Aug 16, 2002

Linux vs. OpenBSD

I received the email first thing in the morning from the IT department. Our network would be undergoing a major overhaul to correct the ad hoc growth it had experienced in the last year, and starting next week Internet access would be sporadic. There would also be a new firewall and security measures, replacing the old OpenBSD system I'd managed to get installed last Spring. Happy for the heads-up, I went to work right away to make sure Linux had no place on our network. This was not the first time that I had faced this threat.

About a year ago our network guy, the Open Source Mullet, was asked to draw up firewall plans. He was your typical GNU-slinger save that he had a cascade of flowing hair down the back of his head instead of a beard hanging from his face. And yeah, you can guess what he thought those firewalls were gonna run. I'd caught wind of the plans, however, and had charts, graphs, and comparisons written up detailing OpenBSD and Linux security. Since this GNU guy had a mullet and dressed like a slob, I got taken seriously. Not to mention my data was impenetrable to any hippie logic. OpenBSD was more secure even to the beancounters and idiot management. So thanks to me, our firewalls happily ran OpenBSD and not Linux, which would have buffer-overflowed into no-man's land every other hour. The Open Source Mullet gave me a lot of dirty looks forever after, though.

Since the Open Source Mullet had been canned, a new threat had arisen at my workplace: the Fat Perl Hacker had assumed most of the Open Source Mullet's system and network administration duties, and it was no mystery to anyone at my workplace that he had a hard-on for Linux tucked away under his enormous, cascading gut. Since he was a major suck-up and workaholic, he had a lot more credibility than the Open Source Mullet — this would be a real challenge for once. Dealing with the Open Source Mullet had been cake.

That night, I went to work on my strategy. First, I would document the changes in Linux and OpenBSD since a year ago when we last went with a security plan. Linux was still at version 2.4, while OpenBSD had raced from version 2.8 to 3.1 — a major revision! This was good so far, and I included the relevant diffs for each. I wondered what the Fat Perl Hacker was up to and pushed ahead with my preparations.

Tuesday morning, I went to talk with the VP of Operations, who had final say on the network project. I wouldn't leave anything to chance. But after chatting with him for a few minutes, I learned of a major monkey-wrench I hadn't expected: instead of a Unix firewall system, he was planning on installing a dedicated firewall box — running Windows XP. Thankful for my fortuitous social engineering, I went back to my desk and began making over my strategy to deal with this new threat. Not only would I have to deal with Linux, I'd have to eschew the Windows option now.

Sitting in front of my iBook after work, I realized that taking on Windows XP in the same manner I was going to deal with Linux would be foolish if not wasteful. Obviously the Windows option was not about numbers, anecdotes, or experience. It was a bean-counting decision and all of the security statistics in the world wouldn't matter. Since I hadn't the foggiest about how our accountants viewed the whole operation and didn't have time to learn, I'd have to implement a rapid-fire real-life assault on the Windows box, which was sitting on the VP's desk awaiting its place on the network. It was time to put on my Black Hat, and that night I stayed up until 02:00 researching Windows XP vulnerabilities. Linux would have to wait.

With just two days before the network changeover was to take place, I marched into work Wednesday morning knowing that what I did in the next few hours would decide the fate of our network security. To my surprise, just moments after I had sat down, the Fat Perl Hacker asked me to join him for a cigarette outside — away from the ears and eyes of the office. 15 minutes later, I was fully aware of the precarious situation I was in.

Joining forces with the Fat Perl Hacker was something I had thought about but hadn't wanted to consider. It was a double-edged sword, and I wasn't about to kid myself. Although I am damn good, he had another full decade of experience over me and that included office politics. If we aided each other I ran the risk of pushing for Linux, even if inadvertently. And I certainly wasn't about to reveal my anti-Linux research to him. After doing some quick scheming, I agreed to help the Fat Perl Hacker dissuade the VP from using Windows XP — but I had my own twist to what would follow after. Knowing my shortcomings, I decided to do the only thing that would give me an edge. And that was doing something that I knew better than anyone else at my office: playing dirty.

After a power-lunch of strategizing, the Fat Perl Hacker and I went to work on cracking the Windows XP box into oblivion. We then called back to the VP and told him to load the web administration page on the firewall box. A few minutes later he was standing in my cubicle smiling. I already had a print-out of the exploits we had used and handed them to him without a word. After looking it over for a minute, he shook his head and chewed his lip. He looked at the Fat Perl Hacker and me and told us to have something more secure ready by tomorrow morning before returning to his office. Now it was crunch time. The Fat Perl Hacker smiled at me in victory, and I smiled back at him in anticipation of putting my grand plot to work.

Now early Thursday morning, I revised my anti-Linux, pro-OpenBSD presentation into an airtight backup. I would use it as my last-ditch effort in case my primary plan failed. And that primary plan just happened to be underhanded, dirty, scandalous, unfair, and full of treason. After closing PowerPoint X I carefully downloaded and burned Slackware and OpenBSD 3.1 on the same brand of blanks the Fat Perl Hacker used. I happened to know, thanks to some late-night overtime I put in the night before, that the Fat Perl Hacker was planning on presenting a burnt CD of Slackware as the solution to our firewall problem. Now if only I wasn't so scatter-brained and mislabeled burnt CDs so easily!

After a few brief hours of sleep, I waltzed into the VP's office, asking when we would have our meeting about the firewall. He asked me if 30 minutes was OK, which I said was fine, and also asked that I go and ask the Fat Perl Hacker if that was good for him as well. Back in the cubicle farm, I told the Fat Perl Hacker that the VP wanted to talk to him about the meeting. I had about 45 seconds in his empty cubicle to find his Slackware CD, replace it with my mislabeled OpenBSD CD, and book it back to my cubicle to put on an innocent face. I just barely made it as I passed him on the way back to my seat. Wiping the sweat from my brow, I read my email for the next 28 minutes.

The moment of truth had finally arrived as I sat down in the conference room in front of a newly-purchased, bare Pentium4 PC. The Fat Perl Hacker joined me and the VP moments later and we got down to business. The VP smiled and said he knew we both probably had our own ideas about network security, and he wanted to hear them both. Playing the fool I volunteered to let the Fat Perl Hacker present his solution first. I tried vainly to suppress a smile as he slipped his CD from its sleeve. Holding it up, he said the magic words I had counted on him saying:

This is all we'll ever need to keep the network secure.

A few beeps and whirs later from the PC and the Fat Perl Hacker was greeted by OpenBSD 3.1, ready to format and install on the hard drive. Not waiting a second for his jaw to unslacken, I jumped up, slapped the table, and exclaimed that I couldn't have picked better myself, shaking my own burnt CD in the air. What a coincidence! And things just got better from there. So much better, in fact, that I didn't even need to bust out my PowerPoint presentation. It turned out that Fiscal wanted an answer right then and there, I heard through the freshly-answered phone, and the VP didn't waste an instant telling them he was on his way. That is, before informing the Fat Perl Hacker that he was about to get assigned a bunch of new security modules to customize and that I'd have to do the firewall install and configuration. The L-word hadn't even been uttered during the meeting and I was home free.

The weekend overtime didn't bother me at all. I got time-and-a-half for it and the firsthand opportunity to make sure OpenBSD would oversee the sanctity of our network. Things went so well that we didn't even have any network hiccups the next Monday morning. Despite the unexpected Windows XP push, the Fat Perl Hacker's Linux obsession, and a few variables left to chance, I had come through with flying colors and even impressed myself.

The Fat Perl Hacker, however, never invited me to join him for a cigarette again.

2 comments:

  1. ho ho ho. Take a look at http://www.trollaxor.com/2010/06/why-i-left-openbsd.html
