
Re: Another sploit makes 2 in one day

Quoting security (security_(_at_)_synnergy_(_dot_)_net):
>    IMHO an operating system that is claimed to be this secure should dare to
>    put all of their services wide open.

It seems you do not get it. Being "secure" is not a state. Any open service
is a risk, no matter which OS you look at. Being secure is about
understanding and addressing risk.

OpenBSD requires less work than any other UNIX to meet my security policy,
and that is why I use it. Just because OpenBSD is my primary choice of OS
does not mean I forfeit on strong authentication or on digital signatures of
every critical binary on my system.

I have never seen any OpenBSD team member claim their product to be perfect.
I have, however, seen many of them elaborately explain what precautions they
take during development and this is _extremely_ rare. As I scroll through
the daily batch of source changes, I have no reason to think the OpenBSD
team liars about what precautions they engage in.

Instead of picking up on OpenBSD's reputation of quality and security and
following the example, some people attempt to tarnish it. That is not
helping the state of security today, and it is the wrong approach to take.

The only thing I have observed OpenBSD to lack is the resources to
communicate the same level of detail about security problems that other
vendors do and especially about having the resources to deal with
insignificant problems that are blown out of proportion on bugtraq.

If you want to make a name for yourself, please go to bugtraq or somewhere
else.  If you feel this team is trying to do the right thing, help the cause
and stop wasting people's time.

I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                  http://a.area51.dk/