MS Security VP Mike Nash remarks on MS vs OpenBSD security.


MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Shane J Pearson
What an incredible load of tripe!...

From:    http://interviews.slashdot.org/article.pl?sid=06/01/26/131246

~~~
OpenBSD
by hahiss

How is it that OpenBSD is able to be so secure by design with so few
resources and yet all of Microsoft's resources cannot stem the tide of
security problems that impact everyone, including those of us who do not
use Microsoft programs?

Nash: First, I should say that OpenBSD includes a relatively small
subset of the functionality that is included in Windows. You could argue
that Microsoft should follow the same model for Windows that the OpenBSD
Org follows for their OS. The problem is that users really want an OS
that includes support for rich media content and for hardware devices,
etc. So while OpenBSD has done a good job of hardening their kernel,
they don't seem to also audit important software that are used commonly
by customers, such as PHP, Perl, etc. for security vulnerabilities. At
Microsoft we're focusing on the entire software stack, from the Hardware
Abstraction Layer in Windows, all the way through the memory manager,
network stack, file systems, UI and shell, Internet Explorer, Internet
Information Services, compilers (C/C++, .NET), Microsoft Exchange,
Microsoft Office, Microsoft SQL Server and much, much more. If a
software company's goal is to secure customers, you have to secure the
entire stack. Simply hardening one component, regardless of how
important it is, does not solve real customer problems.

Second, it is not completely accurate to say that OpenBSD is more
secure. If you compare vulnerability counts just from the last 3 months,
OpenBSD had 79 for November, December and January compared to 11 for
Microsoft (and that includes one each for Office and Exchange - so
really 9 for all versions of Windows). I encourage you to look at the
numbers reported at the OpenBSD site to verify that this is true.
~~~


Shane J Pearson        shanejp netspace net au                       ->|


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

bsdusr@gmail.com
> Second, it is not completely accurate to say that OpenBSD is more
> secure. If you compare vulnerability counts just from the last 3 months,
> OpenBSD had 79 for November, December and January compared to 11 for
> Microsoft (and that includes one each for Office and Exchange - so
> really 9 for all versions of Windows). I encourage you to look at the
> numbers reported at the OpenBSD site to verify that this is true.

According to http://openbsd.org/security.html, the last two releases
of OpenBSD have had 8 vulnerabilities (and that includes two that
apply to both releases - so really 6 for both releases of OpenBSD).


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Will H. Backman
In reply to this post by Shane J Pearson
Shane J Pearson wrote:

> What an incredible load of tripe!...
>
> From:    http://interviews.slashdot.org/article.pl?sid=06/01/26/131246
>
>
> Second, it is not completely accurate to say that OpenBSD is more
> secure. If you compare vulnerability counts just from the last 3 months,
> OpenBSD had 79 for November, December and January compared to 11 for
> Microsoft (and that includes one each for Office and Exchange - so
> really 9 for all versions of Windows). I encourage you to look at the
> numbers reported at the OpenBSD site to verify that this is true.
> ~~~
>
>
> Shane J Pearson        shanejp netspace net au                       ->|
>

We need to do more than just complain.  We need to provide solid
evidence that he is wrong, and make sure it is known.


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Dries Schellekens
In reply to this post by bsdusr@gmail.com
fox wrote:

>>Second, it is not completely accurate to say that OpenBSD is more
>>secure. If you compare vulnerability counts just from the last 3 months,
>>OpenBSD had 79 for November, December and January compared to 11 for
>>Microsoft (and that includes one each for Office and Exchange - so
>>really 9 for all versions of Windows). I encourage you to look at the
>>numbers reported at the OpenBSD site to verify that this is true.
>
>
> According to http://openbsd.org/security.html, the last two releases
> of OpenBSD have had 8 vulnerabilities (and that includes two that
> apply to both releases - so really 6 for both releases of OpenBSD).

Maybe he is counting vulnerabilities in ports?


Cheers,

Dries


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Lukasz Sztachanski
In reply to this post by Shane J Pearson
On Fri, Jan 27, 2006 at 01:42:13AM +1100, Shane J Pearson wrote:

>
> ~~~
> OpenBSD
> by hahiss
>
> How is it that OpenBSD is able to be so secure by design with so few
> resources and yet all of Microsoft's resources cannot stem the tide of
> security problems that impact everyone, including those of us who do not
> use Microsoft programs?
>
> Nash: First, I should say that OpenBSD includes a relatively small
> subset of the functionality that is included in Windows. You could argue
if you consider `solitaire' as `functionality', then yes ;)
As far as I know, MS doesn't provide reliable software for network
services; OpenBSD does.

> that Microsoft should follow the same model for Windows that the OpenBSD
> Org follows for their OS. The problem is that users really want an OS
> that includes support for rich media content and for hardware devices,
what? MS doesn't write drivers for all devices; if there were a bug
in NVidia's Windows driver, then NVidia would be the one to blame.
Moreover, Windows `built-in' drivers are usually bad and give low
performance and a minimum of functionality.

> etc. So while OpenBSD has done a good job of hardening their kernel,
> they don't seem to also audit important software that are used commonly
> by customers, such as PHP, Perl, etc. for security vulnerabilities. At
yeah, and MS should audit and be responsible for every foo.bar available
for windows ;)

> Microsoft we're focusing on the entire software stack, from the Hardware
> Abstraction Layer in Windows, all the way through the memory manager,
> network stack, file systems, UI and shell, Internet Explorer, Internet
> Information Services, compilers (C/C++, .NET), Microsoft Exchange,
> Microsoft Office, Microsoft SQL Server and much, much more. If a
> software company's goal is to secure customers, you have to secure the
> entire stack. Simply hardening one component, regardless of how
> important it is, does not solve real customer problems.
>
OpenBSD provides in its base system substitutes for almost all of that software.
First and foremost, OpenBSD is designed for another type of user; the author
of that opinion surely isn't that type.
 
> Second, it is not completely accurate to say that OpenBSD is more
> secure. If you compare vulnerability counts just from the last 3 months,
> OpenBSD had 79 for November, December and January compared to 11 for
> Microsoft (and that includes one each for Office and Exchange - so
> really 9 for all versions of Windows). I encourage you to look at the
> numbers reported at the OpenBSD site to verify that this is true.

People always talk about numbers, but the most important thing is approach. I
truly believe that it's impossible to build anything secure on the
foundations of the MS platform.
Recently I wrote a simple application using random numbers; I was
disappointed when I had to port it to Windows and Linux and saw
the results.




                                - Lukasz Sztachanski


P.S. I know that OpenBSD isn't perfect, but it's the only reasonable
     choice.


--
0x058B7133 // 16AB 4EBC 29DA D92D 8DBE  BC01 FC91 9EF7 058B 7133
http://szati.blogspot.com
http://szati.entropy.pl


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Rob W
In reply to this post by Shane J Pearson
fox wrote:
>According to http://openbsd.org/security.html, the last two releases
>of OpenBSD have had 8 vulnerabilities (and that includes two that
>apply to both releases - so really 6 for both releases of OpenBSD).

What about http://www.securityfocus.com/bid/16375 and
http://docs.freebsd.org/cgi/mid.cgi?200601251013.k0PAD9lO059018 (Fixed in
cvs, but NO patch for 3.8 or 3.7 and NO security announce -
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c.diff?r1=1.147&r2=1.148)

Are there other bugs that haven't made it to the errata page?


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Adam Douglas
In reply to this post by Shane J Pearson
Hear! Hear! I am so sick of these crappy articles downplaying
something when they don't even come close to the truth and the facts.
What really amazes me the most is the fact that the average user just
sits back and does nothing about the problems they have with MS or
Windows. They just accept the fact that it sucks and never bother to
complain. Can you imagine, if everyone started to complain to Microsoft,
how much trouble they would have on their hands. I only wish.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf
Of Will H. Backman
Sent: Thursday, January 26, 2006 9:05 AM
To: OpenBSD Misc
Subject: Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Shane J Pearson wrote:
> What an incredible load of tripe!...
>
> From:    http://interviews.slashdot.org/article.pl?sid=06/01/26/131246
>
>
> Second, it is not completely accurate to say that OpenBSD is more
> secure. If you compare vulnerability counts just from the last 3
> months, OpenBSD had 79 for November, December and January compared to
> 11 for Microsoft (and that includes one each for Office and Exchange -

> so really 9 for all versions of Windows). I encourage you to look at
> the numbers reported at the OpenBSD site to verify that this is true.
> ~~~
>
>
> Shane J Pearson        shanejp netspace net au
->|
>

We need to do more than just complain.  We need to provide solid
evidence that he is wrong, and make sure it is known.


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Tony Aberenthy
In reply to this post by Shane J Pearson
[hidden email] wrote:

>fox wrote:
>>According to http://openbsd.org/security.html, the
>last two releases
>>of OpenBSD have had 8 vulnerabilities (and that
>includes two that
>>apply to both releases - so really 6 for both
>releases of OpenBSD).
>
>What about http://www.securityfocus.com/bid/16375
>and
>http://docs.freebsd.org/cgi/mid.cgi?200601251013.k0
>PAD9lO059018 (Fixed in
>cvs, but NO patch for 3.8 or 3.7 and NO security
>announce -
>http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/i
>f_bridge.c.diff?r1=1.147&r2=1.148)
>
>Are there other bugs that haven't made it to the
>errata page?
Does it matter?
When and if OpenBSD is secure (without disclaimers like
"uber-secure"), the errata no longer matter from a security
standpoint. Methinks that would be the primary advantage
of being proactive rather than reactive.

What I find incredible is that presumably number-literate
computer people could imagine that counting security flaws
is a measure of anything relevant.
People get bills that come in the mail (or whatever).
Computing your financial position by counting the number
of bill envelopes is mildly indicative but is hardly any
basis for any rational comparison. Even adding the numbers
is misleading if the currencies differ. The "dumb" user-base
is not THAT dumb.

Actually there is an objective measure of computer security.
That is the going rate for compromised computers.
Last I heard, seems it was something like five cents US
per compromised computer. After several years of "security
is a priority". Surely somebody could do better with
extremely bad security.


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Ted Unangst-2
In reply to this post by Rob W
On 1/26/06, Rob W <[hidden email]> wrote:
> Are there other bugs that haven't made it to the errata page?

yes.  you can find an exhaustive list here:
http://marc.theaimsgroup.com/?l=openbsd-cvs&r=1&w=2

but don't let the word get out.  let's keep this quiet.


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Rob W
In reply to this post by Shane J Pearson
http://www.securityfocus.com/bid/16375 is minor but important enough to
report?

A way to remotely crash an OpenBSD box is minor?

From http://openbsd.org/security.html:
"Security information moves very fast in cracker circles. On the other hand,
our experience is that coding and releasing of proper security fixes
typically requires about an hour of work -- very fast fix turnaround is
possible. Thus we think that full disclosure helps the people who really
care about security."

Does it have to qualify as a root exploit/possible root exploit to get a
security announcement?

Sorry, I don't get it.

>From: Marco Peereboom <[hidden email]>
>To: Rob W <[hidden email]>
>Subject: Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.
>Date: Thu, 26 Jan 2006 13:04:55 -0600
>
>How many times do you need to hear the same thing?
>
>NOT ALL BUGFIXES MAKE IT TO THE ERRATA BECAUSE THEY ARE MINOR.
>
>On Thu, Jan 26, 2006 at 05:11:23PM +0100, Rob W wrote:
> > fox wrote:
> > >According to http://openbsd.org/security.html, the last two releases
> > >of OpenBSD have had 8 vulnerabilities (and that includes two that
> > >apply to both releases - so really 6 for both releases of OpenBSD).
> >
> > What about http://www.securityfocus.com/bid/16375 and
> > http://docs.freebsd.org/cgi/mid.cgi?200601251013.k0PAD9lO059018 (Fixed
>in
> > cvs, but NO patch for 3.8 or 3.7 and NO security announce -
> >
>http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c.diff?r1=1.147&r2=1.148)
> >
> > Are there other bugs that haven't made it to the errata page?
> >



Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Will H. Backman
Rob W wrote:

> http://www.securityfocus.com/bid/16375 is minor but important enough to
> report?
>
> A way to remotely crash an OpenBSD box is minor?
>
>  From http://openbsd.org/security.html:
> "Security information moves very fast in cracker circles. On the other
> hand, our experience is that coding and releasing of proper security
> fixes typically requires about an hour of work -- very fast fix
> turnaround is possible. Thus we think that full disclosure helps the
> people who really care about security."
>
> Does it have to qualify as a root exploit/possible root exploit to get a
> security announcement?
>
> Sorry, I don't get it.
>

"By sending carefully crafted sequence of IP packet fragments, a remote
attacker can cause a system running pf with a ruleset containing a
'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash."

1: Has this been verified to actually cause a panic on OpenBSD, or did
OpenBSD just add the fixes to pf in CVS for the benefit of other
operating systems?

2: How common is the use of those rules?


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Martin Schröder
In reply to this post by Shane J Pearson
On 2006-01-27 01:42:13 +1100, Shane J Pearson wrote:
> What an incredible load of tripe!...

This belongs on advocacy.


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Ted Unangst-2
In reply to this post by Will H. Backman
On 1/26/06, Will H. Backman <[hidden email]> wrote:
> "By sending carefully crafted sequence of IP packet fragments, a remote
> attacker can cause a system running pf with a ruleset containing a
> 'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash."
>
> 1: Has this been verified to actually cause a panic on OpenBSD, or did
> OpenBSD just add the fixes to pf in CVS for the benefit of other
> operating systems?

the first.

> 2: How common is the use of those rules?

that's kinda hard to determine.  i don't use them (but i don't use pf).


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Tony Aberenthy
In reply to this post by Lukasz Sztachanski
Lukasz Sztachanski wrote:

> On Fri, Jan 27, 2006 at 01:42:13AM +1100, Shane J Pearson wrote:
> >
> > ~~~
> > OpenBSD
> > by hahiss
> >
> > How is it that OpenBSD is able to be so secure by design with so few
> > resources and yet all of Microsoft's resources cannot stem the tide of
> > security problems that impact everyone, including those of us who do not
> > use Microsoft programs?
> >
> > Nash: First, I should say that OpenBSD includes a relatively small
> > subset of the functionality that is included in Windows. You could argue
> if you consider `solitaire' as `functionality', then yes ;)
> As far as I know, MS doesn't provide reliable software for network
> services; OpenBSD does.
>
> > that Microsoft should follow the same model for Windows that the OpenBSD
> > Org follows for their OS. The problem is that users really want an OS
> > that includes support for rich media content and for hardware devices,
> what? MS doesn't write drivers for all devices; if there were a bug
> in NVidia's Windows driver, then NVidia would be the one to blame.
> Moreover, Windows `built-in' drivers are usually bad and give low
> performance and a minimum of functionality.
>
> > etc. So while OpenBSD has done a good job of hardening their kernel,
> > they don't seem to also audit important software that are used commonly
> > by customers, such as PHP, Perl, etc. for security vulnerabilities. At
> yeah, and MS should audit and be responsible for every foo.bar available
> for windows ;)
>
> > Microsoft we're focusing on the entire software stack, from the Hardware
> > Abstraction Layer in Windows, all the way through the memory manager,
> > network stack, file systems, UI and shell, Internet Explorer, Internet
> > Information Services, compilers (C/C++, .NET), Microsoft Exchange,
> > Microsoft Office, Microsoft SQL Server and much, much more. If a
> > software company's goal is to secure customers, you have to secure the
> > entire stack. Simply hardening one component, regardless of how
> > important it is, does not solve real customer problems.
> >
> OpenBSD provides in its base system substitutes for almost all of that software.
> First and foremost, OpenBSD is designed for another type of user; the author
> of that opinion surely isn't that type.
>
> > Second, it is not completely accurate to say that OpenBSD is more
> > secure. If you compare vulnerability counts just from the last 3 months,
> > OpenBSD had 79 for November, December and January compared to 11 for
> > Microsoft (and that includes one each for Office and Exchange - so
> > really 9 for all versions of Windows). I encourage you to look at the
> > numbers reported at the OpenBSD site to verify that this is true.
>
> People always talk about numbers, but the most important thing is approach. I
> truly believe that it's impossible to build anything secure on the
> foundations of the MS platform.
> Recently I wrote a simple application using random numbers; I was
> disappointed when I had to port it to Windows and Linux and saw
> the results.
>
>
>
>
> - Lukasz Sztachanski
>
>
> P.S. I know that OpenBSD isn't perfect, but it's the only reasonable
>      choice.
>
>
> --
> 0x058B7133 // 16AB 4EBC 29DA D92D 8DBE  BC01 FC91 9EF7 058B 7133
> http://szati.blogspot.com
> http://szati.entropy.pl

As I explain to my users:
Microsoft has immense difficulty walking and chewing gum at the same time.
Most everything works pretty well, assuming that everything else in the
universe is perfect and you don't really try to do too much.
Microsoft is very good if you throw something at it and want it to come out
looking half-way presentable. In many cases that is all you want or need.
As time progresses, the newer computers are really just overgrown dumb
terminals (it takes a lot of horsepower for a browser to be fast and
snappy).
Everything important, you put somewhere outside of Microsoft's reach.

BTW, I lurk on the list because it is one of the FEW sources of sanity.

Security. If it has the slightest possibility of actually mattering:
Do not fool yourself.
Do not fool your customers.
Do not fool your suppliers.

If it actually does matter:
It's long and hard to accomplish what seems to be almost nothing.
OpenBSD has tried and does at least try.  (Actually very friendly, considering)
Some stuff looks like it is actually accomplishing something.  (*)
Most everybody else is trying to find some cheap shot:
does a little (almost) and wants to claim it does it all.

What the users really want seems to be a $2000 computer that
functions as well as a $200 DVD player. Seems to be the direction.


(*) Secure:  Vulnerability in a critical service.
Running, and your enemies are competent.
Read and understand the vulnerability.
And sneer, because that is not enough to do you in.
That is security. Anything less is still just trying.

And you've got grown men, presumably post-kindergarten, who somehow
think that counting "vulnerabilities" actually means something.
I think you'll find that sub-standard "dumb" users are far
too intelligent to fall for that stupid a line.


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Dries Schellekens
In reply to this post by Rob W
Rob W wrote:

> What about http://www.securityfocus.com/bid/16375 and
> http://docs.freebsd.org/cgi/mid.cgi?200601251013.k0PAD9lO059018 (Fixed
> in cvs, but NO patch for 3.8 or 3.7 and NO security announce -
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c.diff?r1=1.147&r2=1.148)

Fixed in -current, 3.8-stable and 3.7-stable.

> Are there other bugs that haven't made it to the errata page?

Subscribe to source-changes@


Cheers,

Dries


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Henning Brauer
In reply to this post by Will H. Backman
* Will H. Backman <[hidden email]> [2006-01-26 23:15]:
> "By sending carefully crafted sequence of IP packet fragments, a remote
> attacker can cause a system running pf with a ruleset containing a
> 'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash."
>
> 1: Has this been verified to actually cause a panic on OpenBSD

yes.

--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Otto Moerbeek
In reply to this post by Rob W
On Thu, 26 Jan 2006, Rob W wrote:

> http://www.securityfocus.com/bid/16375 is minor but important enough to
> report?
>
> A way to remotely crash an OpenBSD box is minor?

If the number of systems affected is low, the answer may be yes. This
problem only exists if you enable specific scrubbing options in pf.

As a rule of thumb, you can look at the fraction of machines affected
multiplied by the severity of the problem. This gives some
indication of whether something is going to hit errata.

We are not hiding things, just follow src-changes to get everything.

        -Otto
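The thread narrows the pf crash to rulesets that use the 'scrub fragment crop' or 'scrub fragment drop-ovl' options, and Otto's rule of thumb weighs severity by the fraction of machines affected. As an added example that is not from the thread or from the OpenBSD project, the script below scans a pf.conf for those two options so an administrator can tell whether a host is in that affected fraction; the embedded sample ruleset is constructed, and the comment and continuation-line handling is a simplification of real pf.conf syntax (a '#' inside a quoted string would be treated as a comment).

```python
import sys
import re

# Constructed sample pf.conf (not from the page): mixes affected and
# unaffected scrub rules, a commented-out rule and a continued line.
SAMPLE_PF_CONF = """\
ext_if = "fxp0"
# reassemble is the default fragment handling and is not affected
scrub in on $ext_if all fragment reassemble
scrub in on lo0 all \\
    fragment crop          # affected option on a continued line
scrub out all fragment drop-ovl   # affected
# scrub in all fragment crop      <- commented out, must be ignored
pass in on $ext_if proto tcp to port 22
"""

# The two scrub options named in the advisory quoted in the thread.
AFFECTED_OPTIONS = ("fragment crop", "fragment drop-ovl")


def logical_lines(text):
    """Yield pf.conf logical lines: comments stripped, backslash
    continuations joined, whitespace normalised."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield " ".join(buf.split())
        buf = ""
    if buf.strip():
        yield " ".join(buf.split())


def affected_scrub_rules(text):
    """Return (rule, option) pairs for every scrub rule that uses one of
    the affected fragment options. An empty list means the ruleset is
    not in the affected fraction for this particular bug."""
    hits = []
    for rule in logical_lines(text):
        if not rule.startswith("scrub"):
            continue
        for opt in AFFECTED_OPTIONS:
            if re.search(r"\b" + re.escape(opt) + r"\b", rule):
                hits.append((rule, opt))
    return hits


if __name__ == "__main__":
    # Usage: python check_scrub.py [/etc/pf.conf]; no argument scans the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            conf = fh.read()
    else:
        conf = SAMPLE_PF_CONF
    found = affected_scrub_rules(conf)
    for rule, opt in found:
        print("affected (%s): %s" % (opt, rule))
    print("%d affected scrub rule(s)" % len(found))
```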


Re: MS Security VP Mike Nash remarks on MS vs OpenBSD security.

Joachim Schipper
On Fri, Jan 27, 2006 at 10:07:33AM +0100, Otto Moerbeek wrote:

> On Thu, 26 Jan 2006, Rob W wrote:
>
> > http://www.securityfocus.com/bid/16375 is minor but important enough to
> > report?
> >
> > A way to remotely crash an OpenBSD box is minor?
>
> If the number of systems affected is low, the answer may be yes. This
> problem only exists if you enable specific scrubbing options in pf.
>
> As a rule of thumb, you can look at the fraction of machines affected
> multiplied by the severity of the problem. This gives some
> indication of whether something is going to hit errata.
>
> We are not hiding things, just follow src-changes to get everything.

Or Full-Disclosure or one of the like, for a more generic security list.
See http://lists.grok.org.uk.

It doesn't have much OpenBSD content, of course... ;-)

                Joachim