Information Security News mailing list archives

Open Season: OpenBSD perfects security by one-upmanship


From: William Knowles <wk () C4I ORG>
Date: Wed, 17 May 2000 13:14:18 -0500

http://www.upside.com/Open_Season/3921a9080.html

The great violin maker Antonio Stradivari is reputed to have said that
perfection consists not in doing extraordinary things but in doing
"ordinary things extraordinarily well."

"Perfection" and "software" are two words that rarely appear on the
same cosmic plane, much less the same sentence.

Still, when it comes to OpenBSD, the open-source operating system that
for the last three years has built up a near-perfect track record for
software security, it shouldn't be too surprising that project leader
Theo de Raadt espouses a similarly reductionist design philosophy.

"On the grand scale we're not doing anything perfect," de Raadt says.
"But we are doing a good job of making the little things perfect."

In a year that has seen software security jump from the back room to
the front page, OpenBSD is getting a lot of attention. Although
open-source advocates have long held up the community development
model as superior to the "security by obscurity" approach, recent
episodes such as the Red Hat (RHAT) "back door" controversy (see
"French law would increase code accessibility") have demonstrated that
time-to-market pressures can still produce slip-ups, even in the world
of open-source development.

To remedy this situation, a growing number of security-conscious
software vendors and consumers are turning to projects such as
OpenBSD, projects that home in on security with a craftsman's zeal,
disregarding the market as much as possible.

"From our point of view, it's a nice change from what the industry
norm is," says Randy Terbush, chief executive officer of Covalent, a
company that markets RavenSSL, an Apache security add-on which
supports OpenBSD.

They know what they want

Listening to security experts discuss OpenBSD is a bit like listening
to beer drinkers describe their favorite microbrew. Although the
number of customers who choose the OpenBSD port of RavenSSL is small,
Terbush says the ones who do tend to ask for it by name.

"The type of customer who asks for OpenBSD is definitely more
concerned about security," Terbush says. "They want to build a
firewall, and they want to use BSD, because they know they won't have
to do a lot of work to lock the system down."

Such out-of-the-box readiness is all a part of the central OpenBSD
motto, "secure by default." While such a motto might seem to be a
natural objective for any operating system, the efforts that go into
ensuring system security are the same efforts that guarantee OpenBSD's
fringe status.

Like craft brewers, de Raadt and the OpenBSD development team prefer
to let the software age a little, offering only two updates per year.
As for graphical user interfaces and other user-friendly bells and
whistles, de Raadt sees such decorative trimming as the cracker's best
friend.

"The way to make something secure is to provide less features," he
says. "Unfortunately, most operating system [developers] see new
features as the best way to attract new customers. With OpenBSD, we're
always faced with the question of how far we can go, securitywise,
before users get upset and leave."

Welcome to OpenBSD, population 7,000

Make no doubt about it, the OpenBSD user population is small, so small
that the entire number of users would probably be dwarfed by a Windows
NT rounding error or the audience at a Linus Torvalds keynote speech.

De Raadt puts the total size of the core development team at 65
individuals and estimates that the project has sold 7,000 CDs and
3,000 T-shirts to date.

With no licensing agreements or corporate sugar daddies looking to
fund the project, those sales amount to the entire OpenBSD war chest
to date. De Raadt doesn't seem to mind, however.

Even for an open-source developer, he expresses an almost ascetic
disregard for monetary success. "I don't need to get rich," he says.

Such attitudes, while noble and refreshing, aren't exactly the most
endearing in a marketplace where "total world domination" is a
celebrated end goal for open-source and proprietary programmers alike.

Next to shooting down potential investors -- "I'm basically getting
somebody trying to offer us venture capital once a week" -- de Raadt
seems to take most pleasure in cultivating a reputation as prickly as
the OpenBSD mascot, a nuke-toting puffer fish. His theos.com website
contains exhaustive transcripts of the legendary flame war that
preceded his 1994 ouster from the NetBSD project -- a split which gave
birth to the OpenBSD project and helped cement de Raadt's persona non
grata status in some corners of the BSD community.

Then again, as a resident of Calgary, Alberta, de Raadt's vantage
point amid the Canadian Rockies makes it easy to look down on the rest
of the world.

Because he is far removed from the IPO madness of the U.S. Linux
scene, he says he enjoys the simple act of writing code more when the
money variable is taken out of the equation.

"We have OpenBSD developers who are millionaires," he says. "We have
others who love tinkering on things that are perfect. We 'geek out' on
outdoing each other for perfection. I make a five-line patch. Todd
Miller emails back a patch that's slightly better. The entire
community ends up one-upping each other until, in the end, we all bow
down to the guy who made the best patch. That's our game."

Still, money has found its way onto the playing field. As network
security becomes a ubiquitous topic of concern, more companies are
turning to OpenBSD developers and the OpenBSD platform to strengthen
their technologies.

Plumbing for the Web

Data networking vendor Stallion Technologies, which divides its
offices between the U.S. and Australia, this week unveiled a
technology called ePipe that uses OpenBSD's built-in strong
cryptography features to create secure Internet "pipes" between
private networks. In other words, customers can use ePipe to create a
poor man's wide area network, or WAN, without skimping on security.

The company plans to embed the OpenBSD operating system in an entire line
of virtual private network products.

According to David McCullough, Stallion's vice president of software
engineering, the company picked OpenBSD over other alternatives for
numerous reasons.

In addition to OpenBSD's security track record -- three years without
a remote hole, two years without a local host hole -- Stallion
executives also liked the permissive nature of the Berkeley Software
Distribution, or BSD, license, which lets companies create proprietary
derivatives of the open-source code as long as they publicize the fact
that the software is based on software code published by the
University of California at Berkeley.

"We also liked the fact that OpenBSD audits the code for security
flaws," says McCullough. "Just about every other company in the world
deals with security flaws in a reactionary way, but they make sure
that what goes in doesn't have the standard programmer mistakes that
make it open to vulnerabilities."

One proud papa

Although de Raadt tries to convey an air of bemused wonderment when
noting the number of companies that use his operating system as a
primary platform for intrusion detection and firewall systems, the
pride is apparent. He estimates that only "one in 20" of the
third-party vendors will be kind enough to donate their security
enhancements back to the OpenBSD source tree.

"Still, this is what we want," he says. "For us it's an operating
system. For them it's a toolkit that can rip pieces out and use them
as components for a more reliable system."

Maybe that's because de Raadt's development vision has always been
rooted in the corporate model. Despite all the talk about simplicity
and perfection, de Raadt sees himself less as a craftsman, gluing
together the components of a violin arch, and more as a 1960s-era
engineer trying to keep a multibillion-dollar project on time and
under budget.

"The analogy I like to draw is the Boeing 747," he says. "If you look
at the design of that plane, every single part was a re-engineered,
best-of-breed component taken from some earlier Boeing (BA) project.
With a project of that size, the engineering becomes two parts: One
part is to build the small components. The other part is to make the
decisions as to how to integrate those components."

Given current software market dynamics, however, de Raadt says trying
to emulate 1960s-era fault tolerance levels in a corporate environment
is a fool's errand. Until those dynamics change, he and the OpenBSD
members will do their best to detach themselves from market forces and
continue the game of one-upmanship.

"When people ask me 'Why do you do this for free?' my basic answer is,
'We don't make it secure for you. We make it secure for us.'"


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
