BSD Coder Denies Adding FBI Backdoor
jfruhlinger writes "Theo de Raadt has made the shocking claim that OpenBSD includes a backdoor that the FBI paid coders to build. Brian Proffitt has tracked down one of the programmers named as being on the FBI payroll (actually, he tracked down two programmers with the same name). Both deny working with the FBI."
It was not Theo that made that claim. It was Theo that released the email he got from the guy making that claim! Big big difference!
even if it was you, would you admit to it? Reputations and careers could be ruined by something like that.
The difference is that the original story is posted by kdawson, so no registered users will see it, because we've all blocked him from the front page. This one is posted by Taco, so we'll see it.
I am TheRaven on Soylent News
I mean the idea that this person would still be alive when "the NDA expired..." was odd.
Why would the FBI make any NDA on something as shameful as this that would expire during one's lifetime?
I went to battle M.C. Escher, but drew a blank.
You didn't get that this was a follow-up story, then, huh?
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
Oh please, de Raadt didn't claim shit. Here's the original mail.
Theo seems skeptical himself, he just didn't want to hold back a potential security issue.
If you made a deal to keep a secret you keep that secret. Also I'm sure there could be repercussions for blabbing. My job they just fire you and there is a possibility of being sued by the individual whose confidence you broke.
Who's this "kdawson" you speak of?
NOT!
Please do not read this sig. Thank you.
Back before I used Linux (in college), I made a habit out of making all Linux users paranoid by saying if I were the CIA / FBI / NSA / other TLA, I would worm somebody in as a contributor and do my best to put hidden backdoors into all open source operating systems. I know if I were in any of said agencies and had no respect for privacy, I would.
How does it feel to be a liar with pants constantly on fire?
Both deny being BSD coders too!
I'm not familiar with these things, but if someone is installing backdoors for the FBI on some software, will he be telling everyone that he works/has worked with the FBI? I wouldn't really expect anything else other than denying it!
This doesn't mean he does work for the FBI, but saying he doesn't isn't going to clear all things up!
The normal length for classified material is 50 years. That isn't to say it can't last longer or be declassified earlier, but 50 years is the normal NDA length. Why would this be any different? In particular there was the implication that they'd been heavily pushing it because of the backdoor. Ok but they had to know that the NDA was about to expire and thus the jig would be up and it would be, if anything, harmful.
Makes no sense. I am not buying this in the slightest without some proof. Some guy claiming something in an e-mail isn't proof, that is Internet nuttery as normal.
Theo did no such thing. Perry did.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
There was never any OpenBSD contributor named Scott Lowe. Did anyone actually bother to read the source material or check facts, before claiming as such?
The finger was being pointed at Scott Lowe FOR HIS Virtualization BLOG, which are merely articles that discuss the use of OpenBSD.
The mailing list author was making a totally reckless claim with no proof shown that he was advocating OpenBSD for the benefit of the FBI, which is a downright ludicrous attention-whoring attempt on the part of someone reposting that claim without corroboration.
A mailing list posting by one person is not a credible source to be taken at face value. Information needs to be corroborated. Posting some random person's vague accusations as front page news borders on gross negligence.
Wouldn't we be able to search the code for said backdoor? And correct me if I'm wrong, but BSD can't have binary blobs in its code.
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation. Social exper
Someone sent an email to Theo making the claim. Theo put it on the internet. Now it's true.
Because it's too much trouble to quote or reproduce Theo's brief email and people wouldn't know what to make of it anyway.
Here you go: The Code.
Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
The raw and cold truth is that contributors to all the open OSs can't really be vetted. Not in a meaningful way. And the number of people who are deep low level 'hackers' capable of writing the code is relatively small. The numbers able to code audit to a level of examination are even fewer. So yes, the code is open, the code is visible, the code can and could be audited. But here is the thing, being auditable is not the same as being audited. And personally, I would not be shocked if a full audit was run if something might be found.
That being said, this is one step better than closed source, where some of the above is not possible or viable, and in cases where money crosses palms, may in fact be unwanted.
Further to this though, I personally don't expect government to simply roll over and die. I expect them to take steps to try and stay one step ahead of bad things, and the relaxing of technology limits has benefited people across the world, even if I were to make a case that the cost is that at the point of a pyramid - the governments can hunt down the world culprits and suspects. In some cases - releasing the tech in fact has your enemy using that tech after some time and you get to tap into it.
At least it's an interesting story :)
We're all equal
They can deny: in a couple of days we'll find evidence on wikileaks...
He simply released the email that was sent to him.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
What really gets me, is this is all open sourced code. This means that a code audit would find this so-called back door, yes? I seriously doubt this so-called claim.
What backdoor? Nobody has found ANYTHING yet. They just have a rumour, duly propagated onwards because of its *potential* security applications, that someone may have once been paid to do such a thing. Doesn't mean it's true, that they succeeded, or that it hasn't been removed since.
It's impossible to prove something *isn't* there, of course, but it would be a cinch to prove it *was*. Nobody has yet stepped forward with anything even approaching a slight vulnerability in their IPSec implementation that isn't well documented and patched already (or even suspected of being planted maliciously). That's the beauty of OS - we can go back and check and see and hold people accountable, and YOU can take a look if you don't believe us, or think we're in league with the FBI. There's absolutely *nothing* to stop you. Now go ask about proprietary software vendors and *their* relationships with the FBI and see how many answers you get.
And I don't even care about BSD - I've only ever used it once, and Linux has a *completely* independent IPSec implementation made by completely separate people. If it's a concern for you, audit the code, or pay someone to do it. Chances are you'll never be *allowed* to audit similar code from, say, Microsoft and certainly not allowed to publish your findings if you *did* find a backdoor in it. In the OS world, though, we publish even potential RUMOURS of a possible hole, so that you can be the judge and not anyone else.
It seems unlikely that someone could hide one or more backdoors in such a ubiquitous piece of code without _anyone_ else ever spotting it.
It also seems unlikely because Perry didn't share actual technical details of the backdoor(s) so their existence can be proven. Surely when making such a radical claim it's just human nature to also justify it with all the evidence you have.
If so, where’s this NDA that Theo claims just expired? Surely he didn’t run it through the shredder already.
Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
Funnily, that's exactly what happened to me - I wondered what people were talking about when they said it was a dupe. This is the only website I've ever had to block a submitter on, and kdawson the ONLY author I've ever had to block on any website because every submission I read from them annoyed me or was blatantly complete bollocks.
Correction, Gregory Perry claimed to have an NDA with the FBI. Theo was just the messenger. Damn, this is confusing...
You made me choke on my lunch!
K Man
So slashdot gets a twofer.
BTW the Indian extremists have been infiltrating Microsoft for years and have placed many back doors into Windows so they can shut down all our systems. Their main target is the thought control experiments based in Montauk NY at the secret underground base there. They are hoping that they can remotely activate it and then while we are under their control gain access to the secret base under the new Denver Airport.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
No, I don’t think so, because they do sometimes edit the stories. I know they edited one that I posted, they converted it from a logically divided 3-paragraph submission into a single glob of text, just like any other story.
I only use OSes I can trust!
Like they'd come out and admit it if it IS true.
Nonsense. Nobody working for this site has ever been a good enough perl coder to pull that off.
Kdawson is just an internet myth, long ago disproven by snopes.
SJW: Someone who has run out of real oppression, and has to fake it.
Have these two deniers stated whether they are under NDA still? Why would they admit to it when doing so would brand them?
Even though I think it is tough to miss something like that in the code it is still possible. Everyone should look to ensure that removal is performed.
If they could do that then they'd do it in Windows. Windows is closed source and easily altered. If it is verified in BSD you can be guaranteed it's in Windows.
Though this is likely true (that the code is there), it is difficult for me to see them having the programming skills back then to write something so sophisticated that it would go undetected for over a decade.
Why was the "leaker" under NDA to begin with?
You can lead a man with reason but you can't make him think.
and tan his hide!
I've been following slashdot for over 10 years and I finally registered an account just a few weeks ago. Why? Because I got so sick of kdawson's inflammatory Fox-news-esque junk articles that I finally decided to register just for the sole purpose of kill-filing him.
'This is the only website I've ever had to block a submitter on, and kdawson the ONLY author I've ever had to block on any website because every submission I read from them annoyed me or was blatantly complete bollocks.'
You must be new here:
http://www.theobvious.com/archive/1999/03/25.html
It's worse than you imagine. It's a Visual Basic program.
And then there is this post from CmdrTaco that utterly misinterprets what happened.
Why do I come here? I'm slowly coming less and less and shit like this doesn't help.
No sig for you!!
Whatever happened to John Katz?
Can't say I have. The last joke I made about bestial dwarf porn got modded up pretty quickly.
Blank until
Both denied working with the FBI.
But did they deny working for the FBI, directly or indirectly?
The mind conceives, the body achieves, the spirit manifests.
I miss JonKaz.
/. really should have a telethon to upgrade him to an Amiga.
Wait, no I don't.
Although I'd like to see a follow-up on how Junis is faring in Afghanistan these days.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Well somebody did.. and named the script kdawson.
I thought blonde socialites were defenceless pets. I certainly haven't seen a practical reason for their domestication...
was it FreeBSD then?
Theo DeRaadt did not make any claims, he merely released an email from a fellow who claims to have been involved in placing backdoor code into ipsec. The original sender has not denied anything about the content of the message and it has appeared (AFAICT) unedited.
I doubt if this will stave off the usual Berate DeRaadt Party. I believe that he has handled this with a minimum of B.S. and is allowing the social situation to resolve without adding the measure of vitriol he would be justified in throwing.
I believe there's a law against releasing defenceless pets into the wild.
That's why so many Chihuahuas keep blonde socialites.
There, ftfy
Only since the first time I heard it. :-)
True. I'm sure people are combing the commits from that era pretty heavily as we write.
I thought /. was a labor of love. How can you let go someone who works for free?
I drank what? -- Socrates
Good catch, and good point. :-) I'm withholding judgment on the NDA until it is released to the world. Mr. Perry may not be legally able to do that, though.
Someone claiming to be Gregory Perry has confirmed sending the email in numerous articles linked to in this and the previous post.
See? Now we are just as sure as we were before.
Maybe we can induce his return?
John Katz.
John Katz.
John Katz.
*waiting*
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
I think it's spelled J - O - N.
But I'm not going to invoke him. I'll just watch old reruns of The Critic and that other cartoon that came on after it.
Regular bollocks, dog bollocks or ex-gf has stomped all over my bollocks?
You have a high UID. Heh!
Here you go: The Code.
It looks like you trimmed your link. This goes to the root of the entire CVS. We'd want to see the specific code in the allegation, as it was submitted back in 2000/2001. Got THAT link?
Wait.. we can block kdawson??
The claim about Scott Lowe (which one never specified) was that he was on the FBI's dole to write how to implement OpenBSD based VPN VMware tutorials. Writing tutorials doesn't make him an OpenBSD coder. The claim was that "Jason Wright and others" were the ones who inserted the backdoor into the source code of OpenBSD. I haven't heard any refutation from Jason Wright and the story doesn't even claim that.
Heh, funny part is, as soon as I saw the original story, noticed who posted it, I instantly determined it to not be true.
From that point I went and looked deeper and find it highly unlikely that much of the story as currently told is true.
It looks more to me like the email from Gregory Perry is either spoofed, or that he has an agenda.
The 'agenda' part stems from the fact that he's the 'CEO' of 'GoVirtual Education', a company selling VMware training ... and he happens to be taking pot shots at a guy who promotes using OpenBSD VMs ...
I'm sure in the end, this will turn out to be just another silly thing that isn't true and is exactly why I blocked kdawson in the first place.
It would seem that others at slashdot seem to realize no one reads the retarded crap he approves and have taken it on themselves to post followups to link back to his stories or posting submissions from him directly.
Dear slashdot, please give me a way to not see anything that in any way relates to kdawson or timothy, it always turns out to be wrong, most of the time it's unbelievably wrong.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
This is also why several inside FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments, for example Scott Lowe is a well respected author in virtualization circles who also happens top (sic) be on the FBI payroll, and who has also recently published several tutorials for the use of OpenBSD VMs in enterprise VMware vSphere deployments.
Jason Wright, on the other hand was the accused coder. Jason Wright has not issued any public statement on the matter, and the linked article only makes a slight mention of him.
/^([Ss]ame [Bb]at (time, |channel.)){2}$/
You talk about a "mailing list posting by one person" and a "mailing list author [who] was making a totally reckless claim". But there is no mailing list author, a private e-mail was sent to Theo who decided to make it public on the mailing list. One reason for the lack of proof etc. is Theo stated he had no desire to speak to Greg about this, and Theo made it public immediately.
You also say this is by "some random person" but it is not, it is someone who was involved in AFAIK financing this part of OpenBSD development, and who worked at the same company as other people who have committed code to OpenBSD. A person posting anonymously here is "some random person", someone with that type of involvement with the various persons is NOT some "random person."
Posting this on Slashdot is not gross negligence at all, I am much happier to be aware of this story than not aware of it. It does not seem far-fetched to me either - it seems like DES - algorithms are put out by the government, or by government contractors which are safe for most people, but which the government can still decode. Did DES come with big warning labels, "hey, the government can decrypt this but most people can't". If DES had an unlabeled "backdoor" (of sorts), why is it so surprising there might be a backdoor of sorts here, even if it is only a few changes that make decryption of this stuff easier for the government?
On the negligence angle again, that would be more on Theo's end than anything. I'm glad Theo made this public, but I think he could have been a little more subtle, removing everyone's name from it for one thing. But that is on him, not Slashdot.
Is this better?
Yep...
Are subscribers also able to killfile users? If so I just might subscribe.
Please, don't add to the disgusting, overused mess that is contemporary copyright doctrine by misapplying it to private correspondence! It's arguments like yours that make me wonder if we really would be better off overall with no copyright whatsoever.
No one should be able to own an idea. It's that simple. The only reason we have the concept of owning ideas is because of technology that allows mass reproduction and the greedy desires to squeeze every last cent out of something, and to prevent others from deriving any benefit from anything you do without paying you for it.
I also think it's dangerous and foolish to start tossing around the word "rights." The only rights anyone really has in this country are spelled out in the Constitution and the Bill of Rights. I may not have a "right" to copy and forward and publish the email you send me, but you don't have a "right" to stop me from doing so, either. If you don't trust me to abide by your wishes, don't send me the email. You have the "right" to not email me.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
Refuting the claims by auditing the code might not be so simple. Read the thread started by de Raadt's email for details.
This person denies they put in backdoor code for the FBI... a likely story! That's just what a person working secretly for the FBI would say. And next he'll claim he's not a BSD coder too! He's guilty, guilty I say!
Seriously, until the code has been fully audited and results released, the original blurb on this is enough, I don't need several stories in a day on it. This kind of "reporting" reminds me of an incident that newscasters reported and kept updating every 30 seconds as though something amazing was going to happen any second.
a) Copyright is there and the Berne convention applies more or less world-wide.
b) The Constitution and Bill of Rights *does not* apply worldwide and I am not in the US.
So, by treaty, I believe I have more "rights" to stop you publishing the verbatim text of my private emails to you than you have to publish them.
Yes, copyright is messy, and I'd prefer not to use it, but it applies cross border.
And yes I'm not claiming to be able to stop you forwarding "ideas", I'm talking about forwarding my text as is.
Rgds
Damon
http://m.earth.org.uk/
I suppose we'll just have to disagree, then.
I must say, though, the more stupid copyright issues I read about, and the more I think about it, the more I think the very idea that anyone should be able to own a collection of letters and words borders on absurdity. Every single creative work there is has borrowed from thousands of years of history, language, folklore, legend, myth, collective cultural consciousnesses, etc. Originality is a myth--only God was truly original. And so, since we all owe something to those who have come before us, without which we couldn't have created what we've created, I think it's bordering on morally wrong to try to take exclusive ownership of an idea or collection of ideas, because in the end it's hypocritical.
If it's in their contract with the US government, you can audit the code forever and the backdoor will never show itself; think about complex mathematical algorithms that, let's say, by the delay in processing can tell you whether a bit is 0 or 1.
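The point made in that comment, that a data-dependent delay can leak a bit even when the source looks clean, is the classic argument for constant-time code. The following is an added illustration, not code from this thread or from OpenBSD: it counts loop iterations instead of measuring wall-clock time, so the "delay" is deterministic and testable. The names (`leaky_equal`, `constant_time_equal`, `work_varies_with_secret`) and the sample tag `SECRET_TAG` are constructed for the example; `hmac.compare_digest` is the real standard-library routine a reviewer would expect to see instead of a hand-rolled loop.

```python
# Added example: why a timing-dependent check can pass a source audit and still leak.
# All names and the sample secret below are constructed for illustration.
import hmac

SECRET_TAG = b"\x13\x37\xc0\xde\xba\xbe\xf0\x0d"  # constructed sample value


def leaky_equal(secret: bytes, guess: bytes):
    """Byte-by-byte comparison that stops at the first mismatch.

    Returns (equal, steps). `steps` stands in for elapsed time: it grows
    with the length of the matching prefix, so the work done depends on
    the secret even though every line reads as an innocent comparison.
    """
    if len(secret) != len(guess):
        return False, 0
    steps = 0
    for s, g in zip(secret, guess):
        steps += 1
        if s != g:
            return False, steps
    return True, steps


def constant_time_equal(secret: bytes, guess: bytes):
    """Same decision, but the amount of work never depends on where bytes differ."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    steps = 0
    for s, g in zip(secret, guess):
        steps += 1
        diff |= s ^ g          # accumulate, never exit early
    return diff == 0, steps


def stdlib_equal(secret: bytes, guess: bytes) -> bool:
    """What production code should call: the library's constant-time compare."""
    return hmac.compare_digest(secret, guess)


def work_varies_with_secret(compare, secret: bytes) -> bool:
    """Audit helper: feed `compare` guesses that match 0..len-1 leading bytes
    of the secret and report whether the operation count changes.

    A constant-time comparison yields one count for every guess; a count
    that moves with the mismatch position is the leak the comment describes.
    """
    counts = set()
    for k in range(len(secret)):
        # Flip byte k so the first mismatch sits exactly at position k.
        guess = secret[:k] + bytes([secret[k] ^ 0xFF]) + secret[k + 1:]
        _, steps = compare(secret, guess)
        counts.add(steps)
    return len(counts) > 1


if __name__ == "__main__":
    print("leaky compare varies with secret:", work_varies_with_secret(leaky_equal, SECRET_TAG))
    print("constant-time compare varies with secret:", work_varies_with_secret(constant_time_equal, SECRET_TAG))
```

Both comparison functions return identical booleans on every input, which is exactly why a line-by-line code review would not flag the first one; only a test that looks at work done per input, as `work_varies_with_secret` does, separates them.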
Wait.. we can block kdawson??
/me checks
Yes!
$ make available
Open Bothersome Side Door .
--hongpong.com