PhillyKev

Debunking the myth that OpenBSD is so secure

I know that, and you know that. But I always hear a lot of Linux proponents claiming that OpenBSD will never suffer from the same vulnerabilities as MS.

Fact is, they're both secure, or insecure, depending on the skills of the person maintaining the network. Neither is inherently more secure than the other.

OpenBSD went for more than 5 years without a remote vulnerability in the default install.

The reality is that a skilled administrator can make either system fairly secure; OpenBSD is more secure by default, owing to the way it's installed.

And I don't know that you can ever completely secure a platform unless you control ALL the software running on it 100%, which is something that is very difficult with OpenBSD, and completely impossible with Windows.
7CP#1 | BTR#2 | Payaso en fuego Rodriguez
"I want hot chicks in my boobies!"- McBeth

Yeah, but compared to the 4 NT4 (it was a few years ago when I was doing this) boxes I ran, the BSD box was lightyears easier to secure than the NT boxes.

To top it off, one of the NT boxes *had* to have Frontpage extensions on it...AGGGHHHHH you talk about a fucking security nightmare. Any fucking AOL script kiddy could crack that if they tried, just because of the shit the extensions opened up and there wasn't really much we could do to prevent that. But nooooooo, the end users had to have those extensions.
--"When I die, may I be surrounded by scattered chrome and burning gasoline."

Every week Windows Update is telling me to download a new patch for holes allowing remote systems to run arbitrary code. Anyone who claims any OS is totally secure by default is foolish. The only way to be totally secure is to unplug the computer and lock it in a safe. But then the safe might get stolen. You have to keep up with stuff like this. I download the winblows updates, and when I read about this yesterday I turned off ssh until a fix is tested. A decade of internet use and I have never touched a virus scanner, never caught a virus, never exploited and never been affected by a worm. Except when they bog down my firewalls looking for open Windows boxes.

This looks like an OpenSSH vulnerability rather than an OpenBSD vulnerability.

Most open source UNIXes come with OpenSSH including FreeBSD, Linux, etc...

This hole is not specific to any OS, so I don't think it's fair to claim OpenBSD is insecure because of it. I use FreeBSD myself and have no direct experience with OpenBSD, but I think I can still say this.
Any OS that uses these crypto libs will have the same vulnerability until it's fixed.

I wouldn't claim that Win2k is insecure because of an Exchange exploit.

One is an OS, the other is an Application.

In this particular case, one is OS, the other is the Crypto libraries it uses for secure connections. I'd be willing to bet that the OpenSSH guys have this fixed in very short order.

In any case, I don't think that this debunks any claims. These UNIXes are quite secure. NOTHING is totally secure, nor do any of them claim to be as far as I know.

PS. Thanks for the info. I'll be updating my systems as soon as the updates are available B|

blah blah blah blah sendmail blah blah blah blah

Why, oh why do you use sendmail? I used a secondary app (fuck me if I could remember what it was called) for no other reason but Sendmail's history of extreme security holes.
--"When I die, may I be surrounded by scattered chrome and burning gasoline."

Quote

CERT Advisory CA-2003-25 Buffer Overflow in Sendmail

2 in one week. Uh oh. :o



2 whats in one week?

Again, sendmail is an application, not an OS.

This would make 1 vulnerability in a crypto library and 1 vulnerability in an SMTP application in the same week.

So far I have seen none for OpenBSD or any other open source UNIX OS.

OpenBSD and OpenSSH are created and maintained by the same folks. This does not make them the same thing.
Sendmail has nothing to do with either of them.

By your initial reasoning, the Mustang would be defective if the Taurus were found to have a defect.
With regard to sendmail, it's like saying that the Mustang is defective because the stereo inside it isn't indestructible.

Try to be at least a LITTLE fair even if you don't like UNIX.
B|

Of course if your intent is merely to prod the UNIX guys into reacting, well....you win! ;)

Quote

Sendmail's history of extreme security holes.



As a matter of fact, the extreme holes you refer to are because it was originally written back when security was not the primary consideration.

This has been addressed 10 fold since that time. It's not perfect though, what is? It IS the most reliable (and most widely used) MTA in the world.
I use it on my external SMTP gateway because it's very robust, can take a MAJOR pounding without failing, and by default is not a 3rd party relay.

Sendmail has been secured quite a bit over the years, but have you looked at the source? Buffer overflows are not really a surprise, it's still a mess in there. Which is why smaller, simpler MTAs are getting so popular.

Sendmail is very robust, but easy to misconfigure, and yes, it's prone to buffer overflows and other security problems. There are more secure MTAs out there now, so IMHO, Sendmail is kind of obsolete.

On the bright side, it's nowhere near as bad as Exchange or Outlook! ;)
7CP#1 | BTR#2 | Payaso en fuego Rodriguez
"I want hot chicks in my boobies!"- McBeth

Quote


There are more secure MTAs out there now, so IMHO, Sendmail is kind of obsolete.

On the bright side, it's nowhere near as bad as Exchange or Outlook! ;)



Dats why I only use it (sendmail) on the gateway. I use iPlanet 5.2 and Directory (ldap) 5.1 on Solaris for the actual messaging server.

I agree on the config issues but take a look at a product called "Webmin". This can be used to configure and maintain a lot of those hard to configure apps like Sendmail.

I'll take any decent standards based application over proprietary crap like Exchange any day of the week.

Quote

2 whats in one week?

Again, sendmail is an application, not an OS.

This would make 1 vulnerability in a crypto library and 1 vulnerability in an SMTP application in the same week.



Hey, people bash WinTel because of problems with different software programs. If you're going to lump them all together on one side, you have to do the same on the other.

Quote


Hey, people bash WinTel because of problems with different software programs. If you're going to lump them all together on one side, you have to do the same on the other.



I am not people. I am person ;)

I don't lump them together on either side, so I don't have to remain silent while others do it.
You don't have to either if you don't want to B|

Quote

Sendmail has been secured quite a bit over the years, but have you looked at the source? Buffer overflows are not really a surprise, it's still a mess in there. Which is why smaller, simpler MTAs are getting so popular.
;)



While it is true that complexity is generally the enemy of security, there have been several examples of very well known security professionals who have written very small pieces of code that have subsequently been found to be vulnerable. If they can't get 100 lines of code right, it doesn't bode well for anything larger...

The root of the problem w.r.t. buffer overflows is that the underlying language, C, has very little bounds control.

- Andrew

Quote

This has been addressed 10 fold since that time. It's not perfect though, what is? It IS the most reliable (and most widely used) MTA in the world.
I use it on my external SMTP gateway because it's very robust, can take a MAJOR pounding without failing, and by default is not a 3rd party relay.



I use Postfix on my external email relays, 5 of them. Postfix is secure, robust, able to handle a larger load than Sendmail, and like Sendmail, is not an open relay by default. Oh, did I mention that Postfix config files don't have any of this "#$ <*?#!>" crap? I'll never use Sendmail again. Never.

-
Jim
"Like" - The modern day comma
Good bye, my friends. You are missed.
