
The insecurity of OpenBSD (2010) - i336_
https://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/
======
Canada
I'd be interested to hear the author's opinion on pledge.

Also, this article repeatedly points out that OpenBSD did not invent memory
hardening techniques, but fails to acknowledge that they were by far the first
to ship many of them in a base system by default. As I recall they were the
only ones willing to break binary compatibility. Was Openwall shipping
with such protections enabled by default when OpenBSD released W^X? Certainly
no other Linux distros were.

~~~
i336_
I found this HN discussion from just under a year ago on pledge():
[https://news.ycombinator.com/item?id=10537268](https://news.ycombinator.com/item?id=10537268)
(which lists this presentation:
[http://www.openbsd.org/papers/hackfest2015-pledge/mgp00001.h...](http://www.openbsd.org/papers/hackfest2015-pledge/mgp00001.html))

I couldn't help wondering whether the author had somehow been bitten by something
OpenBSD-related, or whether he had had some kind of spat with some developer(s)
somewhere. I wouldn't quite call this FUD, but I don't think it has enough
bullet points for the amount of "this is the end of the world" it has in it.

That said, the point about China settling for FreeBSD instead of OpenBSD for
their secure computing environment is very interesting. I wonder whether OpenBSD
may possibly be being distracted by trying to hit some kind of academically
"cute" model of functionality, instead of staying grounded and realistic. Or
maybe OpenBSD is trying to stay out of the commercial limelight, so is
deliberately sidestepping the mainstream enterprise ideas about MAC and so
forth?

In any case, I was mildly perturbed to realize that OpenBSD's author also
maintains OpenSSH, which has only just now been shaken out of its disturbingly
complacent development mindset
([http://lwn.net/Articles/702751/](http://lwn.net/Articles/702751/) ); OpenBSD
is likely to never experience something similar, which is sad - it would be
truly interesting to see the level of scurrying and fixing that would happen
(and just how much OpenBSD really deserves its security track record)...

For a counterpoint, I also read this nice and positive argument recently:
[http://cfenollosa.com/blog/openbsd-from-a-veteran-linux-user...](http://cfenollosa.com/blog/openbsd-from-a-veteran-linux-user-perspective.html)

And I found this page a while back, on OpenBSD as a router:
[http://www.skeptech.org/blog/2013/01/13/unscrewed-a-story-ab...](http://www.skeptech.org/blog/2013/01/13/unscrewed-a-story-about-openbsd/)

~~~
brynet
OpenSSH is not OpenSSL. OpenBSD had nothing to do with the trainwreck that is
OpenSSL.

~~~
i336_
Unless I'm mistaken, Theo de Raadt was the author of both projects.

~~~
brynet
> Unless I'm mistaken

Indeed.

~~~
i336_
...I am not having a good brain day today.

1. In my previous comment I meant OpenSSL, not OpenSSH.

2. So I just established that Theo is the author of _OpenSSH_, while
_OpenSSL_ is the large pile of fail. I certainly recognize the difference
between the two, but failed at reading while researching about OpenBSD.

Thanks.

And now my view of OpenBSD is a bit more positive :)

