[Cryptography] defaults, black boxes, APIs, and other engineering thoughts

Jonathan Thornburg jthorn at astro.indiana.edu
Sun Jan 5 15:25:34 EST 2014


I wrote
| What I see is low-security consumer
| systems (e.g., the usual stuff from Microsoft, Adobe, etc) doing
| dynamic updates every month or even every week.  But OSs which make
| security a very high priority, like (say) OpenBSD, aren't moving that
| way at all -- they're staying with the old "updates are manually
| applied by a (human) system administrator" model.
|
| The OpenBSD website points out that they've only had two remote holes
| in the default install in "a heck of a long time" (I think more than a
| decade).  So perhaps the manual-updates security model remains viable....

On Sun, 5 Jan 2014, Phillip Hallam-Baker replied:
> I believe the point of OpenBSD is that it is not a kitchen sink O/S which
> ships everything someone might want by default. That is certainly going to
> offer more security if you use it for a single purpose with a stripped down
> build.

That's certainly part of it:

from http://www.openbsd.org/security.html
# To ensure that novice users of OpenBSD do not need to become
# security experts overnight (a viewpoint which other vendors seem
# to have), we ship the operating system in a Secure by Default mode.
# All non-essential services are disabled. As the user/administrator
# becomes more familiar with the system, he will discover that he
# has to enable daemons and other parts of the system. During the
# process of learning how to enable a new service, the novice is
# more likely to learn of security considerations.
#
# This is in stark contrast to the increasing number of systems that
# ship with NFS, mountd, web servers, and various other services
# enabled by default, creating instantaneous security problems for
# their users within minutes after their first install.


> It also means that the O/S is not going to report a vulnerability
> each time sendmail gets rolled.

Actually, sendmail is (still) part of the current OpenBSD, and runs in
the default install.  I don't know if that sendmail is vanilla ISC or
if OpenBSD has local patches to it.

The OpenBSD project is working on a replacement MTA (smtpd), but this
isn't quite ready for full-time production use yet.


> But take OpenBSD and lard it up with the thirty packages that are written
> by the usual C-crew and the advantage is lost. Very few Microsoft or OSX or
> Linux security reports are for code in the O/S core. It is usually the
> support apps that cause the issues.

I agree, userland causes a lot more problems than kernels.  Fortunately,
there are things a kernel and a libc can do that help, by reducing the
incidence of bugs in userland code
  http://marc.info/?l=openbsd-tech&m=138733933417096&w=1
and/or by blocking some bugs from being exploitable
  http://www.openbsd.org/papers/ru13-deraadt/


> the thirty packages that are written
> by the usual C-crew

Only 30? :)

But this raises some genuine questions:
* Is there a secure web browser?  My trust level in any of the biggies
  (Microsoft, Apple, Google, Mozilla) is low...
* I've just booked a hotel room in <distant city>; the hotel sent me a
  .docx file which claims to be a confirmation.  Is there an "office suite"
  in which it's safe for me to look at that .docx file?
* Same question, but for pdf files?
* For bonus points, can that pdf-viewer edit fillable pdf forms?  I have
  seen claims that evince or mupdf can do this... but neither seems to
  handle either US or Canadian tax forms. :(

-- 
-- "Jonathan Thornburg [remove -animal to reply]" <jthorn at astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
    at any given moment.  How often, or on what system, the Thought Police
    plugged in on any individual wire was guesswork.  It was even conceivable
    that they watched everybody all the time."  -- George Orwell, "1984"
