On 2020-04-09 10:55, Rudolf Leitgeb wrote:
> My point was, that security is an ongoing effort. Flaws and new
> exploit venues are discovered. There will be different numbers
> of flaws for different operating systems, but none remains unscathed
> for years. As soon as your server does anything useful, it will
> present an attack vector to the outside world, and one needs to
> be aware of it.

OpenBSD has remained unscathed for years with sshd listening by default, despite
sshd doing some complicated things. Take IPv6 out of the picture and it's a very
long time? Note that IPv6 is way more complex than it should have been, like
ASN.1, due to a committee. OpenBSD resisted IPv6 for a long time and I still
don't use it; neither does my phone network or ISPs, on my side.

I'm not sure anyone has said OpenBSD is infallible or that what OpenBSD strives
to achieve isn't great.

What I said was that the idea that everything is hackable is complete nonsense.
I am not saying sshd is infallible, but you can run all sorts behind sshd and it
can be a very useful server. You can take some of the security designs, like the
priv sep of sshd, and make a simpler service arguably unhackable. People have put
services out there and said "I will pay you to hack me" and remained unhacked.
Maybe the amount was too small. You could argue sshd will be broken by quantum
cryptography one day. It might and it might not; the mantra "everything is
hackable" is still misleading and FUD.

Conversely, if everything was easily hackable then we probably wouldn't use
computers, at all.

"Unhackable" is an unknown. It is normal to fear the unknown. It is right to
hold many to a higher standard of security. Saying everything is unhackable is
almost like saying "what's the point in securing anything?", or "spend lots of
money and we will worry about that for you."

That is wrong.
