OSEC
Subject: Re: OpenBSD remote root
From: Tom Vogt (tomlemuria.org)
Date: Mon Dec 18 2000 - 03:13:43 CST


Typo Princep <typoscene.at> wrote:
> That, coupled with the claim that OpenBSD doesn't take a security
> through obscurity approach, but a serious one, makes me fairly suspicious.
>
> I think the 'Security through Obscurity' dogma either is misused or plain
> wrong, because I feel a lot safer on a Linux system with some patches
> and replacement daemons that, according to popular opinion, provide no
> security but just obscurity.

There are some "you don't have to know this" parts in OpenBSD. I have a
serious issue with this approach, and it's one of only two reasons I haven't
joined OpenBSD so far (the other being that I just happen to like Linux
more).

> I think this may be a good way to prove that depending on a central authority
> to protect you from all security problems is a bad idea. (Instead, try to make
> your system more obscure and you'll probably survive the next 0day sploit.)

/me is a big fan of full disclosure and everything related to it. On the
other hand, secure systems seem to be made by central authorities. All the
secure Linux distros we have are essentially one-man projects. I know of
two projects with more open approaches and larger dev teams. One (kha0s)
has folded recently. The other (Nexus, my project and a split-off from
kha0s) isn't currently going anywhere, either.

OpenBSD made it past that point. They *are* a secure system and they do
have a dev team. Maybe their experience is just that things work the way
they do them, or not at all.
Sadly, the Linux community has nothing to prove them wrong.

-- 
"The net treats censorship as a malfunction and re-routes around it."
(John Gilmore)