The cartoon character on Theo de Raadt's
business card is surprisingly uncuddly. Most upstart software
companies employ cute mascots -- Linux's bemused penguin, for
example -- but de Raadt, project leader for the open-source operating
system OpenBSD, favors a smirking, muscular demon clad in policeman's
garb. The fiend brandishes a badge reading: "OpenBSD: To Serve
This satanic cop may not make a great stuffed animal, but he's
a fitting symbol of de Raadt's singular aim -- to create the
world's most secure operating system. Coded by hundreds of volunteers
worldwide, the freely downloadable OpenBSD is hailed by security
buffs as uncrackable; it's been over three years, for example,
since a vulnerability was discovered in the system's off-the-shelf
version. The airtight security is the product of a labor-intensive
approach that many experts feel should become standard. De Raadt
and his cohorts are not only motivating the nascent open-source
industry to rethink its basic security policies, they've honed
a set of principles that promise to make all systems -- open
source or not -- safer.
"OpenBSD is probably one of the most secure operating systems
out there," says Chris Brenton, author of Mastering Network
Security. "The crew does a fantastic job of locking down and
being responsive when vulnerabilities are found." Such a good
job that the U.S. Department of Justice uses 260 copies of OpenBSD
to store and transmit its most sensitive data.
Like other projects bearing the BSD moniker, OpenBSD traces
its origins to the University of California at Berkeley. (The
acronym stands for Berkeley Software Distribution.) Unhappy
with Unix's clunkiness, the school's programmers started tweaking
the code in the late 1970s to create several variants, culminating
with the release of 4.4 BSD-Lite in 1992. Legal wrangles with
AT&T (T) , the original Unix developer, forced the university
to abandon the project, but open-source devotees picked up the
De Raadt began experimenting with BSD code during his student
days at the University of Calgary. Along with several friends,
he created an open-source project called NetBSD in 1993; his
friends booted him from the project the following year. In archived
e-mail, his former colleagues claim he was guilty of "rudeness
toward and abuse of users and developers." De Raadt denies those
De Raadt used NetBSD's code as the foundation for the OpenBSD
project, which he formed in 1995. After his machine was hacked
by a colleague in 1996, he adopted a security tactic that has
become the project's trademark: "proactive auditing."
Over an 18-month period, a team of 10 volunteers vetted OpenBSD's
entire source code -- all 350 megabytes -- weeding out thousands
of bugs. Though not necessarily related to security features,
those glitches could have been targeted by attackers using "buffer
overflows" (which overwhelm a machine with data packets), denial-of-service
tools or other elementary hacking techniques. For two years,
de Raadt worked 14-hour days, seven days a week to debug his
system. Despite his notoriously prickly personality, de Raadt
also has managed to attract a legion of collaborators to help
him build OpenBSD.
"It's security through quality," says de Raadt, who runs the
project out of his Calgary home, surviving on donations and
proceeds from T-shirt sales. "It's like in airplanes, [where]
safety is a side effect of good engineering."
A sincere passion for technological tinkering motivates de
Raadt. Though he lives modestly, his house is bursting with
wall-to-wall hardware. He owns over a dozen computers, and his
basement is so jammed with Unix machines that several acquaintances
have requested guided tours.
OpenBSD's proactive approach is unique among open-source systems,
which normally rely on user reports and public forums to find
vulnerabilities. The Linux security philosophy, for example,
can be summed up as "more eyes means better security" -- that
is, since the source code is open to peer review, bugs will
be quickly spotted and patched.
De Raadt scoffs at that credo. Most reviewers of open-source
code, he says, are amateurs. "These open-source eyes that people
are talking about, who are they?" he asks. "Most of them, if
you asked them to send you some code they had written, the most
they could do is 300 lines long. They're not programmers."
Proactive auditing is the key to OpenBSD's vaunted security.
Many security professionals would like to see the model duplicated
elsewhere, especially in Linux offshoots struggling to seize
market share from notoriously buggy Microsoft (MSFT) products.
"I'm surprised there's not a version of Linux out there that
has grown supersecure," says Ron Gula, chief technology officer
for Network Security Wizard, a developer of intrusion detection
systems who says that Linux developers could augment its security
using de Raadt's painstaking methods.
OpenBSD is designed to be "secure by default." Most comparable
operating systems, by contrast, come out of the box with settings
that are inherently insecure. Last year, for example, when hundreds
of servers running Red Hat (RHAT) Linux were compromised by
buffer overflow attacks, the company blamed system administrators
for failing to reconfigure the defaults.
"Linux distributions tend to take the approach of throwing
everything possible onto the default install, which leads to
a clueless user ending up with a highly insecure operating system,"
says Matt Barringer of WireX Communications, a vendor of software
solutions for Linux server appliances. "OpenBSD takes the opposite
approach, by only including the essential and not allowing,
by default, services that may not be essential -- FTP, for instance."
The secure-by-default policy is also a stress reliever for
veteran administrators. "The 10 percent [of these users] who
do know how to secure their machines, they get bored with it,"
says de Raadt. "It's no more exciting than ditch digging. OpenBSD
means they can get along with their day-to-day jobs."
Unlike its American counterparts, which until July were bound
by strict encryption-export laws, the Canadian-based OpenBSD
ships with built-in encryption. (In a subtle display of Maple
Leaf pride, labels on OpenBSD discs read: "Made in Canada --
Land of Free Cryptography.") The latest version includes OpenSSH,
which enables traffic to avoid "sniffers" designed to detect
While it's ideal for security-sensitive tasks, such as running
firewalls or data warehousing applications, OpenBSD is probably
not the best option for desktops. "Linux is more flexible than
OpenBSD, which is a direct result of OpenBSD being more focused
on security," says Brenton. "As you lock things down, you lose
De Raadt sounds unconcerned about customer satisfaction. "I
don't pay attention to who's using it," he says. "We don't write
OpenBSD for the people, we write it for ourselves. If people
end up getting benefits from it, that's great."
Nevertheless, the system is catching on in corporate America.
The project doesn't track the number of free downloads or CD-ROMs
purchased, but a rough estimate places the number of users in
the tens of thousands. Potential investors regularly contact
de Raadt with offers of financial backing, he notes, but he
has rebuffed them all: "I talked to a venture capitalist a couple
of weeks ago. I ended up convincing him to just give us a donation."
De Raadt has devoted himself to OpenBSD with a mathematician's
love of constructing elegant systems. He fears that commercialization
could compromise security, since bottom-line-obsessed executives
would be tempted to skimp on time-consuming audits. Even worse,
those image-conscious suits might force de Raadt to abandon
his fearsome business-card mascot in favor of something more
huggable. For now, the demonic policeman is safe.
Copyright 2000, The Industry Standard