OpenBSD: Hackers Meet Soldiers
BSDForums writes "OpenBSD has a well-deserved reputation for fanatical security. Why is the U.S. military funding it? What do you get out of it? Cameron Laird and George Peter Staplin investigate and talk to Theo de Raadt, the creator, overseer, and taskmaster of the OpenBSD project!"
Why not? They've tried it with Windows NT, which didn't work, so maybe there's more trust in open systems since then.
I think NetBSD falls more into that category.
I remember hearing a good explanation of their "roles".
This isn't exact, but close enough.
FreeBSD, a sportscar. Hauls ass.
NetBSD, a hummer (or a jeep). Can go anywhere.
OpenBSD, a tank. I'd feel safe in one.
Anyone know who originally explained it similar to this? I'd like the original quote.
For those of you interested in this topic, you should also be aware of RedHat's DII COE (Common Operating Environment) kernel available at DISA. The kernel is available at http://diicoe.disa.mil/coe/kpc/linuxpc.html
The creation of DII COE kernel for RedHat implies that there may be some pressure to accept GNOME as a valid component of the Joint Technical Architecture (JTA).
In other words, the military bureaucracy is beginning to accept the fact that Linux is part of the modern computing landscape. (Watching the wheels of military technology turn is like watching grass grow.)
Although OpenBSD has recently gotten a reputation for being ubersecure, and thus this article about how it has been getting funds from DARPA, it is by no means unique. It seems that this perception of OBSD has come from its ability to do encrypted swap, and encryption in most faculties; however, it blatantly neglects disk based security.
I'd like to point out that DARPA is also funding the FreeBSD project, specifically enabling the development of FBSD 5.0's geom/gbde functions, which enable a fully modular disk access system, and transparent drive encryption. Really cool features, and it looks like once the code gets a stronger review from the crypto community it should really open up the possibilities for securing FBSD.
**AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
I'd add that obscurity only helps when _all other pieces_ of security are in place. That is, it's a bit of icing.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
I seem to recall that OpenBSD was developed exclusively outside the USA because of export restrictions on crypto. Now it is being funded by DARPA? I am a little confused on the matter, but thought that it was an interesting enough point to post.
Contributions to BSD don't really help us as much. . .
Speak for yourself - those of us who run BSD on our production servers find contributions useful.
If you pay a little attention to what the OpenBSD core team says and does, you'd realize that there is little-to-no danger that government funding will take the project in any directions but those stated in the project goals.
The government won't let us distribute our own crypto freely, but they fund foreigners to make cryptography, to distribute to the whole world?
Also, OpenBSD still uses our trusty old friend gcc 2.95. While it certainly remains the best choice for secure & stable programs, the performance increases in code built with 3.x are nothing to scoff at.
--
est modus in rebus
I run Debian, OpenBSD, and FreeBSD. Debian is not even close to the simplicity of OpenBSD. In particular Debian suffers from a lack of a true default (complete) install. OpenBSD's default install is "everything you want in a *nix and nothing more." FreeBSD has a few more nice to have features. By comparison Debian is quite complex. Debian's philosophy of choice, choice, and more choice has its place (and is the reason I use it). However a side effect is that the Debian team won't come out and package up a default system that is well integrated and contains the basic unix tools and servers. OpenBSD has a smaller footprint than Debian for the same basic functionality because OpenBSD does not have all the support files Debian needs to seamlessly work with any of the 56 mailservers packaged in debs.
All three systems are equally easy to administer due to ports and apt-get. I do find that Debian is easier to keep current as apt-get/dpkg does a better job of upgrading from one version to the next. Some basic admin tasks are easier under OpenBSD/FreeBSD as there is just less cruft to deal with. I prefer *BSD on my servers as I can "install and forget." I prefer Debian/testing on my workstations as it combines a good mix of current software and stability.
If you like Gentoo (which I also use) switch to FreeBSD. The packages in FreeBSD ports are better than Gentoo's ebuilds. FreeBSD aims for stability. Gentoo has a tendency to apply too many bleeding edge patches. FreeBSD does have a completely different way of managing the source, so it will take some getting used to.
How is it that Apache and XFree86 have not been forked off into proprietary products and promptly used to put the reams to you with custom extensions? Apache is perhaps the most successful open source project, and XFree86 is perhaps second. This is in part because they do not use the GPL, and are therefore free from its restrictions.
Heh.
I guess it's no longer an issue now that they decided to "keep their choice [of OpenBSD] private for security reasons".
Btw, there is a difference between not making your OS very easily detectable and not letting anybody see the source so they could check it.
Any security expert will tell you that obscurity is not a good model for security, BUT it is a helpful first barrier. Just look how well it's working for MS. There are probably hundreds of bad bugs in their code, but very very few people will be able to exploit them (THE UNKNOWN ONES), because you can't just download the code look through it and find a bug and attack. I'm definitely not agreeing with this model, but something like making your machines unable to be OS-fingerprinted IS a useful security measure that will at least make things more difficult for the attacker, even though it could be considered as 'ADDITIONAL security through obscurity'.
Reinard
If I remember correctly, OpenBSD development was based in Canada (in part) because encryption code was considered a munition and thus the US government refused to allow its export (while it was allowed from Canada).
Now the military (who were probably the source of these rules) are paying for the continued development of a technology that they forced out of the country on security grounds.
Convoluted enough for you???
OS Software is like love: The best way to make it grow is to give it away.
Actually propolice was available for FreeBSD (and Linux) first ... it's a GCC extension. OpenBSD just happens to be first to decide it worth integrating in the OS base (there is a small performance penalty -- perhaps explaining why it hasn't been all that widely accepted in the worlds of FreeBSD and Linux).
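Since the comment above turns on propolice being a GCC extension that the build can switch on or off, a practitioner's first question is usually "was this binary actually built with it?" The script below is an added example, not code from the thread or from any of the BSD projects: it compiles a small constructed C file twice, once with `-fno-stack-protector` and once with `-fstack-protector-all` (the modern descendant of the propolice patch), and then checks each result for a reference to `__stack_chk_fail`, the runtime routine the instrumented function epilogue calls when the canary has been overwritten. It assumes a C compiler reachable as `cc`, plus `nm` and `mktemp` in `PATH`; the test program, its file name and the temp directory are all constructed for the example.

```shell
# Added example (not from the thread): tell whether a binary was built with
# GCC's stack protector by looking for the __stack_chk_fail reference that
# the instrumented prologue/epilogue leaves behind.
# Assumptions: "cc", "nm" and "mktemp" are available in PATH.

# Build a tiny constructed test program two ways inside a temp directory and
# print that directory's path so the caller can inspect both binaries.
build_pair() {
    dir=$(mktemp -d)
    cat > "$dir/t.c" <<'EOF'
#include <stdio.h>
#include <string.h>
/* A local char array is what makes the protector lay down a canary here;
 * the copy itself is bounded, so the program is well-behaved. */
int copy_len(const char *s) {
    char buf[64];
    strncpy(buf, s, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return (int)strlen(buf);
}
int main(int argc, char **argv) {
    return copy_len(argc > 1 ? argv[1] : "x") > 0 ? 0 : 1;
}
EOF
    # Same source, protector off and on; -all instruments every function,
    # which is what the thread's "small performance penalty" refers to.
    cc -O2 -fno-stack-protector   -o "$dir/plain"   "$dir/t.c"
    cc -O2 -fstack-protector-all  -o "$dir/guarded" "$dir/t.c"
    printf '%s\n' "$dir"
}

# Print "yes" if the binary references __stack_chk_fail (i.e. at least one
# function was compiled with a canary check), "no" otherwise.
# "nm -u" lists only undefined symbols, which is where a dynamically linked
# binary's reference to the libc routine shows up.
has_canary() {
    if nm -u "$1" 2>/dev/null | grep -q '__stack_chk_fail'; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}
```

Usage: `d=$(build_pair); has_canary "$d/plain"; has_canary "$d/guarded"` should print `no` then `yes`. The same `has_canary` check works on any dynamically linked ELF you did not build yourself, which is the practical way to audit a package for the hardening the comment describes; a statically linked binary defines the symbol instead of importing it, so drop the `-u` for that case.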
Code is not free under the GPL. Free means no restrictions; the GPL imposes restrictions.
According to most people with a clue and dictionary.com, free means "Not controlled by obligation or the will of another" and "Not subject to external restraint."
Why is the U.S. military funding it? What do you get out of it?
Because they want the most secure operating system available. I may get my ass shot at a lot less. Or, maybe, terrorist hackers won't be able to figure out when my flight home is leaving Kuwait City International Airport.
I'm in the Army National Guard. It used to be my full time job. Now I'm a "weekend warrior".
I used to administer NT boxes for the Army among other job duties. It gave me the heebie-jeebies! I am a helluva lot more comfortable with military secrets residing somewhere else.
Before someone trots out the "you're just a weekend warrior" pony - after I left the guard full time, I was deployed to Kuwait for six months of middle-east summertime bliss. I was there for September 11. And, yes, I really did fly home out of KCIA, and I was damned glad the time we flew out was kept secret, even from us. And if the only computer that info ever lives on is an OpenBSD box, I'll sleep better at night. And so will my wife, parents, etc.
I can't help it - I'm a 19D.