A role model for security. Almost.
Jason Miller, 2005-06-08

Mark Burnett beat me to it. I was planning to write an article on the relationship between good security and paranoia in the not too distant future. However, it appears that at least one other SecurityFocus columnist shares some of my theories on good security. Either that, or he's somehow capable of reading my mind. Paranoia is generally a good thing to have. Regardless, Mark's article got me wondering about what other traits are valuable in the quest for good security.

A Role Model for Security. Almost. 2005-06-09
Anonymous (1 replies)
Re: A Role Model for Security. Almost. 2005-06-29
Matthew Murphy
A Role Model for Security. Almost. 2005-06-11
xeon (1 replies)
Re: A Role Model for Security. Almost. 2005-06-29
Matthew Murphy (1 replies)
A Role Model for Security. Almost. 2005-06-11
Anonymous (1 replies)
Re: A Role Model for Security. Almost. 2005-06-29
Matthew Murphy
OpenBSD is perhaps the only (modern) example that is worse than Bernstein's code. Sure, I could secure a system if it were so stripped down as to be barely accessible by default. And that's just good design.

But, the OpenBSD team's "secure by design" effort has not had nearly as much success as its "secure by default" effort. OpenBSD often finds itself correcting buggy or sloppily-written code. OpenSSH is a prime example of how NOT to write a server of any kind, let alone one that handles authentication and data security. OpenBSD is secure-by-default, but the moment you start enabling things, you start seeing vulnerabilities.

The effect of OpenBSD's efforts has been to over-strip and over-emphasize the default code paths, while leaving others insecure.

Claims like "Only one remote hole in the default install, in more than 8 years!" are material for reckless attempts to deny vulnerability. Much like Venema responded by denying Bernstein's reports of Postfix holes in the face of overwhelming evidence, and much like Bernstein denied Guninski's report (even to the point of refusing to fix it), the OpenBSD team has done the same thing. The OpenBSD IBCS2 vulnerability reported by Georgi Guninski wasn't patched until reports of the exploit were seen *in-the-wild* by colleagues of mine -- even though it didn't fall under the "1 remote hole..." guarantee.

The reason companies like Microsoft don't market such things is because they have a financial disincentive to do so. Microsoft would be committing suicide if it attempted to market its products as "secure" without qualifying that statement. Microsoft would face that criticism for the exact same reason that Bernstein will face more criticism for his refusal to fix the vulnerability found in its software than for the incorrect code assumption that led to it.


Link to this comment: http://www.securityfocus.com/comments/columns/331/32104#32104
A Role Model for Security. Almost. 2005-06-15
Russell Nelson (1 replies)
Re: A Role Model for Security. Almost. 2005-06-29
Matthew Murphy







 
