Considering that as a youth, Theo de Raadt routinely gave away software written on his Commodore Amiga PC, it’s hardly surprising that he has since become both a force in the free software movement and a hacker’s nightmare.
de Raadt, a 31-year-old University of Calgary computer science graduate who came to Canada from South Africa as a child, has invested the last six years of his life and spent $30,000 of his own money heading the OpenBSD project. The operating system is a free, ultra-secure variant of the Unix-like BSD 4.4 – and it’s a project de Raadt founded.
Although he’s a tried-and-true computer and software junkie – de Raadt proudly recalls working on his Commodore Vic20 and claims his Amiga’s serial number was around 1000 – he said no single event sparked his later work with OpenBSD.
Looking back, however, a lot of the interest stems from a systems administration job he took at the University of Calgary while he attended classes. It was then that the extent of OS source-code flaws took hold of him. In particular, he remembers how, after much legal and financial wrangling, U of C managed to finally get its hands on the Sun Microsystems Inc. Unix source code – the quality of which varied “significantly,” de Raadt said.
“We’d read the source code, find out what the problems were and think, ‘Gee, it just did some weird thing because some weird packet came across the net and it wasn’t expecting it. What would happen if someone decided to do that?’ And this really scared us.”
de Raadt started devoting more time to his passion, and as he progressed it became clear to him that certain programming mistakes turned up time and again in different software packages.
Two years later, in 1993, de Raadt and three others founded the NetBSD project. But “political kerfuffles” eventually led de Raadt to branch off and form the OpenBSD effort. The main difference between the two was in the developer focus. In the case of OpenBSD, the emphasis is on security. de Raadt’s goals haven’t changed since then – to make OpenBSD the most secure platform in the world.
OpenBSD let de Raadt take bug fixing to a whole new level. The problem with professional programmers is not a lack of ability, but lack of attention to detail, he said. That’s why he says the OpenBSD development process is unlike any other. “Ten years of being in the software industry, and I’ve never seen anybody doing what we’re doing here,” he explained.
The secret is straightforward – de Raadt and his peers assume that every single bug found in the code occurs elsewhere. de Raadt admits it sounds simple, but just rooting security bugs out of the entire source tree took 10 full-time developers one-and-a-half years to complete.
“It’s a hell of a lot of work…and I think that explains why it hasn’t been done by many people,” he said.
But it’s this kind of nit-picking that has made OpenBSD one of the most hacker-proof platforms available – that and the fact it ships with cryptography (Kerberos IV and support for IPsec) already built in.
“There hasn’t been a single remote security hole found in OpenBSD in two-and-a-half years, in the default install. So that means if you want your machine cracked, you’re going to have to misconfigure it,” he said.
In fact, one reason why OpenBSD is configured and shipped from Canada is so de Raadt doesn’t have to contend with tough U.S. cryptography export laws. This has allowed him to integrate cryptography elements from several European countries.
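The audit method described above, treating one bug as an instance of a class and then sweeping the whole source tree for the same mistake, can be illustrated with a small added example. This is not OpenBSD’s own audit tooling: the bug-class patterns, the file names and the C snippets in the in-memory “source tree” are all constructed for the illustration, and the patterns are deliberately simple, line-oriented heuristics rather than a real parser.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical bug-class catalogue (an assumption of this example): each
# entry names a mistake that was found once, plus a regex that matches
# the same mistake anywhere else in the tree.
BUG_CLASSES: Dict[str, re.Pattern] = {
    # unbounded copy into a fixed-size buffer
    "unbounded_copy": re.compile(r"\b(?:strcpy|strcat|sprintf|gets)\s*\("),
    # format string taken straight from a variable, e.g. printf(buf)
    "format_string": re.compile(
        r"\b(?:printf\s*\(|syslog\s*\([^,]+,)\s*[A-Za-z_]\w*\s*\)"
    ),
}

# Constructed stand-in for a source tree: path -> file contents.
SOURCE_TREE: Dict[str, str] = {
    "net/ping.c": """\
#include <stdio.h>
#include <string.h>

void reply(const char *host) {
    char buf[64];
    strcpy(buf, host);            /* the instance that was found first */
    printf("%s", buf);
}
""",
    "usr.bin/login.c": """\
#include <syslog.h>
#include <stdio.h>

void log_user(const char *user) {
    char msg[128];
    sprintf(msg, "login: %s", user);   /* same class, different program */
    syslog(LOG_INFO, msg);             /* format string from a variable */
}
""",
    "lib/util.c": """\
#include <stdio.h>
#include <string.h>

void copy_safe(char *dst, size_t n, const char *src) {
    strlcpy(dst, src, n);              /* bounded: must not be reported */
    snprintf(dst, n, "%s", src);       /* bounded: must not be reported */
}
""",
}

Hit = Tuple[str, int, str]  # (path, line number, stripped source line)


def sweep(tree: Dict[str, str], bug_class: str) -> List[Hit]:
    """Report every line in the tree that matches one bug class."""
    pattern = BUG_CLASSES[bug_class]
    hits: List[Hit] = []
    for path in sorted(tree):
        for lineno, line in enumerate(tree[path].splitlines(), start=1):
            if pattern.search(line):
                hits.append((path, lineno, line.strip()))
    return hits


def sweep_all(tree: Dict[str, str]) -> Dict[str, List[Hit]]:
    """Run every known bug class over the tree."""
    return {name: sweep(tree, name) for name in BUG_CLASSES}


def report(tree: Dict[str, str]) -> str:
    """Human-readable worklist: one heading per class, one line per hit."""
    out: List[str] = []
    for name, hits in sweep_all(tree).items():
        out.append(f"{name}: {len(hits)} occurrence(s)")
        for path, lineno, text in hits:
            out.append(f"  {path}:{lineno}: {text}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SOURCE_TREE))
```

The point of the sweep is the worklist it produces: the `strcpy` found in `net/ping.c` is not fixed in isolation, the tree is searched for the whole class and the `sprintf` in `usr.bin/login.c` is fixed in the same pass, while the already-bounded calls in `lib/util.c` stay out of the list. On a real tree the same loop would walk the file system instead of a dictionary, and each regex would be replaced by whatever check matched the bug actually found.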
OpenBSD is so secure that it even got the attention of the U.S. Department of Justice, which stores and transmits top-secret data using 260 copies of the OS. As well, one of the largest ISPs in the state of Washington, pacifier.com, runs part of its operations on OpenBSD.
Today de Raadt oversees a community of 90 volunteer developers who make changes to the source tree. He also takes tips and suggestions from thousands of other OpenBSD enthusiasts from around the world.
Comparisons with Linus Torvalds and his Unix variant, Linux, are inevitable, and de Raadt doesn’t mind. From a user perspective, there’s very little difference between the two. But he is critical of the Linux development model, particularly of the way the larger Linux distributors, such as Red Hat Software Inc. and Caldera Inc., assemble their products.
“Some of them are doing a better job of…looking for bugs in the latest versions,” he said. “It comes down to (whether) the people who are actually packaging the software know what they’re doing.” He credits German vendor SuSE GmbH for being the most diligent.
A typical day for de Raadt includes three- or four-hour stints at his computer, broken up by sleep and a bike ride – a far cry from the 14- to 16-hour days he used to put in.
But how many people actually use OpenBSD, and for what, doesn’t concern de Raadt. Although he makes his living selling OpenBSD CDs, he insists he has no desire to expand the business. He’s even hired a Calgary-based businessman to sell the CDs on his behalf, just so he can avoid dealing with money issues.
“I’m not interested in getting into business. I really like the way this works right now, and I’m having a lot of fun…I’m just perfectly happy accepting the status quo of how many people use BSD right now,” he said.
OpenBSD has cost de Raadt a lot of time and money, but, looking back, he said he wouldn’t do anything differently. “I work a little less than [I used to], and I spread it out a bit more. But I really enjoy what I’m doing. This is fabulous. I wouldn’t want to be doing anything else.”