Linked by Thom Holwerda on Wed 15th Dec 2010 23:34 UTC, submitted by Oliver
Yesterday, we reported on the allegations made by Gregory Perry. He claims that 10 years ago, several developers were paid by the FBI to implement hidden backdoors into OpenBSD's IPSEC stack. This has prompted a lot of speculation about the allegations' validity, and less than 24 hours later, it has descended into one person's word against that of others. Update: Jason Wright, too, denies all the allegations. "I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF). [...] It is a baseless accusation the reason for which I cannot understand."
alternatively ...
by project_2501 on Wed 15th Dec 2010 23:54 UTC
project_2501
Member since:
2006-03-20

alternatively ... this entire thing is a plan to discourage baddies from using OpenBSD because it actually is one of the few OSes which resists surveillance ...

Reply Score: 5

RE: alternatively ...
by Thom_Holwerda on Wed 15th Dec 2010 23:55 UTC in reply to "alternatively ..."
Thom_Holwerda Member since:
2005-06-29

Alternatively alternatively... It's aliens.

Reply Score: 5

pf didn't exist 10 years ago
by phoenix on Thu 16th Dec 2010 00:09 UTC
phoenix
Member since:
2005-07-11

First commit was June 24 2001.

Maybe, possibly, it was "considered" later. But most definitely not when this all allegedly started.

Also, nowhere in this "update" does it mention any actual backdoor implementations. Just "discussions" around possible methods that could be used.

Edited 2010-12-16 00:11 UTC

Reply Score: 3

RE: pf didn't exist 10 years ago
by bforest on Thu 16th Dec 2010 04:24 UTC in reply to "pf didn't exist 10 years ago"
bforest Member since:
2010-12-16

I was thinking the same thing. OpenBSD only recently (2001) switched to PF after some issue with IPFilter.

http://en.wikipedia.org/wiki/PF_%28firewall%29

Edited 2010-12-16 04:29 UTC

Reply Score: 1

Jason Wright's Response
by Bink on Thu 16th Dec 2010 00:22 UTC
Bink
Member since:
2006-02-19

You might also want to mention Jason Wright's response to the allegations...

http://marc.info/?l=openbsd-tech&m=129244045916861&w=2

Reply Score: 5

Perhaps a book
by dacresni on Thu 16th Dec 2010 03:03 UTC
dacresni
Member since:
2009-08-26

... you know, cause of the commercialization of the film industry. The book can be laid out in Tex if you must. Also, it's much less boring to READ about people sending emails than it is to watch them.

Reply Score: 0

I am very skeptical...
by kop316 on Thu 16th Dec 2010 05:08 UTC
kop316
Member since:
2006-07-01

In the original e-mail, Mr. Perry said:

"My NDA with the FBI has recently expired"

The fact that he calls it an NDA tells me that he does not even know that the FBI grants you a security clearance. A security clearance from a government agency is much different than an NDA from a private company.

In the government, your security clearance expiring means that you no longer have access to classified information, but it does not mean you can now tell classified information. Doing so will get you in a lot of legal trouble; whether your "NDA" is valid or not.

Now let's say that he did have a security clearance, and merely just told De Raadt it was an NDA to avoid confusion.

Information like this would certainly be classified. If his story does check out, he will get into a LOT of legal trouble with the US government for leaking classified information.

Considering that this has not been a quiet incident and I have yet to see a response from the US government; I very much doubt the validity of this story.

Reply Score: 4

RE: I am very skeptical...
by rebel787 on Thu 16th Dec 2010 08:08 UTC in reply to "I am very skeptical..."
rebel787 Member since:
2007-01-13

Skepticism's been booted out of me and in its place ... an empty cup. Anything's possible.

Reply Score: 2

RE: I am very skeptical...
by darknexus on Thu 16th Dec 2010 08:54 UTC in reply to "I am very skeptical..."
darknexus Member since:
2008-07-15

Considering that this has not been a quiet incident and I have yet to see a response from the US government; I very much doubt the validity of this story.


At the risk of sounding like a conspiracy theorist, there would be no better way to validate the story than for the government to act and, assuming they were trying to get back doors into OpenBSD, would be a sure-fire way to get the majority of users to stop using it and thereby rendering all their hard work useless. On the other hand, by strategically ignoring this even if it is true, they would essentially have deniability without actually having to deny anything, as well as casting extreme doubt on the validity of this guy's accusations. Granted that would be more subtlety than most recent administrations have shown, but hey, anything's possible especially with our world-police-wannabe government. Of course, the entire thing could be complete shite. I'm not ruling either possibility out at this stage.

Reply Score: 5

RE[2]: I am very skeptical...
by kop316 on Thu 16th Dec 2010 14:11 UTC in reply to "RE: I am very skeptical..."
kop316 Member since:
2006-07-01

In the original e-mail, he starts it off with "My NDA with the FBI has recently expired". This is saying "now that I am no longer obligated to keep FBI secrets....". For this to be true, he did at one point comply with the fact that he couldn't tell people about what he did, and now thinks he is legally allowed to do so.

The "NDA" he signed would not allow him to talk about the information for the rest of his life. I highly doubt the FBI would let him think that he is free to tell information just because his "NDA" expired.

The person either has a serious misunderstanding of how government "NDA"s work and just got himself into a lot of legal trouble; or he is fabricating the story.

Reply Score: 2

RE[2]: I am very skeptical...
by Valhalla on Thu 16th Dec 2010 14:26 UTC in reply to "RE: I am very skeptical..."
Valhalla Member since:
2006-01-24


Of course, the entire thing could be complete shite. I'm not ruling either possibility out at this stage.


Yep, the reason I didn't discard this out of hand was that the guy gave his name and he named names and dates. Unless he is an attention-whore/compulsive liar, what would his motives be in spreading misinformation? To discredit OpenBSD and himself in the process? The code audit will (hopefully) set the record straight. Meanwhile we can all just speculate, but like DarkNexus I'm not ruling anything out at this stage, the world certainly is crazy enough for this to be true.

Reply Score: 2

RE: I am very skeptical...
by LighthouseJ on Thu 16th Dec 2010 13:39 UTC in reply to "I am very skeptical..."
LighthouseJ Member since:
2009-06-18

To dovetail what you said, I think the government requires you to sign a lifetime NDA anyway, so if your clearance lapses, that only governs your access to data, not your ability to disseminate it.

Reply Score: 1

RE: I am very skeptical...
by Tuishimi on Thu 16th Dec 2010 14:49 UTC in reply to "I am very skeptical..."
Tuishimi Member since:
2005-07-06

Did anyone check wikileaks?

Just kidding!

Reply Score: 2

RE[2]: I am very skeptical...
by AndrewZ on Thu 16th Dec 2010 15:37 UTC in reply to "RE: I am very skeptical..."
AndrewZ Member since:
2005-11-15

I think the first step should be to validate Gregory Perry's claims that he was actually involved in something. For instance can he produce an actual copy of the 'NDA'? Can he show pay stubs? Can he name names in the FBI? Etc.

Alternatively, someone should file a Freedom of Information Act motion with the US government and see if there is substance to this claim.

This would help rule out a lot of conspiracy possibilities.

Reply Score: 3

RE[2]: I am very skeptical...
by olefiver on Thu 16th Dec 2010 17:11 UTC in reply to "RE: I am very skeptical..."
olefiver Member since:
2008-04-04

Since it's OpenBSD one should use the new OpenLeaks ;)

Reply Score: 2

Why haven't they checked the code yet?
by toast88 on Thu 16th Dec 2010 09:31 UTC
toast88
Member since:
2009-09-23

Hi,

I mean, I understand that the IP stack and all the related networking stuff are surely somewhat complex. But I assume that there are enough OpenBSD developers available to scrutinize the affected code areas now.

Why hasn't this happened yet and why are we still left in the dark?

Is the code really that extensive that it would take weeks to check it?

Everything else is just pure speculation!

Adrian

Reply Score: 0

Melicerte Member since:
2006-08-29

Have you read Theo de Raadt's answer?

I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public so that
(a) those who use the code can audit it for these problems,
(b) those that are angry at the story can take other actions,
(c) if it is not true, those who are being accused can defend themselves.

Also, please read the very end of this link:
http://marc.info/?l=freebsd-security&m=129247685124261&w=2

Reply Score: 3

Lennie Member since:
2007-09-22

Let me guess, you are not a programmer or you don't know networking/crypto.

Because what is most likely going on is that the people funded by the FBI made a small mistake in the implementation of the IPSEC-protocol/crypto algorithm.

Or some part of a network-hardware driver which includes part of a key in the IPSEC-stream.

That is not something which can be checked in a few hours. It will take weeks, maybe months.

You have to remember they are not looking for something which is wrong, they are checking if everything is right.

Checking for things which are wrong is useless in this case.

Reply Score: 7

callinyouin Member since:
2008-12-15

It's actually a perfect example of you being a troll. Go away.

Reply Score: 1

ichi Member since:
2007-03-06

Yeah, so perfect that there's no proof yet of any backdoor actually existing, while on the other hand the "expired 10 year NDA" sounds like BS.

Tomcat, you are so eager to troll that more often than not you give it away too easily ;)

Reply Score: 2

RightsOfMan Member since:
2010-12-17

...That is not something which can be checked in a few hours. It will take weeks, maybe months...


Exactly right; _IF_ the "Feds" did do it, the strategy would not be to engineer in a straightforward passkey (as they had envisioned with the "Clipper" chip...), but just a weakness, much in the same way that Bletchley Park had used to break Enigma; cf. WWII German Enigma Information Security and its Weaknesses [ www.cromwell-intl.com/security/history/enigma.html ] Knowing the weakness, the NSA can then decrypt messages; few else will be able to since they don't know the weakness and probably don't have the computing power hooked up to Internet traffic that the NSA does.

I think that the person here will have to back up his allegations with a little more than guesses and speculation or else be justly liable for a tremendous legal backlash (e.g., the specific weakness that can be shown to have been contributed by the Fed code donors, and _at least_ proof, by multiple cryptanalysts of standing, that knowledge of the weakness and use of a specific practical quantity of computing power decrypts the traffic)

It would not shock me if the Feds did it; it would have been well intentioned, but quite foolish given the longer-term consequences for the US if+when it gets found out (unless when it does, it can be shown by the US that it had saved lives -good luck with that...)

My biggest problem with the Patriot Act+NSA's eavesdropping policies; nowhere do they discuss any _real_ oversight. And the press at large are COMPLETELY not doing their job laying it out for non-techs to understand.

For example: you work at NSA; you don't get paid a hell of a lot (though you should...) You look at traffic pertaining to a huge financial deal that's going down. You act on that info (through anonymous proxies, of course...) to score zillions of dollars. What, because you might be military or have many years working for the NSA, that's unthinkable? I know Cheney's people thought so!

The only Senator to challenge these naivetes in the legislative code pertaining to eavesdropping was Russ Feingold; and he just lost reelection.

Here in the States we now live in a crypto-oligarchy; the government secretly (and of course sometimes not-so-secretly!) serves the interests of the super-rich. There are battles for Justice for all that are won by some dedicated federal law enforcement agents; but when a Big Money interest is threatened, they make the call to their man in Congress, the DOJ, or the White House and get their interests protected -Justice be damned. Many here in the States thought that after the Saturday Night Massacre [ http://en.wikipedia.org/wiki/Saturday_Night_Massacre ] that the DOJ was politically inviolable; Gonzales+Abramoff hearings, anybody?

P.S. On the related note of State actors who undertake cyberintelligence gathering/cyberwarfare; there was some speculation some weeks back about who was behind the Stuxnet virus (it had code specifically engineered to mess up Iranian nuke equipment...) In my technical opinion it was _not_ the US; that move was very risky and the US is shy about high risk intelligence _actions_ (intelligence gathering is quite another story...) By releasing that worm it may have slowed down the Iranians, but it causes a bunch of other problems (e.g., the release in the wild educates cyber criminals at large in how to perpetrate more cyber crime). So it was a State actor who was concerned about just their interests in combatting Iran, and the broader interests of all others on the planet be damned.

Not that _I_ want to see Iran get nukes! But I think we have to grow up now and acknowledge that that "train left the station" when Khan (the Pakistani nuclear scientist...) was given the access he was, decades ago. Hence the news items you see released just today about sobering discussions, once more, of what we should do when a nuke goes off...

Reply Score: 3

hackus
Member since:
2006-06-28

is of course, that someone is lying.

Who it is I could care less about.

_Why_ they are is far more interesting.

-Hack

Reply Score: 1

YALoki Member since:
2008-08-13

I suspect that you'll never find out. If he has all the google hit points building his ranking he's not going to say anything.

Meanwhile here is what an OpenBSD developer (Marc Espie) posted today:

I'm not going to comment on the mail itself, but I've seen a lot of incredibly
dubious articles on the net over the last few days.

- use your brains, people. Just because a guy does say so doesn't mean there's
a backdoor. Ever heard about FUD ?

- of course OpenBSD is going to check. Geeez!! what do you think ?

- why would OpenBSD be in trouble ? where do you think *all the other IPsec
implementations* come from ? (hint: 10 years ago, what was the USofA view on
cryptography exports ? where is OpenBSD based. Second hint: Canada != UsOfA).

- why would the FBI only target OpenBSD ? if there's a backhole in OpenBSD,
which hosts some of the most paranoid Opensource developers alive, what do
you think is the likelihood similar backholes exist in, say, Windows, or
MacOs, or Linux (check where their darn IPsec code comes from, damn it!)


I know that a lot of the guys reading tech@ are intelligent enough to *know*
all the rather obvious things I'm stating here, but it's looking like a lot
of stupid, stupid web sites are using this as their *only* source of
information, and do not engage their brain): if you read french, go check
http://www.macgeneration.com/news/voir/180982/un-systeme-espion-du-...
and be amazed at how clueless those writers are.

Just on the off chance that those idiots will read this, and realize how
stupid their generalizations are. Theo was careful enough to state facts,
and I'm a huge fan of what he's done (he's decided to go fully open with
this, which was a tough decision).
I don't see why this would impact OpenBSD negatively without affecting any
other OS... especially until we actually get proof...


And that, in my book, is the most realistic comment yet seen.

Edited 2010-12-17 02:30 UTC

Reply Score: 3

Soulbender Member since:
2005-08-18

It should be obvious for anyone with half a brain who is lying.

Reply Score: 2

MSFT Shareprice
by Bustanut on Fri 17th Dec 2010 02:57 UTC
Bustanut
Member since:
2009-09-04

Anyone check the share price of Microsoft? What was the reason that he released this info and could it affect a market on a small scale where money could be made?

Sorry just fishing...

Edited 2010-12-17 02:58 UTC

Reply Score: 1