The latest OpenBSD 3.3 release arrives with even stronger attack defenses coupled with an amazing record of just a single remotely exploitable vulnerability in more than seven years, the best security track record for any general-purpose operating system around. Read the review at eWeek. On another secure OS, Yahoo News is reporting on Hydra, a supposedly “hackproof” web-services Operating System. One of the more interesting features of this seems to be the methods of safeguarding the embedded kernel; loading it from flash memory and constantly scanning the kernel (while loaded in RAM) for viruses.
Like 75% of the article is the creator talking about how good his OS is. Might be actually good, though–but what does it *do* besides kernel-level functions? I’m sure the security is good, but as someone said centuries ago, in the war between weapons and armor, armor will eventually always lose.
OpenBSD is a much better bet, IMHO. The fact that it’s UNIX(-like) makes it automatically extremely versatile. I don’t think that Hydra would be useful for organizations who want to do more than basic FTP and Web serving.
I assume that the Hydra kernel checks its integrity via a hardcoded MD5sum or the like. An excellent idea for any secure OS. Of course, lots of obfuscation is necessary, but that’s not hard to arrange.
(please, Yahoo, call them “crackers.”)
Another article boasting about OpenBSD’s security
Again, imho you can make Linux or even FreeBSD “more” secure as they are more flexible than OpenBSD
Um, as soon as the FreeBSD folks check every single line of code like the OpenBSD team, it will be as secure, just maybe. Security has NOTHING to do with flexibility. OpenBSD can boast all night, they have earned the right. The statistics speak for themselves, it’s not “just an opinion” like most of the crap spewed over this site.
You usually have to sacrifice flexibility for security, and vice versa… Anonymous has also a good point.
You could say that Theo&co have spent the last seven years making NetBSD secure, the result of which is OpenBSD, as OpenBSD started out as a fork of NetBSD.
Now, sure you could make Linux/FreeBSD as secure, but it would at least take as long. Or in case of Linux probably a lot longer since the Linux development model inherently causes it to be a mess of all kinds of different stuff, without strong coordination.
Although a thorough security audit of other free OS’s is certainly a good idea, I doubt that any other OS will be able to catch up with OpenBSD anywhere in the near future.
And about flexibility: OpenBSD is very flexible, I use it for everything, and don’t have a need to have any other OS around. OpenBSD is a UNIX-like OS after all, and arguably more than Linux is (i.e. OpenBSD follows the original spirit of UNIX a lot closer than Linux).
I assume that everyone who’s picking on OpenBSD’s so called lack of flexibility is referring to the lack of SMP. Now how many people are using SMP? How many are _needing_ SMP? Most of the time, the same problem can be solved in other ways.
For example replace that 4-way webserver with four independent single cpu boxes, and load balance them. That even has its benefits for major upgrades etc, as you can take down one box at a time, and your website will stay up.
Also that approach actually scales better, as it’s easy to add extra servers, whereas it’s rather difficult to jam a 5th cpu into a 4-way motherboard
There are of course applications that do need SMP, like heavy database work, scientific simulations,… but that’s not the majority of tasks.
Luckily OpenBSD chooses for security first, and doesn’t blindly strive to implement $buzzword asap. SMP is being worked on though, but it’ll take some time, as SMP is very hard to secure (race conditions etc. can spoil all the fun). So OpenBSD wants to have a secure SMP implementation, or none at all.
I’ll definitely be running OpenBSD for now, and probably for ever :)
Thanks for your feedback guys
Of course, as soon as you install anything in the ports tree, or anything beyond the default install, you’re on your own as far as security goes. Only the very minimalistic base installation has been audited. That’s a fairly good example of lack of flexibility, although if it does what you need, great.
I knew I had already seen the name Bodacion somewhere but I couldn’t remember. A quick search on the Net and there it was: for their preposterous claims, those guys were sent to the doghouse by Bruce Schneier in his Crypto-Gram Newsletter of September 15, 2002.
After reading the info that appears on Bodacion’s website, the first thing that comes to my mind is: all this racket about a http/ftp server!
Most of the functionalities of HydraOS are easily obtained with a secured Linux or BSD installation.
They claim they keep their algorithm secret to protect their intellectual property. I hope someone will be courteous enough to show them the way to the nearest US Patent Office where they’ll find real IP protection :)
One thing I don’t understand is why the engineers (former Motorola employees) behind this product have lowered themselves to the level of snake oil merchants? They could have simply advertised it as a web appliance.
The software in the ports tree hasn’t been audited indeed; there’s just way too much software in there to audit it all.
For a server system though, you can do quite some stuff with the base install: apache, sendmail, bind, ftpd, nfsd, sshd, dhcpd, … are included, which already cover the most widely used services.
If you need another service, well, you’re still better off running it on OpenBSD. If there’s a security hole in the application you’re using, it would affect it on any OS anyway. With OpenBSD, you at least don’t have to worry about the rest of the system.
And you could always use systrace and chroot to minimize the possible damage when a third party application would get exploited.
I agree with Rabbit. I’d rather run a port on OpenBSD where the kernel is paranoid about the access it allows to programs.
An example of this is the read only memory feature implemented on other architectures and coming to x86 in 3.4.
CP/M is even more secure than OpenBSD. Not one remote security hole in over 30 years.
(For those of you that don’t know, CP/M is pre-DOS and doesn’t have any kind of remote access) http://www.seasip.demon.co.uk/Cpm/
Yeah, we _all_ know an unplugged box is pretty secure from network attacks. Big deal :)
Hey, if you power it off, it gets even more secure. If you take all the parts out of the box and store them in different safes across the country, you’re even safer… :)
All right, we’re getting off topic here :)
I trust OpenBSD.
I don’t trust X11. Is X11 also harder to crack?
The X server and xconsole use privilege separation. Xterm drops privileges as soon as possible. And xdm runs as a separate user and group (_x11).
These measures certainly make X11 more secure on OpenBSD than on other OS’s. But this is of course no reason to start running X on your gateway.
I will never use X11,
so I never trust Linux GNOME.
X11 always interferes with Linux GNOME becoming integrated/unified.
So I really hate X11.
Moreover, correcting X11 needs a very, very long time.
I know it, so again I really hate X11.
Yeah, it’s really secure, but then a car with no engine doesn’t use much gas. What’s the point of a really secure OS that doesn’t do anything? I tried installing BSD on my post-97 PC. It didn’t recognize any of the hardware above system-level components. It was able to figure out that I had a CPU and a hard drive, but it didn’t even notice my Audigy II. It has no clue what USB devices are. It tried to guess what kind of video card I had and failed miserably. So there I was, with an OS with no sound, no network and no video over 16 colours. Then I realized there were real, useable OS’s out there and took out the spare drive with BSD on it, replacing it with my XP Pro drive.
Majik Fox
With all due respect, I’m more than a little skeptical that someone who has enough interest and/or skill to install OpenBSD successfully, would have been unable to set up video or audio properly. I’m not saying that OpenBSD handles video and audio better than XP Pro, because OpenBSD isn’t made to be a multi-media desktop. But an utter failure to get anything working on an industry-standard system? I have my doubts.