On Apr 3, 2014, at 10:20 PM, Kenneth Westerback <kwesterb...@gmail.com> wrote:

> On 3 April 2014 22:04, Martin Braun <yellowgoldm...@gmail.com> wrote:
>> As we all know on the front page of OpenBSD it says "Only two remote holes
>> in the default install, in a heck of a long time".
>> 
>> I don't understand why this is "such a big deal".
>> 
>> Apart from the base system in xBSD, OpenBSD - so far - also contains a
>> chrooted web server, that can't be used for much else than serving static
>> content, and then the X system, which also can't be used for anything
>> before installing some third party application.
>> 
>> All in all the default install is pretty useless in itself and I am going
>> to quote "Absolute OpenBSD" by Michael Lucas:
>> 
>>  «You've installed OpenBSD and rebooted into a bare-bones system. Of
>> course, a minimal Unix-like system is actually pretty boring. While it
>> makes a powerful foundation, it doesn't actually do much of anything.»
>> 
>> So we need those third party applications to start the party, yet none of
>> these applications receive the same code audit, security development and
>> quality control as OpenBSD does.
>> 
>> As soon as we install a single third party application our entire operating
>> system is, in theory at least, compromised as these third party
>> applications get installed as root.
>> 
>> Maybe I am just plain stupid, but could someone explain to me the point in
>> "bragging" about only two remote holes in the default install, when the
>> default install is useless before you add some content to the system,
>> unless you're running a web server serving static content only?
> 
> Firewalls? BGP Routers? Email servers? Relayd load balancers? All
> base-only external facing devices that might be nice to not have
> exploits in by default.
> 
> .... Ken
> 
> 
>> 
>> Best regards.
>> 
>> Martin
> 

It’s also nice to know you can safely enable networking on your
computer to install software, whether connected directly or through a
firewall. In theory your own network should be a safe haven. In
practice we know that's not always the case.

The current survival time for an unpatched Windows system when first
connected to the internet ranges from 66 minutes to 2,630 minutes.*
I've seen Windows computers take hours to fully patch after initial
install.

Linux systems have much better ranges (95 minutes to 2,141) and
usually patch much quicker.

Still, all else being equal, I choose the system that's not likely to
be compromised while I patch or install software.

And that's worth bragging about.

--Aaron

* Data for 2014-01-01 through 2014-04-03:
  <https://isc.sans.edu/survivaltime.html>.
