Date: Thu, 10 Dec 2009 16:21:50 +0000
From: Anton Shterenlikht
To: Bill Moran
Cc: freebsd-current@freebsd.org, Anton Shterenlikht, freebsd-questions@freebsd.org
Subject: Re: Root exploit for FreeBSD
Message-ID: <20091210162150.GA1135@mech-cluster241.men.bris.ac.uk>
In-Reply-To: <20091210095122.a164bf95.wmoran@potentialtech.com>

On Thu, Dec 10, 2009 at 09:51:22AM -0500, Bill Moran wrote:
> In response to Anton Shterenlikht:
>
> > From my information security manager:
> >
> > FreeBSD isn't much used within the University (I understand) and has a
> > (comparatively) poor security record. Most recently, for example:
> >
> > http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html
>
> Are you trying to make your infosec guy look like an idiot? Does he
> realize that FreeBSD has a grand total of 16 security problems for all
> of 2009? Hell, Microsoft has that many in an average month.
>
> If he can find something (other than OpenBSD) with a better record than
> that, I'd love to hear about it.

I was just stressed after being forced by him to explain why I wanted
firewall exceptions for two ports to my FreeBSD portscluster nodes.
I explained the reasons and that was settled.

I wouldn't be surprised if I'm the sole fbsd user at my Uni.
The situation with computing is not great and getting worse.
The Uni is, of course, addicted to Microsoft, but having realised
all the problems with that, lately the policy has been to
deny (!) MS users admin access to their own desktops. The situation
is just ridiculous - if an MS user wants to install a piece of software
on their PC he/she has to ask for permission, and then wait until
some computer officer comes and does the install for them.

Also recently, well.. about a year ago, no host (!) could be accessed
from outside the Uni firewall. A special exception has to be obtained
even for ssh. There is only one dedicated Sun server which accepts
only ssh. The users are supposed to dial to this frontend server first,
and from there to hosts on the local net.

Honestly, the situation is so bad that I sometimes wonder - perhaps
it's me who is mad.
It seems IT services look at anybody who wants to escape
MS with suspicion at best.

I had to fight a long battle, well.. I had some support from other
academics, to have a Linux class in my Faculty. Here the opposition
wasn't so much security, as "why would any undergraduate need Linux",
as if MS solutions are a pinnacle of human thought.

And from what I understand it's going to get worse. Apparently the IT
services are drawing up plans to completely forbid use of
"non-authorized" OS. I imagine fbsd will not be authorized. So I'm
anticipating another battle already.

Perhaps I should start putting together some statistics to make
my case more forcefully.

Many thanks for your support, as always

-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423