Slashdot Mirror


OpenBSD: Hackers Meet Soldiers

BSDForums writes "OpenBSD has a well-deserved reputation for fanatical security. Why is the U.S. military funding it? What do you get out of it? Cameron Laird and George Peter Staplin investigate and talk to Theo de Raadt, the creator, overseer, and taskmaster of the OpenBSD project!"

22 of 308 comments

  1. Answer to your question ... by SuperDuG · · Score: 5, Insightful
    > Why is the US military paying ideology-driven foreign hackers?

    In a nutshell, not everyone in the "government" is a complete idiot ... *gasp* ... and sometimes ... just sometimes these "agencies" come up with supporting something that is actually useful to them and what they're trying to do.

    OpenBSD is designed with security in mind. The article goes into great lengths about OpenBSD and what they've managed to achieve.

    Anyone who has read my comments knows that I'm pretty much a BSD cheerleader because when I start to work with servers I will always pick a BSD solution wherever possible.

    For many reasons there is a level of obscurity (try explaining to a "1337 h4x0r" what a "wheel" is ...) which also goes along with that there are some differences in the file structure as well (slackware doesn't count).

    Plus there's the stability. I know Linux is stable, but the BSD stability is tested for stability and there aren't any "new exciting" features plugged in and not tested (okay, at least in OpenBSD ... NetBSD does NOT count for this argument *grin*)

    And my absolute favorite: NO MORE THAN YOU NEED is installed!!! Something that I have also been arguing over in the SuSE discussion ...

    So what do we have, Simple, Stable, and Secure ... KISSS!!

    Go DARPA, I've got tuition to pay so I can't buy an OpenBSD CD Set this semester :-(, but I did pay income taxes (so I guess I did kinda fund OpenBSD!!!)

    --
    Ignore the "p2p is theft" trolls, they're just uninformed
    1. Re:Answer to your question ... by imnoteddy · · Score: 2, Insightful
      > In a nutshell, not everyone in the "government" is a complete idiot ... *gasp* ... and sometimes ... just sometimes these "agencies" come up with supporting something that is actually useful to them and what they're trying to do.

      Like the Internet.

      --
      No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
  2. Least there shouldn't be any back door by rf0 · · Score: 4, Insightful

    I mean the US military is funding it. Commercial software I might be a bit wary of. Least with Open Source other people can vet the code to make sure there aren't any backdoors. You get the best of both worlds, so all in all I'm up for this.

    Rus

    1. Re:Least there shouldn't be any back door by debrain · · Score: 4, Insightful

      > Least with Open Source other people can vet the code to make sure there isn't any backdoors.

      Not strictly true - the single point of failure is the compiler. If the Intel or gcc compiler has a smart 'exploit', (1) they can backdoor specific or general programs without an exploit in source, and (2) this exploit can self-propagate in the compiler, as the backdoor compiler compiles the new compiler, so once written the source for the self-propagating compiler exploit can be deleted. Donald Knuth did this with gcc(?), iirc.

      Just FYI. ;)

  3. Re:OpenBSD Installation by Anonymous Coward · · Score: 1, Insightful

    I've installed it quite a few times on DEC Alpha systems (back when it was kind of, sort of supported), Sparc and x86 systems. It wasn't exactly rocket science. Just try it, it's not like your computer will explode if something goes wrong.

  4. Answers by ErikRed1488 · · Score: 5, Insightful
    > Why is the U.S. military funding it?
    My guess would be that the military will either take OpenBSD, combine it with some code from the NSA, and make a really secure OS, or take some code from it and add it to an OS they already use.

    > What do you get out of it?
    It's Free Software so we get to see the source code that's being developed as part of the project. We get to tweak that code, make it better, port it to another system, etc.

    I think it's pretty cool the US Gov. is partially funding OpenBSD. I guess it's no different than government grants to universities for medical research and such.

    --
    I was not touched there by an angel.
  5. Security? by gillbates · · Score: 3, Insightful
    > Adobe and Network Security Technologies, Inc., use OpenBSD, although many of them keep their choice private for security reasons.

    Kind of like how Microsoft keeps its code private for security reasons too....

    If BSD really is as secure as it has been touted, why keep your choice private "for security reasons"? Sorry, I don't mean to flame, but this statement has done more to hurt BSD than help it.

    --
    The society for a thought-free internet welcomes you.
    1. Re:Security? by sacherjj · · Score: 3, Insightful

      Regardless of how secure your OS is, why help those trying to hack in? Attacks are going to be different for Windows boxes, OS X, Linux, BSD, etc. The more work you have to do to start getting in, the more trail you will leave behind and the harder it will be in general to accomplish.

    2. Re:Security? by Tumbleweed · · Score: 5, Insightful


      >If BSD really is as secure as it has been touted, why keep your choice private "for security reasons"?

      Security through obscurity should never be one's ONLY line of defense, but as anyone truly into security knows, it IS a good idea to have it as a PART of one's defense. There's absolutely NO reason, other than OS evangelism, to advertise what kind of security you have. It's not the business of businesses to worry about helping advertise their choice of OS or security technology.

    3. Re:Security? by Anonymous Coward · · Score: 2, Insightful

      no. This just shows that companies that are security conscious take EVERY possible measure to protect their network. So - if these security conscious companies are taking the steps to protect themselves at this length by not disclosing their OS, or blanking banner messages to not identify OS type, software type or version information - then MAYBE that just goes to show that the people that take this whole security aspect seriously also run oBSD.

      This is NOTHING like MS keeping code private. It's like going into a fight and telling your opponent that your left ribs are sore ... WHY detail your possible weakness, just so your opponent can take advantage of a known vulnerability??

      makes sense? yaw? Whoever +4'd your comment should be shot. "hurts bsd" ... if anything, your comment weeds out non thinkers like yourself, from a very good product.

      StatiK76

    4. Re:Security? by 241comp · · Score: 2, Insightful

      Because "Security Through Obscurity" is the only method of security aside from a mathematically proven source which has a possibility of 100% success. I'm not saying it makes a good defense alone, but coupled with the correct software it is excellent. Take this example:

      1. You have OpenBSD which one can assume has a finite number of attacks which could be used against it as it is a finite system. Therefore, if there is a security flaw it WILL be found in finite time.

      2. You have OpenBSD but no-one knows you do. They have to assume that you could have 1 of any number (a number which is constantly growing) of systems. These systems have a constantly growing number of possible attacks. In order for one to attempt every possible attack they have to attack faster than operating systems (all of them) are being developed. This is not really feasible which means that if there is a security flaw it MAY be found in finite time (it may NOT).

      Now, would you rather have a system in which a flaw WILL be found or one in which a flaw MAY be found?

  6. This article is disappointing. by Anonymous Coward · · Score: 3, Insightful

    Not to harp on more publicity for OpenBSD, but this piece was a real letdown. One quote from Theo in the whole thing?! (note, I do not consider quoting terms such as "unix semantics" or "setuid program" to be substantive -real- quotes).

    Maybe this will be useful to those who have never heard of OpenBSD, or are unfamiliar with its improvements for the past two years (only propolice incorporation is something more recent) - but for anyone with more than a cursory knowledge of the project, this is just not good journalism. Here you have an opportunity to have Theo answer your questions, and really get down to the meat behind the scenes, how the DARPA funding came about - how they approached him, whether there were any conditions to the work, if OpenBSD could use more of this funding, etc. But no, nothing, one quote - no new insight.

    This might serve OK as an advocacy piece, and hopefully it will. But if you have two people "talk[ing] to Theo de Raadt" you would hope that they would have some more to talk about.

    I find that reading interviews is far more enlightening than summary tripe such as this, because you're not just presented with a set of facts, but you get to hear information that goes beyond just the answers to questions. Oftentimes, you then learn about things beyond the scope of the story, upcoming developments, sore spots. Say even a mention of how unfathomable it is that Sun has been holding back documentation from OpenBSD, given how many other private, public and governmental organizations (e.g. DARPA) that make no pretenses about supporting the opensource community are providing support to OpenBSD, whereas Sun is totally going against their own doctrine and ignoring OpenBSD developer requests (not even _offering_ an NDA as Linux et al have been presented with).

    If this were a paper for a class or a personal site, fine, no problem, what can a student or hobbyist do? But if you are in a position to provide journalism, it's really sad to see that power completely wasted in such a way.

    Oh well, at least it can be added to the "OpenBSD is secure, free and neat, you should buy a CD" article pile, oh, I forgot to mention - continually overlooked. I guess there can never be too many of those, but it's sure starting to feel that way.

    And -TWO- people wrote this article. Goddamn, two people, no brain.

  7. Hybrid vigor by dsplat · · Score: 5, Insightful

    Fortunately, it's open source. We can learn from it and take the lessons with us to other code. While there are a lot of people getting mileage out of the amount of malware out there that attacks Windows, one of the reasons there is so much of it is that it is absolutely no challenge to find Windows machines on the net because of their sheer number. And many of them are poorly secured because Windows is the OS that is shipped on machines that are sold to people who have neither the knowledge to secure a computer nor the time to learn how.

    There are several efforts to improve the security of Linux and *BSD. In the end, I think they'll benefit us all. Bruce Schneier talks about the window of exposure in his book Secrets and Lies. Efforts to improve the security of open source OSs have several benefits in reducing that window.

    Some bugs will be fixed before they are ever exploited. A security vulnerability is still a vulnerability. But the damage is much less in this case.

    Some bugs will be fixed faster after they are first exploited. Again, this reduces the damage that is done.

    But in the long run, a greater benefit is the number of people who acquire some knowledge of how to analyze and test for security vulnerabilities and how to fix them. That is going to be greatest in open source. It provides the opportunity for competent programmers to wear the white hats.

    --
    The net will not be what we demand, but what we make it. Build it well.
  8. Re:Installing OpenBSD is extremely easy. by Anonymous Coward · · Score: 1, Insightful

    Let's hope that the OpenBSD folks respond to questions they don't want to answer by just ignoring them rather than wasting everyone's time by returning insults.

    Perhaps they'd be better off developing a closed version so they wouldn't have to deal with the outside world of the feeble minded at all. Oh, but I forgot about that ego thing. I wonder, If there's a group of geeks in the forest and they have an OS but there's no one there to use it, are they still superior?

  9. Re:Installing OpenBSD is extremely easy. by Anonymous Coward · · Score: 2, Insightful

    This has nothing to do with OpenBSD folks responding (or ignoring) questions they don't want to answer.

    This has to do with common questions being answered _already_ and people not taking the time to read the answers.

    Does it make sense to repeat oneself over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over, just because the question was asked again? No, it does not - this is why FAQ's came about, LONG AGO - in the time before OpenBSD (or Linux) there were still FAQ's.

    The idea was, you could tell someone: read the FAQ here, and they would, and you wouldn't have to reanswer the same goddamn question 1000 times. OpenBSD has an excellent FAQ, and excellent man pages. They provide answers to commonly asked questions, any OpenBSD person will tell you to go read those sources and try them out. If they don't work for you, submit a bug report explaining why they don't work (install dies on xyz hardware for xyz apparent reason - help!). Someone will try to help you.

    Asking people to email you a personal answer to a question, already answered is not welcome, because the answer is already provided, and people have likely told you where to look and to try that out first.

    This has nothing to do with superiority or even OpenBSD itself, this is extremely basic learning skills, and if you don't have them - go away. Any OpenBSD 'folks' (well, developers) will likely tell you that as well, you are wasting their time.

    Section 4 of the FAQ as linked in the original response is extremely clear and well written. It has a walkthrough of examples showing exactly what you can type to install a machine. Suggesting that someone go read that first, I think saves a lot of time for everyone.

  10. Yeah, but GPL would be better by argoff · · Score: 1, Insightful

    Contributions to BSD don't really help us as much because they can just be forked off into proprietary OS'es like Microsoft - which they will promptly use to put the reams to us with custom extensions. It would be much nicer if they went all GPL and nothing else.

    I think the real problem is this attitude that free software is morally and intellectually equivalent to "owned" software. IMHO, this is an intellectual fraud, it screwed SCO, it will screw Sun, and it will screw us too until we finally get it.

    1. Re:Yeah, but GPL would be better by jtdubs · · Score: 4, Insightful

      I love this kind of logic.

      "The BSD license lets people do too many things, some of which I don't like. Therefore, the BSD license is TOO free."

      "The GPL however, has just the right amount of freedom. It's still mostly free, without crossing the line of 'TOO free'. People can do what they want with it, as long as 'what they want' != 'what the FSF doesn't want'."

      I have no moral problem with the GPL. I just wish people would stop calling it "free", unless they are going to put a (TM) or something after it. If you wanted your software to be truly free, you wouldn't be putting a copyright on it that contains words like "except" and "however."

      Justin Dubs

  11. Thin Gruel Indeed by divide+overflow · · Score: 5, Insightful

    > BSDForums writes "OpenBSD has a well-deserved reputation for fanatical security. Why is the U.S. military funding it? What do you get out of it? Cameron Laird and George Peter Staplin investigate and talk to Theo de Raadt, the creator, overseer, and taskmaster of the OpenBSD project!"

    OpenBSD has a reputation for very good security. I wouldn't consider the quest for strong security "fanatical" any more than I would consider the quest for a bug-free operating system "fanatical."

    > Why is the U.S. military funding it? What do you get out of it?

    The U.S. military is funding it because it makes sense to do so. Anyone who looks at OpenBSD's record for security and stability, the fact that it is free to use and modify in any way you desire, and doesn't consider it as a potentially cheap and useful platform for security applications...well, they aren't thinking clearly.

    > What do you get out of it?

    I find it makes a great platform for firewalls and terminal servers, among other things. Ones that are reliable, very secure, with no software cost and a lot of online support information.

    > Cameron Laird and George Peter Staplin investigate and talk to Theo de Raadt, the creator, overseer, and taskmaster of the OpenBSD project!"

    They may have talked to Theo, but they sure didn't *quote* him much. The article was very thin on information. In my opinion it hardly merited a /. posting.

  12. Re:OpenBSD security on Debian by Anonymous Coward · · Score: 2, Insightful

    Search usenet archives - there has been an effort at some point, and since BSD is higher in the foodchain of licenses than GPL, you don't need to worry about that (BSD can become GPL, whereas GPL cannot become BSD). Just don't pull a MicroBSD copyright screw over (i.e. don't search and replace, actually append your changes, don't change other people's and you'll be fine).

    The -point- for doing something like that, instead of simply improving OpenBSD with its own license, is completely beyond me. Does there need to be a GPL'd debian released OpenBSD? Answer that question first. I see absolutely no reason to give something that is already active and has an open source license, a simple copy, with a more restrictive license (GPL is more restrictive than BSD, MIT or PD licensing).

    If you just want to do porting efforts, a lot has been done already - their ftpd has been ported, systrace (google for niels provos) is being ported to some linux platform [it's already on several others since OpenBSD], propolice is currently not integrated into other projects to the same level that it is in OpenBSD, but OpenWall Linux (www.openwall.com) has some similar protections, though not quite as full blown. I don't know about pf being ported anywhere, but it's a best-of-class product right now (only thing currently lacking is a non-kludgey [or at least well documented] way of doing stateful failover).

    Port all you want - they strive to keep their code as FREE as possible.

  13. People on ship said WinNT not problem by AHumbleOpinion · · Score: 4, Insightful

    > Why not? They've tried it with Windows nt [gcn.com], which didn't work, so maybe there's more trust in open systems since then.

    The news agency that originally broke the story you cite later distanced themselves from it by calling it early speculation. My understanding is that a naive server app corrupted its own database and naive client apps (the infamous "LAN consoles" that crashed) needed that database to function properly and to operate equipment. Rather than rely on the early speculation of *NIX advocates, why not rely on someone who was on the ship and someone who wrote the software:

    http://www.sciam.com/1998/1198issue/1198techbus2.html

    "Others insist that NT was not the culprit. According to Lieutenant Commander Roderick Fraser, who was the chief engineer on board the ship at the time of the incident, the fault was with certain applications that were developed by CAE Electronics in Leesburg, Va. As Harvey McKelvey, former director of navy programs for CAE, admits, 'If you want to put a stick in anybody's eye, it should be in ours.' But McKelvey adds that the crash would not have happened if the navy had been using a production version of the CAE software, which he asserts has safeguards to prevent the type of failure that occurred."

  14. I know you're trolling, but..... by styrotech · · Score: 4, Insightful

    Way to go Theo. I hope you realize you're indirectly assisting the U.S. military in perpetuating American hegemony around the globe while killing thousands of innocents. Oh, but you live in Canada, I guess you don't have to worry about that...

    Way to go DARPA, I hope you realise that you are funding foreigners to indirectly assist Terrorists by making their systems harder to crack by US intelligence agencies.

    Sound ridiculous? I hope so.

    Or: Way to go Theo, I hope you realise that you are indirectly assisting civil rights and human rights groups by making their systems harder to crack by corrupt dictatorships.

  15. Re:one thing by Tony-A · · Score: 4, Insightful

    > OpenBSD is about quality. It has less bugs, which equal less possible exploits, but security is not their objective. Hell, they only recently got a basic acl and added stack protection, stuff that has been available for *ages*
    >
    > Oh, and theo's stubborn incorrect opinion that users don't need security models. This is wrong, as we need stuff like rsbac or grsecurity to bring *nix security up to a powerful level.
    >
    > With OpenBSD not implementing such a basic ideology, they might succeed as a hobbyist OS, but never as a *secure* os.


    Partially correct, but my impression is that if you want Multics, then use Multics.

    Regarding OpenBSD and its security models or lack thereof: Theo's opinion matters. Yours does not. Mine does not. They are responsible to themselves for their own definition of what OpenBSD should be. ONLY. They happen to be nice enough to share the fruits of their labors, but that is their decision, not our right.

    > as a hobbyist OS
    Yep, but that's one hell of a hobby. It strikes me as what paranoid professionals use on their own private systems when they like to sleep peacefully at night.