[daneel_w]

> Sure, see any of the previous exploits for sshd, or any other software shipped in the OpenBSD default install.

Would you like to point to one that successfully utilizes a weakness in OpenBSD itself, which is the topic and implied statement of the video, rather than a weakness in some application running under the superuser?

Just to underline, I'm not interested in discussing the hows and whys of containing arbitrary applications where one or more portions are running under euid 0. I'm interested in seeing OpenBSD successfully attacked by an unprivileged process/user.

[yjftsjthsd-h]

Now to be fair, sshd on OpenBSD is part of OpenBSD rather than an add-on application and I think it would be fair to count exploits in it against the OS, if it had vulnerabilities there.

[DEADMINCE]

Any vulns in any package in OpenBSD's package repositories that they audited should count as a vuln against OpenBSD itself.

If OpenBSD users installed it through OpenBSD repositories and are running it will they be affected? Yes? Then it counts against the system itself.

[yjftsjthsd-h]

I'm not sure that's fair; was log4j a vulnerability in Ubuntu itself? How about libwebp ( https://news.ycombinator.com/item?id=37657746 )?

[DEADMINCE]

> I'm not sure that's fair;

It's the way most distros handled security vulnerabilities, though. Without looking, I'm certain Ubuntu has a security advisory for that vulnerability.

So I agree it might not be fair on the face of it or if doing a technical analysis or something, but if you want to compare OpenBSD security to other Linux distros by vulnerability count, (and so many who don't know better do), then vulnerabilities should be measured in the same way across both systems.

[DEADMINCE]

> Would you like to point to one that successfully utilizes a weakness in OpenBSD itself, which is the topic and implied statement of the video, rather than a weakness in some application running under the superuser?

I'm sorry, what? What kind of nonsense distinction is this?

Are you trying to very disingenuously try and claim only kernel exploits count as attacks against OpenBSD?

Why the hell wouldn't a webserver zero-day count? If an OS that claims to be security focused can't constrain a misbehaving web server running as root then it's sure as hell not any type of secure OS.

> I'm interested in seeing OpenBSD successfully attacked by an unprivileged process/user.

You realize there is very little that OpenBSD does to protect against LPE if there is any LPE vuln on their system, right? Surely you're not just advocating for OpenBSD based on their own marketing? If you want to limit the goalposts to kernel vulns or LPE's that already require an account you're free to do so, but that's rather silly and not remotely indicative of real world security needs.

If it's a security focused OS, it should provide ways to limit the damage an attacker can do. OpenBSD had very very little in that regard and still does, although things are slightly better now and they have a few toys.

And hey, fun fact, if you apply the same OpenBSD methodology and config of having a barebones install, you'll suddenly find at least dozens of other operating systems with equivalent or better track records.

Plan 9 has had less vulnerabilities than OpenBSD and has had more thought put into its security architecture[0], so by your metric it's the more secure OS, yeah?

[0] http://9p.io/sys/doc/auth.html

[daneel_w]

> I'm sorry, what? What kind of nonsense distinction is this?

> Are you trying to very disingenuously try and claim only kernel exploits count as attacks against OpenBSD?

Not at all. I clearly underlined that I'm not looking for cases fitting that specific scenario. The only moving of goalposts is entirely on your behalf by very disingenously misrepresenting my question in a poor attempt to try make your answer or whatever point fit. And on top of that, the tasteless pretending to be baffled...

[DEADMINCE]

> Not at all. I clearly underlined that I'm not looking for cases fitting that specific scenario

The thing is, we're trying to talk about the security of OpenBSD compared to its competition.

But you're trying to avoid letting anyone do that by saying only an attack against something in the default install you can do with a user account counts, which is absolutely ridiculous.

I'm not moving the goalposts nor am I pretending in any sense. Your approach just doesn't make sense, measure or indicate anything useful or relevant about the security of OpenBSD. I stated so and explained why.

But hey, keep believing whatever you want buddy.

[daneel_w]

> "The thing is, we're trying to talk about the security of OpenBSD compared to its competition."

> "But you're trying to avoid letting anyone do that by saying only an attack against something in the default install you can do with a user account counts, which is absolutely ridiculous."

I don't know who "we" are. The question I asked another poster, where you decided to butt in, regarded escalation from an unprivileged position and nothing else.

Nobody but yourself said anything along the lines of "only attacks against things in the default install 'count'", nor drew drew up comparisons against "the competition". You clearly have some larger axe to grind, but you're doing it in a discourse playing out only in your head, without reading what others actually wrote.

[dang]

Please don't perpetuate flamewar comments on HN. It's not what this site is for, and destroys what it is for.

I don't see as much of it in your recent history, which is good, but it's not good to let yourself get sucked into this sort of tit-for-tat spat.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.

[DEADMINCE]

> I don't know who "we" are.

We are the people having this discussion. That should be obvious. It's kind of funny you accused me of pretending to be baffled, lol. The irony.

You certainly had no issue discussing this top with me until I called out your claims/methodology as nonsense.

> The question I asked another poster, where you decided to butt in,

Welcome to the Internet!

> regarded escalation from an unprivileged position and nothing else.

Yes. And I pointed out why this is an absolutely nonsense approach. You realize getting root on OpenBSD is significantly easier than several other setups or Linux distro's you've probably never heard of, though, right?

So, what is it? Afraid to be wrong? You brought too much into the OpenBSD marketing, so now it's a sunk cost for your ego?

> Nobody but yourself said anything along the lines of "only attacks against things in the default install 'count'", nor drew drew up comparisons against "the competition".

This is exactly what you imply when you want to limit attacks to LPE's that require a user account, lol.

> You clearly have some larger axe to grind, but you're doing it in a discourse playing out only in your head, without reading what others actually wrote.

No axe to grind. Just calling out bad claims and reasoning.

Even now, you've successfully got us discussing semantics and nonsense instead of you actually addressing the bs claims you made. Stellar job.

[dang]

You've been posting huge numbers of flamewar comments lately. That's not what HN is for, and destroys what it is for. If you keep this up, we're going to have to ban you. I don't want to do that, so if you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules from now on, we'd appreciate it.

By the time a commenter gets to violating the site guidelines as egregiously as this, it's almost always the case that they should have stopped posting a lot sooner.

[medguru]

Not sure if you reflect at all over your own texts. You come off as projecting, incoherent and cognitively dissonant.