Linked by Eugenia Loli on Mon 20th Sep 2004 09:27 UTC
OpenBSD With security the focus of this year's Australian Unix Users Group (AUUG) conference, OpenBSD founder and project lead Theo de Raadt was invited to speak on exploit mitigation techniques. In an exclusive interview with Computerworld's Rodney Gedda, the man behind an operating system that lays claim to only one remote exploit in the default install in seven years, reveals where we are headed – and how far we have to go – in the search for more secure software
Order by: Score:
slides of theos presentation
by Bernhard Leiner on Mon 20th Sep 2004 10:08 UTC

More interesting than this interview are Theos slides from his presentation at the AUUG04. You can find them here:
http://cvs.openbsd.org/papers/auug04/index.html

RE: slides of theos presentation
by xedx on Mon 20th Sep 2004 10:24 UTC
re: interesting analysis
by tech_user on Mon 20th Sep 2004 10:53 UTC

i recommend even reading parts of the interesting analysis linked by xedx. a lot of it cannot easily be refuted. I think th eopenbsd team have been creditted with too much nonce blindly. we need such "analysis" to ensure the sanity of some of the wilder approaches to securing unix-like systems.

who is pageexec
by xedx on Mon 20th Sep 2004 11:06 UTC
Theo de Raadt is brilliant
by Anonymous on Mon 20th Sep 2004 11:15 UTC

I love his approach on things. Closed source, open source, doesn't matter. Both are open just more or less, which is exactly how it is.

Security is something which everyone keeps forgetting about (not as in, not trying to be, but rather not being). The key to it all though is diversity. Unices run a lot of similar apps on top and what we see today is 2 different systems. Unices (I include OSX here) and Windows. Sure we have IOS, QNX and so forth, but the dominance is clearly from the 2 first mentioned.

I hope we get to see more safeaware development soon.

What is security?
by Jophn Deo on Mon 20th Sep 2004 11:52 UTC

Bottom line:A networked PC(or whatever variant) is as secure as the amount of knowledge of the one(s) who made the OS which
runs on this particular PC and last but not least the knowledge and skill of the one that uses this PC.I think it is very healthy that someone now and than questions some aspects
of OS security features/flaws in a objective way and from a technical point of view.I hope this will continue to be a neverending story.

"In the land of the blind the one-eyed is king or a marketeer"

Theo and his cohorts are impressing
by Marc van Woerkom on Mon 20th Sep 2004 12:11 UTC


hope we get to see more safeaware development soon.

I have a DSL router since a few days. That small box is running its own OS, with webserver for Administration.
In other words, other stuff gets more and more computational intelligence. Of course people will use a few OSes but also have a lot of gadgets with advanced OSes on board, including security risks. Thus I doubt it will get easier soon.

Regards,
Marc

Dream world
by Quentin Garnier on Mon 20th Sep 2004 12:25 UTC

We’ve seen in the wild, people who are not running OpenBSD boxes but are making them look like OpenBSD boxes because it will immediately make an attacker say: ‘it’s a waste of my time’.

Ah ah, yeah, sure.

Quentin Garnier.

re: "interesting analysis"
by Anonymous on Mon 20th Sep 2004 12:46 UTC

That "interesting analysis" is a load of crap. 95% of the text is just rants about openBSD and its developers. Obviously someone has a personal grudge against them. At the end of the day, is openBSD a insecure operating system? Not to my knowledge.

I Think Theo Misses The Point
by erikharrison on Mon 20th Sep 2004 13:09 UTC

I think Theo misses the point about closed versus open source. He points out, rightly, that with code leaks, closed source is no less vulnerable than open source.

But is open source _more_ secure? Theo's beloved security audits are just applied use of the "many eyes" principle. I suspect that if phrased that way, Theo would say that OSS is more secure, or at least potentially so.

If Theo still thinks it's all the same, I'd like to know why.

re: interesting analysis
by tech_user on Mon 20th Sep 2004 13:28 UTC

i disagree, some of the point in the analsysi, although heated at times, are valid. and too many people take what theo and the oopenbsd project do at face value. theirs is not always the right way.
in term of holistic security, availability is an essential component... and openbsd does not perform well. i don't believe theyhave a good balance between ugly hacks and clean performance. (i speak as someone who has had code contributed to openbsd).

Re: I Think Theo Misses The Point
by Paul on Mon 20th Sep 2004 13:29 UTC

Well - as I understand it the security audits are conducted by a core team of developers who know the system intimately. A closed-source OS could theoretically restrict source access to such a team and have similar results.

Only one remote hole in the default install, in more than 8 years!
by Anonymous on Mon 20th Sep 2004 13:29 UTC

hasnt anyone noticed this?! its been on the site for quite some time, but it is incorrect on the main page.

RE: interesting analysis
by csabimano on Mon 20th Sep 2004 14:46 UTC

The 'interesting' analysis is a simple troll if there is any. Ranting in 'oh, yeah, sure, you suck hahaha' style is not what I would call interesting (unless you mean it ironically).

In response to xedx'x link. Oh, one can say - why don't I refute some of the claims with facts? Well, there is nothing to refute there. Its a simple flaming, and as usually, there are no points to refute, only vague 'haha, you suck' kind of comments.

One _remote_ hole (if it'd be a crash it doesn't count, i think) in 8 years in the default install...which is unusable because it disables everything and install nothing.

I'd love to see the possible remote holes in a default debian install (this is, the base system, which as you probably know, has nothing installed). I don't think it'll be better than openbsd but I don't think it'll be too far from 1. The same for other OSes too.

The lesson here is "a OS with a installer which install nothing and disables everything by default is a secure OS". Not just openbsd. I know openbsd cares a lot about security, but that "only one remote hole" is not a great advertisement if you think it a second. I bet the openbsd guys have better things to show than those crappy reasons.

RE:Advertising
by Chris on Mon 20th Sep 2004 15:34 UTC

It's called humor and sarcasm, it attracts people's good humor which increases openness to new ideas/products. This is why you open speeches and sales pitches with a joke, or at least put one in somewhere.

nice
by dude on Mon 20th Sep 2004 16:12 UTC

It is nice to hear someone talk about putting quality
code out there. Microsoft really sucks!

openbsd has less devs and less users than other major OS-es so it has less eyes and as ppl are cosidering it has less bugs... "more eyes less bugs" argument definitely in this case... but...

i think security is much more about commitment _to_ security from the devs and their indenpendence from marketing, selling and other commercial deps....

i'm quite sure MS security guys would tell us the same story... but even if that is the true i don't find any sympathy for them :0)

the great thing about free software is that ppl who are really interested and committed to security as an issue can join any of the free software projects....

you can't better code because of money you get for it.. you can better live from it.. that's why some ppl who don't live best life on earth code much better than ppl who has big money from coding.... biggest respect for them....

He's Right
by Smartpatrol on Mon 20th Sep 2004 16:36 UTC

The source code doesn’t make a difference. You can get the source code for anything today and an attacker can find vulnerabilities. The fact of the matter is, there is no more closed source there is just limited open source.

Very good point! Open source isn't any more secure than closed source. Its the quality of the code that matters.

Software producers ..
by Uruloki on Mon 20th Sep 2004 16:41 UTC

The real problem lies not with software producing companies, but with educational institutions. Every single C class starts by using strcopy and other absolutely useless and depreciated functions. All under the same "but kids need to learn how to this first, THEN we'll teach them to write secure code"-motto. Which is of course a bad idea .. Teaching people bad habits only so they can get rid of them later is a VERY bad idea.

I think it's about time educational institutions started taking their responsabilities a bit more serious.

pre-authentication remote root vulnerabilities
by xmp on Mon 20th Sep 2004 17:45 UTC

The 'interesting' analysis is a simple troll if there is any.

It was a post to Dave Aitel's mailing list, which is full of exploit developers rather than self-proclaimed security gurus. Aitel's list is higher quality than Full Disclosure and many others.

I'd love to see the possible remote holes in a default debian install (this is, the base system, which as you probably know, has nothing installed).

Why not compare to a Debian derivative with an emphasis on security i.e. Adamantix linux.

I know openbsd cares a lot about security, but that "only one remote hole" is not a great advertisement if you think it a second.

This only applies to --Current. Older installs of OpenBSD that are unpatched have several holes. And you are right, once you enable daemons, that figure may not apply.

He points out, rightly, that with code leaks, closed source is no less vulnerable than open source.

Especially since closed source can be reverse engineered.
http://www.rootkit.com/uploads/orig00000850.jpg

Overrated?
by netchan on Mon 20th Sep 2004 17:59 UTC

Those of you who thinks OpenBSD is overrated:
When was the last time you've seen a working remote exploit (except DoS) against the base OpenBSD system? (incl. apache, sendmail, bind, etc.)
The protection in OpenBSD 'just works'.

clarify
by xmp on Mon 20th Sep 2004 17:59 UTC

lays claim to only one remote exploit in the default install in seven years

Just to clarify, this is pre-authentication remote vulnerabilities in the default install (i.e. with some services disabling) of --Current. A remote is of course not necessarily a remote root due to principle of least privilege e.g. jails and user level. Local and DoS vulns were not considered in this figure, however are a factor in the wild.

Several OS are adding "stackguard" type mechanisms, even Server 2003 has a version (albeit a defeatable one). It will be nice once all OS are immune to stack overflows.

I have nothing against OpenBSD, and I've used it in the past. You can get a system up in running in minutes via net install. Linux (e.g. Adamantix, Hardened Gentoo) may be worth investigating as well.

archives
by xmp on Mon 20th Sep 2004 18:09 UTC

When was the last time you've seen a working remote exploit (except DoS) against the base OpenBSD system? (incl. apache, sendmail, bind, etc.)

Um, I thought some of those were disabled in the default install. And the 15 bits of entropy can be brute forced if you have a valid remote e.g. for proftpd or other. Granted if you jailed the app, it may be less of an issue. It certainly eliminates the bottom tier of blackhats i.e. script kiddies.

This issue has been beaten to death on Full Disclosure, Daily Dave, and other lists. Older installs of OpenBSD have multiple remotes. This is not even debateable.

lying liars and the lies they tell
by church on Mon 20th Sep 2004 18:17 UTC

Are the vendors paying attention? No, they’re not. That’s all the Linuxes, all the commercial Unixes, and Microsoft. Now, there are exceptions. There are vendors who are starting to learn a bit. There are a few Linux variants that have some copycat – that’s the wrong word for me to use but I’m going to be honest.

Theo, that's a damned lie and you know it. You didn't invent stack randomization and jails.

Re: archives
by netchan on Mon 20th Sep 2004 18:28 UTC

Um, I thought some of those were disabled in the default install.

Yes, they are. That's why I said 'base OpenBSD' instead of default install. I haven't seen any non-DoS remote exploit against the base system since 3.4, the release in which the i386 stuff were completed.

Default to security
by Lovechild on Tue 21st Sep 2004 00:04 UTC

I truly hope most distros will adopt this thinking, we should default to security and we could strive to make it easy. Like defaulting to always using SSL in evolution to check mails, to default to using SSL for your IM client, to use Propolice, to use PaX or exec-shield. To make it easy to encrypt your mails, because now it takes a lot of work and 99% of users can't figure it out, and the list goes on forever.. e.g. why isn't my harddrive encrypted, and why does the current schemes not take into account that I could be a moron - security is something you learn but the least we could do was give the user a solid foundation... it's to damn hard, so much work, so many guides to read.. it should just work, and it doesn't.

Security these days is important and it's to damn hard to enable it, and there's so much room for improvement it's just not funny. Why don't we consider it a problem?

It boggles my mind to see all this security advisors being posted every day, looking at where the industry was 5 years ago we haven't moved much in the right direction.

Why isn't anyone going over, say the Linux kernel and throwing away old code, there's bound to be lots in there we don't need anymore - it's just begging to be exploited in some way or form.

It's sad really, here we are - more CPU power than what NASA used to send man to the moon, and we can't spare a fraction for that extra bounds check?