Information Security News mailing list archives

The World's Most Secure Operating System


From: William Knowles <wk () C4I ORG>
Date: Thu, 17 Aug 2000 05:04:57 -0500

http://www.thestandard.com/article/display/0,1151,17541,00.html

August 14, 2000

A lone Canadian is reshaping the way software gets written. Is the
world paying attention?

By Brendan I. Koerner

The cartoon character on Theo de Raadt's business card is surprisingly
uncuddly. Most upstart software companies employ cute mascots (Linux's
bemused penguin, for example), but de Raadt, project leader for the
open-source operating system OpenBSD, favors a smirking, muscular
demon clad in policeman's garb. The fiend brandishes a badge reading:
"OpenBSD: To Serve and Protect."

This satanic cop may not make a great stuffed animal, but he's a
fitting symbol of de Raadt's singular aim to create the world's most
secure operating system. Coded by hundreds of volunteers worldwide,
the freely downloadable OpenBSD is hailed by security buffs as
uncrackable; it's been over three years, for example, since a
vulnerability was discovered in the system's default installation.
The airtight security is the product of a labor-intensive approach
that many experts feel should become standard. De Raadt and his
cohorts are not only motivating the nascent open-source industry to
rethink its basic security policies, they've honed a set of principles
that promise to make all systems, open source or not, safer.

"OpenBSD is probably one of the most secure operating systems out
there," says Chris Brenton, author of Mastering Network Security. "The
crew does a fantastic job of locking down and being responsive when
vulnerabilities are found." Such a good job that the U.S. Department
of Justice uses 260 copies of OpenBSD to store and transmit its most
sensitive data.

Like other projects bearing the BSD moniker, OpenBSD traces its
origins to the University of California at Berkeley. (The acronym
stands for Berkeley Software Distribution.) Unhappy with Unix's
clunkiness, the school's programmers started tweaking the code in the
late 1970s to create several variants, culminating with the release of
4.4BSD-Lite in 1994. Legal wrangles with AT&T, the original Unix
developer, forced the university to abandon the project, but
open-source devotees picked up the slack.

De Raadt began experimenting with BSD code during his student days at
the University of Calgary. Along with several friends, he created an
open-source project called NetBSD in 1993; his friends booted him from
the project the following year. In archived e-mail, his former
colleagues claim he was guilty of "rudeness toward and abuse of users
and developers." De Raadt denies those allegations.

De Raadt used NetBSD's code as the foundation for the OpenBSD project,
which he formed in 1995. After his machine was hacked by a colleague
in 1996, he adopted a security tactic that has become the project's
trademark: "proactive auditing."

Over an 18-month period, a team of 10 volunteers vetted OpenBSD's
entire source code, all 350 megabytes, weeding out thousands of bugs.
Though not necessarily related to security features, those glitches
could have been targeted by attackers using "buffer overflows" (in which
input larger than the memory set aside for it overwrites adjacent data
and can hijack the program), denial-of-service tools or
other elementary hacking techniques. For two years, de Raadt worked
14-hour days, seven days a week to debug his system. Despite his
notoriously prickly personality, de Raadt also has managed to attract
a legion of collaborators to help him build OpenBSD.

"It's security through quality," says de Raadt, who runs the project
out of his Calgary home, surviving on donations and proceeds from
T-shirt sales. "It's like in airplanes, [where] safety is a side
effect of good engineering."
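As an added illustration, not code from the article or from OpenBSD, here is the kind of defect such a line-by-line audit hunts for, written in C: an unbounded copy into a fixed-size buffer beside a bounded rewrite that always terminates the string and reports truncation instead of hiding it. The buffer size, function names and inputs are assumptions made for the example. OpenBSD's own answer to this pattern was the bounded strlcpy/strlcat interfaces it introduced in 1998, which behave much like the safe variant shown here.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* size of the fixed buffer; an assumption for the example */

/* Vulnerable pattern: an unbounded copy into a fixed-size buffer. strcpy()
 * writes strlen(src) + 1 bytes no matter how large dst is, so any caller
 * that forwards network input here lets the sender overwrite whatever
 * sits in memory after dst. */
void set_name_unsafe(char *dst, const char *src)
{
	strcpy(dst, src);
}

/* Hardened version: the copy is bounded by the real size of dst, the result
 * is always NUL-terminated, and truncation is reported to the caller.
 * Returns 0 if src fit, -1 if it had to be truncated (or dst has no room). */
int set_name_safe(char *dst, size_t dstsize, const char *src)
{
	size_t n = strlen(src);

	if (dstsize == 0)
		return -1;
	if (n >= dstsize) {
		memcpy(dst, src, dstsize - 1);
		dst[dstsize - 1] = '\0';
		return -1;
	}
	memcpy(dst, src, n + 1);
	return 0;
}

/* The question an auditor asks at every fixed-size buffer: can the longest
 * input this code can receive, plus its terminating NUL, actually fit? */
int input_fits(size_t dstsize, const char *src)
{
	return strlen(src) < dstsize;
}

int main(void)
{
	char name[NAME_MAX];
	/* constructed inputs standing in for a username read off the network */
	const char *short_input = "alice";
	const char *long_input = "an-overlong-username-from-the-network";

	printf("fits? short=%d long=%d\n",
	    input_fits(sizeof name, short_input),
	    input_fits(sizeof name, long_input));

	/* the unsafe copy is only exercised with input that fits; with
	 * long_input it would write past the end of name[] */
	set_name_unsafe(name, short_input);
	printf("unsafe copy: %s\n", name);

	/* the safe copy truncates and says so via its return value */
	printf("safe copy rc=%d -> %s\n",
	    set_name_safe(name, sizeof name, long_input), name);
	return 0;
}
```

The return value is the point: a bounded copy that silently truncates merely trades an overflow for a logic bug (a truncated path or username that still passes later checks), so the caller should treat -1 as a reason to reject the input, not just carry on.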

A sincere passion for technological tinkering motivates de Raadt.
Though he lives modestly, his house is bursting with wall-to-wall
hardware. He owns over a dozen computers, and his basement is so
jammed with Unix machines that several acquaintances have requested
guided tours.

OpenBSD's proactive approach is unique among open-source systems,
which normally rely on user reports and public forums to find
vulnerabilities. The Linux security philosophy, for example, can be
summed up as "more eyes means better security," that is, since the
source code is open to peer review, bugs will be quickly spotted and
patched.

De Raadt scoffs at that credo. Most reviewers of open-source code, he
says, are amateurs. "These open-source eyes that people are talking
about, who are they?" he asks. "Most of them, if you asked them to
send you some code they had written, the most they could do is 300
lines long. They're not programmers."

Proactive auditing is the key to OpenBSD's vaunted security. Many
security professionals would like to see the model duplicated
elsewhere, especially in Linux offshoots struggling to seize market
share from notoriously buggy Microsoft products.

"I'm surprised there's not a version of Linux out there that has grown
supersecure," says Ron Gula, chief technology officer for Network
Security Wizard, a developer of intrusion-detection systems. Gula says
Linux developers could augment its security using de Raadt's
painstaking methods.

OpenBSD is designed to be "secure by default." Most comparable
operating systems, by contrast, come out of the box with settings that
are inherently insecure. Last year, for example, when hundreds of
servers running Red Hat Linux were compromised by buffer overflow
attacks, the company blamed system administrators for failing to
reconfigure the defaults.

"Linux distributions tend to take the approach of throwing everything
possible onto the default install, which leads to a clueless user
ending up with a highly insecure operating system," says Matt
Barringer of WireX Communications, a vendor of software solutions for
Linux server appliances. "OpenBSD takes the opposite approach, by only
including the essential and not allowing, by default, services that
may not be essential, FTP, for instance."

The secure-by-default policy is also a stress reliever for veteran
administrators. "The 10 percent [of these users] who do know how to
secure their machines, they get bored with it," says de Raadt. "It's
no more exciting than ditch digging. OpenBSD means they can get along
with their day-to-day jobs."

Unlike its American counterparts, which until July were bound by
strict encryption-export laws, the Canadian-based OpenBSD ships with
built-in encryption. (In a subtle display of Maple Leaf pride, labels
on OpenBSD discs read: "Made in Canada, Land of Free Cryptography.")
The latest version includes OpenSSH, which encrypts remote logins and
the traffic they carry, so that "sniffers" watching the network cannot
capture users' passwords in the clear.

While it's ideal for security-sensitive tasks, such as running
firewalls or data warehousing applications, OpenBSD is probably not
the best option for desktops. "Linux is more flexible than OpenBSD,
which is a direct result of OpenBSD being more focused on security,"
says Brenton. "As you lock things down, you lose functionality."

De Raadt sounds unconcerned about customer satisfaction. "I don't pay
attention to who's using it," he says. "We don't write OpenBSD for the
people, we write it for ourselves. If people end up getting benefits
from it, that's great."

Nevertheless, the system is catching on in corporate America. The
project doesn't track the number of free downloads or CD-ROMs
purchased, but a rough estimate places the number of users in the tens
of thousands. Potential investors regularly contact de Raadt with
offers of financial backing, he notes, but he has rebuffed them all:
"I talked to a venture capitalist a couple of weeks ago. I ended up
convincing him to just give us a donation."

De Raadt has devoted himself to OpenBSD with a mathematician's love of
constructing elegant systems. He fears that commercialization could
compromise security, since bottom-line-obsessed executives would be
tempted to skimp on time-consuming audits. Even worse, those
image-conscious suits might force de Raadt to abandon his fearsome
business-card mascot in favor of something more huggable. For now, the
demonic policeman is safe.

Brendan I. Koerner is a Markle Fellow at the New America Foundation.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
