chaos
August 23rd, 2003, 06:45
Hi
This is NOT to start a flame, simply to understand this.
After reading the following comment on deadly.org
(http://www.deadly.org/article.php3?sid=20030820173741&mode=flat)
----
Credibility
by Me!You on Friday, August 22 @07:31AM
The intent of this post is not to start a flame. I just want to question the credibility of the OpenBSD team.
In my opinion the claim saying: "Only one remote hole in the default install, in more than 7 years!" is not exactly true.
Now for the proof of this:
Revision 1.393 of index.html (Mon Dec 9 09:59:06 2002 UTC) more than 7 years
Revision 1.392 of index.html (Mon Nov 25 22:11:52 2002 UTC) nearly 6 years
Revision 1.379 of index.html (Sun May 19 18:51:09 2002 UTC) 5 years
Revision 1.378 of index.html (Wed May 1 16:06:14 2002 UTC) 4 years
Revision 1.331 of index.html (Sun Apr 29 01:25:12 2001 UTC) 3 years
From Dec 9 2002 to Nov 25 2002 1 year?
From Nov 25 2002 to May 19 2002 1 year?
From May 19 2002 to May 1 2002 1 year?
From Apr 29 2001 to Dec 9 2002 I roughly get 1 year and 7 months, which equals 4 years according to the OpenBSD team's opinion?
----
I can't stop wondering if this in fact is a way to promote OpenBSD even though it may or may not be true. This quote is easily misunderstood by media and users.
Is it in fact NOT true? What else have the OpenBSD team hidden from the community and the public? Did the competitors get too close and hence they had to raise the record?
What is in fact true? This looks like a coverup operation that failed.
Moreover, do you have any comments on the following (also from the comments @ deadly.org):
---
The quote is:
"Only one remote hole in the default install, in more than 7 years!"
This tells us the following about OpenBSD's stance on security:
* They don't care about local/remote DoS conditions (hence why such "reliability" fixes aren't on the security page, yet every other OS seems to consider a DoS a security-related bug)
* They don't care about client-side bugs that can be exploited remotely (the ftp client bug for instance)
* They don't care about bugs that don't gain you instant root (remember apache + select)
* They don't care about exploits in programs that aren't in the default install (essentially nothing but OpenSSH)
* They don't care about local bugs at all, since it's clearly ridiculous that anyone would want to have users on an OpenBSD server.
---
References and pointers to information regarding this would be appreciated.