
Windows: more secure than OpenBSD

n0cmonkey

From an interview on slashdot:
OpenBSD
by hahiss

How is it that OpenBSD is able to be so secure by design with so few resources and yet all of Microsoft's resources cannot stem the tide of security problems that impact everyone, including those of us who do not use Microsoft programs?

Nash: First, I should say that OpenBSD includes a relatively small subset of the functionality that is included in Windows. You could argue that Microsoft should follow the same model for Windows that the OpenBSD Org follows for their OS. The problem is that users really want an OS that includes support for rich media content and for hardware devices, etc. So while OpenBSD has done a good job of hardening their kernel, they don't seem to also audit important software that is used commonly by customers, such as PHP, Perl, etc. for security vulnerabilities. At Microsoft we're focusing on the entire software stack, from the Hardware Abstraction Layer in Windows, all the way through the memory manager, network stack, file systems, UI and shell, Internet Explorer, Internet Information Services, compilers (C/C++, .NET), Microsoft Exchange, Microsoft Office, Microsoft SQL Server and much, much more. If a software company's goal is to secure customers, you have to secure the entire stack. Simply hardening one component, regardless of how important it is, does not solve real customer problems.

Second, it is not completely accurate to say that OpenBSD is more secure. If you compare vulnerability counts just from the last 3 months, OpenBSD had 79 for November, December and January compared to 11 for Microsoft (and that includes one each for Office and Exchange - so really 9 for all versions of Windows). I encourage you to look at the numbers reported at the OpenBSD site to verify that this is true.

I want to know where he got the number of vulnerabilities for OpenBSD. I couldn't find a list for those three months, and the errata page definitely doesn't list that many...

Also, unless Microsoft is auditing PHP I don't see how that applies to OpenBSD. Plus, OpenBSD has been adding in security pieces throughout the system. ProPolice doesn't just help secure the kernel...

EDIT: Forgot the link to the rest of the interview.
 
What? I thought OpenBSD had like one hole throughout its hole life? Or was that NetBSD or FreeBSD?

Edit: 'hole life', lol. 'WHOLE life'
 
Yes, because if PHP has a hole, it'll show itself on BSD, but Windows will patch the hole when you install. That's the super sekrit they have. Install a root kit? They patch it to make it more secure....


the ONLY way I could see that many, is if they figured EVERY app you ever MIGHT install on BSD (and even then...)
 
That crap about just a kernel vs an entire software stack was so laughable, I'm surprised he even had the guts to publish it.
his answers were not laundered by PR people
Maybe they should have. They could maybe have done some damage control.

Anyways, I hope I find time to read the rest of that article at some point.
Originally posted by: xtknight
What? I thought OpenBSD had like one hole throughout its hole life? Or was that NetBSD or FreeBSD?

Edit: 'hole life', lol. 'WHOLE life'
One remote hole in the default install. That doesn't count local vulnerabilities or any config you change (like running httpd).
 
Ya that guy is full of it.

Maybe he is thinking of Redhat? I doubt it.

Maybe if you took all vulnerability advisories for all of the software available in OpenBSD ports you could maybe get 70 something. And that is mostly going to be crap like 'tetris game makes non-random /tmp file to store scores leading to possible disclosure of information between users' or some nonsense like that. (What OpenBSD and most free software people consider a possible vulnerability is not necessarily what Microsoft considers a vulnerability.) And even then that's going to be a hell of a lot more software from many multiple vendors, much more than anything Microsoft releases in its operating systems.
 
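The posts above boil down to a counting-rule argument: "one remote hole in the default install" and "79 in three months" can both come out of the same advisory list depending on whether you count ports software, local-only bugs, and services that ship disabled. The script below is an added example, not code from the thread or from either project; every advisory record in it is constructed for illustration and the numbers it produces are not real OpenBSD or Microsoft figures. It shows how the tally moves as each scoping rule is applied.

```python
"""Added example: the same advisory list tallied under different counting rules.
All records below are constructed for illustration, not real advisory data."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    component: str
    origin: str             # "base" (ships in the default install) or "ports" (third-party package)
    vector: str             # "remote" or "local"
    default_enabled: bool   # reachable in an untouched default install (e.g. sshd yes, httpd no)
    severity: str           # "low", "medium", "high"


# Constructed sample, loosely modelled on the kinds of issues the thread mentions.
SAMPLE = [
    Advisory("kernel",   "base",  "local",  True,  "high"),
    Advisory("httpd",    "base",  "remote", False, "high"),   # shipped, but off by default
    Advisory("sshd",     "base",  "remote", True,  "high"),
    Advisory("php",      "ports", "remote", False, "high"),
    Advisory("php",      "ports", "remote", False, "medium"),
    Advisory("perl",     "ports", "local",  False, "low"),
    Advisory("tetris",   "ports", "local",  False, "low"),    # predictable /tmp score file
    Advisory("ethereal", "ports", "remote", False, "high"),
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def count_default_remote(advs):
    """The 'remote hole in the default install' rule: base system, remote vector,
    and the affected code must be reachable without changing the default config."""
    return sum(1 for a in advs
               if a.origin == "base" and a.vector == "remote" and a.default_enabled)


def count_base(advs):
    """Everything in the base system, local bugs and disabled services included."""
    return sum(1 for a in advs if a.origin == "base")


def count_with_severity_floor(advs, floor="medium"):
    """Drop issues below a severity threshold: a crude stand-in for a vendor that
    does not classify a predictable /tmp file as a vulnerability at all."""
    return sum(1 for a in advs if SEVERITY_RANK[a.severity] >= SEVERITY_RANK[floor])


def count_everything(advs):
    """Base plus every third-party package in ports: the most inclusive rule."""
    return len(advs)


def counts_by_rule(advs):
    """One table, four rules, four different 'vulnerability counts' for the same period."""
    return {
        "default_install_remote": count_default_remote(advs),
        "base_all_vectors":       count_base(advs),
        "medium_or_higher_all":   count_with_severity_floor(advs, "medium"),
        "base_plus_ports":        count_everything(advs),
    }


def counts_by_component(advs):
    """Which packages dominate the inclusive count (here, third-party ones)."""
    return Counter(a.component for a in advs)


if __name__ == "__main__":
    for rule, n in counts_by_rule(SAMPLE).items():
        print(f"{rule:24s} {n}")
    print(counts_by_component(SAMPLE))
```

On the constructed sample the four rules give 1, 3, 6 and 8 for the same list, and the two PHP entries alone are a quarter of the inclusive total; that spread, not any one number, is the point the thread is making about comparing vendors by advisory count.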
:Q
< quickly starts formatting his freebsd and linux servers, muttering " stupid insecure OS, I'm coming back, Redmond!" >



😉
 
I'm sure you could find software in the ports tree that'll give you close to 70 vulnerabilities in 3 months. At least some of the PHP stuff, now that ethereal has been removed. 😉
 
That question from the Microsoft developer explaining how security was still a joke in his team was interesting. If it's true, it's obviously a complete contradiction to all that Nash had been saying. But the fact that it was posted anonymously from a Slashdot reader makes it seem like it really could have been faked. It's easy to imagine some l337 m$ hating linux hAx0r cooking that up to give the anti-MS crowd something to run with.

And his reason that there was no AES support was because they have this pluggable encryption framework? Doesn't 'pluggable' mean that you can put other implementations in? 😕
 
Originally posted by: kamper
That question from the Microsoft developer explaining how security was still a joke in his team was interesting. If it's true, it's obviously a complete contradiction to all that Nash had been saying. But the fact that it was posted anonymously from a Slashdot reader makes it seem like it really could have been faked. It's easy to imagine some l337 m$ hating linux hAx0r cooking that up to give the anti-MS crowd something to run with.

I dunno, it seemed plausible. A major culture change takes a lot of time, especially with the number of employees he says they have.

And his reason that there was no AES support was because they have this pluggable encryption framework? Doesn't 'pluggable' mean that you can put other implementations in? 😕

That confused the bejeezus out of me. 😕
 
Originally posted by: n0cmonkey
I dunno, it seemed plausible. A major culture change takes a lot of time, especially with the number of employees he says they have.
Sure, it's plausible. So's it being made up. I was just proposing that it might not necessarily be as damning as it looks. I'm kinda interested to see how the crowd there dealt with it, but there's no way I'm diving into that swamp.
 