OpenBSD Journal

A Safer Internet with OpenBSD

Contributed by jose on from the OpenBSD-for-president dept.

Two articles this week caught my attention in their mention of the OpenBSD project. The first appeared on the Slate magazine site yesterday. The Fix Is In: Programmers can stop Internet worms. Will they? talks about how recent, large scale security compromises on the Internet, such as the Sapphire worm, are best avoided by programming securely in the first place. The author notes that the OpenBSD project has given a great example in this approach, one that Microsoft may be learning from with their new initiatives to secure their systems from the ground up.

The second piece appeared in The Register . In Getting realistic in the war on hackers , the author suggests that the approach of secure design and implementation, as found in OpenBSD, is a more sustainable defense against hackers, as opposed to jail time.

In both articles, the project goals seem to be catching on with a larger world. Ultimately, this is what the whole thing is about.

(Comments are closed)

Comments

  1. By tony () tony@libpcap.net on mailto:tony@libpcap.net

    I hope law enforcements read the "War on hackers" article. I have a friend that was facing a Class-A felony charge (what they give murderers and rapists) with up to a year in prison for basically snooping his manager's email. I'm not going to try to justify his actions, but the punishment _hardly_ fit the crime. Luckily he got out of it with some community service and some other things. I guess he can count his stars this happened before the the Patriot act.

  2. By grey () on

    Nice to see the props given to OpenBSD in the one piece. I have heard that "secure by default" has been posted as a slogan in parts of MS, so maybe they'll get the picture. I mean, it really has a lot less to do with the implementation manner (whether strl*, W^X, PaX, Stackguard, ProPolice, etc. is used) than it does with the mindset and methodology - that you try to make sure that the defaults are sane.

    The Lasser piece is much more depressing, not because it isn't the right mindset - but because with the was legislative measures have been going in the US (and furthermore worldwide), things are just getting worse. Punishment fitting the crime has been more or less thrown out the window. By the same token however, with highly proliferated worms, even things as banal as the melissa mm likely get into hospitals and institutions where real lives might be involved (reminders of Cuckoo's Egg medical imaging anecdote pop to mind). So sometimes the potential havoc is much greater than intended these days.

    Anyway, two decent reads, real hope for either approach isn't going to happen until more people wake up and get involved though. Whether that's improving their programming practices, or simplifying the legal system.

  3. By too lazy to register () on

    It's true that the all underlying systems have to be secure, and that security needs to be designed and built in at the start. It's about time some of the big players out there realized that security isn't (just) about protecting IP from naughty citizens bent on stealing games and Britney Spears songs (Microsoft, I'm looking in your direction).

    My main concern is education. There is a lot of good stuff out there for making secure apps, auditing systems, protecting stacks &etc. It's bad enough if these techniques aren't more widely used. It's even worse when a good chunk of coders and sysadmins out there are not taught this stuff from day one.

    I count myself in this majority, as well. Oh sure, I run a reasonably secure node, and was only hacked once due to stupidity, and not ignorance (I forgot to restart the newly *patched* sshd server -- I wanted to do it from the console when I got home from work, and totally forgot). No open relays here, and any compromised box on the inside would have a hard time hurting the world.

    At work, where I'm paid to code (mostly in Java, but a little C) secure designs are not only the last consideration, but I'd be hard pressed to actually apply what little secure techniques I know. To be fair, I'm a "tactical" developer. I fix bugs, solve problems, and keep customers happy. I have little input on design considerations (and I like it that way). I'm a pretty poor proponent of opne-source, as well. I've submitted exactly one patch to Mozilla, so I'm not exactly making great strides to help secure other applications (and again, I'm not sure I know how to).

    To be perfectly honest, at home I prefer to play games and hack on my web site. I spend the day looking at code, and the last thing I want is more C or Java at home. I don't even know if the PHP I write for my web site is a danger to myself or others.

    I guess I'm just musing out loud that, if I consider myself status quo, there is a certain amount of inertia required to make secure designs a real priority.

    I wish end-users would (or could) complain about security issues as much as they complain about usability issues. Then we might see more of a push for security. Then again, I might then be out of a job unless I learned this stuff properly.

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]