BSD Coder Denies Adding FBI Backdoor
jfruhlinger writes "Theo de Raadt has made the shocking claim that OpenBSD includes a backdoor that the FBI paid coders to build. Brian Proffitt has tracked down one of the programmers named as being on the FBI payroll (actually, he tracked down two programmers with the same name). Both deny working with the FBI."
Please correct. (Score:5, Informative)
Re: (Score:3, Insightful)
I would go on a rant about how anyone who wants to post main stories should really be forced to attend at least a half-day seminar on basic journalistic essentials.
But considering how an entire degree in journalism does not seem to have helped the professional media....
Re: (Score:2)
It works for the MOB and gangs... want a rival killed? start rumors they are working for the cops, fbi, are dirty and skimming from the boss, etc.. Keep it up and word will spread and get back to his guys who end up "fixing the problem".
Works in the non-crime world as well. Sysadmin acting like a BOFH? start planting small rumors he is stealing or hacking from work. Want to put questions in the minds of people who might switch from windows? put out there a "rumor" that it has Government backdoors in it.
Re: (Score:2)
It works for the MOB and gangs... want a rival killed? start rumors they are working for the cops, fbi, are dirty and skimming from the boss, etc.. Keep it up and word will spread and get back to his guys who end up "fixing the problem".
Interestingly, I was reading this morning about the FBI in the 70s spreading false claims that members of radical groups were actually FBI informants in the hope of disrupting said radical groups.
Re: (Score:3)
'Want to put questions in the minds of people who might switch from windows? put out there a "rumor" that it has Government backdoors in it.'
Actually, if it is in OpenBSD, then you can be damn sure it is Windows too.
Re:Please correct. (Score:5, Informative)
I'm the one who submitted it to Slashdot, and it's totally my fault, not a mistake in TFA. Apologies.
Re:Please correct. (Score:5, Insightful)
It isn't totally your fault. It is also the fault of the Slashdot editor who didn't bother to read the article.
Re: (Score:2)
O CRUEL REMINDER! *sobs*
Re:Please correct. (Score:5, Insightful)
Re: (Score:2)
Damn, what a misleading title. Thanks for explanation.
Re:Please correct. (Score:5, Informative)
Re: (Score:3)
You mean they believe things like "I have received a mail" and "It is alleged..."? How horrible.
Or do you mean that CmdrTaco being who he is, people believe what he says Theo has to say.
Re: (Score:2)
Or do you mean that CmdrTaco being who he is, people believe what he says Theo has to say.
Well, some people are new here...
Re: (Score:2)
After reading TFA, I came to the conclusion that Theo believes it is true. He used the excuse that exposing the dastardly FBI shenanigans justified the posting of a private email. If you don't think the FBI did it, you can't use it as the excuse for posting the email.
It would have been nice if the claim came with a ref
Re: (Score:3, Informative)
a private email
It was his e-mail, because it was sent to him. He’s the one who gets to decide whether it’s private or not.
There is someone else’s private e-mail, and then there is my e-mail. Whether or not I want my e-mail to be private is my decision. If you send me an e-mail, unless you specifically request otherwise, assume I can do whatever I want with it. Including post it online.
The whole story seemed a bit off (Score:4, Interesting)
I mean the idea that this person would still be alive when "the NDA expired..." was odd.
Why would the FBI make any NDA on something as shameful as this that would expire during one's lifetime?
Well it might (Score:5, Insightful)
The normal length for classified material is 50 years. That isn't to say it can't last longer or be declassified earlier, but 50 years is the normal NDA length. Why would this be any different? In particular there was the implication that they'd been heavily pushing it because of the backdoor. Ok but they had to know that the NDA was about to expire and thus the jig would be up and it would be, if anything, harmful.
Makes no sense. I am not buying this in the slightest without some proof. Some guy claiming something in an e-mail isn't proof, that is Internet nuttery as normal.
Re: (Score:2)
The normal length for classified material is 50 years. That isn't to say it can't last longer or be declassified earlier, but 50 years is the normal NDA length. Why would this be any different?
FTA -
"...sent to him by Gregory Perry, who worked on the OpenBSD crypto framework a decade ago."
I think that 50 years sounds normal for an agency whose job has become protecting secrets. A decade does not sound like something that would benefit them at all. That's what seemed strange to me about the original article.
Wrong summary (Score:3, Informative)
Oh please, de Raadt didn't claim shit. Here's the original mail [marc.info].
Theo seems skeptical himself, he just didn't want to hold back a potential security issue.
Well heck, I thought they'd fess up right away. (Score:2, Funny)
NOT!
Funny... (Score:2)
Re: (Score:3)
How do you know they're planted by the DOD, rather than simply programming mistakes that no one caught?
Re: (Score:3)
More like, you KNOW there are backdoors in Windows, Mac OS X, iOS, and all the other products they have. But don't switch to open-source purely because it's open-source and therefore, backdoors can't be hidden in the code. Even very careful audits can still miss cleverly hidden backdoors.
The silly thing about this issue is that no one can confirm or deny it, short of a full on hard core code review. The people who did it cer
Re: (Score:3)
Of course not. Such a coder would be easily spotted because they know what they are doing and produce clean code that works... This will stand out BIG TIME at Microsoft.
Re: (Score:2)
tlhIngan hit it on the head. I figured they were there for Microsoft and Apple. I just liked screwing with Linux guys who were insisting they were perfectly secure because they used an open source OS.
As I said, I use Linux, so I don't have any axe to grind against open source. I'm just suspicious of pretty much everything.
BSD coder? (Score:2)
Both deny being BSD coders too!
Re: (Score:2)
Exactly. In the email sent to Theo, Scott Lowe isn't identified as one of the OpenBSD contributors accused of inserting the alleged backdoor.
He is "accused" of advocating OpenBSD while being on the FBI payroll. Which shouldn't matter anyway since that alone does not confirm a backdoor was actually inserted.
The first sentence of the summary is false. (Score:3)
Theo did no such thing. Perry did.
What the hell? (Score:5, Insightful)
There was never any OpenBSD contributor named Scott Lowe. Did anyone actually bother to read the source material or check facts, before claiming as such?
The finger was being pointed at Scott Lowe FOR HIS Virtualization BLOG, which are merely articles that discuss the use of OpenBSD.
The mailing list author was making a totally reckless claim, with no proof shown, that he was advocating OpenBSD for the benefit of the FBI, which is a downright ludicrous attention-whoring attempt on the part of someone reposting that claim without corroboration.
A mailing list posting by one person is not a credible source to be taken at face value. Information needs to be corroborated. Posting some random person's vague accusations as front page news borders on gross negligence.
Re: (Score:3)
> There was never any OpenBSD contributor named Scott Lowe.
I don't see where Perry claimed that there was.
Re: (Score:2)
There was never any OpenBSD contributor named Scott Lowe.
I don't see where Perry claimed that there was.
He didn't. But TFA does...
Re: (Score:2)
Actually, not even TFA does, only the Slashdot summary... which shouldn't surprise anyone...
Re: (Score:2)
Exactly, the article author should contact Jason Wright and his associates for comment.
Theo didn't make the claim (Score:5, Insightful)
Re: (Score:2)
Is the auditing being done by a completely separate, unrelated, and independent group?
Slashdot: "News" (Score:3)
Because it's too much trouble to quote or reproduce Theo's brief email and people wouldn't know what to make of it anyway.
Bump (Score:5, Interesting)
The raw and cold truth is that contributors to all the open OSs can't really be vetted. Not in a meaningful way. And the number of people who are deep low level 'hackers' capable of writing the code is relatively small. The numbers able to code audit to a level of examination are even fewer. So yes, the code is open, the code is visible, the code can and could be audited. But here is the thing, being auditable is not the same as being audited. And personally, I would not be shocked if something were found when a full audit was run.
That being said, this is one step better than closed source, where some of the above is not possible or viable, and in cases where money crosses palms, may in fact be unwanted.
Further to this though, I personally don't expect government to simply roll over and die. I expect them to take steps to try and stay one step ahead of bad things, and the relaxing of technology limits has benefited people across the world, even if I were to make a case that the cost is that at the point of a pyramid - the govs can hunt down the world culprits and suspects. In some cases - releasing the tech in fact has your enemy using that tech after some time and you get to tap into it.
At least it's an interesting story :)
Re: (Score:3)
Indeed. However, the raw truth is that open source contributions can be vetted in a meaningful way.
Don't fool yourself into believing that there are no backdoors in closed-source software.
Re:Bump (Score:4, Interesting)
So yes, the code is open, the code is visible, the code can and could be audited. But here is the thing, being auditable is not the same as being audited.
Except this is OpenBSD we're talking about, where code audits happen frequently and often.
And personally, I would not be shocked if something were found when a full audit was run.
A full audit would be run repeatedly over the course of this coming year even if this accusation had not come out. After all, we are talking about OpenBSD.
Theo did not make the claim.. (Score:3)
Unlikely... (Score:2)
It seems unlikely that someone could hide one or more backdoors in such a ubiquitous piece of code without _anyone_ else ever spotting it.
It also seems unlikely because Perry didn't share actual technical details of the backdoor(s) so their existence can be proven. Surely when making such a radical claim it's just human nature to also justify it with all the evidence you have.
Re: (Score:2)
Case in point, I literally just spotted a bug in python's socket recv call (as of yet unreported) which leaks memory given the right error conditions. The code hasn't been modified for seven months and the file has existed for many, many years. The only reason I spotted it is because I was looking for very specific but unrelated behavior. Regardless, subtle errors and by association, malicious code, can easily exist for very long times, even surviving multiple code reviews.
The most important thing to rememb
Is (was) the FBI ever working w/ OpenBSD -AT ALL-? (Score:2)
If so, where’s this NDA that Theo claims just expired? Surely he didn’t run it through the shredder already.
Re: (Score:2)
Correction, Gregory Perry claimed to have an NDA with the FBI. Theo was just the messenger. Damn, this is confusing...
This is why I only use windows. (Score:2, Funny)
I only use OSes I can trust!
Re: (Score:2)
Sorry, but I can't figure out whether that's a joke, you're a troll, or you're really that stupid. (I figure that if you're on /., you can't really be too ignorant to just be uninformed.)
My bet is that it's a joke, but I sure wish the odds were better.
Oh yeah - because they'd admit it... (Score:2)
Like they'd come out and admit it if it IS true.
time to call Ponderosa Puff (Score:2)
lies, damn lies and statistics (Score:2)
But did they deny working for the FBI, directly or indirectly?
Re:Oh come on (Score:5, Insightful)
Re:Oh come on (Score:4, Funny)
Who's this "kdawson" you speak of?
Re: (Score:3)
Kdawson is just an internet myth, long ago disproven by snopes.
Re:Oh come on (Score:4, Insightful)
Funnily, that's exactly what happened to me - I wondered what people were talking about when they said it was a dupe. This is the only website I've ever had to block a submitter on, and kdawson the ONLY author I've ever had to block on any website because every submission I read from them annoyed me or was blatantly complete bollocks.
Re: (Score:2)
'This is the only website I've ever had to block a submitter on, and kdawson the ONLY author I've ever had to block on any website because every submission I read from them annoyed me or was blatantly complete bollocks.'
You must be new here:
http://www.theobvious.com/archive/1999/03/25.html [theobvious.com]
Re: (Score:2)
Wait, no I don't.
Although I'd like to see a follow-up on how Junis is faring in Afghanistan these days.
Re: (Score:2)
And then there is this post from CmdrTaco that utterly misinterprets what happened.
Why do I come here? I'm slowly coming less and less and shit like this doesn't help.
Re: (Score:2)
So slashdot gets a twofer.
BTW the Indian extremists have been infiltrating Microsoft for years and have placed many back doors into Windows so they can shutdown all our systems. Their main target is the thought control experiments based in Montauk NY at the secret underground base there. They are hoping that they can remotely activate it and then while we are under their control gain access to the secret base under the new Denver Airport.
Re: (Score:2)
Whatever happened to John Katz?
Re: (Score:2)
I thought /. was a labor of love. How can you let go someone who works for free?
Re: (Score:2)
No, I don’t think so, because they do sometimes edit the stories. I know they edited one that I posted, they converted it from a logically divided 3-paragraph submission into a single glob of text, just like any other story.
Re:Oh come on (Score:4, Funny)
Re: (Score:2)
It's worse than you imagine. It's a Visual Basic program.
Re: (Score:2)
I thought blonde socialites were defenceless pets. I certainly haven't seen a practical reason for their domestication...
Re: (Score:3)
Can't say I have. The last joke I made about bestial dwarf porn got modded up pretty quickly.
Re:Oh come on (Score:4, Informative)
You didn't get that this was a follow-up story, then, huh?
Re: (Score:2)
Have these two deniers stated whether they are under NDA still? Why would they admit to it when doing so would brand them?
Even though I think it is tough to miss something like that in the code it is still possible. Everyone should look to ensure that removal is performed.
If they could do that then they'd do it in Windows. Windows is closed source and easily altered. If it is verified in BSD you can be guaranteed it's in Windows.
Though this is likely true (that the code is there), it is difficult for me
Re: (Score:3)
Depending on the situation, they might not legally be able to admit it. If your work was Classified, you might be prohibited by law from admitting to it.
Not saying that is true or even likely in this case, but it is possible. I wouldn't want to run afoul of a government NDA.
Re: (Score:2)
Well, I have a robot vacuum, so I'm not going to deny their existence.
However, I can neither confirm nor deny that I am a robot.
Re: (Score:2)
Not to mention being required to admit to it would probably contradict the 5th amendment.
Re: (Score:2)
Here you go: The Code [openbsd.org].
Re: (Score:2)
I'm sorry, but I'm prohibited by an NDA from discussing any work I may have done for any government organization on that project.
captcha: confuses
Re: (Score:3)
> If you made a deal to keep a secret you keep that secret.
If I made a deal to keep a secret for five years I keep it for five years.
Re:NDA (Score:4, Informative)
No.
But that's because they're bound by patient confidentiality, and not a boilerplate 10 year "don't talk about anything you learned at work" NDA.
So the two cases don't really compare. At all.
Re: (Score:2)
Don't be an ass. Professional confidentiality is not the same as an NDA contract, and he didn't claim that all such agreements expire after ten years in any case.
Re: (Score:2)
So when you go to your doctor or shrink, can they say, hey, it's been ten years, I can blab about so-and-so's mental problems?
If you signed a contract saying after 10 years the doctor can blab all he wants, sure.
Re: (Score:2)
What backdoor? Nobody has found ANYTHING yet. They just have a rumour, duly propagated onwards because of its *potential* security applications, that someone may have once been paid to do such a thing. Doesn't mean it's true, that they succeeded, or that it hasn't been removed since.
It's impossible to prove something *isn't* there, of course, but it would be a cinch to prove it *was*. Nobody has yet stepped forward with anything even approaching a slight vulnerability in their IPSec implementation that
Re:No BBlobs? (Score:5, Interesting)
You don't realize how it is possible to hide evil code in front of someone's face..
http://underhanded.xcott.com/ [xcott.com]
go there and read, look at the winning and runner up entries... If you are a competent coder you can hide things right in front of someone and they will not spot it. It's scary as hell what some of these guys can do.
Re: (Score:2)
If you are a competent coder you can hide things right in front of someone and they will not spot it. It's scary as hell what some of these guys can do.
Which is why I think the best solution would be to rewrite the module from scratch and then do the audit on that version of it. Preferably developed by people who have never touched that part prior and written to spec without referencing the original code. After all, this is probably the most paranoid group in all of open source. Although speculation of a potential exploit might not be enough to drive all that.
The whole thing does smell very fishy though.
Re: (Score:2)
If you are a competent coder you can hide things right in front of someone and they will not spot it. It's scary as hell what some of these guys can do.
If you're a competent coder you can make what looks like obvious mistakes that any proper editor should be able to distinguish as an error. (The top two runners-up on that page are obvious coding errors that any code review should pick up. The third is something that testing and a good code review should catch.)
Now, all of that said, I had a hojillion code reviews working for A Very Large Multinational Computer Operating System Company that came back with the only comment being: "looks good". I caught at
Re: (Score:2)
The allegation is inclusion of a side-channel in the crypto algorithm for leakage of key bits.
If you know about crypto coding, you'll know instantly why that would be easy to hide and hard to find.
If you don't, then any explanation is likely to be as much gibberish to you as the code would be.
Re: (Score:3)
The allegation is inclusion of a side-channel in the crypto algorithm for leakage of key bits.
If you know about crypto coding, you'll know instantly why that would be easy to hide and hard to find.
IPSEC is a well-documented standard: you can't just stick 'random numbers' which happen to contain parts of the key in the data stream as you could with some home-grown crypto system. The fact that it is a standard which has to interoperate with other implementations of the standard eliminates most of the usual methods of deliberately leaking keys.
Certainly there could be deliberate timing effects, etc, but everyone these days should be using crypto implementations which protect against such things.
Re: (Score:2)
Padding: back then it was random in OpenBSD, hard to verify, never looked at by software. Now it's spec'd in a verifiable manner. Either nobody knew or nobody was forthcoming with the information that it was a useful side channel back then.
Re: (Score:2)
Does IPSEC really allow random padding? If so, the design is even worse than I imagined... I thought people figured out that non-deterministic padding was bad well over 10 years ago.
However, if it's padded pre-encryption it's far less useful for an attacker since either it would have to somehow leak key bits into the encrypted data (which would require code that was obviously monumentally broken) or it would only leak key information to the system on the other end of the IPSEC link.
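The two points made above, that an innocuous-looking filler can hide a key leak in plain sight (the Underhanded C Contest link earlier in the thread) and that random padding is unverifiable while spec'd padding is not, can be shown in a few dozen lines. This is an added example written for this page; it is not OpenBSD's IPsec code or anything from the original mail. The key, the packet count, the function names (`pad_fill_prng`, `pad_recover`, `demo`) and the "whitening" constant are all constructed for illustration. The deterministic scheme is the one RFC 4303 specifies for ESP trailer padding (bytes 1, 2, 3, ... in order), which a receiver is allowed to check byte for byte.

```c
/* Added example, not OpenBSD code: ESP-style trailer padding two ways,
 * the verifiable RFC 4303 scheme and a hypothetical "random" filler
 * that quietly echoes key bytes to whoever can read the decrypted trailer. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_LEN 16    /* hypothetical session key length (constructed) */
#define MAX_PAD 255   /* ESP Pad Length is a one-byte field */

/* RFC 4303 2.4: padding bytes are 1, 2, 3, ... so the receiver can check them. */
void esp_pad_rfc4303(uint8_t *pad, size_t padlen)
{
    for (size_t i = 0; i < padlen; i++)
        pad[i] = (uint8_t)(i + 1);
}

/* Receiver-side check. Returns 1 if every pad byte matches the spec, else 0.
 * Accumulates over the whole pad instead of returning early, so timing does
 * not depend on where the first mismatch is. */
int esp_pad_check(const uint8_t *pad, size_t padlen)
{
    uint8_t bad = 0;
    for (size_t i = 0; i < padlen; i++)
        bad |= pad[i] ^ (uint8_t)(i + 1);
    return bad == 0;
}

/* Convenience for tests: generate RFC padding and validate it. */
int rfc_pad_ok(size_t padlen)
{
    uint8_t pad[MAX_PAD];
    if (padlen > MAX_PAD) return 0;
    esp_pad_rfc4303(pad, padlen);
    return esp_pad_check(pad, padlen);
}

/* Hypothetical covert filler (constructed). To a reviewer it reads as
 * "seed a cheap PRNG from per-SA state"; in fact each pad byte is one key
 * byte XORed with a mask derived only from the public sequence number. */
void pad_fill_prng(uint8_t *pad, size_t padlen,
                   const uint8_t *seed, uint32_t seq)
{
    uint8_t mask = (uint8_t)(seq * 0x9d);          /* public: seq is in the ESP header */
    for (size_t i = 0; i < padlen; i++)
        pad[i] = seed[(seq + i) % KEY_LEN] ^ mask;
}

/* What the channel's consumer does with a decrypted trailer: undo the mask
 * and drop each byte into its key slot, marking which slots are known. */
void pad_recover(const uint8_t *pad, size_t padlen, uint32_t seq,
                 uint8_t *key_out, uint8_t *known)
{
    uint8_t mask = (uint8_t)(seq * 0x9d);
    for (size_t i = 0; i < padlen; i++) {
        size_t slot = (seq + i) % KEY_LEN;
        key_out[slot] = pad[i] ^ mask;
        known[slot] = 1;
    }
}

/* Sixteen packets with four pad bytes each. Returns 1 when (a) RFC padding
 * always passes the check, (b) every leaky trailer is rejected by the same
 * check, and (c) the consumer has nonetheless rebuilt the full key. */
int demo(void)
{
    const uint8_t key[KEY_LEN] = {              /* constructed sample key */
        0x4f,0x70,0x65,0x6e,0x42,0x53,0x44,0x21,
        0x49,0x50,0x73,0x65,0x63,0x2d,0x31,0x30 };
    uint8_t pad[MAX_PAD], rec[KEY_LEN] = {0}, known[KEY_LEN] = {0};
    const size_t padlen = 4;
    int rfc_ok = 1, leaky_rejected = 1, all_known = 1;

    for (uint32_t seq = 1; seq <= 16; seq++) {
        esp_pad_rfc4303(pad, padlen);
        rfc_ok &= esp_pad_check(pad, padlen);

        pad_fill_prng(pad, padlen, key, seq);
        leaky_rejected &= !esp_pad_check(pad, padlen);
        pad_recover(pad, padlen, seq, rec, known);
    }
    for (size_t i = 0; i < KEY_LEN; i++)
        all_known &= known[i];
    return rfc_ok && leaky_rejected && all_known &&
           memcmp(rec, key, KEY_LEN) == 0;
}

int main(void)
{
    printf("spec'd padding closes the channel: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

The point of the two checks in `demo` is the one the comment makes: with random padding there is nothing for the receiver to compare against, so `pad_fill_prng` would sail through and the peer (or anyone else holding the session key) gets four key bytes per packet; with the spec'd scheme the same trailers fail `esp_pad_check` and are dropped. As the comment above also notes, the padding sits inside the encrypted payload, so this channel only reaches someone who can already decrypt; the explicit CBC IV in ESP is the cleartext field where a comparable leak would be visible on the wire.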
Re:Smells like FUD to me (Score:5, Insightful)
This means that a code audit would find this so-called back door, yes?
Nope. OpenBSD is audited, but the auditors are human (well, some aren't, but they can only spot categories of bug that are well documented). The code is not formally, mathematically verified (doing so for nontrivial C code is basically impossible), so there's always the possibility of a bug and, as the OpenBSD team says, the only difference between a bug and a vulnerability is the intelligence of the attacker.
Regular code audits increase the probability that a backdoor would be found, but they don't guarantee it. That's why this is such effective FUD: it's basically impossible to prove that it's not true.