On Thursday 28 July 2005 12:37 pm, Dave Feustel wrote:
> On Thursday 28 July 2005 11:24 am, Moritz Grimm wrote:
> > Dave Feustel wrote:
> > >>And
[snip]
> > of this anecdote: A pal once had to deal with a probably-owned OpenBSD
> > box, because his clueless co-admin installed an outdated, vulnerable
> > MySQL server by hand (not related to ports/packages at all), and likely
> > configured it in a bad way, too. Some script kiddie managed to exploit
[snip]
> > My point is mostly that, if you try really hard, you can make an OpenBSD
> > box insecure. OpenBSD can also not help you when you run an
> > OpenBSD-aware trojan as root, for example.
> >
> > Moritz
>
> Thanks. I have installed several software packages not in the
> ports/packages and I realize that running "sudo make install" is not safe.
> Sometimes I just run the software under my non-root login without
> installing.
It isn't running software that isn't in the ports system that is the problem. The problem was that the software version installed had some vulnerability and it was never updated to a patched version. Not keeping up with security updates is how most systems get updated, and it can happen to any system, no matter how secure the default install of the operating system is.

Security is a big cat-and-mouse game, especially when you are a big target like, say, Microsoft or Google. There is no one configuration that you can say is 100% bullet-proof; it is always a moving target where you are constantly juggling known exploits and bugs, new patches, system security, and system usability (which includes availability).

Tim Donahue
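The failure Tim describes (a hand-installed daemon that the package system never updates, so it quietly falls behind the release that fixed a bug) is the kind of thing an inventory check catches. What follows is an added example, not code from this thread or from OpenBSD: a small audit that compares an inventory of hand-installed software against the minimum versions you have decided to allow. The inventory and the minimum versions are constructed placeholders for illustration, not statements about real vulnerabilities in those releases. The one thing worth noticing is the version comparison: it is done numerically per component, because comparing version strings lexically says "4.0.9" is newer than "4.0.10".

```python
"""Audit hand-installed software against a minimum-version policy.

Added example (not from the mailing-list thread). The inventory and the
MINIMUM table below are constructed for illustration; the minimum versions
are hypothetical policy values, not claims about real vulnerabilities.
"""
import re

# Constructed inventory of software installed outside ports/packages.
# Real life: fill this from `program --version` output or a hand-kept list.
INVENTORY = {
    "mysql":   "4.0.20-standard",   # hand-built, never updated
    "apache":  "1.3.29",            # hand-built
    "openssh": "4.1p1",             # present, but no policy entry below
}

# Hypothetical policy: the lowest version the admin is willing to keep
# running. Anything older is flagged as stale and due for an update.
MINIMUM = {
    "mysql":  "4.0.24",
    "apache": "1.3.33",
}

_NUMERIC = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '4.0.20-standard' into (4, 0, 20) and '4.1p1' into (4, 1).

    Only the leading dotted-number run is used; suffixes such as
    '-standard' or 'p1' are ignored for the comparison.
    """
    m = _NUMERIC.match(text.strip())
    if not m:
        raise ValueError("no numeric version in %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def is_below(installed, minimum):
    """True if `installed` is strictly older than `minimum`.

    Components are compared as integers, so 4.0.9 < 4.0.10, and missing
    trailing components count as zero, so 4.1 == 4.1.0.
    """
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(inventory, minimums):
    """Return (stale, unknown).

    stale:   list of (name, installed, minimum) where installed < minimum
    unknown: names with no policy entry at all; exposure is undetermined,
             which is its own finding rather than a pass.
    """
    stale, unknown = [], []
    for name in sorted(inventory):
        installed = inventory[name]
        if name not in minimums:
            unknown.append(name)
        elif is_below(installed, minimums[name]):
            stale.append((name, installed, minimums[name]))
    return stale, unknown


if __name__ == "__main__":
    stale, unknown = audit(INVENTORY, MINIMUM)
    for name, installed, minimum in stale:
        print("STALE   %-8s installed %-16s minimum %s" % (name, installed, minimum))
    for name in unknown:
        print("UNKNOWN %-8s no minimum-version policy recorded" % name)
```

Run it as a cron job against a list you maintain for anything built by hand, and treat an "UNKNOWN" line as work to do, not as a pass: software nobody has a policy for is exactly the software nobody is updating.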

