From owner-freebsd-questions@FreeBSD.ORG Thu Jun 12 16:43:48 2008
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6600B1065676 for ; Thu, 12 Jun 2008 16:43:48 +0000 (UTC) (envelope-from jeffrey@goldmark.org)
Received: from out1.smtp.messagingengine.com (out1.smtp.messagingengine.com [66.111.4.25]) by mx1.freebsd.org (Postfix) with ESMTP id E8DDA8FC0A for ; Thu, 12 Jun 2008 16:43:42 +0000 (UTC) (envelope-from jeffrey@goldmark.org)
Received: from compute2.internal (compute2.internal [10.202.2.42]) by out1.messagingengine.com (Postfix) with ESMTP id 2DDF9114E18; Thu, 12 Jun 2008 12:43:42 -0400 (EDT)
Received: from heartbeat1.messagingengine.com ([10.202.2.160]) by compute2.internal (MEProxy); Thu, 12 Jun 2008 12:43:42 -0400
X-Sasl-enc: 7U3PDe4rqZI3TiVNVbxomcooR7dX3PVRapTCpy2Rv+Zt 1213289021
Received: from hagrid.ewd.goldmark.org (n114.ewd.goldmark.org [72.64.118.114]) by mail.messagingengine.com (Postfix) with ESMTPSA id 9CB04102AF; Thu, 12 Jun 2008 12:43:41 -0400 (EDT)
Message-Id: <62860DF8-423D-48B3-9757-CC3D24732CF0@goldmark.org>
From: Jeffrey Goldberg
To: David Naylor
In-Reply-To: <200806121519.12820.naylor.b.david@gmail.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v924)
Date: Thu, 12 Jun 2008 11:43:40 -0500
References: <200806112225.36221.naylor.b.david@gmail.com> <20080611214743.GA18371@slackbox.xs4all.nl> <200806121519.12820.naylor.b.david@gmail.com>
X-Mailer: Apple Mail (2.924)
Cc: Roland Smith , freebsd-questions@freebsd.org
Subject: Re: FreeBSD and User Security
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 12 Jun 2008 16:43:48 -0000

On Jun 12, 2008, at 8:19 AM, David Naylor wrote:

> I think this argument is rather mute, just because there are no
> programs exploiting security vulnerabilities does not mean there are not
> vulnerabilities,

But it is far from moot if you are interested in the actual threat against your system. In a sense, using a less popular OS is a form of "security by obscurity", which is not to be heavily relied on, but it still makes a real, practical difference in the case that you described.

> and a determined cracker would create his own program.

You have not articulated what you are trying to defend against. Do you anticipate determined crackers going after your particular system, and what resources will such attackers have? We can't talk about a system being "secure" in general; the question needs to be framed in terms of "secure against what".

> That said I hope there are, actually, no vulnerabilities.

That is demanding too much. What you need to hope for is a combination of "no known unpatched vulnerabilities at the moment" and, more importantly, "procedures and practices to keep things that way". As Bruce Schneier likes to say, "Security is not a product but a process".

The vast majority of actual system compromises involve failure of system administrators to keep systems patched and follow good security practices. One reason that I switched from Linux to FreeBSD is that I find it much easier to maintain FreeBSD, particularly in terms of security updates. I have been responsible for Linux machines that did get rooted because I was having problems keeping them up-to-date for a variety of reasons.

> [Security through obscurity is just an illusion]

In your post you mentioned concern about spyware. It is not an illusion that FreeBSD has not been targeted by spyware writers while Windows has. Even if some of that is the consequence of security by obscurity, it is no illusion.

Of course we need to understand that those security benefits from obscurity are fragile, but we shouldn't dismiss them entirely. Again, what sorts of benefits such things may add (or subtract) depends on the nature of the attacker.

Cheers,

-j