Slashdot Mirror
OpenBSD: Hackers Meet Soldiers
BSDForums writes "OpenBSD has a well-deserved reputation for fanatical security. Why is the U.S. military funding it? What do you get out of it? Cameron Laird and George Peter Staplin investigate and talk to Theo de Raadt, the creator, overseer, and taskmaster of the OpenBSD project!"
Why is the U.S. military funding it? What do you get out of it?
Mulder, is that you?
Do you like German cars?
Imagine a Beowulf cluster of fork-touting BSD daemons... they'd call it an army!
Why not? They've tried it with Windows nt, which didn't work, so maybe there's more trust in open systems since then.
I've been wanting to set up an OpenBSD installation on one of my boxes for a few months now but the task of installation looks rather daunting according to their FAQ. Can anyone here who runs openBSD or who has installed it a few times and has a grip on the process email me with some thoughts about exactly how rough it would be for a BSD n00b, like myself, to do his first installation.
Choose wisely you must...
I think NetBSD falls more into that catagory.
I remember hearing a good explanation of there "roles".
This isn't exact, but close enough.
FreeBSD, a sportscar. Hauls ass.
NetBSD, a hummer (or a jeep). Can go anywhere.
OpenBSD, a tank. I'd feel safe in one.
Anyone know who originally explained it similar to this? I'd like the original quote.
In a nutshell, not everyone in the "government" is a complete idiot ... *gasp* ... and sometimes ... just sometimes these "agencies" come up with supporting something that is actually useful to them and what they're trying to do.
OpenBSD is designed with security in mind. The article goes into great lengths about OpenBSD and what they've managed to acheive.
Anyone who has read my comments knows that I'm pretty much a BSD cheerleader because when I start to work with servers I will always pick a BSD solution wherever possible.
For many reasons there is a level of obscurity (try explaining to a "1337 h4x0r" what a "wheel" is ...) which also goes along with that there is some differences in the file structure as well (slackware doesn't count).
Plus theres the stability, I know linunx is stable, but the BSD stability is tested for stability and there isn't any "new exciting" features plugged in and not tested (okay at least in OpenBSD ... NetBSD does NOT count for this argument *grin*)
And my absolute favorite NO MORE THAN YOU NEED is installed!!! Something that I have also been arguing over in the SuSE disucssion ...
So what do we have, Simple, Stable, and Secure ... KISSS!!
Go DARPA, I've got tuition to pay so I can't buy an OpenBSD CD Set this semester :-(, but I did pay income taxes (so I guess I did kinda fund OpenBSD!!!)
Ignore the "p2p is theft" trolls, they're just uninformed
I mean the US military is funding it. Commercial software I might be a bit wary of. Least with Open Source other people can vet the code to make sure there isn't any backdoors. You get the best of both worlds so all in all I'm up for this
Rus
Cheap UK and US VPS
My guess would be that the military will either take OpenBSD, combine it with some code from the NSA, and make a really secure OS, or take some code from it and add it to an OS they already use.
What do you get out of it?
It's Free Software so we get to see the source code that's being developed as part of the project. We get to tweak that code, make it better, port it to another system, etc.
I think it's pretty cool the US Gov. is partially funding OpenBSD. I guess it's no different that government grants to universities for medical research and such.
I was not touched there by an angel.
Kind of like how Microsoft keeps its code private for security reasons too....
If BSD really is as secure as it has been touted, why keep your choice private "for security reasons"? Sorry, I don't mean to flame, but this statement has done more to hurt BSD than help it.
The society for a thought-free internet welcomes you.
Ok, before I get started, let me say that OpenBSD developers and users have no patience for people who aren't willing to read documentation, since they pride themselves on it (even man pages) being extremely well written and kept up to date. If it's not, file a bug, and _IT WILL GET FIXED_ (of course if it's just _your_ problem, then don't file a bug regarding the project, file one in your own bugtracking system as something you need to work on).
That said, the following FAQ explains the installation process far better than anyone writing you email ever will be able to, including a complete install process in grey, which has example responses in bold [for the most part]. If you can't get it from this, then you aren't reading, and it doesn't matter if someone writes you an email message with the same thing (written more poorly no doubt). If you can't read and follow instructions, then OpenBSD is not for you, and honestly - you shouldn't bother.
Most people don't have this problem, but there are always some feeble minded folks who think that life is easier if they're spoonfed on IRC and the like. To such people: you aren't welcome. The answer to this attitude has already been given: don't ask questions that already have explicit, clear answers publically available.
If you have a problem with the instructions (not enough detail supplied, typos, etc.) then please let the OpenBSD developers know about them in order that they may be corrected. If _you_ have a problem, in that you can't understand them, well... maybe it's _JUST YOUR PROBLEM_. It might be something that you need to work on. Of course, there is an opportunity for things to be unclear, and in such cases - again, submit a bug: "such and such statement regarding fdisk is unclear, suggest more detail on partitioning so that xyz is unabiguous"
Now, if you -want- to install OpenBSD, go read:
http://www.openbsd.org/faq/faq4.html
For those of you interested in this topic, you should also be aware of RedHat's DII COE (Common Operating Environment) kernel available at DISA. The kernel is available at http://diicoe.disa.mil/coe/kpc/linuxpc.html
The creation of DII COE kernel for RedHat implies that there may be some pressure to accept GNOME as a valid component of the Joint Technical Architecture (JTA).
In other words, the military bureaucracy is beginning to accept the fact that linux is part of the modern computing landscape. (Watching the wheels of military technology turn is like watching grass grow)
There is no possible way OpenBSD can be that secure and stable without stolen key Sco OpenServer source code.
No and ifs or buts. Its not like this technology is well known or taught.
After all, everyone knows that sco is the most stable, secure, and scalable unix ever made. All the great unix's borrow code from sco. There is no way Sun could of made solaris scalable without the ultra secure and scalable Xenix code. Just ask David Bois. Shesh.
http://saveie6.com/
Not to harp on more publicity for OpenBSD, but this piece was a real letdown. One quote from Theo in the whole thing?! (note, I do not consider quoting terms such as "unix semantics" or "setuid program" to be substantive -real- quotes).
Maybe this will be useful to those who have never heard of OpenBSD, or are unfamiliar with its improvements for the past two years (only propolice incorporation is something more recent) - but for anyone with more than a cursory knowledge of the project, this is just not good journalism. Here you have an opportunity to have Theo answer your questions, and really get down to the meet behind the scenes, how the DARPA funding came about - how they approached him, whether there were any conditions to the work, if OpenBSD could use more of this funding, etc. But no, nothing, one quote - no new insight.
This might serve OK as an advocacy piece, and hopefully it will. But if you have two people "talk[ing] to Theo de Raadt" you would hope that they would have some more to talk about.
I find that reading interviews are far more enlightening than summary tripe such as this, because you're not just presented with a set of facts, but you get to hear information that goes beyond just the answers to questions. Often times, you then learn about things beyond the scope of the story, upcoming developments, sore spots. Say even a mention of how unfathomable it is that Sun has been holding back documentation to OpenBSD, given how many other private, public and governmental organizations (e.g. DARPA) that make no pretenses about support the opensource community are providing support to OpenBSD, whereas Sun is totally going against their own doctrine and ignoring OpenBSD developer requests (not even _offering_ an NDA as Linux et al have been presented with).
If this were a paper for a class or a personal site, fine no problem, what can a student or hobbiest do? But if you are in a position to provide journalism, it's really sad to see that power completely wasted in such a way.
Oh well, at least it can be added to the "OpenBSD is secure, free and neat, you should buy a CD" article pile, oh, I forgot to mention - continually overlooked. I guess there can never be too many of those, but it's sure starting to feel that way.
And -TWO- people wrote this article. Goddamn, two people, no brain.
Although OpenBSD has recently gotten a reputition for being ubersecure, and thus this article about how it has been getting funds from DARPA, it is by no means unique. It seems that this perception of OBSD has come from its ability to do encrypted swap, and encryption in most faculties; however, it blatently neglects disk based security.
I'd like to point out that DARPA is also funding the FreeBSD project, specifically enabling the development of FBSD 5.0's geom/gbde functions, which enable a fully modular disk access system, and transparent drive encryption. Really cool features, and it looks like once the code gets a stronger review from the crypto community it should really open up the possibilites for securing FBSD.
**AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
Fortunately, it's open source. We can learn from it and take the lessons with us to other code. While there are a lot of people getting mileage out of the amount of malware out there that attacks Windows, one of the reasons there is so much of it is that it is absolutely no challenge to find Windows machines on the net because of their sheer number. And many of them are poorly secured because Windows is the OS that is shipped on machines that are sold to people who have neither the knowledge to secure a computer nor the time to learn how.
There are several efforts to improve the security of Linux and *BSD. In the end, I think they'll benefit us all. Bruce Schneier talks about the window of exposure in his book Secrets and Lies. Efforts to improve the security of open source OSs have several benefits in reducing that window.
Some bugs will be fixed before they are ever exploited. A security vulnerability is still a vulnerability. But the damage is much less in this case.
Some bugs will be fixed faster after they are first exploited. Again, this reduces the damage that is done.
But in the long run, a greater benefit is the number of people who acquire some knowledge of how to analyze and test for security vulnerabilities and how to fix them. That is going to be greatest in open source. It provides the opportunity for competent programmers to wear the white hats.
The net will not be what we demand, but what we make it. Build it well.
Quick, someone call up that SCO lawyer. Tell them that OpenBSD has got recognition from DARPA for security. I am sure they will file a claim of $1 billion against them too. The next day, the U.S. army will "accidently" test a MOAB on SCO hearquarters.
We will no longer need to worry about the lawsuit they filed against IBM.
My mom never taught me to sign.
BSDForums writes "OpenBSD has a well-deserved reputation for fanatical security. Why is the U.S. military funding it? What do you get out of it? Cameron Laird and George Peter Staplin investigate and talk to Theo de Raadt, the creator, overseer, and taskmaster of the OpenBSD project!"
/. posting.
OpenBSD has a reputation for very good security. I wouldn't consider the quest for strong security "fanatical" any more than I would consider the quest for a bug-free operating system "fanatical."
Why is the U.S. military funding it? What do you get out of it?
The U.S. military is funding it because it makes sense to do so. Anyone who looks at OpenBSD's record for security and stability, the fact that it is free to use and modify in any way you desire, and doesn't consider it as a potentially cheap and useful platform for security applications...well, they aren't thinking clearly.
What do you get out of it?
I find it makes a great platform for firewalls and terminal servers, among other things. Ones that are reliable, very secure, with no software cost and lot of online support information.
Cameron Laird and George Peter Staplin investigate and talk to Theo de Raadt, the creator, overseer, and taskmaster of the OpenBSD project!"
They may have talked to Theo, but they sure didn't *quote* him much. The article was very thin on information. In my opinion it hardly merited a
I seem to recall that OpenBSD was developed exclusively outside the USA because of export restrictions on crypto. Now it is being funded by DARPA? I am little confused on the matter, but thought that it was an interesting enough point to post.
Search usenet archives - there has been an effort at some point, and since BSD is higher in the foodchain of licenses than GPL, you don't need to worry about that (BSD can become GPL, whereas GPL cannot become BSD). Just don't pull a MicroBSD copyright screw over (i.e. don't search and replace, actually append your changes, don't change other people's and you'll be fine).
The -point- for doing something like that, instead of simply improving OpenBSD with its own license, is completely beyond me. Does there need to be a GPL'd debian released OpenBSD? Answer that question first. I see absolutely no reason to give something that is already active and has an open source license, a simple copy, with a more restrictive license (GPL is more restrictive than BSD, MIT or PD licensing).
If you just want to do porting efforts, a lot has been done already - their ftpd has been ported, systrace (google for niels provos) is being ported to some linux platform [it's already on several others since OpenBSD], propolice is currently not integrated into other projects to the same level that it is in OpenBSD, but OpenWall Linux (www.openwall.com) has some similar protections, though not quite as full blown. I don't know about pf being ported anywhere, but it's a best-of-class product right now (only thing currently lacking is a non-kludgey [or at least well documented] way of doing stateful failover).
Port all you want - they strive to keep their code as FREE as possible.
Contributions to BSD don't really help us as much. . .
Speak for yourself - those of us who run BSD on our production servers find contributions useful.
If you pay a little attention to what the OpenBSD core team says and does, you'd realize that there is little-to-no danger that government funding will take the project in any directions but those stated in the project goals.
The government won't let us distribute our own crypto freely, but they fund foreigners to make cryptography, to distribute to the whole world?
Why not? They've tried it with Windows nt [gcn.com], which didn't work, so maybe there's more trust in open systems since then.
h tml
The news agency that originaly broke the story you cite later distanced themselves from it by calling it early speculation. My understanding is that a naive server app corrupted it's own database and naive client apps (the infamous "LAN consoles" that crashed) needed that database to function properly and to operate equipment. Rather than rely on the early speculation of *NIX advocates why not rely on someone who was on the ship and someone who wrote the software:
http://www.sciam.com/1998/1198issue/1198techbus2.
"Others insist that NT was not the culprit. According to Lieutenant Commander Roderick Fraser, who was the chief engineer on board the ship at the time of the incident, the fault was with certain applications that were developed by CAE Electronics in Leesburg, Va. As Harvey McKelvey, former director of navy programs for CAE, admits, 'If you want to put a stick in anybody's eye, it should be in ours.' But McKelvey adds that the crash would not have happened if the navy had been using a production version of the CAE software, which he asserts has safeguards to prevent the type of failure that occurred."
Stolen from a slashdot post I saw long ago:
.
If you want x86, then just download it from the OpenBSD ftp site.
wget -r ftp://ftp.openbsd.org/pub/OpenBSD/3.0/i386/ Makes it easy.
Once thats done...
cd ftp.openbsd.org/pub/OpenBSD
then...
mkisofs -v -r -l -L -T -J -V "OpenBSD-3.0" -A "OpenBSD v3.0-Release, Custom ISO, 17-03-2002." -b 3.0/i386/cdrom30.fs -c boot.catalog -o openbsd-i386-3.0.iso -x openbsd-i386-3.0.iso
Burn that ISO!
Also, OpenBSD still uses our trusty old friend gcc 2.95. While it certainly remains the best choice for secure & stable programs, the performance increases in code built with 3.x are nothing to scoff at.
--
est modus in rebus
I love this kind of logic.
"The BSD license let's people do too many things, some of which I don't like. Therefore, the BSD license is TOO free."
"The GPL however, has just the right amount of freedom. It's still mostly free, without crossing the line of 'TOO free'. People can do what they want with it, as long as 'what they want' != 'what the FSF doesn't want'."
I have no moral problem with the GPL. I just wish people would stop calling it "free", unless they are going to put a (TM) or something after it. If you wanted your software to be truly free, you wouldn't be putting a copyright on it that contains words like "except" and "however."
Justin Dubs
How is it that Apache and XFree86 have not been forked off into proprietary products and promptly used to put the reams to you with custom extensions? Apache is perhaps the most successful open source project, and XFree86 is perhaps second. This is in part because they do not use the GPL, and are therefore free from its restrictions.
Way to go Theo. I hope you realize you're indirectly assisting the U.S. military in perpetuatating American hegemony around the globe while killing thousands of innocents. Oh, but you live in Canada, I guess you don't have to worry about that...
Way to go DARPA, I hope you realise that you are funding foreigners to indirectly assist Terrorists by making their systems harder to crack by US intelligence agencies.
Sound ridiculous? I hope so.
Or: Way to go Theo, I hope you realise that you are indirectly assisting civil rights and human rights groups by making their systems harder to crack by corrupt dictatorships.
Openbsd is about qualtiy. It has les bugs, which equal less possible exploits, but security is not their objective. Hell, they only recently got a basic acl and added stack protection, stuff that has been available for *ages*
Oh, and theo's stubborn incorrect opinion that users don't need security models. This is wrong, as we need stuff like rsbac or grsecurity to bring *nix security up to a powerfull level.
With OpenBSD not implementing such a basic ideaology, They might suceed as a hobbiest OS, but never as a *secure* os.
Partially correct, but my impression is that if you want Multics, then use Multics.
Regarding OpenBSD and it security models or lack thereof. Theo's opinion matters. Yours does not. Mine does not. They are responsible to themselves for their own definition of what OpenBSD should be. ONLY. They happen to be nice enough to share the fruits of their labors, but that is their decision not our right.
as a hobbiest OS
Yep, but that's one hell of a hobby. It strikes me as what paranoid professionals use on their own private systems when they like to sleep peacefully at night.
If I remember correctly, OpenBSD development was based in Canada (in part) because encryption code was considered a munition and thus the US government refused to allow it's export (while it was allowed from Canada).
Now the military (who were probably the source of these rules) are paying for the continued development of a technology that the forced out of the country on security grounds.
Convoluted enough for you???
OS Software is like love: The best way to make it grow is to give it away.
NetBSD may support more platforms, but OpenBSD covers the most popular ones.
The vehicle analogy is more than somewhat flawed. You mention weapons, but the truth is that all are stationary systems, that can be attacked by anyone, and can't move out of the way. They do not wear down after tons of successful attacks, but rather are either broken with one, or remain perfectly intact at full strength. I could go on, but there's not much point.
As for the logo, I'm pretty sure the blowfish comes from the widespread use of Blowfish encryption in OpenBSD. The master.passwd uses blowfish by default, OpenSSH uses blowfish as one of the top cipher choices, blowfish is used to encrypt the swap partition (if encryption is chosen), etc.
If the OpenBSD team thought they were making a tank, they just might have used a logo of a FREAKING TANK.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Why is the U.S. military funding it? What do you get out of it?
Because they want the most secure operating system available. I may get my ass shot at a lot less. Or, maybe, terrorist hackers won't be able to figure out when my flight home is leaving Kuwait City International Airport.
I'm in the Army National Guard. It used to be my full time job. Now I'm a "weekend warrior".
I used to administer NT boxes for the Army among other job duties. It gave me the heebie-jeebies! I am a helluva lot more comfortable with military secrets residing somewhere else.
Before someone trots out the "you're just a weekend warrior" pony - after I left the guard full time, I was deployed to Kuwait for six months of middle-east summertime bliss. I was there for September 11. And, yes, I really did fly home out of KCIA, and I was damned glad the time we flew out was kept secret, even from us. And if the only computer that info ever lives on is an OpenBSD box, I'll sleep better at night. And so will my wife, parents, etc.
I can't help it - I'm a 19D.
In the article there is a link to Theo's personal site. He lists his hardware there, and the amazing thing is that he doesn't have a single machine capable of more than 200MHz.
I find it amazing in these days of 3.6GHz machines needed to run bleeding edge games and gimmicky OS's and everyone and their mothers going gooey over the latest GHz jump in analy embedded mobile devices that OpenBSD's chief developer uses computers that actually fit his needs. It is comforting to know that the SECURE processing and dissemination of digital information can be done efficiently without the large, bright, rounded, colourful buttons and Windows found in most other OS's.