Why I Uninstalled OpenBSD
I uninstalled OpenBSD the other day after using it since version 3.1 came out nine years ago. I had grown used to it and contributed too, following the OpenBSD mailing lists and even submitting code a couple of times. But when I began thinking seriously about security, things began to change.
After the debacle that arose about US government-funded backdoors in OpenBSD's IPSEC back in December ’10, I've had a suspicion lurking in the back of my mind that I just can't shake. If having backdoors was such a serious potential security liability, how could anyone be satisfied after just a week of auditing on such an important part of the OpenBSD codebase?
When looking into the audit I found some disturbing news. First, a proper audit is done transparently, with the methodology and results should published for end-users to read. Since the OpenBSD Foundation has no means to track who's actually using OpenBSD, that means that the results should be available publicly. But they're not.
Go ahead, try googling something like "openbsd ipsec code audit results" and see what comes back. Plenty of discussion, but nothing published by the people who performed the audit. Without that, we have no idea who did the audit, how the it was performed, or whether they found a backdoor.
So the question remains: are we sure that there is not a backdoor in OpenBSD's IPSEC?
Without knowing, there are some wide-ranging repercussions. Bits of IPSEC code may have made their way into other, more-widely used, products like Mac OS X, and for day-to-day OpenBSD users, who use OpenBSD for more than just routing and have their lives and livelihood on their OpenBSD boxes, the problem is very immediate and important.
I approached Theo de Raadt, OpenBSD's founder and leader, about this and asked if there would ever be a formal, published report on the audit. My asking led to my third reason for uninstalling OpenBSD: in typical Theo fashion, his reply was not only terse but also betrayed a lackadaisical attitude to his own operating system's security:
OpenBSD is the most secure operating system in the world. We don't have to publish anything, and if you don't like it then don't use it. The end.
P.S. Don't contact me again.
With the leader of OpenBSD saying that OpenBSD's reputation will be enough to keep the hackers away, I just can't agree that OpenBSD is “the most secure operating system in the world.” Theo's cavalier attitude toward due process and security isn't just unprofessional; it's profound idiocy. To see my point, just check out the title of OpenBSD 5.0's theme song.
And with OpenBSD 5.0 on the horizon and nary a peep on this serious security issue in sight, it's time to move on. Theo can release as many updates and funny logos and silly songs as he wants, but the fact is that the only way to gain serious security credibility for OpenBSD is to pursue due process. Until then, OpenBSD is a minefield of holes and cracks. OpenBSD is about as secure as swiss cheese.
So today I urge you to find an operating system whose development team takes security seriously and uninstall OpenBSD posthaste. There are many out there, so take your pick: Mac OS X, FreeBSD, NetBSD, or even Linux.
Just know that running OpenBSD is taking a huge, unnecessary risk. Don't play games with your security. Uninstall OpenBSD today.
You must be trolling
ReplyDeletehttp://osxdaily.com/2011/09/19/change-password-mac-os-x-10-7-lion-without-knowing-current-password/
http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc
https://lkml.org/lkml/2011/9/30/425
Please don't contact me again.
ReplyDeletetrollaxor would never troll. I suggest you check your facts.
ReplyDeleteFirst anon:
ReplyDeleteHow many issues with OpenBSD do you not know about? Knowing about issues and having them fixed makes me feel better about those 3 OS's.
So just 'I think' 'It may' and you throw it away.
ReplyDeleteIt's really short story.
awe did theo hurt your feelings ? .. maybe he's busy doing real work rather then explaining things to you ?
ReplyDeleteLOL !, keep your zero days for OpenBSD and go away right now!
ReplyDeleteYou are right. Theo's "if you don't like it don't use it" reply is, in fact, not a reply.
ReplyDeleteThe issue of secure configuration was a concern I had back when I was using OBSD: however, since it shipped with everything "off" the blame-the-victim-you-fucked-it-up position absolved OBSD of any blame. But what use if OpenBSD if everything is off? The first thing anyone does with their box is turn on services.
The nice folks at el8 complained gently that OpenBSD had some possible issues with wholesale importation of device drivers.
Security through reputation is nice, but their claim of N holes in Y years doesn't mean much because you can't compare it to anything (or you could but they don't).
An excellent "troll". Troll HARDER.
Unistall OpenBSD to install Mac OSX or Linux. As a security related step.... Seriously ?
ReplyDeleteYes, Linux. A hardened Linux is SECURE, proved by tests and comparison, not by "because I say so".
DeleteIrony. Security through obscurity is the OBSD solution. OBSD should be called CBSD.
ReplyDeleteIf you think that OpenBSD is backdoor'ed, why would you ask the person that would potentially be involved with installing the backdoor?
ReplyDeleteIf your blog post said "I audited the OpenBSD IPSec code and I found a backdoor", then your blog post would make sense and your opinion would be worth reading.
What's the point in using OpenBSD and complaining about it if you don't even read the source code? If you can't read the source code, then you really can't and shouldn't trust ANY OS, given your logic.
Read the source code and if you find a backdoor, you win a prize.
Let's face it. Theo is a prick who is convinced he is always right, everyone else is a fool, and if you don't like it, get out.
ReplyDeleteThat's why you shouldn't actually depend on OpenBSD for anything. The question isn't whether it's secure - it mostly is, and I doubt it's any worse than any other OS - but the "owner" just isn't worthy of your trust.
you stupid morron
ReplyDelete