TRUSTSECURE 2002 Report
Pages: 1, 2
The second day of the conference began with an excellent presentation of the Freenet project delivered by Pawel Krawczyk of ABA. As an unplanned bonus, Pawel treated us to a practical demonstration of the MSIE6 certificate vulnerability, which he was the first to describe. Unlike many people in the IT field, Pawel has great presentation technique and a gift for explaining complex ideas in simple terms.
Next, Pawel Pisarczyk of IMMOS captured everyone's attention with a detailed overview of security mechanisms implemented in the Trusted and Secure class of operating systems. What I learned certainly made me want to learn more about these systems in the future. At the same time, what I learned about the methods for controlling the behavior of processes has made me think if constructing long lists of complex rules for processes is the right way to go. It seems to me that such constructs are very difficult to manage and get right because they assume that we can determine the system's behavior and allow for plenty of opportunities to miss some rule that may open dangerous holes in the system. I am not qualified to judge the relative merits and flaws of these designs, but I liked the approach to security presented by Rafal Wojtczuk of 7bulls. Rafal showed us how the Openwall project achieves high security by making modifications that do not change the way the administrators, users, and applications see the system. Their way of securing passwords and limiting privileges is quite ingenious, and it would be a very good thing if their ideas were copied by other commercial and free UNIX system designers and programmers. The Openwall project is one of those refreshing changes that are fun to watch because they produce practical solutions.
As mentioned, I had been invited to speak about OpenBSD. In my presentation, I tried to give a brief overview of OpenBSD itself, its typical uses, and how it could be used in corporate environments. As was the case with Linux a few years ago, the biggest obstacle on the OpenBSD's road to the corporate environment is the lack of certification.
By the way, in my private talks with security people from large Polish banks and corporations, I noticed that everyone said that unless they have some kind of "insurance policy," i.e. certification or paid support, they will not be allowed to use OpenBSD in their work. It is, of course, a huge chance for companies looking for a business plan or ideas. Linux has it easier because it is now possible to purchase support, and there are certification efforts underway.
The questions and comments that I heard from the audience could be divided into two categories: Theo and the old design of the OpenBSD kernel. Is old kernel design a problem for OpenBSD? I don't think so. It may look old to people who like microkernels or modular kernels, but that does not mean that it is useless; it just cannot be all things to everybody. As far as I can see, the preset kernel architecture did not prevent OpenBSD from becoming a stable platform for many interesting security solutions. Therefore, and I repeat here what I said at the conference, if you are a security professional, it is a very good idea to get to know OpenBSD and see how it can help you.
For all the criticism of Theo's decisions related to the OpenBSD projects, we all agreed that he's very good at managing the project and avoiding code and filesystem bloat found on many other free operating systems. We also agreed that the project badly needs more human resources. At the same time, a lot of people who criticized OpenBSD admitted openly that they "have a small OpenBSD server sitting in the corner and [they] like it very much." Now, this is something I had heard before, two or three years ago, when people were happily running small Linux servers in the corners of their offices. Could this mean that OpenBSD is close to achieving the critical mass it needs to become noticed outside of the current OpenBSD users' circles? I certainly hope so.
Personally, I am very optimistic about the future of OpenBSD, and I hope that it will find a rich commercial sponsor in the near future. Before it happens, there is something we can all do now. (I got this idea on my way home, so it was too late to present it during the conference.) The OpenBSD project has a page where we can all make donations. Tthey also have a Paypal account. If everyone who is interested in helping OpenBSD would make a $5 donation every month, that'd give the project a lot of money to use for a good cause. The math is simple. A $5 a month donation is $60 per year. Multiply that by 3,000 to 12,000--estimates of how many people read this series based on the number of page views I was given by my editor--which would mean $180,000 to $720,000 annually. That's certainly enough to pay people who develop OpenBSD, and it doesn't cost us much. I guess that's a tax we all can live with.
I think Theo owes me a pint of Guiness for having to endure Przemek's questions and comments. Will you two sort things out for the benefit of the rest of us? ;-) Seriously, I think you can do a lot of good things for OpenBSD, FreeBSD, and the open source community as a whole.
Overall, I found the conference one of the highlights of this year and I plan to attend the next edition. As Alek Czarnowski promised, plans for the next edition of TRUSTSECURE are already in progress, which is a very good thing for all security professionals in Poland.
(PS. I'd like to thank Przemek Galczewski (AVET) for giving me a lift to the bus terminal.)
Jacek Artymiak started his adventure with computers in 1986 with Sinclair ZX Spectrum. He's been using various commercial and Open Source Unix systems since 1991. Today, Jacek runs devGuide.net, writes and teaches about Open Source software and security, and tries to make things happen.
Read more Securing Small Networks with OpenBSD columns.
Return to the BSD DevCenter.