BSD Coder Denies Adding FBI Backdoor
jfruhlinger writes "Theo de Raadt has made the shocking claim that OpenBSD includes a backdoor that the FBI paid coders to build. Brian Proffitt has tracked down one of the programmers named as being on the FBI payroll (actually, he tracked down two programmers with the same name). Both deny working with the FBI."
The duplicate story is still on the front page! http://bsd.slashdot.org/article.pl?sid=10/12/15/004235
It was not Theo that made that claim. It was Theo that released the email he got from the guy making that claim! Big big difference!
even if it was you, would you admit to it? Reputations and careers could be ruined by something like that.
I mean the idea that this person would still be alive when "the NDA expired..." was odd.
Why would the FBI make any NDA on something as shameful as this that would expire during one's lifetime?
I went to battle M.C. Escher, but drew a blank.
Oh please, de Raadt didn't claim shit. Here's the original mail.
Theo seems skeptical himself, he just didn't want to hold back a potential security issue.
If you made a deal to keep a secret you keep that secret. Also I'm sure there could be repercussions for blabbing. My job they just fire you and there is a possibility of being sued by the individual whose confidence you broke.
All he did was properly forward a private email.
Theo de Raadt is clearly an ethical and conscientious person, who deserves our gratitude.
Thanks, Theo. Great job!
NOT!
Please do not read this sig. Thank you.
FTA: I have not ever contributed a single line of code to OpenBSD;
Back before I used Linux (in college), I made a habit out of making all Linux users paranoid by saying if I were the CIA / FBI / NSA / other TLA, I would worm somebody in as a contributor and do my best to put hidden backdoors into all open source operating systems. I know if I were in any of said agencies and had no respect for privacy, I would.
How does it feel to be a liar with pants constantly on fire?
Both deny being BSD coders too!
I'm not familiar with these things, but if someone is installing backdoors for the FBI on some software, will he be telling everyone that he works/has worked with the FBI? I wouldn't really expect anything else other than denying it!
This doesn't mean he does work for the FBI, but saying he doesn't isn't going to clear all things up!
The normal length for classified material is 50 years. That isn't to say it can't last longer or be declassified earlier, but 50 years is the normal NDA length. Why would this be any different? In particular there was the implication that they'd been heavily pushing it because of the backdoor. Ok but they had to know that the NDA was about to expire and thus the jig would be up and it would be, if anything, harmful.
Makes no sense. I am not buying this in the slightest without some proof. Some guy claiming something in an e-mail isn't proof, that is Internet nuttery as normal.
Show me the code.
I'm shocked to learn that these guys denied it! I mean, if you were working with the FBI, wouldn't you admit to it the moment someone asked?
That's not to say there's necessarily any validity to the claim one way or the other, but the non-acknowledgement from these guys comes as zero surprise, and is in itself a total non-story.
Theo did no such thing. Perry did.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
There was never any OpenBSD contributor named Scott Lowe. Did anyone actually bother to read the source material or check facts, before claiming as such?
The finger was being pointed at Scott Lowe FOR HIS Virtualization BLOG, which are merely articles that discuss the use of OpenBSD.
The mailing list author was making a totally reckless claim, with no proof shown, that he was advocating OpenBSD for the benefit of the FBI, which is a downright ludicrous attention-whoring attempt on the part of someone reposting that claim without corroboration.
A mailing list posting by one person is not a credible source to be taken at face value. Information needs to be corroborated. Posting some random person's vague accusations as front page news borders on gross negligence.
Wouldn't we be able to search the code for said backdoor? And correct me if I'm wrong, but BSD can't have binary blobs in its code.
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation. Social exper
Someone sent an email to Theo making the claim. Theo put it on the internet. Now it's true.
Because it's too much trouble to quote or reproduce Theo's brief email and people wouldn't know what to make of it anyway.
The raw and cold truth is that contributors to all the open OSs can't really be vetted. Not in a meaningful way. And the number of people who are deep low level 'hackers' capable of writing the code is relatively small. The numbers able to code audit to a level of examination are even fewer. So yes, the code is open, the code is visible, the code can and could be audited. But here is the thing, being auditable is not the same as being audited. And personally, I would not be shocked if a full audit was run if something might be found.
That being said, this is one step better than closed source, where some of the above is not possible or viable, and in cases where money crosses palms, may in fact be unwanted.
Further to this though, I personally don't expect government to simply roll over and die. I expect them to take steps to try and stay one step ahead of bad things, and the relaxing of technology limits has benefited people across the world, even if I were to make a case that the cost is that at the point of a pyramid - the govs can hunt down the world culprits and suspects. In some cases - releasing the tech in fact has your enemy using that tech after some time and you get to tap into it.
At least its an interesting story :)
We're all equal
They can deny: in a couple of days we'll find evidence on wikileaks...
It is not so hard to imagine that they are not allowed to say the truth.
For the same reason NSA had chosen new encryption standards (they should be hackable by them).
America is a police state, anything is related to security; for sure they have the private keys of verisign and many others.
Or do you think that Stuxnet worm was uniquely working with fake signed keys; the fact that smaller countries could create something like that
Means the country with the most supercomputers, can easily crack root keys of any major signer.
take a blowfish
just another info leak between the spam; ... can you read it yahoo
He simply released the email that was sent to him.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
What really gets me, is this is all open sourced code. This means that a code audit would find this so-called back door, yes? I seriously doubt this so-called claim.
What backdoor? Nobody has found ANYTHING yet. They just have a rumour, duly propagated onwards because of its *potential* security applications, that someone may have once been paid to do such a thing. Doesn't mean it's true, that they succeeded, or that it hasn't been removed since.
It's impossible to prove something *isn't* there, of course, but it would be a cinch to prove it *was*. Nobody has yet stepped forward with anything even approaching a slight vulnerability in their IPSec implementation that isn't well documented and patched already (or even suspected of being planted maliciously). That's the beauty of OS - we can go back and check and see and hold people accountable, and YOU can take a look if you don't believe us, or think we're in league with the FBI. There's absolutely *nothing* to stop you. Now go ask about proprietary software vendors and *their* relationships with the FBI and see how many answers you get.
And I don't even care about BSD - I've only ever used it once, and Linux has a *completely* independent IPSec implementation made by completely separate people. If it's a concern for you, audit the code, or pay someone to do it. Chances are you'll never be *allowed* to audit similar code from, say, Microsoft and certainly not allowed to publish your findings if you *did* find a backdoor in it. In the OS world, though, we publish even potential RUMOURS of a possible hole, so that you can be the judge and not anyone else.
It seems unlikely that someone could hide one or more backdoors in such a ubiquitous piece of code without _anyone_ else ever spotting it.
It also seems unlikely because Perry didn't share actual technical details of the backdoor(s) so their existence can be proven. Surely when making such a radical claim it's just human nature to also justify it with all the evidence you have.
If so, where’s this NDA that Theo claims just expired? Surely he didn’t run it through the shredder already.
Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
Correction, Gregory Perry claimed to have an NDA with the FBI. Theo was just the messenger. Damn, this is confusing...
I only use OSes I can trust!
Like they'd come out and admit it if it IS true.
and tan his hide!
"Theo the Rat" whenever you read his name in print?
Has Gregory Perry actually confirmed he sent that email? It's not like a large number of passwords have been cracked recently and even the best of us use the same password in multiple places...
Both denied working with the FBI.
But did they deny working for the FBI, directly or indirectly?
The mind conceives, the body achieves, the spirit manifests.
Theo de Raadt did not make any claims, he merely released an email from a fellow who claims to have been involved in placing backdoor code into ipsec. The original sender has not denied anything about the content of the message and it has appeared (AFAICT) unedited.
I doubt if this will stave off the usual Berate DeRaadt Party. I believe that he has handled this with a minimum of B.S. and is allowing the social situation to resolve without adding the measure of vitriol he would be justified in throwing.
I can't wait for the next OpenBSD release.
There will be some spectacular t-shirts!
After reading the email and the article, I have to call bollocks on this. There's too much that doesn't add up. It's an email from someone who received an email from someone who claimed they were under an NDA when they heard that there was a backdoor put into BSD's IPSec stack.
From Ferris Bueller's Day Off: "My best friend's sister's boyfriend's brother's girlfriend heard from this guy who knows this kid who's going with the girl who saw Ferris pass out at 31 Flavors last night."
From TFA: "My best friend's sister's boyfriend's brother's girlfriend heard from this guy who knows this kid who's going with the girl who says the FBI put a backdoor in OpenBSD's IPSec stack."
And other readers pointed out that the FBI would NEVER put this under an NDA - it would be classified instead. Having been in the Navy with a top secret clearance, I can tell you that anything that is classified as "confidential" or above would have had a declassification date attached to it, and most classified documents are in the fifty year range. The government doesn't do NDAs (at least, not to my knowledge). They classify information instead. If you release classified information, you lose your security clearance and could face federal charges. That's why the PFC in the Wikileaks mess should be in massive trouble (which I think he is).
And then there's the question of auditing. I find it hard to believe that this would not have shown up in an audit. Something this high-profile HAS to be audited regularly. Sure, it could be overlooked, particularly since the code is complex, but all of these factors put together just scream "FUD".
At this moment, I don't buy this. They had better come up with some proof if I'm to believe it.
True. I'm sure people are combing the commits from that era pretty heavily as we write.
Good catch, and good point. :-) I'm withholding judgment on the NDA until it is released to the world. Mr. Perry may not be legally able to do that, though.
Someone claiming to be Gregory Perry has confirmed sending the email in numerous articles linked to in this and the previous post.
See? Now we are just as sure as we were before.
So, with all OSes having backdoors at the behest of all these intelligence agencies, doesn't that mean that all their computers are compromised too?? Oh, and we can discuss the possibility of foreign intelligence agencies doing the same thing. Is this how the Chinese steal everyone's secrets? Forget Wikileaks, this is Wikifloods.
1. Insert backdoor in BSD
2. ???
3. Proffitt
Why is that not in wikileaks ??
The claim about Scott Lowe (which one never specified) was that he was on the FBI's dole to write how to implement OpenBSD based VPN VMware tutorials. Writing tutorials doesn't make him an OpenBSD coder. The claim was that "Jason Wright and others" were the ones who inserted the backdoor into the source code of OpenBSD. I haven't heard any refutation from Jason Wright and the story doesn't even claim that.
This is also why several inside FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments, for example Scott Lowe is a well respected author in virtualization circles who also happens top (sic) be on the FBI payroll, and who has also recently published several tutorials for the use of OpenBSD VMs in enterprise VMware vSphere deployments.
Jason Wright, on the other hand was the accused coder. Jason Wright has not issued any public statement on the matter, and the linked article only makes a slight mention of him.
/^([Ss]ame [Bb]at (time, |channel.)){2}$/
You talk about a "mailing list posting by one person" and a "mailing list author [who] was making a total reckless claim". But there is no mailing list author, a private e-mail was sent to Theo who decided to make it public on the mailing list. One reason for the lack of proof etc. is Theo stated he had no desire to speak to Greg about this, and Theo made it immediately.
You also say this is by "some random person" but it is not, it is someone who was involved in AFAIK financing this part of OpenBSD development, and who worked at the same company as other people who have committed code to OpenBSD. A person posting anonymously here is "some random person", someone with that type of involvement with the various persons is NOT some "random person."
Posting this on Slashdot is not gross negligence at all, I am much happier to be aware of this story than not aware of it. It does not seem far-fetched to me either - it seems like DES - algorithms are put out by the government, or by government contractors which are safe for most people, but which the government can still decode. Did DES come with big warning labels, "hey, the government can decrypt this but most people can't". If DES had an unlabeled "backdoor" (of sorts), why is it so surprising there might be a backdoor of sorts here, even if it is only a few changes that make decryption of this stuff easier for the government?
On the negligence angle again, that would be more on Theo's end than anything. I'm glad Theo made this public, but I think he could have been a little more subtle, removing everyone's name from it for one thing. But that is on him, not Slashdot.
Please, don't add to the disgusting, overused mess that is contemporary copyright doctrine by misapplying it to private correspondence! It's arguments like yours that make me wonder if we really would be better off overall with no copyright whatsoever.
No one should be able to own an idea. It's that simple. The only reason we have the concept of owning ideas is because of technology that allows mass reproduction and the greedy desires to squeeze every last cent out of something, and to prevent others from deriving any benefit from anything you do without paying you for it.
I also think it's dangerous and foolish to start tossing around the word "rights." The only rights anyone really has in this country are spelled out in the Constitution and the Bill of Rights. I may not have a "right" to copy and forward and publish the email you send me, but you don't have a "right" to stop me from doing so, either. If you don't trust me to abide by your wishes, don't send me the email. You have the "right" to not email me.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
Refuting the claims by auditing the code might not be so simple. Read the thread started by de Raadt's email for details.
This person denies they put in backdoor code for the FBI... a likely story! That's just what a person working secretly for the FBI would say. And next he'll claim he's not a BSD coder too! He's guilty, guilty I say!
Seriously, until the code has been fully audited and results released, the original blurb on this is enough, I don't need several stories in a day on it. This kind of "reporting" reminds me of an incident that newscasters reported and kept updating every 30 seconds as though something amazing was going to happen any second.
a) Copyright is there and the Berne convention applies more or less world-wide.
b) The Constitution and Bill of Rights *does not* apply worldwide and I am not in the US.
So, by treaty, I believe I have more "rights" to stop you publishing the verbatim text of my private emails to you than you have to publish them.
Yes, copyright is messy, and I'd prefer not to use it, but it applies cross border.
And yes I'm not claiming to be able to stop you forwarding "ideas", I'm talking about forwarding my text as is.
Rgds
Damon
http://m.earth.org.uk/
I suppose we'll just have to disagree, then.
I must say, though, the more stupid copyright issues I read about, and the more I think about it, the more I think the very idea that anyone should be able to own a collection of letters and words borders on absurdity. Every single creative work there is has borrowed from thousands of years of history, language, folklore, legend, myth, collective cultural consciousnesses, etc. Originality is a myth--only God was truly original. And so, since we all owe something to those who have come before us, without which we couldn't have created what we've created, I think it's bordering on morally wrong to try to take exclusive ownership of an idea or collection of ideas, because in the end it's hypocritical.
I find it courageous of Theo to not hold back such info. Any other manager of such a security-minded project would try to cover up their failure to detect something like that.
Of course it remains to be seen if this is true at all.
- IF it's in their contract with the US government, then you can audit the code forever and the backdoor will never show itself; think about complex mathematical algorithms that, let's say, by the delay in processing can reveal whether a bit is 0 or 1.
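The "delay in processing" idea in the comment above is a timing side channel, and it is the reason a functional code audit can miss it: the code returns the right answer, only how long it takes depends on the secret. The example below is added here and is not from the thread or from OpenBSD; it puts a naive early-exit byte comparison beside a constant-time one and counts the work each does, so the data dependence is visible deterministically instead of with a stopwatch. The names and the sample MAC value are constructed for the illustration.

```python
import hmac

# Constructed sample value standing in for a secret tag (e.g. an IPsec
# packet MAC); it has no meaning outside this example.
SECRET_TAG = bytes.fromhex("0f1e2d3c4b5a6978")


def variable_time_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Naive comparison that stops at the first mismatching byte.

    Returns (equal, steps). `steps` counts byte comparisons performed, which
    is exactly what leaks: it tells how many leading bytes matched.
    """
    steps = 0
    if len(a) != len(b):
        return False, steps
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Comparison whose work depends only on the length, never on content.

    Every byte pair is XORed and OR-accumulated, so the loop always runs to
    the end; the position of a mismatch is not reflected in the work done.
    """
    steps = 0
    if len(a) != len(b):
        return False, steps
    diff = 0
    for x, y in zip(a, b):
        steps += 1
        diff |= x ^ y
    return diff == 0, steps


def compare_profiles(secret: bytes) -> dict:
    """Compare both routines against guesses that differ in the first byte
    and in the last byte of `secret`; returns the step counts observed."""
    early_miss = bytes([secret[0] ^ 1]) + secret[1:]   # wrong first byte
    late_miss = secret[:-1] + bytes([secret[-1] ^ 1])  # wrong last byte
    return {
        "variable_early": variable_time_equal(secret, early_miss)[1],
        "variable_late": variable_time_equal(secret, late_miss)[1],
        "constant_early": constant_time_equal(secret, early_miss)[1],
        "constant_late": constant_time_equal(secret, late_miss)[1],
        # The standard library's constant-time primitive agrees on the verdicts.
        "stdlib_agrees": (
            hmac.compare_digest(secret, early_miss) is False
            and hmac.compare_digest(secret, late_miss) is False
            and hmac.compare_digest(secret, secret) is True
        ),
    }


if __name__ == "__main__":
    for name, value in compare_profiles(SECRET_TAG).items():
        print(f"{name}: {value}")
```

For the variable-time routine the step count is 1 for the first-byte miss and 8 for the last-byte miss, so an observer measuring time learns how much of the prefix was right; the constant-time routine does 8 steps in both cases. In reviewing crypto code, the check a defender wants is therefore not only "does it return the right bool" but "is its control flow and memory access pattern independent of secret data", which is why comparisons of MACs, keys and tokens should go through a primitive like hmac.compare_digest rather than ==.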
Open Bothersome Side Door .
--hongpong.com