Security in a hostile world

Parental advisory

This talk might include mild language, explicit content, swearing and penguins might get hurt.

Feel free to walk out before I begin.

Who the F*?

						printf -v GREETER "Hello %s" "$LOGNAME"
						if [ "$UID" -ne 0 ]
							echo $GREETER
							echo "I am h3artbl33d"
							# Who the f*ck is Else?
							exit 2

Bits about me

  • Professional BOFH
  • Breaker of things AKA hacker
  • Security and privacy fundamentalist
  • OpenBSD evangelist
  • ...part-time infosec dude
I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them.

~Linus Torvalds


From the "masturbating monkey" perspective

  • Not Unix
  • F*cked by organic design
  • GPL license
  • Private, not secure


"research operating system for developing security mitigations"
Little girl taking a selfie in front of a burning house


  1. Founded in 1995, fork from NetBSD
  2. First release in 1996, v1.2
  3. Release: every six months
  4. CDs? Not anymore :(


  • Security (duh)
  • Thorough documentation
  • Correct code
  • Crypto(graphy)
  • Lean, mean fighting machine


  • OpenSSH
  • pf
  • LibreSSL
  • OpenBGPd
  • OpenSMTPd
  • vmm
  • ...

The OS - 1

  • Sane defaults
  • Small OS footprint
  • Text-based, intuitive installer
  • Only the essentials in base

The OS - 2

  • Extendable through ports and packages
  • Everything you need is in base
  • Depending on usage scenario: tweaks
  • About usage scenario's...
    • Firewalls
    • Routers
    • Servers
    • Embedded devices
    • Desktops

The OS - 3

  • Firewall? pf!
  • Webserver? httpd!
  • Mailserver? smtpd!
  • Systemd? gtfo!
  • Desktop? bloat!


  • W^X
  • privsep (oh-hai QNAP)
  • KARL
  • pledge
  • unveil

Example: Networking

					# scan networks
					ifconfig iwn0 scan
					# add a network
					printf "join HOME wpakey KEY\ndhcp" > /etc/hostname.iwn0
					sh /etc/netstart iwn0

Example: Webserver

					server "" {
						listen on * port 80
						root "/htdocs/"

Example: Laptop firewall

					set skip on lo
					set fingerprints "/dev/null"
					block log all
					pass in on egress inet proto icmp all icmp-type echoreq
					pass in on egress inet proto tcp from any to any port ssh
					pass out

Beginner resources


they are called features

  • Hyperthreading disabled by default
  • No Bluetooth
  • No Electron
  • No systemd
  • Daemons


Want to try?

Thank you all very much!