From owner-freebsd-hackers Mon May 24 0:51:51 1999 Delivered-To: freebsd-hackers@freebsd.org Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 176A314CBF for ; Mon, 24 May 1999 00:51:49 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com) Received: from zippy.cdrom.com (jkh@localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id AAA29358; Mon, 24 May 1999 00:52:32 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com) To: Andreas Klemm Cc: hackers@FreeBSD.ORG Subject: Re: security: what does OpenBSD have, that FreeBSD doesn't have... In-reply-to: Your message of "Sun, 23 May 1999 09:45:55 +0200." <19990523094555.A33370@titan.klemm.gtn.com> Date: Mon, 24 May 1999 00:52:32 -0700 Message-ID: <29354.927532352@zippy.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > What make OpenBSD so "secure" ? Or can this kind of security be > reproduced with FreeBSD ports ? I think of tools like: It's not the tools but the amount of time supposedly invested in improving security. I say "supposedly" because a lot of the buffer overflow issues they've dealt with haven't been actual, proven security holes per-se but rather just more examples of defensive programming. Sometimes it's actually preventative, other times it's just an exercise in replacing every strcpy() with strncpy() (and so on) because that's an easy thing to do. It's a bit like the approach of putting more locks on your front door. Maybe those extra locks will save your butt, maybe they'll just be expensive extras for a house with nothing worth stealing and maybe the thieves will use the window instead and just bypass the door altogether - it's very hard to say. What is certain is that having ANY faith in ANYONE'S security claims as a substitute for properly diligent system administration is just complete and utter foolishness. Most attacks I've seen, in fact, compromise *BSD (for all values of *BSD) and Linux equally through well-known 3rd party utilities, like popper or sendmail, rather than the "OS" itself. I doubt that any group has enough resources to completely audit even a small fraction of the 3rd party packages which users are likely to run and, even if they did, each revision of a package would necessitate auditing it all over again. Don't trust anyone's security claims, *especially* when they claim to be uncrackable or even "extremely secure." Operating systems are built by engineers, the same sort of engineers who built "unsinkable ships" like the Titanic, and I think that pretty much says it all. :-) - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message