FreeBSD router take 2 (pt. 2): Excursion – FreeBSD and security

[New to Gemini? Have a look at my Gemini FAQ.]

This article was bi-posted to Gemini and the Web; Gemini version is here: gemini://

After I completed the previous article, Franco Fichtner announced that OPNsense and HardenedBSD will be parting ways.

I’m happy to see that they are parting ways in good terms. So there at least were no ugly things going on behind the curtain. The explanations given in the announcement are interesting and I’d say that they make sense. This is a pretty massive change, though. And since (thanks to the friendly Web UI) OPNsense is used by a lot of people who do not have a FreeBSD background, I’d like to explain in a bit more detail what the actual situation is like.

In the first series of posts, the second one was an excursion on using the serial console. This time we’re going to take a look at the broad topic of security.

What is “security”?

FreeBSD has had incredibly talented security officers like Colin Percival, founder of the Tarsnap backup company. His company’s motto is Online backups for the truly paranoid – and it lives up to that. Thanks to him and many great people in the security team, FreeBSD has built up a fairly good reputation regarding security with a lot of people.

There are other voices, too. For example one former FreeBSD user who switched to OpenBSD is industriously working on making FreeBSD look bad. Here’s the homepage where he keeps track of all the things he thinks FreeBSD does wrong.

So which claim is true then? Is FreeBSD doing pretty well or is it downright horrible?

Both of them. And neither. Oh well… It’s a bit too complicated to give a plain and simple answer. So let’s think about what “security” actually means for a moment before returning to judge FreeBSD’s performance in that area.

There are multiple aspects to security. To take the whole situation into consideration means to admit that we’re in one giant mess right now!

Living in a nightmare

We absolutely depend on today’s technology. Think about replacing “the Internet” for example. Even if you have this exceptionally great idea and can provide a concept that is totally sound – how do you think we could get there? Millions of enterprises require the Internet as we know it to continue working as it does. The chances of succeeding with establishing something better that would run in parallel? Basically nonexistent. Nobody could pay for such a huge project! And even if it were to magically appear and be available tomorrow (somehow production-ready by day one), how do you think getting a critical mass of businesses to adapt it?

Incrementally improving what we have is hard enough. If you disagree just think about disabling anything but TLS 1.3 on your employer’s webservers. You, dear reader, probably are ready for such a change, I wouldn’t doubt that. But are all your customers? And that’s only one example of… many.

While being condemned to never being able to “re-invent the wheel” in large scale is unfortunate, it’s not catastrophic. What is catastrophic however is that the very foundations of the technology we’re using today were very much over-credulous from today’s point of view. It’s perfectly reasonable not designing network protocols for security when you don’t think of potential offenders because your network is either limited to one institution or basically to a couple of universities! We’ve outgrown those innocent times for a long time now however. The Internet is a war zone.

If you feel brave, join us and participate in our Gemini experiment (see top of this article). Get a Gemini client, read this article over that protocol. Ideally get your own gemlog started and share original content with the world. While we’re not even dreaming of replacing the Internet with something better – even the very act of challenging the Web alone by providing an alternative for like-minded people who loathe superfluous complexity, is an Herculean effort in and of itself.

But back on topic. Retrofitting security into existing technology that’s already in production use is incredibly hard. Especially if you are supposed to NOT break the former! And if it wasn’t hard enough, this scenario also comes with the curse of optional security which is another pretty sad story by itself… Your DNS server probably supports DNSSEC by now. But does it use DANE (mine doesn’t, yet…)? And how many of the more popular nameservers on the Internet do? I mean, it’s been almost a decade since it was introduced. We need regular “DNS flag days” to force people adapting somewhat acceptable DNS standards. How much can we expect optional security features to come to wide-spread use?

And if all of that wasn’t bad enough, in 2018 we learned that the one most important CPU architecture (x86) has a flawed design that dates two decades back… If you want to refresh your knowledge of what Meltdown and Spectre are, here’s an excellent read (explained so that each and every layman can understand it) by the aforementioned Colin Percival: Some thoughts on spectre and meltdown.

Another point is that while almost everybody tends to agree that security is “important”, few want to actually spend money or effort to improve it. Reading last year’s FOSS Contributor Survey of the Linux Foundation gives you an idea of how bad the state of affairs really is.

It’s 2.3 percent (on average!) of a developer’s time that is spent on work to fix security-related issues in their projects. If you assume a paid developer working 9-to-5, that’s about 11 minutes per workday, adding up to not even an hour a week… It’s a clear trend to rather work on exciting new features than fixing bugs in existing code. Working on security-related bugs is even less popular. How many people with such a mindset would you expect to proactively audit their code for flaws regarding security?

Security as “surviving in a deadly environment”

We set sail and started exploring silent waters around the coast with a pretty much experimental boat. It has been a very exciting ride – because at some point we realized that we were no longer near the coast but somewhere in the middle of the ocean. So what was really a nice toy before has turned into a necessity for us to survive. Quite a while ago we noticed that we were in stormy water and that we had to constantly fix our humble boat when the force of another tide tried to smash it! We’re constantly fixing new leaks and fighting off dangers that nobody really anticipated. And to make it even worse, while a lot of people were interested in tuning our boat for performance, they didn’t want to see that the water around us started boiling. Today we’re surrounded by lava. There is no lifeboat. If you shipwreck, you’re dead.

That picture should have either reminded you of what you already knew – or have been eye-opening regarding our situation. There is no need to panic (that wouldn’t be helpful), but don’t fall into the trap of simply dismissing the shadowy dangers. They are very much real! So whatever helps your employer survive in this situation could be thought of as a security feature.

There is no single panacea but combining a lot of security features can drastically lower the threats. Here are some important bits:

  • Respond to discovered vulnerabilities in a timely manner
  • Offer the latest versions of software or backport fixes
  • Provide means that harden the system
  • Develop mitigations for when (not if!) your first line of defense is breached
  • Make it as easy as possible for the user to secure the system

Where FreeBSD does mostly well

When it comes to patching base system vulnerabilities, FreeBSD is generally doing well (there’s no point in denying that things do not always work like they should so that blakkheim can point a finger at it). If you’ve never read a security advisory as published by the FreeBSD project, I suggest you do so at least once to get an idea. Like the latest one.

As you can see, the security team does not only silently fix bugs but even goes an extra mile, doing a write-up for the interested reader. For years I’ve been very happy with those; I’m not a developer with sharp C skills and deep knowledge of exactly how programs work, but I can always understand what’s going on there. I’m not spiteful enough to ask you to compare them with OpenBSD’s errata which are… very bare-bones.

If you take a closer look at the example provided here, you can see that among the versions that received a fix is 13.0-RC5-p1. That’s right: This means that they even cared enough to fix it for a Release Candidate that has a lifecycle of two weeks! And not only that, they even provided binary updates for that even though people on RC5 could just be expected to update to 13.0-RELEASE only a couple of days later. I’d say that this is nothing short of very commendable acting.

Regarding packages that are not vulnerable, the situation with FreeBSD is a mixed bag. There are quite a few unmaintained ports stuck at older, insecure versions. Common software is usually pretty recent. To give you an idea (and so that you don’t simply have to take my word for it), let’s compare FreeBSD and Ubuntu 21.04. FreeBSD currently has a port count of slightly above 31,000 whereas Ubuntu offers just short of 33,000 packages. A little over 6,000 are outdated on FreeBSD, for Ubuntu it’s over 8,500. For ports beginning with the letter “A”, FreeBSD has 9 ports with versions that contain a known vulnerability (with a CVE) that could be fixed by updating to a newer version whereas Ubuntu has only 3. Same thing for ports that begin with “Z”: 1 vulnerable port that could be fixed by updating to a newer version on FreeBSD, 2 such packages on Ubuntu.

Just so nobody claims I’d selectively present data to support either story with it, here’s a table for package CVEs of all starting letters:

Starting letter FreeBSD # Ubuntu 21.04 #
A 9 3
B 3 3
C 4 7
D 2 4
E 3 0
F 4 1
G 9 5
H 2 2
I 3 4
J 8 3
K 0 1
L 12 13
M 8 3
N 2 18
O 4 6
P 18 17
Q 0 0
R 8 13
S 8 10
T 5 7
U 2 2
V 2 2
W 3 2
X 3 5
Y 1 0
Z 1 2
TOTAL 125 133

I think it’s safe to say: FreeBSD does pretty good in this field, too! Especially if you take into consideration that most of FreeBSD’s ports are done entirely by volunteers and that while software usually “just works” on Linux there’s often some more work required to make it work on other operating systems! (Of course I’m aware that I’m just scratching the surface here and a deeper analysis would be nice – but that would definitely take its own article.)

Let’s talk about means of hardening the system. There’s a lot you can do to harden a system that was installed using the default options. For a while now (I think starting with 11.0) FreeBSD offers a hardening dialog in the installer, allowing for really simple improvement of the defaults. This is one thing that blakkheim prefers to ignore: Yes, /tmp is not cleared by default, but FreeBSD can do that if you want it to and it’s not hard to make it do that.

Yes, hardening a FreeBSD system is not something you can expect the junior admin to master in a couple of hours. But that doesn’t mean that it’s impossible to do. With securelevels and file flags, FreeBSD gives you a powerful tool for increased security. Capsicum and casper are two more things you can take a look at and start making use of. Taking advantage of jailing applications is another great way to make your infrastructure more secure by confining possible intruders and further limiting the damage they can do. FreeBSD expects you to do all that and more, depending on what your security requirements are.

Definitely have a look at security(7). To quote from it:

A little paranoia never hurts. As a rule, a sysadmin can add any number of security features as long as they do not affect convenience, and can add security features that do affect convenience with some added thought. Even more importantly, a security administrator should mix it up a bit — if you use recommendations such as those given by this manual page verbatim, you give away your methodologies to the prospective attacker who also has access to this manual page.

Does that really sound like it’s written by people who do not care for security at all as our friend blakkheim wants you to believe?

So far for the good part. The ugly side of FreeBSD will be covered next time as this article is already way too long. Thanks for reading!

What’s next?

The next post will briefly discuss FreeBSD’s security weaknesses and how HardenedBSD fits into the picture. I’ll also address the “rebase it on OpenBSD!” suggestion some people have made.

FreeBSD router take 2 (pt. 1): OPNsense ZFS-based installation (by converting FreeBSD)

[New to Gemini? Have a look at my Gemini FAQ.]

This article was bi-posted to Gemini and the Web; Gemini version is here: gemini://

In 2017 I wrote my longest (by far) series of posts on a single topic: 8 posts on hardware and the FreeBSD-based firewall solutions pfSense and OPNsense. Even after almost four years, some of these posts are still very high on the list of frequently visited pages. A lot has happened since then, though. About time that I get back to the topic! Here’s the list of the old posts:

Part 1 (discussing why you want to build your own router and how to assemble the APU2),
Part 2 (some Unix history explanation of what a serial console is),
Part 3 (demonstrating serial access to the APU and covering firmware update),
Part 4 (installing pfSense),
Part 5 (installing OPNsense instead)
Part 6 (Comparison of pfSense and OPNsense)
Part 7 (Advanced installation of OPNsense)
Part 8 (ZFS and jails)

I meant to revisit this topic again much sooner, but it didn’t work out. In 2018 I started to write a post that (among other text) contained the following paragraphs:

A lot has happened in the meantime. The new pfSense version that I mentioned before has left beta and is available regularly now. And with it comes one real boon: Complete ZFS support! OPNsense had two releases since 17.1 (the version that I discussed): 17.7 and 18.1. I had updated my box to 17.7 without any problems IIRC. After moving houses (and finally being online again after months!) I brushed the dust off my router and connected it. I decided to do a re-install this time and see if anything noteworthy had changed.

First I was a little disappointed to see that the USB3 issue has not yet been taken care off and still makes installing on the APU2 harder than it needs to be. But well, I had figured out how to do it previously, and still had my gear at hand to install using the internal USB2 connection. Second letdown: Still no trace of ZFS to be found. Looks like my priorities do not completely match the ones of the OPNsense team! 😉

But then the pleasant surprise: The 18.1.8 update brought experimental ZFS support! I had done a simple install this time as I had been a bit in a hurry, so I could not test it myself so far. However if I got things right, this means that the boot scripts are finally ZFS-capable and this will likely be supported in the 18.7 release. Chances are that there will not be installer support for ZFS, though. But we’ll see! Good things are going on and eventually we’ll get there.

I didn’t finish the article for reasons that escape me today, but when I wanted to return to the topic another year later, my hardware broke and so I had to postpone that again. My APU has since been fixed and even the old 16GB mSATA drive it originally came with replaced with a nice new one that has much more useful 512 GB of space – but I never found the time to even boot it up once since early 2020.

In late February 2021 I finally got around to install OPNsense on it again and thus get my own router back in business. I took notes but publishing this article was delayed for various reasons. Anyway, here we go! Let’s do a fully ZFS-based installation (which was not possible, yet in 2017).

Back in OPNsense land

When I first built my router, I had to be a bit creative to end up with an OPNsense installation that offered ZFS so that I could use a jails manager on it that depends on that filesystem. However it was only an additional pool for data. The actual system ran on UFS.

For a while now OPNsense does support booting from ZFS! I definitely want that, so let’s give it a try. I download a DVD image for OPNsense 21.1 and put that on my CD emulator device. Then I wire my APU up to my workstation via a serial cable and connect:

# cu -l /dev/cuaU0 -s 115200

Then I boot the machine up. As I’m using the DVD image, it’s configured for VGA mode. That means in my case I have to manually configure it for serial usage. This can be done conveniently in the loader in FreeBSD 12.2 and newer. However… OPNsense 21.1 is still based on version 12.1 where that option is not available, yet. Even though this is an older and in fact unsupported version, I cannot blame the project. They don’t use vanilla FreeBSD directly but are based on HardenedBSD instead, a close fork that is about hardening the code base.

While HardenedBSD has attracted enough attention and people to successfully form their own foundation, it’s still a small project with limited resources. And 12.1 is the only release from FreeBSD major version 12 that they support. If you like to support Open Source projects and have some spare money, consider donating. They are doing important work to move FreeBSD in the right direction!

So we have to do this the old way. Pressing ESC drops me at the loader prompt. Time to set some values and then boot:

set boot_serial=YES
set comconsole_speed=115200
set console=comconsole

Alright! Kernel is booting up and printing all messages to the serial console. It shouldn’t take too long before… Whoo! What’s this?

Mounting from cd9660:/dev/iso9660/12_1_RELEASE_AMD64_CD failed with error 19.

Good lord, I remember this! OPNsense 17.1 (or was it 16.7?) had a problem booting up on some USB3 ports. You had to use a workaround to be able to boot up to the installer… I totally expected that this would have been fixed by now. It’s been four years! *sigh*

I quickly tried out installing from a usb memory stick – but ran into the same problem. So what now? Back in the day I opened up the case and connected an adapter to be able to use an internal USB2 connector. Of course I could do that again. Except – I have no idea whatsoever where I put that before moving houses… A little research doesn’t exactly leave me in a much better mood: As of OPNsense 21.1 they’ve apparently not added an easy way to install to ZFS, yet. At this point I’m ready to question if this project was a good idea or if I should simply do something else.

But this is not as bad as you might think. Fortunately there’s a very simple way of achieving it anyway: Just install vanilla FreeBSD and then use a conversion script. As I had just completed a series on PXE-booting (and the PXE server still at hand), I chose to go down that route. Take a look at that article (and the previous two) if you’re interested in the PXE booting details or don’t understand something that I do in the next section.

On the very day I’m finally writing this article though, the OPNsense team has announced switching the installer for the upcoming version 21.7, making installation to ZFS a regular installation option. So that’s one thing to look forward to if you like ZFS but don’t want to use the bootstrap script. 🙂

Installing FreeBSD

So I boot up my PXE server. It was prepared to serve FreeBSD 12.2. It is a very bad idea to try to bootstrap OPNsense on a version of FreeBSD that’s newer than the one the firewall OS is based on. So for this special case I add FreeBSD 12.1 support on my PXE server:

# mkdir /usr/local/www/pxe/bsd/fbsd/amd64/12.1-RELEASE
# fetch -o /usr/local/www/pxe/bsd/fbsd/amd64/12.1-RELEASE/MANIFEST
# fetch -o /usr/local/www/pxe/bsd/fbsd/amd64/12.1-RELEASE/base.txz
# fetch -o /usr/local/www/pxe/bsd/fbsd/amd64/12.1-RELEASE/kernel.txz

By default, PXE-booting is disabled on the APU. So when turning on the device without any USB device attached to it, this is what I get on the serial console:

Press F10 key now for boot menu

Select boot device:

1. Payload [setup]
2. Payload [memtest]

So let’s see what options the setup has to offer:

Boot order - type letter to move device to top.

  d SATA
  c mSATA
  a USB
  e mPCIe1 SATA1 and SATA2
  f iPXE (disabled)

  r Restore boot order defaults
  n Network/PXE boot - Currently Disabled
  u USB boot - Currently Enabled
  t Serial console - Currently Enabled
  o UART C - Currently Enabled
  p UART D - Currently Enabled
  m Force mPCIe2 slot CLK (GPP3 PCIe) - Currently Disabled
  h EHCI0 controller - Currently Disabled
  l Core Performance Boost - Currently Enabled
  i Watchdog - Currently Disabled
  j SD 3.0 mode - Currently Disabled
  v IOMMU - Currently Disabled
  y PCIe power management features - Currently Disabled
  w Enable BIOS write protect - Currently Disabled
  x Exit setup without save
  s Save configuration and exit

Ok, using “n” I can enable PXE booting. Next time I get this message:

Press F10 key now for boot menu, N for PXE boot

Pressing N takes me to the iPXE boot menu. I quickly interfere to manually specify what to do instead of letting it automatically guess (and guess wrong). At the iPXE prompt I ask it to get an ip address and then chainload pxelinux like this:

iPXE> dhcp
Configuring (net0 00:0d:b9:42:67:64)...... ok
iPXE> chain pxelinux.0

There we are. As the mfsBSD image that I use is FreeBSD 12.2-based, I can set the console to serial in the loader (by pressing “5”) and then boot. Once the system is up, I login as root with the password mfsroot. Next is preparing the manifest and then starting the familiar FreeBSD installer:

# mkdir -p /usr/freebsd-dist
# fetch -o /usr/freebsd-dist/MANIFEST
# bsdinstall

I want a minimal, bare-bones FreeBSD system and thus choose to not install any optional distsets. When asked about the installation source, I pick “other” and enter as that’s where my PXE server offers the required files. Now I can install FreeBSD using root-on-ZFS and everything as I like it.

When the installation is done, I reboot.

Converting FreeBSD to OPNsense

I enter setup again and disable network booting. As this is 12.1 again, I need to manually enable the system for use with the serial console. So when the loader menu comes up, I escape to the loader prompt and again use the same commands as above to set the variables to the right values and then boot.

After logging in as root, I download the conversion script:

# fetch --no-verify-peer

again, we’re using 12.1 which is the last version without without a certificate trust store in the base system. I could install ca_root_nss, but I’m choosing to just not validate the TLS cert this one time (the bootstrap process will do it correctly then).

All that’s left to do now is running the script:

# sh
This utility will attempt to turn this installation into the latest
OPNsense 21.1 release.  All packages will be deleted, the base
system and kernel will be replaced, and if all went well the system
will automatically reboot.

Proceed with this action? [y/N]: y

It will then install packages and eventually the base system:

Fetching base-21.1.1-amd64.txz: ........................... done
Fetching kernel-21.1.1-amd64.txz: ....... done
!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
Installing kernel-21.1.1-amd64.txz... done
Installing base-21.1.1-amd64.txz... done
Please reboot.

Then it automatically reboots.

OPNing my senses

Settings for the serial console need to be entered again at the loader once more. Conversion worked like a charm: OPNsense boots up just fine. I’m starting over fresh here, so no configuration importer for me. But yes, I do want manual interface asignment.

For my box I do the following settings: No VLANs, manually configure: igb0 -> WAN, igb1 -> LAN, igb2 -> Opt

Once it’s done, I can connect from my workstation on the LAN to it by opening in a browser. Login credentials are user root & password opnsense (yes, the conversion script wiped whatever root password you chose before).

Then I complete the wizard which mostly means changing the login password. Afterwards I go to System -> Firmware -> Settings and change the Firmware Flavor from the default OpenSSL to LibreSSL (don’t forget to save). Next is checking for updates and updating the system.

The Web UI is nice and all, but I’m a keyboard and terminal person. So for convenience I add a new user for me. To do so, I go to System -> Access -> Users. Obviously a username is required. I don’t want a password for that user, so I leave that blank and check the box “Generate a scrambled password”. My login shell of choice is /bin/tcsh (as zsh is unfortunately not in FreeBSD’s base system). Since I need a privileged user, I add “admins” to the group memberships. Then I paste in my public SSH key (from ~/.ssh/ on my workstation – if you’re using a different algorithm use the correct file name for that) and save.

The last thing that I do for settings is allowing my user to actually SSH into the box. So I’m going to System -> Settings -> Administration. There I check the box “Enable Secure Shell” and set “Listen Interfaces” to “LAN”. I’m also allowing passwordless sudo for “wheel,admins”. After I saved the settings, let’s see if I can connect to the box via SSH and become root:

% ssh
Enter passphrase for key '/home/kraileth/.ssh/id_ed25519':
|      Hello, this is OPNsense 21.1          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website:        |         @@@\\\   ///@@@
| Handbook:   |       ))))))))   ((((((((
| Forums:  |         @@@///   \\\@@@
| Code:  |        @@@@         @@@@
| Twitter: |         @@@@@@@@@@@@@@@

% sudo -i
*** OPNsense.localdomain: OPNsense 21.1.1 (amd64/LibreSSL) ***


  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option:

There we go. Now it’s time to configure my firewall settings. As this is a topic of it’s own, I’m going to skip this here.


Just like 4 years ago, there are still some hurdles to overcome to install OPNsense on my router (especially the USB3 issue). There’s also the fact that it’s based on FreeBSD 12.1 instead of 12.2 which is not ideal. But again: I’m not really complaining about that; HardenedBSD chose to concentrate on 13.0 and taking the resources of their small team into account, this was a perfectly reasonable decision. But regarding things like base system certificates and especially console selection in the loader… Well, you adapt to nice new features incredibly fast, making things you had to do before that (and did for years!) a bit of a nuisance. 😉

I started with OPNsense 17.1, I think and did a lot of point release updates as well as a couple of major release upgrades before my hardware went bad during the 18.7 or early 19.1 life cycle, I think. It had never failed me. Being able to use root-on-ZFS today is definitely nice progress. Since I installed the system in early March, a couple of updates came out. It’s great to see how reliably everything still works. So I’d say that I’m back on track – and I’ll definitely have a couple of things that I want to achieve (and write about) this time. Stay tuned!

Women… in tech?! (And elsewhere)

[New to Gemini? Have a look at my Gemini FAQ.]

This article was bi-posted to Gemini and the Web; Gemini version is here: gemini://

This is kind of a sensible topic, I know. But being a person used to stand up for his beliefs, I take the risk of being shouted at. I’m well aware that I’m not going to make friends in either of the two “camps” that usually fight each other over the topic. As always, I’m more interested in a balanced view – which of course means to criticize all the various ideologies involved.

Why do I write this article?

In my previous post I wrote about the new campaign to cancel Richard Stallman who has returned to the Free Software Foundation’s board of directors. It involved all the common drama about him being “sexist”, “transphobic” and so on.

Quite some interesting things happened since I wrote said article: The support letter for RMS ended up with more than double the amount of people signing it compared to the original open letter pressing for his removal.

I’ve read a very interesting article written by two women who also chose to support RMS in this case. If you care about the topic, have a look at what Hannah Wolfman-Jones wrote about a year ago (including a statement by Nadine Strossen). Also a more recent support article has been published by Leah Rowe (a transgender person).

And it even seems like the FSF is not going to give in this time! Thus it looks like this campaign failed (let’s hope that will happen more often in the future).

Something less important also happened; I’m only going to mention it here because it’s the direct reason for me to write this article. A reader commented on the RMS article. I’ll cite the part here that made me promise a longer statement than would fit into another comment:

Thirdly I’ll add here it’s insulting as Hell so many of you only pretend to care about Neurodiversity when a man is accused of and or being a creep, support of woman with ASD being harassed by men is never even considered.

I do not “pretend to care” about Neurodiversity. I do care about life and about society. This involves a lot of things including what is sometimes labeled Neurodiversity. But there is a reason why I put it all that general: I don’t support adding so much more value to a single aspect of the great whole. People who only care about particularities often think that I’m hostile towards their concerns. Usually I’m not. I just refuse to neglect other important aspects for the (alleged) benefit of another.

Do I care for women?

This is a very strange question, but nevertheless an interesting one. Not so much because of what my answer tells about me. More so because of what it tells about a person who would seriously ask it. Why? Well, if it’s not a rhetorical question, the person asking at least thinks that some form of “no” could be the answer. Which means that he or she is willing to believe that I might suffer from a severe mental illness.

I have a mother. I have a wife. And in fact I have daughters. How on earth could I not care about women? But let’s say somebody doesn’t have the previous information. What scenarios are there where I could answer “no” as a sane person? I could be a monk in a monastery who maybe would not have contact with women ever again in his life. This is a pretty extreme example already (and some people would doubt the sanity of anyone making such a decision but that’s not the point). I’d still adore mother Mary and it would be my religious duty to pray for other people (where limiting that to other men would not make any sense at all). Or maybe I’m a hermit, sick of it all, going to live in the woods by myself. Another rather extreme example. Perhaps I really wouldn’t care about women. But certainly not specifically! I wouldn’t care about them because I stopped caring for anybody.

Think about less radical examples. If you don’t flee society completely, women are almost guaranteed to be part of your life at least indirectly. The woman at the bank or on the counter in the store? Even if you are a pretty selfish person you won’t care less for them than you do for anybody else around you that you have no closer relation to. I tried to find one but could not come up with a somewhat plausible case where anybody would specifically not care for women and I wouldn’t question this person’s sanity (like with e.g. some ultra-orthodox Jews. It’s simply mind-boggling to find out about their views and forms of life!).

Alright, I do care. But what does that mean? I grew up in a society that was very much hostile to women in many regards – but people didn’t see that (not just men, a lot of women didn’t see or didn’t want to see it either!). As a child I chased the ideas of chivalry that I knew from books because I believed in that. I admired women as they seemed to be free from a lot of typical male… let’s say: defects. I did not understand that they have their own. 😉

Nailing my colors to the mast

As a child and later as a young man I stood up for women e.g. when dirty jokes were told in all male groups. I was called names for that (e.g. “gelding” and such). It was difficult and my protests and actions did not have any actual effect. But I at least tried, eh? The fact that I never dated a girl (until I was a bit older and was finally thinking about starting a family) made some people suspect that I was secretly gay. Which of course made matters worse.

While I cannot deny that I did feel attracted to girls, my beliefs in what partnership should be set me apart from almost all males in my peer group. Not being interested in some cheap quick pleasure does have one very positive side though: It frees you from the requirements of the “hunter and prey” game, like constantly having to think about what lie you should tell a girl next to eventually bed her. So I was able to simply be honest when talking to women. And this allowed for some very interesting discussions that I wouldn’t want to have missed.

My observation is that many woman have a good sense for a certain kind of danger. When they feel safe, they behave differently and they also speak differently. Knowing this I learned to fully accept that there have to be women-only places (and that there’s no need to feel “excluded” for not being admitted). There simply is no male equivalent to this (which is perfectly understandable if you think about it).

When I still was in school, I participated in one compulsory optional subject as the only boy in class for a while (a month or so later another boy switched classes and came into the course). I found it a little strange (mostly in the sense of “unusual” but nothing more) for the first few days, but I soon basically forgot about it. Much later I have been in a reversed situation: For a while there was only one girl in an otherwise all male class. She understood the subjects well, got good marks in written tests – but was admittedly a bit shy in class. She would definitely not participate when fellow students got passionate (and thus a bit louder) about several topics. It probably would have been easier for her in a more balanced class.


The biggest problem that I saw and still see is popular culture. What picture of women is being conveyed? I mentioned jokes. Let me present one pathetic example that I still remember:

Why do women have legs? – So they don’t leave a slime tail on the floor!

Ha ha, very funny, isn’t it?

Here’s another example, this time from music: A song called “Polonäse Blankenese” was popular in my country when I was a child. The artist, Gottlieb Wendehals, was more of a comedian. You have to take that into account, but still. Here’s the translation of a piece of the chorus:

We’re setting off, taking very big steps
And Erwin from behind touches Heidi’s… shoulder
That lifts the spirits, delight emerges
And that’s for all to see now

What’s the deal? Well, the verses rhyme in German – except for “shoulder”. What would obviously rhyme with the German word for steps however is – tits.

While you can dismiss such things as harmless jokes (and I wouldn’t encourage anyone going hysteric over it), if something like this was very popular both on TV and folk festivals and such, it certainly helps characterize the spirit of that time.

Fast forward a couple of years. In the late 90’s we had the Bloodhound Gang and their album “Hooray for Boobies”. I’m well aware that – again – it’s meant to be funny, but also a little insensitive perhaps? There were songs like their “Three Point One Four” (didn’t get the word play with that title back then) played on parties or even on the radio. This brought us great lyrics like “I need to find a – new vagina; Any kind ‘o – new vagina!”. I’m not saying that toilet humor and the like needs to die, but I do question if it really needs to have a place in the mainstream where it’s hard to evade?

And as we all know, it didn’t get better but in fact much worse. It didn’t stop with (unconscious as I’d claim) “humor”. Today we have certain “Hip Hop” bands for example who completely objectify women and entirely reduce them to their genitals. While Wendehals in the early 1980s wouldn’t actually say “Tits” and it was “perky” enough to hint it, there’s no lack of way more abasing words in popular culture today.

A fellow metal head once played a “fun” song on his phone for all of us to laugh about. The point was that someone took a “Hip Hop” song’s very misogynous lyrics and used them in another song of a genre where such a thing is… not what you’d expect. While I actually think the performance is not such a bad idea at all (because thanks to the grotesque change in genre, people who got used to what “Hip Hop” is like might think again). I didn’t feel well in that situation, though – because there was a girl with us. Obviously my classmate didn’t even think that there might be a problem with lyrics (translated) about “what the cunts really want”. I asked her later what she thought about that. Her reply was: She can laugh about that, you simply have to grow a bit of a thick skin – there’s no point in being offended!

While she was right of course, I don’t think it really has to be that way. In that scene nobody intended to hurt anybody after all. It’s simply mindlessness, not bad will.

There are so many examples from everyday life one could write about. I do not agree with each and every scandal that certain people call “sexist”. But it’s not like there’s no problem at all. There is. Understanding that there is in fact a whole class of problems that many of us don’t even notice is a very good first step. The second would be helping people who don’t want to remain ignorant see them. Then we could start talking about possible ways out of this mess.


Especially in tech some men seem to think that this is their playground and that women should simply do something else. That’s a somewhat strange position to start with. But does anybody really think “fighting” (in the classical sense) that way of thinking can do any good? Attacking somebody forces that person to go into defense mode. Doing that is a lousy tactic when you want to change someone’s mind!

There are more forms of attacking than just telling somebody very frankly that he’s an idiot. One example is dragging women into tech to fulfill some kind of “quota”. When a woman gets the job not because of her skills but because being a woman that’s a very problematic situation. There are men who will hate her for this and the woman will suffer from it. She might also struggle with the job that she did not get because she was well fit for due to her education. What a great combination!

My wife doesn’t like tech. She’s annoyed by all those “outreach” programs and everything that – according to her – tries to lure more women into IT. A lot of men also loathe these programs because they feel excluded (something they are not used to!). I think that looking at this slightly differently would be helpful.

Most people have at least heard that the female and the male brain work differently. While we’re all individuals and there are always those that think / feel / work differently than their peers, in general there’s a “male approach” and a “female approach” to things. And no, the female approach is not simply the same thing in pink! I’m all for separating boys and girls in certain school subjects and teaching them differently. This will help both unlock their potential as much as possible. There is no “one size fits all”!

Referring to this for example when justifying the existence of women’s courses might meet much less resistance from men: There’s a logical reason for it after all (and not just obscure “feelings” that not too few men have problems taking serious)! Let’s forget about the fact that women often tend to feel uneasy when they are in a mostly male environment – at least for a moment. We can fix the problem without waving the red rag and making the bull mad.


This article is becoming too long already. I intended to write the main part of this article about history: The Germanic, Slavic and Celtic culture and the position of women in it. About how Judaism (not monotheism! The first known monotheistic religion of Jatin in Ancient Egypt – thanks to the damnatio memoriae of Amenhotep IV. better known to us today in its Greek form of Aton or Aten – did not devalue women!) planted a seed that fanatical Christian monks who identified women with “sin” helped grow. This led to prosecution of wise women and eradicated the old rights that they once had.

I thought to give the example how even the term “woman” changed in my native language: It used to be “Weib” (still “weiblich” means simply “female”). In Middle High German “wîb” actually meant woman or wife. Today it’s negatively connoted, more like hag. Today the neutral term for woman is “Frau”. This is derived from “frouwe” which originally addressed a noble woman. If you want to translate lady today, you use “Dame” – so we had to resort to French because the Germanic words for women were devalued over time… (As you can imagine, no such thing happened to the word for “man”.)

And I wanted to write about how I (still in school) stopped admiring women as the better humans when I realized that some are perfectly capable of acting in just as malicious ways: On a school trip some girls conspired against another girl, treating her cruelly enough that she had to quit the trip! There are good and bad people of both genders – and there’s a lot of levels of gray with most women just as with most men. Women are special and I appreciate that a lot. They certainly are not inferior to men but neither are they morally superior in general.

If you think that the previous sentence is wrong, I recommend doing a broader research on the topic. At least read a book about Catherine the Great. Study the conflict between Mary Stewart and Elizabeth I. Get familiar with the epoch of the Catholic church called “Saeculum obscurum” during which weak men were popes and it is said that they were controlled by their more clever fancy women. The term “pornocracy” (as in Rule of Harlots) was coined for this. Or take Countess Báthory into consideration… Life is complex and there have been a lot of strange things going on and continue to do so. Never think that a simplistic view of something will carry the whole truth!

Can we change our ways?

There are people – mostly men – who refuse to see a problem. It’s useless to try to force them into abandoning old ways. Let’s concentrate on raising awareness for the problem with people who are open to see it. Then let’s discuss ideas and possible solutions.

I am deeply convinced that any undue force will actually thwart the undertaking. Forget banning words, getting into reverse witch-hunting and so on. I’m not interested in slightly brightening up the face of the building that is today’s society. What I’d rather look for is the cure. And that can most likely only be found in a new attempt of accepting each other. From that mutual acceptance respect can grow (I’m not talking about “respect” here, the contemporary empty phrase worn-down beyond recognition!).

When my grandparents from the mother’s side passed, I came by an old wooden decoration plate. Its translation reads: “It’s better to talk to each other than to keep silent against each other”. There were conflicts within their marriage for sure, but they remained together “in good times and in bad times” and overcame them. This is the way, both in a relationship and in society in general.

Can those of us who at least have some good will please try to get along despite our differences in opinion on particular issues? The struggle between sexes is entirely pointless – what “victory condition” would either “side” define? Let’s try to relax towards both men and women who think that they have to participate in that struggle. If more of us start looking for understanding each other, for kindness and re-unification to advance society as a whole together – then the people who preach hate, hostility and division will lose. In addition to our efforts it will only take time.