“IT staff can make almost any software system secure with enough pain and wizardry, but getting great security with hardly any effort at all is true magic. That’s the attraction of the Internet’s most secure operating system, OpenBSD. The latest release of OpenBSD, Version 3.2, started shipping Nov. 1.” Read the article at eWeek.
Its magic is to turn everything off by default? Maybe I should rip a Linux ISO with no services running by default, then I’ll be able to claim no remote root exploits in 6 years too.
Bah.
It’s not only that. Set up an OpenBSD box and look for yourself.
No, everything is not off by default. And the “no remote exploit” is the result of the thorough proofreading process that OpenBSD uses, and the results from that also spread into the other BSDs like NetBSD and FreeBSD.
I’m sure Linux can be made equally secure, but not without reducing development speed (which is slow enough as it is) and not without some extensive proofreading.
Having many services turned off by default is not “magic” but rather a sane decision considering the abundance of hacker-kits and script kiddies. Leaving them off also has the effect of you HAVING to turn them on to make them work and thereby knowing more of your system’s potential vulnerabilities. Given the track record of all the open WLAN installations, where “security” most often has to be turned ON from a default setup, I’d rather have people complaining about having to “open up” their systems to make them work the way they want them to rather than having an open system that has to be “locked down”. 95% of all the people out there simply will not secure an “insecure” system, even when they are forced to! Windows releases up till now have worked that way, but MS have seen the “light” and are starting to turn off features unless you specifically need them rather than the other way around. It’s not magic, it’s called “learning through experience”.
…and for the sake of it, no I’m not an OpenBSD user. I administer Windows, Linux, Solaris and FreeBSD systems/servers, and all are in my opinion equally secure when configured/protected correctly. What do I mean by that? Patch, shield and turn off the fluff you don’t use!
Patches are an admin’s obligation to apply if it is a security patch. Shields in the form of firewalls are a necessity for all net-connected computers. And having fluff you don’t use turned on is always a really bad idea. Just my 2 cents…
> And the “no remote exploit” is the result of the thorough proofreading process that OpenBSD uses and the results from that also spreads into the other BSDs like NetBSD and FreeBSD.
The claim is “One remote hole in the default install, in nearly 6 years!”
This claim is shaky at best. One would think from this claim that if you installed an OpenBSD system 6 years ago it would contain precisely one remote security hole, when obviously this isn’t the case from OpenSSH vulnerabilities alone.
I’m not discounting the work that the OpenBSD people have done, but seriously, this tagline is a blatant lie.
Nothing more; you’ve gotta see what you need as opposed to what some distributor wants you to.
I’m a Linux user, and I’ve been wondering: does anyone know where I can get a BSD (OpenBSD would do) by mail order in the UK?
Sorry, scratch the “where can I get it from” bit of the last post.
You should research your information before letting your mouth off its leash. That claim is entirely correct. OpenSSH was not always part of the default install, due to export regulations on crypto. And while there were other exploits reported, none of them were remote exploits (particularly important given that OpenBSD is prevalent on firewalls).
While there have been smatterings of local exploits, many of those were due to non-default post-install packages that are NOT audited for security by the team.
Nobody is trying to claim anything other than what is true. The OpenBSD developers (like many of the *BSD folks) don’t care whether you use their OS or not. They are not out for world domination… just an OS they can use, trust, and enjoy.
-fp
Dave,
You can order the “big 3” BSDs official CD releases from here :-
http://www.linuxemporium.co.uk/bsd.html
and here :-
http://www.pcbooks.co.uk/ (just search for “bsd”)
Hope this helps.
-Mark
The secure system tag on OpenBSD is correct. It comes from four very simple things:
1. Yes, they turn all services off by default. This is good. This is the way it should be for most server installs of an operating system.
2. Ships with cryptography because it can.
3. They are very picky about the packages included with OpenBSD. OpenSSH, as someone has already pointed out, was not in the default install for a looong time.
4. All development and work done on OpenBSD in general is done with security in mind.
Also, remember that BSD in general is also very stable. Look at the longest uptimes list on Netcraft and see the trend. Almost every single one of them is some sort of BSD OS.
But wasn’t OpenSSH part of the default prior to the huge gaping hole in it being discovered?
> but wasnt openssh part of the default prior to the huge gaping hole in it being discovered
Yes. And that’s the one remote exploit they are talking about.
Ahh, my bad, I thought there was another one quite some time back.
Oops.
Other than the fact that OpenBSD did not properly support my floppy drive and soundcard on my DEC Alpha (AlphaStation 200), I was very satisfied with the OpenBSD operating system. It’s stable, it’s proven, it just works.
I was also agreeably surprised to see that a few packages were installed by default that were not on other systems, such as OpenSSH, which simplified the setup process.
Not all features are turned off, but any feature that could potentially be a hole if improperly setup is off.
OpenBSD Install:
– install a system
– connect to the net
– enjoy without being scared
Others:
– install a system
– connect to the net
– hope you don’t get hacked before you finish patching and turning off hundreds of features all over the place (Red Hat comes to mind…)
Good job guys, keep oBSD rolling!
So what does ‘BSD’ stand for?
Berkeley Standard Distribution, I believe.
Berkeley is where the TCP/IP stack for Unix was created.
Bill Joy was crucial in this from the legends.
BSD == Berkeley Standard Distribution
Berkeley as in University of California at Berkeley.
Doesn’t take much searching to dig up a lot of info on the history of the BSDs, if you want to know more.
> BSD == Berkeley Standard Distribution
Actually it’s Berkeley Software Distribution.
> You should research your information before letting your mouth of its leash. That claim is entirely correct. OpenSSH was not always part of the default install, due to export regulations on crypto.
So now you’re debating the semantics of “default install”? That’s lovely. So’s placing the burden of proof on me. Oh, and the “letting your mouth off its leash” part? Classic. It’s nice when people make it clear from the get-go that they’re zealots.
> And while there were other exploits reported, none of them were remote exploits (particularly important given that OpenBSD is prevalent on firewalls).
Well, gee, let’s see, I’ve used OpenBSD on our router here for the past three years. During this time I’ve seen three remote exploits in OpenSSH. Since I have better things to do with my time, how about you tell me if OpenSSH was enabled by default in OpenBSD 2.9? As I recall it was, and also contained a system-level remote exploit. That would bring the exploit count up to two, enough to invalidate their claim. But let’s not forget the recent string of exploits found in OpenSSH: the empty password vulnerability, the off-by-one buffer overflow in the channel bits, and the S/Key authentication vulnerability, all of which occurred before OpenBSD ever admitted there was a remote hole.
I actually found OpenBSD a pain in the butt installing …
> Yes. And that’s the one remote exploit they are talking about.
What about the single byte buffer overflow in ftpd, was ftpd in the default install? Granted that it was turned off by default, but a daemon is useless if it can’t even be run.
They did seem to suffer a beating in the vulnerability department a while back… whether it invalidates the claim of one remote hole in six years… well, I’m not particularly in the mood to debate that and will leave it to others…
I will say this though… compare its history with that of most other OSes… it comes out lookin’ pretty good.