Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 12 Jun 2008 11:43:40 -0500
From:      Jeffrey Goldberg <jeffrey@goldmark.org>
To:        David Naylor <naylor.b.david@gmail.com>
Cc:        Roland Smith <rsmith@xs4all.nl>, freebsd-questions@freebsd.org
Subject:   Re: FreeBSD and User Security
Message-ID:  <62860DF8-423D-48B3-9757-CC3D24732CF0@goldmark.org>
In-Reply-To: <200806121519.12820.naylor.b.david@gmail.com>
References:  <200806112225.36221.naylor.b.david@gmail.com> <20080611214743.GA18371@slackbox.xs4all.nl> <200806121519.12820.naylor.b.david@gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Jun 12, 2008, at 8:19 AM, David Naylor wrote:

> I think this argument is rather mute, just because there are no  
> programs
> exploiting security vulnerabilities does not been there are not
> vulnerabilities,

But it is far from moot if you are interested in the actual threat  
against your system.  In a sense, using a less popular OS is a form of  
"security by obscurity" which is not to be heavily relied on, but  
still it does make a real, practical, difference in the case that you  
described.

> and a determined cracker would create his own program.

You have not articulated what you are trying to defend against.  Do  
you anticipate determined crackers going after your particular system  
and what resources will such attackers have?  We can't talk about a  
system being "secure" in general, but the question needs to be framed  
in terms of "secure against what".

> That said I hope there are, actually, no vulnerabilities.

That is demanding too much.  What you need to hope for is a  
combination of "no known unpatched vulnerabilities at the moment" and  
more importantly "procedures and practices to keep things that way".   
As Bruce Schneier likes to say, "Security is not a product but a  
process".  The vast majority of actual system compromises involve  
failure of system administrators to keep systems patched and follow  
good security practices.

One reason that I switched from Linux to FreeBSD is that I find it  
much easier to maintain FreeBSD, particularly in terms of security  
updates.  I have been responsible for Linux machines that did get  
rooted because I was having problems keeping them up-to-date for a  
variety of reasons.

> [Security through obscurity is just an illusion]

In your post you mentioned concern about spyware.  It is not an  
illusion that FreeBSD has not been targeted by spyware writers while  
Windows has.  Even if some of that is the consequence of security by  
obscurity, it is no illusion.  Of course we need to understand that  
those security benefits from obscurity are fragile, but we shouldn't  
dismiss it entirely.

Again, what sorts of benefits such things may add (or subtract)  
depends on the nature of the attacker.

Cheers,

-j




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?62860DF8-423D-48B3-9757-CC3D24732CF0>