OpenBSD Journal

Microsoft blog acknowledges OpenBSD security model

Contributed by grey on from the more kudos from MS dept.

Thanks to Kolchak for writing in with the following OpenBSD Mention in Larry Osterman's blog:

"There will be holes found in Longhorn, absolutely. But Microsoft GETS security nowadays. In general, Linux/Open Source community doesn't yet (The OpenBSD guys appear to get it, but Iíve not seen any indications of this level of scrutiny associated with the other distributions)."

You can read the blog, plus comments here: http://weblogs.asp.net/larryosterman/archive/2004/05/25/141593.aspx

Of course, we've noted that MS has used OpenBSD as a positive security reference in the past as well.

(Comments are closed)


Comments
  1. By Anonymous Coward (62.48.115.49) on

    certo non fanno altro che copiare quelli impressionante guadagnano un paco di soldi e alla fine devono copiare perchť non sono capaci a realizzare un minimo di sicurezza nel loro software di *****

    Comments
    1. By Raymond (212.238.248.34) on

      Come on man,

      speak english on an english website. I'm not a native englishspeaker myself, but please have the courtesy to try.

      It's like whispering in company...

      Comments
      1. By Anonymous Coward (195.217.242.33) on

        This isn't an english website, it is maintained by Daniel Hartemier who I beleive is Swiss.

        Though I will concede that it is an english speaking website, the level of english, even from english speaking readers, can be poor.


        The comment appeared to be Italian.

        It seemed to infrer that although M$ copy a model that they respect and the model has respect itself, that in an emergency ( such as a major vulnerability, ) there will not be the rapid turn around that can be done in open source.

        At least that is my interpretation of what was said.

      2. By knomevol (198.231.23.240) on

        "sure they do not make other that to copy those impressive they earn I soothe of moneies and to the fine ones they must copy because they are not able to realize a minimum of emergency in their software of ******"

        (huh?)

    2. By Anonymous Coward (69.156.165.132) on

      Of course!

  2. By Anonymous Coward (82.123.61.42) on

    Several comments... er... rants:

    -1- Do you have to post every single blog, article and other site that mentions OpenBSD? I know that every time someone talks about OpenBSD, it is a good thing, but several articles linked by this site recently only talk about OpenBSD to say "Security good" (which we already know).

    -2- I would be wary of Microsoft people who are fans of OpenBSD. "Embrace & Extend" is something that Microsoft loves to do... right after "Fear, Uncertainty & Doubt". I personally do believe Microsoft loves the BSDs because of the license, and the recent Windows Services for UNIX is a case in point, since it was code taken from OpenBSD. This being said, as long as Theo is not working for Microsoft, I won't worry too much...

    -3- Frankly, the whole point of the blog was to say: "Microsoft does Security, rah rah rah!". Yeah, right. As long as IE, or VB for apps is a part of every Windows copy, I really don't think so. Windows Server 2003? Don't make me laugh, please... The only reason holes haven't been found in great numbers is because no one is buying the thing.

    In short, linking to someone who is so obviously biased (and IMHO, so obviously wrong), just because he happens to like OpenBSD is not helping our favourite OS.

    Comments
    1. By Anonymous Coward (64.119.174.202) on

      OpenBSD isn't important or popular enough to have a wide variety of articles to choose from.

      Comments
      1. By Anonymous Coward (62.78.250.2) on

        So - if you want your online article to get an Undeadly.org link to it (= free advertising), what ever the quality (or the subject?) of it, just mention the word OpenBSD, and it will get published here...?

    2. By grey (207.215.223.2) on

      Thanks for your comments. I realize that not every story posted to undeadly is top notch, but rest assured that there are certain standards we try to adhere to while still keeping content relatively fresh. As a reminder, if any of our readers want to help, the best thing you can do is to find worthwhile content and use the Add Story link to let us know about it. The editors do our best to find pertinent content independently, but there's only so much to be found without turning into a web site of mailing list highlights. It's no excuse, but we're also still learning; and while further along the curve than when we started, we do value reader input and hope to use it to make corrections where appropriate.

      Having said that we are really appreciative of content our readers offer, doesn't mean we post everything we come across. I might as well take a bit to speak to the kinds of submissions we receive as long as I'm typing. For example, despite a couple of submissions, we won't be posting the recent OSViews BSD comparison piece which, despite mentions of OpenBSD, was basically a comparison of biases rather than technical or factual information. The judgement made for this story, on the other hand, was that as a personal blog it made no pretentions about being formal or traditional journalism unlike OSViews, and from the get go is obviously an opinion driven piece. Even with that being the case, there was still a positive endorsement with respect to OpenBSD. However, now knowing the readership response to this kind of submission, I'll be sure to keep a more critical eye on such stories that come across in the future.

      Additionally there are certain submissions, that while useful to our readers are misdirected when submitted to us as a story. The most common (or at least only problematic) example of this is that every now and then we get people who submit stories that are related to security announcements for programs in the ports tree. While definitely useful, we already have an rss feed of the OpenBSD VuXML information displayed on the main page. As such, ports security announcement submissions are better directed to the OpenBSD VuXML contributors than to undeadly as one explicitly drives the content of the other (Robert has also expressed that he'd like help for those interested).

      As editors, we see the good with the bad, and try to pick the best we have at the time to put forward. We can't and won't promise that every story that makes it to the front page is going to appeal to everyone, or that they'll all be outstanding quality. However, with continued reader submissions and feedback we will strive to improve on our mistakes and maintain this site as a worthwhile resource for those interested in OpenBSD as best we can. Thanks!

      Comments
      1. By Bruce (24.86.198.124) on

        I wouldn't worry about it so much. Personally, I see these quickies as being like an OpenBSD clipping service - you can see general trends in people's opinions of the OS.

        Nobody has to read the linked articles if they don't want to. Reading the summary, I get the impression that the blog entry is probably just a swipe at Linux mixed with some MS boosting. A quick look at the comments confirms that nobody is finding pearls of wisdom, so I can move on. Easy and painless.

        The only downside to reading the comments on undeadly is the amount of negativity I usually find here. I certainly wouldn't run this service with the kind of reactions you get from readers. What would be the point? So please don't let the flames get you down, some (I hope many) of us appreciate what you do.

        And as for the people calling Microsoft 'idiots' and the like, I suspect you are underestimating them quite badly. Never a wise thing to do.

        Comments
        1. By Anonymous Frog (4.231.169.18) on

          "The only downside to reading the comments on undeadly is the amount of negativity I usually find here."

          That statement seriously bothers me. So, I must reply with a quote from Paul Graham;

          "Indeed, the measure of a healthy organization is probably the degree to which negative thoughts are allowed. In places where great work is being done, the attitude always seems to be critical and sarcastic, not "positive" and "supportive". The people I know who do great work think that they suck, but that everyone else sucks even more."

          http://www.paulgraham.com/saynotes.html

          Pay extra attention to the "critical and sarcastic" part.

          So, get use to the "negativity", or leave, it is not going to change for the better.

          Oh, and yes, EVERYTHING sucks.

          Comments
          1. By krh (207.75.179.30) on

            All of a sudden I'm glad I think I suck.

      2. By Anonymous Coward (4.231.169.18) on

        Point One:
        Good OpenBSD related articles are hard to come by; stop whining, and contribute stories if you wish the quality to go up.

        Point Two:
        A large portion of the submitted articles are of poor quality, not relevant, or both.

      3. By Anonymous Coward (198.54.202.242) on

        Well I think you're doing a great job with undeadly, so go right ahead and keep doing exactly what you're doing.

    3. By Nick Holland (68.43.115.33) nick@holland-consulting.net on http://www.openbsd.org/faq/

      1: Hey, this was interesting. 8-)

      2: You speak as if this is a bad thing. That's the point of the BSD license, to get stuff USED, by anyone, anywhere. We *WANT* MS to use W^X protection (granted, it would be nice if they did a better job at it) and other OpenBSD code and ideas. Face it, Windows isn't going away as the Majority OS anytime soon. And the majority of people will probably never adopt OpenBSD. The hope is that the stuff OpenBSD leads the way on will get adopted INTO other OSs.

      It would be GREAT if MS really does "get" security some day. It would result in a better Internet for all. If that involves them using OpenBSD code and concepts, GREAT. We would rather that other companies use our GOOD code than reinvent the wheel poorly. If MS were to decide that Longhorn was to be every bit as secure and reliable as OpenBSD, so that loading Mozilla was a clear step BACKWARDS, how would that be a bad thing?

      3: Yes, as long as a web browser can be used to download and run apps over the 'net, people will do stupid things. But in this regard, he's right: Mozilla (and its kin) are doing a very good job of trying to match IE feature for feature with FAR more attention to bells and wistles than to real security. The Linux people are doing much the same, "Anything MS can do, we can do, too!", without ever asking, "Is this something that even SHOULD be done?"

      IF Microsoft choses to persue real security, they have the resources and the structure to accomplish it. Big "IF" there. At the moment, the line seems to be "Security is important, as long as it doesn't get in the way or change what people expect". Ok, a ways go yet...

      (anyone else catch the W^X or stack protection statement? ah, well, guess they don't quite understand that one tool isn't enough quite yet... And yes, as long as the users are still dumb as a rock, we ain't gonna win this battle.)

      Nick.

      Comments
      1. By Anonymous Coward (67.71.79.251) on

        IS there ANY chance THAT your "SHIFT" key IS a LITTLE _sticky_? ;-)

        Comments
        1. By Anonymous Coward (4.231.169.18) on

          It is obvious the method Nick chose to draw attention to key words worked based on your statement.

      2. By James (193.63.217.208) on

        Nick Holland wrote:

        If MS were to decide that Longhorn was to be every bit as secure and reliable as OpenBSD, so that loading Mozilla was a clear step BACKWARDS, how would that be a bad thing?

        If MS are finally 'getting' security, then one of the things they have always 'got' is the abuse of monopoly to enforce their own pseudo-standards. Mozilla will always be a step forwards until MS fix the HTML engine of IE to support the web standards instead of their bastardised versions. Standards compliance is another thing which OpenBSD does well which could be highlighted more. Many other software projects would be well served to adopt OpenBSD's approach to standards as well as its approach to security. Linux NFS and PF anyone?

      3. By Anonymous Coward (69.156.165.132) on

        I really like your reply, but you should ease up a little on the CAPS. Regards.

        Comments
      4. By t (66.52.195.106) on

        I agree. Despite what ones feelings towards MS might be, you have to remember that their software is still being run on millions of machines thoughout the world, which more than likely affects our lives in someway directly or indirectly on a daily basis. So a more proactive approach to security by MS is really a good thing for all of us. And if they choose to use tried and tested code from OpenBSD as a reference to their approach then even better.

    4. By Anonymous Coward (68.148.237.181) on

      1. "We" who read undeadly often may know, but new readers may not.
      Everyone knows security is good, but not many practice it well enough.

      2. Why would you worry at all? What's Microsoft going to do that might
      worry you about OpenBSD? Please leave the politics of "code taken" to
      the GPL crowd.

      3. I think undeadly and OpenBSD is proud of the fact Microsoft is
      copying from OpenBSD. Chalk 1 for OpenBSD. This story's focus is on
      OpenBSD, not other noise.

      This guy's liking OpenBSD helps OpenBSD by achieving one of OpenBSD's
      goal through his company's copying of OpenBSD's top quality code - that
      goal is "We strive to make our software robust and secure, and encourage
      companies to use whichever pieces they want to."

      Comments
      1. By Anonymous Coward (62.78.250.2) on

        It is important to understand if someone's just trying to use you without any real care for you, but maybe just to attack others who may actually be your true friends (read: Linux & "the GPL crowds").

        It is great if MS can borrow and use secure code from OpenBSD (the benefit of BSD license), but I wouldn't be sure if MS really cares for BSD. In fact if there was no Linux but BSDs would be the thing everyone and your cat's talking about now, MS would probably use all its energy to attack the BSDs, now, instead of Linux.

        Maybe this is out of topic, but:
        I really can't understand why many BSD people seem to hate Linux so much? Linux & BSD are like a twin brother and a sister who have very similar goals, and even share most toys. What is useful to the other is usually useful to the other one too. Are some BSD people like jealous kids who are unhappy because their bro/sister seems to get all the attention they would want for themself? For example, it often seems that many BSD fans find no problem if MS uses BSD code but if and when Linux does the same they are arguing that Linux is just stealing from BSDs and not really innovating etc... Now, why's that?

        Comments
        1. By Anonymous Coward (68.148.237.181) on

          > It is important to understand if someone's just trying to use you without any real care for you, but maybe just to attack others who may actually be your true friends (read: Linux & "the GPL crowds").

          True friends of the BSD are "the GPL crowds?" I don't see how they are
          friends of the BSD from what you've just said. Are you saying "my
          enemy's 'friend' is my friend?" Maybe it's just me, but I usually see
          the GPL crowd attacking the BSD instead of MS.

          Anyhow, one goal of the BSD is to maintain software excellence
          regardless of politics and business warfare. If MS can secure their
          code with OpenBSD's help, then everyone benefits. It doesn't matter
          if MS care for BSD because the MS and BSD relationship is only 1 way,
          MS use BSD code. I don't see why MS would attack the BSD, when they
          can get free top quality code. If they did attack the BSD, it'd be
          difficult to do damage when they use BSD code. Maybe you can list
          their strategy and consequences of their attack?

          The BSD people don't hate Linux so much. If they did, I think they
          wouldn't port Linux's GPL stuff to the BSD. The problem I see is the
          GPL crowd claiming the GPL is free, but it's not compared to the BSD;
          however, the BSD people get attacked for telling the truth.

          > Are some BSD people like jealous kids who are unhappy because their bro/sister seems to get all the attention they would want for themself?
          > arguing that Linux is just stealing from BSDs and not really innovating

          The BSD people care less about Linux's notoriety, so it's not jealousy.
          Even with references, maybe you should ask those people making those
          comments, since they're not the BSD majority.

          Comments
          1. By Anonymous Coward (62.78.250.2) on

            <i>The BSD people care less about Linux's notoriety, so it's not jealousy.</i>

            I wonder...? I've seen lots and lots of comments on web forums where some BSD people directly attack Linux saying that it shouldn't be so popular and that it should be BSDs that get all that attention. Or that Theo (or others) is next to God, but Linus is an ignorant jerk. I've also seen some rude stupid pictures where the BSD Beastie abuses Tux sexually etc. Some people should really try to grow up and learn to behave themselves.

            <i>Even with references, maybe you should ask those people making those
            comments, since they're not the BSD majority.</i>

            I agree. But there's no denying that there are <b>both</b> BSD zealots and GPL zealots. It doesn't help to see the bad in others but not in ourselves. In fact, that is just the beginning of zealotry.

            <i>The problem I see is the GPL crowd claiming the GPL is free, but it's not compared to the BSD; however, the BSD people get attacked for telling the truth.</i>

            Yes, the BSD license is the truly free one... But there's no denying that GPL has gained lots of support from developers just wanting to code good open source software for everyone's beneit.

            It is the minority of zealots again that may cause problems. Let's leave them to their own small dark and narrow potholes to shout to each other...

            I really see Linux and BSD like a close twin sister and a brother. They share the same relatives (mostly), toys etc. Sometimes family members have quarrels but the kids would be happier respecting and helping each other. But, in this family drama, guess who's the very rich looking man in business suit and with greedy eyes approaching the little kids trying to sow FUD between them and break the happy family? He even offers lots of candy to the little girl saying that her brother is evil, the enemy of the world. The gentleman tells that the little girl should leave her brother and follow him, and after a while, when the brother is dead, she could even have all the toys to herself too.
            A tempting offer?

            Comments
            1. By Anonymous Coward (68.148.237.181) on

              > I really see Linux and BSD like a close twin sister and a brother...

              That's your opinion, but I wouldn't compare them like that. They are
              very different, and even the licenses and goals don't compare. If you
              worry about the rich man in his business suit, you should worry about
              the rich man in his Blue business suit boasting Linux to his clients.
              Obviously, he wouldn't choose Linux, if he couldn't profit from it.

              Worry not of BSD. BSD was here before Linux, and BSD will be here as
              long as Open Source or the BSD license remains legal.

              Comments
              1. By Anonymous Coward (62.78.250.2) on

                They are very different, and even the licenses and goals don't compare. Linux and BSD very different? Like how? Both use and borrow lots of technologies from each other all the time, and its no problem to each of them - because they are so similar. File hierarchies, the Unix philosophy, many standards, they are practically the same. However, Apple Mac OS X that is even based on BSD, has licenses and goals that are more different from both BSD and Linux than BSD is from Linux. Not to mention the difference of MS goals and licenses from those of Linux & BSD. If you worry about the rich man in his business suit, you should worry about the rich man in his Blue business suit boasting Linux to his clients. Obviously, he wouldn't choose Linux, if he couldn't profit from it. Huh? So, is there something wrong with profiting from open source like Linux?? Especially if the rich man in his Blue business suit is a strong supporter of open source (I couldn't say that about the other rich man in my own story above, however). I cannot understand your logic at all. Is the rich man in his Blue business suit and who openly supports open source evil - just because he uses Linux...? But the other rich business man who is openly opposing open source (the soul & heart of OpenBSD too) and sowing FUD, false claims and promises all around him is quite ok - just because he throws some nice looking candy at you sometimes? If you worry about open source, worry about him who supports software patents and FUD against open source most strongly.

                Comments
                1. By Anonymous Coward (68.148.237.181) on

                  > Both use and borrow lots of technologies from each other all the time, and its no problem to each of them - because they are so similar.

                  OpenBSD is trying to replace GPL tools with BSD tools as much as they
                  can, so your "use" statement has less meaning as each GPL tool
                  disappears from OpenBSD. As per "borrow", I don't know how BSD,
                  or OpenBSD, can borrow GPL code and still maintain their BSD license.
                  BSDs and GPLs may incorporate the same open standards, but their
                  implementations are different. If you ignore their Detailed
                  implementations, I'd agree with you both are Open Source OSs with BSD
                  being Free, while GNU/Linux being not quite Free.

                  > If you worry about open source, worry about him who supports software patents and FUD against open source most strongly.

                  Want to talk about software patents?
                  http://lpf.ai.mit.edu/Patents/testimony/statements/ibm.testimony.html

                  Here's your GPL founder's example of IBM (read all or including the 2
                  paragraphs above this excerpt:)
                  "This phenomenon of cross-licensing refutes a common myth, the myth of
                  the starving genius. The myth that patents "protect" the "small
                  inventor". Those terms are propaganda terms. You shouldn't use them..."
                  http://www.cl.cam.ac.uk/~mgk25/stallman-patents.html

                  Additionally, here's a quote from IBM:
                  "The IBM patent portfolio gains us the freedom to do what we need to do
                  through cross-licensing--it gives us access to the inventions of others
                  that are the key to rapid innovation. Access is far more valuable to
                  IBM than the fees it receives from its 9,000 active patents. There's
                  no direct calculation of this value, but it's many times larger than
                  the fee income, perhaps an order of magnitude larger."

                  The quote is linked from your GPL founder above.
                  http://lpf.ai.mit.edu/Links/prep.ai.mit.edu/ibm.think.article

                  > So, is there something wrong with profiting from open source like Linux?

                  Get a clue!! I already stated BSDs don't care about politics and
                  business warfares. You implied "there [is] something wrong with
                  profiting from open source like Linux;" thus, you need the GPL to
                  protect GNU/Linux from this profit exploitation. Then, I suggested you
                  need to be wary of IBM, since they're not choosing Linux out of their
                  generosity if they can't exploit it. IBM is not supporting GNU/Linux,
                  they're exploiting it similarly to their software patent exploitation.

                  Once again, it's MS that's getting top quality code (candies) from
                  OpenBSD, and they're simply attributing credit towards OpenBSD -
                  nothing more, nothing less. Your perversion of MS luring BSD with
                  candies is totally ludicrous. Contrarily, look at your own predicament
                  of such perversion with IBM. From your IBM compliments, you're the one
                  accepting Linux advertising candies from IBM with their software patent
                  portfolio.

                  Comments
                  1. By Anonymous Coward (62.78.250.2) on

                    IBM & MS? Well, of course they are rather similar huge IT companies in many ways. But as to open source and software patents etc. the difference between them boil down to a few simple facts:

                    IBM has supported FOSS and given its resources to open source development in many ways. MS hasn't. IBM has also officially promised not to use their patent portfolio against open source, MS hasn't.

                    MS has continued publicly and loudly claim how bad open source model (so also open source in general, not just GPL) could be to the IT economy, according to them. Because of MS attitudes many people are afraid that MS might indeed also some day use its large patent portfolio against open source projects, just to protect its 100% proprietary software business model and monopolies.

                    Basically I have nothing against MS, just because it is MS. I also admit that I may have used my greedy business man metaphora above in too nasty a manner to portrait MS, and I apologize if I've hurted someone's feelings. But it is just a very clear and simple historical fact that MS has never been (at least so far) in friendly terms with open source software. They could even be called the biggest and most notable critic of open source software model.

                    Comments
                    1. By Anonymous Coward (68.148.237.181) on

                      > IBM has supported FOSS and given its resources to open source development in many ways. MS hasn't. IBM has also officially promised not to use their patent portfolio against open source, MS hasn't.

                      A corporation's promise may worth enormously to you just because they
                      gave you a few treats, but it's worthless to me, especially a
                      corporation that was indicted for anti-trust.

                      > Because of MS attitudes many people are afraid that MS might indeed also some day use its large patent portfolio against open source projects, just to protect its 100% proprietary software business model and monopolies.

                      Some day IBM might change their business model and begin to leverage
                      their software patents. From the GIF and the JPEG patent cases, the
                      suing started near the end of their patent life, where adoption is
                      common and ubiquitous.

                      > MS has continued publicly and loudly claim how bad open source model (so also open source in general, not just GPL) could be to the IT economy, according to them.

                      Aren't you glad they copied from and credit OpenBSD? Their claims
                      contradict due to that fact.

                      > Basically I have nothing against MS, just because it is MS. I also admit that I may have used my greedy business man metaphora above in too nasty a manner to portrait MS, and I apologize if I've hurted someone's feelings.

                      You're trying to make me look like a MS apologist. Nice try though. I
                      basically said if you're wary of one corporation with a software patent
                      portfolio, you might as well be wary of all of them. Nowhere did I
                      imply you should pick your favourite corporation with their software
                      patent portfolio. You, however, picked IBM and I simply advised of
                      your contradiction. I even pointed you to your GPL founder's example
                      of IBM, and yet you still embrace IBM. Do what you will, but don't
                      spread any perversion about BSD, like BSD being some whore taking
                      candies from rich businessmen. It's just wrong; it's next to FUD; and
                      you said to leave it to the zealot minority...

                      Speaking of historical fact, FUD was coined for... IBM.

                  2. By Anonymous Coward (62.78.250.2) on

                    Theo de Raadt:

                    "The hardware vendors who use OpenSSH on all of their products have given us a total of one laptop since we developed OpenSSH five years ago. And asking them for that laptop took a year. That was IBM."
                    http://www.theage.com.au/articles/2004/10/07/1097089476287.html?oneclick=trueibm

                    Maybe that one laptop is no big reason for IBM to boast about... But anyway, IBM has shown its support also to the OpenSSH and OpenBSD projects in a concrete way by donating some hardware.

                    Comments
                    1. By Anonymous Coward (68.148.237.181) on

                      I read that too. Anyway, if you're going to quote the article, at
                      least quote in context.

                      "Hardware donations do not come from vendors who use OpenSSH on parts
                      of their stuff. They come from individuals. The hardware vendors who
                      use OpenSSH on all of their products have given us a total of one
                      laptop since we developed OpenSSH five years ago. And asking them for
                      that laptop took a year. That was IBM. It took a year of negotiation
                      and I had to talk to 15 people and I had the right person from the
                      beginning but she had to get okays from other people and I had to write
                      letters to say why. It was astounding."
                      http://www.theage.com.au/articles/2004/10/07/1097089476287.html?oneclick=true

                      You're going to vaunt this opulent generosity of IBM supporting Open
                      Source?? My understanding is he had to beg a whole year to 15 people
                      for one lousy laptop, while IBM had profited from OpenSSH for years.
                      What do you think Theo did with the laptop? My guess is he probably
                      ported OpenBSD to it, thus, supporting IBM for their profuse generosity.

                      > But anyway, IBM has shown its support also to the OpenSSH and OpenBSD projects in a concrete way by donating some hardware.

                      I suppose you can't call one laptop, 1 laptop, or a single laptop,
                      since it wouldn't work if it didn't have some hardware for it to
                      function as one laptop. IBM's copious generosity astounds me, too. I
                      think I am going to cry, right after this uncontrollable laughter ends. hahahahaha

                      You're right, one lousy laptop is better than nothing, even after a year
                      of all the negotiations and letter writing. However, in the same
                      article, Theo also mentioned:

                      "Suddenly their entire model is - Linux, Linux, Linux, services, services
                      services - and they'll sell you garbage. And no support for the open
                      source community. Not anything. And yet they're all saying 'we're
                      helping the vendors'. No, what they're doing is they're helping
                      themselves. They're trying to stay alive, because they're afraid that
                      all the Linux sales vendors are going to eat their lunch and provide
                      the services direct to the customer. And everyone's going to find the
                      real reason why people buy a HP box or an IBM box today is pretty much
                      one piece of equipment - the power supply. Why? Because the grey box
                      vendors haven't discovered that when you make a 1U rackmount machine,
                      you have to put in a power supply that can run 24/7 for four years. And
                      if you can do that, they'll buy your box. That's what HP and IBM and
                      Sun do. They just put a power supply in it, with a good fan so it
                      doesn't break. Otherwise the machines are identical."

                      Comments
                      1. By Anonymous Coward (62.78.250.2) on

                        Yeah, yeah... IBM is not exactly a great hero of open source - especially just because of giving one lousy laptop to OpenSSH development after enourmous amounts of trouble and negotiating from Theo & co... I certainly agree on that.

                        I have no special warm relationship with IBM or any other IT company. But you should acknowledge that IBM has supported open source quite a lot and in numerous ways too, granted, it's mostly only Linux these days. Of course, IBM might also be just a greedy big huge company like MS in many ways too, working for only their own benefit mostly. That's all I meant to say about IBM.

                        As to Theo's comments about hardware business, like that IBM & HP machines are bought only because of the PSUs, well, guess what, I think he's simply wrong about that (how do I dare to think like that? Maybe just because I'm able to think independently of some gurus). Those companies, IBM, HP etc., sell and give support to their customers and that support is simply much more important to companies than some lousy power supplies units with or without good fans. That's the main reason why IBM and HP sell so much hardware to companies.

                        As to Theo's comments on Linux I don't get it why he seems to be so angry at Linux getting all the attention. But maybe also he's just a bit jealous because of the popularity of Linux when compared to BSD and especially OpenBSD??

                        Me? I'm just _completely_ fed up with all the BSD zealots out there... Could you calm down at least a bit, and, for example, see that there's lots of open source software also otside your own BSD playground, please? Peace to you all though. Over and out.

                        Comments
                        1. By Anonymous Coward (68.148.237.181) on

                          > But you should acknowledge that IBM has supported open source quite a lot and in numerous ways too, granted, it's mostly only Linux these days.

                          Why do I always have to repeat myself? As I said, IBM is just giving
                          you a few treats, so don't think they're your friend or they're some
                          Open Source defender. It's all a facade. With that, do or believe
                          whatever you want - more power to you.

                          > Of course, IBM might also be just a greedy big huge company like MS in many ways too, working for only their own benefit mostly.

                          There is no "might" or maybe. They are a big greedy company working
                          only to benefit their CEOs first, then their shareholders, then maybe
                          their employees in that order.

                          > As to Theo's comments about hardware business, like that IBM & HP machines are bought only because of the PSUs, well, guess what, I think he's simply wrong about that (how do I dare to think like that? Maybe just because I'm able to think independently of some gurus).

                          I read that part as a humorous hyperbole with some truth of no Open
                          Source support.

                          > As to Theo's comments on Linux I don't get it why he seems to be so angry at Linux getting all the attention...

                          Does it make sense when I say you're angry and jealous of MS because
                          they have tons of money with their popularity at around 90% of the
                          market?

                          > Me? I'm just _completely_ fed up with all the BSD zealots out there... Could you calm down at least a bit, and, for example, see that there's lots of open source software also otside your own BSD playground, please?

                          hahahahaha
                          Take your own advice and calm down. I haven't had this much fun in a
                          long while, especially about that some hardware in 1 laptop bit. I
                          don't think I am a BSD zealot, and I don't think what I've written is
                          BSD zealotry. I don't know, but I like BSD and OpenBSD though. Why?
                          Simple, the BSD playground doesn't have any perimeter fence closing you
                          in or keeping you out, unlike the GPL and other unFree or
                          Free-with-restrictions licenses.

                          Regards

                          Comments
                          1. By Anonymous Coward (62.78.250.2) on

                            Ok, I thought to add a few more comments still...

                            I couldn't be happier than if IBM, MS and everybody else including your grandma and dog used and supported OpenBSD. In fact, I cannot understand why it is not more like that already? To me OpenBSD is just quite close to a perfect server OS.

                            Anyway, I also respect and appreciate Linux, MS Windows, Apple Mac OS X, and various licenses including the GPL too. I see that, for example, both the GPL and the BSD licenses have pros and cons.

                            But it has often seemed to me that many BSD zealots cannot respect and accept that neutral and positive opinion of mine. In fact, if I, as an OpenBSD fan, mention that I mostly use Linux on my desktop machine, I may often get responses that I'm actually realy stupid to do that, that Linux really sucks, and that I should use some flavor of BSD instead. Why's that? Isn't that what can be called OS zealotry?

                            However, most of my Linux using friends, when I've mentioned that I like BSD too, have replied only something like: that's interesting, and that they've been considering giving some flavor of BSD a try too, and even that they ee that the BSD license may be more useful in some cases than the GPL etc. Now, who's a zealot here and who's not?

                            As to IBM, I happen to follow IT news online quite regularly. If you do too, you shouldn't find it too difficult to notice how many news there are about IBM supporting open source in one way or another. The most reason news I read just a few minutes ago: http://www-106.ibm.com/developerworks/db2/library/techarticle/dm-0410prial/?ca=dgr-lnxw11IBMrevealsDerby
                            But when have you seen similar news about MS?

                            I love both Linux and BSD, and I like many features and the ease of use of both MS Windows and Macs too.

                            But why or why is there so much stupid, short-sighted and stubborn OS zealotry? For example, why, can't Linux and BSD users just be friends and try to respect each other? Why do many BSD persons want to slander Linux in every opportunity? What use is that to BSD? How about trying to respect others, non-BSD people, a bit more?

                            Anyway, now this ranting starts to move a bit too much away from the original subject so I guess it's better I stop now. Peace!

                            Comments
                            1. By Anonymous Coward (68.148.237.181) on

                              > Ok, I thought to add a few more comments still...

                              You're not adding anything new. You're just repeating/rewinding what
                              you've said that led to the grossly depiction of MS luring BSD, and to
                              my trying to enlighten you of IBM. Thus, this is my last post on this.

                              > But it has often seemed to me that many BSD zealots cannot respect and accept that neutral and positive opinion of mine.

                              Everyone who has functional and normal hearing has tinnitus. Why isn't
                              it irritating to everyone, but only to the few minority? There are many
                              reasons, but one key solution is to ignore it like the vast majority.
                              Here's an interesting read:
                              http://www.tinnitus.org/
                              Tinnitus/TRT
                              http://www.tinnitus.org/home/frame/tin2a.htm

                              Moreover, if they give you valid reasons for why they think it sucks,
                              then it's not zealotry. They just prefer what's better for them, such
                              as they picked the best tool for their needs. There's nothing wrong
                              with discriminating between technologies or licenses.

                              > How about trying to respect others, non-BSD people, a bit more?

                              How about ignoring them when you don't get their respect? Do they owe
                              you their respect in some way? When some zealot makes a grotesque
                              statement about your favourite OS, you can ignore them, or laugh at it,
                              or best to ask why and enlighten them, if they're wrong.

                              > IBM supporting open source in one way or another.

                              Can you look beyond the bait they're waving at you? Once again and for
                              the last time, they are Not Supporting Open Source - they Exploit Open
                              Source. If you read the whole page again, they've listed their motives
                              for making the offer, and I quote:
                              "Derby is an incubator project... For our Cloudscape product, IBM will
                              take snapshots of the Derby code and provide full support as the IBM
                              Cloudscape offering. You can get a free download of the IBM Cloudscape
                              code as well, and you can purchase support for it from IBM, but we do
                              not intend to charge a license fee for Cloudscape... Cloudscape
                              technology is an extension of IBM's larger data product strategy. Our
                              vision is to integrate heterogeneous data stores -- from zSeriesģ all
                              the way to pervasive devices -- to support structured and unstructured
                              data, from IBM and non-IBM data sources. We think information
                              integration is the key to tying this together, and our DB2 products
                              provide customers with a framework to do this... By open sourcing
                              Cloudcape, IBM hopes to accelerate development of Java-based
                              applications and drive more innovation around Linux and Java. So
                              expanding this market expands the market for high-value IBM middleware,
                              hardware, and services. We think it will especially create new business
                              opportunities in areas such as embedded database applications, small
                              business solutions, and Java and Web-based applications."

                              To summarize, they're going to use Cloudcape as bait to catch big DB2
                              spenders, and to bait Open Source gullibles into strengthening Their
                              Java infrastructure. If IBM's no longer into the software business, why
                              don't they advocate against software patents and open their software
                              patent portfolio? Their denouncing software patents would mean much
                              more than these Open Source relation advertisings. Moreover, what's
                              wrong with PostgreSQL that you'd need Java on the database? Your Java
                              database isn't running as fast as it can? Well, IBM has the hardware
                              for you!
                              http://www.PostgreSQL.org/docs/7.4/static/supported-platforms.html

                              Here's an interesting read about giving away "abandonware" - invite
                              guests over for leftovers...
                              http://www.newsforge.com/article.pl?sid=04/08/04/2223246

                              You're going to say PostgreSQL benefits from IBM, according to the
                              article, but I can't find anything beyond this Globus Java installer
                              thing - which doesn't even affect me anyway. I can't find any
                              attribution at PostgreSQL.org to IBM either.

                              Here's another good point - the original definition of FUD meant for
                              IBM:
                              "IBM concentrates their customers to MySQL since they know that MySQL is
                              not enough for any enterprise solutions [due to flaky ACID compliant].
                              They say "Here is an Open Source database. You saw that open source
                              databases has no enterprise features. So come back to DB2" and sell
                              their customers lots of DB2 licences. If they offered PostgreSQL, who
                              would return to DB2?"
                              http://archives.postgresql.org/pgsql-advocacy/2004-07/msg00109.php

                              MySQL's claim for ACID compliant is rather misleading, just by looking
                              at 3 and 4:
                              http://sql-info.de/mysql/gotchas.html
                              http://sql-info.de/postgresql/postgres-gotchas.html

                              > But when have you seen similar news about MS?

                              Well, the BSD world has a different philosophy as I've already written
                              and emphasized, so this is good news:
                              http://undeadly.org/cgi?action=article&sid=20041020183404

                              This is good news because the next time you wait at the airport, at the
                              bank, or for your favourite site to load due to a major virus attack,
                              you will wish MS should have copied more of OpenBSD's secure code.

                              Cheers!!

    5. By Michael Knudsen (217.157.199.114) on

      > -1- Do you have to post every single blog, article and other site that
      > mentions OpenBSD? I know that every time someone talks about OpenBSD,
      > it is a good thing, but several articles linked by this site recently
      > only talk about OpenBSD to say "Security good" (which we already know).

      I'm sorry that we haven't noticed your many great submissions so far. I'm
      sure they were all of excellent quality and we simply didn't see them in
      the submissions queue.

      Comments
      1. By Anonymous Coward (4.231.169.18) on

        How about addressing the quoted points, and not attacking the author?

      2. By Anonymous Coward (82.123.57.190) on

        Actually, I have submitted a few articles to OpenBSD Journal, and some have even been accepted by the moderators of this site (or by the previous moderators, when it was named deadly.org)

  3. By brian (68.224.187.79) wtf?@rtfm.com on

    I don't know if we should be publicizing a positive comparison of microsoft products to any open source project. ..Yes even when they seem to say good things. Does a compliment from a idiot count as a compliment or as a insult?

    Comments
    1. By Adam Getchell (208.201.231.164) on

      I'm glad this story was posted, and more like it should continue to be posted on Undeadly.

      Zealotry is counterproductive. You use the Hamiltonian for certain types of problems in quantum field theory and the Feynman path integrals for other problems in field theory, not because Hamilton was Irish and Feynman was American. Use the best tool for the task at hand.

      "Does a compliment from a idiot count as a compliment or as a insult?"

      You've apparently not actually read the article in depth, or you'd know that Larry Osterman has been working at Microsoft over 20 years on all versions of their OS from MS-DOS through Longhorn, plus Exchange and LAN Manager: It was 20 years ago today.

      So for someone of his stature and experience to repeatedly acknowledge OpenBSD's development methodology as the only way to write secure software actually is a worthwhile bit of PR for the "unenlightened".

      Of course, it would be better still if they acknowledged OpenBSD with donations of cash or machines, but then the consipiracy-minded or zealots out there would have a field day ....

      Comments
      1. By Brian (68.224.187.79) on

        it was not a personal attack, it was a attack at the direction it came from. The stench of bad software the emanates from Microsoft, isn't a viable comparison to Openbsd. "But Microsoft GETS security nowadays. In general, Linux/Open Source community doesn't yet (The OpenBSD guys appear to get it, but Iíve not seen any indications of this level of scrutiny associated with the other distributions)." No Microsoft doesn't "get" security. No The OpenBSD guys don't "apear" to "get it".. they HAVE IT. No the open source community does "get" security. The reputation of Microsoft isn't something that should have anything to do with OpenBSD. Let them talk about Redhat or Suse... If anything it would be in better taste to laugh at the absurdity of any comparison of the two groups. When you lay with dogs, you get flees.

  4. By Dehumanizer (62.249.11.71) on http://www.dehumanizer.com

    Bad, bad, bad. Microsoft DOESN'T get security at all, and Linux distributions, while less secure than OpenBSD (of course), are still (and will probably always be) light years ahead of any Microsoft product.

    Comments
    1. By James (193.63.217.208) on

      One of the main reasons Windows cannot be as well secured as *nix is simply different design philosphies. Windows, certainly up to 2k/xp, is a monolithic, interconnected mess that does everything. In contrast *nix splits different tasks off to separate processes which can be controlled or even disabled independently. Try turning off Windows' RPC and see where that gets you but most *nix boxes I see have RPC turned off to no detriment.

      *nix is intrinsically more secure by design than Windows and seems likely to remain so.

    2. By Tet (194.106.50.226) on

      Actually, I think Microsoft (or at least parts of it anyway) DO get security. They've taken some pretty radical steps with SP2, for the first time in their history taking steps to improve security even at the expense of features that some of their customers were using. Every Microsoft programmer is now explicitly taught about secure coding techniques, although they don't AFAIK conduct regular code audits in the same way that OpenBSD does. I'm also not sure of their long term committment to security. I think they'd reached the point where their security was so bad that if they didn't do something about it, they'd start losing customers now that there are increasingly viable alternatives. But once they've dragged themselves up from the bottom of the barrel, will they continue to strive until they're at the top, or will they just do the minimum necessary to protect their market share. History suggests the latter. Of course, the biggest problem they face is that Windows is architecturally worse in terms of security. None of my servers have a GUI and a web browser installed, for example. Even if a flaw is found in them, it won't be affecting my servers. I don't think they're yet ready to ship a text only server product based around the Windows kernel. Yes, they could do it, but even if there was stomach for it in the company (which I don't think there is), there wouldn't be any apps for it anyway...

  5. By Anonymous Coward (144.136.82.153) on

    Microsoft? Get Security? HAHAHAHAHAHAHAHAHAHA!
    Biggest oxymoron for this decade.

    MS treats security as a PR issue. It does just enough to get the majority of users happy. (At least it makes them think they're reasonably secure...BIG mistake...A false sense of security is BAD).

    If securing Windows was profitable, then MS would do it in a heartbeat. But it isn't. Its hardwork and constant auditing...But it pays off in the end. You do the hardwork now, and its less troublesome later.

    I'm sure MS has learnt this. (NOT!)...Their constant innovation (with security taking a backseat) for the last few years, is costing them now isn't it? And don't talk to me about WinXP SP2's NX function...This is a slap stick feature that won't protect you from every possible nasty. (well it won't protect them from a poorly secure code).

    I still think security will be the biggest issue for MS in the future, when Longhorn is out and about. (I've tried programming in Win32 and DirectX...Its not pretty and straightforward. Its full of notations and such that seem to clutter all over the place...Its hours of pointless exercises of staring at code (I wonder why security patches take so long!)...The best seems to be using open-source tools that allows your code to be compiled on the majority of OSs out there...Its all simple and straightforward).

    In addition to that, their response time from potential security issue to a solution, is a joke. Why do they take months for a patch when open-source solutions take hours to a few days?

    Why? Because Microsoft isn't making money out of it. That's why. Its obvious that their policy is to delay it until an exploit app is developed and becomes a major issue, will they bring in a patch. And the patch itself may break other fixes or break compatibility or functionality!

    Bill Gates claimed they can have a turn-around time of 48hours...LIER! There are several issues with IE that need to be addressed...What are you gonna do Bill? Oh, I know! Don't patch it, and encourage users to upgrade to Longhorn...Profits come raking in! And what about those who still won't upgrade?

    For me...WinXP/2k/2k3 is the last series of Windows I'm trying. After this, its all open-source solutions. (mainly BSDs). I've just had enough!

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]