Bugtraq mailing list archives

Re: Fwd: Any user can panic OpenBSD machine


From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Tue, 28 Jul 1998 12:47:29 -0600


> Dunno. If your ISP was running on OpenBSD it would be pretty damn
> annoying.

Sure it would be.  Luckily the kernel debugger tells you which user
did it.  Now, shall I list 50 ways to crash a NetBSD box from the
shell?

> Personally, I find the constant claims that OpenBSD is more secure
> than FreeBSD and NetBSD annoying.

That's fine Perry..  many of us find you annoying too.

I have seen public claims by Warner Losh (a FreeBSD auditor) that
OpenBSD is more secure.  Alan Cox has made similar statements.  So has
Chris Evans (Linux security audit project).  The L0pht folk have been
impressed with our efforts.  Apparently even some AT&T security people
like what they see. I could probably grab more names out of the hat.

But who knows, they may be wrong.  Our team will keep auditing.  Our
work is not done.

We are trying to do something.

> We all do extensive security work.

Well, I am unaware of any _new_ security problem reports coming out of
the NetBSD community in the last while.

(i.e. the recent at(1) problem which your team's "security work" brought
to light appears to have affected no one else. It looks like everyone
else already had that fixed ages and ages ago).

I'd provide more examples of NetBSD security work, but I think I've
just exhausted the list.  I'm sure you've got a more substantial list
of new bugs discovered by the NetBSD team.

If people want to have fun with NetBSD systems, look at some of the
problems described at www.openbsd.org/security.html.  Many of those
bugs (and patches) have been posted there for months, yet the NetBSD
group is apparently too busy with extensive security work to look into
fixing those problems.  There might even be a crashing bug there.

You're taking a little localhost "any user can crash the machine" bug
and trying to extrapolate that into a failure of our auditing process.
Are you trying to goad me into stooping to your level the next time I
see an "any user can crash the machine" fix applied to NetBSD?

> This is just another example of a fairly common situation -- in
> which OpenBSD has a bug that other BSDs don't. Sometimes it is the
> other way around, too, but you'd think from the propaganda that it was
> always, or even usually, OpenBSD that was the most secure system.

Well, over the last two years it does look like we found and fixed
most of the holes first.  I think so.  Everyone, have we been doing a
good job or not?

But you are disputing that, right?

Perry -- I see your NetBSD commits! You don't even do security
commits!  You don't even try to fix security problems (but you
lambaste people who do try).  I think you do not know what you are
talking about.  You mostly fix man pages and change the spelling of
NORVEGIAN to NORWEGIAN!  (I should compile a list of perry commits so
that people can see how weak Perry's credentials look).


