Yesterday, we reported on the allegations made by Gregory Perry. He claims that 10 years ago, several developers were paid by the FBI to implement hidden backdoors into OpenBSD’s IPSEC stack. This has prompted a lot of speculation about the allegations’ validity, and less than 24 hours later, it has descended into one person’s word against that of others. Update: Jason Wright, too, denies all the allegations. “I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF). […] It is a baseless accusation the reason for which I cannot understand.”
Gregory Perry gave some additional background information to Robert McMillan, stating he did not intend for De Raadt to make the email public – although he doesn’t seem to object to it. The background he provides is incredibly detailed (too much to summarise – just read it yourself), which certainly does seem to lend some credibility to his claims. Then again, in this day and age, information is easy to come by.
He also details which parts of OpenBSD were considered targets. “The OCF was a target for side channel key leaking mechanisms, as well as pf (the stateful inspection packet filter), in addition to the gigabit Ethernet driver stack for the OpenBSD operating system,” Perry details, “All of those projects NETSEC donated engineers and equipment for, including the first revision of the OCF hardware acceleration framework based on the HiFN line of crypto accelerators.”
Perry further states that he also became the target of an official FISA investigation. “After I left NETSEC, I ended up becoming the recipient of a FISA-sanctioned investigation, presumably so that I would not talk about those various projects,” he explains, “My NDA recently expired so I am free to talk about whatever I wish.”
At least one person from Perry’s original allegations has denied any and all involvement. Perry mentioned Scott Lowe, and Brian Proffitt (best. Name. Ever.) decided to contact Scott Lowe – actually, he contacted two Scott Lowes, since there are two who fit the bill; these two Lowes have been mixed up before. Both of them denied the allegations made by Perry.
“Mr. Perry is mistaken. I am not, nor have I ever been, affiliated with or employed by the FBI or any other government agency. Likewise, I have not ever contributed a single line of code to OpenBSD; my advocacy is strictly due to appreciation of the project and nothing more,” Lowe 1 stated.
“I am not, nor have I ever been, on the FBI’s payroll, nor do I use or advocate the use of OpenBSD either personally or in my writing,” Lowe 2 stated.
So, we have a bit more background information from Perry, which might be of use to those investigating the case, and we have two Scott Lowes denying any involvement with the FBI. This is starting to sound like the start of an interesting, if rather boring, film (you know, because dramatic shots of people sending emails won’t draw the crowds).
alternatively … this entire thing is a plan to discourage baddies from using OpenBSD because it actually is one of the few OSes which resists surveillance …
Alternatively alternatively… It’s aliens.
First commit was June 24 2001.
Maybe, possibly, it was “considered” later. But most definitely not when this all allegedly started.
Also, nowhere in this “update” does it mention any actual backdoor implementations. Just “discussions” around possible methods that could be used.
Edited 2010-12-16 00:11 UTC
I was thinking the same thing. OpenBSD only recently (2001) switched to PF after some issue with IPFilter.
http://en.wikipedia.org/wiki/PF_%28firewall%29
Edited 2010-12-16 04:29 UTC
You might also want to mention Jason Wright’s response to the allegations…
http://marc.info/?l=openbsd-tech&m=129244045916861&w=2
… you know, ’cause of the commercialization of the film industry. The book can be laid out in TeX if you must. Also, it’s much less boring to READ about people sending emails than it is to watch them.
In the original e-mail, Mr. Perry said:
“My NDA with the FBI has recently expired”
The fact that he calls it an NDA tells me that he does not even know that the FBI grants you a security clearance. A security clearance from a government agency is much different than an NDA from a private company.
In the government, your security clearance expiring means that you no longer have access to classified information, but it does not mean you can now tell classified information. Doing so will get you in a lot of legal trouble, whether your “NDA” is valid or not.
Now let’s say that he did have a security clearance, and merely just told De Raadt it was an NDA to avoid confusion.
Information like this would certainly be classified. If his story does check out, he will get into a LOT of legal trouble with the US government for leaking classified information.
Considering that this has not been a quiet incident and I have yet to see a response from the US government, I very much doubt the validity of this story.
Skepticism’s been booted out of me and in its place … an empty cup. Anything’s possible.
At the risk of sounding like a conspiracy theorist, there would be no better way to validate the story than for the government to act and, assuming they were trying to get back doors into OpenBSD, it would be a surefire way to get the majority of users to stop using it and thereby render all their hard work useless. On the other hand, by strategically ignoring this even if it is true, they would essentially have deniability without actually having to deny anything, as well as casting extreme doubt on the validity of this guy’s accusations. Granted that would be more subtlety than most recent administrations have shown, but hey, anything’s possible especially with our world-police-wannabe government. Of course, the entire thing could be complete shite. I’m not ruling either possibility out at this stage.
In the original e-mail, he starts it off with “My NDA with the FBI has recently expired”. This is saying “now that I am no longer obligated to keep FBI secrets….”. For this to be true, he did at one point comply with the fact that he couldn’t tell people about what he did, and now thinks he is legally allowed to do so.
The “NDA” he signed would not allow him to talk about the information for the rest of his life. I highly doubt the FBI would let him think that he is free to tell information just because his “NDA” expired.
The person either has a serious misunderstanding of how government “NDA”s work and just got himself into a lot of legal trouble, or he is fabricating the story.
Yep, the reason I didn’t discard this out of hand was that the guy gave his name and he named names and dates. Unless he is an attention-whore/compulsive liar, what would his motives be in spreading misinformation? To discredit OpenBSD and himself in the process? The code audit will (hopefully) set the record straight. Meanwhile we can all just speculate, but like DarkNexus I’m not ruling anything out at this stage, the world certainly is crazy enough for this to be true.
To dovetail what you said, I think the government requires you to sign a lifetime NDA anyway, so if your clearance lapses, that only governs your access to data, not your ability to disseminate it.
Did anyone check wikileaks?
Just kidding!
I think the first step should be to validate Gregory Perry’s claims that he was actually involved in something. For instance can he produce an actual copy of the ‘NDA’? Can he show pay stubs? Can he name names in the FBI? Etc.
Alternatively, someone should file a Freedom of Information Act motion with the US government and see if there is substance to this claim.
This would help rule out a lot of conspiracy possibilities.
Since it’s OpenBSD one should use the new OpenLeaks
Hi,
I mean, I understand that the IP stack and all the related networking stuff are surely somewhat complex. But I assume that there are enough OpenBSD developers available to scrutinize the affected code areas now.
Why hasn’t this happened yet and why are we still left in the dark?
Is the code really that extensive that it would take weeks to check it?
Everything else is just pure speculation!
Adrian
Have you read Theo de Raadt’s answer?
Also, please read the very end of this link:
http://marc.info/?l=freebsd-security&m=129247685124261&w=2
Let me guess, you are not a programmer or you don’t know networking/crypto.
Because what is most likely going on is that the people funded by the FBI made a small mistake in the implementation of the IPSEC-protocol/crypto algorithm.
Or some part of a network-hardware driver which includes part of a key in the IPSEC-stream.
That is not something which can be checked in a few hours. It will take weeks, maybe months.
You have to remember they are not looking for something which is wrong, they are checking if everything is right.
Checking for things which are wrong is useless in this case.
Buhhhhh…. I thought that many eyes makes open source more secuuuuuuuuuuuuure …. btw, the emperor isn’t wearing any clothes.
Hahahaha, mod me down. This is a perfect example of the conflict between many eyes and eyes that are actually reading the code.
It’s actually a perfect example of you being a troll. Go away.
Yeah, so perfect that there’s no proof yet of any backdoor actually existing, while on the other hand the “expired 10 year NDA” sounds like BS.
Tomcat, you are so eager to troll that more often than not you give it away too easily
Exactly right; _IF_ the “Feds” did do it, the strategy would not be to engineer in a straightforward passkey (as they had envisioned with the “Clipper” chip…), but just a weakness, much in the same way that Bletchley Park had used to break Enigma; cf. WWII German Enigma Information Security and its Weaknesses [ http://www.cromwell-intl.com/security/history/enigma.html ] Knowing the weakness, the NSA can then decrypt messages; few else will be able to since they don’t know the weakness and probably don’t have the computing power hooked up to Internet traffic that the NSA does.
I think that the person here will have to back up his allegations with a little more than guesses and speculation or else be justly liable for a tremendous legal backlash (e.g., the specific weakness that can be shown to have been contributed by the Fed code donors, and _at least_ proof, by multiple cryptanalysts of standing, that knowledge of the weakness and use of a specific practical quantity of computing power decrypts the traffic)
It would not shock me if the Feds did it; it would have been well intentioned, but quite foolish given the longer-term consequences for the US if+when it gets found out (unless when it does, it can be shown by the US that it had saved lives -good luck with that…)
My biggest problem with the Patriot Act+NSA’s eavesdropping policies; nowhere do they discuss any _real_ oversight. And the press at large are COMPLETELY not doing their job laying it out for non-techs to understand.
For example: you work at NSA; you don’t get paid a hell of a lot (though you should…) You look at traffic pertaining to a huge financial deal that’s going down. You act on that info (through anonymous proxies, of course…) to score zillions of dollars. What, because you might be military or have many years working for the NSA, that’s unthinkable? I know Cheney’s people thought so!
The only Senator to challenge these naivetes in the legislative code pertaining to eavesdropping was Russ Feingold; and he just lost reelection.
Here in the States we now live in a crypto-oligarchy; the government secretly (and of course sometimes not-so-secretly!) serves the interests of the super-rich. There are battles for Justice for all that are won by some dedicated federal law enforcement agents; but when a Big Money interest is threatened, they make the call to their man in Congress, the DOJ, or the White House and get their interests protected -Justice be damned. Many here in the States thought that after the Saturday Night Massacre [ http://en.wikipedia.org/wiki/Saturday_Night_Massacre ] that the DOJ was politically inviolable; Gonzales+Abramoff hearings, anybody?
P.S. On the related note of State actors who undertake cyberintelligence gathering/cyberwarfare; there was some speculation some weeks back about who was behind the Stuxnet virus (it had code specifically engineered to mess up Iranian nuke equipment…) In my technical opinion it was _not_ the US; that move was very risky and the US is shy about high risk intelligence _actions_ (intelligence gathering is quite another story…) By releasing that worm it may have slowed down the Iranians, but it causes a bunch of other problems (e.g., the release in the wild educates cyber criminals at large in how to perpetrate more cyber crime). So it was a State actor who was concerned about just their interests in combatting Iran, and the broader interests of all others on the planet be damned.
Not that _I_ want to see Iran get nukes! But I think we have to grow up now and acknowledge that that “train left the station” when Khan (the Pakistani nuclear scientist…) was given the access he was, decades ago. Hence the news items you see released just today about sobering discussions, once more, of what we should do when a nuke goes off…
In this post I’m going to mirror Theo “the Rant”
Sort of mimic his demeanor against other os’s.
http://www.forbes.com/2005/06/16/linux-bsd-unix-cz_dl_0616theo.html
OpenBSD is a real cheap hackjob.
People don’t realise how bad it is, it’s terrible.
It is garbage and somebody should fix it.
is of course, that someone is lying.
Who it is I could care less about.
_Why_ they are is far more interesting.
-Hack
I suspect that you’ll never find out. If he has all the google hit points building his ranking he’s not going to say anything.
Meanwhile here is what an OpenBSD developer (Marc Espie) posted today:
I’m not going to comment on the mail itself, but I’ve seen a lot of incredibly dubious articles on the net over the last few days.
– use your brains, people. Just because a guy does say so doesn’t mean there’s a backdoor. Ever heard about FUD ?
– of course OpenBSD is going to check. Geeez!! what do you think ?
– why would OpenBSD be in trouble ? where do you think *all the other IPsec implementations* come from ? (hint: 10 years ago, what was the USofA view on cryptography exports ? where is OpenBSD based. Second hint: Canada != UsOfA).
– why would the FBI only target OpenBSD ? if there’s a backhole in OpenBSD, which hosts some of the most paranoid Opensource developers alive, what do you think is the likelihood similar backholes exist in, say, Windows, or MacOs, or Linux (check where their darn IPsec code comes from, damn it!)
I know that a lot of the guys reading tech@ are intelligent enough to *know* all the rather obvious things I’m stating here, but it’s looking like a lot of stupid, stupid web sites are using this as their *only* source of information, and do not engage their brain): if you read French, go check http://www.macgeneration.com/news/voir/180982/un-systeme-espion-du-… and be amazed at how clueless those writers are.
Just on the off chance that those idiots will read this, and realize how stupid their generalizations are. Theo was careful enough to state facts, and I’m a huge fan of what he’s done (he’s decided to go fully open with this, which was a tough decision).
I don’t see why this would impact OpenBSD negatively without affecting any other OS… especially until we actually get proof…
And that, in my book, is the most realistic comment yet seen.
Edited 2010-12-17 02:30 UTC
It should be obvious for anyone with half a brain who is lying.
Anyone check the share price of Microsoft? What was the reason that he released this info and could it affect a market on a small scale where money could be made?
Sorry just fishing…
Edited 2010-12-17 02:58 UTC