BSD Coder Denies Adding FBI Backdoor

jfruhlinger writes "Theo de Raadt has made the shocking claim that OpenBSD includes a backdoor that the FBI paid coders to build. Brian Proffitt has tracked down one of the programmers named as being on the FBI payroll (actually, he tracked down two programmers with the same name). Both deny working with the FBI."

Please correct.

[santax]

It was not Theo that made that claim. It was Theo that released the email he got from the guy making that claim! Big big difference!

Re:

[skids]

I would go on a rant about how anyone who wants to post main stories should really be forced to attend at least a half-day seminar on basic journalistic essentials.

But considering how an entire degree in journalism does not seem to have helped the professional media....

Re:

[delt0r]

So instead of Some guys found something, its I know a guy who think he found something.... Yea really credible.

Re:

[Lumpy]

It works for the MOB and gangs... want a rival killed? start rumors they are working for the cops, fbi, are dirty and skimming from the boss, etc.. Keep it up and word wil spread and get back to his guys who end up "fixing the problem".

Works in the non-cime world as well. Sysadmin acting like a BOFH? start planting small rumors he is stealing or hacking from work. Want to put questions in the minds of people who might switch from windows? put out there a "rumor" that it has Government backdoors in i

Re:

[0123456]

It works for the MOB and gangs... want a rival killed? start rumors they are working for the cops, fbi, are dirty and skimming from the boss, etc.. Keep it up and word wil spread and get back to his guys who end up "fixing the problem".

Interestingly, I was reading this morning about the FBI in the 70s spreading false claims that members of radical groups were actually FBI informants in the hope of disrupting said radical groups.

Re:

[Lennie]

'Want to put questions in the minds of people who might switch from windows? put out there a "rumor" that it has Government backdoors in it.'

Actually, if it is in OpenBSD, then you can be damn sure it is Windows too.

Re:Please correct.

[jfruhlinger]

I'm the one who submitted it to Slashdot, and it's totally my fault, not a mistake in TFA. Apologies.

Re:Please correct.

[John Hasler]

It isn't totally your fault. It is also the fault of the Slashdot editor who didn't bother to read the article.

Re:

[santax]

You are forgiven my son. Just stay clear from ssh on openbsd for now. Cause I'm not sure Theo will forgive you too :P

Re:

[daremonai]

We can forgive you for this, but not for how you did on Jeopardy.

Re:

[jfruhlinger]

O CRUEL REMINDER! *sobs*

Re:Please correct.

[tenchikaibyaku]

Even if there's no truth whatsoever behind the initial claim, I suspect we'll be seeing this pop up in various more and less accurate forms for several years to come.

Re:

[at_slashdot]

Damn, what a misleading title. Thanks for explanation.

Re:Please correct.

[santax]

You haven't read that mail if you are saying that. Just read the damn mail! http://marc.info/?l=openbsd-tech&m=129236621626462&w=2 [marc.info]

Re:

[skids]

You mean they believe things like "I have received a mail" and "It is alleged..."? How horrible.

Or do you mean that CmdrTaco being who he is, people believe what he says Theo has to say.

Re:

[bsDaemon]

Or do you mean that CmdrTaco being who he is, people believe what he says Theo has to say.

Well, some people are new here...

Re:

[Obfuscant]

The fact that Theo used his position of power to show the email to everyone does mean that he is at least tacitly endorsing and/or making the claim. Otherwise he could have just ignored it.

After reading TFA, I came to the conclusion that Theo believes it is true. He used the excuse that exposing the dastardly FBI shenanigans justified the posting of a private email. If you don't think the FBI did it, you can't use it as the excuse for posting the email.

It would have been nice if the claim came with a ref

Re:

[clone52431]

a private email

It was his e-mail, because it was sent to him. He’s the one who gets to decide whether it’s private or not.

There is someone else’s private e-mail, and then there is my e-mail. Whether or not I want my e-mail to be private is my decision. If you send me an e-mail, unless you specifically request otherwise, assume I can do whatever I want with it. Including post it online.

The whole story seemed a bit off

[Fibe-Piper]

I mean the idea that this person would still be alive when "the NDA expired..." was odd.

Why would the FBI make any NDA on something as shameful as this that would expire during one's lifetime?

Well it might

[Sycraft-fu]

The normal length for classified material is 50 years. That isn't to say it can't last longer or be declassified earlier, but 50 years is the normal NDA length. Why would this be any different? In particular there was the implication that they'd been heavily pushing it because of the backdoor. Ok but they had to know that the NDA was about to expire and thus the jig would be up and it would be, if anything, harmful.

Makes no sense. I am not buying this in the slightest without some proof. Some guy claiming something in an e-mail isn't proof, that is Internet nuttery as normal.

Re:

[Fibe-Piper]

The normal length for classified material is 50 years. That isn't to say it can't last longer or be declassified earlier, but 50 years is the normal NDA length. Why would this be any different?

FTA -

"...sent to him by Gregory Perry, who worked on the OpenBSD crypto framework a decade ago."

I think that 50 years sounds normal for an agency whose job has become protecting secrets. A decade does not sound like something that would benefit them at all. That's what seemed strange to me about the original article.

Re:

[Locutus]

this reminds me of how the CEO of Green Hills was spreading FUD saying how insure Linux was because anyone could embed backdoors in not only Linux but into gcc. He was trying to say how much better their software was because it was not open source. Some of this stuff just doesn't add up when you look at the bigger picture and what the motivation behind the info often tells the real story. For Green Hills, Linux is a threat to their business model so they wanted to spread FUD to limit its effects. I wonder w

Wrong summary

[Anonymous Coward]

Oh please, de Raadt didn't claim shit. Here's the original mail [marc.info].

Theo seems skeptical himself, he just didn't want to hold back a potential security issue.

Re:

[kjs3]

Not my point. This is probably going to come as quite a surprise to you, and you probably don't much care, but there's more at stake here than the backdoor. Jason Wright, FBI plant or no, will never be able to fully clear his name, and for some will always be "the guy who might be a FBI plant". God help the guy if someone finds some sort of bug; no matter how innocuous, it will be cited as "proof". I clearly don't know how "douche" is defined in your world, but in mine throwing someone under the bus with

Well heck, I thought they'd fess up right away.

[gestalt_n_pepper]

NOT!

Funny...

[cobrausn]

Back before I used Linux (in college), I made a habit out of making all Linux users paranoid by saying if I were the CIA / FBI / NSA / other TLA, I would worm somebody in as a contributor and do my best to put hidden backdoors into all open source operating systems. I know if I were in any of said agencies and had no respect for privacy, I would.

Re:

[BESTouff]

Whereas you can be sure no one at Microsoft or Apple is coding backdoors for a TLA ?

Re:

[bluefoxlucid]

Actually I use the DOD back door in EFS all the time. I found it while tracing EFS in IDA Pro for an exercise.

Re:

[gknoy]

How do you know they're planted by the DOD, rather than simply programming mistakes that no one caught?

Re:

[bluefoxlucid]

Hard-coded secondary keys are pretty big programming mistakes. Maybe for debugging, or an old recovery mechanism that was disabled?

Re:

[tlhIngan]

Whereas you can be sure no one at Microsoft or Apple is coding backdoors for a TLA ?

More like, you KNOW there are backdoors in Windows, Mac OS X, iOS, and all the other products they have. But don't switch to open-source purely because it's open-source and therefore, backdoors can't be hidden in the code. Even very careful audits can still miss cleverly hidden backdoors.

The silly thing about this issue is that no one can confirm or deny it, short of a full on hard core code review. The people who did it cer

Re:

[Lumpy]

OF course not. such a coder would be easily spotted because they know what they are doing and produce clean code that works... This will stand out BIG TIME at Microsoft.

Re:

[cobrausn]

tlhIngan hit it on the head. I figured they were there for Microsoft and Apple. I just liked screwing with Linux guys who were insisting they were perfectly secure because they used an open source OS.

As I said, I use Linux, so I don't have any axe to grind against open source. I'm just suspicious of pretty much everything.

BSD coder?

[Tomun]

Both deny being BSD coders too!

Re:

[Java Pimp]

Exactly. In the email sent to Theo, Scott Lowe isn't identified as one of the OpenBSD contributors accused of inserting the alleged backdoor.

He is "accused" of advocating OpenBSD while being on the FBI payroll. Which shouldn't matter anyway since that alone does not confirm a backdoor was actually inserted.

The first sentence of the summary is false.

[John Hasler]

Theo de Raadt has made the shocking claim that OpenBSD includes a backdoor that the FBI paid coders to build.

Theo did no such thing. Perry did.

What the hell?

[mysidia]

There was never any OpenBSD contributor named Scott Lowe. Did anyone actually bother to read the source material or check facts, before claiming as such?

The finger was being pointed at Scott Lowe FOR HIS Virtualization BLOG, which are merely articles that discuss the use of OpenBSD.

The mailing list author, was making a totally reckless claim with no proof shown that He was advocating OpenBSD for the benefit of the FBI which is downright ludicrous attention whoring attempt on the part of someone reposting that claim without corroboration.

A mailing list posting by one person is not a credible source to be taken at face value. Information needs to be corroborated. Posting some random person's vague accusations as front page news borders on gross negligence.

Re:

[John Hasler]

> There was never any OpenBSD contributor named Scott Lowe.

I don't see where Perry claimed that there was.

Re:

[Java Pimp]

There was never any OpenBSD contributor named Scott Lowe.

I don't see where Perry claimed that there was.

He didn't. But TFA does...

Re:

[Java Pimp]

Actually, not even TFA does, only the Slashdot summary... which shouldn't surprise anyone...

Re:

[mzs]

Exactly, the article author should contact Jason Wright and his associates for comment.

Theo didn't make the claim

[7x7]

Someone sent an email to Theo making the claim. Theo put it on the internet. Now it's true.

Re:

[interval1066]

It looks to me like de Raadt received an email from this Perry saying that he had some kind of NDA with the FBI that was part of a project the FBI hired Perry to do to add a back door to the OBSD ipsec stack, and the tone *seems* to be "ha ha ha, I screwed you" a little bit, shown by his comment about OBSD's DARPA funding. de Raadt isn't confirming or denying, he's simply saying "Look, this asshole is making claims." Claims that should be easily refuted if the OBSD stack is as heavily audited as the group c

Re:

[John Hasler]

Is the auditing being done by a completely seperate, unrelated, and independent group?

Re:

[interval1066]

I don't know, there's probably more detail at openbsd.org.

Slashdot: "News"

[BitHive]

Because it's too much trouble to quote or reproduce Theo's brief email and people wouldn't know what to make of it anyway.

Bump

[AdmV0rl0n]

The raw and cold truth is that contributors to all the open OSs can't really be vetted. Not in a meaningful way. And the number of people who are deep low level 'hackers' capable of writing the code is relatively small. The numbers able to code audit to a level of examination are even fewer. So yes, the code is open, the code is visible, the code can and could be audited. But here is the thing, being auditable is not the same as being audited. And personally, I would not be shocked if a full audit was run if something might be found.

That being said, this is one step better than closed source, where some of the above is not possible or viable, and in cases where money crosses palms, may in fact be unwanted.

Further to this though, I personally don't expect government to simply roll over and die. I expect them to take steps to try and stay one step ahead of bad things, and the relaxing of technology limits has benefitted people across the world, even if I were to make a case that the cost is that at the point of a pyramid - the goves can hunt down the world culprits and suspects. In some cases - releasing the tech in fact has your enemy using that tech after some time and you get to tap into it.

At least its an interesting story :)

Re:

[Xemu]

The raw and cold truth is that contributors to all the open OSs can't really be vetted. Not in a meaningful way.

Indeed. However, the raw truth is that open source contributions can be vetted in a meaningful way.

Don't fool yourself into believing that there are no backdoors in closed-source software.

Re:Bump

[snowgirl]

So yes, the code is open, the code is visible, the code can and could be audited. But here is the thing, being auditable is not the same as being audited.

Except this is OpenBSD we're talking about, where code audits happen frequently and often.

And personally, I would not be shocked if a full audit was run if something might be found.

A full audit would be run repeatedly over the course of this coming year even if this accusation had not come out. After all, we are talking about OpenBSD.

Theo did not make the claim..

[TheNinjaroach]

He simply released the email that was sent to him.

Unlikely...

[JustNiz]

It seems unlikely that someone could hide one or more backdoors in such a ubiquitous piece of code without _anyone_ else ever spotting it.

It also seems unlikely because Perry didn't share actual technical details of the backdoor(s) so their existence can be proven. Surely when making such a radical claim its just human nature to also justify it with all the evidence you have.

Re:

[GooberToo]

Case in point, I literally just spotted a bug in python's socket recv call (as of yet unreported) which leaks memory given the right error conditions. The code hasn't been modified for seven months and the file has existed for many, many years. The only reason I spotted it is because I was looking for very specific but unrelated behavior. Regardless, subtle errors and by association, malicious code, can easily exist for very long times, even surviving multiple code reviews.

The most important thing to rememb

Is (was) the FBI ever working w/ OpenBSD -AT ALL-?

[clone52431]

If so, where’s this NDA that Theo claims just expired? Surely he didn’t run it through the shredder already.

Re:

[clone52431]

Correction, Gregory Perry claimed to have an NDA with the FBI. Theo was just the messenger. Damn, this is confusing...

This is why I only use windows.

[Anonymous Coward]

I only use OSes I can trust!

Re:

[HiThere]

Sorry, but I can't figure out whether that's a joke, you're a troll, or you're really that stupid. (I figure that if you're on /., you can't really be too ignorant to just be uninformed.)

My bet is that it's a joke, but I sure wish the odds were better.

Oh yeah - because they'd admit it...

[moxley]

Like they'd come out and admit it if it IS true.

time to call Ponderosa Puff

[Spy Handler]

and tan his hide!

Re:

[account_deleted]

Comment removed based on user account deletion

lies, damn lies and statistics

[slick7]

Both denied working with the FBI.
But did they deny working for the FBI, directly or indirectly?

Re:Oh come on

[TheRaven64]

The difference is that the original story is posted by kdawson, so no registered users will see it, because we've all blocked him from the front page. This one is posted by Taco, so we'll see it.

Re:Oh come on

[Jurily]

Who's this "kdawson" you speak of?

Re:

[elrous0]

Kdawson is just an internet myth, long ago disproven by snopes.

Re:Oh come on

[ledow]

Funnily, that's exactly what happened to me - I wondered what people were talking about when they said it was a dupe. This is the only website I've ever had to block a submitter on, and kdawson the ONLY author I've ever had to block on any website because every submission I read from them annoyed me or was blatantly complete bollocks.

Re:

[RDW]

'This is the only website I've ever had to block a submitter on, and kdawson the ONLY author I've ever had to block on any website because every submission I read from them annoyed me or was blatantly complete bollocks.'

You must be new here:

http://www.theobvious.com/archive/1999/03/25.html [theobvious.com]

Re:

[Thud457]

I miss JonKaz.

Wait, no I don't.


Although I'd like to see a follow-up on how Junis is faring in Afghanistan these days. /. really should have a telethon to upgrade him to an Amiga.

Re:

[aztektum]

And then there is this post from CmdrTaco that utterly misinterprets what happened.

Why do I come here? I'm slowly coming less and less and shit like this doesn't help.

Re:

[LWATCDR]

So slashdot gets a twofor.

BTW the Indian extremists have been infiltrating Microsoft for years and have places many back doors into Windows so they can shutdown all our systems. Their main target is the thought control experiments based in Montauk NY at the secret underground base their. They are hoping that they can remotely activate it and then while we are under their control gain access to the secret base under the new Denver Airport.

Re:

[mr.dne]

I've been following slashdot for over 10 years and I finally registered an account just a few weeks ago. Why? Because I got so sick of kdawson's inflammatory Fox-news-esque junk articles that I finally decided to register just for the sole purpose of kill-filing him.

Re:

[Jay Tarbox]

Whatever happened to John Katz?

Re:

[Gilmoure]

I thought /. was a labor of love. How can you let go someone who works for free?

Re:

[alphax45]

You made me choke on my lunch!

Re:

[clone52431]

No, I don’t think so, because they do sometimes edit the stories. I know they edited one that I posted, they converted it from a logically divided 3-paragraph submission into a single glob of text, just like any other story.

Re:Oh come on

[eln]

Nonsense. Nobody working for this site has ever been a good enough perl coder to pull that off.

Re:

[Quiet_Desperation]

It's worse than you imagine. It's a Visual Basic program.

Re:

[Farmer Tim]

I thought blonde socialites were defenceless pets. I certainly haven't seen a practical reason for their domestication...

Re:

[Farmer Tim]

Can't say I have. The last joke I made about bestial dwarf porn got modded up pretty quickly.

Re:Oh come on

[Scutter]

You didn't get that this was a follow-up story, then, huh?

Re:

[HermMunster]

Have these two deniers stated whether they are under NDA still? Why would they admit to it when doing so would brand them?

Even though I think it is tough to miss something like that in the code it is still possible. Everyone should look to ensure that removal is performed.

If they could do that then they'd do it in Windows. Windows is closed source and easily altered. If it is verified in BSD you can be guaranteed it's in Windows.

Though this is likely true (that the code is there), it is difficult for me

Re:

[gstoddart]

even if it was you, would you admit to it?

Depending on the situation, they might not legally be able to admit it. If your work was Classified, you might be prohibited by law from admitting to it.

Not saying that is true or even likely in this case, but it is possible. I wouldn't want to run afoul of a government NDA.

Re:

[mark72005]

Warning: People denying the existence of robots may be robots themselves.

Re:

[gstoddart]

Warning: People denying the existence of robots may be robots themselves

Well, I have a robot vacuum, so I'm not going to deny their existence.

However, I can neither confirm nor deny that I am a robot.

Re:

[shentino]

Not to mention being required to admit to it would probably contradict the 5th amendment.

Re:

[just_another_sean]

Here you go: The Code [openbsd.org].

Re:

[PPH]

I'm sorry, but I'm prohibited by an NDA from discussing any work I may have done for any government organization on that project.

captcha: confuses

Re:

[John Hasler]

> If you made a deal to keep a secret you keep that secret.

If I made a deal to keep a secret for five years I keep it for five years.

Re:NDA

[zn0k]

No.

But that's because they're bound by patient confidentiality, and not a boilerplate 10 year "don't talk about anything you learned at work" NDA.

So the two cases don't really compare. At all.

Re:

[JonJ]

It's no wonder you smell poop, it's coming straight out of your mouth.

Re:

[John Hasler]

Don't be an ass. Professional confidentiality is not the same as an NDA contract, and he didn't claim that all such agreements expire after ten years in any case.

Re:

[Qzukk]

So when you go to your doctor or shrink can they say hey its been ten year I can blab about so and so's mental problems

If you signed a contract saying after 10 years the doctor can blab all he wants, sure.

Re:

[ledow]

What backdoor? Nobody has found ANYTHING yet. They just have a rumour, duly propogated onwards because of its *potential* security applications, that someone may have once been paid to do such a thing. Doesn't mean it's true, that they succeeded, or that it hasn't been removed since.

It's impossible to prove something *isn't* there, of course, but it would be a cinch to prove it *was*. Nobody has yet stepped forward with anything even approaching a slight vulnerability in their IPSec implementation that

Re:No BBlobs?

[Lumpy]

You dont realize how it is possible to hide evil code in front of someone's face..

http://underhanded.xcott.com/ [xcott.com]

go there and read, look at the winning and runner up entries... If you are a competent coder you can hide things right in front of someone and they will not spot it. It's scary as hell what some of these guys can do.

Re:

[ifrag]

If you are a competent coder you can hide things right in front of someone and they will not spot it. It's scary as hell what some of these guys can do.

Which is why I think the best solution would be to rewrite the module from scratch and then do the audit on that version of it. Preferably developed by people who have never touched that part prior and written to spec without referencing the original code. After all, this is probably the most paranoid group in all of open source. Although speculation of a potential exploit might not be enough to drive all that.

The whole thing does smell very fishy though.

Re:

[snowgirl]

If you are a competent coder you can hide things right in front of someone and they will not spot it. It's scary as hell what some of these guys can do.

If you're a competent coder you can make what looks like obvious mistakes that any proper editor should be able to distinguish as an error. (The top two runner ups on that page are obvious coding errors that any code review should pick up. The third is something that testing and a good code review should catch.)

Now, all of that said, I had a hojillion code reviews working for A Very Large Multinational Computer Operating System Company that came back with the only comment being: "looks good". I caught at

Re:

[ray-auch]

The allegation is inclusion of a side-channel in the crypto algorithm for leakage of key bits.

If you know about crypto coding, you'll know instantly why that would be easy to hide and hard to find.

If you don't, then any explanation is likely to be as much gibberish to you as the code would be.

Re:

[0123456]

The allegation is inclusion of a side-channel in the crypto algorithm for leakage of key bits.

If you know about crypto coding, you'll know instantly why that would be easy to hide and hard to find.

IPSEC is a well-documented standard: you can't just stick 'random numbers' which happen to contain parts of the key in the data stream as you could with some home-grown crypto system. The fact that it is a standard which has to interoperate with other implementations of the standard eliminates most of the usual methods of deliberately leaking keys.

Certainly there could be deliberate timing effects, etc, but everyone these days should be using crypto implementations which protect against such things.

Re:

[mzs]

padding, back then it was random in OpenBSD, hard to verify, never looked at by software. Now it's speced in a verifiable manner. Either nobody knew or nobody was forth coming with the information that it was a useful side channel back then.

Re:

[0123456]

Does IPSEC really allow random padding? If so, the design is even worse than I imagined... I thought people figured out that non-deterministic padding was bad well over 10 years ago.

However, if i's padded pre-encryption it's far less useful for an attacker since either it would have to somehow leak key bits into the encrypted data (which would require code that was obviously monumentally broken) or it would only leak key information to the system on the other end of the IPSEC link.

Re:Smells like FUD to me

[TheRaven64]

This means that a code audit would find this so-called back door, yes?

Nope. OpenBSD is audited, but the auditors are human (well, some aren't, but they can only spot categories of bug that are well documented). The code is not formally, mathematically verified (doing so for nontrivial C code is basically impossible), so there's always the possibility of a bug and, as the OpenBSD team says, the only difference between a bug and a vulnerability is the intelligence of the attacker.

Regular code audits increase the probability that a backdoor would be found, but they don't guarantee it. That's why this is such effective FUD: it's basically impossible to prove that it's not true.

Re:

[socz]

Yeah either way, this is a tiny blow to the BSD's just because it's something one could say against them. All these years of pushing BSD out to everyone and now this! Boy, am I gonna hear it today! Or tomorrow if they don't keep up with the news.