Linked by Thom Holwerda on Wed 20th Jun 2007 20:07 UTC, submitted by Valour
OpenBSD "If you're a software enthusiast who has never used OpenBSD before, you might enjoy installing it by yourself and figuring it out as you go. If, however, you're looking for a more practical approach to using OpenBSD 4.1 on a desktop or server machine, here's a quick guide to get you started in this spectacular operating system."
Thread beginning with comment 249409
flav2000 Member since: 2006-02-08

It's good for OpenBSD to have most services shut off by default. I guess that's a good compromise between usability and security.

In reality, the even better way to be secure by default is NOT to have any UNNEEDED applications installed in the first place.

As I said, the not-enabled-by-default approach is the best compromise between usability and security - I do want to point out that you can get even better security if tools are not installed to be exploited.

Score: 5

Janizary Member since: 2006-03-12

Having the software installed by default but not active is no more insecure than not having the software installed - if the system is compromised, it's over anyways. It's like people not having gcc on a system as a "security measure"; it's not helping, since once a person has broken in, they can simply get it on their own.

Score: 3

flav2000 Member since: 2006-02-08

I guess I wasn't too clear.

The problem with more software is that it gives more vectors for attack.

Software installed by default and not active *should* be secure. But, all it means is that the server daemon is not running. The executable is still sitting somewhere.

A newly installed server could have added a "hook" to run the executable of a non-enabled server. Something like this may just enable a new vector of attack not realized before. Even experienced admins may miss something like that.

Speaking of gcc. Not having gcc installed means that a hacker cannot use gcc as a vector of attack. Sure, if a person has hacked a server they can do whatever they want - including adding gcc. But what I mean to say is that not having gcc may just have shut down attacks from that angle.

Score: 3