People who read this blog know I somehow like OpenBSD for some reasons. One passage in the FAQ I just read strike me as its what I also think:
In fact, as our hope is to continually improve OpenBSD, the goal is that -current should be more reliable, more secure, and of course, have greater features than -stable. Put bluntly, the “best” version of OpenBSD is -current.
Thats what I always though where Debian sucks. They have software which is many years old in the stable branch. They try to fix some security issues with bug fixes – but fact is that many early versions of software are broken by design and that very often newer software is better. Its not always a real security leak – sometimes early release dont require or provide some level of security – so to think that old software which has no reported bugs or leaks is better than a new one is just false and also dangerous. Old software enables hackers to work for years to discover vulnerabilities which is much harder on moving targets.
And about security in general: Statistics sometimes can help – but in the end all must come down to very practical issues. Like – some people think its necessary to run a full scale firewall on every webserver. This might make sense on some installations – but often this is overkill. And some measures like prohibiting password access via SSH is much more important than to block all but a few tcp/udp ports. Security is a very relative term. On one hand you can make your systems infinite insecure, even with the most secure OS – and OTOH you can invest endless time to make your system still more secure. I would vore for “practical security” – which means that your system should be bit more secure than you actually need. And it also should depend on how much money you got. So security is not only about how much YOU should do to your system, but also – if you have a cash cow web server – please pay some good people to take care that its secure. Think about how bad it is if you loose data. If its not bad at all you dont need to do much – mostly you want to make sure that you mails servers are not abused by spammers and its not easy to access your system. So please beware of this situation:
- All users (also mail users) are system users (this alone is not fatal, but…)
- They can change their own passwords and…
- They have SSH access
This would mean that simple user names like “john” could give access with password “1234” . And then some very simple SSH hacking is on your box. And then you better have a really secure system, because if this happens a hacker has all possibilities to work on the vulnerabilities. This may sound silly for some people, but I think that those things are propably more widespread and more problematic as if your InmageMagick is slightly outdated. Not to suggest you shouldnt update ImageMagick but some scenarios are more likely than others and should be looked at more closely.