I uninstalled OpenBSD the other day after using it since OpenBSD 2.7 came out eleven years ago. I had grown used to it and contributed too, following the OpenBSD mailing lists and even submitting code a couple of times. But when I began thinking seriously about security, things began to change.
After the debacle that arose about US government-funded backdoors in OpenBSD's IPSEC back in December ’10, I've had a suspicion lurking in the back of my mind that I just can't shake. If having backdoors was such a serious potential security liability, how could anyone be satisfied after just a week of auditing on such an important part of the OpenBSD codebase?
When looking into the audit I found some disturbing news. First, a proper audit is done transparently, with the methodology and results should published for end-users to read. Since the OpenBSD Foundation has no means to track who's actually using OpenBSD, that means that the results should be available publicly. But they're not.
Go ahead, try googling something like “openbsd ipsec code audit results” and see what comes back. Plenty of discussion, but nothing published by the people who performed the audit. Without that, we have no idea who did the audit, how the it was performed, or whether they found a backdoor.
So the question remains: are we sure that there is not a backdoor in OpenBSD's IPSEC?
Without knowing, there are some wide-ranging repercussions. Bits of IPSEC code may have made their way into other, more-widely used, products like Mac OS X, and for day-to-day OpenBSD users, who use OpenBSD for more than just routing and have their lives and livelihood on their OpenBSD boxes, the problem is very immediate and important.
I approached Theo de Raadt, OpenBSD's founder and leader, about this and asked if there would ever be a formal, published report on the audit. My asking led to my third reason for uninstalling OpenBSD: in typical Theo fashion, his reply was not only terse but also betrayed a lackadaisical attitude to his own operating system's security:
FROM: THEO DE RAADT <DERAADT@OPENBSD.ORG>
SUBJECT: RE: QUESTION ABOUT OPENBSD SECURITY
DATE: SEP 29, 2011 21:09:50 CST
OpenBSD is the most secure operating system in the world. We don't have to publish anything, and if you don't like it then don't use it. The end.
P.S. Don't contact me again.
With the leader of OpenBSD saying that OpenBSD's reputation will be enough to keep the hackers away, I just can't agree that OpenBSD is “the most secure operating system in the world.” Theo's cavalier attitude toward due process and security isn't just unprofessional; it's profound idiocy. To see my point, just check out the title of OpenBSD 5.0's theme song.
And with OpenBSD 5.0 on the horizon and nary a peep on this serious security issue in sight, it's time to move on. Theo can release as many updates and funny logos and silly songs as he wants, but the fact is that the only way to gain serious security credibility for OpenBSD is to pursue due process. Until then, OpenBSD is a minefield of holes and cracks. OpenBSD is about as secure as swiss cheese.
So today I urge you to find an operating system whose development team takes security seriously and uninstall OpenBSD posthaste. There are many out there, so take your pick: Mac OS X, FreeBSD, NetBSD, or even Linux.
Just know that running OpenBSD is taking a huge, unnecessary risk. Don't play games with your security. Uninstall OpenBSD today.