Lukasz Sztachanski wrote:
> On Fri, Jan 27, 2006 at 01:42:13AM +1100, Shane J Pearson wrote:
> >
> > ~~~
> > OpenBSD
> > by hahiss
> >
> > How is it that OpenBSD is able to be so secure by design with so few
> > resources and yet all of Microsoft's resources cannot stem the tide of
> > security problems that impact everyone, including those of us who do not
> > use Microsoft programs?
> >
> > Nash: First, I should say that OpenBSD includes a relatively small
> > subset of the functionality that is included in Windows. You could argue
> if you consider `solitaire' as `functionality', then yes ;)
> As far as I know, MS doesn't provide reliable software for network
> services; OpenBSD does.
>
> > that Microsoft should follow the same model for Windows that the OpenBSD
> > Org follows for their OS. The problem is that users really want an OS
> > that includes support for rich media content and for hardware devices,
> What? MS doesn't write drivers for all devices; if there were a bug
> in NVidia's Windows driver, then NVidia would be the one to blame.
> Moreover, Windows `built-in' drivers are usually bad and give low
> performance and a minimum of functionality.
>
> > etc. So while OpenBSD has done a good job of hardening their kernel,
> > they don't seem to also audit important software that are used commonly
> > by customers, such as PHP, Perl, etc. for security vulnerabilities. At
> Yeah, and MS should audit and be responsible for every foo.bar available
> for Windows ;)
>
> > Microsoft we're focusing on the entire software stack, from the Hardware
> > Abstraction Layer in Windows, all the way through the memory manager,
> > network stack, file systems, UI and shell, Internet Explorer, Internet
> > Information Services, compilers (C/C++, .NET), Microsoft Exchange,
> > Microsoft Office, Microsoft SQL Server and much, much more. If a
> > software company's goal is to secure customers, you have to secure the
> > entire stack. Simply hardening one component, regardless of how
> > important it is, does not solve real customer problems.
> >
> OpenBSD provides in its base system substitutes for almost all that software.
> First and foremost, OpenBSD is designed for a different type of user; the author
> of that opinion surely isn't that type.
>
> > Second, it is not completely accurate to say that OpenBSD is more
> > secure. If you compare vulnerability counts just from the last 3 months,
> > OpenBSD had 79 for November, December and January compared to 11 for
> > Microsoft (and that includes one each for Office and Exchange - so
> > really 9 for all versions of Windows). I encourage you to look at the
> > numbers reported at the OpenBSD site to verify that this is true.
>
> People always talk about numbers, but the most important thing is approach. I
> truly believe that it's impossible to build anything secure on the
> foundations of the MS platform.
> Recently I wrote a simple application using random numbers; I was
> disappointed when I had to port it to Windows and Linux and saw
> the results.
>
>                               - Lukasz Sztachanski
>
> P.S. I know that OpenBSD isn't perfect, but it's the only reasonable
>      choice.
>
> --
> 0x058B7133 // 16AB 4EBC 29DA D92D 8DBE  BC01 FC91 9EF7 058B 7133
> http://szati.blogspot.com
> http://szati.entropy.pl

As I explain to my users:
Microsoft has immense difficulty walking and chewing gum at the same time.
Most everything works pretty well assuming that everything else in the
universe is perfect, and you don't really try to do too much.
Microsoft is very good at letting you throw something at it and have it come out
looking half-way presentable. In many cases that is all you want or need.
As time progresses, the newer computers are really just overgrown dumb
terminals (it takes a lot of horsepower for a browser to be fast and
snappy).
Everything important, you put somewhere outside of Microsoft's reach.

BTW, I lurk on the list because it is one of the FEW sources of sanity.

Security. If it has the slightest possibility of actually mattering:
Do not fool yourself.
Do not fool your customers.
Do not fool your suppliers.

If it actually does matter:
It's long and hard to accomplish what seems to be almost nothing.
OpenBSD has and does at least try.  (Actually very friendly, considering)
Some stuff looks like actually accomplishing something.  (*)
Most everybody else is trying to find some cheap shot:
does a little (almost) and wants to claim it does it all.

What the users really want seems to be a $2000 computer that
functions as well as a $200 DVD player. Seems to be the direction.


(*) Secure:  Vulnerability in a critical service.
Running and your enemies are competent.
Read and understand the vulnerability.
And sneer, because that is not enough to do you in.
That is security. Anything less is still just trying.

And you've got grown men, presumably post kindergarten, who somehow
think that counting "vulnerabilities" actually means something.
I think you'll find that sub-standard "dumb" users are far
too intelligent to fall for that stupid a line.
