Afterword

"Unix for the Practical Paranoid?" What does that mean, anyway?

Back when I got my first email address, the Internet was a military and educational network run by DARPA, with an entirely different security profile. UUNet had not yet appeared, and corporate Internet access was inconceivable. Security was a whole different matter then: All you had to worry about were students and soldiers, and generally all parties were sufficiently interested in the well-being of the network that everyone, for the most part, took care of their own security problems.

Today, any yahoo with an old PC and twenty bucks a month can get a dialup account. We share the network with every country in the world, some of which are quite hostile to each other. The Internet also has a variety of tempting, juicy targets on it: Banking systems, online shopping, and embarrassing personal information are just the tip of the iceberg. Criminals have a lot of incentive to learn how to compromise computer systems. Additionally, script kiddies have their own juvenile reasons for wanting to damage or alter Internet sites. The common point in all of these is that for an intruder to escape unscathed, he needs to compromise an "attack staging" server belonging to an unrelated third party. This leaves the third party with the blame, and the intruder with the profits. While the third party might be able to prove their innocence, the lack of logging and auditing tools on most networks make this unlikely. If your computer is not secure, sooner or later you will be exploited.

The Internet is now a hostile place. While people might not be trying to get your data or your system in particular, some people are trying to break into any system they can get. Even if all you have is a desktop computer on a cable modem, you are a target of opportunity. This should give everyone on the Net a definite sense of paranoia!

Absolutely 100 percent effective security is simple to achieve: Just unplug your computer from the Internet and never plug it in again. Better still, feed the components to a blast furnace. Oh, you wanted to use your system for something? Well, that's a different story. You must rely upon the operating system and application security.

Application programmers have no choice but to rely upon the operating system's features to build their programs, but if that infrastructure is insecure, their programs are inherently and irremediably insecure. The OpenBSD Project develops a computing infrastructure that supports all the standard computing functions in a safe and secure way, giving developers a solid footing. OpenBSD makes paranoia practical in day-to-day life.

How effective is this approach? Well, in 2001, DARPA started a project to fund open-source security and dedicated close to two million dollars to Open-BSD development. This funding was canceled in 2003, without notice. When asked why, the DARPA spokesperson cited "the evolving threat posed by increasingly capable nation-states." I could go on for pages and pages speculating what this means, but there's not much point at this date.

This, of course, leaves the OpenBSD Project in a bit of a bind. The DARPA contract paid for several developers to work full-time on OpenBSD. Those people were left scrambling for jobs, and could no longer devote such intense energy to the project. OpenBSD survived this — after all, it existed for several years before DARPA offered it any money, and it will keep on surviving for years to come. With neither government nor corporate sponsors, OpenBSD is funded entirely by donations and by CD-ROM and T-shirt sales. Their speed of innovation is limited only by their financial resources.

If you're interested in the progress of OpenBSD, the best way you can demonstrate this is to either purchase CD-ROMs and/or related accoutrements, or just give them money. Sadly, donations to OpenBSD are not tax-deductible in the United States. You might be able to write them off as a business expense, however. For more information, check out the "donations" link at http://www.OpenBSD.org.

In the meantime, though, when someone calls you paranoid, just ask them, "Yes, but am I paranoid enough?" Then give them an OpenBSD CD-ROM and go on your merry way, secure in knowing that whoever the hackers break in to en route to robbing the Federal Reserve, it won't be you.