From owner-freebsd-questions@FreeBSD.ORG  Thu Dec 10 16:21:58 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D86A41065695;
	Thu, 10 Dec 2009 16:21:58 +0000 (UTC)
	(envelope-from mexas@bristol.ac.uk)
Received: from dirj.bris.ac.uk (dirj.bris.ac.uk [137.222.10.78])
	by mx1.freebsd.org (Postfix) with ESMTP id 94AEC8FC18;
	Thu, 10 Dec 2009 16:21:58 +0000 (UTC)
Received: from seis.bris.ac.uk ([137.222.10.93])
	by dirj.bris.ac.uk with esmtp (Exim 4.69)
	(envelope-from <mexas@bristol.ac.uk>)
	id 1NIlm3-0004Ey-GU; Thu, 10 Dec 2009 16:21:57 +0000
Received: from mech-cluster241.men.bris.ac.uk ([137.222.187.241])
	by seis.bris.ac.uk with esmtp (Exim 4.67)
	(envelope-from <mexas@bristol.ac.uk>)
	id 1NIlm2-00054L-IY; Thu, 10 Dec 2009 16:21:51 +0000
Received: from mech-cluster241.men.bris.ac.uk (localhost [127.0.0.1])
	by mech-cluster241.men.bris.ac.uk (8.14.3/8.14.3) with ESMTP id
	nBAGLoLF001210; Thu, 10 Dec 2009 16:21:50 GMT
	(envelope-from mexas@bristol.ac.uk)
Received: (from mexas@localhost)
	by mech-cluster241.men.bris.ac.uk (8.14.3/8.14.3/Submit) id
	nBAGLo2V001209; Thu, 10 Dec 2009 16:21:50 GMT
	(envelope-from mexas@bristol.ac.uk)
X-Authentication-Warning: mech-cluster241.men.bris.ac.uk: mexas set sender to
	mexas@bristol.ac.uk using -f
Date: Thu, 10 Dec 2009 16:21:50 +0000
From: Anton Shterenlikht <mexas@bristol.ac.uk>
To: Bill Moran <wmoran@potentialtech.com>
Message-ID: <20091210162150.GA1135@mech-cluster241.men.bris.ac.uk>
References: <20091210144141.GB834@mech-cluster241.men.bris.ac.uk>
	<20091210095122.a164bf95.wmoran@potentialtech.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20091210095122.a164bf95.wmoran@potentialtech.com>
User-Agent: Mutt/1.5.20 (2009-06-14)
X-Spam-Score: -1.5
X-Spam-Level: -
Cc: freebsd-current@freebsd.org, Anton Shterenlikht <mexas@bristol.ac.uk>,
	freebsd-questions@freebsd.org
Subject: Re: Root exploit for FreeBSD
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2009 16:21:59 -0000

On Thu, Dec 10, 2009 at 09:51:22AM -0500, Bill Moran wrote:
> In response to Anton Shterenlikht <mexas@bristol.ac.uk>:
> 
> > >From my information security manager:
> > 
> > 	FreeBSD isn't much used within the University (I understand) and has a
> > 	(comparatively) poor security record. Most recently, for example:
> > 
> > 	http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html
> 
> Are you trying to make your infosec guy look like an idiot?  Does he
> realize that FreeBSD has a grand total of 16 security problems for all
> of 2009?  Hell, Microsoft has that many in an average month.
> 
> If he can find something (other than OpenBSD) with a better record than
> that, I'd love to hear about it.

I was just stressed after being forced by him
to explain why I wanted firewall exceptions
for two ports to my FreeBSD portscluster nodes.
I explained the reasons and that was settled.

I wouldn't be surprised if I'm the sole fbsd user
at my Uni. The situation with computing is not
great and getting worse.

The Uni is, of course,
addicted to Microsoft, but having realised all
the problems with that, lately the policy has
been to deny (!) MS users admin access to their
own desktops. The situation is just ridiculous - 
if a MS user wants to install a piece of software
on their PC he/she has to ask for permission,
and then wait until some computer officer would
come and do install for them.

Also recently, well.. about a year ago, no
host (!) could be accessed from outside the
Uni firewall. Special exception has to be
obtained even for ssh. There is only one dedicated
sun server which accepts only ssh. The users
are supposed to dial to this frontend server
first, and from there to hosts on the local net.

Honestly, the situation is so bad that I 
sometimes wonder - perhaps it's me who is mad.
It seems IT services look at anybody who
wants to escape MS with suspicion at best.
 
I had to fight a long battle, well.. I had
some support from other academics, to have
a linux class in my Faculty. Here the
opposition wasn't so much security, as
"why would any undegraduate need linux",
as if MS solutions are a pinnacle of human thought.

And from I understand it's going to get worse.
Apparently the IT services are drawing up
plans to completely forbid use of "non-autorized"
OS. I imagine fbsd will not be authorized.
So I'm anticipating another battle already.

Perhaps I should start putting together
some statistics to make my case more forcefully.

many thanks for your support, as always

-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423