chaos
August 23rd, 2003, 06:45
Hi

This is NOT to start a flame, simply to understand this.

After reading the following comment on deadly.org
(http://www.deadly.org/article.php3?sid=20030820173741&mode=flat)
----
Credibility
by Me!You on Friday, August 22 @07:31AM

The intent of this post is not to start a flame. I just want to question the credibility of the OpenBSD team.

In my opinion the claim saying: "Only one remote hole in the default install, in more than 7 years!" is not exactly true.

Now for the proof of this:

Revision 1.393 of index.html (Mon Dec 9 09:59:06 2002 UTC) more than 7 years

Revision 1.392 of index.html (Mon Nov 25 22:11:52 2002 UTC) nearly 6 years

Revision 1.379 of index.html (Sun May 19 18:51:09 2002 UTC) 5 years

Revision 1.378 of index.html (Wed May 1 16:06:14 2002 UTC) 4 years

Revision 1.331 of index.html (Sun Apr 29 01:25:12 2001 UTC) 3 years

From Dec 9 2002 to Nov 25 2002 1 year?
From Nov 25 2002 to May 19 2002 1 year?
From May 19 2002 to May 1 2002 1 year?

From Apr 29 2001 to Dec 9 2002 I roughly get 1 year and 7 months, which equals 4 years according to the OpenBSD team's opinion?
----

I can't stop wondering if this is in fact a way to promote OpenBSD even though it may or may not be true. This quote is easily misunderstood by media and users.

Is it in fact NOT true? What else have the OpenBSD team hidden from the community and the public? Did the competitors get too close and hence they had to raise the record?

What is in fact true? This looks like a coverup operation that failed.

Moreover, do you have any comments on the following (also from the comments @ deadly.org):
---
The quote is:
"Only one remote hole in the default install, in more than 7 years!"

This tells us the following about OpenBSD's stance on security:
* They don't care about local/remote DoS conditions (hence why such "reliability" fixes aren't on the security page, yet every other OS seems to consider a DoS a security-related bug)
* They don't care about client-side bugs that can be exploited remotely (the ftp client bug for instance)
* They don't care about bugs that don't gain you instant root (remember apache + select)
* They don't care about exploits in programs that aren't in the default install (essentially nothing but OpenSSH)
* They don't care about local bugs at all, since it's clearly ridiculous that anyone would want to have users on an OpenBSD server.
---

References and pointers to information regarding this would be appreciated.

|MiNi0n|
August 23rd, 2003, 08:19
deadly is full of lurkers whose sole intent is to stir up flame wars and talk shit about things that get posted there. Hell, they've even blasted us here at ScreamingElectron.

That being said, some points made are true, but for the most part you're talking about slants that OpenBSD uses to help promote the cause, and the cause is a mighty fine one --> An OS that's built with Security in mind from the start, not as an afterthought.

The OS is ***solid*** in comparison to all others in terms of vulnerabilities and is still #1 by a mile in my books!