Information Security News mailing list archives
Open Season: OpenBSD perfects security by one-upmanship
From: William Knowles <wk () C4I ORG>
Date: Wed, 17 May 2000 13:14:18 -0500
http://www.upside.com/Open_Season/3921a9080.html

The great violin maker Antonio Stradivari is reputed to have said that perfection consists not in doing extraordinary things but in doing "ordinary things extraordinarily well."

"Perfection" and "software" are two words that rarely appear on the same cosmic plane, much less in the same sentence. Still, when it comes to OpenBSD, the open-source operating system that for the last three years has built up a near-perfect track record for software security, it shouldn't be too surprising that project leader Theo de Raadt espouses a similarly reductionist design philosophy.

"On the grand scale we're not doing anything perfect," de Raadt says. "But we are doing a good job of making the little things perfect."

In a year that has seen software security jump from the back room to the front page, OpenBSD is getting a lot of attention. Although open-source advocates have long held up the community development model as superior to the "security by obscurity" approach, recent episodes such as the Red Hat (RHAT) "back door" controversy (see "French law would increase code accessibility") have demonstrated that time-to-market pressures can still produce slip-ups, even in the world of open-source development.

To remedy this situation, a growing number of security-conscious software vendors and consumers are turning to projects such as OpenBSD, projects that home in on security with a craftsman's zeal, disregarding the market as much as possible.

"From our point of view, it's a nice change from what the industry norm is," says Randy Terbush, chief executive officer of Covalent, a company that markets RavenSSL, an Apache security add-on which supports OpenBSD.

They know what they want

Listening to security experts discuss OpenBSD is a bit like listening to beer drinkers describe their favorite microbrew.
Although the number of customers who choose the OpenBSD port of RavenSSL is small, Terbush says the ones who do tend to ask for it by name.

"The type of customer who asks for OpenBSD is definitely more concerned about security," Terbush says. "They want to build a firewall, and they want to use BSD, because they know they won't have to do a lot of work to lock the system down."

Such out-of-the-box readiness is all a part of the central OpenBSD motto, "secure by default." While such a motto might seem to be a natural objective for any operating system, the efforts that go into ensuring system security are the same efforts that guarantee OpenBSD's fringe status. Like craft brewers, de Raadt and the OpenBSD development team prefer to let the software age a little, offering only two updates per year. As for graphical user interfaces and other user-friendly bells and whistles, de Raadt sees such decorative trimming as the cracker's best friend.

"The way to make something secure is to provide less features," he says. "Unfortunately, most operating system [developers] see new features as the best way to attract new customers. With OpenBSD, we're always faced with the question of how far we can go, securitywise, before users get upset and leave."

Welcome to OpenBSD, population 7,000

Make no mistake about it, the OpenBSD user population is small, so small that the entire number of users would probably be dwarfed by a Windows NT rounding error or the audience at a Linus Torvalds keynote speech. De Raadt puts the total size of the core development team at 65 individuals and estimates that the project has sold 7,000 CDs and 3,000 T-shirts to date. With no licensing agreements or corporate sugar daddies looking to fund the project, those sales amount to the entire OpenBSD war chest to date.

De Raadt doesn't seem to mind, however. Even for an open-source developer, he expresses an almost ascetic disregard for monetary success. "I don't need to get rich," he says.
Such attitudes, while noble and refreshing, aren't exactly the most endearing in a marketplace where "total world domination" is a celebrated end goal for open-source and proprietary programmers alike. Next to shooting down potential investors -- "I'm basically getting somebody trying to offer us venture capital once a week" -- de Raadt seems to take most pleasure in cultivating a reputation as prickly as the OpenBSD mascot, a nuke-toting puffer fish. His theos.com website contains exhaustive transcripts of the legendary flame war that preceded his 1994 ouster from the NetBSD project -- a split which gave birth to the OpenBSD project and helped cement de Raadt's persona non grata status in some corners of the BSD community.

Then again, as a resident of Calgary, Alberta, de Raadt's vantage point amid the Canadian Rockies makes it easy to look down on the rest of the world. Because he is far removed from the IPO madness of the U.S. Linux scene, he says he enjoys the simple act of writing code more when the money variable is taken out of the equation.

"We have OpenBSD developers who are millionaires," he says. "We have others who love tinkering on things that are perfect. We 'geek out' on outdoing each other for perfection. I make a five-line patch. Todd Miller emails back a patch that's slightly better. The entire community ends up one-upping each other until, in the end, we all bow down to the guy who made the best patch. That's our game."

Still, money has found its way onto the playing field. As network security becomes a ubiquitous topic of concern, more companies are turning to OpenBSD developers and the OpenBSD platform to strengthen their technologies.

Plumbing for the Web

Data networking vendor Stallion Technologies, which divides its offices between the U.S. and Australia, this week unveiled a technology called ePipe that uses OpenBSD's built-in strong cryptography features to create secure Internet "pipes" between private networks.
In other words, customers can use ePipe to create a poor man's wide area network, or WAN, without skimping on security. The company plans to embed the OpenBSD operating system in an entire line of virtual private network products.

According to David McCullough, Stallion's vice president of software engineering, the company picked OpenBSD over the alternatives for numerous reasons. In addition to OpenBSD's security track record -- three years without a remote hole, two years without a local host hole -- Stallion executives also liked the permissive nature of the Berkeley Software Distribution, or BSD, license, which lets companies create proprietary derivatives of the open-source code as long as they publicize the fact that the software is based on software code published by the University of California at Berkeley.

"We also liked the fact that OpenBSD audits the code for security flaws," says McCullough. "Just about every other company in the world deals with security flaws in a reactionary way, but they make sure that what goes in doesn't have the standard programmer mistakes that make it open to vulnerabilities."

One proud papa

Although de Raadt tries to convey an air of bemused wonderment when noting the number of companies that use his operating system as a primary platform for intrusion detection and firewall systems, the pride is apparent. He estimates that only "one in 20" of the third-party vendors will be kind enough to donate their security enhancements back to the OpenBSD source tree.

"Still, this is what we want," he says. "For us it's an operating system. For them it's a toolkit that can rip pieces out and use them as components for a more reliable system."

Maybe that's because de Raadt's development vision has always been rooted in the corporate model.
Despite all the talk about simplicity and perfection, de Raadt sees himself less as a craftsman, gluing together the components of a violin arch, and more as a 1960s-era engineer trying to keep a multibillion-dollar project on time and under budget.

"The analogy I like to draw is the Boeing 747," he says. "If you look at the design of that plane, every single part was a re-engineered, best-of-breed component taken from some earlier Boeing (BA) project. With a project of that size, the engineering becomes two parts: One part is to build the small components. The other part is to make the decisions as to how to integrate those components."

Given current software market dynamics, however, de Raadt says trying to emulate 1960s-era fault tolerance levels in a corporate environment is a fool's errand. Until those dynamics change, he and the OpenBSD members will do their best to detach themselves from market forces and continue the game of one-upmanship.

"When people ask me 'Why do you do this for free?' my basic answer is, 'We don't make it secure for you. We make it secure for us.'"

*-------------------------------------------------*
"Communications without intelligence is noise; Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions
http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".