
EU study recommends OpenBSD - fcambus
http://undeadly.org/cgi?action=article&sid=20150427093546
======
s_dev
Theo de Raadt always complained that many of the institutions that run and use
OpenBSD don't contribute back. Good to see the EU at least acknowledging that
it's something that they should explore. They probably use it and its features
more than they realise.

I suspect there is a strong political motive as well behind being
"technologically independent" after the NSA mass surveillance revelations.

I like the sound of an EU BSD fork - hopefully they fund one. We've always
been lacking in the Operating Systems dev department over here in Europe.
Linux is our main contribution but we can do more.

~~~
jkyle
> Theo de Raadt always complained that many of the institutions that run and
> use OpenBSD don't contribute back.

Sounds like he needs a different license then.

~~~
tbrownaw
I don't think _any_ of the free/open licenses require users to contribute to
the parent project. I don't think any even require that people distributing
modified versions send those modifications back upstream.

~~~
Someone1234
The GPL kinda-sorta does. I guess it depends on your definition of "contribute
back." People that derive from GPL source have to release those changes to the
public, which could just be a zip archive on their web-site rather than a git
pull request.

I guess what I mean is, the company can try to be as unhelpful as possible
(e.g. strip comments, place all code into a giant .cpp file, etc) but it does
technically have to publish source code regardless.

~~~
cwyers
The GPL requires you to distribute source code in addition to binaries. If you
don't distribute binaries (i.e. if you're running the code on your server farm
only), then you don't have to distribute anything.

~~~
nitramafve
That is why some choose to license their work under AGPL.

~~~
cwyers
That still only goes so far, though. If you're building a product on top of a
database that's licensed with the AGPL, like Mongo, you have to distribute
those changes.* If you build your Intranet site on Mongo, though, you don't
need to distribute those changes in a way that gets back to upstream.

* I think. And I don't know if this has withstood the sort of court scrutiny the GPL has.

~~~
yellowapple
For the intranet site, I think you'd still need to make the source code
available to users, who could then make the source publicly available.

IANAL, though, so I don't know if corporate policy forbidding this would be
legal under the terms of the AGPL.

~~~
dublinben
> I don't know if corporate policy forbidding this would be legal under the
> terms of the AGPL

Section 10 of both the GPLv3 and AGPLv3 prevent the imposition of "further
restrictions" on the subject of the license.

~~~
yellowapple
I'm aware. What's not clear is whether it applies to the individual components
of an organization (i.e. its employees) or just the organization as a whole. I
want to think the answer is that intra-organizational distribution still
counts as distribution (and therefore cannot be restricted), but usually it's
considered acceptable to use a modified version of (A)GPL'd software
internally (i.e. not used outside the organization) without it counting as
"distribution", so things are kind of fuzzy without explicit terms in that
regard.

Such are the side-effects of treating organizations as singular entities :)

------
brudgers
Link to Part 1 of the study (wherein the recommendation lies):

[http://www.europarl.europa.eu/RegData/etudes/STUD/2015/52740...](http://www.europarl.europa.eu/RegData/etudes/STUD/2015/527409/EPRS_STU\(2015\)527409_REV1_EN.pdf)

Part 2 of the study recommends government funding of Open Source Projects:

[http://www.europarl.europa.eu/RegData/etudes/STUD/2015/52741...](http://www.europarl.europa.eu/RegData/etudes/STUD/2015/527410/EPRS_STU\(2015\)527410_REV1_EN.pdf)

Potential and actual conflicts of interest between governments and citizens in
regard to privacy are not addressed.

~~~
k-mcgrady
They don't address conflicts of interest but it seems like they're fine with
privacy:

"[...] the use of open source computer operating systems and applications
reduces the risk of privacy intrusion by mass surveillance."

They seem to be touting that as a benefit, not a drawback.

~~~
brudgers
When the same governments are funding signals intelligence gathering with one
hand and open source software development with the other, there is potential
conflict of interest, if not actual conflict.

The NSA's role in weakening open source encryption standards was the result of
the internal logic by which all intelligence organs typically operate
irrespective of sponsoring state. The differences between the politics of some
EU states and the politics of the US or Russia or the UK don't change that
internal logic of intelligence organs. Their job remains to maintain data
collection capability.

~~~
k-mcgrady
And with OSS we can see when they create back doors or modify the code. We can
see what the modifications do. And if they are doing anything wrong we can
revert the changes and publicise it. Following on from your thinking, what is
their angle here? On the surface it seems more difficult to exploit OSS, but is
there something they can do with it that users won't know about and is easier
to exploit?

~~~
brudgers
Subtle security leaks are not at the center of the all-bugs-are-shallow
theory. Cryptographically insecure communications don't cause code to throw
exceptions or systems to crash. The effects are social. Unless Eve tells Alice
or Bob, neither will know she's read their communications.

------
lkjsadflkljdsaf
Support OpenBSD, but NEVER fork it..

[http://www.openbsdfoundation.org/](http://www.openbsdfoundation.org/)

[http://www.openbsd.org/want.html](http://www.openbsd.org/want.html)

[http://www.openbsd.org/donations.html](http://www.openbsd.org/donations.html)

[https://www.openbsdstore.com](https://www.openbsdstore.com)

------
eridal
> Nice to see recognition from the trenches of bureaucracy.

It's really nice that they can write such a statement.

Kudos to the OpenBSD team!

------
erhardm
I like OpenBSD. I like the spirit of the developers, who don't compromise on
security. I like the simplicity of the OS, very well documented and very
robust. They are prepared to break a ton of software to advance the state of
security/correct code.

I would like to have OpenBSD on all my machines, but unfortunately their
license doesn't have the "infectious" effect of the GPL. From my limited
understanding, their license[0] is not a philosophical license like the GPL.
Linux's popularity spread because of the distributed development style
(everyone developed in their own tree, Linus decided if it had enough value to
get into his tree) and the GPL.

Even if you don't care about the philosophy of the GPL, you can't deny that it
helped make a lot of vendors publish (even if half-heartedly) their code,
which eventually, after some cleanup (by 3rd parties or themselves), got into
the Linus tree.

If OpenBSD were GPL licensed, I could see a BSD which would have all the
bleeding edge features, while Theo's tree stayed separate, conservative on
features but not lacking in drivers. One can only dream.

I realize that FreeBSD is the bleeding edge of BSD land and I'm not trying to
start a license flamewar, but a lot of companies, i.e. graphics, wireless
card, and laptop manufacturers, don't have (good) working drivers for BSD land,
at least not published code which goes back to the community.

[0] - [http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/misc/lice...](http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/misc/license.template?rev=HEAD)

~~~
yellowapple
While it's true that the GPL and the distributed nature of Linux development
helped GNU/Linux proliferate, that isn't the reason why the BSDs didn't. In
reality, they were encumbered by legal problems due to being derivative works
of AT&T's Unix; the ensuing legal war of attrition caused a lot of folks to be
unsure of whether or not they could legally use any of the BSDs without having
to pony up for Unix licenses.

As a result, Linux was created (Linus Torvalds has said that if Hurd existed
or if the BSD legality issues were resolved, he wouldn't have felt the need to
develop the Linux kernel), and folks jumped onto that as the preferred free
Unix due to it being unencumbered by the massive legal warfare taking place in
BSD Land (of course, SCO would eventually bring the battle to the GNU/Linux
world, but by that point, Linux was already well-entrenched).

------
dash2
For those that know more about OpenBSD than the EU (and I salute you for it),
the EU parliament is a fairly powerless institution. Eurocrats show it little
respect; one described it as "just one big fucking NGO".

Update after reading it: this isn't even an official parliament document or
recommendation. It's something by the parliament's research service.

~~~
pXMzR2A
Politicians in the EU and US call various institutions an "NGO" when they
disagree with them and want to ridicule them to intentionally reduce their
public reputation.

The EP is a high reputation organization and has force within the EU
structure. Calling an EPRS study "something by the parliament's research
service" is not only redundant (EPRS = European Parliament Research Service)
but also short-sighted (do you do the same thing to the deliverables by your
R&D department?).

So, this is an EP study that you can cite in order to support your arguments
for switching to free software in your government / school / workplace / home
/ hobby group.

~~~
dash2
I wasn't dismissing the study's quality, just saying that this is not
necessarily going to lead to any change in policy (e.g. all EU computers
mandated to run OpenBSD).

~~~
pXMzR2A
> all EU computers mandated to run OpenBSD

That kind of social change would require a change in the econo-political
system.

~~~
dash2
I think mandating all EU computers to run _anything_ would be a very bad idea.

------
tormeh
The EU also funds Minix 3 development, though that is more about reliability
than security.

~~~
cbd1984
The thing about security is that it touches _everything_.

Ease of use? If something's hard to use, it's easy to confuse people into
doing insecure things. Security issue.

Unreliable? Security depends on predictable behavior, and failure modes are
often unpredictable. Security issue.

Proprietary protocol? Even if it wasn't intentionally backdoored, you don't
know its real attack surface, because you don't know all of the verbs it
contains. Verbs imply actions, actions imply changes of state, changes of
state imply the Dark Side... uh, security concerns. Security issue.

Performance? Even aside from timing attacks and simple DoSing, things often
behave oddly when pushed to a limit, especially if that limit involves
otherwise-hidden race conditions. Security issue.

------
corv
The study also recommends Qubes and Tails.

------
dijit
I love OpenBSD. Its implementation of certain things is slower (like
networking), but it's so clean and well implemented.

Even if it doesn't get to play with all the toys (like ZFS), it's what I'd
love to default to for application servers/bastion servers/firewalls etc.

My only qualm with it currently is its reliance on X11 for ports to work. I
don't like installing X11 libs on my servers wherever I can avoid it. :\

~~~
adamrt
> My only qualm with it currently is its reliance on X11 for ports to work. I
> don't like installing X11 libs on my servers wherever I can avoid it. :\

Can you give a reference for this? I'm not doubting you, as I always install
X11 anyway; I just didn't know this was still the case. I remember an issue
with a lib in xbase.tgz a few years back that was required by lots of ports,
but I thought they moved it to base.tgz.

Thanks!

~~~
dijit
[http://comments.gmane.org/gmane.os.openbsd.ports/54692](http://comments.gmane.org/gmane.os.openbsd.ports/54692)

[http://www.openbsd.org/faq/faq15.html#NoFun](http://www.openbsd.org/faq/faq15.html#NoFun)
(at the bottom of this section)

~~~
adamrt
Good call. I was thinking packages in my head despite you specifically
referring to ports. Thanks for following up!

------
hackuser
> "It is recommended that users install ..." OpenBSD?

The EU isn't serious if that's what they mean. It's not really an option for
end users. My impression is that even technical users who are new to *nix
should start with something more accessible.

Does the OpenBSD community even want to deal with a flood of newbies?

------
andrewstuart2
Didn't everyone recommend Linux and Mac OS back when vulnerabilities on these
systems just hadn't been discovered (or possibly written) yet?

Make OpenBSD popular, add a ton of devs, and attack value, and I'm pretty sure
these problems will repeat themselves.

I think the second study, which briefly names OpenBSD, does a good job of
pointing out that technological changes alone are insufficient.

~~~
cbd1984
Yes, and a Brinks armored truck is just as vulnerable to carjackings as a Ford
Pinto, we just don't know about the vulnerability because nobody drives them.

People _were_ saying the same things about Linux. In the late 1990s and early
2000s. By which time Linux had _already_ become the de-facto go-to OS for web
servers around the world. It was, in short, already a high-value target, and
yet the apocalypse didn't occur.

~~~
andrewstuart2
Of course that's true. I'm just not convinced that OpenBSD : Linux :: Armored
truck : Pinto.

In fact, the point of a good portion of the second study [1], p.17-25 is
pointing out the flaws that have occurred in the Linux operating system and
other existing technologies.

[1][http://www.europarl.europa.eu/RegData/etudes/STUD/2015/52740...](http://www.europarl.europa.eu/RegData/etudes/STUD/2015/527409/EPRS_STU\(2015\)527409_REV1_EN.pdf)

~~~
cbd1984
I never claimed Linux was a Pinto. My point is, some things are just built
well, and even if they're not used very often we can expect a certain level of
quality, as opposed to saying that the only reason we don't see them stolen is
because so few people drive them. Especially if they're used all the damn
time, just not in places people see a lot.

So some bugs will be found in OpenBSD. That's a given. However, it isn't like
OpenBSD is _never_ used, or that the people who made it are _bad_ programmers.

~~~
andrewstuart2
Yeah, I agree 100% :-)

I guess what I'm saying is that it would make more sense to me if OpenBSD and
Linux were both on the list. As you also mentioned, flaws existing in programs
are inevitable, so unless the defect rate, normalized for usage, is
significantly higher in one case, it's not good evidence for the quality or
security of one over another.

~~~
yellowapple
In OpenBSD's case, the defect rate's pretty low, even when normalized for
usage. It's had, what, 2 significant security bugs (that actually compromised
the security of the base installation) over the last 2 decades or so? Pretty
damn good if I may say so myself.

------
nbevans
"[...] the use of open source computer operating systems and applications
reduces the risk of privacy intrusion by mass surveillance. Open source
software is not error free, or less prone to errors than proprietary software,
the experts write. But proprietary software does not allow constant inspection
and scrutiny by a large community of experts."

That worked great for OpenSSL didn't it? ;)

~~~
higherpurpose
Microsoft has had 2 Heartbleed-level vulnerabilities in its Windows code so
far, which were not just 2-3 years old but 10+ years old, leaving systems
vulnerable to them for much longer.

The "advantage" of proprietary code here was that Microsoft got to downplay
them (surprise surprise, no scary logo made by Microsoft for them!), and
that's how proprietary code owners deal with security issues in general: they
try to hide that they exist to keep the illusion that the software is (more)
secure.

~~~
tptacek
This is the second time today you've spread innuendo about how software
security teams at big companies handle vulnerabilities, and the second time
you've managed to casually insult teams that include some of the best software
security people in the entire industry.

Here's the first:

[https://news.ycombinator.com/item?id=9445436](https://news.ycombinator.com/item?id=9445436)

These are egregiously bad arguments you're making, involving people who you
don't know but that, from my experience reading so many of your comments, I
believe are operating many levels above your own comfort level with actual
software security.

The trouble is, like me, you comment on HN all the time, and so, like me, you
get a huge name recognition boost for these comments you make. People
reasonably believe that you know what you're talking about when you "explain"
to them how Apple and Microsoft handle vulnerabilities. But you don't, and so
these misleading comments prey on their lack of information.

~~~
trengrj
The above comment isn't attacking "teams with great software security people"
but the fact that in proprietary software people can and do downplay
vulnerabilities (not a very controversial statement).

I've noticed tptacek over the past few years that your comments have shifted
from great general security advice to more defending "the security
profession". Please consider this shift and whether it is helpful.

~~~
nostrademons
Is your assessment that "in proprietary software people can and do downplay
vulnerabilities" based on looking at HN/news stories, or based on directly
interacting with security teams at those companies?

In my experience, the worst security offenders are either small businesses or
big businesses whose core competency is not in tech. My friend managed to
download 50,000 passwords from GreatestJournal.com because they left their
MySQL server exposed to the Internet, with no password, and the open-source
LiveJournal code stored passwords in plain text in the DB. He reported the
vulnerability to them, and their response was to put a password on the MySQL
server (and take it off the Internet a few days later), write a blog post
saying "You may want to change your passwords if you reuse your GJ.com
password on other sites", and then take down that blog post a couple days
later.

By contrast, when I worked at Google, a security bug was a drop-everything P0
bug. I recall grabbing dinner at In'n'Out at 11:00 PM because a potential data
leak was discovered at 6:00 and the culture is such that when a potential
security bug is discovered, you drop what you're doing, assess the impact, fix
it, and don't do anything else until you've done that. And I didn't work on a
security team, just an infrastructure one responsible for google.com.

~~~
lawnchair_larry
Google is the exception. Most major closed source vendors, even those known
for their security, hide vulns that were not externally reported.