BSD Coder Denies Adding FBI Backdoor

Posted by CmdrTaco
from the not-gonna-quote-the-doors dept.
jfruhlinger writes "Theo de Raadt has made the shocking claim that OpenBSD includes a backdoor that the FBI paid coders to build. Brian Proffitt has tracked down one of the programmers named as being on the FBI payroll (actually, he tracked down two programmers with the same name). Both deny working with the FBI."
This discussion has been archived. No new comments can be posted.

  • Please correct. (Score:5, Informative)

    by santax (1541065) on Wednesday December 15, 2010 @12:03PM (#34561528)
    It was not Theo that made that claim. It was Theo that released the email he got from the guy making that claim! Big big difference!
    • Re: (Score:3, Insightful)

      by skids (119237)

      I would go on a rant about how anyone who wants to post main stories should really be forced to attend at least a half-day seminar on basic journalistic essentials.

      But considering how an entire degree in journalism does not seem to have helped the professional media....

    • by delt0r (999393)
      So instead of Some guys found something, it's I know a guy who thinks he found something.... Yeah really credible.
      • by Lumpy (12016)

        It works for the MOB and gangs... want a rival killed? start rumors they are working for the cops, fbi, are dirty and skimming from the boss, etc.. Keep it up and word will spread and get back to his guys who end up "fixing the problem".

        Works in the non-crime world as well. Sysadmin acting like a BOFH? start planting small rumors he is stealing or hacking from work. Want to put questions in the minds of people who might switch from windows? put out there a "rumor" that it has Government backdoors in i

        • by 0123456 (636235)

          It works for the MOB and gangs... want a rival killed? start rumors they are working for the cops, fbi, are dirty and skimming from the boss, etc.. Keep it up and word will spread and get back to his guys who end up "fixing the problem".

          Interestingly, I was reading this morning about the FBI in the 70s spreading false claims that members of radical groups were actually FBI informants in the hope of disrupting said radical groups.

        • by Lennie (16154)

          'Want to put questions in the minds of people who might switch from windows? put out there a "rumor" that it has Government backdoors in it.'

          Actually, if it is in OpenBSD, then you can be damn sure it is in Windows too.

    • Re:Please correct. (Score:5, Informative)

      by jfruhlinger (470035) on Wednesday December 15, 2010 @12:24PM (#34561910) Homepage

      I'm the one who submitted it to Slashdot, and it's totally my fault, not a mistake in TFA. Apologies.

    • Re:Please correct. (Score:5, Insightful)

      by tenchikaibyaku (1847212) on Wednesday December 15, 2010 @12:35PM (#34562068)
      Even if there's no truth whatsoever behind the initial claim, I suspect we'll be seeing this pop up in various more and less accurate forms for several years to come.
    • Damn, what a misleading title. Thanks for the explanation.

  • by Fibe-Piper (1879824) on Wednesday December 15, 2010 @12:05PM (#34561570) Journal

    I mean the idea that this person would still be alive when "the NDA expired..." was odd.

    Why would the FBI make any NDA on something as shameful as this that would expire during one's lifetime?

    • Well it might (Score:5, Insightful)

      by Sycraft-fu (314770) on Wednesday December 15, 2010 @12:20PM (#34561848)

      The normal length for classified material is 50 years. That isn't to say it can't last longer or be declassified earlier, but 50 years is the normal NDA length. Why would this be any different? In particular there was the implication that they'd been heavily pushing it because of the backdoor. Ok but they had to know that the NDA was about to expire and thus the jig would be up and it would be, if anything, harmful.

      Makes no sense. I am not buying this in the slightest without some proof. Some guy claiming something in an e-mail isn't proof, that is Internet nuttery as normal.

      • The normal length for classified material is 50 years. That isn't to say it can't last longer or be declassified earlier, but 50 years is the normal NDA length. Why would this be any different?

        FTA -

        "...sent to him by Gregory Perry, who worked on the OpenBSD crypto framework a decade ago."

        I think that 50 years sounds normal for an agency whose job has become protecting secrets. A decade does not sound like something that would benefit them at all. That's what seemed strange to me about the original article.

      • by Locutus (9039)
        This reminds me of how the CEO of Green Hills was spreading FUD saying how insecure Linux was because anyone could embed backdoors in not only Linux but into gcc. He was trying to say how much better their software was because it was not open source. Some of this stuff just doesn't add up when you look at the bigger picture and what the motivation behind the info often tells the real story. For Green Hills, Linux is a threat to their business model so they wanted to spread FUD to limit its effects. I wonder w
  • Wrong summary (Score:3, Informative)

    by Anonymous Coward on Wednesday December 15, 2010 @12:08PM (#34561622)

    Oh please, de Raadt didn't claim shit. Here's the original mail [marc.info].

    Theo seems skeptical himself, he just didn't want to hold back a potential security issue.

  • Back before I used Linux (in college), I made a habit out of making all Linux users paranoid by saying if I were the CIA / FBI / NSA / other TLA, I would worm somebody in as a contributor and do my best to put hidden backdoors into all open source operating systems. I know if I were in any of said agencies and had no respect for privacy, I would.
    • by BESTouff (531293)
      Whereas you can be sure no one at Microsoft or Apple is coding backdoors for a TLA?
      • Actually I use the DOD back door in EFS all the time. I found it while tracing EFS in IDA Pro for an exercise.
        • by gknoy (899301)

          How do you know they're planted by the DOD, rather than simply programming mistakes that no one caught?

          • Hard-coded secondary keys are pretty big programming mistakes. Maybe for debugging, or an old recovery mechanism that was disabled?
      • by tlhIngan (30335)

        Whereas you can be sure no one at Microsoft or Apple is coding backdoors for a TLA?

        More like, you KNOW there are backdoors in Windows, Mac OS X, iOS, and all the other products they have. But don't switch to open-source purely because it's open-source and therefore, backdoors can't be hidden in the code. Even very careful audits can still miss cleverly hidden backdoors.

        The silly thing about this issue is that no one can confirm or deny it, short of a full on hard core code review. The people who did it cer

      • by Lumpy (12016)

        Of course not. Such a coder would be easily spotted because they know what they are doing and produce clean code that works... This will stand out BIG TIME at Microsoft.

      • by cobrausn (1915176)

        tlhIngan hit it on the head. I figured they were there for Microsoft and Apple. I just liked screwing with Linux guys who were insisting they were perfectly secure because they used an open source OS.

        As I said, I use Linux, so I don't have any axe to grind against open source. I'm just suspicious of pretty much everything.

  • Both deny being BSD coders too!

    • by Java Pimp (98454)

      Exactly. In the email sent to Theo, Scott Lowe isn't identified as one of the OpenBSD contributors accused of inserting the alleged backdoor.

      He is "accused" of advocating OpenBSD while being on the FBI payroll. Which shouldn't matter anyway since that alone does not confirm a backdoor was actually inserted.

  • by John Hasler (414242) on Wednesday December 15, 2010 @12:28PM (#34561970) Homepage

    Theo de Raadt has made the shocking claim that OpenBSD includes a backdoor that the FBI paid coders to build.

    Theo did no such thing. Perry did.

  • What the hell? (Score:5, Insightful)

    by mysidia (191772) on Wednesday December 15, 2010 @12:28PM (#34561978)

    There was never any OpenBSD contributor named Scott Lowe. Did anyone actually bother to read the source material or check facts, before claiming as such?

    The finger was being pointed at Scott Lowe FOR HIS Virtualization BLOG, which are merely articles that discuss the use of OpenBSD.

    The mailing list author was making a totally reckless claim, with no proof shown, that he was advocating OpenBSD for the benefit of the FBI, which is a downright ludicrous attention-whoring attempt on the part of someone reposting that claim without corroboration.

    A mailing list posting by one person is not a credible source to be taken at face value. Information needs to be corroborated. Posting some random person's vague accusations as front page news borders on gross negligence.

    • > There was never any OpenBSD contributor named Scott Lowe.

      I don't see where Perry claimed that there was.

      • by Java Pimp (98454)

        There was never any OpenBSD contributor named Scott Lowe.

        I don't see where Perry claimed that there was.

        He didn't. But TFA does...

        • by Java Pimp (98454)

          Actually, not even TFA does, only the Slashdot summary... which shouldn't surprise anyone...

    • by mzs (595629)

      Exactly, the article author should contact Jason Wright and his associates for comment.

  • by 7x7 (665946) on Wednesday December 15, 2010 @12:35PM (#34562078)
    Someone sent an email to Theo making the claim. Theo put it on the internet. Now it's true.
    • It looks to me like de Raadt received an email from this Perry saying that he had some kind of NDA with the FBI that was part of a project the FBI hired Perry to do to add a back door to the OBSD ipsec stack, and the tone *seems* to be "ha ha ha, I screwed you" a little bit, shown by his comment about OBSD's DARPA funding. de Raadt isn't confirming or denying, he's simply saying "Look, this asshole is making claims." Claims that should be easily refuted if the OBSD stack is as heavily audited as the group c
  • by BitHive (578094) on Wednesday December 15, 2010 @12:38PM (#34562122) Homepage

    Because it's too much trouble to quote or reproduce Theo's brief email and people wouldn't know what to make of it anyway.

  • Bump (Score:5, Interesting)

    by AdmV0rl0n (98366) on Wednesday December 15, 2010 @12:41PM (#34562174) Homepage Journal

    The raw and cold truth is that contributors to all the open OSs can't really be vetted. Not in a meaningful way. And the number of people who are deep low level 'hackers' capable of writing the code is relatively small. The numbers able to code audit to a level of examination are even fewer. So yes, the code is open, the code is visible, the code can and could be audited. But here is the thing, being auditable is not the same as being audited. And personally, I would not be shocked if a full audit was run if something might be found.

    That being said, this is one step better than closed source, where some of the above is not possible or viable, and in cases where money crosses palms, may in fact be unwanted.

    Further to this though, I personally don't expect government to simply roll over and die. I expect them to take steps to try and stay one step ahead of bad things, and the relaxing of technology limits has benefitted people across the world, even if I were to make a case that the cost is that at the point of a pyramid - the govs can hunt down the world culprits and suspects. In some cases - releasing the tech in fact has your enemy using that tech after some time and you get to tap into it.

    At least it's an interesting story :)

    • by Xemu (50595)

      The raw and cold truth is that contributors to all the open OSs can't really be vetted. Not in a meaningful way.

      Indeed. However, the raw truth is that open source contributions can be vetted in a meaningful way.

      Don't fool yourself into believing that there are no backdoors in closed-source software.

    • Re:Bump (Score:4, Interesting)

      by snowgirl (978879) on Wednesday December 15, 2010 @01:20PM (#34562760) Journal

      So yes, the code is open, the code is visible, the code can and could be audited. But here is the thing, being auditable is not the same as being audited.

      Except this is OpenBSD we're talking about, where code audits happen frequently and often.

      And personally, I would not be shocked if a full audit was run if something might be found.

      A full audit would be run repeatedly over the course of this coming year even if this accusation had not come out. After all, we are talking about OpenBSD.

  • by TheNinjaroach (878876) on Wednesday December 15, 2010 @12:46PM (#34562256)
    He simply released the email that was sent to him.
  • It seems unlikely that someone could hide one or more backdoors in such a ubiquitous piece of code without _anyone_ else ever spotting it.

    It also seems unlikely because Perry didn't share actual technical details of the backdoor(s) so their existence can be proven. Surely when making such a radical claim it's just human nature to also justify it with all the evidence you have.

    • by GooberToo (74388)

      Case in point, I literally just spotted a bug in python's socket recv call (as of yet unreported) which leaks memory given the right error conditions. The code hasn't been modified for seven months and the file has existed for many, many years. The only reason I spotted it is because I was looking for very specific but unrelated behavior. Regardless, subtle errors and by association, malicious code, can easily exist for very long times, even surviving multiple code reviews.

      The most important thing to rememb

  • If so, where’s this NDA that Theo claims just expired? Surely he didn’t run it through the shredder already.

    • Correction, Gregory Perry claimed to have an NDA with the FBI. Theo was just the messenger. Damn, this is confusing...

  • by Anonymous Coward

    I only use OSes I can trust!

    • by HiThere (15173)

      Sorry, but I can't figure out whether that's a joke, you're a troll, or you're really that stupid. (I figure that if you're on /., you can't really be too ignorant to just be uninformed.)

      My bet is that it's a joke, but I sure wish the odds were better.

  • Like they'd come out and admit it if it IS true.

  • and tan his hide!
  • Can Theo de Raadt prove the email he received is from Gregory Perry? And then can Gregory Perry prove his claims about Scott Lowe?

    I think Theo is pulling the trigger too soon or drumming up exposure. Because this reads like a school yard rumor mill.
  • Both denied working with the FBI.
    But did they deny working for the FBI, directly or indirectly?
