Oct 1, 2011

Why I Uninstalled OpenBSD

I uninstalled OpenBSD the other day after using it since OpenBSD 2.7 came out eleven years ago. I had grown used to it and contributed too, following the OpenBSD mailing lists and even submitting code a couple of times. But when I began thinking seriously about security, things began to change.

After the debacle that arose about US government-funded backdoors in OpenBSD's IPSEC back in December ’10, I've had a suspicion lurking in the back of my mind that I just can't shake. If having backdoors was such a serious potential security liability, how could anyone be satisfied after just a week of auditing on such an important part of the OpenBSD codebase?

When looking into the audit I found some disturbing news. First, a proper audit is done transparently, with the methodology and results should published for end-users to read. Since the OpenBSD Foundation has no means to track who's actually using OpenBSD, that means that the results should be available publicly. But they're not.

Go ahead, try googling something like “openbsd ipsec code audit results” and see what comes back. Plenty of discussion, but nothing published by the people who performed the audit. Without that, we have no idea who did the audit, how the it was performed, or whether they found a backdoor.

So the question remains: are we sure that there is not a backdoor in OpenBSD's IPSEC?

Without knowing, there are some wide-ranging repercussions. Bits of IPSEC code may have made their way into other, more-widely used, products like Mac OS X, and for day-to-day OpenBSD users, who use OpenBSD for more than just routing and have their lives and livelihood on their OpenBSD boxes, the problem is very immediate and important.

I approached Theo de Raadt, OpenBSD's founder and leader, about this and asked if there would ever be a formal, published report on the audit. My asking led to my third reason for uninstalling OpenBSD: in typical Theo fashion, his reply was not only terse but also betrayed a lackadaisical attitude to his own operating system's security:

FROM: THEO DE RAADT <DERAADT@OPENBSD.ORG>
SUBJECT: RE: QUESTION ABOUT OPENBSD SECURITY
DATE: SEP 29, 2011 21:09:50 CST

OpenBSD is the most secure operating system in the world. We don't have to publish anything, and if you don't like it then don't use it. The end.

P.S. Don't contact me again.

With the leader of OpenBSD saying that OpenBSD's reputation will be enough to keep the hackers away, I just can't agree that OpenBSD is “the most secure operating system in the world.” Theo's cavalier attitude toward due process and security isn't just unprofessional; it's profound idiocy. To see my point, just check out the title of OpenBSD 5.0's theme song.

And with OpenBSD 5.0 on the horizon and nary a peep on this serious security issue in sight, it's time to move on. Theo can release as many updates and funny logos and silly songs as he wants, but the fact is that the only way to gain serious security credibility for OpenBSD is to pursue due process. Until then, OpenBSD is a minefield of holes and cracks. OpenBSD is about as secure as swiss cheese.

So today I urge you to find an operating system whose development team takes security seriously and uninstall OpenBSD posthaste. There are many out there, so take your pick: Mac OS X, FreeBSD, NetBSD, or even Linux.

Just know that running OpenBSD is taking a huge, unnecessary risk. Don't play games with your security. Uninstall OpenBSD today.

22 comments:

  1. You must be trolling
    http://osxdaily.com/2011/09/19/change-password-mac-os-x-10-7-lion-without-knowing-current-password/
    http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc
    https://lkml.org/lkml/2011/9/30/425

    ReplyDelete
  2. Please don't contact me again.

    ReplyDelete
  3. trollaxor would never troll. I suggest you check your facts.

    ReplyDelete
  4. First anon:

    How many issues with OpenBSD do you not know about? Knowing about issues and having them fixed makes me feel better about those 3 OS's.

    ReplyDelete
  5. So just 'I think' 'It may' and you throw it away.
    It's really short story.

    ReplyDelete
  6. awe did theo hurt your feelings ? .. maybe he's busy doing real work rather then explaining things to you ?

    ReplyDelete
  7. LOL !, keep your zero days for OpenBSD and go away right now!

    ReplyDelete
  8. You are right. Theo's "if you don't like it don't use it" reply is, in fact, not a reply.

    The issue of secure configuration was a concern I had back when I was using OBSD: however, since it shipped with everything "off" the blame-the-victim-you-fucked-it-up position absolved OBSD of any blame. But what use if OpenBSD if everything is off? The first thing anyone does with their box is turn on services.

    The nice folks at el8 complained gently that OpenBSD had some possible issues with wholesale importation of device drivers.

    Security through reputation is nice, but their claim of N holes in Y years doesn't mean much because you can't compare it to anything (or you could but they don't).

    An excellent "troll". Troll HARDER.

    ReplyDelete
  9. Unistall OpenBSD to install Mac OSX or Linux. As a security related step.... Seriously ?

    ReplyDelete
    Replies
    1. Yes, Linux. A hardened Linux is SECURE, proved by tests and comparison, not by "because I say so".

      Delete
  10. Irony. Security through obscurity is the OBSD solution. OBSD should be called CBSD.

    ReplyDelete
  11. If you think that OpenBSD is backdoor'ed, why would you ask the person that would potentially be involved with installing the backdoor?

    If your blog post said "I audited the OpenBSD IPSec code and I found a backdoor", then your blog post would make sense and your opinion would be worth reading.

    What's the point in using OpenBSD and complaining about it if you don't even read the source code? If you can't read the source code, then you really can't and shouldn't trust ANY OS, given your logic.

    Read the source code and if you find a backdoor, you win a prize.

    ReplyDelete
  12. Let's face it. Theo is a prick who is convinced he is always right, everyone else is a fool, and if you don't like it, get out.

    That's why you shouldn't actually depend on OpenBSD for anything. The question isn't whether it's secure - it mostly is, and I doubt it's any worse than any other OS - but the "owner" just isn't worthy of your trust.

    ReplyDelete
  13. you stupid morron

    ReplyDelete
  14. There are some good points here; the name is OPEN BSD, so why was the audit not open? Even Theo would have to admit that the apparent secrecy is contrary to the spirit of what he espouses for security.

    One almost HAS TO ask, why the audit was done that way.

    I still see OpenBSD as a secure OS given the track record.

    ReplyDelete
  15. I'd get the same reaction from users in one of the XCHAT rooms devoted to OBSD. They (the users) seem to avoid the question, and if you continue, they shut you out. IMO, OBSD users (many, not all), have a serious attitude problem. I found two Linux releases that can meet, even surpass OBSD -LIBERTE Linux, and EnGarde Linux (security so tight, makes OBSD look like it was written by a clown (maybe Theo IS a clown - lol)).

    ReplyDelete
  16. Yeah, remember 2008 when it was discovered Debian was generating useless SSH/SSL keys because of a developer who commented out some random number generation that were throwing errors? For 2 years you could decrypt any SSH login http://research.swtch.com/openssl

    This is the difference between OpenBSD and almost every other distro: quality software auditing for security and stability. You can actually audit the OpenBSD base code (and they do). Linux Kernel development is now 15 million lines of code nobody can audit that. You're freaking out about something you yourself could look at and decide if it's secure or not, because it's transparently open to the world to see, and kept small to avoid the ballooning propagation of errors which is 15 million + kernel lines of code.

    EnGarde Linux and LOl liberte (enjoy using their cable communications which is a complete joke. not anonymous whatsoever) may be using 'hardened Gentoo' and have all sorts of fancy knobs you can fiddle with claiming to be MAC and stack overflow prevention but is completely useless because you're still running it on 15 million + lines of insecure kernel development. The entire core is broken, who cares about the icing being impressive.

    Linus Torvalds does not follow any sort of sane development cycle, he just pushes out features as fast as possible. There is no security focus, because Linux was never about security, and much of the old school guy's who sorted this stuff out and gave a flying f about quality control and bug squashing like Alan Cox all quit.

    Look up Histar, a tiny O/S purposely designed by PHD researchers to be ultra secure. You can audit all the code in a few days. But it has no knobs to fiddle with or fancy MAC fluff pretending to be security, so I guess you wouldn't like it.

    ReplyDelete
  17. Some details (filenames, incriminated expressions) of two compromises were published here:

    ht tp://web.arc hive.or g/web/20120103060415/ht tp://extended subset.co m/?p=41
    (remove spaces).

    There were patched a few yeurs later by the audit process of OpenBSD, and were only weakening openbsd a noticable small amount.

    Credits to the OpenBSD audit process: that backdoor was difficult to use.

    ReplyDelete
  18. A secret audit is absolutely valueless.

    Imagine if drug companies were allowed just to claim that there drugs were safe without publishing any evidence that they had been tested or explaining the methodology or stating who had carried out the tests and what their experience was. Would you take the drugs?

    Theo is completely deranged and anyone who trusts someone who clearly has mental health issues to "do the right thing" is a fool.

    ReplyDelete
  19. FREE speech!

    . .
    ~

    ReplyDelete
  20. What was the second reason? You only mention first and third.

    ReplyDelete