Re: [Full-Disclosure] Re: Microsoft Security, baby steps ?

From: Daniele Muscetta (daniele_at_muscetta.com)
Date: 03/17/04

  • Next message: Geoincidents: "Re: [Full-Disclosure] Re: Microsoft Security, baby steps ?"
    To: <full-disclosure@lists.netsys.com>
    Date: Wed, 17 Mar 2004 12:52:55 +0100 (CET)
    
    

    Dave Horsfall said:
    > On Wed, 17 Mar 2004, Daniele Muscetta wrote:
    >> ....I know, you roughly have some 26 Megabytes of patches to be
    >> installed POST-SP4 and POST IE60SP1 on W2K.
    >> Is any other OS any better lately ?
    >
    > OpenBSD. FreeBSD. NetBSD. BSD/OS. See the pattern?

    Yes I do.
    Even if patching of a BSD box is not something that anybody can do, just
    like everyone uses windowsupdate / up2date / yast / apt-get and
    similar....
    ...you know what I mean: grab the source code patch / diff file, patch the
    code, recompile... and possibly recompile everything that is statically
    linked to that component/library....On big server farms this could still be annoying... not to say the
    obvious, like I cannot imagine my mum managing being able to do ANYTHING
    with such an OS, while she CAN windowsupdate (and she does) :)

    > I had a BSD/OS box exposed to the Net without a firewall for *years*;
    > it was quite funny watching Penguin/OS exploits against it.

    Indeed it is :)
    There are people out there who just attack anything which has an IP
    address, without even verifying if it is exploitable of not (or worse, if
    it is for the right OS). In this regard I also observe FrontPage server
    extensions exploits against some Netware server running Apache :) That
    will of course never work. It's just plain silly. Still they try. But in
    those cases I see the same exploit being tried on several contiguos
    addresses, which means is like a 'sweep' scan of the entire subnet, most
    likely....

    Anyway, I personally don't know FreeBSD, but I can talk for OpenBSD.

    This has also to do with other two factors, IMHO:
    1) less software shipped in default configurations;
    2) smaller 'market penetration' (assuming you can talk of a 'market' for
    OpenBSD - even if I'm one of those who keeps buying the official CDs to
    support the project !) - but in the end is more used by 'geeks' than by
    'companies'...
    This is not meant as an attempt to diminish BSD strenght.
    I also have an OpenBSD box on the internet, and it is awesome.
    The choice of shipping LESS software by default is a very wise one (and
    many linux distros in this regard are copying windows too much, enabling
    everything by default to facilitate the user - and the cracker).
    With 'smaller market penetration' I don't want to say that that code is
    less looked at (most likely it is indeed better code), but mainly that
    the crackers go usually after QUANTITY: they search to compromise AS MANY
    boxes as possible.... so they go after the most used OSes. IMHO, of
    course.This has been shown in the increase of linux compromises, anyway....
    Why should they bother having a hard time trying to compromise a
    super-hardened BSD box which belongs to a savvy admin (who's most likely
    going to spot them soon if they succeed), rather then just trying to shoot
    their exploits against everything, and hope to get as many as possible ?

    Let's not start with the 'holy war of the OSes' again... is one of those
    never ending question.... we are already off topic, I believe. If you
    like, continue with mailing me privately.

    Best Regards,

    Daniele

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Geoincidents: "Re: [Full-Disclosure] Re: Microsoft Security, baby steps ?"

    Relevant Pages

    • Re: Adaptec AAC raid support
      ... I am certainly not the only FreeBSD user who has reason to thank Scott ... Leaving OpenBSD and moving to FreeBSD ... but because the FreeBSD community was really is ... Scott Long is particularly outstanding in this regard. ...
      (freebsd-questions)
    • Re: Open Vs Free BSD
      ... NetBSD: Run on any hardware ... OpenBSD: ... FreeBSD: ... I like NetBSD (because of the supported platforms - especially RiscPCs - and the clean implementation). ...
      (freebsd-stable)
    • Re: Fwd: That whole "Linux stealing our code" thing
      ... The myth that Theo understands dual licensing? ... It's no longer dual licenced in the FreeBSD tree because the FreeBSD ... FreeBSD doesn't have Reyk's athHAL from OpenBSD, ... dual licenced files planned to make GPL-only ...
      (Linux-Kernel)
    • Re: Quick and dirty router/firewall to test something?
      ... using FreeBSD vs. OpenBSD. ... Soekris boards up against commercial Watchguard and Cisco offerings any ... Chris Olive ...
      (comp.os.linux.misc)
    • Re: FreeBSD vs. OpenBSD
      ... Subject: FreeBSD vs. OpenBSD ... you can secure any OS before you put it in the wild. ... | OpenBSD boasts that they test the patch branch before its posted. ...
      (Security-Basics)