On Fri, Jan 22, 2010 at 12:13:38PM -0500, Dan Harnett wrote:
> On Fri, Jan 22, 2010 at 07:22:58AM -0600, Marco Peereboom wrote:
> > It doesn't and I'll argue all day that it won't help you a bit.
>
> I couldn't agree more.
>
> > BTW, microsoft implemented every single ACL type mechanism the NSA ever
> > made public. Tell me again how well it worked for them.
>
> More importantly, how well has it worked for end users doing general
> computing tasks?
>
> Glancing through the author's other posts, I don't get the feeling that
> this person is in an environment that needs the level of security that
> the NSA does or has ever been in one. Most of the posts revolve around
> removing malware from Windows XP or which virus scanner is the best...
> <sarcasm>I'm not sure why ACLs have not helped this person in those
> situations.</sarcasm>
>
> Nowhere in the article is proof provided that OpenBSD is insecure.
> There are comparisons made. "OS A has 'this', OS B has 'that'. OpenBSD
> does not. So, OpenBSD by comparison is less secure, therefore
> insecure". It's non-sense. There isn't even proof that feature "this"
> or feature "that" have provided stronger security. Those features are
> not enabled by default and are often tedious to get working correctly.
> Basically, OS A does not benefit from "this" out of the box and OS B
> does not benefit from "that" out of the box. They are strawman
> arguments with no actual facts.
>
> The benefits of OpenBSD are not even covered. The author claims OpenBSD
> makes no effort to contain unauthorized remote access, yet many of the
> default daemons attempt to contain security breaches through reduced
> privileges and chroot. Basically, the same effect the author claims a
> MAC system would give you (if that system were infallible and effective,
> as the author blindly believes). It's built into the daemon, by
> default. How did the author miss this?
>
> I also do not understand why strlcpy and strlcat are causing the author
> so much grief. This person didn't seem to know they existed before
> writing the article. I work in an ISP environment and it has caused
> zero issues to both myself and our users. Of course, the author does
> not provide any real world examples of issues or exactly what code has
> been broken by use of strlcpy or strlcat.
>
> The author also missed how OpenBSD's current methods match its
> development model very well. The OpenBSD developers are in control of
> all the code. There aren't 3rd party patches being introduced daily
> that change thousands of lines of code with unknown consequences or
> unintended interactions with the existing code base. Correcting the
> code works very well for OpenBSD.
>
> The only facts I actually got from the article are (1) OpenBSD does not
> have some type of MAC, which I already know, and have no problem with,
> and (2) the author does not like OpenBSD and wants you not to like it,
> too.
>
>
The author of the linked article kind of lost me at "as soon as a
service is enabled or software from the ports tree is installed."
Well SHEEIIITTTTTTTT, who knew. I better run out right now and replace
all my firewalls with iLinux.
I had no idea that it was up to me to understand/mitigate the risks in
using ports and services. How dare I not get my hand held.
I don't see much difference between this point and saying Windows is
secure only until you plug in the ethernet cable.
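On the strlcpy/strlcat point raised in the quoted reply, here is an added example (not code from this thread or from the OpenBSD tree) showing what those functions buy a caller over strncpy. The two `my_strlcpy`/`my_strlcat` helpers are a portable reimplementation of the documented OpenBSD semantics so the example builds anywhere; `build_path` and `strncpy_leaves_terminator` are hypothetical helpers written for this demonstration. The point is that strlcpy/strlcat always NUL-terminate (when the size is non-zero) and return the length they tried to produce, so truncation becomes a checkable return value instead of a silently unterminated or silently shortened buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Portable reimplementation of OpenBSD strlcpy() semantics (example code):
 * copies at most dstsize-1 bytes, always NUL-terminates when dstsize > 0,
 * and returns strlen(src) so the caller can detect truncation with
 * "ret >= dstsize". */
size_t my_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Portable reimplementation of OpenBSD strlcat() semantics (example code):
 * appends src to the NUL-terminated string in dst, never writing past
 * dstsize bytes, and returns the total length it tried to create. */
size_t my_strlcat(char *dst, const char *src, size_t dstsize)
{
    size_t dlen = 0;
    while (dlen < dstsize && dst[dlen] != '\0')   /* bounded strlen(dst) */
        dlen++;
    if (dlen == dstsize)                           /* dst not terminated: cannot append */
        return dstsize + strlen(src);
    return dlen + my_strlcpy(dst + dlen, src, dstsize - dlen);
}

/* Hypothetical caller: build "<dir>/<name>" into a fixed buffer and refuse
 * to continue on truncation rather than operate on a shortened path.
 * Returns 0 on success, -1 if the result would not fit. */
int build_path(char *out, size_t outsz, const char *dir, const char *name)
{
    if (my_strlcpy(out, dir, outsz) >= outsz)
        return -1;
    if (my_strlcat(out, "/", outsz) >= outsz)
        return -1;
    if (my_strlcat(out, name, outsz) >= outsz)
        return -1;
    return 0;
}

/* Hypothetical check showing the strncpy pitfall: copy src into a buffer of
 * bufsize bytes with strncpy and report whether a terminating NUL exists
 * anywhere in that buffer. Returns 1 if terminated, 0 if not, -1 on bad size. */
int strncpy_leaves_terminator(const char *src, size_t bufsize)
{
    char buf[64];
    if (bufsize == 0 || bufsize > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);        /* poison so a missing NUL is visible */
    strncpy(buf, src, bufsize);          /* no NUL written if strlen(src) >= bufsize */
    return memchr(buf, '\0', bufsize) != NULL;
}

int main(void)
{
    char path[16];                       /* deliberately small to force truncation */

    if (build_path(path, sizeof path, "/tmp", "a.txt") == 0)
        printf("ok:        %s\n", path);
    if (build_path(path, sizeof path, "/var/www", "index.html") != 0)
        printf("truncated: refused to use \"%s\"\n", path);

    /* Constructed inputs: an 8-byte buffer and an 8-char string. */
    printf("strncpy terminated (\"abc\", 8):      %d\n",
           strncpy_leaves_terminator("abc", 8));
    printf("strncpy terminated (\"abcdefgh\", 8): %d\n",
           strncpy_leaves_terminator("abcdefgh", 8));
    return 0;
}
```

The second `build_path` call leaves `path` holding a terminated but shortened string; the non-zero return is what lets the caller refuse it, which is exactly the check a plain `strncpy` cannot offer because it reports nothing and may not terminate at all.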