Jul 4, 2013

Why I Abandoned OpenBSD and Why You Should Too…

Dear OpenBSD developers and users:

Regretfully, I have decided to abandon OpenBSD and thought I would share my reasoning with this list. I thought the 4th of July was a good date to do so since my reasons address national security implications. As a group of people who take development, security, and privacy seriously, I know you will want to know why I made the drastic decision to abandon OpenBSD and never look back.

I'm sure we've all heard of PRISM by now, the user-friendly name of the United States Federal Government's massive civilian and resident spying program otherwise known as US-984XN. PRISM is certainly bad enough in its own right, but it's how PRISM works, combined with the pattern of behavior found in OpenBSD development, that was the tipping point for my use of OpenBSD.

And we all know Theo de Raadt, OpenBSD generalissimo of much infamy. After being fired from the NetBSD team, Theo forked the code and started OpenBSD. He's been pretty much solely responsible for development of OpenBSD over the years, taking volunteer code as he sees fit. He also has final say over security audits in the operating system, something that turns out to be very important.

I was prepping to migrate the whole of our shop, a regional ISP in the United States of America, to OpenBSD 5.3 when the news broke: CBS News reporter Sharyl Attkisson claimed, during a live radio interview, that she had been dealing with suspicious computer and phone issues. Check out this snippet from the full transcript of the interview. One line in particular trashed my plans for the OpenBSD upgrade:

Well, I have been, as I said, pursuing an issue for a long time now — much longer than you’ve been hearing about this in the news — with some compromising of my computer systems in my house — my personal computer systems as well as my work computer systems. I thought they were immune to being compromised — because they all ran OpenBSD — but I guess I was wrong. So, we’re digging into that and just not ready to say much more right now, but I am concerned.

Since that interview in May, I've watched story after story of direct server access, PRISM, and NSA spying and connected some dots. For example, consider the accusation made in December 2010 that the FBI had planted backdoors in OpenBSD's IPsec stack, and that the accusation later proved true. The two scandals broke less than three years apart.

Consider that PRISM allows the United States Federal Government to directly access the servers of virtually any company doing online business, including tech giants like Apple, Facebook, Google, and Microsoft. But those same tech giants deny complicity. I'm sure we all agree that personal privacy is beyond the scope of private enterprise, but let's assume their denials are true. Then connect more dots:

OpenBSD has shipped on over half of all network devices, including things like routers, switches, gateways, and servers, for the last six years. The current estimated number of OpenBSD installations sits at over 350 million devices, comprising an almost ubiquitous presence of OpenBSD in networks worldwide.

Even if no corporation offers the United States Federal Government direct access to its servers through PRISM, OpenBSD offers that same access through the presence of its backdoors.

There it is. Let it sink in. Words like Gestapo and Stasi and KGB come to mind. OpenBSD is part and parcel of the United States Federal Government's program to spy on its own citizens through bodies like the NSA and FBI, and has been since the FBI paid for backdoors in IPsec about a dozen years ago.

Yesterday, I told the company that we must migrate all our services from OpenBSD to something else because the risk to our customers' privacy and security is simply unacceptable. Theo de Raadt may seem like some kind of guard dog of security, but he's really just a little bitch bought and sold by the United States Federal Government.

The kicker is that Theo denies anything suggesting that OpenBSD is less than perfect at security, as if he's personally offended by the mere suggestion. He routinely attacks developers and enthusiasts for simply asking questions. Why so touchy, Theo? Could it be because you're complicit in the biggest citizen spying program ever run in the history of the world?!

Today, be a true patriot to the ideals of personal privacy and public liberty: prevent and reject any and all use of OpenBSD.

Happy 4th of July.