Slashdot Mirror
OpenBSD: Hackers Meet Soldiers
BSDForums writes "OpenBSD has a well-deserved reputation for fanatical security. Why is the U.S. military funding it? What do you get out of it? Cameron Laird and George Peter Staplin investigate and talk to Theo de Raadt, the creator, overseer, and taskmaster of the OpenBSD project!"
Why is the U.S. military funding it? What do you get out of it?
Mulder, is that you?
Do you like German cars?
I thought OpenBSD was designed with the idea of providing the most Open ported version of BSD rather than for fanatical security. But now knowing that, I have yet another reason to switch.
BSD is Bad Ass!
Imagine a Beowulf cluster of fork-touting BSD daemons... they'd call it an army!
Why not? They've tried it with Windows nt, which didn't work, so maybe there's more trust in open systems since then.
I've been wanting to set up an OpenBSD installation on one of my boxes for a few months now but the task of installation looks rather daunting according to their FAQ. Can anyone here who runs openBSD or who has installed it a few times and has a grip on the process email me with some thoughts about exactly how rough it would be for a BSD n00b, like myself, to do his first installation.
Choose wisely you must...
I never knew any reason to consider OpenBSD (versus FreeBSD or one of the Linux distros). But security is a pretty good reason. I think I'll put OpenBSD on one of my servers and see how it looks. Thanks, Slashdot!
"Lord, grant that I may always be right, for Thou knowest that I am hard to turn" -- A Scots-Irish prayer
In a nutshell, not everyone in the "government" is a complete idiot ... *gasp* ... and sometimes ... just sometimes these "agencies" come up with supporting something that is actually useful to them and what they're trying to do.
OpenBSD is designed with security in mind. The article goes into great lengths about OpenBSD and what they've managed to acheive.
Anyone who has read my comments knows that I'm pretty much a BSD cheerleader because when I start to work with servers I will always pick a BSD solution wherever possible.
For many reasons there is a level of obscurity (try explaining to a "1337 h4x0r" what a "wheel" is ...) which also goes along with that there is some differences in the file structure as well (slackware doesn't count).
Plus theres the stability, I know linunx is stable, but the BSD stability is tested for stability and there isn't any "new exciting" features plugged in and not tested (okay at least in OpenBSD ... NetBSD does NOT count for this argument *grin*)
And my absolute favorite NO MORE THAN YOU NEED is installed!!! Something that I have also been arguing over in the SuSE disucssion ...
So what do we have, Simple, Stable, and Secure ... KISSS!!
Go DARPA, I've got tuition to pay so I can't buy an OpenBSD CD Set this semester :-(, but I did pay income taxes (so I guess I did kinda fund OpenBSD!!!)
Ignore the "p2p is theft" trolls, they're just uninformed
I mean the US military is funding it. Commercial software I might be a bit wary of. Least with Open Source other people can vet the code to make sure there isn't any backdoors. You get the best of both worlds so all in all I'm up for this
Rus
Cheap UK and US VPS
My guess would be that the military will either take OpenBSD, combine it with some code from the NSA, and make a really secure OS, or take some code from it and add it to an OS they already use.
What do you get out of it?
It's Free Software so we get to see the source code that's being developed as part of the project. We get to tweak that code, make it better, port it to another system, etc.
I think it's pretty cool the US Gov. is partially funding OpenBSD. I guess it's no different that government grants to universities for medical research and such.
I was not touched there by an angel.
Kind of like how Microsoft keeps its code private for security reasons too....
If BSD really is as secure as it has been touted, why keep your choice private "for security reasons"? Sorry, I don't mean to flame, but this statement has done more to hurt BSD than help it.
The society for a thought-free internet welcomes you.
Ok, before I get started, let me say that OpenBSD developers and users have no patience for people who aren't willing to read documentation, since they pride themselves on it (even man pages) being extremely well written and kept up to date. If it's not, file a bug, and _IT WILL GET FIXED_ (of course if it's just _your_ problem, then don't file a bug regarding the project, file one in your own bugtracking system as something you need to work on).
That said, the following FAQ explains the installation process far better than anyone writing you email ever will be able to, including a complete install process in grey, which has example responses in bold [for the most part]. If you can't get it from this, then you aren't reading, and it doesn't matter if someone writes you an email message with the same thing (written more poorly no doubt). If you can't read and follow instructions, then OpenBSD is not for you, and honestly - you shouldn't bother.
Most people don't have this problem, but there are always some feeble minded folks who think that life is easier if they're spoonfed on IRC and the like. To such people: you aren't welcome. The answer to this attitude has already been given: don't ask questions that already have explicit, clear answers publically available.
If you have a problem with the instructions (not enough detail supplied, typos, etc.) then please let the OpenBSD developers know about them in order that they may be corrected. If _you_ have a problem, in that you can't understand them, well... maybe it's _JUST YOUR PROBLEM_. It might be something that you need to work on. Of course, there is an opportunity for things to be unclear, and in such cases - again, submit a bug: "such and such statement regarding fdisk is unclear, suggest more detail on partitioning so that xyz is unabiguous"
Now, if you -want- to install OpenBSD, go read:
http://www.openbsd.org/faq/faq4.html
For those of you interested in this topic, you should also be aware of RedHat's DII COE (Common Operating Environment) kernel available at DISA. The kernel is available at http://diicoe.disa.mil/coe/kpc/linuxpc.html
The creation of DII COE kernel for RedHat implies that there may be some pressure to accept GNOME as a valid component of the Joint Technical Architecture (JTA).
In other words, the military bureaucracy is beginning to accept the fact that linux is part of the modern computing landscape. (Watching the wheels of military technology turn is like watching grass grow)
There is no possible way OpenBSD can be that secure and stable without stolen key Sco OpenServer source code.
No and ifs or buts. Its not like this technology is well known or taught.
After all, everyone knows that sco is the most stable, secure, and scalable unix ever made. All the great unix's borrow code from sco. There is no way Sun could of made solaris scalable without the ultra secure and scalable Xenix code. Just ask David Bois. Shesh.
http://saveie6.com/
The article tells me nothing.
... Right...
So OpenBSD needed DARPA funding to make the MMU trap jumps to the stack?
Also, Slashdot made it sound like this article is an interview, which it is clearly not...
I'm a senior in high school. I will most likely go for a CS major. I have a friend and he has used FreeBSD (so have I). In my eyes, working on something like FreeBSD is prestigeous. even though many are saying that "*BSD is dying", they never said that *BSD WILL die, which I think wont happen, ever!!! (the original projects might close, but there will derivative upon derivatives upon derivatives) *BSD is dying, but it will never actually die! ^^^ my two cents.
Not to harp on more publicity for OpenBSD, but this piece was a real letdown. One quote from Theo in the whole thing?! (note, I do not consider quoting terms such as "unix semantics" or "setuid program" to be substantive -real- quotes).
Maybe this will be useful to those who have never heard of OpenBSD, or are unfamiliar with its improvements for the past two years (only propolice incorporation is something more recent) - but for anyone with more than a cursory knowledge of the project, this is just not good journalism. Here you have an opportunity to have Theo answer your questions, and really get down to the meet behind the scenes, how the DARPA funding came about - how they approached him, whether there were any conditions to the work, if OpenBSD could use more of this funding, etc. But no, nothing, one quote - no new insight.
This might serve OK as an advocacy piece, and hopefully it will. But if you have two people "talk[ing] to Theo de Raadt" you would hope that they would have some more to talk about.
I find that reading interviews are far more enlightening than summary tripe such as this, because you're not just presented with a set of facts, but you get to hear information that goes beyond just the answers to questions. Often times, you then learn about things beyond the scope of the story, upcoming developments, sore spots. Say even a mention of how unfathomable it is that Sun has been holding back documentation to OpenBSD, given how many other private, public and governmental organizations (e.g. DARPA) that make no pretenses about support the opensource community are providing support to OpenBSD, whereas Sun is totally going against their own doctrine and ignoring OpenBSD developer requests (not even _offering_ an NDA as Linux et al have been presented with).
If this were a paper for a class or a personal site, fine no problem, what can a student or hobbiest do? But if you are in a position to provide journalism, it's really sad to see that power completely wasted in such a way.
Oh well, at least it can be added to the "OpenBSD is secure, free and neat, you should buy a CD" article pile, oh, I forgot to mention - continually overlooked. I guess there can never be too many of those, but it's sure starting to feel that way.
And -TWO- people wrote this article. Goddamn, two people, no brain.
Although OpenBSD has recently gotten a reputition for being ubersecure, and thus this article about how it has been getting funds from DARPA, it is by no means unique. It seems that this perception of OBSD has come from its ability to do encrypted swap, and encryption in most faculties; however, it blatently neglects disk based security.
I'd like to point out that DARPA is also funding the FreeBSD project, specifically enabling the development of FBSD 5.0's geom/gbde functions, which enable a fully modular disk access system, and transparent drive encryption. Really cool features, and it looks like once the code gets a stronger review from the crypto community it should really open up the possibilites for securing FBSD.
**AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
It would seem to me, that for 'enterprise' level government work (i.e. defense related software) that stability would be more of a requirement than speed, portability or feature-set.
You don't want your tank software blue-screening in the middle of a fight. "Hold on guys, don't fire at me for a second, I need to reboot my tank."
Alot of UNIX vendors have realized this, and they know that if they make products that the gov'ment likes that contains the features that they need, then they will continue to sell products. Lots of products. Its not so much a niche market, more like market share.
Fortunately, it's open source. We can learn from it and take the lessons with us to other code. While there are a lot of people getting mileage out of the amount of malware out there that attacks Windows, one of the reasons there is so much of it is that it is absolutely no challenge to find Windows machines on the net because of their sheer number. And many of them are poorly secured because Windows is the OS that is shipped on machines that are sold to people who have neither the knowledge to secure a computer nor the time to learn how.
There are several efforts to improve the security of Linux and *BSD. In the end, I think they'll benefit us all. Bruce Schneier talks about the window of exposure in his book Secrets and Lies. Efforts to improve the security of open source OSs have several benefits in reducing that window.
Some bugs will be fixed before they are ever exploited. A security vulnerability is still a vulnerability. But the damage is much less in this case.
Some bugs will be fixed faster after they are first exploited. Again, this reduces the damage that is done.
But in the long run, a greater benefit is the number of people who acquire some knowledge of how to analyze and test for security vulnerabilities and how to fix them. That is going to be greatest in open source. It provides the opportunity for competent programmers to wear the white hats.
The net will not be what we demand, but what we make it. Build it well.
Quick, someone call up that SCO lawyer. Tell them that OpenBSD has got recognition from DARPA for security. I am sure they will file a claim of $1 billion against them too. The next day, the U.S. army will "accidently" test a MOAB on SCO hearquarters.
We will no longer need to worry about the lawsuit they filed against IBM.
My mom never taught me to sign.
Openbsd is about qualtiy. It has les bugs, which equal less possible exploits, but security is not their objective. Hell, they only recently got a basic acl and added stack protection, stuff that has been available for *ages*
Oh, and theo's stubborn incorrect opinion that users don't need security models. This is wrong, as we need stuff like rsbac or grsecurity to bring *nix security up to a powerfull level.
With OpenBSD not implementing such a basic ideaology, They might suceed as a hobbiest OS, but never as a *secure* os.
i suggest redhat for an easy install and all the software you need.
I had a lot of problems compiling and installing software on mandrake that I just havn't had on redhat
Contributions to BSD don't really help us as much because they can just be forked off into proprietary OS'es like Microsoft - which they will promptly use to put the reams to us with custom extensions. It would be much nicer if they went all GPL and nothing else.
I think the real problem is this attitude that free software is morally and intellectually equivalent to "owned" software. IMHO, this is an intellectual fraud, it screwed SCO, it will screw Sun, and it will screw us too until we finally get it.
A world with OpenBSD is much safer than a world OpenBSD.
This holds even more if you do not use OpenBSD.
(Like cars are much safer in a world with crash dummies;)
I've been installing via a boot disk and FTP ever since my first OBSD installation. It has consistently been the easiest installation I've ever used. Much of that is because it is a very minimal installation and you must explicitly install packages from the ports tree after the system is running (a minimalist quality that I very much like). The most complicated part of the install is using the disklabel. Your OBSD installation will probably exist entirely on a single physical partition (represented by slice C in disklabel), you'll add other slices (a, b, d, etc) for swap, /, /var, /tmp, /usr, etc. This can confuse some people because other operating systems group filesystems by a physical partition, not a slice within a partition. The rest is even easier by comparison.
I have the desire (but not the skill) to port as many security features from OpenBSD to Debian as possible without massive license violation. Anyone know if such a project is in the works? (And if not, why not?)
Daniel.
Free software, not Iraq, because Bill Gates is evil & Saddam is just misunderstood.
Things that make you go: Hmm
BSDForums writes "OpenBSD has a well-deserved reputation for fanatical security. Why is the U.S. military funding it? What do you get out of it? Cameron Laird and George Peter Staplin investigate and talk to Theo de Raadt, the creator, overseer, and taskmaster of the OpenBSD project!"
/. posting.
OpenBSD has a reputation for very good security. I wouldn't consider the quest for strong security "fanatical" any more than I would consider the quest for a bug-free operating system "fanatical."
Why is the U.S. military funding it? What do you get out of it?
The U.S. military is funding it because it makes sense to do so. Anyone who looks at OpenBSD's record for security and stability, the fact that it is free to use and modify in any way you desire, and doesn't consider it as a potentially cheap and useful platform for security applications...well, they aren't thinking clearly.
What do you get out of it?
I find it makes a great platform for firewalls and terminal servers, among other things. Ones that are reliable, very secure, with no software cost and lot of online support information.
Cameron Laird and George Peter Staplin investigate and talk to Theo de Raadt, the creator, overseer, and taskmaster of the OpenBSD project!"
They may have talked to Theo, but they sure didn't *quote* him much. The article was very thin on information. In my opinion it hardly merited a
I seem to recall that OpenBSD was developed exclusively outside the USA because of export restrictions on crypto. Now it is being funded by DARPA? I am little confused on the matter, but thought that it was an interesting enough point to post.
I use FreeBSD for Internet Services OpenBSD VPN/Router/IDS NetBSD EOF Exotic Hardware running modern O/S e.g http://www.spectechnologies.net/projects/ehardware /index.html
Solaris Database/CAD WS
Win2000 Games/office
Linux cluster/3d viz
http://www.spectechnologies.net
projects @ http://spectechnologies.net
I recently wiped Win98 off an old deskpro 4000 with the idea that I would make a firewall/router/whatever box (for fun and for my own education).
:-(
I'm a newcomer to bsd/linux and don't really know anything. I've heard that OpenBSD is really good and wanted to try it. Ok great, I'll go to OpenBSD.org, download, burn and install.
wtf? how to I download the iso?
After searching around I saw the entry in the faq that I have to buy it... or I can try to download it myself and figure out what bits go where on the CD. Oh, and the layout (or something) is copywrited so I can't grab it off the net someplace without breaking the law.
Well, I'm sorry guys. I don't know how to do that and the documentation I've seen doesn't tell me enough. I want to learn... but I'd like to do it incrementally, not all up front. So I'll be giving OpenBSD a pass and using something else.
Yeah, I'm sure I'll get at least one flaming response about how the team doesn't have to provide the iso, how they need money to continue development, how it's only $40 for God's sake.
I know all that already.
But I have a choice too. And I'm going to choose a distro I can try before I buy without having to figure out where stuff is supposed to go on the CD and whatever else I have to learn just to install the thing.
It's too bad. I've heard a lot of nice things about OBSD and I want to try it. But I'm going to go with someone else... and if I like FreeBSD, RedHat, or whatever, I'm going to end up sending that company money. And OBSD is going to miss out on that little bit of income.
If I'm not too firmly entrenched in the future, or if I actually learn enough to install OBSD myself then maybe, just maybe I'll give that distro a try.
Too bad
Sukotto
(hmm... that's a little more whiny than I intended)
Come play free flash games on Kongregate!
The government won't let us distribute our own crypto freely, but they fund foreigners to make cryptography, to distribute to the whole world?
Why not? They've tried it with Windows nt [gcn.com], which didn't work, so maybe there's more trust in open systems since then.
h tml
The news agency that originaly broke the story you cite later distanced themselves from it by calling it early speculation. My understanding is that a naive server app corrupted it's own database and naive client apps (the infamous "LAN consoles" that crashed) needed that database to function properly and to operate equipment. Rather than rely on the early speculation of *NIX advocates why not rely on someone who was on the ship and someone who wrote the software:
http://www.sciam.com/1998/1198issue/1198techbus2.
"Others insist that NT was not the culprit. According to Lieutenant Commander Roderick Fraser, who was the chief engineer on board the ship at the time of the incident, the fault was with certain applications that were developed by CAE Electronics in Leesburg, Va. As Harvey McKelvey, former director of navy programs for CAE, admits, 'If you want to put a stick in anybody's eye, it should be in ours.' But McKelvey adds that the crash would not have happened if the navy had been using a production version of the CAE software, which he asserts has safeguards to prevent the type of failure that occurred."
I should stop feeding the trolls, but really - this isn't hard. You want to be a smart ass? Fine. Enjoy it. Take a look at the ftp site, you should see something like floppy33.fs or cdrom33.fs. (3.2 is the current release, but you can use snapshots, they're even more stable than the last release usually).
Then, since you're such a fuckwit with regards to needing to use a CD, download either of those, and burn it to a bootable CD, using either one of those as the boot image [I won't go over mkisofs stuff here, there's a shockley.net article on how to create a bootable CD that has all the details]. If you use the cdromXX.fs file, then make sure it's a 2.88 image using El Torito funness [say, if you're creating the boot CD from Nero], and burn. Ta-da, you just burned a bootable image, freely offered, that does the same goddamn thing that the floppy does, only now it's on CD and you're overpriced hardware which didn't even include a $5 fdd is now usable.
If you already have a flexible bootloader installed, you don't even need a fdd or cdrom - you can just boot bsd.rd and the ramdisk install image will do the _SAME_ thing.
Please stop going on and on about bullshit _needing_ a CD drive, since it's super easy to do, and there are instructions widely available.
Look here: http://www.shockley.net/obsd-bootcd.asp
21st century has not eliminated fdds yet, and for the short history of the personal computer, they're included on far more things out there than CD drives even. You should really try to start small with simple things, since morons tend to have trouble with newer things like bootable CD's, hence it wasn't mentioned originally is my guess.
I'd add that obscurity only helps when _all other pieces_ of security are in place.
Wrong. Obscurity helps no matter what. Take a system with NO other security measures in place... Obscuring the OS, type of web server, or any other very simple type of obscurity -will- deter a portion of potential attackers. In the same way that putting an unlocked door in front of another unlocked door. Some people will persist, but some will say 'shit, another door; i'll find a place without this hassle'. Not to mention that probing past obscurity will commonly be traceable and/or loggable, and attackers know that piercing even simple obscurity may alert admins.
Obscurity always adds a little bit of weak security to any system, even an otherwise unsecured one. It's not a sin to acknowledge this!
Hey! I remember that! (Sorry, text only, no video or pictures)
Can I grab an ISO to build a live CD fs that I can take to the library or circuit city, put on a locked down machine, reboot and hit the ground running? -- That's the important part of the Knoppix distro -- autoconfigure and no required hdd space.
(Actually, I would really like to know this. Is there such a user friendly / toolkit *BSD distro?)
All the *BSD community are DEVELOPERS.
Every single last one of them.
They like tinkering around to get stuff running, and think everyone else should too.
There are not real advocates or people who try to make things easy for users. They don't give a shit about lowering the entry costs. It was hard for them to learn, it should be for you too.
This story just proves that *BSD is an OS by developers, for developers and of developers -- no (l)users need apply.
And this is why, although *BSD may not be dying, it will always be consigned to it's little niche ghetto.
Way to go Theo. I hope you realize you're indirectly assisting the U.S. military in perpetuatating American hegemony around the globe while killing thousands of innocents. Oh, but you live in Canada, I guess you don't have to worry about that...
Way to go DARPA, I hope you realise that you are funding foreigners to indirectly assist Terrorists by making their systems harder to crack by US intelligence agencies.
Sound ridiculous? I hope so.
Or: Way to go Theo, I hope you realise that you are indirectly assisting civil rights and human rights groups by making their systems harder to crack by corrupt dictatorships.
If I remember correctly, OpenBSD development was based in Canada (in part) because encryption code was considered a munition and thus the US government refused to allow it's export (while it was allowed from Canada).
Now the military (who were probably the source of these rules) are paying for the continued development of a technology that the forced out of the country on security grounds.
Convoluted enough for you???
OS Software is like love: The best way to make it grow is to give it away.
(Watching the wheels of military technology turn is like watching grass grow)
A couple of recent rapid developments serve to disprove that particular bit of common wisdom. The military, when pressed, kicks ass like no other organization in existence.
Maw! Fire up the karma burner!
"OpenBSD has a well-deserved reputation for fanatical security. Why is the U.S. military funding it?"
I think you've just answered your own question mate.
I never said he was...
Karma: Non-Heinous
Why is the U.S. military funding it? What do you get out of it?
Because they want the most secure operating system available. I may get my ass shot at a lot less. Or, maybe, terrorist hackers won't be able to figure out when my flight home is leaving Kuwait City International Airport.
I'm in the Army National Guard. It used to be my full time job. Now I'm a "weekend warrior".
I used to administer NT boxes for the Army among other job duties. It gave me the heebie-jeebies! I am a helluva lot more comfortable with military secrets residing somewhere else.
Before someone trots out the "you're just a weekend warrior" pony - after I left the guard full time, I was deployed to Kuwait for six months of middle-east summertime bliss. I was there for September 11. And, yes, I really did fly home out of KCIA, and I was damned glad the time we flew out was kept secret, even from us. And if the only computer that info ever lives on is an OpenBSD box, I'll sleep better at night. And so will my wife, parents, etc.
I can't help it - I'm a 19D.
geeks once again get their asses kicked by the jocks.
Access modes is how the system is structured. There are two main modes, each with two sub modes. In the system space, which is common to all processes, there is kernel mode where the OS runs and exec mode where RMS (Record Management System) and databases run. They use the common nature of exec mode for global buffer management between processes. In per-process space we have executive mode and user mode. Exec mode is where the shell runs, and use mode is where most normal programs run.
Normal users do not write stuff that runs at elevated access modes. They require privileges to enter elevated access modes which they normally do not have. However, it is possible to enter an elevated mode through a declared entry point (think call gates in the x86). Arguments to these calls are checked for address violations in the space from which the system service was called. For example if you want to read something into a buffer, and you call from user mode then the buffer must be user mode writeable. Areas of system space are only accessible to a user if the system sets the protection accordingly.
The main benefit is that it is extremely difficult to get out of user mode except through defined entry points. However, if you particularly want to do things inside exec mode or the kernel, you can extend the system API with your own loadable service routines or you can enter the system with a change-mode-to kernel API call, where you stay in your program but now run with full access to the kerenl address space until you return. Naturally such a call is protected with its own privilege (CMKRNL). To write some thing that runs in exec or kernel mode requires more skills because although the call list will have been address checked, the references will not.
This means VMS is tight and with excellent availability. The various checks as you cross address spaces means that on any given system, Unix will always run faster, but with lower availability.
In the article there is a link to Theo's personal site. He lists his hardware there, and the amazing thing is that he doesn't have a single machine capable of more than 200MHz.
I find it amazing in these days of 3.6GHz machines needed to run bleeding edge games and gimmicky OS's and everyone and their mothers going gooey over the latest GHz jump in analy embedded mobile devices that OpenBSD's chief developer uses computers that actually fit his needs. It is comforting to know that the SECURE processing and dissemination of digital information can be done efficiently without the large, bright, rounded, colourful buttons and Windows found in most other OS's.
Yeah, if you go through archives, you'll see Theo whining for being whined and his newserver content being tempered. And how about trojaned downloads, buggy Sendmail which he claims wa bug free for years and so on?
Anybody knows how the project structured? There is no Core Group, there is Theo and his control mania.
I'd like to see one before believing there is such a thing.
-- justine
There are at least half a dozen filesystem encryption programs that function on OpenBSD
Well, yes and no.
CFS - Weak (DES) encryption
TCFS - Slow (3DES) encryption
cryptfs - Blowfish (good) encryption, but the system relies on mounting loopback / stacked devices, which although being the best option available, is still slower than crypto integrated straight into the disk structure itself.
In fact all the fs-crypto mechanisms that I know of that work on OpenBSD either are slow due to the loopback method of mounting the drive, are based on weak encryption, or are just made as proof-of-concept rather than DOD-standard encryption implementations.
**AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
She's dead, Jim.
There is no mention of a core team on their page.
Does the project rotate around Linus de Raadt alone?