A secure and Open society

Considering that as a youth, Theo de Raadt routinely gave away software written on his Commodore Amiga PC, it’s hardly surprising that he has since become both a force in the free software movement and a hacker’s nightmare.

de Raadt, a 31-year University of Calgary computer science graduate who came to Canada from South Africa as a child, has invested the last six years of his life and spent $30,000 of his own money heading the OpenBSD project. The operating system is a free, ultra-secure variant of the Unix-like BSD 4.4 – and it’s a project de Raadt founded.

Though he’s a tried-and-true computer and software junkie — de Raadt proudly recalls working on his Commodore Vic20 and claims his Amiga’s serial number was around 1000 – he said no single event sparked his later work with OpenBSD.

Looking back, however, a lot of the interest stems from a systems administration job he took at University of Calgary while he attended classes. It was then that the extent of OS source-code flaws took hold of him. In particular, he remembers how, after much legal and financial wrangling, U of C managed to finally get its hands on the Sun Microsystems Inc. Unix source code — the quality of which varied “significantly,” de Raadt said.

“We’d read the source code, find out what the problems were and think, ‘Gee, it just did some weird thing because some weird packet came across the net and it wasn’t expecting it. What would happen if someone decided to do that?’ And this really scared us.”

de Raadt started devoting more time to his passion, and as he progressed it became clear to him that certain programming mistakes turned up time and again in different software packages.

Two years later, in 1993, de Raadt and three others founded the NetBSD project. But “political kerfuffles” eventually led de Raadt to branch off and form the OpenBSD effort. The main difference between the two was in the developer focus. In the case of OpenBSD, the emphasis is on security. de Raadt’s goals haven’t changed since then — to make OpenBSD the most secure platform in the world.

OpenBSD let de Raadt take bug fixing to a whole new level. The problem with professional programmers is not a lack of ability, but lack of attention to detail, he said. That’s why he says the OpenBSD development process is unlike any other. “Ten years of being in the software industry, and I’ve never seen anybody doing what we’re doing here,” he explained.

The secret is straightforward – de Raadt and his peers assume that every single bug found in the code occurs elsewhere. de Raadt admits it sounds simple, but just rooting security bugs out of the entire source tree took 10 full-time developers one and a half years to complete.

“It’s a hell of a lot of work…and I think that explains why it hasn’t been done by many people,” he said.

But it’s this kind of nit-picking that has made OpenBSD one of the most hacker-proof platforms available – that and the fact it ships with cryptography (Kerberos IV and support for IPsec) already built-in.

“There hasn’t been a single remote security hole found in OpenBSD in two and a half years, in the default install. So that means if you want your machine cracked, you’re going to have to misconfigure it,” he said.

In fact, one reason why OpenBSD is configured and shipped from Canada is so de Raadt doesn’t have to contend with tough U.S. cryptography export laws. This has allowed him to integrate cryptography elements from several European countries.

OpenBSD is so secure that it even got the attention of the U.S. Department of Justice, which stores and transmits top-secret data using 260 copies of the OS. As well, one of the largest ISPs in the state of Washington, pacifier.com, runs part of its operations on OpenBSD.

Today de Raadt oversees a community of 90 volunteer developers who make changes to the source tree. He also takes tips and suggestions from thousands of other OpenBSD enthusiasts from around the world.

Comparisons with Linus Torvalds and his Unix-variant, Linux, are inevitable, and de Raadt doesn’t mind. From a user perspective, there’s very little difference between the two. But he is critical of the Linux development model, particularly of the way the larger Linux distributors, like Red Hat Software Inc. and Caldera Inc., assemble their products.

“Some of them are doing a better job of…looking for bugs in the latest versions,” he said. “It comes down to (whether) the people who are actually packaging the software know what they’re doing.” He credits German vendor SuSE GmbH for being the most diligent.

A typical day for de Raadt includes three or four hour stints at his computer, broken up by sleep and a bike ride – a far cry from the 14 to 16 hour days he used to put in.

But how many people actually use OpenBSD, and for what, doesn’t concern de Raadt. Though he makes his living selling OpenBSD CDs, he insists he has no desire to expand the business. He’s even hired a Calgary-based businessman to sell the CDs on his behalf, just so he can avoid dealing with money issues.

“I’m not interested in getting into business. I really like the way this works right now, and I’m having a lot of fun…I’m just perfectly happy accepting the status quo of how many people use BSD right now,” he said.

OpenBSD has cost de Raadt a lot of time and money, but, looking back, he said he wouldn’t do anything differently. “I work a little less than [I used to], and I spread it out a bit more. But I really enjoy what I’m doing. This is fabulous. I wouldn’t want to be doing anything else.”


What is OpenBSD?

Back in the early days of Unix, universities decided it was in their interest to get their hands on the source code for the various versions of the platform. They, and the University of California at Berkeley in particular, wanted to strengthen it.

The work generated lots of excitement, and before long Berkeley issued a beefier version of Unix. But the “new Unix” wasn’t different enough. And getting a Berkeley Software Distribution (BSD) licence still required users to acquire a second licence from AT&T, the original Unix developer.

After some tinkering, Net2, the base for modern BSD code, emerged from the fray. But disagreements about how different Net2 was from its ancestor led to further legal battles. Berkeley decided that it wasn’t worth the trouble: it released one last version, called 4.4BSD-Lite, and announced it was through with BSD.

But by then, Net2 was a smash. Over time, it morphed into what’s now known as FreeBSD. In the meantime, NetBSD formed as a separate project, and exists today primarily as an academic research platform. de Raadt’s OpenBSD project emerged from the NetBSD project.

Today, the Calgary-based Theo de Raadt oversees OpenBSD , a multi-platform, BSD 4.4-based operating system, from his bedroom/office. Ninety volunteer developers and thousands of enthusiasts have pooled their efforts to build and maintain a correct, standardized and, above all, secure platform. The project aims to produce a new CD every six months, and make OpenBSD available on as many different systems and hardware variants as possible.

de Raadt and others started analysing OpenBSD for security flaws in 1996, and they continue to do so. de Raadt said flaws have been found in every area of the system.

Currently, some OpenBSD developers are integrating IPsec, a cryptography standard, which will prevent hackers from intercepting documents on the Web.

de Raadt said he plans to continue auditing the code — both because he enjoys it but also because hackers are constantly looking for new weaknesses.

The OS can be downloaded for free at www.openbsd.org. OpenBSD 2.5 can also be purchased on CD-ROM for US$30. OpenBSD supports binary emulation of most binaries from Solaris, FreeBSD, Linux, SunOS, Berkeley Software Design Unix (BSDI) and HP-UX.