Is OpenBSD the most secure OS? In what way?

This is an open call to any willing to contribute a summary or even an extensive analysis of the ways that OpenBSD is superior in terms of security to Linux and other systems.  The motivation stems from two comments that have appeared here recently by cynwulf (1,2).  To clarify, the motivation for this is not to counter such a presentation to defend Linux but to learn ourselves, as we simply don’t know.  Between the marketing rhetoric of various systems it is hard to really tell what claim really stands up and what is unsupported.  From the long list of open and sometimes free operating systems you will hardly find one that doesn’t claim it is secure.  So here we go revisiting the terms security, privacy, anonymity, to conceptualize what in general data-security means and whether one needs to be concerned, or not so concerned.

One of the comments relates security to political issues and as this was part of a discussion that took place more than a year ago, we thought it would have been better if the topic is reopened with more specific guidelines.  Cynwulf counters that not all security issues are political in nature, when I had claimed they were.  The difference may be in the definition of what is political and what not.  Ultimately I believe that any ideas and their communication about how we deal with things that we have in common is political.  How we share things, how and why we don’t, how do we keep things from others, is political.  So my definition may extend well beyond how most people define the word political.

As I see it, returning to data storage, access, and management, there is information and there are tools that help us store, access, share, manage, exchange, information.  Ideally there should be accurate information about everything anyone would want to know and a simple way for anyone to access the needed information.  In a plausible world of equality this would very well be possible.  The only reason one would store information that should not be shared is when information has value.  This value in a competitive world of inequality is important.  The more one has and the less others have of it, the wealthier or more powerful one becomes.  This is what I think it all boils down to when it comes to “private data”.   Information could also be in the form of a product, it could reflect creativity, such as in software, art, or even research.  This creative work, a product, that has not been available to the market yet, it has not been sold yet, to make it simpler, is an object to secure from others.  The creator needs special tools to maintain its secret ownership and to protect it from others obtaining it.  The special tools as a set may be an operating system, the hardware, encryption methods, and strict network access.  Physical access is also an issue but we will leave this part out as unrelated to electronic security.

Therefore, in a world of inequality, economic and political inequality, a world where the amount of wealth and power one can accumulate determines the way of life, securing information becomes a valuable resource.  Here comes the issue of ideology and perception.  There are many out there that see large corporations with “good reputation” being trustworthy, to sell or to provide tools for securing data.  There are others that trust government agencies with such tools or the tools they approve.  There may be some who distrust government but trust corporations and the other way around.  Think of how many use VPN for their networking needs and trust large corporations to provide them with such a service.  Some think they, as individuals, are together against bad taxing governments.  How many use MS-win, or Apple’s software, and how many more trust Intel, AMD, and in general hardware manufacturers who sell them “tools” to keep their data private.  There are a few that trust neither government nor corporations.  Some of us feel we have a choice with software, but we really don’t have much of a choice in hardware.  So it becomes a compromise no matter what your perception is from who to keep data away from.  The issue becomes more complex when what you want to do with data is to actually share it with “people” but don’t want to be put under the spotlight of governments and corporations.  In other words you want data to be shared equally but don’t want to be discovered as the one who is making it public and how you are sourcing it.  The wikileaks founder comes to mind as it made prime headlines again recently and around the globe.  Although not of the same nature, those hosting secret search engines for torrents of non-free data have also been hunted down and run over (although some made money from this, they were no folk heroes).  The indymedia network worldwide has been under attack for the past 20 years in various places and in various degrees.  So have been other political group servers.  Those are cases where adversaries are trying to block information from becoming public and being shared.  It is nearly the reverse security issue than what most people think when they hear the term security.

Let us return to the issue of trust against security.  The unix ecosystem was founded on the idea of open networking and sharing of information.  Data without an owner and available at no cost to anyone who needs it.  The more that was created and the more it was shared the “wealthier” the community and its network became.  Still individuals wanted to maintain the right to structure their own system, develop their own code that improved their system, and eventually share this code if it was beneficial.  So what is to be shared and when and what is kept under the control of the administrator was always defined.  It wouldn’t be fair taking a nap and waking up and having your system erased because you were willing to share all of your work and information.  Earlier on, corporations thought this practice was foolish and would have no future, as individual programmers couldn’t be organized enough and capable enough to produce systems better than the ones that were sold.  Soon though benchmarks showed how wrong they were.  Corporations such as DEC, IBM, Sun, Sgi, Oracle, etc. began adopting this shared and free code and paid hefty prices to software developers to modify this code for their own use.  The same corporations turned around and sold superior computing and data management systems to governments, and the same sold similar systems to other corporations.  This also included banking and financial institutions who are really invested in “security”.  Their needs and their interests became interdependent.  So you have fools today bragging on how their google, facebook, and yahoo accounts are secure because those corporations provide them with high level encryption.  Secure from whom you may ask?  Government?  Other private parties, individuals attacking and stealing other individuals’ data?  Now this is where security is non-political, where one individual is trying to steal from another, and one is trying to fend off individuals from their private data.

If we don’t know where the interests and collaboration of corporations and governments begin and end why would anyone think that organized crime, corporations, and government are separate competing entities, when it comes to a common enemy?  Who is the enemy?  The unorganized people, that is who.  The object the powerful need to oppress, and the object of the wealthy to exploit.  The few that do try to organize from below are an even more dangerous enemy to all those other three entities.  The holy triad I may joke about, and my jokes are not widely respected.  Ask yourselves, is Julian Assange, as far as you know, your enemy?  He is not mine.  Is he the enemy of the holy triad?  So maybe this triad is not as holy as many may think.

In this manner we have a newer more subtle threat.  If you can’t beat something that is powerful you might as well join it.  If you can’t beat hackers producing superior code to your secret little private binary blobs, you can pretend you are among them.  Either with the official face of a corporation or the unofficial face of small development teams with unknown funding sources.  Here we have corporate entities being organized and producing “open” and “free” code.  We have teams with tremendous resources, springing up from nowhere, working full time producing free and open code, available and competing with projects that were self funded, part time, but well respected.

What is the trick to learn in unix/linux/bsd system administration?  Knowing enough to configure all the little subsystems.  What do people lack?  Expertise to do such configuration.  What do people need?  Automated graphical software that have the ability to self configure.  So who is funding systemd, pulseaudio, gnome, freedesktop, networkmanager, etc?  We don’t know, we don’t care, because it is “free”.  Free as in cheaper than beer.

Are we really talking about a trojan horse that the “unix” community allowed to barge in because the unix community was not really ever organized to make such decisions centrally?  Was this allowed due to the general naivety of the predominance of developers?  Were there stricter guidelines needed that were never in place to keep the “evil doers” out?  Was it GNU naivety?  Weak people tend to follow congregations of strength.  Red Hat and Debian were such congregations.  If it is good enough for Debian it is good enough for me, each of the sheep said.  Debian is very well known for “security” and “stability”.  Debian, Ubuntu, Mint, does it make a difference?  They lead the mavericks into the stable and locked the door behind them.  Now the “threat” is contained.

I know very little about BSD, I just installed it to begin to learn based on the interest stimulated by Cynwulf.  I know artix, obarun, s6-skarnet, adelie, void, antix.  Small projects and obviously underfunded.  What others perceive as deficiencies I perceive as advantages.  Security advantages.  Poor void lost its domain name to a higher bidder, and moved to a new one.  Didn’t have its own forum or a place where donations can be sent.  Obarun’s site has just one little logo image to save bandwidth from its server.  Artix relies on personal academic contacts to provide server and compiling power in university infrastructure.  But Manjaro has really taken off, especially after they dropped the OpenRC choice!!!

I think I will cut my rambling short and keep some for the discussion if it ever takes off on the issue.

 

References (cynwulf’s comments):

1 https://sysdfree.wordpress.com/2018/05/16/216/comment-page-2/#comment-2583

2 https://sysdfree.wordpress.com/2018/01/27/172/comment-page-1/#comment-2620

3 thoughts on “Is OpenBSD the most secure OS? In what way?”

  1. Your question in the topic title raises many more questions…

    There is the old saying “opinions are like…”

    As with systemd, controversial software, which some adore, others hate and others just shrug and don’t really care either way – OpenBSD has its critics, including security experts/researchers.

    There is a list of OpenBSD innovations here: https://www.openbsd.org/innovations.html

    Taking pledge() as an example, it’s worth reading this presentation: https://www.openbsd.org/papers/hackfest2015-pledge/

    I know of no other project which goes to these lengths to introduce security mitigations (if there is one, I’d really like to know about it).

    What sets OpenBSD apart is not some “no 1 top secure OS” claim, etc as some would certainly have you believe – it’s the approach to “proactive security”, security by default, code correctness and simplicity of code – and the latter two, perhaps unsurprisingly, result in better security as a side effect.

    https://www.openbsd.org/security.html

    You have to bear in mind that OpenBSD is “a complete OS”, not just a kernel but as a whole is still a tiny project compared to the likes of the Linux kernel. This is why much of the negative press you read about OpenBSD, is based on anecdotal crap from people who don’t use it, could not use it, or were told exactly where to shove their opinions on the project’s official mailing lists. The big difference between OpenBSD and other projects is that its developers do not practice any kind of advocacy – if you don’t like it and it doesn’t suit your need you can go elsewhere. This “bad PR” means that there are people who walk away with a grudge, post unfounded opinions and try to influence others to think the same – again targeting a tiny OS project, which they are not obliged to use.

    (These same people probably forget that the ssh (OpenSSH) they may use on various OS, is developed by OpenBSD project).

    Certain people made their opinions known over a decade ago: https://lkml.org/lkml/2008/7/15/296

    The problem with that opinion, is that it’s full of rhetoric, full of strawman argumentation (who are these “security people” so casually lumped together, which of these security people have said they want to be “heroes”, where have they said that other bugs don’t matter…?), but because, for Linux fans, it comes from “the man”, it gets taken seriously, it gets repeated as fact.

    In reality it’s a distraction tactic, it’s coming from the lead of a very large monolithic project, with so many millions lines of code, they’ve pretty much admitted they can’t audit it: https://www.linux.com/news/linuxcon-2015-report-dirk-hohndel-chats-linus-torvalds

    So while OpenBSD certainly isn’t perfect and is always an ever changing and improving work in progress (security cannot be “installed”, is not something you can just “get done” and sit back and watch…), it’s arguably better than the project which has pretty much admitted time and again that it’s not focused on it (putting it mildly).

    So, as I said initially, the opening question will generate a whole host more questions, answers and argumentum ad infinitum – and my principal responses to such arguments will always be – if you’re not an OpenBSD developer, particularly the project founder and lead developer, or an OS security expert, you’re not really in a position to say where an OS is secure or not. We can only look at reputation, history and the facts and discard the anecdotal and ideological evidence.

    If we look at Linux and OpenBSD objectively and if we discard the agenda driven “industry” mouthpieces and tech press click bait journalists, who like to claim that an OS like OpenBSD is secure, essentially because hardly anyone uses it, the data speaks for itself. The data is out there for those who wish to look for it and learn to interpret it for themselves…

    Regarding the “…trojan horse that the “unix” community allowed to barge in because the unix community was not really ever organized to make such decisions centrally…”.

    There are different types of projects. There are entities such as Red Hat, which started out with commercial aims from day one. Projects like Debian started with noble goals, but their own internal politics and bureaucracy have been its undoing – or maybe not – all depends on which side of the fence someone is on.

    Unlike a centralised project, with a “team” and “BDFL”, Debian essentially allowed anyone to join and develop code, providing they had the will and the ability. When Ubuntu arrived on the scene in 2004, for the next few years, you had the crossover of Ubuntu developers and maintainers to Debian, developers from other parts of the industry and even the upstream developers of the software – ultimately getting into positions to make decisions or just create enough inertia to force through changes.

    You only have to look at systemd in Debian and how the alternatives have effectively been shelved… the alternative kernel projects such as kFreeBSD have also never really gotten off the ground, whereas several years ago looked very promising and kFreeBSD did actually release once.

    I predict that the number of architectures for the “universal OS” will shrink considerably over the next decade – simply because the weight of “streamlined” systemd based, barely portable Linux will make it too difficult for anything except architectures valued by commercial entities to survive.

    This will serve to further “lock” users into x86 – the platform famed for IME and processor bugs related to cache, SMT, speculative execution, etc. A great platform you can almost definitely trust.

    So more narrowing, as envisaged in fact by the systemd developer who famously referred to “too many distributions” and how they were going to set out addressing that supposed problem.

    But “too many distributions” is also a valid critique, but not in the way that person was directing it. There are certainly too many derivatives, “too many Debians” in particular which are little more than a change of branding, logo and desktop. This in itself is very damaging and plays into the hands of the “big three” corporate owned/influenced/controlled Linux heavyweights.

    If many supposed “developers” are effectively “wallpapering” over a systemd/Linux and then releasing it as “Whatever Linux”… we have sadly left the days behind when people like Ian Murdock and Pat Volkerding started their own distributions from scratch – and their users had to learn how things were put together and derived a lot of knowledge and satisfaction and valuable skills to pass on from that – and so the gulf between developer and user widens and how user morphs into consumer…

    All of that knowledge will eventually reside in a bubble and that bubble will be very much a corporate one. One big corporation and a few others – selling support contracts for a living – stand to profit heavily from all this. It will profit from a complex and monolithic piece of “plumbing”, which will make it “easier” on the surface (until it breaks), but extremely complex and “blackbox” “under the hood”.


  2. I am still studying, I like and appreciate what has been done. My brief experience with FreeBSD seemed to have limited my ability to look deeper into the BSD world.

    AT&T linux: Trying to poweroff or shutdown my OpenBSD I discovered the long forgotten # halt command and right before it did shutdown the term AT&T was caught by my limited peripheral vision. Some time in the early 90s I happened to attend an auction from a bankrupt software company and in the left overs I managed to get an AT&T workstation for $30 that looked nearly unused. Good quality packaging. I didn’t know anything about them. At the time SUN and SGI workstations were in 5 figures. I managed to get an updated base system online and transfer it to floppy disks and try to install and boot it. I didn’t know what else I could do with it at the time so I passed it as a gift to a fellow grad student who was into this “stuff”. Little that I knew then that I was holding a big piece of unix history in my hands.

    At that time exporting HW that had unix in them to the ex-iron curtain countries was illegal. Shortly (years) afterwards you could write to RH for a disk to install to an X86 pc and you got 20 of them in the mail to hand out to your friends. What a piece of garbage that was. It made me rethink of how good that AT&T unix was.

    While reading about cryptography in OpenBSD I thought this paragraph was funny:
    International Cryptographers Wanted

    Of course, our project needs people to work on these systems. If any non-American cryptographer who meets the constraints listed earlier is interested in helping out with embedded cryptography in OpenBSD, please contact us.

    I suppose Americans living in exile may be excluded.


  3. Yes the cryptography section may need to be more specific in terms of country of residence rather than nationality.

    But you’ve touched on one of the possible benefits of OpenBSD – being based in Canada rather than the US – where such cryptography is banned.

    On the subject of FreeBSD, I believe you may give it too little credit – if I understand from your statement above, that you disliked it and opted to stop at that point?

    I will stop at that point and await further comments – thus far not much interest as it would seem… I don’t want to be accused for “advocating for BSD” to paraphrase what someone once said (when I was doing no such thing). I will continue in a separate blog article if I may?
