OpenBSD Journal

[ZDNet] Bruce Schneier on Code Red and OpenBSD

Contributed by Dengue on from the feast-or-famine-with-the-news-around-here dept.

ZDNet's AnchorDesk is running an article by Bruce Schneier and Stephan Somogyi titled: How Code Red revealed the perils of port 80 . In it, the authors praise the OpenBSD Project:
"One example of doing it right is the OpenBSD project, whose developers have audited its kernel source code since the mid-1990s, and have discovered numerous vulnerabilities--such as buffer overflows--before they were exploited." .
And to top it all off, Jason@ managed to coax the audio from an Ultra 30 into playing "The Metro" by Berlin. What a day <g>.

(Comments are closed)


Comments
  1. By Chen Lu Zhu () on


    OpenBSD's claim of no exploits in the context of this article doesn't really make any sense.
    OpenBSD's claim is for it's default install, which, if I am not mistaken, has it's (audited) webserver *turned off*. Yeah, it's pretty secure all right.
    Therefore, you can't really say, "OpenBSD is doing it right" since the first thing someone is going to do is enable the web-server! Therefore it's a question of whether or not the audit is sufficient to prevent problems. However, misconfiguration is a great security problem which OBSD fixes somewhat with good defaults. However there is no real support for guiding the bad do-it-yourself (developer/homeuser/admin) from configuring a well-audited, good default configured web-server into an exploitable service.
    It's nice of Bruce to plug OpenBSD, but it's not really contextually correct to site OpenBSD as a "secure webserver product" with a 4 year no exploit track record. Definitely the heavy source audit is the way to go, along with good default configs, but to become a really secure OS, OpenBSD will need to have configuration documentation that provides strong caveats, along with guides for doing things right, or even (god forbid) a GUI that only allows relatively secure alterations of at least the base packages.

    Comments
    1. By Janne J () on

      Well, given the fact that other OSes would come
      with exploitable imap-servers and god-knows-what-else
      not only installed but also active by default
      means that if you use those OSes you need to start
      protecting yourself against imap exploits too,
      since it only takes one root exploit to get hold of
      your webpages alltogether even if Apache is safe.

      If you need a "random-package-on-the-net"-server
      and base it on OpenBSD, you run less chance of it
      getting whacked from the side by some unknown
      exploit in a service you don't need. Of course the
      OS have a hard time protecting your "random..."-
      server if it is insecure in itself, but at least
      it gives that daemon a fair chance on its own
      security merits by not letting the bad guys in
      by the back doors.

    2. By Stefan Berglund () on

      The important difference is that if you are running OBSD and need the webserver you have to deliberatly install and enable it and it is (hopefully) a concsious decision done because you intend to run a website. In most other OS's, including but sadly not limited to Microsofts severly inadequate product, services that you don't need and in some cases have a lot of trouble figuring out what they do and why they do it is enabled and runs by default.
      This means that OBSD is a much better tool when you wish to have control of what you are doing and is therefor generally also a more secure platform to build whatever service you want on.
      Thats what I call being userfriendly!

    3. By Russ () russ@zerotech.net on mailto:russ@zerotech.net

      OpenBSD's audited Apache also runs as a privilege-less user "www" group "www", which means if someone manages to make your Apache server overflow into a shell, they're going to do it into a shell owned by "www". Lots of good that would do, maybe they can manage to find a few cookie directories.

  2. By Sacha Ligthert () on

    Music.. Very Important! Did he ever try the Gridlock version??

    Comments
    1. By Miod Vallat () miod@openbsd.org on mailto:miod@openbsd.org

      Actually we had been trying to convince Jason to test with good Finnish music...

      Comments
      1. By Sacha () on

        Not Hummppa by any chance? I guess my soundcard would explode. I guess the sparc would nuke itself to ;-)

        Comments
        1. By diana () deeiche@theperuvian.com on mailto:deeiche@theperuvian.com

          Hey

          I turned my summer intern on to Hummppa. He came to the same conclusion as I did. Listening to Hummppa keeps you smiling all day, well it does if your a sick and twisted individual.

          Comments
          1. By Sacha () on

            *Bad HAL 2001 memories return*

          2. By Rupert Pigott () on

            Hummppa, is that good finnish music ?

            If I want to smile I've got lots of options :
            Gong
            Mr Bungle
            Donovan
            The Wurzels

            Are just 4 which spring to mind... I've got this huge back catalogue of depressing stuff which I hardly touch these days...

            Cheers,
            Rupert

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]