Sniping at OpenBSD

Noel writes "An article at RootPrompt.org talks about the reaction to the announcements by the OpenBSD developer team about new exploits that implied that the developers had been hiding the truth about the exploits so as to not tarnish the reputation of OpenBSD."

Molehill

[frankie]

This is a non-issue. I read the whole silly flamewar on Bugtraq, and I agree with Theo. The point of OpenBSD is that they repair the source IN ADVANCE, even before they know what the potential problems are.

People found an exploit for a version that's two months out of date, and they're having sour grapes because they only got to bask in the H4X0R spotlight for negative sixty days.

Re:Molehill

[SirGeek]

And how many people are still running the 2month old version ? 95% of people do NOT run the latest and greatest (especailly companies where they have to run the same version on all systems until it has been tested) and in fact, most probably skip versions or they would have to update all their servers every few months (not easy or practical).

The problem that bugtraq has ( I think ) is that they fix "bugs" (not really, its programming style) and then don't tell anyone that it "could" be exploited... then when some other BSD does get bitten by the "bug" they yell "See.. We fixed it already ..." (when they should have at least announced the potential for it to be exploited.)

Re:Molehill

[Duke of URL]

Carefully read through the quotes supplied on the article:

Todd Miller an OpenBSD developer responded to this question with the following:

"As one of the people who took part in the audit I can honestly say that we didn't think they *were* exploitable. There was no intention of hiding any fixes, we just went through the entire source tree (we did not target privileged programs specifically) and fixed format string problems where we found them and released patches for those we knew to be exploitable (like xlock)."

As far as running old versions of Win95, well OpenBSD users are quite different from Win95 general users. People who are running OpenBSD like to apply those patches,etc.

Re:Molehill

[Anonymous Coward]

That is what makes OpenBSD sooo good. Up to now, the "Secure by Default" and "no Local root exploit" meant that if my name servers had uptimes of 270+ days, I didn't need to worry. It also means I missed upgrading to the versions that came out.
On the other hand, the one anonymous ftp server got upgraded back then when the scare about ftp servers was announced on BugTraq.
So take your pick. Run a server that doesn't have user accounts and let it run and run, until you upgrade the hardware and step up to the latest version, or watch the changelog and be prepared to patch or upgrade if something like this comes along.
I just looked at the uptimes on my OBSD servers:
one-nameserver 284 days
two-nameserver 274 days
three-ns/dhcp 306 days
www 166 days
general-net-mgr 336 days
ids-system 104 days
and none of them are -release, all are snapshots from when ever I was installing, and because of the OpenBSD paranoia, I don't worry about them being exploited. Good code just runs solid, and makes it easier to get the rest of the real work done.

Re:Molehill

[Anonymous Coward]

If the OpenBSD team announced every bug fixed in case it might be exploited in the future, we could simply rename bugtraq to openbsd-cvs-announce.

Re:Molehill

[SirGeek]

As far as running old versions of Win95, well OpenBSD users are quite different from Win95 general users. People who are running OpenBSD like to apply those patches,etc.

Where did you get Windows 95 from ? I said 95 % of people...

Re:So what? At Least they are finding/fixing the b

[bugg]

No, it really doesn't take too long with a little perl or with a program such as cscope. Heck, just do a big grep for "printf" and exclude matches that have quotes. That'll find you the offenders real quick.

Yeah, right

[Alejo]

They have mailing lists and SEVERAL webpages pointing out ALL the vulnerabilities. BTW the've found hundreds since 1996, and it would be nuts to post ALL on Bugtraq.

Re:Molehill

[Duke of URL]

Where did you get Windows 95 from ? I said 95 % of people..

Whoops. Sorry about that.

Well, from reading the OpenBSD misc-list I get the feeling that even though there are plenty of users not running the current version of OpenBSD, they still like to apply all the patches so their non-current OpenBSD system is still up to snuff.

My eyes must have been tired to turn that 95% into win95. Either that or supporting win95 boxes for the users is driving me mad.

Whats your OS audience / community / tribe

[sniggly]

Those who require the tight security OpenBSD provides are also those who will have subscribed to the relevant OpenBSD announcement lists so they always have the opportunity to fix any problem that might lead to an exploit.

If you require tight security and yet you run an OS without the latest security patches youre asking for trouble no matter what OS you're using.

<I'm getting tired of this mode on>
At times its discouraging to see so much pointless bickering and the "My CPU/OS/GUI/Car/Race/Planet/Dogma is better than yours" and all the "neer neer neer" having to do with that attitude. And it makes me shake my head to in some cases to see some media pick up on it and actually present some of this dreary immature factionalism fit for the stone age as if it represents the viewpoint of any sizeable group or even project.

To say that OpenBSD "was hiding the truth" by not flooding BugTraq (while posting everything you ever wanted to know on their website and in their lists) is just that type of time wasting drivel. You wouldn't rely on the new york times to tell you about whats going on in Kansas city; no you rely on sources of information relevant to you and scaled to your domain.
<getting tired of this mode off>

Sorry about that, im actually still capable of getting worked up over this :)

Re:Molehill

[DrWiggy]

Yeah, but they don't fix every bug do they? For example, now format string bugs are starting to appear, there is a whole new class of vulnerability that caught even the OpenBSD off-guard.

With regards to keeping the holes they find to themselves - well, if you had ever tried writing an exploit, you would realise that just because there is a dodgy function call deep within a load of code, being able to exploit that vulnerability is another matter completely. I think they just patch everything they can, and if it's later found to be exploitable then I think they have the right to say they fixed that hole 3 years ago. :-)

It's irrelevant.

[electricmonk]

How many commercial software vendors do you know of that have caught flak for having security holes in beta versions of their software?

I sure hope no one was dumb enough to put something important in a -CURRENT release OpenBSD, since everyone knows that those releases are on the bleeding edge of the OS development, and as such should only be used for testing purposes. If you are truely concerned about security or stability, use a -RELEASE version, or at least a -STABLE version.

(Disclaimer: I use FreeBSD, so I don't know if I am correct in mentioning the different states of development, i.e. -CURRENT, -RELEASE, etc. I believe, however, that it is something like this.)