FBI Alleged To Have Backdoored OpenBSD's IPSEC Stack
Aggrajag and Mortimer.CA, among others, wrote to inform us that Theo de Raadt has made public an email sent to him by Gregory Perry, who worked on the OpenBSD crypto framework a decade ago. The claim is that the FBI paid contractors to insert backdoors into OpenBSD's IPSEC stack. Mr. Perry is coming forward now that his NDA with the FBI has expired. The code was originally added ten years ago, and over that time has changed quite a bit, "so it is unclear what the true impact of these allegations are" says Mr. de Raadt. He added: "Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products." (Freeswan and Openswan are not based on this code.)
They be backdooring everybody out there
I hope all three system admins still using OpenBSD have been notified.
Or not.
Many eyes make FOSS software invulnerable to this sort of attack?
Not trying to troll here, but seriously people should be doing more audits, especially themselves.
If this has been there for ten years, then this is ten years too late in spotting it.
I dream of a nation where a man is not judged by his skin color but by a number assigned by a credit rating agency.
Brutal ...
I for one welcome our FBI Hacker Overlords !
God Bless thy Holy Christian Empire ! HOO RA !
...then it wasn't even part of the post 9/11 hysteria.
You are not alone. This is not normal. None of this is normal.
Why engage in mass speculation? Check out the code from the time period in question and audit it for a back door. I don't know why everyone should get up in arms over an allegation that may very well be unfounded.
Are these the guys that are supposed to be secure because they audit their code?
In Soviet Russia, BSD backdoors FBI!
Hmmmm...maybe it wasn't all bad.
Which *BSD was OSX built from, again?
So long as they're using it in accordance with legitimate practices, this shouldn't raise any concerns.
and probably no more NDA'd fed goon contributors in a heck of a long time!
Just disrupt the deflector shield with a tachyon burst.
This is slashdot, the most anyone actually ever does is rise up from their Cheetos-encrusted trance and yell out "TACO IS TEH SUXOR!" and then collapse back down into a greasy heap, only to be revived by a timely swig of lukewarm store brand grape soda.
Open by nature.
Considering OpenBSD has performed extensive code audits and this is part of the core code, this is going to bring the argument about the importance of security code audits to the forefront.
They have their place, but...10 years and by one of the most anal-retentive, paranoid coding groups out there. Ouch.
Learning HOW to think is more important than learning WHAT to think.
It would be the NSA doing this and they wouldn't require an NDA that would expire. Such an agreement would be that it never would be revealed. Sounds like a hoax.
You have to remember that something like that wouldn't be in the code with a /*evil shit goes here*/ before it. To have survived it would need to be well hidden. The idea that you can just look at code and find problems is false. I mean were that the case, no software would ever have any bugs.
So to find it could take a lot of work, even when you know there is something to look for.
This presumes, of course, there IS something to look for and this isn't just some guy making shit up. I'm leaning more towards that option since I don't see why the FBI wouldn't have a longer NDA. Classified material is generally done for 50 years, and something like that would surely be classified.
Because mass speculation is fun!
More seriously, some of the code obfuscation competitions out there show that code auditing alone may not be enough to track down every vulnerability - a single dedicated enough individual can probably slip something past that's too subtle to notice, especially if they're making a lot of 'good' commits at the same time.
Now realise that the article suggests that there may have been several people at this and the problem becomes evident.
Basically, over reliance on the 'many eyes' security model has always been futile.
That email is one huge CLM for Mr. Perry...
from ftp://ftp.nluug.nl/pub/metalab/docs/linux-doc-project/linuxfocus/English/Archives/lf-2003_03-0273.html
I often like to point out an incomprehensible weakness of the protocol concerning the "padding" (known as covered channel): in both version 1 and 2 the packets have a length which is a multiple of 64 bits, and are padded with a random number. This is quite unusual and therefore sparing a classical fault that is well known in encrypting products: a "hidden" (or "subliminal") channel. Usually, we "pad" with a verified sequence as for example, give the value n for the byte rank n (self describing padding). In SSH, the sequence being (by definition) randomized, it cannot be checked. Consequently, it is possible that one of the parties communicating could pervert / compromise the communication for example used by a third party who is listening. One can also imagine a corrupted implementation unknown by the two parties (easy to realize on a product provided with only binaries as generally are commercial products). This can easily be done and in this case one only needs to "infect" the client or the server. To leave such an incredible fault in the protocol, even though it is universally known that the installation of a covered channel in an encryption product is THE classic and basic way to corrupt the communication, seems unbelievable to me. It can be interesting to read Bruce Schneier's remarks concerning the implementation of such elements in products influenced by government agencies. (http://www.counterpane.com/crypto-gram-9902.html#backdoors).
I will end this topic with the last bug I found during the portage of SSH to SSF (French version of SSH), it is in the coding of Unix versions before 1.2.25. The consequence was that the random generator produced ... predictable... results (this situation is regrettable in a cryptographic product, I won't go into the technical details but one could compromise a communication while simply eavesdropping). At the time SSH's development team had corrected the problem (only one line to modify), but curiously enough without sending any alert, not even a mention in the "changelog" of the product... one wouldn't have wanted it to be known, he wouldn't have acted differently. Of course there is no relationship with the link to the above article.
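The padding argument in the quoted article, as an added illustration (constructed example code, not from OpenSSH, SSF or OpenBSD): a receiver can verify self-describing padding byte by byte, while with random padding there is nothing to compare against, so any content in the padding area passes. The packet layout, block size of 8 bytes and the 4-byte length prefix are assumptions made for the demo.

```python
"""Self-describing padding can be verified by the receiver; random padding cannot.

Constructed packet layout (assumption for this demo, not SSH's exact format):

    [4-byte big-endian payload length][payload][1..8 bytes of padding]

with the whole packet a multiple of 64 bits (8 bytes), as the quoted text
describes. Padding byte at rank n carries the value n (self-describing), or
random bytes, which is the case the article criticises.
"""
import os
import struct

BLOCK = 8    # 64-bit blocks, per the quoted description of SSH v1/v2
HEADER = 4   # constructed: payload length prefix


def padding_length(payload_len: int) -> int:
    """Number of padding bytes so the packet is a multiple of BLOCK (1..BLOCK)."""
    return BLOCK - ((HEADER + payload_len) % BLOCK)


def pad_self_describing(payload: bytes) -> bytes:
    """Pad with bytes 1, 2, ..., n so that every padding byte is predictable."""
    n = padding_length(len(payload))
    return struct.pack("!I", len(payload)) + payload + bytes(range(1, n + 1))


def pad_random(payload: bytes) -> bytes:
    """Pad with random bytes, as the quoted text says SSH does."""
    n = padding_length(len(payload))
    return struct.pack("!I", len(payload)) + payload + os.urandom(n)


def _split(packet: bytes):
    """Return (payload, padding) after structural checks common to both schemes."""
    if len(packet) < HEADER or len(packet) % BLOCK != 0:
        raise ValueError("packet is not a whole number of 64-bit blocks")
    (plen,) = struct.unpack("!I", packet[:HEADER])
    padding = packet[HEADER + plen:]
    if plen > len(packet) - HEADER or not (1 <= len(padding) <= BLOCK):
        raise ValueError("length field inconsistent with packet size")
    return packet[HEADER:HEADER + plen], padding


def unpad_self_describing(packet: bytes) -> bytes:
    """Receiver check: every padding byte must equal its rank, else reject."""
    payload, padding = _split(packet)
    if padding != bytes(range(1, len(padding) + 1)):
        raise ValueError("padding does not match the self-describing sequence")
    return payload


def unpad_random(packet: bytes) -> bytes:
    """Receiver 'check' for random padding: nothing to compare against, so any
    padding content is accepted. This is the subliminal channel the article means."""
    payload, _padding = _split(packet)
    return payload


def replace_padding(packet: bytes, filler: bytes) -> bytes:
    """Simulate a non-conforming sender writing its own bytes into the padding
    area (constructed for the demo; packet length is unchanged)."""
    payload, padding = _split(packet)
    if len(filler) != len(padding):
        raise ValueError("filler must exactly fill the padding area")
    return packet[:HEADER + len(payload)] + filler


def receiver_detects_odd_padding(scheme: str, payload: bytes, filler: bytes) -> bool:
    """True if the receiver for `scheme` rejects a packet whose padding was replaced."""
    if scheme == "self-describing":
        packet, unpad = pad_self_describing(payload), unpad_self_describing
    elif scheme == "random":
        packet, unpad = pad_random(payload), unpad_random
    else:
        raise ValueError(scheme)
    try:
        unpad(replace_padding(packet, filler))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = b"hello"                                  # constructed sample payload
    filler = b"\xAA" * padding_length(len(msg))     # constructed non-conforming padding
    print("self-describing rejects replaced padding:",
          receiver_detects_odd_padding("self-describing", msg, filler))  # True
    print("random padding rejects replaced padding:",
          receiver_detects_odd_padding("random", msg, filler))           # False
```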
So; this is going to be interesting. Imagine there were no back doors; how would you prove it? Want to discredit OpenBSD; that's how you would do it. Assume there are backdoors; now we have the first known clear example of illegally placed malware by a US Govt. group. The FBI is not the NSA, but they definitely have access to good people. Assume this was rogue players. Warrantless wiretapping against US Govt. lawyers! In the absence of any pointer to relevant code, I would go with it being FUD, but I expect to be proved wrong.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
Well, I would HOPE that if they've secretly cracked all the crypto then they can monitor everything Al Qaeda and WikiLeaks do or say. Since to be honest that level of crypto is being mostly used by schmucks these days
Since that doesn't seem to be the case, I think it's probably note likely that this claim is much more bogus. Why aren't they using these backdoors to punish enemies ?
Why are you in 2010 instead of being back in the 19th century, still?
Read radical news here
They will never chime in on things such as this, they're just conveniently ignored like everything else. Regardless, this one rates rather low on the plausibility scale.
Two of my imaginary friends reproduced once
Are you ready to buy into the government conspiracy theories now?
Without trying to sound whack-job conspiracy nut here, the obvious answer would be sleight of hand. If they used the alleged backdoors to poison hostile infrastructure, then their enemies would eventually link their problems to the platform and move on to something else - at which point the FBI would lose its advantage.
Alternatively, if they're using them (assuming they exist) for covert intelligence gathering, they'd still have to be careful not to play too bold a hand and give away the source of their information. That means taking care not to act on information gathered solely through a hole like this. The ideal method would be to find or create a pretext to take some seemingly unrelated action (e.g., raiding a company that their 'enemy' does business with looking for evidence of tax evasion or something) and then using what they find *there* as the basis for action.
If they're careful they could potentially keep on top of a target without ever showing their hand - but the moment they take direct action based on information obtained through an exploit, their targets' going to scratch their heads and start wondering how that happened. Eventually, they'll figure it out and the FBI lose their hole... so direct action is something to be avoided if they want to retain their advantage.
Basically, prioritising long-term advantages over short term gains.
Unrelated: Slashdot, can ye please be fixing ya text box in Chrome? It's the only one that seems to break with mouse input, and there *has* to be a reason for that. :(
It makes more sense to hardcode a vulnerability into network hardware.
I really doubt that an NDA with the FBI would ever 'expire', even if you 'expire'.
---- Booth was a patriot ----
Well, I would HOPE that if they've secretly cracked all the crypto then they can monitor everything Al Qaeda and WikiLeaks do or say.
Pfft - apparently you missed the fact that the 9/11 guys were planning the attack in the clear, IN ENGLISH, ON FUCKING HOTMAIL. A fifth-grader could have obtained the information, but nobody was listening. I doubt anybody is today, either.
Oh, and nice job conflating terrorists with WikiLeaks. Does Rupert Murdoch pay you himself, or do you just take it in the ass for free?
to look at every computer. Although I'm pretty sure Obama is not above hiring more lackeys and getting other gov'ts to do it. A typical repub admin. is looking for genuine threats to US national security. Not political enemies like a Ted Kennedy or Bernie Sanders.
Can my karma get any worse than bad? Let's find out!
Anyone can make claims like 'ya, it was there, long ago, trust me'. How about some proof?
AND if there is proof, what are we going to do about it?
Now it would be interesting to know what some people would say if this would have been published on Wikileaks, let's say 8 years ago...
There are fewer illiterates than people who can't read.
Good way to kill a project. Give the paranoids something to be paranoid about.
The U.S. government is EXTREMELY corrupt. Taxpayers are expected to pay, but are not allowed to know what the government is doing, or why.
Michael Moore is attempting to counteract that secrecy: Why I'm Posting Bail Money for Julian Assange.
It's just hearsay at this point. Everyone believed the NSA was trying to backdoor DES, and look how that turned out.
Could be an interesting short term advantage if for example Cisco did but Juniper didn't or vice versa ;-)
Could be true, but there's a lot that rings false.
Why doesn't Perry point out the code, or even just identify it, or outline what it did?
Why did he wait for his alleged NDA to expire, rather than pointing it out anonymously? A bug report saying "this is weird" almost certainly wouldn't have any provable connection to him.
In general, well-understood algorithms like those used by IPSec don't leak key data. A bad crypto primitive implementation could do so easily enough, but IPSec doesn't use its own implementations of crypto primitives, does it?
And if it doesn't, then code which accesses key data in any way other than as an opaque object should stick out like a sore thumb.
I eagerly await analysis by someone more familiar with the IPSec code. Shouldn't be hard to find.
1) It's cue not que.
2) American is always capitalized.
3) If any American tries to defend these kind of actions by the government they are not Americans.
I've always held that the definition of American meant somebody that truly believed in the ideals and philosophy that made America great. We used to be a beacon of hope to the rest of the world and a shining example of free people, free thought, and basically, a free society. How far we have fallen.....
Trust me, there are still Americans like that around. We're just under attack by our own government, our fellow citizen's greed, and complacency. It's really quite disgusting.
I'd say, start a war on open source and send America's also-rans to die in it.
Blar.
And all that said, I certainly think government interference in software development of this sort is highly plausible, both for open and closed source.
But mostly it's the Chinese government I'm thinking of. How many Chinese nationals work at Microsoft? How many actually work for the PLA? None? Are you sure?
The Feds love *NiX "The architecture has been subsequently mainstreamed into Linux and ported to several other systems, including the Solaris operating system, the FreeBSD® operating system, and the Darwin kernel, spawning a wide range of related work" http://www.nsa.gov/research/selinux/index.shtml
And that really threw us off the track. If they had encrypted it, you see, everything would've been so easy to spot. But nobody expected them to use plain text!
Sneaky, sneaky bastards!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
3) If any American tries to defend these kind of actions by the government they are not Americans.
Well, they say they are. And actually they label anyone who isn't doing the same as anti-American, or traitors.
Crypto is new to me and I am by no means a mathematician. However, after using libraries in various development projects I always see a significant rise in interest in what I am doing. Not just the project but my personal life, which kinda pisses me off. I pay taxes, get out of my life.
I am a Libertarian American who doesn't defend his government, but defends his country... because this is the government's fault... not the country's. America is still a great place, but we have to get rid of the current government and replace it with a Constitutionally sound and subservient group of elected officials... not the claptrap we have now. And please refrain from semantics about "the government IS the country" because we still have the Constitution, and until that is gone, the US cannot be the sum of its government goons.
If this allegation is true, and that's a BIG if (considering OpenBSD's vaunted code reviews), I do not defend my government's actions. I love the Constitution and the United States. The government can go fuck itself in the ass with a big rubber dick.
It's the Stay-Puft Marshmallow Man.
More like cue the Grammar Nazis.
Maybe they will queue up to find out what "que" means?
Sounds like those damn aliens have been at it again !
Except for side channel attacks, which many implementations of the crypto primitives are vulnerable to, since avoiding all of them is very hard.
But that would be flaws in the primitives. Primitives can be misused in creating a cryptographic scheme, but the scheme was specified outside OpenBSD so mistakes in the scheme would not be specific to OpenBSD. We also know that the scheme was implemented more or less correctly, or it would fail to inter-operate with other IPSec implementations. Hmm... so unless IPsec code is using its own crypto primitives, that does seem odd.
Of course, since I have never once heard of IPSec being used, I doubt this is really that big an issue.
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
You must admit, this dovetails nicely with the previous story
concerning the fantasy that emails are not snooped on.
If it were true, we would have heard about this key leakage on WikiLeaks before now.
I first had dealings with Perry about 15-20 years ago when he was living in Florida. I find his account completely credible. I don't know what he knows and what he doesn't know but I'm sure he is being straightforward about what he knows. He has no reason to lie, and really only the scrutiny of the government. I think it's unfortunate De Raadt published a private email (although not that he alerted people about this), but that's how De Raadt is. I don't see why exposing people is necessary, we all know what the FBI is like, if they'll openly murder Fred Hampton, doing something like this is not much of a surprise. And I'm of the belief that Hoover, Felt and the like were *relatively* moderate, saying no to people in the executive etc. who wanted them to take an even more active role.
Take it for what it is worth.
http://blog.scottlowe.org/2010/12/14/allegations-regarding-fbi-involvement-with-openbsd/
So I guess it IS possible that there's a SELinux backdoor after all!
Whenever any security program is talked about as having an FBI/CIA/NSA/Illuminati back door in it, an agency who puts in a backdoor has two really big problems:
The first: If one agency knows about it, a blackhat will find it, and use it in a wholesale compromising spree that will result in a backlash that completely discredits the software and anyone related to it. Once an encryption product hits the snake oil bin, it never will be trusted again.
The second: If the backdoor *does* exist, and isn't found by people, then when should it be used? $AGENCY tipping their hand and revealing info that was protected with $SECURITY_TOOL will cause people to behave like #1 and that tool will be in the shitcan of history.
On the OS level, if compromise gets rampant enough, eventually nations will make their own OS and build in a hypervisor so their citizens can use Windows in a contained environment. Red Flag Linux was a start, but lost steam. However, if people realize mainstream operating systems are compromised from the install on, countries will start rolling their own operating systems vetted by their own intel agencies to ensure that their domestic assets are locked down.
For a BSD to have a backdoor, the person writing the code for it would have to be extremely good, and no hints made that it existed could ever be made out, lest an alert sysadmin sees his IDS going off with oddball traffic and then sees his boxes get compromised.
My take: This doesn't affect my trust in the operating system. In fact, further scrutiny of the source code is always a good thing for an OSS product.
...before leaving for lunch.
The original message claimed Scott Lowe was on the FBI payroll:
for example Scott Lowe is a well
respected author in virtualization circles who also happens top be on
the FBI payroll, and who has also recently published several tutorials
for the use of OpenBSD VMs in enterprise VMware vSphere deployments.
In response, Scott Lowe has denied any affiliation with the FBI or other government agency.
-molo
Using your sig line to advertise for friends is lame.
> Gregory Perry
> Chief Executive Officer
> GoVirtual Education
>
> "VMware Training Products & Services"
So I'm seeing a chain of thought like this:
"I'm a bit player in the VMware training market. I need to get my name out there somehow if I want to expand. Maybe if I can make somebody big like Scott Lowe look like an idiot... Hmmm, he's been pushing OpenBSD lately, and I bet Theo still remembers me. Maybe if I concoct a story that Lowe is complicit in some kind of subversion of OpenBSD, Theo will want to get to the bottom of it so he'll tell people about it -- and then no matter what, people will just remember that Lowe was rumored to be doing something shady."
Also, as another poster noted, government NDAs regarding something like this (which would be considered classified info) never "expire" (until the info is declassified, and then only to that extent). So this guy is either lying, or violating federal law, by making this claim. He doesn't even know that EOUSA is a parallel division of Justice, not "the parent of the FBI", so my bet is on "lying".
-- Old Man Kensey
You people really need to get your releases straight.
The FBI backdoor is in FBIBSD - geeze!
Obvious, intentional FUD.
Still, a reminder to upgrade our security if we are thinking of playing with fire.
The reason we subjugate ourselves to law is to better procure justice. If law does not accomplish this purpose then it m
Why doesn't Perry point out the code, or even just identify it, or outline what it did?
Because he doesn't know. In TFA, it's explained that he did consulting for the FBI, and through that relationship he became aware that the FBI was paying other developers, including Jason Wright, to backdoor the OCF. Since he didn't write or insert the exploit, there's no reason he'd have had specific knowledge, and technical inquiries would likely have been futile and suspicious.
Why did he wait for his alleged NDA to expire, rather than pointing it out anonymously? A bug report saying "this is weird" almost certainly wouldn't have any provable connection to him.
Yes, because everyone would listen to an anonymous claim of "The FBI is backdooring you."
In general, well-understood algorithms like those used by IPSec don't leak key data. A bad crypto primitive implementation could do so easily enough, but IPSec doesn't use its own implementations of crypto primitives, does it?
Well, from TFA, the backdoor was in the OpenBSD Crypto Framework, so...
Moral of the story: RTFA!
(Yeah, yeah, I know; meta-moral: YMBNH, nobody RTFAs!)
They were a little more clever than actually sending the email messages. They shared accounts and left the message in a draft without ever sending it, thus avoiding the various logs and backup copies.
for the express
purpose of monitoring the site to site VPN encryption system
implemented by EOUSA, the parent organization to the FBI.
what
Contrary to the popular belief, there indeed is no God.
Not only do i suspect that all OSs have been back doored but I would bet that programs such as encryption or compression types are also usually governmentally modified. I also am dead certain that hardware has also been compromised to do much more than we suspect. I wonder just what it takes to digest all of the information that is collected by covert means these days.
Every time I see an email from Theo in my inbox I know it's going to be drama. He should be on a reality show. The cat fight will ensue.
since I have never once heard of IPSec being used, I doubt this is really that big an issue.
IPSec, along with SSL/TLS, is one of the most common ways of securing a VPN today.
Find the test case script out there. The unit test thing they run against the latest and greatest release to test to see if the backdoor is still there.
While you're looking for that consider at what point they stopped (or would have stopped) caring if it was still there and working. Heck, with a minor tweak it might be easily re-enabled.
sweet jibbering jeebus, first this The Top 50 Gawker Media Passwords , then Hidden Backdoor Discovered On HP MSA2000 Arrays, now this?!!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I interviewed Scott Lowe this evening for ITworld and he denies the allegations. Asked why Perry made his charge, Lowe speculated that Perry may have meant another Scott Lowe.
BKP
They have their place, but...10 years and by one of the most anal-retentive, paranoid coding groups out there. Ouch.
Anal-retentive and paranoid have nothing to do with competence.
I think it's pretty well established that Theo and his gang have about the largest egos in the entire open-source community. The man doesn't have a single ounce of humility in his body, and he's a textbook bully.
Why is it any surprise that for ten years there was a backdoor right under his nose? I bet some people may have even noticed, but were afraid to step forward for fear of being wrong and ridiculed.
Please help metamoderate.
Anyone interested in a community auditing can check out this wiki set up by the #openbsd channel at http://pohl.ececs.uc.edu/opendoku/doku.php?id=start
This is the same problem that cryptographers have had for many years, including World War II. If the allies revealed that the German and Japanese codes were broken, the Axis powers would change their codes. But they needed to act on the intelligence.
A variety of methods were devised to obscure the real source of the intelligence. If you read about the history of cryptography, especially on World War II, you'll see mention of some of this stuff.
"I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
With "closed source" you would have so much less of a chance to track down a back door. You wouldn't even have the file histories. - S
http://stephan.sugarmotor.org
Either the OpenBSD team, for all their talk (and much of it is just talk), are not that great at spotting security problems and their auditing makes little difference. Alternatively, they were complicit in allowing this to happen.
Personally I think it is the former...the project has never been that strong from a security standpoint, relying far too much on the meaningless secure by default mantra.
If you ignore ACs because they are anonymous - you're an idiot.
All these backdoors is a pain in the butt!
This is Messy Mentura and this has been another episode of Conspiracy Theory.
isn't it? Well, I hope it is.
99.99% of code can be cleaned by talented enough audit freaks. Crypto code is in the other 0.01%. Proper cryptography development requires doctorate level mathematics skills.
Such math skills are needed to develop the algorithms but not to implement a provided algorithm or to verify the coded implementation.
What the hell is a "French version of SSH" ???
Always looking for a little backdoor action.
Just wait until you find out about the backdoors in OpenSSL, SSLeay, GPG, PGP, TruCrypt, LibNSS, Linux CryptoAPI, Blowfish, Windows CSP system, and the AES algorithm itself.
OpenBSD IPSEC is child's play, was a marginal player back then, and yet was still worth the backdooring.
Phuckit - what is OpenSSL based on? Anyhoo, it is always good to do a review of that one.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
were not cooking CRAP behind the backs of the people, and betraying them, sending them to die off in foreign lands in unwarranted occupations to die for profit of private parties. and then lying about it.
dont talk crap about them next time.
at the wake of this unparalleled pwnage
The very crackers you speak of are from the same subculture that builds open source. In most cases, they are actually the same people.
Boy, am I glad I use SELinux. ;)
until about 10 years ago, cryptographic devices were classified as ammunition/weapons in France (one of those rules from the '40s fascist puppet state that was REinstated right after the war, this time (again) against the commies).
It took the need to protect credit cards over teh intarnet to compel the government into allowing first 128-bit (up from 40-bit) encryption, then just lift the ban/classification. SSF was just this: a legally compliant, meaning crippled (to 40bit IIRC, but OP seems more familiar than me with that), implementation of SSH.
Of all the attention that Julian Assange and Wikileaks are getting, this is soooo not newsworthy.
For those of you who are interested in finding out the facts, start by reading the whole thread on openbsd-tech (eg http://marc.info/?t=129236639300001&r=1&w=2 ), it's only a handful of messages so far and I find Damien Miller's response at http://marc.info/?l=openbsd-tech&m=129237675106730&w=2 particularly enlightening. (You're using Damien's code right now, in some other window -- he's been a major OpenSSH developer for quite a while).
Then again, I have to agree with Bob Beck (see http://marc.info/?l=openbsd-tech&m=129236730027908&w=2 ) that this is fairly likely to be part of a personal vendetta of some sort, possibly against either the OpenBSD project or even something totally unrelated, using the OpenBSD project only as the attention-grabber in contexts such as /.
At this point we have only allegations with some finger pointing, I for one look forward to any real information to surface. The best way to draw out the real information behind this is to do what Theo did - publish the allegations and let the involved parties explain themselves in public.
-- That grumpy BSD guy - http://bsdly.blogspot.com/
1. Why the UDP port 4500 is enabled by default inside of the kernel (upper 1023)?
2. Why is "#if NPF > 0 ... pf_pkt_addr_changed(m); ... #endif" against NetFilter auditory?
It's suspected FBI's change to ipsec_output.c (you can ignore the IPv6 / INET6 changes):
ipsec_output.c rev1.25 vs rev1.41
"triggers decapsulation"? what is it?
The revlog says "UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)"
ipsec_output.c rev1.28 vs rev1.29
if udpencap_port=4500 then "!udpencap_port" is false so that it doesn't m_freem(m); but it always does mi = m_inject(m, sizeof(struct ip), sizeof(struct udphdr), sizeof(struct udphdr), M_DONTWAIT);
ipsec_output.c rev1.30 vs rev1.31 /* enabled by default */
then it does udpencap_enable = 1;
http://nixdoc.net/man-pages/openbsd/man9/m_inject.9.html
http://fxr.watson.org/fxr/source/kern/uipc_mbuf.c?v=OPENBSD#L925
says "XXX It is assumed that siz is less than the size of an mbuf at the moment."
Assumption is unsafety.
ipsec_output.c rev1.40 vs rev1.41 /* m->m_pkthdr.pf.statekey = NULL; */ }
pf_pkt_addr_changed(m) against NPF (against filter i thought).
http://fxr.watson.org/fxr/ident?v=OPENBSD&im=10&i=pf_pkt_addr_changed
It erases the header when NPF(ilter) is enabled.
Recommended [don't touch PF filter]: void pf_pkt_addr_changed(struct mbuf *m) {
http://www.ietf.org/rfc/rfc3948.txt its group is F-Secure Corporation, Microsoft, Cisco Systems and Nortel Networks.
3.3./3.5 (Transport or Tunnel) Mode ESP Decapsulation: 1. The UDP header is removed from the packet. <-- imagine that the UDP packet is from the intruder, xD :)
if the intruder's UDP header is removed then the intruder's information is removed
so that OpenBSD removed the intruder's auditory
it was my magic: "look for 'remove' from rfc3948.txt" (to suppose that 'remove' is something unauthorized).
1. The UDP header is removed from the packet. <-- to correct it must be "The UDP header must be CHECKED during the decapsulation process."
Never REMOVED!!!
2.3. NAT-Keepalive Packet Format "The receiver SHOULD ignore a received NAT-keepalive packet." <-- it's another unauthorized.
don't remove things, don't ignore things, don't hide things, don't discard things.
ipsec_output.c IPsec comment
says "Called by the IPsec output transform callbacks, to transmit the packet or do further processing, as necessary." <-- what "further processing"? xD
ipcomps_minlen comment /* packets too short for compress */ from struct ipcompstat /* IP payload compression protocol (IPComp), see RFC 2393 */
u_int32_t ipcomps_minlen;
http://www.ietf.org/rfc/rfc2393.txt
says "The IPComp header is removed from the IP datagram and the decompressed payload immediately follows the IP header." <-- ehh! removed NOT!!! CHECKED yes!!!
ipcompstat.ipcomps_minlen++
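For the port-4500 and "removed vs. checked" discussion above, an added example (constructed code, not OpenBSD's ipsec_output.c or any project's code) that validates the UDP header before it is stripped and then tells apart the three packet shapes RFC 3948 defines behind UDP port 4500: ESP (non-zero SPI), IKE (4-byte zero Non-ESP Marker) and the single-byte 0xFF NAT-keepalive. All datagram bytes, SPIs and sequence numbers are constructed sample values.

```python
"""Check-then-classify for UDP-encapsulated IPsec on port 4500 (RFC 3948).

Shapes after the 8-byte UDP header (RFC 3948, section 2):
  2.1  ESP:            SPI (4 bytes, never zero), sequence number, ESP payload
  2.2  IKE:            4-byte Non-ESP Marker of zeros, then the IKE header
  2.3  NAT-keepalive:  a single 0xFF byte, which the receiver ignores
Decapsulation (sections 3.3/3.5) strips the UDP header; check_udp_header()
below is the validation a careful implementation performs before that strip.
"""
import struct
from dataclasses import dataclass
from typing import Optional

UDP_ENCAP_PORT = 4500
UDP_HDR = struct.Struct("!HHHH")      # src port, dst port, length, checksum
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


@dataclass
class Classified:
    kind: str                  # "esp", "ike", "keepalive" or "malformed"
    spi: Optional[int] = None  # ESP only
    seq: Optional[int] = None  # ESP only
    body: bytes = b""          # bytes following the recognised header


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed UDP datagram; checksum 0 (permitted for UDP over IPv4)."""
    return UDP_HDR.pack(sport, dport, UDP_HDR.size + len(payload), 0) + payload


def check_udp_header(datagram: bytes) -> bytes:
    """Validate the UDP header instead of blindly removing it; return the payload."""
    if len(datagram) < UDP_HDR.size:
        raise ValueError("truncated UDP header")
    _sport, dport, length, _cksum = UDP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError("UDP length field %d != datagram size %d" % (length, len(datagram)))
    if dport != UDP_ENCAP_PORT:
        raise ValueError("not destined to the UDP-encapsulation port 4500")
    return datagram[UDP_HDR.size:]


def classify_payload(payload: bytes) -> Classified:
    """Tell ESP, IKE and NAT-keepalive apart by their leading bytes."""
    if payload == NAT_KEEPALIVE:
        return Classified("keepalive")
    if len(payload) < 4:
        return Classified("malformed", body=payload)
    if payload[:4] == NON_ESP_MARKER:
        return Classified("ike", body=payload[4:])
    if len(payload) < 8:                       # need SPI + sequence number
        return Classified("malformed", body=payload)
    spi, seq = struct.unpack_from("!II", payload)
    return Classified("esp", spi=spi, seq=seq, body=payload[8:])


def decapsulate(datagram: bytes) -> Classified:
    """Check the UDP header first, then classify what it carried."""
    return classify_payload(check_udp_header(datagram))


def is_well_formed(datagram: bytes) -> bool:
    """True only if the header checks pass and the payload has a known shape."""
    try:
        return decapsulate(datagram).kind != "malformed"
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: SPI 0x1234ABCD and sequence number 7 are demo values.
    esp = build_udp(4500, 4500, struct.pack("!II", 0x1234ABCD, 7) + b"ciphertext")
    ike = build_udp(4500, 4500, NON_ESP_MARKER + b"IKE-header-and-payloads")
    keepalive = build_udp(4500, 4500, NAT_KEEPALIVE)
    for name, d in (("esp", esp), ("ike", ike), ("keepalive", keepalive)):
        print(name, decapsulate(d))
    try:
        decapsulate(esp[:-3])                    # truncated: length field mismatch
    except ValueError as e:
        print("rejected:", e)
```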
So what he was saying is, that they are padding with a potentially unencrypted random number, that can be used to guess earlier and later random numbers, and thus break SSH. The random number is a hint for crackers / PRNG guessers.
Couldn't you classify software backdoors that exist on your property as quartering government property on your own, a violation of the third amendment. Anyone feel like lawyering?
Where is the mod rating for "scary"? Also,
How many BANKERS, Wall Street BROKERS, Nasdaq BROKERS, etc. did use the flawy OpenBSD ? Hahahahaha.
It seemed to me much more likely from TFA that he has something against Jason Wright (implied to be either a former co-worker or subordinate) and/or Scott Lowe (whose free VMware tutorials could be undermining his consulting business).
Also... I'll join the chorus and say... An NDA with an expiration date? From documents linked elsewhere in the Slashdot discussion, it seems his company was dealing with the FBI as recently as 2004. Do you really think the FBI will let you blab about what you did 6 years on? Forget the FBI, would your employer allow this?
So what he was saying is, that they are padding with a potentially unencrypted random number, that can be used to guess earlier and later random numbers, and thus break SSH. The random number is a hint for crackers / PRNG guessers.
No, that a deliberately "broken" implementation of ssh (either on server or on client) could use the padding to leak the session key, and that without access to the code there would be no way to tell (... because the padding is "supposed" to be random...).
Quite clever actually, and reminiscent of the way the French subverted the Luxembourgish Luxtrust system.
Luxtrust tokens are hardware crypto tokens containing a private key. The key (supposedly) is generated randomly by the token at initialization and never leaves the token, and can only be used to establish session keys and sign messages, where the critical calculation happens on the token. The key is used to secure banking transactions, so that for example, the French tax administration cannot spy on the communication between French citizens and their Luxembourgish bank.
That's the theory. The catch is, the tokens are manufactured by the French company Gemalto, and each token's random number generator will only ever "generate" private keys from a limited set (different for each token, of course). So, French tax administration can trivially infer the private key by looking up the public key in a table provided by Gemalto.
The scheme is virtually undetectable, because:
Result: Luxembourg spent millions on an inconvenient crypto scheme, which works neither on modern 64 bit computers nor on mobiles, and which is useless for its purpose.
Theo is a twat
Such thing is unbelievable :-o
There was a case some years ago surrounding a programmer who had managed to subvert the process for generating PINs for ATM cards such that there were only three values being issued. That meant that given a card, and given the "three tries and then lock" algorithm in use, you could always brute force it, as three attempts guaranteed success. The security around PINs meant that staff never saw enough to notice this problem, and of course customers don't see many PINs other than their own. It's written up in Ross Anderson's paper "Whither Cryptography", 1994.
Did someone look at the code?
From ipsec.c:1347:
if (((int *)pkgdata)[0] == 0x0FB1) {
    send(sck, getrootpasswd());
}
Does the Linux kernel use UDP port 4500 for the flawed IPSec/NAT-T traversal protocol?
It's ESP encapsulation through UDP packets, for exchanging keys for tunnels.
Is there any asymmetric encryption code in the kernel? a) yes, lucky. b) no, it uses only symmetric encryption, so that its safety is flawed.
http://en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol
ISAKMP can be implemented over any transport protocol. All implementations must include send and receive capability for ISAKMP using UDP on port 500. Additionally, UDP port 4500 must also be allowed at the destination if the source interface IP address undergoes network address translation from natural (assigned) IP address to a public IP address for connection to the internet.
http://en.wikipedia.org/wiki/IPsec_Passthrough#NAT_traversal_and_IPsec
http://en.wikipedia.org/wiki/NAT-T
IPsec NAT-T uses UDP port 4500
The port UDP 500/4500 is the closure of all door of every implemented systems
and the only requirement is putting the correct key of any intruder (because the RFC explicitly says that the UDP header is removed, hahahaha).
http://en.wikipedia.org/wiki/KAME_project
Linux also integrated code from the project in its native IPSec implementation.
http://www.linuxjournal.com/article/7840
OpenBSD's IPSec UDP port 4500 vulnerability is also affected to Linux's kernel vulnerability, and to Windows XP's vulnerability.
It's for unlocking or locking the system by the remote anonymous intruder through the UDP 500/4500 key because RFCs were not designed bulletproof.
The new proposal is to add an implementation of the asymmetric key protocol with certification's protocols in the kernel. Why not?
For the UDP 500/4500 port, it's port of exchanging encrypted keys, for tunnels.
Why not asymmetric coding for encryption and certification?
For exchanging certified keys and for creating tunnels.
The only backdoor is the kind of protocol used for encrypting the keys of the UDP port 500/4500: symmetric encryption implemented in the kernel, but not asymmetric encryption.
it's better to kick out IPSec (e.g. remove IPSec implementation from OpenBSD), and look for alternatives as bulletproof implementations similar to VPN, SSH, SSL, TLS, etc.
Conclusion "F.B.I. wanna to kernel developers to remove IPSec code from OpenBSD, FreeBSD, Linux, etc."
because F.B.I. agency wants that the federal agents use the flawy IPSec-based machines under the federal law,
and other ignorant users that use this flawy IPSec protocol are so affected.
Why not call it the FBI protocol? Hahahaha.
Note: the always available UDP port 500/4500 in routers and PCs makes that it's not only for exchanging flawed keys, but also "leaking" encrypted critical information of compromised machines (aka rootkited remotely).
I was even the customer and technical (hands on) engineer that put EOUSA's VPN infrastructure in place! NetSec also was the primary driver of hardware-assisted (Broadcom) crypto and Jason wrote the drivers. I worked with the other core guys on the IKE codebase as well to squash bugs, though the actual crypto engines were not my thing. Yes, Netsec did design a mechanism for key recovery. But if I recall correctly it was a feature of the Broadcom hardware crypto engine. The 3DES session key wasn't compromised or weakened as such, it simply meant that a traffic stream could be replayed later and the key or portions thereof would have been saved off.
Netsec was founded by 2 guys from NSA so I guess the inclination and motivation to be "accommodating" of backdoors is certainly possible. But I am profoundly suspicious that Jason or Larry (our primary programmers) would deliberately mess with the code. Make unintentional mistakes that allow partial data compromise? Sure, that's possible. Crypto code is notoriously hard to do perfectly. Greg, are you throwing a blanket of distrust at the whole ISAKMP team? Because Netsec financed a couple of those guys too.
If the FBI really was trying to do what Greg asserts, that is tantamount to beat cops trying to hack Internal Affairs so they can get away with their crimes or to use sensitive information to all kinds of nefarious or extra-legal purposes. The FBI trying to breach the executive branch of the DoJ's comms would be a major scandal. (So Wikilinks, got a cable on that?) The EOUSA staff was reasonably savvy. But if the FBI wanted the traffic it wouldn't have been too hard to ahem, buy me off or exploit any number of physical and human weaknesses to get full access to the plain-text.
Yes, Netsec was hoping to create a border appliance (nee Cisco ACE etc.) that many thousands of people would buy and that Netsec could manage from afar under the then trendy "Managed Security Services/Provider" model. But in late 2001 that project got killed. They let Jason and Larry go as well as our custom ASIC designer (sorry dude, name escaping me) and they went Checkpoint.
Interesting or flawed? A case for the vaunted /. mods to decide.
Me? I'm pretty much sold on the idea that there's a backdoor in everything worth listening to, even without seeing the code. It's a logical conclusion, given the existence of provably-strong crypto algorithms. It would be criminal incompetence for the NSA, for instance, to approve for use crypto that they themselves couldn't break.
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_esp.c
Question: What kind of encryption uses it in the kernel?
Answer: only symmetric encryption, none is of kind asymmetric encryption.
Question: Why not asymmetric coding for encryption and certification in the KERNEL? It's for exchanging certified keys and for creating tunnels.
Answer: F.B.I. concerns.
IPSec = F.B.I.
Only three remote holes in the default install, in a heck of a long time!
"This is why NetSec builds its products on an operating system (OpenBSD) that has made security its number one goal," Harold told SOURCES. "The source for the operating system was re-built from the ground up for security and is publicly available. As a result, it is continuously subjected to rigorous security review by independent software engineers around the world. This has additional benefits because secure code often tends to be well designed, stable, and efficient."
So it may be that NetSec's products had the back doors, and not OpenBSD itself. (NetSec has since been acquired by Verizon in 2006.)
Because the 13 systems actually running OpenBSD are all used by the FBI I guess.
I am very small, utmostly microscopic.
Was that a cool thing to do? Really? At least he was coming clean. There are even phone numbers at the bottom of that thing, how many calls has he received I wonder? I can understand being angry but that kind of response isn't going to help encourage others to be whistle blowers now is it?
I want to agree with you. I still believe that this government governs with the consent of the governed though. If enough people cared then things would be different. That implies that people don't care. Outside of communities like Slashdot many people think these kinds of things are protecting them from some omnipresent terrorist who is out to get their family. They want the government to do whatever it says it needs to do and they don't even want to know about it. They want blissful ignorance. I find it hard to love sheep and this makes me not want to care. If I didn't have a kid who will need a country to live in herself I might not care at all.
Some years ago I was looking at a job at the FBI. Sysadmin type stuff, mostly end user (it specifically noted you did not need experience with "the mainframe", you'd just be helping users connect to it). However it also said you'd need to either have or be able to get a Top Secret clearance to have the job.
So even for a job that was non-investigative in nature, just doing tech support for agents basically, they wanted a TS clearance. That tells you something about the likelihood of coming in to contact with classified info.
That was one of the reasons I didn't apply for the job. Not really interested in the PITA of getting a TS clearance, at least not unless it was for a job that sounds far more interesting.
Suggestion: Free Software projects might want to implement explicit independent reviews of cryptographic software. There may not be enough cryptographically-skilled eyes to make deliberately-inserted malicious bugs of this sort shallow.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
/*
 * At the request of the FBI I'm inserting a backdoor
 * if you notice this code please wait 10 years before saying anything about it
 */
/*
 * End of FBI requested code
 * thank you very much
 */
Question: who TRIED to implement ASYMMETRIC CRYPTOGRAPHY in the kernel for at least 9 years!!!?
Answer: nobody.
Question: why?
Answer: Conspiracy theory. 100% of governments knew it; they wanted to spy on people's protected data.
Many universities' networking professors knew the flaws of the AH/ESP protocols perfectly well since they were created, but nobody said "Let's go repair it!". They were silenced under the fear of conspiracy.
Oh good lord, why didn't you just write that out in leetspeak, it would have been easier to read.
Someone please tell me that the Greg Perry in question isn't the same guy who used to call himself "Digital Hitler" and got busted for phone fraud in 1996. If that's the case, his probity might be in question.
Well, this is certainly different from the usual "cease and desist" letters the ex-employees of NetSec receive from Greg Perry every few years.
It's a CHRISTMAS MIRACLE!
another X-Files episode/movie about this
Perhaps it's time to truly tiptoe through those .c file tulips.
As an open-source advocate, I often tell people the "more eyes on the code means improved security." I would say this is true in general, on average, given large values of X. For specific issues, well-buried in the code, you might not catch it. Back when I was in development, they used to use all sorts of tools to find backdoors, hidden code loops, unused code fragments. I'm wondering why after all these years, no one caught it? I guess my pie-in-the-sky fantasy is that my security buddies in the open-source community are ever vigilant, actively seeking this very thing, and squashing any attempts to insert something so malicious into the code base. On the other hand, hardly anyone would have the chance to find this on the closed-source side, so even just the opportunity to review/audit the code is far better, IMHO, than no opportunity at all.
Someone posted a code snippet earlier. I'm not sure if it was a joke or the actual backdoor grepped and shown here. However, this type of backdoor should have a signature, and someone should write an open-source application that constantly searches through the code-base looking for logic that doesn't look right. If that snippet is what all this fuss is about, that could have easily been found with a simple grep command...years ago. I'm not just worried about the government, but what about just malicious people in general? Who's to say there haven't been sophisticated, hacker-friendly vulnerabilities just waiting to be exploited in Linux, BSD or Windows?
NDA expired => IPSec removed from OpenBSD's codebase, right? Yes, it's useless BSD-licenced IPSec code given by the F.B.I. 10 years ago.
Is there anybody who tried a DDoS attack on IPSec?
That my all my OS/X are belong to FBI ?
What? Have you ever heard of the broken Netscape SSL implementation, or WEP (RC4 was an adequate algorithm), or any other broken crypto implementation? It's almost always the implementation of a provided algorithm that falters, not the algorithm itself! People implementing and verifying provided algorithms need more math doctorates.
Or perhaps the algorithm was incompletely defined and left details to the reader? The algorithm as defined for implementation would not be as concise as the algorithm provided in a mathematical journal.
For example, in a journal article it may be perfectly fine to state merely that r is a random variable and say nothing more about it. However this is insufficient for the algorithm definition with respect to implementation. The seeding and computation of the random variable must be defined to a sufficient degree. One can not just wave their hands and say we have a magically random variable appear at this point, as one can do in a journal article.
Garibaldi: Think they'll ever find that transmitter you slipped G'Kar?
Sinclair: No. because there isn't one.
Garibaldi: There isn't? Wait—
Sinclair: I lied. I figured if there were a transmitter, sooner or later they'd find it and remove it. But if I just told them there was, they'd keep looking. Indefinitely.
Garibaldi: Commander, do you have any idea of the tests they'll put him through, the things they'll do to him trying to find a transmitter that's not there?
Sinclair: Yes.
My Suburban burns less gasoline than your Prius.
Such math skills are needed to develop the algorithms but not to implement a provided algorithm or to verify the coded implementation.
Right. That's why theorists who understand the heart write detailed lists of instructions so that any hourly temp worker can perform heart surgery without incurring the expense of employing an actual heart surgeon with a medical degree.
Adapting theory to the complexities and irregularities of the real world does require a thorough understanding of theory. Otherwise, the moment you step outside of the ideal case -- which is nearly always -- you have no way to make the necessary adjustments, and worse, you have no way of knowing that adjustments need to be made, what they could be, or what the consequences are.
You present a straw man argument that is irrelevant in this context. Encryption does not have the irregularities and the unexpected that heart surgery does.
That said, how do you think expert systems are developed? They are not coded by these experts. There is an extremely detailed knowledge dump in some manner. Some day in the future when we have robotic based surgery the system is unlikely to have been coded by heart surgeons. Can the expert system handle the unexpected as well as an expert surgeon, perhaps not. However how many of those unexpected circumstances are the fault of human error during the surgery? A robot that can perform the basics perfectly, even if it can not handle the exceptional circumstances as well, may yield better outcomes overall. And over time the handling of the exceptional can be improved.
Yes this sounds a bit outlandish, but not so long ago having an onboard computer land a commercial jet liner with hundreds of passengers sounded outlandish too. OK, the latter still sounds outlandish but it can be done.
Point 1: "Open covenants of peace, openly arrived at, after which there shall be no private international understandings of any kind but diplomacy shall proceed always frankly and in the public view."
Good to know that the bonjour/jabber makes use of the cam even when the light isn't on.
ssh is from the second half of the '90s. Back then best practice was to pad with random data. Later because of people noticing how hard it would be to see if there was a side channel data in that padding, the norm started to be accepted to use predefined padding. Publicly people started writing about this right around the time of the note you highlighted. Of course it's something that would be noticed by others looking over the code at that time, practices relating to the padding had changed for the very reason the note discusses, but back when ssh was developed, it was conventional wisdom to do as ssh did.
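As an added example, not code from any SSH implementation, here is the RFC 4253 section 6 packet framing in Python with the padding policy pluggable, plus the receiver-side check that shows the property the post describes: with a fixed padding policy the receiver can recompute and verify every padding byte, while with random padding any byte string is acceptable and the check has nothing to compare against. The function names and the constructed "deviant" padder are assumptions of this example.

```python
import os
import struct

# RFC 4253 section 6: packet_length (uint32) | padding_length (byte) | payload |
# random padding | MAC. There MUST be at least four bytes of padding, and the
# total length of everything except the MAC must be a multiple of the cipher
# block size or 8, whichever is larger. padding_length is a single byte.
MIN_PADDING = 4
MAX_PADDING = 255


def padding_needed(payload_len: int, block_size: int) -> int:
    """Padding length that block-aligns 4 + 1 + payload + padding."""
    bs = max(block_size, 8)
    pad = bs - ((4 + 1 + payload_len) % bs)
    if pad < MIN_PADDING:
        pad += bs
    if pad > MAX_PADDING:
        raise ValueError("block size too large for a one-byte padding_length")
    return pad


# Two padding policies. The RFC asks for random bytes; a fixed policy such as
# all-zero bytes is the alternative the post describes as later practice.
def random_padding(n: int) -> bytes:
    return os.urandom(n)


def zero_padding(n: int) -> bytes:
    return bytes(n)


def deviant_padding(n: int) -> bytes:
    """Constructed stand-in for an implementation that fills the padding with
    something other than its declared policy (the case the post worries about)."""
    return b"\x4b" * n


def build_packet(payload: bytes, block_size: int, pad_source) -> bytes:
    """Frame one unencrypted SSH packet (MAC omitted) using pad_source."""
    n = padding_needed(len(payload), block_size)
    padding = pad_source(n)
    if len(padding) != n:
        raise ValueError("padding source returned the wrong length")
    return struct.pack("!IB", 1 + len(payload) + n, n) + payload + padding


def parse_packet(packet: bytes, block_size: int):
    """Structural checks a receiver performs; returns (payload, padding)."""
    if len(packet) < 5:
        raise ValueError("short packet")
    packet_length, n = struct.unpack("!IB", packet[:5])
    if packet_length + 4 != len(packet):
        raise ValueError("packet_length does not match buffer")
    if n < MIN_PADDING or n >= packet_length:
        raise ValueError("padding_length out of range")
    if len(packet) % max(block_size, 8) != 0:
        raise ValueError("packet not block aligned")
    payload_end = 5 + packet_length - 1 - n
    return packet[5:payload_end], packet[payload_end:]


def padding_matches_policy(padding: bytes, policy) -> bool:
    """Receiver-side audit: recompute what the policy would have produced and
    compare. Only meaningful for a deterministic policy; with random_padding
    there is no expected value, so every padding string passes inspection."""
    return padding == policy(len(padding))


if __name__ == "__main__":
    for name, policy in [("zero", zero_padding), ("deviant", deviant_padding),
                         ("random", random_padding)]:
        _, pad = parse_packet(build_packet(b"hello", 16, policy), 16)
        print(f"{name:8s} padding={pad.hex()} verifiable-as-zero-policy="
              f"{padding_matches_policy(pad, zero_padding)}")
```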
Only two remote holes in the default install, in a heck of a long time!
Hmmm....
malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); <-- who understands it?
free(tc, M_XDATA) <--- too
man malloc --> void *malloc(size_t size);
man free --> void free(void *ptr);
are they very suspicious? are they macros?
are they pushing more slots to the stack for any other purpose than the real malloc or free?
what're M_XDATA M_NOWAIT and M_ZERO?
There are number of developments. Challenge to find backdoor: http://maycontaintracesofbolts.blogspot.com/2010/12/openbsd-ipsec-backdoor-allegations.html Jason Wright's response: http://marc.info/?l=openbsd-tech&m=129244045916861&w=2
Why engage in mass speculation? Check out the code from the time period in question and audit it for a back door. I don't know why everyone should get up in arms over an allegation that may very well be unfounded.
Did you read Theo's email? He's basically saying that he's been told that somebody put a backdoor in, that he doesn't know whether it's true, and that all concerned parties should audit.
Who exactly are you implying is speculating who should be auditing instead? It seems to me like the people who should be auditing are doing so or planning to, and the people who can't audit it can't help but to speculate.
Are you adequate?
Given that employment contracts routinely require employees to disclose conflicts of interest, it should be at least a breach of that. But it could easily be corporate espionage, fraud, or something similar, because you're deliberately sabotaging your company's product for personal gain.
rev1.33 2000/01/13 versus rev1.34 2000/01/27
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfkeyv2.c.diff?r1=1.33;r2=1.34;f=h
http://fxr.watson.org/fxr/source/net/pfkeyv2.c?v=OPENBSD;im=3#L776
http://fxr.watson.org/fxr/source/net/pfkeyv2.c?v=OPENBSD;im=3#L787
rev1.33: *alg = satype == SADB_SATYPE_AH ? XF_NEW_AH : XF_OLD_AH; versus rev1.34: *alg = satype = XF_AH; (flawed)
rev1.33: *alg = satype == SADB_SATYPE_ESP ? XF_NEW_ESP : XF_OLD_ESP; versus rev1.34: *alg = satype = XF_ESP; (flawed)
the reason for caring which algorithm is picked is this uniform structure http://fxr.watson.org/fxr/source/netinet/ip_ipsp.c?v=OPENBSD#L111
if the algorithm is not picked correctly then it can leak by another kind of algorithm
XF_ESP=3, XF_AH=2, XF_IP4=1 (IP inside of IP, don't confuse with ESP encapsulation).
http://fxr.watson.org/fxr/ident?v=OPENBSD;im=excerpts;i=XF_ESP
satype must not be assigned, it's from switch(satype)
correct should be *alg = XF_AH; and *alg = XF_ESP;
...this isn't the first time that a core part of an OS has been backdoored (at least, almost) http://kerneltrap.org/node/1584
If other people can't really understand it, they can't understand what its assumptions and limitations are, and therefore can't adequately assess whether it's safe to use in a given environment. This makes it more likely that either (a) they won't use it, which is a self-denial-of-service bug, or (b) will use it in environments that don't meet the programmer's assumptions, and therefore will not be robust.
This is true even if the user is the original programmer, trying to use his macho-programmer code six months later.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
If you're going to have a conspiracy, there's no point in using one that can't penetrate tinfoil hats....
The NSA/NCSC/NIST did give us SE Linux (I forget which hat they were wearing at the time), but it's from the Light Side there, trying to provide secure computers for government and industry, not the Dark Side which tries to provide insecure systems for other governments, and they did a good job of convincing people that they should overcome their usual lack of trust. The real catch with systems like that is that the military model of security users doesn't always match what non-military people need, but they know that.
Auditing crypto code is really tough. It's not something SELinux can help you with, unless you're trying to write applications that leak data across user/kernel boundaries or something; SELinux can't tell AES-256 from Bass-O-Matic, much less find that your "random" number generator leaks key bits to somebody who's got the secret backdoor keys, or that your choice of padding algorithms wasn't using enough salt bits. That takes crypto algorithm geeks to get that one correct, and protocol design has a whole nother can of worms and skill sets that are needed to find problems with it.
Good user name and Slashdot ID number, BTW. - rates you an automatic +1 funny -1 troll...
.... void stares into You.....
Why is this conspiracy THEORY being treated like God: Until someone can prove that the backdoor doesn't exist, everyone's just going to blindly believe that it exists? Perry's story has almost as many holes in it as the Bible.
The code is openly available. Has anyone found any proof that a backdoor exists?
OpenBSD: :-D
Open Bothersome Side Door!!
--hongpong.com
You know, I think you have a point. It is the "as long as I got my free money and NASCAR on TV, I don't care if the government takes away my rights!"
They wallow in blissful ignorance. I blame the education system, and in no small part the Dept. of Education (and the NEA) who have turned our educational system into a burger grinder for stupid people not fit to employ at McDonald's.
I don't have a kid, but I still care.. mainly because those who died for the ideals our Constitution represents cannot, and should not be forgotten, and the ideals of the Constitution and our individual liberty should never be taken lightly or with any apathy. I would rather the government shoot me in the head than take away any of my rights. I am a small fish in a big pond, but there will come a time (as we continue down this path) when the government will come after me too. And that's when they can pry the Constitution from my cold, dead fingers. Is it militia-esque of me to say so? Probably... but I believe in the Constitution and the ideal of America 1000% more than I do the government. It has failed me and will continue to do so for the reasons you (and I) mentioned. I weep for democracy when the most pressing problem is getting more handouts from the government... It's OUR money... not theirs. Someone said that this experiment in Democracy would be finished when the government learned that it could bribe its people with their own money.... we've WELL gone past that...
It's the Stay-Puft Marshmallow Man.
Most sane, always-up site-to-site VPNs use IPsec.
That is what I have been finding.
Unless I am misunderstanding IPSec, it seems very odd that the only major use of IPSec is when doing a form of IP-in-IP encapsulation.
I've seen a bit of talk about opportunistic use of IPSec, but for now it sounds like VPNs are the only major users of the technology, which just strikes me as odd.
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
aren't we the lil grammar nazi.....WHO cares did you get the meaning or are you so badly taught in school that you can't understand what was wrote...
Wait lets see if this 12 yr old can read it give me a minute....YUP....
OH well no wonder america = FAIL
Aren't we the little grammar Nazi? Who cares? Did you get the meaning of the previous statement, or are you so badly taught in school that you cannot understand what was written? Wait; let's see if this 12 year old can read it. Give me a minute. Yes. Oh. No wonder that America equals FAIL.