On 7/4/2013 10:56 PM, Thomas Jennings wrote:
Regretfully, I have decided to abandon OpenBSD and thought I would
share my reasoning with this list. I thought the 4th of July was a
good date to do so since my reasons address national security
implications. As a group of people who take development, security, and
privacy seriously, I know you will want to know why I made the drastic
decision to abandon OpenBSD and never look back.
You are free to use or not use whatever software you wish. I won't try
to change your mind. However I would need more evidence than you have
put forth here to get me to make changes to the machines I have here.
And we all know Theo de Raadt, OpenBSD generalissimo of much infamy.
After being fired from the NetBSD team, Theo forked the code and
started OpenBSD. He's been pretty much solely responsible for
development of OpenBSD over the years, taking volunteer code as he
sees fit. He also has final say over security audits in the operating
system, something that turns out to be very important.
I have known several of the developers over the years, including Theo.
He can be blunt at times, which is fine from my point of view. I know
he left NetBSD because of differences of opinion on how certain parts of
the system should proceed. He forked the code and started OpenBSD, as
you stated. He has never, to my knowledge, told anyone that they HAD to
use OpenBSD. If people don't like the way he does things, they are free
to go elsewhere. He has never tried to make any other way to my knowledge.
I was prepping to migrate the whole of our shop, a regional ISP in the
United States of America, to OpenBSD 5.3 when the news broke: CBS News
reporter Sharyl Attkisson claimed, during a live radio interview, that
she had been dealing with suspicious computer and phone issues. Check
out this snippet from the full transcript of the interview. One line
in particular trashed my plans for the OpenBSD upgrade:
Well, I have been, as I said, pursuing an issue for a long time now — much
longer
than you’ve been hearing about this in the news — with some compromising of my
computer systems in my house — my personal computer systems as well as my
work computer systems. I thought they were immune to being compromised —
because they all ran OpenBSD — but I guess I was wrong. So, we’re digging into
that and just not ready to say much more right now, but I am concerned.
Without knowing exactly what Ms. Attkisson is running on those machines,
I wouldn't venture to try to explain in any detail why the issues are
occurring. It has, to my knowledge, always been the stated position of
the development team that they only audit the base software. They do
not guarantee that they have audited the software in ports or packages.
Since it has been my experience that few people run a system with
nothing from ports or packages, it seems at least possible that any
security hole may come from that source. I consider it unfair to blame
either the project or people within it for problems with software that
they did not write themselves.
EVEN IF NO CORPORATION OFFERS THE UNITED STATE FEDERAL GOVERNMENT
DIRECT ACCESS TO ITS SERVERS THROUGH PRISM, OPENBSD OFFERS THAT SAME
ACCESS THROUGH THE PRESENCE OF ITS BACKDOORS.
There it is. Let it sink in. Words like Gestapo and Stasi and KGB come
to mind. OpenBSD is part and parcel to the United States Federal
Government's program to spy on its own citizens through bodies like
the NSA and FBI and has been since the FBI paid for backdoors in IPSEC
about a dozen years ago.
I would need more evidence than one persons statement of their
existence, before I would believe such a statement.
I believe that the project is located outside the U.S. to avoid having
to provide exactly what you are claiming to exist. I also believe that
certain contracts were not renewed between members of the development
team and certain U.S. governmental agencies for the same reason.
The kicker is that Theo denies anything suggesting that OpenBSD is
less than perfect at security, as if he's personally offended by the
mere suggestion. He routinely attacks developers and enthusiasts for
simply asking questions. WHY SO TOUCHY, THEO? COULD IT BE BECAUSE
YOU'RE COMPLICIT IN THE BIGGEST CITIZEN SPYING PROGRAM EVER RUN IN THE
HISTORY OF THE WORLD?!
What I have seen is Theo denying a suggestion without be given proof
that a problem in fact exists. As one person who has been on the
receiving end of a few caustic replies from Theo, I can understand why
he gets that way with people who do not even make an attempt to look for
an answer in the documentation. In each instance, I would say that it
was justified - since I either hadn't looked far enough into the
documentation or into pieces of code where the documentation did not
completely answer the question. I also maintain that in my cases, it
was justified to be a little unpleasant because I could find or figure
out the answer once I did make that detailed search of the documentation
and/or the source files.
With all that said, I again reiterate that you are free to use whatever
you wish to use for your own machines and any machines that you are
required to maintain.
Doug
