This is an open call to anyone willing to contribute a summary or even an extensive analysis of the ways in which OpenBSD is superior in terms of security to Linux and other systems. The motivation stems from two comments that have appeared here recently by cynwulf (1,2). To clarify, the motivation for this is not to counter such a presentation in order to defend Linux, but to learn ourselves, as we simply don’t know. Between the marketing rhetoric of the various systems it is hard to tell which claims really stand up and which are unsupported. From the long list of open and sometimes free operating systems you will hardly find one that doesn’t claim to be secure. So here we go, revisiting the terms security, privacy and anonymity, to conceptualize what data security means in general and whether one needs to be concerned, or not so concerned.
One of the comments relates security to political issues, and as this was part of a discussion that took place more than a year ago, we thought it would be better to reopen the topic with more specific guidelines. Cynwulf counters that not all security issues are political in nature, whereas I had claimed they were. The difference may lie in the definition of what is political and what is not. Ultimately I believe that any ideas, and their communication, about how we deal with things that we have in common are political. How we share things, how and why we don’t, how we keep things from others, is political. So my definition may extend well beyond how most people define the word political.
As I see it, returning to data storage, access, and management, there is information and there are tools that help us store, access, share, manage, and exchange information. Ideally there would be accurate information about everything anyone would want to know and a simple way for anyone to access the information they need. In a plausible world of equality this would very well be possible. The only reason one would store information that should not be shared is when that information has value. This value, in a competitive world of inequality, is important. The more one has and the less others have of it, the wealthier or more powerful one becomes. This is what I think it all boils down to when it comes to “private data”. Information could also take the form of a product; it could reflect creativity, as in software, art, or even research. This creative work, a product that has not yet reached the market (has not yet been sold, to put it simply), is an object to be secured from others. The creator needs special tools to maintain secret ownership of it and to protect it from being obtained by others. These special tools, as a set, may be an operating system, the hardware, encryption methods, and strict network access. Physical access is also an issue, but we will leave this part out as unrelated to electronic security.
Therefore, in a world of inequality, economic and political inequality, a world where the amount of wealth and power one can accumulate determines one’s way of life, securing information becomes a valuable resource. Here comes the issue of ideology and perception. There are many out there who see large corporations with a “good reputation” as trustworthy to sell or provide tools for securing data. There are others who trust government agencies with such tools, or the tools they approve. There may be some who distrust government but trust corporations, and the other way around. Think of how many use a VPN for their networking needs and trust large corporations to provide them with such a service. Some think that they, as individuals, stand together with those corporations against bad, taxing governments. How many use MS Windows or Apple’s software, and how many more trust Intel, AMD, and hardware manufacturers in general, who sell them “tools” to keep their data private. There are a few who trust neither government nor corporations. Some of us feel we have a choice with software, but we really don’t have much of a choice in hardware. So it becomes a compromise no matter what your perception is of whom to keep data away from. The issue becomes more complex when what you want to do with data is actually share it with “people” but not be put under the spotlight of governments and corporations. In other words, you want data to be shared equally but don’t want to be discovered as the one who is making it public, or how you are sourcing it. The WikiLeaks founder comes to mind, as he made prime headlines again recently and around the globe. Although not of the same nature, those hosting secret search engines for torrents of non-free data have also been hunted down and run over (although some made money from this, they were no folk heroes). The indymedia network worldwide has been under attack for the past 20 years, in various places and to various degrees.
So have other political groups’ servers. Those are cases where adversaries are trying to block information from becoming public and being shared. It is nearly the reverse of the security issue that most people think of when they hear the term security.
Let us return to the issue of trust versus security. The Unix ecosystem was founded on the idea of open networking and the sharing of information: data without an owner, available at no cost to anyone who needs it. The more that was created and the more it was shared, the “wealthier” the community and its network became. Still, individuals wanted to maintain the right to structure their own system, develop their own code that improved their system, and eventually share this code if it was beneficial. So what was to be shared, and when, and what was kept under the control of the administrator, was always defined. It wouldn’t be fair to take a nap and wake up to find your system erased because you were willing to share all of your work and information. Early on, corporations thought this practice was foolish and would have no future, as individual programmers couldn’t be organized enough and capable enough to produce systems better than the ones that were sold. Soon, though, benchmarks showed how wrong they were. Corporations such as DEC, IBM, Sun, SGI, Oracle, etc. began adopting this shared and free code and paid hefty prices to software developers to modify this code for their own use. The same corporations turned around and sold superior computing and data management systems to governments, and sold similar systems to other corporations. This also included banking and financial institutions, who are really invested in “security”. Their needs and their interests became interdependent. So you have fools today bragging about how their Google, Facebook, and Yahoo accounts are secure because those corporations provide them with high-level encryption. Secure from whom, you may ask? Government? Other private parties, individuals attacking and stealing other individuals’ data? Now this is where security is non-political: where one individual is trying to steal from another, and one is trying to fend off individuals from their private data.
If we don’t know where the interests and collaboration of corporations and governments begin and end, why would anyone think that organized crime, corporations, and government are separate, competing entities when it comes to a common enemy? Who is the enemy? The unorganized people, that is who. The object the powerful need to oppress, and the object the wealthy need to exploit. The few who do try to organize from below are an even more dangerous enemy to all three of those entities. The holy triad, I may joke, and my jokes are not widely respected. Ask yourselves: is Julian Assange, as far as you know, your enemy? He is not mine. Is he the enemy of the holy triad? So maybe this triad is not as holy as many may think.
In this manner we have a newer, more subtle threat. If you can’t beat something that is powerful, you might as well join it. If you can’t beat hackers producing code superior to your secret little private binary blobs, you can pretend you are among them, either with the official face of a corporation or the unofficial face of small development teams with unknown funding sources. Here we have corporate entities being organized and producing “open” and “free” code. We have teams with tremendous resources, springing up from nowhere, working full time producing free and open code, available and competing with projects that were self-funded and part-time, but well respected.
What is the trick to learn in Unix/Linux/BSD system administration? Knowing enough to configure all the little subsystems. What do people lack? The expertise to do such configuration. What do people need? Automated graphical software that has the ability to configure itself. So who is funding systemd, PulseAudio, GNOME, freedesktop, NetworkManager, etc.? We don’t know, we don’t care, because it is “free”. Free as in cheaper than beer.
Are we really talking about a Trojan horse that the “Unix” community allowed to barge in because the Unix community was never really organized to make such decisions centrally? Was this allowed due to the general naivety of the majority of developers? Were stricter guidelines needed that were never in place to keep the “evil doers” out? Was it GNU naivety? Weak people tend to follow congregations of strength. Red Hat and Debian were such congregations. If it is good enough for Debian, it is good enough for me, each of the sheep said. Debian is very well known for “security” and “stability”. Debian, Ubuntu, Mint, does it make a difference? They led the mavericks into the stable and locked the door behind them. Now the “threat” is contained.
I know very little about BSD; I just installed it to begin to learn, based on the interest stimulated by cynwulf. I know Artix, Obarun, s6-skarnet, Adelie, Void, antiX. Small projects and obviously underfunded. What others perceive as deficiencies I perceive as advantages. Security advantages. Poor Void lost its domain name to a higher bidder and moved to a new one. It didn’t have its own forum or a place where donations could be sent. Obarun’s site has just one little logo image, to save bandwidth on its server. Artix relies on personal academic contacts to provide server and compiling power on university infrastructure. But Manjaro has really taken off, especially after they dropped the OpenRC choice!!!
I think I will cut my rambling short and keep some for the discussion, if it ever takes off on the issue.
References (cynwulf’s comments):