What are your thoughts on this article?

stratacast1

#3
Apply Betteridge's law of headlines
LOL! That's funny, I'd never heard of that before. I would like to see this thread turn into a bit of a discussion on security. I don't know much about the development cycle of the BSDs, how bugs are handled and such. What I do know, however, is that I did report a ZFS bug (dry run is broken in some cases) myself and the response was essentially "no one really uses dry run for that case". So then, is there truth to potentially serious bugs/security holes just being deferred in FreeBSD when they really shouldn't be?

OJ

#4
As far as security is concerned, I think one would do better to compare users and use cases, rather than operating systems. We've all been living with lots of "low hanging fruit" vulnerabilities in hardware, operating systems, and users, for very many years. It would therefore seem that, historically anyway, it doesn't matter as much as people tend to think. I'm not sure this article serves any practical purpose.

Trihexagonal

#5
Some people think the Earth is flat, too.

Win10Pro came loaded on my W520 and I felt vulnerable to exploit the whole time I was online, which wasn't long, and I know how to lock it down.

I don't have that feeling at all on my BSD boxen.

ShelLuser

#8
My honest thoughts about that article? "Totally not worth my time". It's plain out nonsense that "many eyes provide better security" because even "many eyes" can easily overlook the obvious. And that's not just me venting a loaded opinion, that's my opinion based on numerous example situations which have occurred in the past, of which the Debian OpenSSL disaster is simply the most obvious one.

The main reason why I deem this unworthy of my time is this:

van Sprundel says he easily found around 115 kernel bugs across the three BSDs, including 30 for FreeBSD, 25 for OpenBSD, and 60 for NetBSD. Many of these bugs he called "low-hanging fruit." He promptly reported all the bugs, but six months later, at the time of his talk, many remained unpatched.
I'm not claiming that this isn't true (I can't make those kind of claims) but I do think that comments like these would have much more value to them if they also specifically shared the reports that were made. Give me PR numbers so that I can form my own opinion on this. Yet that important detail is carefully left out. "Convenient".

Then there's the rather obnoxious headline with "Dying". Seriously, the use of 'dying' has only one effect on me: it makes me believe up front that "they can't give a good solid opinion based on (proven!) arguments and therefore need a catchy catchphrase to draw more attention to it".

So how does an open source project "die" exactly? One good way is when no one is using it anymore, but the statistics on BSD usage prove otherwise. BSD is used in tons of environments, from the PS4 to that unknown machine which no one has heard of. Of course quantity doesn't make quality, but even so...

My problem with that is that you can read panic stories like these within all areas. Heck, I'm a big Minecraft fan and a pretty dedicated player. Guess what? "Is Minecraft dying? Researchers believe that to be the case" (I kid you not!) yet here we are, 2 years later and in anticipation of the latest upcoming update: 1.13, now dubbed "Project Aquatica". Dying indeed...

Modeling languages (such as UML, SysML) anyone? "Is UML obsolete?", same deal. Yet the whole thing is still being actively used today.

"Has Ableton died in favor of Bitwig?" (audio / DAW software comment). Gee, where did I hear those "dying" comments before? Oh wait, I know!

Summing up

To me every article which starts with "catchy" headlines such as the one in the OP is plain out unworthy of my time. "Is it dying?!" to me equals: "I need you to read this!!!!!!", usually while making assumptions and vague arguments which over the years will be easily debunked. Only problem is that by that time no one cares anymore.

Which brings me to another point: AdBlock Plus tells me that it has blocked 12 (that's kind of high) sources of advertisements on that website. So... is this really about spreading a well meant warning or could this also be about generating more revenue for oneself?

Same with that speaker I quoted... What better way to draw attention to yourself than by sharing a rather outspoken opinion? Wouldn't you agree that this is a solid way to raise your chances of getting invited to more seminars (which will also ensure you'll be receiving more paychecks)?

And the reason I'm starting to theorize in this direction is this:

The FreeBSD project pushed back on van Sprundel's findings, however. "One of the issues we have is there's a large variety of issues that are being found but there are some issues that have no practical exploit," Ed Maste, director of project development at the FreeBSD Foundation, and member of the elected FreeBSD core team, says. "We've started treating some of these as just bugs and not as security issues."
And this is exactly the reason why I consider the given arguments about "problems" extremely hollow if those aren't backed up by facts, such as shared PR numbers.

Considering the whole context I shared above (about a possible conflict of interest) I'm definitely more tempted to side with the FreeBSD foundation over this than the researcher who - in my opinion - is first and foremost more busy with selling his story. Note: even though I realize all too well that I'm basically not able to make those claims because.. Let's be honest: no one knows exactly what kind of bugs or issues we're talking about. Convenient indeed.

So yah...

CraigHB

#9
uBlock Origin on my browser tallied 34 blocks on that article. I think the article is more about getting people to click in for ad revenue.
stratacast1

#10
Thank you all for the very good input on this! CraigHB, I got 55 with uBlock Origin on the website.

The second I saw the article I thought it was clickbait myself, but sometimes I take time to read them just to consider a rebuttal. I'd like to be able to make a case for something if it ever comes up in conversation. I think one thing FreeBSD offers is a simple system to understand. It took coming from Linux to realize how much more straightforward FreeBSD is. I think that easy to understand software is a huge player in a secure system, because if the user doesn't know how to make it secure, then you already lost. I trust my Linux systems too because I've learned how to make them secure over the years, but I trust the foundation and its ability to make a good codebase, and it shows in how reliable the system is, where my Linux boxes would start to have problems in this time.

Datapanic

#12
It was Slashdotted Friday. I read it and thought about posting it here, but seriously, it's not an article worth reading.
stratacast1

#13
I thought the video that Preetpal posted was somewhat useful though. The video is the same guy but more of a presentation of his findings. However, I still found the conclusion pretty lackluster. Yeah yeah, you found vulnerabilities, good job. What was somewhat interesting though was how Linux (kernel) had 346 security flaws reported from January 1 to July 2017, but all of FreeBSD, NetBSD, and OpenBSD had 377 combined from 1999 to 2017. Hence his hypothesis of "are there just not enough devs looking over this stuff?" Well... considering FreeBSD was far more popular in the early 2000s than Linux, I think that debunks his thesis. I just see Linux having the marketing edge.

CraigHB

#15
It took coming from Linux to realize how much more straightforward FreeBSD is. I think that easy to understand software is a huge player in a secure system, because if the user doesn't know how to make it secure, then you already lost.
I'm fresh off the boat from Linux with FreeBSD. I tell you, it's amazing to me how much cleaner and more organized things are with FreeBSD. Much more straightforward. I was getting frustrated with how convoluted everything is getting on Linux. It's like security through obscurity. There are some things I'm missing about the old Linux system, right now I'm having a little trouble getting used to the disk partitioning tools, but nothing I can't get a handle on.

-Snake-

#16
I'm fresh off the boat from Linux with FreeBSD. I tell you, it's amazing to me how much cleaner and more organized things are with FreeBSD. Much more straightforward. I was getting frustrated with how convoluted everything is getting on Linux. It's like security through obscurity. There are some things I'm missing about the old Linux system, right now I'm having a little trouble getting used to the disk partitioning tools, but nothing I can't get a handle on.
Completely agree, I also come from GNU/Linux and it's amazing how clean and clear the FreeBSD base system is compared to the "chaos" in GNU/Linux.

herrbischoff

#17
I had opened a post (now deleted) on this without realizing it's already discussed here.

Apply Betteridge's law of headlines.
This is the feeling I had about it. The article itself appears to be pretty much in the realm of clickbait. Yet, if you take away all the urgent language and hyperbole ("dying"), what I'm most interested in is the way security vulnerabilities and bugs are addressed by FreeBSD developers. From what I can gather it appears to be a rather practical approach, vetting the potential vulnerabilities for possible real-world exploitability, leaving less critical bugs in place until later. While this is a common approach to security, it would help to know a little about the reasoning behind the patching of some bugs and the leaving of others without being a fully trained security engineer. Is there information regarding this I could use to educate myself?

sidetone

#18
https://www.csoonline.com/article/3...dying-some-security-researchers-think-so.html

Its points are: fewer developers than Linux, and differences in the amount of code among different BSD kernels. Knowing about the problems of mainstream Linuxes, I take this with a grain of salt.

BSD's are less bloated than most Linuxes. Anything with SystemD automatically negates any possible benefits of a kernel. GCC being or already removed from BSD's is another strong point of BSD's compared to most Linuxes. OSS (soon to be version 4 on FreeBSD) and Sndio outperform ALSA, PulseAudio, etc... In Linux/GNU, code is just piled on redundantly, to where when that code is ported here and fixed, 14 hours of bloat compile time has been done away with.

One area where other BSD's outperform FreeBSD is the simplicity of their ports in terms of cleaner dependencies, but this deficiency actually comes from porting from Linuxes with few improvements over how they were there. Another issue specific to FreeBSD is, while FreeBSD has a good reputation for documentation, there is a lack of committers or interest in updating it.

When FreeBSD 12 (at this time Current) comes out with ELF or Clang compiling utilities, maybe OSSv4 [audio/oss as ignored] and maybe Bluetooth LE (Low Energy) [https://github.com/takawata/FreeBSD-BLE] improvements, I think that will free up a lot of resources and be a catalyst for further improvements.

Come to think of it, there is a strong point in the BSD community with plenty of active members, FreeNAS.

sidetone

#20
It's plain out nonsense that "many eyes provide better security" because even "many eyes" can easily overlook the obvious.
In GCC, ALSA, Pulseaudio, GTK, Docbook, SystemD and Ubuntu, all they've done is overlooked the obvious and piled on 20 different dependencies for 1 need, 20 different times.

Then a flaw in Linux software is pointed out in FreeBSD, and they take it back to the Linux community. After that I wonder, if some Linux fanatics are in awe of the Linux community for thinking they discovered it, after that problem was unnoticed for 10 years by those many eyes, whose only solution was to pile on.

I even notice it when trying to figure out how to de-clutter a port. Someone reports a bug for a GNU related program in an attempt to clean it up, then they use that report to find a way to re-clutter it, in such a way that they've found a way to make a program whose purpose is only audio finally appear logically inseparable from graphics GTK code.

Linux is aggressive regression, if I ever saw it.

I haven't used NetBSD or OpenBSD yet, but those have to have the most efficient and least bloated ports of anything else.

CraigHB

#21
Linux is aggressive regression, if I ever saw it.
It's amazing to me the damage done to all of Linux/GNU by one large organization upstream. It illustrates a fault in the development model there. I think FreeBSD being more structured is not vulnerable to this failing, at least I hope it's not.

ronaldlees

#22
Some people think the Earth is flat, too.

Win10Pro came loaded on my W520 and I felt vulnerable to exploit the whole time I was online, which wasn't long, and I know how to lock it down..

I don't have that feeling at all on my BSD boxen.

HaHa - have you visited https://www.theflatearthsociety.org/forum? Over a million posts there are arguing over whether the earth is round or flat, but it is really a debaters club for 3/4 of them. Might be a few true believers tho :)

I feel that Windows is probably less good for me given the possible and suspected corporate data collection potentials that grow out of proprietary software, but it's probably more secure than OSS on a first visit to my bank, when I've used the browser for nothing else from the time of the installation of the OS. After the OS has been exposed to other sites, I'd feel some vulnerability on Windows thereafter. This gut feeling comes from reading headline results of penetration competitions conducted at some of the white/gray/black hat infosec conferences. This isn't advice, and I'm not an expert. You seem to be one of those (Win Sec expert), so I'd *really* be interested in your opinion. That said, I still don't use Windows.

Due to the blueprint that's available via any open source, I feel that targeted efforts against my OSS system and browser are more likely to be successful on that first trip to the bank, even when I've used the setup for nothing else. For non-targeted efforts I'd lean towards OSS, and feel more comfortable about it, and that is at least partially based on obscurity. That said, I use OSS for *everything*.

Forum activity is up, so the trolls are wrong.

k.jacker

#23
I mostly read the news on fb because people there know what they are talking about!
I didn't know the world was flat, but I believe it now. My teachers at school were wrong. Those stupid idiots!!!
And if you didn't know already... everybody who can write is right. That's why they write!!
They want to help us and teach us the truth, so that we can relax and see the world how it really is.
That's the reason for all those funny blinking ads. They should attract us, so that we don't let breaking news and revealed secrets pass by unread.

It's way too easy. Every click is another sheep on the pasture....

Trihexagonal

#24
HaHa - have you visited https://www.theflatearthsociety.org/forum? Over a million posts there are arguing over whether the earth is round or flat, but it is really a debaters club for 3/4 of them. Might be a few true believers tho :)
There are, check youtube. :)

This isn't advice, and I'm not an expert. You seem to be one of those (Win Sec expert), so I'd *really* be interested in your opinion. That said, I still don't use Windows.
Aside from a short run on Win7 to play Oblivion, Win10Pro was the first Windows I'd used since Vista. I had already read a lot on how it phoned home and such, some of it I knew from experience. I go through each firewall rule and set it as I please and make my own as I go to enforce it. By blocking TCP port 0 on Win10 it prevented it from doing something I didn't expect, I can't remember exactly what. It couldn't update itself or something with port 0 blocked. It's a rule I had always used before and I still block port 0 with my pf ruleset from my old Windows days.

I spent one whole day locking it down before ever going online. The time I spent online was to find more apps to lock it down further due to the "layered security" idea they adhere to, where you have to pile app upon app to do a job. The only sites I went to were Microsoft related and I still felt like the Sword of Damocles was hanging over my head the whole time.

I don't do online banking but I do use eBay a lot and on the same machines I use daily with the same browser. I know what scripts I'm allowing, type the URL by hand, have punycode disabled in my browser, etc. They might ask me to identify my 2-step authentication when I log in or my password again if I start to make a transaction. The first time I spoofed my user agent from FreeBSD they messaged "Something doesn't look right..."

So I am fairly confident in my BSD setup, and I do still have that Win10Pro HDD to play Oblivion, but I never connect it to the net anymore and still have the version before Creators Update.

sidetone

#25
It's amazing to me the damage done to all of Linux/GNU by one large organization upstream. It illustrates a fault in the development model there. I think FreeBSD being more structured is not vulnerable to this failing, at least I hope it's not.
It's more of a mindset. To a smaller extent, FreeBSD is vulnerable in ports, because some source code is brought over like so. In FreeBSD, it's not intentional. FreeBSD also relied on GCC for too long, so now more bugs inherent in ported code can be found and corrected. Ports is structured, but there is room for improvement by standardization.