FBI 'planted backdoor' in OpenBSD Allegations that the FBI may have smuggled back doors or weaknesses into openBSD's cryptography have created uproar in the security community. Former government contractor Gregory Perry, who helped develop the OpenBSD crypto framework a decade ago, claims that contractors were paid to insert backdoors into OpenBSD's IPSec …
This post has been deleted by its author
the NSA has direct input into the Linux kernel and graciously "donated" the code for SELinux (and what else?). Some kernel vulnerabilities persisted for years.
MS has had an office at the NSA for years. Apple is also a cooperator. Google received "assistance" with their IPO from Tenet at CIA through one of the Firm's investment corps.
OPEN is good - if one takes the time to read the code (or can read it).
The NSA and other US entities (and certainly another "government" have buried half-keys in encryption products - commercial - and those in the know made millions from the suckers who were ignorant enough to purchase American software.
Much of the world now understands that the US is a vassal state - and not independent. ALL of its agencies exist to dupe the rest of the world. It is not necessary to dupe the Americans, as they are the most ignorant folk on the face of the earth. They believe that a dude with a box cutter can "capture" several hundred people. Thus, they let the airport STASI fondle their now-public formerly-private parts.
Oh you were serious? Right.
I love the Truthers. The US government is so amazingly smart that it can bomb three of the largest office buildings in the world, kill 3000 or so people, and cover it up so that Halliburton/Freemasons/Exxon/Bushes can get oil/more power/oil/war with Iraq/badgers. And that coverup is ironclad with no leaks, while simultaneously being incapable of preventing a low-ranking soldier access and release some quarter-million classified files documenting actual incidents of the US government's military killing civilians, State Dept docs, etc to an Swedish website run by an Aussie.
What's that? Oh, I get it. Their incompetence is only a cover for their deft coverup of 9/11.
Generalizing Americans as 'the most ignorant folk on the face of the earth' is in what way more intelligent than what (I admit) most Americans think of the rest of the world?
I don't agree with quite a bit of what the government does in my and my country's name but unless there is a major civil upheaval, only incremental change will occur. I vote in every election for the best person for the job, party doesn't matter, and usually it's an exercise in choosing the lesser evil.
Yeah.
And by the way - Obama and his people charmed a bunch of you folks out of your pants too - same old, same old. No true surprise at all.
Your post was good until the last part and as Dick Cheney, the Walmart Greeter said, "Go Fuck Yourself"
;)
Yeah, like Google really needed any help with their IPO.
Their initial round of venture capital funding, maybe.
By the way, if the dude with the boxcutter has hold of a stewardess and is threatening to gouge her eyes out with it if the passengers don't co-operate, passengers who have no reason to believe it's anything more than the usual kind of hijacking, they're probably going to opt not to cause her unneccessary blindness.
No doubt we will see a lot of frothing in the commentary section over this since, if true, it is a serious compromise of software used by a number of security-focused companies and individuals.
But it also reads a bit like some cheap novel, as it seems unlikely something as fundamentally important (to the FBI, etc) would be open for discussion following a "10 year NDA".
So the real question, where is the cryptographic beef? Has anyone got evidence this succeeded?
I guess it is possible that some subtle flaws in key components might have been smuggled in, but again I also expect this mechanism has been studied by people knowing FAR more than I do about the matter. So where is the evidence?
Either way, I still trust open source far more than Windows!
Not likely, and when I say possible I talking four or five standard deviations out on the normal curve possible.
What doesn't scan for me is that one of the guys on the inside who pulled off the nearly impossible spills the beans 10 years later because ....? He's feeling guilty? The kinds of people who would plant a back door in open source code don't feel regret over that sort of thing. What's his angle? Is it disinformation instead?
This post has been deleted by its author
'Chris Wysopal, CTO of application security tools firm Veracode and former high profile member of hacker collective L0pht Heavy Industries, said that the issue of potential backdoors doesn't stop with OpenBSD: "If OpenBSD w/all their auditing was backdoored where does that leave Linux, Windows, FreeBSD, OS X. Who thinks they stopd at smallest dist?"'
Since OpenSSH is intimately tied-in with OpenBSD, my guess would be that this is the cryptographical code they'll have hit. So no need to specifically target the rest of us, since most of us will be using OpenSSH anyway.
Another good reason not to trust the bloody Yanks.
So. Many. Answers...
1) The FBI doesn't need to bother with planting back doors, so many accidental ones already.
2) The FBI backdoors have been disabled and replaced by Chinese subcontractors.
3) No need for doors ... the Windows are already open.
4) This is just open source FUD, closed and proprietary software is secure! We know because we paid for it.
5) No need for backdoors in Windows - we have Adobe for that.
6) Not worthwhile backdooring Windows - no worthwhile target would use Windows for VPNs or other Internet-facing services
etc. etc.
Greg's email claims: "the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA".
OCF = OpenBSD crypto framework
VPN = virtual private network, used to encrypt links between friendly sites
EOUSA = Executive Office of the United States Attorneys. Not, as Greg describes, the "parent body of the FBI", it actually liases between the US Attorneys and the DoJ. However one of the functions of the 90-odd US Attorneys is to prosecute cases for the FBI..
If true I don't think EOUSA will be very pleased that the FBI have been spying on them, or even attempting to - and they have the clout to do something about it.
Minister : How can we subvert open source software?
Sir Humphrey : Well minister we have a bunch of very bright programmers in eh-hem, who can write some complex software with back doors we can exploit.
Minister : But won't the community catch on?
Sir Humphrey : No Minister, they trust their community, we just have to make sure any peer review is done by one of ours.
Minister : Bring it on.
Sorry, but some government department somewhere will have worked this one out.
He'd never suggest anything so aggressive and irresponsible! Why he'd simply suggest that the government could engage more closely with the open source community to reach a broad understanding of the necessitities of interaction between government agencies, the software community and individuals in order to provide a more open and direct means of intersecting the security needs of the state with the desire for individual autonomy within the confines of a multilateral framework that sets out the necessary responsibilities of all parties involved. Then the Minister would goggle and say "And that would provide us with-" and shake his hand, with the hope that this would portray that he has any idea at all what was just said, and Humpers would shake his head and say why no no no, minister, we are not proposing any such thing at all, we are merely attempting to facilitate more reliable interaction between ourselves and the general public! If it happens that a few innocent communications are temporarily misallocated before being sent to their correct destination we will of course be incredibly eager to see to it that any future miscommunication vis a vis the necessary destinations of public communications are of course communicated correctly, and we will in the fullness of time time considering all possibilities with due concern correctly communicate this correct communication to the correct communities.
He'd never suggest for one moment that they spy on people. Certainly not.
..I would say this sounds entirely plausible. I worked for a non-US crypto company at that time and USGov was quite concerned about this company doing a proper version of SSL (128 bit symmetric key).
My employer did not make this SSL library publicly available, but sold it for special-purpose finance applications.
Despite the fact that we had 128 bit end-to-end, real security was quite often a theater. For example, we needed Safe Session Identifiers to protect user sessions over more than one HTTPS request. Some extremely smart people ended up using rand(5) to generate that Session Identifier. I alerted management to this, who were basically annoyed at the prospect of spending money on fixing the problem. The fix was only ever rolled out for new projects; existing ones had the "capturable" sessions for years, despite of our clear knowledge.
Malice, Laziness, Incompetence ? You decide.
PS: The company went belly up after they went on a 1000 million $ acquisition spree.
Maybe he'll stop dissing Linux as a "cheap hackjob" now that his BSD distro has been outed as "0wned by the FBI".
Of course, I wonder if other OSen have similar things? Isn't it supposed that the open source process would catch these kind of things?
Hey wait, someone tried to sabotage the Linux kernel a couple of years ago. It was found in the version control before it was released to the public... so probably OpenBSD's process isn't as good as they claim it to be.
I do think some commercialware software vendors (mainly from the west of the U.S. of A) are really scared by Linux and BSD eating their future revenue in a very comprehensive way.
This could be the reason "for a guy forthcoming after the expiry of his NDA". He actually got a big fat contract by commercialware front-company WindScreen Computing Inc, which in turn got an even bigger contract from ... well you know whom I mean. Those behind the SCO/Unix/linux theater. He plays the FUD mouthpiece.
We are going to see whether this is just part of a FUD exercise and it will certainly make BSD stronger, because of all the eyeballs looking at the code AGAIN. And if WindScreen Inc can dig up some real bugs, all the better. It will only harden open source software.
The Chinese government will construct one more zero-day exploit based on their ability to inspect Windows Source. Looking forward for The Day 400 million Windows Users Are Owned.
Second comment on the 'STallman mauls ChromeOS' story is about how the three letter agencies have access to windows, but linux and *BSD are safe.
FAIL.
MOst people don't pay attention to the code, especially in large thigns like OS'. People just assume someone else has checked, and when backdoors, exploits etc. come out, there's no accountability.
Mozilla is a great example of this. Firefox for windows has one of the WORST security records of any browser. It's still advertised as being secure, because the little bit THEY write, is. All the exploits are in the majority of the code others write. Instead of spending some of the $50M/year on making their product secure, they spend it on advertising, convicing the poor saps that it is. MS does the same sort of thing (but not as bad) and gets crucified, because they are accountable, with it all being coded in-house.
Did/does anyone not think there are backdoors in commercial closed source code?
I thought that had always been a given, but that it was claimed that they "many eyes" would keep such things out of open source.
These would be the same "many eyes" that read over each edition of the Oxford English Dictionary looking for errors.
"We could tell be reading archived source code."
This won't do you any good, at least if you don't have control of the tool chain ... My assembler & linker can easily leave me a backdoor in the resulting binaries, *EVEN IF* that backdoor isn't in the source code that you feed 'em. Think about it.
"If anyone bothers to do this, I expect we'll have a preliminary answer by next week."
Again, I invite all y'all to read: http://cm.bell-labs.com/who/ken/trust.html ... The source code is one thing, but the corner-stone binaries are another. Don't confuse the two.
http://www.osnews.com/story/24136/_FBI_Added_Secret_Backdoors_to_OpenBSD_IPSEC_
Does anyone really expect anything other than denials all round. Common knowledge that the NSA has backdoors into near enough every American system, quite openly in some cases, quick Google for "NSA backdoors Windows" is quite detailed and there's no reason to think it any different on any other OS.
Like machiavelli wroted in le principe.
"The state is allowed to do everything in favor for the state itself."
Which is why if you or I backdoored the Worlds OS's we'd be looking at plenty of HM's pleasure, and some numpty f+++wit from the establishment gets a peerage and full indexed linked early retirement pension for the same crime.
My Question has always been, "How many countries have back doors in it?"
With commercial software I assume the nation where the functional headquarters are, plus the USA, plus several other nations with a really big security budget and lots of expat citizens well-placed working in the IT industry worldwide.
With open source, the barriers to entry are lower.
And if the back door is discovered, it is easier to claim it is a vulnerability included by mistake or to hide the author. (Easer with open source, I suspect. Also possible with closed source. I don't doubt that at least some vulnerabilities were intentionally installed.)
It isn't quite clear in the article, but was Perry actually involved in the backdoor work he is claiming occurred? If so then he is a git. If you sign up to an NDA or are otherwise bound to secrecy, then OK, you keep quiet about what you know. But to actually do the work is another thing entirely : that shows no sense of ethics at all.
Yes of course, like no-one looked closely at BSD cryptography over the years. It was never peer reviewed, No university courses used it as a teaching model and no researchers are interested in crypo at all. Not really credible.
I heard that the US and USSR tried to control each others nuclear weapons with the power of 'Psychic's' trained minds. If this proves true it could radically alter the war on terror.
Problem is it isn't true. Yes they tried and yes they failed. Yes they gave up. Isn't this the same type of story.
This post has been deleted by its author
was as it were a wheel in the middle of a wheel ...»
And I who thought that this sort of thing only occured in «other» countries, with «totalitarian» systems ! But perhaps it's all for the best and these erosions of our civil liberties are done solely to protect us from all the lurking dangers out there....
Henri
Because with Windows only a the proper authorities can discover backdoors easily. Including the authorities located in
Beijing, Brasilia, Berlin, London, Madrid, Moscow, Washington, Paris, Rome.
Windows users will be primarily fscked by the governments, those who can use the intelligence gathered to make a legal circus show (cue: The Assange Law Show ). With you, dear user fermenting in a government jail.
The Chinese government has already used this capability to the Full Extent, according to the news reports. They only don't bother to call it "rape". They call it "enemy of the state". Result is the same, but at least the authorities are HONEST.
Now that the USOFA uses botnets to gather intelligence, I suspect the Russkie Govt is not just turning a "blind eye" to the Russian Business Network. My guess is that the RBN has the opportunity to Make Money while the Russkie Government can Produce Intelligence from the RBN botnets.
Doubleclick recently distributed a Virus over their Ad Network. Should we call this "American Business Network" ?
One Google Query ("09STATE67105") away:
"¶55. (S//NF) CTAD comment: Of note, the CNITSEC is responsible
for overseeing the PRC's Information Technology (IT) security
certification program. It operates and maintains the National
Evaluation and Certification Scheme for IT security and
performs tests for information security products. In 2003,
the CNITSEC signed a Government Security Program (GSP)
international agreement with Microsoft that allowed select
companies such as TOPSEC access to Microsoft source code in
order to secure the Windows platform. XXXXXXXXXXXX
¶56. (S//NF) CTAD comment: Additionally, CNITSEC enterprises
has recruited Chinese hackers in support of nationally-funded
"network attack scientific research projects." From June 2002
to March 2003, TOPSEC employed a known Chinese hacker, Lin
Yong (a.k.a. Lion and owner of the Honker Union of China), as
senior security service engineer to manage security service
and training. Venus Tech, another CNITSEC enterprise privy to
the GSP, is also known to affiliate with XFocus, one of the
few Chinese hacker groups known to develop exploits to new
vulnerabilities in a short period of time, as evidenced in
the 2003 release of Blaster Worm (See CTAD Daily Read File
(DRF) April 4, 2008)."
It was around this time the alt.ph.uk newsgroup were looking at a secure communications platform for forums sothe cliche could avoid the chaff. Interestingly the project was running full steam and then suddenly went cold and silent with many involved dropping of the scene. Maybe they found something then and maybe not.
Still bottom line NOTHING is secure and thats about as secure as it can ever get.
Code audits are all well and fine by when you deal with crypto who audits the maths behind the encryption as a coder will only end up fixing broken code and not the maths. So all the code audits in the World wouldn't find the types of flaws that are being highlighted.
Padding is and always will be a indication of a imperfect system.
ANON as those that know, know
PS whats a peace of handwritten paper from Theo on OpenBSD stationary stating of course its secure dated around this time worth I'm wondering }->
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
