[rescue] Linux Luserisms (was: secondary market storage?)

Eric Dittman dittman at dittman.net
Tue Apr 2 13:49:32 CST 2002


> > And that's exactly what I'm saying.  You have to install
> > the patches or your box isn't secure.  Claiming there's
> > not a problem because the service is turned off out-of-
> > the-box is just semantics, since they are going to be
> > turned on 99% of the time.
> 
> But it's not semantics.  Somebody brought up secure and
> out-of-the-box being mutually exclusive in UNIX.  Someone
> else pointed out OpenBSD, and you said OpenBSD is on the
> CERT advisories.

Someone pointed out OpenBSD because they said out-of-the-
box it was secure.  However, OpenBSD does appear on the
CERT advisories, not all of which are for services.  Also,
out-of-the-box doesn't mean anything since after installing
you have to customize.  I can say RedHat is secure out-of-
the-box if I don't connect it to anything.

> Just because you are changing what we were talking about
> doesn't make my point "just semantics".

I'm not changing what we were talking about.  OpenBSD
is as secure as any other operating system that has
been installed and not connected to the net.  Once
you connect to the net, you aren't secure.  And just
about everyone connects to the net.

Even if you don't connect to the net, you can still
be vulnerable to someone local.

If you have dial-in, there's another path.

If you aren't connected to the net, and there's no one
else using the system except for you, and there's no
dial-in access, then yes, OpenBSD is secure out-of-
the-box.  But then so is every other operating system.

Saying something is secure doesn't make it so.  Just
because someone says they've audited all the software
that goes on OpenBSD doesn't mean they haven't missed
something.  People are finding previously unknown
exploits all the time.  There's always some programmer
that leaves possible buffer exploits.

> Beyond which, how many web servers do you need on your
> network?  Apache is included in the OpenBSD base install
> but not turned on... do you turn it on on 99% of your
> machines?

Of course not, but there's more than just Apache.  There's
ftp, telnet, ssh, smtp, pop3, etc.  Open any one of them
and you've got a possible hole.
-- 
Eric Dittman
dittman at dittman.net
Check out the DEC Enthusiasts Club at http://www.dittman.net/
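
The point of the message above is that a box's exposure is the set of services it actually listens on, not what the install defaults promise. As an added example (not part of the original thread or any listed project), the script below audits that set: it reads `netstat -an` (BSD or Linux form) or `ss -ltn` output on stdin and flags every LISTEN socket whose port is not on an allowlist you supply. The function names `audit_listeners` and `count_unexpected` are hypothetical helpers, and the two samples are constructed for the hypothetical box under discussion, not captured from a real machine. An allowlisted port is still a possible hole, as the message says; the check only tells you what you have knowingly opened versus what crept in.

```shell
# Audit listening TCP sockets against an allowlist of ports.
# Input (stdin): `netstat -an` lines (BSD or Linux) or `ss -ltn` lines.
# netstat puts the socket state in the last column, ss -ltn in the first;
# both keep the local address in column 4, which is all we need.
# Prints one line per listener not on the allowlist; exit status 1 if any.
audit_listeners() {
    allow="$1"   # space-separated expected ports, e.g. "22 25"
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" || $NF == "LISTEN" {
            addr = $4
            port = addr
            sub(/.*[.:]/, "", port)      # keep the text after the last "." or ":"
            if (!(port in ok)) { print "unexpected listener: " addr; bad++ }
        }
        END { if (bad) exit 1 }
    '
}

# Number of flagged listeners for a sample and an allowlist (handy when
# looping over a fleet of hosts).
count_unexpected() {
    printf '%s\n' "$1" | audit_listeners "$2" | wc -l | tr -d ' '
}

# Constructed sample in BSD `netstat -an` form: sshd, telnetd, sendmail,
# popper, one established ssh session and syslogd on UDP. Not real output.
NETSTAT_SAMPLE='tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.23                   *.*                    LISTEN
tcp        0      0  0.0.0.0:25             0.0.0.0:*              LISTEN
tcp        0      0  127.0.0.1:110          0.0.0.0:*              LISTEN
tcp        0      0  10.0.0.5:36712         10.0.0.1:22            ESTABLISHED
udp        0      0  *.514                  *.*'

# Constructed sample in Linux `ss -ltn` form, with its header line and an
# IPv6 socket, plus an X server bound to loopback. Not real output.
SS_SAMPLE='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       50      127.0.0.1:6000      0.0.0.0:*'

# Demo: only sshd is sanctioned, so telnet, smtp and pop3 are reported.
printf '%s\n' "$NETSTAT_SAMPLE" | audit_listeners "22" || echo "review the listeners above"
# On a live box:  netstat -an | audit_listeners "22 25"
#            or:  ss -ltn | audit_listeners "22 25"
```

The allowlist should be the ports you deliberately turned on after the install, so the report is the difference between what you think the box runs and what it really accepts connections on. Anything flagged is either a service to shut off or one to add to the list and patch like the rest.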


