Is OpenBSD a Little Too Open?

Upcoming Events

Cloud Connect March 16-18

Comprehensive thought leadership for executives, IT professionals and developers. Topics include: the ROI, cost and economics of on-demand computing; Migration strategies to move from on-premise to cloud-based IT; Vertical cloud specialization, tailoring features and architectures to specific applications, industries, and customer ecosystems

Email Print Share

0 Comments

Posted by Jordan Wiens on March 29, 2007

For many years OpenBSD has claimed, "Only one remote hole in the default install--in more than 10 years!" That count has now jumped to two.

A vulnerability in the way many versions of OpenBSD handle IPv6 packets exposes them (at best) to compromise from their local subnet and (at worst) on IPv6 routed networks, remote compromise from any other IPv6 location. Even on an IPv4 network, the IPv6 interface is enabled by default and would be available on the local subnet, though this does mitigate the risk of the vulnerability somewhat.

Core Security Technologies found the vulnerability and worked with the OpenBSD team. But the vendor contact log included in the advisory hints that the OpenBSD team may be rusty in handling security events, or the usual "responsible disclosure" mechanism didn't function as well as designed. Not only did the OpenBSD folks initially deny the "vulnerability" status of the bug (believing it was only a remote denial of service), but it appears public disclosure of the vulnerability was uncoordinated.

That said, other OSs--and you know who you are--would kill for a security track record like OpenBSD's. --Jordan Wiens, jwiens@nwc.com

0 Comments

Add Comment

Add Your Comment:

Disk Storage, Heal Thyself

No-maintenance RAID arrays will deliver more efficiency and higher performance, and save money to boot by obviating expensive maintenance plans through built-in spares and other self-healing features. IT groups, especially those with remote locations, could save themselves a bundle by adopting this technology sooner rather than later.

Silo to Gold Mine: What CMIS Can (and Can't) Do for ECM Integration

Enterprises know they could wring more value from their enterprise content management system investments. Unfortunately, integration and interoperability are sticking points. In this Strategy Session report, we investigate whether Oasis' new open Content Management Integration Services standard could be the answer to these woes.

Download: 10 Gotchas That Derail ECM Initiatives

Enterprise content management deployments are fraught with dangers, such as weak search capabilities and poor requirements definitions, that can grind projects to a halt. This report helps CIOs and project leaders move beyond gridlock, choose the right tools and foster seamless integration.

Video

Network Computingwww.networkcomputing.com

Home

News and Analysis

Tech Centers

Channels

Bloggers

Upcoming Events

Executive conference

Vendor Newsfeed

Subscribe to Newsletter