Contributed by Dengue on from the cause-10-wasn't-enough dept.
(Comments are closed)
OpenBSD Journal
Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]
By Anonymous Coward () on
Having 'Large numbers of open ports' is one of the top vulnerabilities?
Running services that you don't need/don't even know what they do maybe is.
But running servers is what a network is about, and _not_ a security risk in first place.
Comments
By pf incident () on
If you don't need portmap, why run it? If you don't need ntp, why run it? If you don't need chargen, why run it? If you don't need daytime or inetd, why run it?
Running necessary and correctly configured servers may be what the net is about, but there is no reason for excessive portage dude.
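The practical form of that argument is an audit: list what is actually listening and compare it against what the host is supposed to serve. The script below is an added example for this thread, not code from the site or from any of the commenters. It runs offline over a constructed block of lines in the layout of OpenBSD `netstat -an -f inet` LISTEN output; the allowlist (`EXPECTED_PORTS`), the sample sockets and the port-to-name table are assumptions made for the example. On a real host you would pipe the live netstat output into `unexpected_listeners` instead.

```shell
#!/bin/sh
# Added example (not from the thread): flag listening sockets that are not on
# an allowlist, the checkable version of "if you don't need it, why run it?".

# Constructed sample in the layout of OpenBSD `netstat -an -f inet` LISTEN
# lines; a real audit would feed the live command output in instead.
SAMPLE_NETSTAT='tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  *.111                  *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.19                   *.*                    LISTEN
tcp          0      0  *.13                   *.*                    LISTEN'

# Ports this host is meant to serve (assumption: sshd plus a loopback-only MTA).
EXPECTED_PORTS="22 25"

# Human-readable label for the well-known ports named in the thread.
service_name() {
    case "$1" in
        13)  echo daytime ;;
        19)  echo chargen ;;
        22)  echo ssh ;;
        25)  echo smtp ;;
        111) echo portmap ;;
        123) echo ntp ;;
        *)   echo unknown ;;
    esac
}

# The local-address column looks like "*.22" or "127.0.0.1.25"; the port is
# whatever follows the last dot.
port_of() {
    printf '%s\n' "$1" | sed 's/.*\.//'
}

# Read netstat-style lines on stdin and print "port name" for each LISTEN
# socket whose port is not in EXPECTED_PORTS. Allowed ports print nothing.
unexpected_listeners() {
    awk '$NF == "LISTEN" { print $4 }' | while read -r local; do
        port=$(port_of "$local")
        case " $EXPECTED_PORTS " in
            *" $port "*) ;;
            *) printf '%s %s\n' "$port" "$(service_name "$port")" ;;
        esac
    done
}

# Wrapper over the constructed sample so the script runs stand-alone.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
}

audit_sample
```

Against the sample the script reports portmap (111), chargen (19) and daytime (13) and stays silent about ssh and the loopback-only smtp listener. Each reported line is either something to add to the allowlist deliberately or a service to turn off in inetd.conf or rc.conf.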
By Marc Espie () espie@openbsd.org on mailto:espie@openbsd.org
Already the first comment says that `most vendors' enable lots of unneeded services at first install... well, OpenBSD doesn't.
The second comment is about weak passwords and user security. Well, OpenBSD insists that root HAS a password even before you reboot.
We have disabled rlogin, telnet, and other services ever since we got ssh working and patent-free...
Of course, there are still interesting security issues, but if most of the Unix `community' worries about these issues, well... we're light-years ahead of the curve, aren't we?
By Anonymous Coward () on
*** THIS IS NOT AN APRIL FOOL ***
Brian Valentine, Microsoft's senior vice president at its Windows division, told Reuters: "With the virus attacks of late ...and how vicious those attacks have been... it's incumbent on Microsoft, being in the leadership position we're in, to help drive forward the industry in this area."
Comments
By Anonymous Coward () on
Read it this way:
"Considering how screwed our customers have been recently ...and I mean we -really- fucked up big time if someone can hose us with BASIC scripts attached in e-mail for christsakes... we -need- to start plugging holes as fast as we can before we start losing money, otherwise we aren't going to be top dog and we'll lose customers and market share faster than you can say "0wn3d j0", therefore, we need to play major fucking catchup before the stock price drops."
By seth arnold () on
By making a transition to a language that solves most of their problems for them, Microsoft stands a chance of becoming one of the more secure vendors -- once they re-write everything in C#.
They are looking at drastically cleaning up their code through a new language. Most people wait for their buffer overruns to show up on bugtraq. OpenBSD at least looks for problems proactively -- but not proactively enough to rewrite all tools in a language that does the work for them.
Just keep this in mind next time you hear someone bash Microsoft about security. They might not be real secure today, or tomorrow, but in a few years time, they stand a good chance of being far ahead of other people still using C for everything.
Cheers! :)
Comments
By Rupert Pigott () on
"being in the leadership position we're in, to help drive forward the industry in this area"
That quote was actually part of a plug for XP - they're selling it locked down apparently. The list of measures they are taking with XP is pretty much a subset of what the OpenBSD team have done.
Hence the "drive forward the industry in this area" struck me as the punchline to a sick joke.
Cheers,
Roo
By Patrick Myers () patrick@myers.net on mailto:patrick@myers.net
-Patrick
By Marc Espie () espie@openbsd.org on mailto:espie@openbsd.org
How many ways can you spell `snake oil'?
By Vincent Labrecque () limitln@cooptel.qc.ca on mailto:limitln@cooptel.qc.ca
I'm pretty sure stupid programmers will be able to build new types of security holes with C#
Comments
By Rupert Pigott () on
Just like I've seen in several investment banks. They really do have minimal-tending-to-zero clue about security at application level.
Just to compound it, pretty much every production box I saw in those environments had a million and one network services which were not needed etc...
Oh, they didn't use SSH, they used telnet and ftp exclusively. "Why should we use SSH, our firewalls keep us safe!". I even had that same line of argument from someone developing CGI scripts... I think the fact is: few people care, including the people paid to care.
I'm wondering how many web development courses teach basic security... None bar webserver configuration I'll bet.
You see these folks, "security consultants", probably have great looking resumes. But they don't seem to have very good experience, whereas I'm lucky enough to have learnt a lot from the OpenBSD community.
Cheers,
Rupert