Calgary developer works to make OpenBSD hacker-proof

Considering that as a youth, Theo de Raadt routinely gave away software written on his Commodore Amiga PC, it’s hardly surprising that he has since become both a force in the free software movement and a hacker’s nightmare.

de Raadt, a 31-year-old University of Calgary computer science graduate who came to Canada from South Africa as a child, has invested the last six years of his life and spent $30,000 of his own money heading the OpenBSD project. The operating system is a free, ultra-secure variant of the Unix-like BSD 4.4 — and it’s a project de Raadt founded.

Although he’s a tried-and-true computer and software junkie — de Raadt proudly recalls working on his Commodore Vic20 and claims his Amiga’s serial number was around 1000 — he said no single event sparked his later work with OpenBSD.

Looking back, however, a lot of the interest stems from a systems administration job he took at University of Calgary while he attended classes. It was then that the extent of OS source-code flaws took hold of him. In particular, he remembers how, after much legal and financial wrangling, U of C managed to finally get its hands on the Sun Microsystems Inc. Unix source code — the quality of which varied “significantly,” de Raadt said.

“We’d read the source code, find out what the problems were and think, ‘Gee, it just did some weird thing because some weird packet came across the net and it wasn’t expecting it. What would happen if someone decided to do that?’ And this really scared us.”

de Raadt started devoting more time to his passion, and as he progressed it became clear to him that certain programming mistakes turned up time and again in different software packages.

Two years later, in 1993, de Raadt and three others founded the NetBSD project. But “political kerfuffles” eventually led de Raadt to branch off and form the OpenBSD effort. The main difference between the two was in the developer focus. In the case of OpenBSD, the emphasis is on security. de Raadt’s goals haven’t changed since then — to make OpenBSD the most secure platform in the world.

OpenBSD let de Raadt take bug fixing to a whole new level. The problem with professional programmers is not a lack of ability, but lack of attention to detail, he said. That’s why he says the OpenBSD development process is unlike any other. “Ten years of being in the software industry, and I’ve never seen anybody doing what we’re doing here,” he explained.

The secret is straightforward — de Raadt and his peers assume that every single bug found in the code occurs elsewhere. de Raadt admits it sounds simple, but just rooting security bugs out of the entire source tree took 10 full-time developers one-and-a-half years to complete.

“It’s a hell of a lot of work…and I think that explains why it hasn’t been done by many people,” he said.

But it’s this kind of nit-picking that has made OpenBSD one of the most hacker-proof platforms available — that and the fact it ships with cryptography (Kerberos IV and support for IPsec) already built-in.

“There hasn’t been a single remote security hole found in OpenBSD in two-and-a-half years, in the default install. So that means if you want your machine cracked, you’re going to have to misconfigure it,” he said.

In fact, one reason why OpenBSD is configured and shipped from Canada is so de Raadt doesn’t have to contend with tough U.S. cryptography export laws. This has allowed him to integrate cryptography elements from several European countries.

OpenBSD is so secure that it even got the attention of the U.S. Department of Justice, which stores and transmits top-secret data using 260 copies of the OS. As well, one of the largest ISPs in the state of Washington,, runs part of its operations on OpenBSD.

Today de Raadt oversees a community of 90 volunteer developers who make changes to the source tree. He also takes tips and suggestions from thousands of other OpenBSD enthusiasts from around the world.

Comparisons with Linus Torvalds and his Unix variant, Linux, are inevitable, and de Raadt doesn’t mind. From a user perspective, there’s very little difference between the two. But he is critical of the Linux development model, particularly of the way the larger Linux distributors, such as Red Hat Software Inc. and Caldera Inc., assemble their products.

“Some of them are doing a better job of…looking for bugs in the latest versions,” he said. “It comes down to (whether) the people who are actually packaging the software know what they’re doing.” He credits German vendor SuSE GmbH for being the most diligent.

A typical day for de Raadt includes three- or four-hour stints at his computer, broken up by sleep and a bike ride — a far cry from the 14- to 16-hour days he used to put in.

But how many people actually use OpenBSD, and for what, doesn’t concern de Raadt. Although he makes his living selling OpenBSD CDs, he insists he has no desire to expand the business. He’s even hired a Calgary-based businessman to sell the CDs on his behalf, just so he can avoid dealing with money issues.

“I’m not interested in getting into business. I really like the way this works right now, and I’m having a lot of fun…I’m just perfectly happy accepting the status quo of how many people use BSD right now,” he said.

OpenBSD has cost de Raadt a lot of time and money, but, looking back, he said he wouldn’t do anything differently. “I work a little less than [I used to], and I spread it out a bit more. But I really enjoy what I’m doing. This is fabulous. I wouldn’t want to be doing anything else.”