Why I abandoned OpenBSD, and why you should too...

classic Classic list List threaded Threaded
24 messages Options
12
Reply | Threaded
Open this post in threaded view
|

Why I abandoned OpenBSD, and why you should too...

Thomas Jennings
Dear OpenBSD developers and users:

Regretfully, I have decided to abandon OpenBSD and thought I would
share my reasoning with this list. I thought the 4th of July was a
good date to do so since my reasons address national security
implications. As a group of people who take development, security, and
privacy seriously, I know you will want to know why I made the drastic
decision to abandon OpenBSD and never look back.

I'm sure we've all heard of PRISM by now, the user-friendly name of
the United States Federal Government's massive civilian and resident
spying program otherwise known as US-984XN. PRISM is certainly bad
enough of its own accord, but it's how PRISM works, and the pattern of
behavior found in OpenBSD development, that was the tipping point for
my use of OpenBSD.

And we all know Theo de Raadt, OpenBSD generalissimo of much infamy.
After being fired from the NetBSD team, Theo forked the code and
started OpenBSD. He's been pretty much solely responsible for
development of OpenBSD over the years, taking volunteer code as he
sees fit. He also has final say over security audits in the operating
system, something that turns out to be very important.

I was prepping to migrate the whole of our shop, a regional ISP in the
United States of America, to OpenBSD 5.3 when the news broke: CBS News
reporter Sharyl Attkisson claimed, during a live radio interview, that
she had been dealing with suspicious computer and phone issues. Check
out this snippet from the full transcript of the interview. One line
in particular trashed my plans for the OpenBSD upgrade:

> Well, I have been, as I said, pursuing an issue for a long time now — much longer
> than you’ve been hearing about this in the news — with some compromising of my
> computer systems in my house — my personal computer systems as well as my
> work computer systems. I thought they were immune to being compromised —
> because they all ran OpenBSD — but I guess I was wrong. So, we’re digging into
> that and just not ready to say much more right now, but I am concerned.

Since that interview in May, I've watched story after story of direct
server access, PRISM, and NSA spying and connected some dots. For
example, consider the accusations that the FBI had been accused of
planting backdoors in OpenBSD's IPSEC in December of 2012, and that
the accusations later proved true. The two scandals broke 18 only
months apart.

Consider that PRISM allows the United States Federal Government to
directly access the servers of virtually any company doing online
business, including tech giants like Apple, Facebook, Google, and
Microsoft. But those same tech giants deny complicity. I'm sure we all
agree that personal privacy is beyond the scope of private enterprise,
but let's assume their denials are true. Then connect more dots:

OpenBSD has shipped on over half of all network devices, including
things like routers, switches, gateways, and servers, for the last six
years. The current estimated number of OpenBSD installations sits at
over 350 million devices, comprising an almost ubiquitous presence of
OpenBSD in networks worldwide.

EVEN IF NO CORPORATION OFFERS THE UNITED STATE FEDERAL GOVERNMENT
DIRECT ACCESS TO ITS SERVERS THROUGH PRISM, OPENBSD OFFERS THAT SAME
ACCESS THROUGH THE PRESENCE OF ITS BACKDOORS.

There it is. Let it sink in. Words like Gestapo and Stasi and KGB come
to mind. OpenBSD is part and parcel to the United States Federal
Government's program to spy on its own citizens through bodies like
the NSA and FBI and has been since the FBI paid for backdoors in IPSEC
about a dozen years ago.

Yesterday, I told the company that we must migrate all our services
from OpenBSD to something else because the risk to our customers'
privacy and security is simply unacceptable. Theo de Raadt may seem
like some kind of guard dog of security, but he's really just a little
bitch bought and sold by the United State Federal Government.

The kicker is that Theo denies anything suggesting that OpenBSD is
less than perfect at security, as if he's personally offended by the
mere suggestion. He routinely attacks developers and enthusiasts for
simply asking questions. WHY SO TOUCHY, THEO? COULD IT BE BECAUSE
YOU'RE COMPLICIT IN THE BIGGEST CITIZEN SPYING PROGRAM EVER RUN IN THE
HISTORY OF THE WORLD?!

Today, be a true patriot to the ideals of personal privacy and public
liberty: prevent and reject any and all use of OpenBSD.

Happy 4th of July.

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

Ryan R
Please pass point to the code which you believe to be the backdoor so that
I may review it myself.

Thanks
On Jul 4, 2013 10:57 PM, "Thomas Jennings" <[hidden email]>
wrote:

> Dear OpenBSD developers and users:
>
> Regretfully, I have decided to abandon OpenBSD and thought I would
> share my reasoning with this list. I thought the 4th of July was a
> good date to do so since my reasons address national security
> implications. As a group of people who take development, security, and
> privacy seriously, I know you will want to know why I made the drastic
> decision to abandon OpenBSD and never look back.
>
> I'm sure we've all heard of PRISM by now, the user-friendly name of
> the United States Federal Government's massive civilian and resident
> spying program otherwise known as US-984XN. PRISM is certainly bad
> enough of its own accord, but it's how PRISM works, and the pattern of
> behavior found in OpenBSD development, that was the tipping point for
> my use of OpenBSD.
>
> And we all know Theo de Raadt, OpenBSD generalissimo of much infamy.
> After being fired from the NetBSD team, Theo forked the code and
> started OpenBSD. He's been pretty much solely responsible for
> development of OpenBSD over the years, taking volunteer code as he
> sees fit. He also has final say over security audits in the operating
> system, something that turns out to be very important.
>
> I was prepping to migrate the whole of our shop, a regional ISP in the
> United States of America, to OpenBSD 5.3 when the news broke: CBS News
> reporter Sharyl Attkisson claimed, during a live radio interview, that
> she had been dealing with suspicious computer and phone issues. Check
> out this snippet from the full transcript of the interview. One line
> in particular trashed my plans for the OpenBSD upgrade:
>
> > Well, I have been, as I said, pursuing an issue for a long time now —
> much longer
> > than you’ve been hearing about this in the news — with some compromising
> of my
> > computer systems in my house — my personal computer systems as well as my
> > work computer systems. I thought they were immune to being compromised —
> > because they all ran OpenBSD — but I guess I was wrong. So, we’re
> digging into
> > that and just not ready to say much more right now, but I am concerned.
>
> Since that interview in May, I've watched story after story of direct
> server access, PRISM, and NSA spying and connected some dots. For
> example, consider the accusations that the FBI had been accused of
> planting backdoors in OpenBSD's IPSEC in December of 2012, and that
> the accusations later proved true. The two scandals broke 18 only
> months apart.
>
> Consider that PRISM allows the United States Federal Government to
> directly access the servers of virtually any company doing online
> business, including tech giants like Apple, Facebook, Google, and
> Microsoft. But those same tech giants deny complicity. I'm sure we all
> agree that personal privacy is beyond the scope of private enterprise,
> but let's assume their denials are true. Then connect more dots:
>
> OpenBSD has shipped on over half of all network devices, including
> things like routers, switches, gateways, and servers, for the last six
> years. The current estimated number of OpenBSD installations sits at
> over 350 million devices, comprising an almost ubiquitous presence of
> OpenBSD in networks worldwide.
>
> EVEN IF NO CORPORATION OFFERS THE UNITED STATE FEDERAL GOVERNMENT
> DIRECT ACCESS TO ITS SERVERS THROUGH PRISM, OPENBSD OFFERS THAT SAME
> ACCESS THROUGH THE PRESENCE OF ITS BACKDOORS.
>
> There it is. Let it sink in. Words like Gestapo and Stasi and KGB come
> to mind. OpenBSD is part and parcel to the United States Federal
> Government's program to spy on its own citizens through bodies like
> the NSA and FBI and has been since the FBI paid for backdoors in IPSEC
> about a dozen years ago.
>
> Yesterday, I told the company that we must migrate all our services
> from OpenBSD to something else because the risk to our customers'
> privacy and security is simply unacceptable. Theo de Raadt may seem
> like some kind of guard dog of security, but he's really just a little
> bitch bought and sold by the United State Federal Government.
>
> The kicker is that Theo denies anything suggesting that OpenBSD is
> less than perfect at security, as if he's personally offended by the
> mere suggestion. He routinely attacks developers and enthusiasts for
> simply asking questions. WHY SO TOUCHY, THEO? COULD IT BE BECAUSE
> YOU'RE COMPLICIT IN THE BIGGEST CITIZEN SPYING PROGRAM EVER RUN IN THE
> HISTORY OF THE WORLD?!
>
> Today, be a true patriot to the ideals of personal privacy and public
> liberty: prevent and reject any and all use of OpenBSD.
>
> Happy 4th of July.

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

Shawn K. Quinn-2
In reply to this post by Thomas Jennings
On Thu, 2013-07-04 at 23:56 -0400, Thomas Jennings wrote:
> Theo de Raadt may seem like some kind of guard dog of security, but
> he's really just a little bitch bought and sold by the United State
> Federal Government.

I vehemently disagree with this and I feel this is a personal attack on
Theo that he honestly does not deserve.

> WHY SO TOUCHY, THEO? COULD IT BE BECAUSE YOU'RE COMPLICIT IN THE
> BIGGEST CITIZEN SPYING PROGRAM EVER RUN IN THE HISTORY OF THE WORLD?!

I doubt Theo has much to gain by doing this--and he has a hell of a lot
to lose. It took years for OpenBSD to get a reputation as being the most
secure OS out there, currently we're at nearly two decades of the
existence of the OpenBSD project. I think we'd have heard by now if
Theo's net worth is suddenly in the league of Bill Gates, Richard
Branson, etc--and I think we haven't heard that, because he has not sold
out and everything I have observed points toward the fact that he's
simply not the type of person to sell out and throw his users under the
bus.

We don't know all of Sharyl's end of the story yet. There are
vulnerabilities in ports now and then and it's quite possible that's how
Sharyl got hacked. But I can tell you this, it's going to take a lot
more than one random disgruntled user to convince me not to trust Theo
de Raadt and the OpenBSD project any longer. And I do mean a *lot* more.

--
Shawn K. Quinn <[hidden email]>

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

Tito Mari Francis Escaño
In reply to this post by Ryan R
I was initially thinking this is a troll, but with these quotes:

"...was prepping to migrate the whole of our shop, a regional ISP in the
United States of America, to OpenBSD 5.3..."

Pray tell what regional ISP you speak of here to earn their deserved
praise or ridicule for avoiding the OpenBSD deployment.

"OpenBSD has shipped on over half of all network devices, including
things like routers, switches, gateways, and servers, for the last six
years. The current estimated number of OpenBSD installations sits at
over 350 million devices, comprising an almost ubiquitous presence of
OpenBSD in networks worldwide"

I wondered if Theo or the OpenBSD Foundation has budget to pay for
publicity, good or bad, just for the kicks.

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

Zamri Besar
On Fri, Jul 5, 2013 at 12:28 PM, Tito Mari Francis Escaño <
[hidden email]> wrote:

> I was initially thinking this is a troll, but with these quotes:
>


I vote for another troll... but... this year April Fool was over 3 months
ago.

--
Thank you.

Zamri Besar

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

opendaddy
In reply to this post by Tito Mari Francis Escaño
On 5. juli 2013 at 4:30 AM, "Tito Mari Francis Escaño" <[hidden email]> wrote:
>
> [...snip...]

Can't you tell by the way he wrote that that he's just a kid (or an uneducated adult)?

I oughta smack y'all faces in for even replying to this shit.

O.D.

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

Douglas Allen
In reply to this post by Thomas Jennings
On 7/4/2013 10:56 PM, Thomas Jennings wrote:
> Regretfully, I have decided to abandon OpenBSD and thought I would
> share my reasoning with this list. I thought the 4th of July was a
> good date to do so since my reasons address national security
> implications. As a group of people who take development, security, and
> privacy seriously, I know you will want to know why I made the drastic
> decision to abandon OpenBSD and never look back.

You are free to use or not use whatever software you wish.  I won't try
to change your mind.  However I would need more evidence than you have
put forth here to get me to make changes to the machines I have here.

> And we all know Theo de Raadt, OpenBSD generalissimo of much infamy.
> After being fired from the NetBSD team, Theo forked the code and
> started OpenBSD. He's been pretty much solely responsible for
> development of OpenBSD over the years, taking volunteer code as he
> sees fit. He also has final say over security audits in the operating
> system, something that turns out to be very important.

I have known several of the developers over the years, including Theo.  
He can be blunt at times, which is fine from my point of view.  I know
he left NetBSD because of differences of opinion on how certain parts of
the system should proceed.  He forked the code and started OpenBSD, as
you stated.  He has never, to my knowledge, told anyone that they HAD to
use OpenBSD.  If people don't like the way he does things, they are free
to go elsewhere.  He has never tried to make any other way to my knowledge.

> I was prepping to migrate the whole of our shop, a regional ISP in the
> United States of America, to OpenBSD 5.3 when the news broke: CBS News
> reporter Sharyl Attkisson claimed, during a live radio interview, that
> she had been dealing with suspicious computer and phone issues. Check
> out this snippet from the full transcript of the interview. One line
> in particular trashed my plans for the OpenBSD upgrade:
>
>> Well, I have been, as I said, pursuing an issue for a long time now — much longer
>> than you’ve been hearing about this in the news — with some compromising of my
>> computer systems in my house — my personal computer systems as well as my
>> work computer systems. I thought they were immune to being compromised —
>> because they all ran OpenBSD — but I guess I was wrong. So, we’re digging into
>> that and just not ready to say much more right now, but I am concerned.

Without knowing exactly what Ms. Attkisson is running on those machines,
I wouldn't venture to try to explain in any detail why the issues are
occurring.  It has, to my knowledge, always been the stated position of
the development team that they only audit the base software.  They do
not guarantee that they have audited the software in ports or packages.  
Since it has been my experience that few people run a system with
nothing from ports or packages, it seems at least possible that any
security hole may come from that source.  I consider it unfair to blame
either the project or people within it for problems with software that
they did not write themselves.

> EVEN IF NO CORPORATION OFFERS THE UNITED STATE FEDERAL GOVERNMENT
> DIRECT ACCESS TO ITS SERVERS THROUGH PRISM, OPENBSD OFFERS THAT SAME
> ACCESS THROUGH THE PRESENCE OF ITS BACKDOORS.
>
> There it is. Let it sink in. Words like Gestapo and Stasi and KGB come
> to mind. OpenBSD is part and parcel to the United States Federal
> Government's program to spy on its own citizens through bodies like
> the NSA and FBI and has been since the FBI paid for backdoors in IPSEC
> about a dozen years ago.

I would need more evidence than one persons statement of their
existence, before I would believe such a statement.

I believe that the project is located outside the U.S. to avoid having
to provide exactly what you are claiming to exist.  I also believe that
certain contracts were not renewed between members of the development
team and certain U.S. governmental agencies for the same reason.

> The kicker is that Theo denies anything suggesting that OpenBSD is
> less than perfect at security, as if he's personally offended by the
> mere suggestion. He routinely attacks developers and enthusiasts for
> simply asking questions. WHY SO TOUCHY, THEO? COULD IT BE BECAUSE
> YOU'RE COMPLICIT IN THE BIGGEST CITIZEN SPYING PROGRAM EVER RUN IN THE
> HISTORY OF THE WORLD?!

What I have seen is Theo denying a suggestion without be given proof
that a problem in fact exists.  As one person who has been on the
receiving end of a few caustic replies from Theo, I can understand why
he gets that way with people who do not even make an attempt to look for
an answer in the documentation.  In each instance, I would say that it
was justified - since I either hadn't looked far enough into the
documentation or into pieces of code where the documentation did not
completely answer the question.  I also maintain that in my cases, it
was justified to be a little unpleasant because I could find or figure
out the answer once I did make that detailed search of the documentation
and/or the source files.

With all that said, I again reiterate that you are free to use whatever
you wish to use for your own machines and any machines that you are
required to maintain.

Doug

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

opendaddy
In reply to this post by Thomas Jennings
On 5. juli 2013 at 5:13 AM, "Marc Espie" <[hidden email]> wrote:
>
> I actually, no, we don't.  You're not anybody I've ever heard of, and your
> opinion doesn't matter. I have no particular reason to trust you.

They said the same of Edward Snowden you know.

> Now, I read your hilarious email. You have real crackpot talent, you should
> go on a show with the Bogdanof and various other crackpots from other
> the world. That would certainly be funnier than a lot of reality television
> out there.

I don't get the reference. I take it you watch a lot of reality television?

O.D.

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

Jean-Francois Simon
In reply to this post by Thomas Jennings
May I understand you U go for Microsoft instead ?
That would be great idea, they are said to be free from backdoors.

Sorry

Le 05/07/2013 05:56, Thomas Jennings a écrit :

> Dear OpenBSD developers and users:
>
> Regretfully, I have decided to abandon OpenBSD and thought I would
> share my reasoning with this list. I thought the 4th of July was a
> good date to do so since my reasons address national security
> implications. As a group of people who take development, security, and
> privacy seriously, I know you will want to know why I made the drastic
> decision to abandon OpenBSD and never look back.
>
> I'm sure we've all heard of PRISM by now, the user-friendly name of
> the United States Federal Government's massive civilian and resident
> spying program otherwise known as US-984XN. PRISM is certainly bad
> enough of its own accord, but it's how PRISM works, and the pattern of
> behavior found in OpenBSD development, that was the tipping point for
> my use of OpenBSD.
>
> And we all know Theo de Raadt, OpenBSD generalissimo of much infamy.
> After being fired from the NetBSD team, Theo forked the code and
> started OpenBSD. He's been pretty much solely responsible for
> development of OpenBSD over the years, taking volunteer code as he
> sees fit. He also has final say over security audits in the operating
> system, something that turns out to be very important.
>
> I was prepping to migrate the whole of our shop, a regional ISP in the
> United States of America, to OpenBSD 5.3 when the news broke: CBS News
> reporter Sharyl Attkisson claimed, during a live radio interview, that
> she had been dealing with suspicious computer and phone issues. Check
> out this snippet from the full transcript of the interview. One line
> in particular trashed my plans for the OpenBSD upgrade:
>
>> Well, I have been, as I said, pursuing an issue for a long time now — much longer
>> than you’ve been hearing about this in the news — with some compromising of my
>> computer systems in my house — my personal computer systems as well as my
>> work computer systems. I thought they were immune to being compromised —
>> because they all ran OpenBSD — but I guess I was wrong. So, we’re digging into
>> that and just not ready to say much more right now, but I am concerned.
> Since that interview in May, I've watched story after story of direct
> server access, PRISM, and NSA spying and connected some dots. For
> example, consider the accusations that the FBI had been accused of
> planting backdoors in OpenBSD's IPSEC in December of 2012, and that
> the accusations later proved true. The two scandals broke 18 only
> months apart.
>
> Consider that PRISM allows the United States Federal Government to
> directly access the servers of virtually any company doing online
> business, including tech giants like Apple, Facebook, Google, and
> Microsoft. But those same tech giants deny complicity. I'm sure we all
> agree that personal privacy is beyond the scope of private enterprise,
> but let's assume their denials are true. Then connect more dots:
>
> OpenBSD has shipped on over half of all network devices, including
> things like routers, switches, gateways, and servers, for the last six
> years. The current estimated number of OpenBSD installations sits at
> over 350 million devices, comprising an almost ubiquitous presence of
> OpenBSD in networks worldwide.
>
> EVEN IF NO CORPORATION OFFERS THE UNITED STATE FEDERAL GOVERNMENT
> DIRECT ACCESS TO ITS SERVERS THROUGH PRISM, OPENBSD OFFERS THAT SAME
> ACCESS THROUGH THE PRESENCE OF ITS BACKDOORS.
>
> There it is. Let it sink in. Words like Gestapo and Stasi and KGB come
> to mind. OpenBSD is part and parcel to the United States Federal
> Government's program to spy on its own citizens through bodies like
> the NSA and FBI and has been since the FBI paid for backdoors in IPSEC
> about a dozen years ago.
>
> Yesterday, I told the company that we must migrate all our services
> from OpenBSD to something else because the risk to our customers'
> privacy and security is simply unacceptable. Theo de Raadt may seem
> like some kind of guard dog of security, but he's really just a little
> bitch bought and sold by the United State Federal Government.
>
> The kicker is that Theo denies anything suggesting that OpenBSD is
> less than perfect at security, as if he's personally offended by the
> mere suggestion. He routinely attacks developers and enthusiasts for
> simply asking questions. WHY SO TOUCHY, THEO? COULD IT BE BECAUSE
> YOU'RE COMPLICIT IN THE BIGGEST CITIZEN SPYING PROGRAM EVER RUN IN THE
> HISTORY OF THE WORLD?!
>
> Today, be a true patriot to the ideals of personal privacy and public
> liberty: prevent and reject any and all use of OpenBSD.
>
> Happy 4th of July.

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

opendaddy
On 5. juli 2013 at 5:31 AM, "Jean-Francois Simon" <[hidden email]> wrote:
>
> May I understand you U go for Microsoft instead ?
> That would be great idea, they are said to be free from backdoors.
>
> Sorry

France is in the house y'all.

O.D.

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

John Long-4
In reply to this post by Thomas Jennings
On Thu, Jul 04, 2013 at 11:56:50PM -0400, Thomas Jennings wrote:

[drug / alcohol withdrawal-induced rant elided]

I don't know where you get the idea OpenBSD is involved. I heard a few
interviews including the one here http://www.youtube.com/watch?v=ISXYITh09TA
and she clearly said she has an Apple system. She also said "for someone to come
into my home" so apparently this was not only an over the network hack but
somebody had physical access to her computers. No consumer computer is safe
when somebody else has physical access to it. Security 101.

Intel's new BIOS would seem to provide new attack vectors. See the comments
to the video and elsewhere, old news. Don't use it, no problem.

Atkisson also admits she doesn't know much about computers- her own words.
That's an unlikely OpenBSD user profile considering she was talking about
her home and company machines. Why do you believe OpenBSD is involved at all?
Are you confused by the fact Apple's OSX is based on some (Free) BSD pieces?
From the interviews it's a simple case of somebody getting access to a few
PCs and installing some spyware. Can you name a consumer device and common
desktop OS that can't be compromised in that situation?

OpenBSD is open source and you can build the whole OS and userland from
source. It seems real unlikely there is compromise or people would have
noticed it. So far all the screaming and accusations haven't resulted in one
reference by anybody to the alleged bad code.

On the other hand the system mentioned by Atkisson is a notorious high
walled garden and the people who put it out have already been implicated in
collusion with the anti-freedom lobby by everybody's favorite fugitive Snowden.

You really need to get a clue and you really need to apologize to Theo, all
the OpenBSD developers, and everybody unfortunate enough to read your rant
on these lists. As usual for people slinging accusations like you, you
failed to cite anything or back up your claims. Pure FUD.

To paraphase Benny Hill, "everyone's entitled to be stupid, but some people
abuse the privilege."

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

David Coppa
On Fri, Jul 5, 2013 at 10:46 AM, John Long <[hidden email]> wrote:
> On Thu, Jul 04, 2013 at 11:56:50PM -0400, Thomas Jennings wrote:
>
> [drug / alcohol withdrawal-induced rant elided]
>
> I don't know where you get the idea OpenBSD is involved. I heard a few
> interviews including the one here http://www.youtube.com/watch?v=ISXYITh09TA
> and she clearly said she has an Apple system.

Guys, what part of "THIS IS A TROLL" don't you understand?

Let him die, please.

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

Dmitrij D. Czarkoff-2
In reply to this post by Thomas Jennings
On Fri, Jul 5, 2013 at 4:56 AM, Thomas Jennings
<[hidden email]> wrote:

> CBS News reporter Sharyl Attkisson claimed, during a live radio
> interview, that she had been dealing with suspicious computer and phone
> issues. Check out this snippet from the full transcript of the interview.
> One line in particular trashed my plans for the OpenBSD upgrade:
>
>> Well, I have been, as I said, pursuing an issue for a long time now — much longer
>> than you’ve been hearing about this in the news — with some compromising of my
>> computer systems in my house — my personal computer systems as well as my
>> work computer systems. I thought they were immune to being compromised —
>> because they all ran OpenBSD — but I guess I was wrong. So, we’re digging into
>> that and just not ready to say much more right now, but I am concerned.

FWIW the original quote can be fund here[0]. I expected to see some
other product name replaced with "OpenBSD" by the troll, but it turned
out that the whole sentence is missing from original interview.

[0] http://www.washingtonpost.com/blogs/erik-wemple/wp/2013/05/29/sharyl-attkisson-and-her-compromised-computers/

--
Dmitrij D. Czarkoff

jV
Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

jV
Why you keep feeding troll guys ??

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

Ian Darwin
In reply to this post by Shawn K. Quinn-2
> We don't know all of Sharyl's end of the story yet. There are
> vulnerabilities in ports now and then and it's quite possible that's how
> Sharyl got hacked. But I can tell you this, it's going to take a lot
> more than one random disgruntled user to convince me not to trust Theo
> de Raadt and the OpenBSD project any longer. And I do mean a *lot* more.

That's not a disgruntled "user", that's a spam troll, pure and simple.

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

TAKRIZ
In reply to this post by Douglas Allen
Despite feeding a troll, since it was posted on advocacy@ I felt the
urge to share how great my 10 years plus experience has been with
OpenBSD that run all our backends and internal communication system.
We've been online since 1998 and it is the OS that helped us topple a
23 years old dictatorship in Tunisia/North Africa (for the brief
account http://www.technologyreview.com/featuredstory/425137/streetbook/
)

Best

Foetus

On Fri, Jul 5, 2013 at 6:58 AM, Douglas Allen
<[hidden email]> wrote:

> On 7/4/2013 10:56 PM, Thomas Jennings wrote:
>>
>> Regretfully, I have decided to abandon OpenBSD and thought I would
>> share my reasoning with this list. I thought the 4th of July was a
>> good date to do so since my reasons address national security
>> implications. As a group of people who take development, security, and
>> privacy seriously, I know you will want to know why I made the drastic
>> decision to abandon OpenBSD and never look back.
>
>
> You are free to use or not use whatever software you wish.  I won't try to
> change your mind.  However I would need more evidence than you have put
> forth here to get me to make changes to the machines I have here.
>
>
>> And we all know Theo de Raadt, OpenBSD generalissimo of much infamy.
>> After being fired from the NetBSD team, Theo forked the code and
>> started OpenBSD. He's been pretty much solely responsible for
>> development of OpenBSD over the years, taking volunteer code as he
>> sees fit. He also has final say over security audits in the operating
>> system, something that turns out to be very important.
>
>
> I have known several of the developers over the years, including Theo.  He
> can be blunt at times, which is fine from my point of view.  I know he left
> NetBSD because of differences of opinion on how certain parts of the system
> should proceed.  He forked the code and started OpenBSD, as you stated.  He
> has never, to my knowledge, told anyone that they HAD to use OpenBSD.  If
> people don't like the way he does things, they are free to go elsewhere.  He
> has never tried to make any other way to my knowledge.
>
>
>> I was prepping to migrate the whole of our shop, a regional ISP in the
>> United States of America, to OpenBSD 5.3 when the news broke: CBS News
>> reporter Sharyl Attkisson claimed, during a live radio interview, that
>> she had been dealing with suspicious computer and phone issues. Check
>> out this snippet from the full transcript of the interview. One line
>> in particular trashed my plans for the OpenBSD upgrade:
>>
>>> Well, I have been, as I said, pursuing an issue for a long time now —
>>> much longer
>>> than you’ve been hearing about this in the news — with some compromising
>>> of my
>>> computer systems in my house — my personal computer systems as well as my
>>> work computer systems. I thought they were immune to being compromised —
>>> because they all ran OpenBSD — but I guess I was wrong. So, we’re digging
>>> into
>>> that and just not ready to say much more right now, but I am concerned.
>
>
> Without knowing exactly what Ms. Attkisson is running on those machines, I
> wouldn't venture to try to explain in any detail why the issues are
> occurring.  It has, to my knowledge, always been the stated position of the
> development team that they only audit the base software.  They do not
> guarantee that they have audited the software in ports or packages.  Since
> it has been my experience that few people run a system with nothing from
> ports or packages, it seems at least possible that any security hole may
> come from that source.  I consider it unfair to blame either the project or
> people within it for problems with software that they did not write
> themselves.
>
>
>> EVEN IF NO CORPORATION OFFERS THE UNITED STATE FEDERAL GOVERNMENT
>> DIRECT ACCESS TO ITS SERVERS THROUGH PRISM, OPENBSD OFFERS THAT SAME
>> ACCESS THROUGH THE PRESENCE OF ITS BACKDOORS.
>>
>> There it is. Let it sink in. Words like Gestapo and Stasi and KGB come
>> to mind. OpenBSD is part and parcel to the United States Federal
>> Government's program to spy on its own citizens through bodies like
>> the NSA and FBI and has been since the FBI paid for backdoors in IPSEC
>> about a dozen years ago.
>
>
> I would need more evidence than one persons statement of their existence,
> before I would believe such a statement.
>
> I believe that the project is located outside the U.S. to avoid having to
> provide exactly what you are claiming to exist.  I also believe that certain
> contracts were not renewed between members of the development team and
> certain U.S. governmental agencies for the same reason.
>
>
>> The kicker is that Theo denies anything suggesting that OpenBSD is
>> less than perfect at security, as if he's personally offended by the
>> mere suggestion. He routinely attacks developers and enthusiasts for
>> simply asking questions. WHY SO TOUCHY, THEO? COULD IT BE BECAUSE
>> YOU'RE COMPLICIT IN THE BIGGEST CITIZEN SPYING PROGRAM EVER RUN IN THE
>> HISTORY OF THE WORLD?!
>
>
> What I have seen is Theo denying a suggestion without be given proof that a
> problem in fact exists.  As one person who has been on the receiving end of
> a few caustic replies from Theo, I can understand why he gets that way with
> people who do not even make an attempt to look for an answer in the
> documentation.  In each instance, I would say that it was justified - since
> I either hadn't looked far enough into the documentation or into pieces of
> code where the documentation did not completely answer the question.  I also
> maintain that in my cases, it was justified to be a little unpleasant
> because I could find or figure out the answer once I did make that detailed
> search of the documentation and/or the source files.
>
> With all that said, I again reiterate that you are free to use whatever you
> wish to use for your own machines and any machines that you are required to
> maintain.
>
> Doug

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

Rudolf Leitgeb
In reply to this post by Douglas Allen
NSA would be foolish to go through all the effort it takes to place a
back door into OpenBSD. I find it funny how people focus on potential
back doors in software and completely ignore that all this software is
executed on micro processors that are made by a select handful of US
companies. We also have no idea what's really going on in peripheral
components of our computers or in networking hardware.

Use OpenBSD if you want to keep out the common criminal but don't fool
yourself that you can outwit three letter agencies with your laptops.

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

Pete Kocks
+1
________________________________________
From: [hidden email] on behalf of Rudolf Leitgeb
Sent: Saturday, July 06, 2013 6:46 AM
To: [hidden email]
Cc: [hidden email]
Subject: Re: Why I abandoned OpenBSD, and why you should too...

NSA would be foolish to go through all the effort it takes to place a
back door into OpenBSD. I find it funny how people focus on potential
back doors in software and completely ignore that all this software is
executed on micro processors that are made by a select handful of US
companies. We also have no idea what's really going on in peripheral
components of our computers or in networking hardware.

Use OpenBSD if you want to keep out the common criminal but don't fool
yourself that you can outwit three letter agencies with your laptops.

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

Ben Goren
In reply to this post by Rudolf Leitgeb
On Jul 6, 2013, at 6:46 AM, Rudolf Leitgeb <[hidden email]> wrote:

> Use OpenBSD if you want to keep out the common criminal but don't fool
> yourself that you can outwit three letter agencies with your laptops.

Too many people, especially the paranoid security types, fail at basic cost / benefit analysis.

Randall Munroe put it quite well, as usual:

http://xkcd.com/538/

OpenBSD won't protect you from a $5 wrench -- or from a $150,000 / year ``consultant'' planting old-fashioned bugs in your home, let alone court-approved wiretaps or a FISA warrant.

It will, though, reasonably keep you safe from network attacks, much more so than the popular commercial alternatives. (In fairness, the vigilant reactionary approach the big vendors have taken seems to be working ``well enough'' in practice for most people, though it's an awful lot of effort that could be put to better use.)

But that's not why I like OpenBSD. I like OpenBSD because it's the only Unix that's reasonably coherent and sensical. OpenBSD's security record is just icing on the cake, and it's a side-effect of the team's insistence on writing good code. Get the fundamentals right, don't compromise your coding standards just to finish a task, always loop back to look for rough spots and polish them out, and everything else just takes care of itself.

Cheers,

b&

Reply | Threaded
Open this post in threaded view
|

Re: Why I abandoned OpenBSD, and why you should too...

William Cummings
In reply to this post by Tito Mari Francis Escaño
Troll or OpenBSD security expert....... Flip a coin!

On Jul 5, 2013, at 12:28 AM, Tito Mari Francis Escaño <[hidden email]> wrote:

> I was initially thinking this is a troll, but with these quotes:
>
> "...was prepping to migrate the whole of our shop, a regional ISP in the
> United States of America, to OpenBSD 5.3..."
>
> Pray tell what regional ISP you speak of here to earn their deserved
> praise or ridicule for avoiding the OpenBSD deployment.
>
> "OpenBSD has shipped on over half of all network devices, including
> things like routers, switches, gateways, and servers, for the last six
> years. The current estimated number of OpenBSD installations sits at
> over 350 million devices, comprising an almost ubiquitous presence of
> OpenBSD in networks worldwide"
>
> I wondered if Theo or the OpenBSD Foundation has budget to pay for
> publicity, good or bad, just for the kicks.

12