You, BB, and Tux may huff, puff, insult, gainsay, and dissemble until blue in the face, but that won't change anything in reality.
True but I'm hardly doing any of those things.
Bickering and playing word games don't cut it, especially when a statistical modeling expert (specialized in computer security) is schooling you on the facts and logic of the issue at hand.
What, other than Maud-dibs say-so has you thinking he's any kind of expert in statistics? I mean other than that he appears to agree with you. Can you point me to a specific, well supported point he has made? From where I sit if there was an award for uninformative posts. I think maud_dib would be a contender.
I repeat: Referring to a commonly known fact, such as the security of BSD vs Linux, is not an argument.
Actually it is. We call it an implied argument from popularity
. It's no more compelling than people who say: "It's a well known fact that <racial/ethnic group X> is <deficiency Y>".
I think you must be pulling my leg here...any reason that you take the word of this random person on the internet? I mean other than that they appear to agree with you?
Security is a difficult and sometimes controversial thing to analyze. The only truly "secure" operating systems are those that have no contact with the outside world. The firmware in your DVD player is a good example.
This reads a lot like someone who heard a college lecture and is making "broken telephone" mistakes in repeating it. I've heard this used as a theoretical
example. That is, a system which has no contact with people or machines at all is secure by definition but that's because 'security' is probably being defined as 'Allowing only the right people access to the right things'. Allowing nobody access to anything is clearly conforming to that definition. However that is also an example of the most useless system. So sometimes people use this example to refer to attacks that are network related. So again, yes removing the ability to talk on the network is yet again, conforming to our definition. However the network isn't the only way people gain access to information. Ergo while a non-networked computer is immune to network attacks. It doesn't mean it's immune from the wrong people getting access to information. A computer could have no network card but be physically available. Terminals in our university library were able to access some machines without using a network connection. As they were hardwired into a serial console connected to the computer.
Using a DVD player as an example is either wrong, dated or unclear. DVD Players allow physical access and some even allow network access.
only two remote attack vulnerabilities have been found in the last ten years. This is because OpenBSD doesn't create a large attack surface by running a large number of networked apps.
Actually this isn't quite correct. The actual tagline was:
"Only two remote holes in the default install
, in a heck of a long time!" (emphasis mine)
I addressed this already. The best argument you can make here is that an OpenBSD box with nothing else installed is secure from a remote attack. However that doesn't really tell you much about OpenBSD code, review procedure, or their overall security model. So it doesn't say the average OpenBSD box is secure nor anything about how secure an OpenBSD box would be when running a common application in a production environment and it sure doesn't say anything about when compared to a Linux machine that has been secured by someone qualified to do so.
What OpenBSD attempts to do is commendable but the statement is closer to marketing hype than a useful security metric.
I've met Linus Torvalds in person. He's a nice guy, and it sucks his baby is being reprsented here by fanboi suffering from Tiny E-peen Complex.
Linus has publicly been more critical of the OpenBSD development model than I have been in any of my posts. In case you keep missing it. I simply deny that there is clear evidence that in any real-world environment a secured OpenBSD (or a FreeBSD) box is more secure than a secured Linux box. That isn't saying that OpenBSD isn't good, nor is it saying that Linux is the best.
Very well put; an elegant statement.
...and inaccurate. I've already given examples as to how OpenBSD has avoided proactive security measures either because they consider their existing security sufficient or Theo D. has gone a little nuts.
I love that some ITT Tech foolio is questioning the methodology of a trained statistical modeler.
First, your use of "statistical modeler" instead of simply "statistician" is adorable! Second I think it's more me saying "Where exactly *is* your methodology?" and maud_dib kind of pretending that methodological transparency isn't important.
there’s evidence to suggest that most Linux distributions are not up to the standards of FreeBSD, for instance — let alone OpenBSD, with possibly the best security record of any general-purpose operating system.
This article is all over the place. At first he says there is evidence to suggest but he doesn't say what that is, The only thing he seems to mention is the OpenBSD tagline (which says nothing about FreeBSD). He does make this other interesting quote later on:
One of the most common criteria used by people who don’t really understand security, and by those who do understand it but want to manipulate those who don’t with misdirection and massaged statistics, is vulnerability discovery rates.
Isn't this one of the two primary metrics that maud_dib espoused? According to this guy he says maud_dib 'doesn't understand security'. I've already given my rationale for why these rates aren't such a good metric.
He goes on to mention a few more metrics without any rational why these are particularly useful.
i) code quality auditing
ii) default security configuration
iii) patch quality and response time
iv) privilege separation architecture
i) I don't agree with this as prima facie
it's difficult to express it as a metric. What units does "code quality auditing" come in?
ii) Likewise this is hard to express usefully as a number and it's really only meaningful to people who are in the habit of deploying systems in their default configs.
iii) If by 'quality' we mean a binary condition consisting of: a) Does it fix the security problem b) Does it cause another security problem. This is a metric I actually like but there's no information as to how FreeBSD, Linux and OpenBSD differ in this respect.
iv) Again I like this idea but it's difficult to express in units. Perhaps some categorical?
It's entertaining how, when his on-topic nonsense is corralled and put down, he simply disputes whether or not you *really* have an MS in stat.
...so on your Internet nobody pretends they're something they're not? I can see how security seems so easy over there then. Just make your login sequence ask: "Hey are you *really* supposed to be accessing this system?" since where you are everyone is completely honest. All attackers will be forced to say "No". Then you can log them out.
Where I am people regularly attempt to fake it. As I've already said my position is simple. Maud_dib has provided very little in the way of what he was attempting to do with his "psi", how it was meaningful to computer security and what data he was supplying to it. He has had multiple opportunities to clear up some very simple questions. I think that means the alleged statistician has earned some skepticism.
Besides I've provided a dearth of information as to why I hold the positions I do and I'm open to argument on those points. So far all you want to say is your position is a "fact" and therefore requires no support. Which is fine, have any sort of religion about computers you want but it's hardly surprising when those of us above the age of seventeen think the world is a little more complicated than you suggest.