Re: How much does battle-testing weigh?
> Economics 101: doesn't matter what you say, it matters what you DO. Everyone says security is important; few actually give a shit about it.

Amen brother! That's right to the point!

Nick.
Re: How much does battle-testing weigh?
On 3/14/22 4:31 PM, the guy who couldn't solve a trivial problem without vi on the install media wrote:

> Billions of companies world wide use the Linux kernel and several of the major Linux distributions daily. It would stand to reason that that would make a lot more bugs be discovered.
>
> The OpenBSD project can have the best coding practice, the best handle on security mitigations, the best default options, but if very few companies worldwide use the system, then it's not very battle-tested.
>
> The famous old message on the website has been removed, but the "Only two remote holes in the default install, in a heck of a long time!" is maybe because "no one" is using the system in production except very few.

That's a fascinating leap of (il)logic. "I found a change on the website, and it must be proof of my point!"

> How much does battle-testing matter?

By your logic, Windows is the best, as it is most "battle tested", by probably an order of magnitude greater than all Linux installs combined.

What matters is people actively looking for problems. That's not a popular activity with most projects and most OSs. It is much more rewarding to most people to add features, not to debug existing code...and thus, you end up with ... Linux and Mozilla products.

Economics 101: doesn't matter what you say, it matters what you DO. Everyone says security is important; few actually give a shit about it.

Nick.
Re: How much does battle-testing weigh?
On Tue, Mar 15, 2022 at 01:08:38AM +0100, i...@tutanota.com wrote:

> Do you believe that OpenBSD has less attack vectors? I fail to see that. If I install a basic Debian, just as an example, with only the base system, there is nothing running to attack. If I install NGINX on OpenBSD and on Debian, about equal attack vectors exist.

You probably meant to write "if I install NGINX on OpenBSD and on Debian, about equal attack vectors exist in NGINX".

> In this case I would perhaps prefer to use NGINX over httpd for the exact reason mentioned, it is much more battle tested.

Fantastic. Congratulations! Now put it in a chroot on OpenBSD and, assuming the Nginx team has actually created a legitimate port using the security features available in OpenBSD, you have threat mitigations at the operating system level that likely are not available in Debian.
Re: How much does battle-testing weigh?
On Mon, Mar 14, 2022 at 8:13 PM wrote:

> Please see "Are all BSDs created equally. OpenBSD vs NetBSD vs FreeBSD"
> https://www.youtube.com/watch?v=AvSPqo3_3vM
>
> How they are handled is another matter, but its just as easy as it is in other OS's.
>
> Do you believe that OpenBSD has less attack vectors? I fail to see that.

That video you referenced indicates that OpenBSD has *less* attack vectors than the other BSDs, and that is stated several times in several different ways in that video. (Check out the text displayed 40 minutes, 30 seconds in, for example.)

Less attack vectors is of course not the same as no attack vectors. And it's often worth understanding what the issues are (not only in the kernel, but at the hardware levels).

That said, we have to live with imperfect security, so we also have to live with mitigation efforts.

Thanks,

-- Raul
Re: How much does battle-testing weigh?
It depends on your threat model. All else being equal, using a less known OS can even be safer.

A popular OS will have many people motivated to dedicate time to find flaws and thus, will have many more known vulnerabilities plus a number of holes that are not disclosed by the researchers. If vulnerabilities are already found, automating attacks becomes cheap. That means that you can end up being pwned even if no one was targeting you specifically.

While automating attacks using known vulnerabilities is cheap, finding new vulnerabilities is expensive because it requires expertise that is rare and well paid. So if you are using some niche OS that no one knows, you are only at risk if your threat model includes motivated people with resources being focused on you. If this is not the case, it is not too hard to find a handful of OSes that never had a single remote hole found in the default install since forever.

Popularity aside, it pays to take your time to understand why it is harder to find new security flaws on OpenBSD than on your average OS. Understanding the concept of attack surface could be a good start.

On Mon, 2022-03-14 at 21:31 +0100, i...@tutanota.com wrote:

> Billions of companies world wide use the Linux kernel and several of the major Linux distributions daily. It would stand to reason that that would make a lot more bugs be discovered.
>
> The OpenBSD project can have the best coding practice, the best handle on security mitigations, the best default options, but if very few companies worldwide use the system, then it's not very battle-tested.
>
> The famous old message on the website has been removed, but the "Only two remote holes in the default install, in a heck of a long time!" is maybe because "no one" is using the system in production except very few.
>
> How much does battle-testing matter?
>
> Kind regards.