Slashdot Mirror
OpenBSD: Hackers Meet Soldiers
BSDForums writes "OpenBSD has a well-deserved reputation for fanatical security. Why is the U.S. military funding it? What do you get out of it? Cameron Laird and George Peter Staplin investigate and talk to Theo de Raadt, the creator, overseer, and taskmaster of the OpenBSD project!"
Why is the U.S. military funding it? What do you get out of it?
Mulder, is that you?
Do you like German cars?
I thought OpenBSD was designed with the idea of providing the most Open ported version of BSD rather than for fanatical security. But now knowing that, I have yet another reason to switch.
BSD is Bad Ass!
Imagine a Beowulf cluster of fork-touting BSD daemons... they'd call it an army!
Why not? They've tried it with Windows nt, which didn't work, so maybe there's more trust in open systems since then.
I've been wanting to set up an OpenBSD installation on one of my boxes for a few months now but the task of installation looks rather daunting according to their FAQ. Can anyone here who runs openBSD or who has installed it a few times and has a grip on the process email me with some thoughts about exactly how rough it would be for a BSD n00b, like myself, to do his first installation.
Choose wisely you must...
I never knew any reason to consider OpenBSD (versus FreeBSD or one of the Linux distros). But security is a pretty good reason. I think I'll put OpenBSD on one of my servers and see how it looks. Thanks, Slashdot!
"Lord, grant that I may always be right, for Thou knowest that I am hard to turn" -- A Scots-Irish prayer
In a nutshell, not everyone in the "government" is a complete idiot ... *gasp* ... and sometimes ... just sometimes these "agencies" come up with supporting something that is actually useful to them and what they're trying to do.
OpenBSD is designed with security in mind. The article goes into great lengths about OpenBSD and what they've managed to acheive.
Anyone who has read my comments knows that I'm pretty much a BSD cheerleader because when I start to work with servers I will always pick a BSD solution wherever possible.
For many reasons there is a level of obscurity (try explaining to a "1337 h4x0r" what a "wheel" is ...) which also goes along with that there is some differences in the file structure as well (slackware doesn't count).
Plus theres the stability, I know linunx is stable, but the BSD stability is tested for stability and there isn't any "new exciting" features plugged in and not tested (okay at least in OpenBSD ... NetBSD does NOT count for this argument *grin*)
And my absolute favorite NO MORE THAN YOU NEED is installed!!! Something that I have also been arguing over in the SuSE disucssion ...
So what do we have, Simple, Stable, and Secure ... KISSS!!
Go DARPA, I've got tuition to pay so I can't buy an OpenBSD CD Set this semester :-(, but I did pay income taxes (so I guess I did kinda fund OpenBSD!!!)
Ignore the "p2p is theft" trolls, they're just uninformed
I mean the US military is funding it. Commercial software I might be a bit wary of. Least with Open Source other people can vet the code to make sure there isn't any backdoors. You get the best of both worlds so all in all I'm up for this
Rus
Cheap UK and US VPS
My guess would be that the military will either take OpenBSD, combine it with some code from the NSA, and make a really secure OS, or take some code from it and add it to an OS they already use.
What do you get out of it?
It's Free Software so we get to see the source code that's being developed as part of the project. We get to tweak that code, make it better, port it to another system, etc.
I think it's pretty cool the US Gov. is partially funding OpenBSD. I guess it's no different that government grants to universities for medical research and such.
I was not touched there by an angel.
Kind of like how Microsoft keeps its code private for security reasons too....
If BSD really is as secure as it has been touted, why keep your choice private "for security reasons"? Sorry, I don't mean to flame, but this statement has done more to hurt BSD than help it.
The society for a thought-free internet welcomes you.
Ok, before I get started, let me say that OpenBSD developers and users have no patience for people who aren't willing to read documentation, since they pride themselves on it (even man pages) being extremely well written and kept up to date. If it's not, file a bug, and _IT WILL GET FIXED_ (of course if it's just _your_ problem, then don't file a bug regarding the project, file one in your own bugtracking system as something you need to work on).
That said, the following FAQ explains the installation process far better than anyone writing you email ever will be able to, including a complete install process in grey, which has example responses in bold [for the most part]. If you can't get it from this, then you aren't reading, and it doesn't matter if someone writes you an email message with the same thing (written more poorly no doubt). If you can't read and follow instructions, then OpenBSD is not for you, and honestly - you shouldn't bother.
Most people don't have this problem, but there are always some feeble minded folks who think that life is easier if they're spoonfed on IRC and the like. To such people: you aren't welcome. The answer to this attitude has already been given: don't ask questions that already have explicit, clear answers publically available.
If you have a problem with the instructions (not enough detail supplied, typos, etc.) then please let the OpenBSD developers know about them in order that they may be corrected. If _you_ have a problem, in that you can't understand them, well... maybe it's _JUST YOUR PROBLEM_. It might be something that you need to work on. Of course, there is an opportunity for things to be unclear, and in such cases - again, submit a bug: "such and such statement regarding fdisk is unclear, suggest more detail on partitioning so that xyz is unabiguous"
Now, if you -want- to install OpenBSD, go read:
http://www.openbsd.org/faq/faq4.html
For those of you interested in this topic, you should also be aware of RedHat's DII COE (Common Operating Environment) kernel available at DISA. The kernel is available at http://diicoe.disa.mil/coe/kpc/linuxpc.html
The creation of DII COE kernel for RedHat implies that there may be some pressure to accept GNOME as a valid component of the Joint Technical Architecture (JTA).
In other words, the military bureaucracy is beginning to accept the fact that linux is part of the modern computing landscape. (Watching the wheels of military technology turn is like watching grass grow)
There is no possible way OpenBSD can be that secure and stable without stolen key Sco OpenServer source code.
No and ifs or buts. Its not like this technology is well known or taught.
After all, everyone knows that sco is the most stable, secure, and scalable unix ever made. All the great unix's borrow code from sco. There is no way Sun could of made solaris scalable without the ultra secure and scalable Xenix code. Just ask David Bois. Shesh.
http://saveie6.com/
Not to harp on more publicity for OpenBSD, but this piece was a real letdown. One quote from Theo in the whole thing?! (note, I do not consider quoting terms such as "unix semantics" or "setuid program" to be substantive -real- quotes).
Maybe this will be useful to those who have never heard of OpenBSD, or are unfamiliar with its improvements for the past two years (only propolice incorporation is something more recent) - but for anyone with more than a cursory knowledge of the project, this is just not good journalism. Here you have an opportunity to have Theo answer your questions, and really get down to the meet behind the scenes, how the DARPA funding came about - how they approached him, whether there were any conditions to the work, if OpenBSD could use more of this funding, etc. But no, nothing, one quote - no new insight.
This might serve OK as an advocacy piece, and hopefully it will. But if you have two people "talk[ing] to Theo de Raadt" you would hope that they would have some more to talk about.
I find that reading interviews are far more enlightening than summary tripe such as this, because you're not just presented with a set of facts, but you get to hear information that goes beyond just the answers to questions. Often times, you then learn about things beyond the scope of the story, upcoming developments, sore spots. Say even a mention of how unfathomable it is that Sun has been holding back documentation to OpenBSD, given how many other private, public and governmental organizations (e.g. DARPA) that make no pretenses about support the opensource community are providing support to OpenBSD, whereas Sun is totally going against their own doctrine and ignoring OpenBSD developer requests (not even _offering_ an NDA as Linux et al have been presented with).
If this were a paper for a class or a personal site, fine no problem, what can a student or hobbiest do? But if you are in a position to provide journalism, it's really sad to see that power completely wasted in such a way.
Oh well, at least it can be added to the "OpenBSD is secure, free and neat, you should buy a CD" article pile, oh, I forgot to mention - continually overlooked. I guess there can never be too many of those, but it's sure starting to feel that way.
And -TWO- people wrote this article. Goddamn, two people, no brain.
Although OpenBSD has recently gotten a reputition for being ubersecure, and thus this article about how it has been getting funds from DARPA, it is by no means unique. It seems that this perception of OBSD has come from its ability to do encrypted swap, and encryption in most faculties; however, it blatently neglects disk based security.
I'd like to point out that DARPA is also funding the FreeBSD project, specifically enabling the development of FBSD 5.0's geom/gbde functions, which enable a fully modular disk access system, and transparent drive encryption. Really cool features, and it looks like once the code gets a stronger review from the crypto community it should really open up the possibilites for securing FBSD.
**AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
It would seem to me, that for 'enterprise' level government work (i.e. defense related software) that stability would be more of a requirement than speed, portability or feature-set.
You don't want your tank software blue-screening in the middle of a fight. "Hold on guys, don't fire at me for a second, I need to reboot my tank."
Alot of UNIX vendors have realized this, and they know that if they make products that the gov'ment likes that contains the features that they need, then they will continue to sell products. Lots of products. Its not so much a niche market, more like market share.
Fortunately, it's open source. We can learn from it and take the lessons with us to other code. While there are a lot of people getting mileage out of the amount of malware out there that attacks Windows, one of the reasons there is so much of it is that it is absolutely no challenge to find Windows machines on the net because of their sheer number. And many of them are poorly secured because Windows is the OS that is shipped on machines that are sold to people who have neither the knowledge to secure a computer nor the time to learn how.
There are several efforts to improve the security of Linux and *BSD. In the end, I think they'll benefit us all. Bruce Schneier talks about the window of exposure in his book Secrets and Lies. Efforts to improve the security of open source OSs have several benefits in reducing that window.
Some bugs will be fixed before they are ever exploited. A security vulnerability is still a vulnerability. But the damage is much less in this case.
Some bugs will be fixed faster after they are first exploited. Again, this reduces the damage that is done.
But in the long run, a greater benefit is the number of people who acquire some knowledge of how to analyze and test for security vulnerabilities and how to fix them. That is going to be greatest in open source. It provides the opportunity for competent programmers to wear the white hats.
The net will not be what we demand, but what we make it. Build it well.
Quick, someone call up that SCO lawyer. Tell them that OpenBSD has got recognition from DARPA for security. I am sure they will file a claim of $1 billion against them too. The next day, the U.S. army will "accidently" test a MOAB on SCO hearquarters.
We will no longer need to worry about the lawsuit they filed against IBM.
My mom never taught me to sign.
Contributions to BSD don't really help us as much because they can just be forked off into proprietary OS'es like Microsoft - which they will promptly use to put the reams to us with custom extensions. It would be much nicer if they went all GPL and nothing else.
I think the real problem is this attitude that free software is morally and intellectually equivalent to "owned" software. IMHO, this is an intellectual fraud, it screwed SCO, it will screw Sun, and it will screw us too until we finally get it.
A world with OpenBSD is much safer than a world OpenBSD.
This holds even more if you do not use OpenBSD.
(Like cars are much safer in a world with crash dummies;)
I have the desire (but not the skill) to port as many security features from OpenBSD to Debian as possible without massive license violation. Anyone know if such a project is in the works? (And if not, why not?)
Daniel.
Free software, not Iraq, because Bill Gates is evil & Saddam is just misunderstood.
BSDForums writes "OpenBSD has a well-deserved reputation for fanatical security. Why is the U.S. military funding it? What do you get out of it? Cameron Laird and George Peter Staplin investigate and talk to Theo de Raadt, the creator, overseer, and taskmaster of the OpenBSD project!"
/. posting.
OpenBSD has a reputation for very good security. I wouldn't consider the quest for strong security "fanatical" any more than I would consider the quest for a bug-free operating system "fanatical."
Why is the U.S. military funding it? What do you get out of it?
The U.S. military is funding it because it makes sense to do so. Anyone who looks at OpenBSD's record for security and stability, the fact that it is free to use and modify in any way you desire, and doesn't consider it as a potentially cheap and useful platform for security applications...well, they aren't thinking clearly.
What do you get out of it?
I find it makes a great platform for firewalls and terminal servers, among other things. Ones that are reliable, very secure, with no software cost and lot of online support information.
Cameron Laird and George Peter Staplin investigate and talk to Theo de Raadt, the creator, overseer, and taskmaster of the OpenBSD project!"
They may have talked to Theo, but they sure didn't *quote* him much. The article was very thin on information. In my opinion it hardly merited a
I seem to recall that OpenBSD was developed exclusively outside the USA because of export restrictions on crypto. Now it is being funded by DARPA? I am little confused on the matter, but thought that it was an interesting enough point to post.
I use FreeBSD for Internet Services OpenBSD VPN/Router/IDS NetBSD EOF Exotic Hardware running modern O/S e.g http://www.spectechnologies.net/projects/ehardware /index.html
Solaris Database/CAD WS
Win2000 Games/office
Linux cluster/3d viz
http://www.spectechnologies.net
projects @ http://spectechnologies.net
I recently wiped Win98 off an old deskpro 4000 with the idea that I would make a firewall/router/whatever box (for fun and for my own education).
:-(
I'm a newcomer to bsd/linux and don't really know anything. I've heard that OpenBSD is really good and wanted to try it. Ok great, I'll go to OpenBSD.org, download, burn and install.
wtf? how to I download the iso?
After searching around I saw the entry in the faq that I have to buy it... or I can try to download it myself and figure out what bits go where on the CD. Oh, and the layout (or something) is copywrited so I can't grab it off the net someplace without breaking the law.
Well, I'm sorry guys. I don't know how to do that and the documentation I've seen doesn't tell me enough. I want to learn... but I'd like to do it incrementally, not all up front. So I'll be giving OpenBSD a pass and using something else.
Yeah, I'm sure I'll get at least one flaming response about how the team doesn't have to provide the iso, how they need money to continue development, how it's only $40 for God's sake.
I know all that already.
But I have a choice too. And I'm going to choose a distro I can try before I buy without having to figure out where stuff is supposed to go on the CD and whatever else I have to learn just to install the thing.
It's too bad. I've heard a lot of nice things about OBSD and I want to try it. But I'm going to go with someone else... and if I like FreeBSD, RedHat, or whatever, I'm going to end up sending that company money. And OBSD is going to miss out on that little bit of income.
If I'm not too firmly entrenched in the future, or if I actually learn enough to install OBSD myself then maybe, just maybe I'll give that distro a try.
Too bad
Sukotto
(hmm... that's a little more whiny than I intended)
Come play free flash games on Kongregate!
The government won't let us distribute our own crypto freely, but they fund foreigners to make cryptography, to distribute to the whole world?
Why not? They've tried it with Windows nt [gcn.com], which didn't work, so maybe there's more trust in open systems since then.
h tml
The news agency that originaly broke the story you cite later distanced themselves from it by calling it early speculation. My understanding is that a naive server app corrupted it's own database and naive client apps (the infamous "LAN consoles" that crashed) needed that database to function properly and to operate equipment. Rather than rely on the early speculation of *NIX advocates why not rely on someone who was on the ship and someone who wrote the software:
http://www.sciam.com/1998/1198issue/1198techbus2.
"Others insist that NT was not the culprit. According to Lieutenant Commander Roderick Fraser, who was the chief engineer on board the ship at the time of the incident, the fault was with certain applications that were developed by CAE Electronics in Leesburg, Va. As Harvey McKelvey, former director of navy programs for CAE, admits, 'If you want to put a stick in anybody's eye, it should be in ours.' But McKelvey adds that the crash would not have happened if the navy had been using a production version of the CAE software, which he asserts has safeguards to prevent the type of failure that occurred."
Way to go Theo. I hope you realize you're indirectly assisting the U.S. military in perpetuatating American hegemony around the globe while killing thousands of innocents. Oh, but you live in Canada, I guess you don't have to worry about that...
Way to go DARPA, I hope you realise that you are funding foreigners to indirectly assist Terrorists by making their systems harder to crack by US intelligence agencies.
Sound ridiculous? I hope so.
Or: Way to go Theo, I hope you realise that you are indirectly assisting civil rights and human rights groups by making their systems harder to crack by corrupt dictatorships.
Openbsd is about qualtiy. It has les bugs, which equal less possible exploits, but security is not their objective. Hell, they only recently got a basic acl and added stack protection, stuff that has been available for *ages*
Oh, and theo's stubborn incorrect opinion that users don't need security models. This is wrong, as we need stuff like rsbac or grsecurity to bring *nix security up to a powerfull level.
With OpenBSD not implementing such a basic ideaology, They might suceed as a hobbiest OS, but never as a *secure* os.
Partially correct, but my impression is that if you want Multics, then use Multics.
Regarding OpenBSD and it security models or lack thereof. Theo's opinion matters. Yours does not. Mine does not. They are responsible to themselves for their own definition of what OpenBSD should be. ONLY. They happen to be nice enough to share the fruits of their labors, but that is their decision not our right.
as a hobbiest OS
Yep, but that's one hell of a hobby. It strikes me as what paranoid professionals use on their own private systems when they like to sleep peacefully at night.
If I remember correctly, OpenBSD development was based in Canada (in part) because encryption code was considered a munition and thus the US government refused to allow it's export (while it was allowed from Canada).
Now the military (who were probably the source of these rules) are paying for the continued development of a technology that the forced out of the country on security grounds.
Convoluted enough for you???
OS Software is like love: The best way to make it grow is to give it away.
(Watching the wheels of military technology turn is like watching grass grow)
A couple of recent rapid developments serve to disprove that particular bit of common wisdom. The military, when pressed, kicks ass like no other organization in existence.
Maw! Fire up the karma burner!
Openbsd is about qualtiy. It has les bugs, which equal less possible exploits, but security is not their objective.
Spoken like someone whose knowledge of security comes from a Web page they read once.
Underline this one and write it in bold: high-quality software is secure software. Software insecurity arises when software either does something it's not supposed to do, or does something it's supposed to do in a way it's not supposed to do it.
When software works exactly as intended, even in the face of an adversary who is deliberately attempting to subvert it into malfunctioning, that software is secure, for practically any realistic definition of "secure". Software which works exactly as designed, which is fault-tolerant and has good failure modes in the event of intolerable faults, is a cracker's worst nightmare.
If you don't have a hdd, how do you expect to -download- and burn an ISO to begin with? Oh, with your knoppix CD? How did you burn that to begin with? Your bootloading methodology is flawed, as is your argument. If instead you mean, is there some OpenBSD install that doesn't touch the hdd - well, you can use bsd.rd [rd being RAMDISK] or look at related projects such as www.opensoekris.org which are designed more for that application, the thread was about _installation_ and for that a file in a .iso format is not necessary. And for those who are used to burning boot disks with tools like Nero or mkisofs, then the cdrom32.fs file provided by OpenBSD is more than enough to let folks burn an install CD.
I never said he was...
Karma: Non-Heinous
Why is the U.S. military funding it? What do you get out of it?
Because they want the most secure operating system available. I may get my ass shot at a lot less. Or, maybe, terrorist hackers won't be able to figure out when my flight home is leaving Kuwait City International Airport.
I'm in the Army National Guard. It used to be my full time job. Now I'm a "weekend warrior".
I used to administer NT boxes for the Army among other job duties. It gave me the heebie-jeebies! I am a helluva lot more comfortable with military secrets residing somewhere else.
Before someone trots out the "you're just a weekend warrior" pony - after I left the guard full time, I was deployed to Kuwait for six months of middle-east summertime bliss. I was there for September 11. And, yes, I really did fly home out of KCIA, and I was damned glad the time we flew out was kept secret, even from us. And if the only computer that info ever lives on is an OpenBSD box, I'll sleep better at night. And so will my wife, parents, etc.
I can't help it - I'm a 19D.
geeks once again get their asses kicked by the jocks.
First off DO NOT go for a CS major, unless you don't want a job.
Most of the "*BSD is Dying" posts are cut and paste troll comments. Check out bsd.slashdot.org and set the threshold to -1.
I don't think too many people really think, *BSD is dying. Just flamers flaming.
Access modes is how the system is structured. There are two main modes, each with two sub modes. In the system space, which is common to all processes, there is kernel mode where the OS runs and exec mode where RMS (Record Management System) and databases run. They use the common nature of exec mode for global buffer management between processes. In per-process space we have executive mode and user mode. Exec mode is where the shell runs, and use mode is where most normal programs run.
Normal users do not write stuff that runs at elevated access modes. They require privileges to enter elevated access modes which they normally do not have. However, it is possible to enter an elevated mode through a declared entry point (think call gates in the x86). Arguments to these calls are checked for address violations in the space from which the system service was called. For example if you want to read something into a buffer, and you call from user mode then the buffer must be user mode writeable. Areas of system space are only accessible to a user if the system sets the protection accordingly.
The main benefit is that it is extremely difficult to get out of user mode except through defined entry points. However, if you particularly want to do things inside exec mode or the kernel, you can extend the system API with your own loadable service routines or you can enter the system with a change-mode-to kernel API call, where you stay in your program but now run with full access to the kerenl address space until you return. Naturally such a call is protected with its own privilege (CMKRNL). To write some thing that runs in exec or kernel mode requires more skills because although the call list will have been address checked, the references will not.
This means VMS is tight and with excellent availability. The various checks as you cross address spaces means that on any given system, Unix will always run faster, but with lower availability.
In the article there is a link to Theo's personal site. He lists his hardware there, and the amazing thing is that he doesn't have a single machine capable of more than 200MHz.
I find it amazing in these days of 3.6GHz machines needed to run bleeding edge games and gimmicky OS's and everyone and their mothers going gooey over the latest GHz jump in analy embedded mobile devices that OpenBSD's chief developer uses computers that actually fit his needs. It is comforting to know that the SECURE processing and dissemination of digital information can be done efficiently without the large, bright, rounded, colourful buttons and Windows found in most other OS's.
There are at least half a dozen filesystem encryption programs that function on OpenBSD
Well, yes and no.
CFS - Weak (DES) encryption
TCFS - Slow (3DES) encryption
cryptfs - Blowfish (good) encryption, but the system relies on mounting loopback / stacked devices, which although being the best option available, is still slower than crypto integrated straight into the disk structure itself.
In fact all the fs-crypto mechanisms that I know of that work on OpenBSD either are slow due to the loopback method of mounting the drive, are based on weak encryption, or are just made as proof-of-concept rather than DOD-standard encryption implementations.
**AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes