Contributed by Dengue on from the feast-or-famine-with-the-news-around-here dept.
"One example of doing it right is the OpenBSD project, whose developers have audited its kernel source code since the mid-1990s, and have discovered numerous vulnerabilities--such as buffer overflows--before they were exploited." And to top it all off, Jason@ managed to coax the audio from an Ultra 30 into playing "The Metro" by Berlin. What a day <g>.
By Chen Lu Zhu
OpenBSD's claim of no exploits in the context of this article doesn't really make any sense.
OpenBSD's claim is for its default install, which, if I am not mistaken, has its (audited) webserver *turned off*. Yeah, it's pretty secure all right.
Therefore, you can't really say, "OpenBSD is doing it right" since the first thing someone is going to do is enable the web-server! Therefore it's a question of whether or not the audit is sufficient to prevent problems. However, misconfiguration is a great security problem which OBSD fixes somewhat with good defaults. However, there is no real support for guiding the bad do-it-yourself (developer/homeuser/admin) from configuring a well-audited, good default configured web-server into an exploitable service.
It's nice of Bruce to plug OpenBSD, but it's not really contextually correct to cite OpenBSD as a "secure webserver product" with a 4-year no-exploit track record. Definitely the heavy source audit is the way to go, along with good default configs, but to become a really secure OS, OpenBSD will need to have configuration documentation that provides strong caveats, along with guides for doing things right, or even (god forbid) a GUI that only allows relatively secure alterations of at least the base packages.
By Janne J
with exploitable imap-servers and god-knows-what-else not only installed but also active by default means that if you use those OSes you need to start protecting yourself against imap exploits too, since it only takes one root exploit to get hold of your webpages altogether even if Apache is safe. If you need a "random-package-on-the-net"-server and base it on OpenBSD, you run less chance of it getting whacked from the side by some unknown exploit in a service you don't need. Of course the OS has a hard time protecting your "random..."-server if it is insecure in itself, but at least it gives that daemon a fair chance on its own security merits by not letting the bad guys in by the back doors.
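The two comments above make the same practical point from opposite ends: the service you deliberately enable (the web server) is the one you chose to defend, and anything else bound to the network (an imap daemon nobody asked for) is attack surface that can be "whacked from the side". The check a practitioner actually wants is an audit of what is listening against an allow-list of what should be. The script below is an added example, not code from the thread or from the OpenBSD project; it assumes OpenBSD's `netstat -an -f inet` output format (local address written as host.port), the sample output SAMPLE_NETSTAT is constructed for the example rather than captured from a real host, and the allow-list variable ALLOWED and the function unexpected_listeners are the example's own names.

```shell
#!/bin/sh
# Added example (not from the original thread): audit bound sockets against an
# allow-list of the services you have deliberately chosen to expose.
# Input is OpenBSD's `netstat -an -f inet` format (local address as host.port);
# SAMPLE_NETSTAT is constructed for the example, not captured from a real host.

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.80                   *.*                    LISTEN
tcp          0      0  *.143                  *.*                    LISTEN
tcp          0      0  192.0.2.10.22          198.51.100.7.41234     ESTABLISHED
udp          0      0  *.514                  *.*'

# The services we actually need: sshd for admin and the web server we enabled.
# Everything else reachable from the network is attack surface we did not ask for.
ALLOWED="tcp/22 tcp/80"

# unexpected_listeners: read netstat output on stdin and print one line,
# proto/local-address, for every TCP LISTEN socket or bound UDP socket that is
# not on loopback and whose proto/port is not in $ALLOWED.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    ($1 == "tcp" && $NF == "LISTEN") || ($1 == "udp" && $5 == "*.*") {
        addr = $4
        port = addr; sub(/.*\./, "", port)       # text after the last dot
        host = addr; sub(/\.[^.]*$/, "", host)   # text before the last dot
        if (host == "127.0.0.1") next            # loopback only: not reachable remotely
        key = $1 "/" port
        if (!(key in ok)) print $1 "/" addr
    }'
}

# Run the audit on the constructed sample; on a live OpenBSD box replace the
# printf with:  netstat -an -f inet | unexpected_listeners
findings=$(printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners)
if [ -n "$findings" ]; then
    printf 'bound to the network but not allow-listed:\n%s\n' "$findings"
else
    echo "only allow-listed services are bound to the network"
fi
```

On the constructed sample the script flags `tcp/*.143` (the imap listener) and `udp/*.514`, while sshd, the allow-listed web server, the loopback-only SMTP socket and the established connection pass. Loopback listeners are skipped on purpose: they matter for local privilege escalation, but not for the "exploit in a service you don't need" that reaches you over the network. The parsing is specific to the BSD host.port address format; Linux netstat prints host:port and would need the two sub() patterns changed.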
By Stefan Berglund
This means that OBSD is a much better tool when you wish to have control of what you are doing and is therefore generally also a more secure platform to build whatever service you want on.
That's what I call being user-friendly!
By Russ (russ@zerotech.net)
By Sacha Ligthert
By Miod Vallat (miod@openbsd.org)
By Sacha
By diana (deeiche@theperuvian.com)
I turned my summer intern on to Hummppa. He came to the same conclusion as I did. Listening to Hummppa keeps you smiling all day, well it does if you're a sick and twisted individual.
By Sacha
By Rupert Pigott
If I want to smile I've got lots of options:
Gong
Mr Bungle
Donovan
The Wurzels
Are just 4 which spring to mind... I've got this huge back catalogue of depressing stuff which I hardly touch these days...
Cheers,
Rupert