===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/security.html,v
retrieving revision 1.34
retrieving revision 1.35
diff -c -r1.34 -r1.35
*** www/security.html	1998/02/24 19:47:15	1.34
--- www/security.html	1998/02/24 21:15:26	1.35
***************
*** 61,76 ****
  programming errors in code and then only months later discovered that
  the problems were in fact exploitable.  In other cases we have been
  saved from full exploitability of complex step-by-step attacks because
! we had fixed one of the steps.  An example of where we did this is the
  <a href=http://www.secnet.com/sni-advisories/sni-19.bsd.lpd.advisory.html>
! lpd advisory from
! Secure Networks.</a><p>
  
! This proactive auditing
! process has really paid off.  Statements like ``This problem was fixed
! in OpenBSD about 6 months ago'' have become commonplace in security
! forums like <a href=http://www.geek-girl.com/bugtraq/index.html>BUGTRAQ</a>.<p>
  
  The auditing process is not over yet, and as you can see we continue
  to find and fix new security flaws.<p>
  
--- 61,89 ----
  programming errors in code and then only months later discovered that
  the problems were in fact exploitable.  In other cases we have been
  saved from full exploitability of complex step-by-step attacks because
! we had fixed one of the steps.  An example of where we managed such a
! success is the
  <a href=http://www.secnet.com/sni-advisories/sni-19.bsd.lpd.advisory.html>
! lpd advisory from Secure Networks.</a><p>
  
! This proactive auditing process has really paid off.  Statements like
! ``This problem was fixed in OpenBSD about 6 months ago'' have become
! commonplace in security forums like <a
! href=http://www.geek-girl.com/bugtraq/index.html>BUGTRAQ</a>.<p>
  
+ Most of our security auditing happened immediately before the OpenBSD
+ 2.0 release and during the 2.0->2.1 transition.  Thousands of security
+ issues were fixed rapidly over almost a year, like the standard buffer
+ overflows, protocol implementation weaknesses, and filesystem races.
+ In the time since then, the types of security problems we find and fix
+ have tended to be more obscure or complicated.  Still we will persist
+ for a number of reasons:
+ <ul>
+ <li>Occasionally we find a simple one we missed before.
+ <li>Security is like an arms race; the best attackers will continue
+ 	to search for more complicated exploits, so we should too.
+ </ul>
+ 
  The auditing process is not over yet, and as you can see we continue
  to find and fix new security flaws.<p>
  
***************
*** 152,158 ****
  <a href=index.html><img src=/back.gif border=0 alt=OpenBSD></a>
  <a href=mailto:www@openbsd.org>www@openbsd.org</a>
  <br>
! <small>$OpenBSD: security.html,v 1.34 1998/02/24 19:47:15 deraadt Exp $</small>
  
  </body>
  </html>
--- 165,171 ----
  <a href=index.html><img src=/back.gif border=0 alt=OpenBSD></a>
  <a href=mailto:www@openbsd.org>www@openbsd.org</a>
  <br>
! <small>$OpenBSD: security.html,v 1.35 1998/02/24 21:15:26 deraadt Exp $</small>
  
  </body>
  </html>