So you may have to make your way out there a few days early.

        • I usually plan to spend some time at KSC playing tourist, so I was already scheduled to come out on the 5th, and I now have my "Feel the Heat," tickets. That should be a pretty sensational show.
    • by Anonymous Coward

      Funnily enough, when I worked for Netcraft a large number of their machines were running FreeBSD :)

      That was over six years ago though, and we were moving more towards Linux when we left, so I wouldn't be surprised if most of those are gone now.

  • by Anonymous Coward
    It is now official. Netcraft has confirmed: *BSD is dying One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last [s
  • ...until Netcraft confirms it!
  • by Anonymous Coward

    The BSDs have lost the battle for mindshare to Linux

    I think that this is a laughable idea. The *BSDs have the best mindshare possible. They have the mindshare of the most intelligent and forward-looking software developers, IT specialists, and executives.

    Linux's mindshare is closer to that of Windows. It's not so much based on technical excellence or intelligence or foresight as it is based on hype and name recognition.

    The mindshare that the *BSDs have is the best there is.

    • As a PC-BSD/TrueOS user, I wonder about that. It used to be that the updates were pretty smooth. Since TrueOS succeeded PC-BSD in ver 11 onwards as a rolling update, I've found it next to impossible to upgrade my revs, but can't work in the older revs either. Which is a pity.

  • BSDs dying? (Score:2, Insightful)

    by QuietLagoon ( 813062 )
    I'd be more concerned about the effects of systemd on the Linux distributions. :)
    • by Anonymous Coward

      I'd be more concerned about the effects of systemd on the Linux distributions. :)

      Mod Parent Up.

      After running Linux for a decade, systemd pushed me to try both FreeBSD and OpenBSD for the first time ever.

      • by mark-t ( 151149 )

        One word: slackware.

        The oldest (still available), and IMO still the best.

      • by Megol ( 3135005 )

        I've heard systemd is under suspicion of being a serial killer!

    • by Drunkulus ( 920976 ) on Friday January 26, 2018 @12:48PM (#56008751)
      Systemd is the reason Linus is now running freebsd at home.
      • And if Linus jumps into a well, you will jump after?
      • I realize you are joking, but it's interesting that Linus is using Fedora, which was one of the first distros to switch to systemd, meaning he was one of the early systemd adopters.
        • I realize you are joking, but it's interesting that Linus is using Fedora, which was one of the first distros to switch to systemd, meaning he was one of the early systemd adopters.

          Linus needs to use something with a lot of the popular bells and whistles, at least part of the time, so he can see what's fouled up. B-)

          That means he needs to run some really baroque stuff - the better to keep it from being totally broke(n).

  • by Anonymous Coward

    The whole world does NOT revolve around accountants and their twisted view of progress.

  • MacOS X? (Score:5, Interesting)

    by Kenja ( 541830 ) on Friday January 26, 2018 @11:57AM (#56008219)
    While not an "official" BSD, OS X is based on NeXT which is based on BSD and it uses the MACH kernel.
    • by Anonymous Coward

      Yes. The Mac OS X kernel does come from BSD heritage. Also the command line utilities are ported over on a regular basis from FreeBSD. The same goes for iOS (the iPhone OS).

      The GUI is of course it's own thing with some basis from NeXT's GUI (same with many libraries).

  • Hogwash (Score:5, Funny)

    by thegarbz ( 1787294 ) on Friday January 26, 2018 @12:01PM (#56008253)

    The authorities here on Slashdot have repeatedly said that right now was the golden age of BSD due to Debian's adoption systemd. There are no Linux users left. BSD is the only system that remains in widespread use.

    • The authorities here on Slashdot have repeatedly said that right now was the golden age of BSD due to Debian's adoption systemd. There are no Linux users left. BSD is the only system that remains in widespread use.

      I noticed this too. Also, I am not concerned about the low hanging fruit when it comes to security. The reality is that humans are error prone so there is no way to make a system that is 100% secure. Theo de Raadt has to prioritize things and really spend the lion's share of his team's time on the serious stuff that can result in intrusion and privilege escalation. OpenBSD's security record stands ... "Only two remote holes in the default install, in a heck of a long time!" I don't think any Linux distribut

    • Except Devuan is Debian with init so really that doesn't mean much.
  • by Anonymous Coward

    FreeBSD is from 1993, when the potential number of eyeballs was just a fraction of what it is today: the world. Some kid in China who wasn't online in 1993, could be their next contributor. Even if their market share has gone done, the number of users has gone up dramatically.

  • No (Score:5, Interesting)

    by DaMattster ( 977781 ) on Friday January 26, 2018 @12:16PM (#56008403)
    "Some" researchers are saying the BSDs are dying so it must be true, huh? "Read it on the internet, hot damn, must be true then." Bullshit! The BSDs have a large community that is passionate about their choice of operating system. I have been using OpenBSD since 1998 and I will only stop using it once the community completely collapses, development ceases, and the foundation folds. The day that happens, I will have to find another hobby altogether and just keep a smartphone and tablet handy. Learning and using OpenBSD has made me far more knowledgeable about computers, operating systems, networks, and security than any other platform out there. If it weren't for my college roommate introducing me to OpenBSD, I believe I would just be another Microsoft wanker. OpenBSD taught me how the internet works and opened a wealth of knowledge. OpenBSD turned me from a computer power user into a true System Administrator. Ever since that day when I asked my roommate just what the heck OpenBSD was, my life would never be the same.
    • It's not like BSD users go around saying "I run BSD" or that they leave ports open so that they can be electronically surveyed.

      My SNES Classic runs BSD. Lots of routers, firewalls and NAS devices run BSD.

      The thing with BSD is it gets professionally used, not professionally blogged. Maybe BSD should consider a marketing team is it's really an issue for them.

    • by sinij ( 911942 )
      Car analogy time: There is a difference between being a mechanic and being able to drive a car. Not everyone wants or has to be able to replace piston rings.
    • How is it that different from Linux?

    • "Some" researchers are saying the BSDs are dying so it must be true, huh? "Read it on the internet, hot damn, must be true then." Bullshit! The BSDs have a large community that is passionate about their choice of operating system. I have been using OpenBSD since 1998 and I will only stop using it once the community completely collapses, development ceases, and the foundation folds. The day that happens, I will have to find another hobby altogether and just keep a smartphone and tablet handy. Learning and using OpenBSD has made me far more knowledgeable about computers, operating systems, networks, and security than any other platform out there. If it weren't for my college roommate introducing me to OpenBSD, I believe I would just be another Microsoft wanker. OpenBSD taught me how the internet works and opened a wealth of knowledge. OpenBSD turned me from a computer power user into a true System Administrator. Ever since that day when I asked my roommate just what the heck OpenBSD was, my life would never be the same.

      Here's the problem, in 1998 the BSDs and Linux were still on fairly equal footing, so it made just as much sense for you to learn a BSD.

      In 2018 Linux has a giant community, a huge ecosystem, and major companies behind it.

      You can get a job on the basis of your Linux expertise and will be able to do so for a while, even if there are corporate BSD systems right now how much longer do you think they're going to last?

      How old are the members of that BSD community? If an undergrad is looking to learn BSD or Linux

    • "Some" researchers are saying the BSDs are dying so it must be true, huh? "Read it on the internet, hot damn, must be true then." Bullshit! The BSDs have a large community that is passionate about their choice of operating system.

      I wouldn't put my stock in the BSD is dying chant. That's been appearing on Slashdot since October 5, 1997.

    • For me it wasn't OpenBSD, it was NetBSD (evicting VMS from VAXen).

      I get heartily sick of the OS wars, you use the correct tool for the job (regardless off zealotry. I used to be a toolchain maintainer for a "From Source" pseudo linux distro)

      I use OpenBSD (my own custom built perimeter devices), *BSD (Vendor supplied storage devices, load balancing gear, network gear ie: EMC/F5/Juniper), Solaris (backend "have to stay up forever" devices, predominately databases), Linux (Frontend scale-out services, Open
  • The summary doesn't make a clear distinction...

  • by walterbyrd ( 182728 ) on Friday January 26, 2018 @12:30PM (#56008563)

    IMO:

    BSDs have a superior architecture in many respects. This is especially true since the systemd takeover.

    Administration on BSD servers just makes more sense. Linux seems to be all over the map. I think there are over 1000 Linux distros. Many distros want to change around the directory structure. Simple things, like starting services on bootup, and setting up static IP, become difficult with Linux because everybody wants to pull Linux in different direction - often for no good technical reason.

    Linux certainly has advantages over BSD. But I think BSD gets a lot of stuff right.

    Again: all JMHO.

    • by geek ( 5680 ) on Friday January 26, 2018 @01:39PM (#56009243)

      1000 distros sure, but you can completely ignore 990 of them. The other Of the remaining 10, probably 6 are copies of the major 4, Debian, RedHat, Gentoo, Arch.

      People keep bringing up the many distro thing but honestly, no one really gives a shit. Those are hobbyist toys and they almost universally die out after a few years. In those few years a handful of people learn a lot and contribute to the community.

      The BSD's are fine. I used them once upon a time. The problem is they are inflexible and all they want to do is emulate a long gone era of computing that just isn't functional today. Linux will at least adapt to peoples needs, BSD's will stand there and bitch about you being on their lawn.

      • BSDs have a superior architecture in many respects. This is especially true since the systemd takeover.

        1000 distros sure, but you can completely ignore 990 of them. The other Of the remaining 10, probably 6 are copies of the major 4, Debian, RedHat, Gentoo, Arch.

        Gentoo doesn't use systemd by default. I don't know about the others. There's nothing wrong with GNU/Linux itself just because some distros decide to ruin themselves by including systemd.

        I remember trying NetBSD back around 2002, and I really liked some aspects of it compared to the Linux distros I knew back then. Hardware support was pretty bad, though. Fortunately, I soon discovered Gentoo whose package management is derived from the BSDs, but having the hardware support of Linux and the nicer (IMHO) G

        • > Gentoo doesn't use systemd by default. I don't know about the others. There's nothing wrong with GNU/Linux itself just because some distros decide to ruin themselves by including systemd.

          I am using a gentoo based distro right now. No systemd, but gentoo is not a very standard Linux.

          Also you post about "some distros" as if there are just a few systemd distros. In reality, systemd has fairly well taken over, especially in the corporate world. Very few individuals, and even fewer corporations, want to bot

    • by ebvwfbw ( 864834 )

      There is really only two distros. RedHat and Debian. Debian is a mess while RedHat combined what made sense. It's a really good mature OS with industrial grade applications. I've been around since the VMS days. One of the first real operating systems. Don't get me wrong, I used to know and love BSD back in the 1980s. I remember it fit on around 50 3.5" disks that I punched out from the University. Used to build X11 from source. However BSD today isn't that. It hasn't been a real player for a couple of decad

  • by Voyager529 ( 1363959 ) <voyager529@yahoo. c o m> on Friday January 26, 2018 @12:34PM (#56008611)

    First off, I submit that BSD is finding its home in appliances. FreeNAS and pfSense are both fairly popular, and both BSD based. Commercially, the Nintendo Switch is based on BSD, and Cisco, McAffee, and Juniper all have appliances using BSD at their core. Also, as others have pointed out, OSX.

    That said, there are so many copy/paste tutorials for Debian and its derivatives like Ubuntu and Raspbian. With BSD lagging behind severely, for every person who prefers BSD and can successfully use it to do what they need, there are five more less-technical users who are able to fall into the pit of success with a Bitnami or Turnkey Linux distribution.

    BSD may well be superior for certain tasks, especially networking, but the fact of the matter is that expecting BSD to simultaneously be competitive in the numbers game against Linux when Linux has an ecosystem which BSD lacks. That ecosystem encourages users looking to get something done to use that product, rather than adhere to principles which otherwise have little effect on them. I know systemd is hated in these parts, almost universally, but if I need to spin up a Wordpress instance, it takes me ten minutes to grab Turnkey Linux and start addding my content, rather than the half hour or more it would take to spin up BSD, manually install an AMP stack, figure out the BSD equivalent of /var/www, Google all the MySQL commands to create the database at the CLI since I don't have Adminer or phpMyAdmin to do it, and then add Wordpress. As a non-developer and non-distributor, the BSD vs. GPL vs. MIT license situation affects me very little, so the fact that both Debian and BSD are free-as-in-beer means that they compete on how much of my time they take to spin up.

    This is why I use pfSense and FreeNAS. It's also why most of my appliances are Turnkey Linux based.

    • Is "pkg install phpmyadmin" not sufficient to add all the necessary AMP components, phpMyAdmin, etc? /var/www = /usr/local/www (/www ... and this is a lot more logical than putting them under /var!!!!)

      A few different things for controlling service startup (/etc/rc.conf) but that should be about it?

      Don't doubt that there are finely tuned Linux distros specifically for spinning up your use cases (and I'm not experienced with any of them), but FreeBSD is pretty easy to get up and running today too!

    • by MeNeXT ( 200840 )

      Yo buddy not sure what you are getting at. Setting up wordpress on a Linux system or a BSD system is the same amount of work. Just because you are familiar with one installation process does not mean that you know all. Just by your comment I know you haven't even looked at BSD. So let me help you. System config files /etc. User installed config files /usr/local/etc. Log files /var/log. Very constant, been so for over 25 years. Every program you listed is available and I can go from bare bone to full firewal

    • I come from a traditional Unix background, I want to say the first system I used was running SunOS 3.5. In college I found out about OpenBSD and ran it on my P-90 beige box. It was great for servers, but trying to run desktop apps was a hassle since you either hoped what you wanted was there in the ports collection or were forced to build it yourself. Back in those days just getting X11 to work with your graphics card could be difficult to impossible.

      Eventually I got tired of dealing with a limited port

  • My FreeBSD hard drive died on me a couple of month ago, and I haven't been able to replace it yet. I really need to get to that though, because being on Linux for my primary desktop at home has been annoying the h*** out of me. FreeBSD is what I'm used to, it's what I prefer, and I really, really want to get back to it soon.
  • It's only failing is lack of Widevine support (no streaming videos.) Otherwise works great for everything.
  • *BSD = Elitism (Score:3, Interesting)

    by duke_cheetah2003 ( 862933 ) on Friday January 26, 2018 @01:50PM (#56009343) Homepage

    You know, some 20 years ago, I used to be a huge supporter of FreeBSD. I swore by the OS, and wouldn't touch anything else. A diehard fanboi. Then I asked for help with some legacy hardware and discovered the hostile elitism of BSD community.

    They basically told me to make my own drivers and to fuck off. Yeah, not very helpful. I switched to Linux cuz it worked with my legacy hardware and never looked back.

    Today I have zero respect for *BSD people and software. They can jump off a cliff and I'd just smile. I would sooner touch a Mac than a *BSD system. Treat people like shit, they might just be totally alienated from your offerings.

    • by WallyL ( 4154209 )

      Sorry you were exposed to the raw elitism in a *nix community. I know that our GNU/Linux communities can get pretty damn elitist too. See, even I'm doing it with the "GNU."

    • I switched to Linux cuz it worked with my legacy hardware and never looked back.

      Funny how the BSDs were once known to run on any toaster, but it's been ages since Linux took over in the number of hardware architectures, not to mention the countless device drivers. Linux might be lacking in some traditional Unix purity, but for practical purposes it is much more useful, and it's not at the expense of openness. If you use a grown-up distro like Gentoo that doesn't have training wheels or atrocities like systemd, you can get the best of both worlds.

    • by LWATCDR ( 28044 )

      What do you have against Macs?
      I am a Linux Developer, I have MacBook Pro "The old one that lets you upgrade the ram and drives", a Windows system for FSX, several Linux boxes, an Android phone and tablet, a Kindle tablet, Apple IIc, and an Amiga 3000 with a video toaster!

      Really folks stop making certain tech into your God. Tech is just a tool and frankly, all tools are kind of cool in their own way.

    • Here is an article worth reading that explains that "The first person that should solve that issue, the one you wrote, should be no other than yourself [hackernoon.com]."

      But it starts with everyone rolling up their sleeves and actively contributing. Writing code is always the first way you should approach a problem you have in open source.

      Let me also share with you a few names behind well-known open source projects: Poul-Henning Kamp (FreeBSD, Varnish Cache) runs his own independent consulting business, Paul Vixie (Cron, BI

  • ... when you don't have the FreeDesktop or SystemD crowd, solving trivial projects in the most complex way to deal with weird use cases nobody has.

    The Unix philosophy was meant to achieve a lot with little effort, and that's gradually getting lost on Linux.

news: gotcha

Working...