According to this article:
The FBI Paid OpenBSD Developers For Backdoors
The FBI has had backdoors into FreeBSD servers for at least 10 years. This confirms one of my central distrusts of OSS -- anyone can put anything into the code so long as it technically works. There is all this talk about how OSS gets reviewed and is more secure than proprietary code because of its transparency. While that may be philosophically true, the reality is that there is little chance of anyone paying particular attention to any area of code that seems to function as it should.
Of course... the question is: If government agencies can influence open source projects -- what is going on behind proprietary walls? Have they also purchased a backdoor to Windows? (well that is ridiculous, why pay for something you get for free right?).
I personally find this to be... while not particularly surprising, to be particularly scary.
THEN AGAIN
It may all be a Hoax -- I suppose the only way we will know is to review the code in the IPSEC.
It can be hard to tell if you are falling for internet BS.
The FBI Paid For Backdoor in OpenBSD
Page 1 of 1 | 12 Replies - 6097 Views - Last Post: 28 December 2010 - 10:51 PM
Replies To: The FBI Paid For Backdoor in OpenBSD
#2
Re: The FBI Paid For Backdoor in OpenBSD
Posted 17 December 2010 - 08:04 AM
I would have an incredibly difficult time believing such a story. People use the BSD Operating Systems based on security alone. Someone would have seen it, & someone would have fixed it, & someone would have reported it. If this story were on Ubuntu, then I would be convinced, that isn't a stretch.
Not to mention, if you think about the strides that any Operating System has made in 10 years.... that's quite a hidden back door to still be around
#3
Re: The FBI Paid For Backdoor in OpenBSD
Posted 17 December 2010 - 08:21 AM
Yes I went though several stages similar to the "stages of grief"
At first I was shocked, then I was mad, then I was confused, then I was pretty sure this was BS, then I googled for more information.
I too had a very hard time believing that a "VPN backdoor" could exist in code for 10 years when the technologies have changed so much in the last 10 years. But not knowing much about Linux or networking I didn't have enough information to throw the BS-flag.
But I think it does open a discussion on how secure is OSS -- could something like this be possible. I mean there is transparency, but is anyone really using it. Are people making the assumption that certain areas of code are good simply because they were submitted by a trusted committer? Who really has the time to do a code review on this stuff, and who really has the expertise. Could you pay 3-4 people off because those are the only 3-4 people who will ever really understand that bit of code?
#4
Re: The FBI Paid For Backdoor in OpenBSD
Posted 17 December 2010 - 08:28 AM
The CNET article does point out that the government does have a long history of such practices.
#5
Re: The FBI Paid For Backdoor in OpenBSD
Posted 17 December 2010 - 08:29 AM
NickDMax, on 17 December 2010 - 09:21 AM, said:
But not knowing much about Linux or networking I didn't have enough information to throw the BS-flag.
For one, OpenBSD is Unix, & not Linux. For two, VPN code would be an add-on software, & not part of the Operating System.
I can only say this for certain, pertaining to FreeBSD, but I know there are a few other BSD users that actively post here & maybe they will agree. With FreeBSD, there is a team of hundreds, if not thousands that make the decision to add code to the core of the Operating System. This could be from an individual that fixes a bug, or a company or group that releases a piece of software that gets put into the ports repository.
The BSD Operating Systems all pride themselves on security. I would have a very, very hard time believing that anyone on their code acceptance teams would be bought off. Even if they were, organizations that use their Operating System for security reasons would certainly find it. That's quite different than the scenario of a home Linux enthusiast finding a back door that was secretly added.
Anything is possible, sure. But based on the history of the Operating System, I doubt it would happen to a BSD, from the FBI.
#6
Re: The FBI Paid For Backdoor in OpenBSD
Posted 17 December 2010 - 08:36 AM
#7
Re: The FBI Paid For Backdoor in OpenBSD
Posted 17 December 2010 - 08:40 AM
Thanks for sharing Nick. Good topic... up voted
#8
Re: The FBI Paid For Backdoor in OpenBSD
Posted 17 December 2010 - 08:59 AM
Here is a question though: If the accusations are so totally ridiculous, why did Theo de Raadt post in public without comment on the ridiculousness of the accusations?
I guess he answers that himself:
Quote
Therefore I am making it public so that
- those who use the code can audit it for these problems,
- those that are angry at the story can take other actions,
- if it is not true, those who are being accused can defend themselves.
But he does not offer any comment one way or the other.
(part of the reason of this post was to put a link to the original source)
#9 Guest_Michael Jessop*
Re: The FBI Paid For Backdoor in OpenBSD
Posted 17 December 2010 - 09:29 AM
I think the consensus has become that it is a hoax. It has been denied outright by developers from the old team and the wording of the claim has been called into question. There would not be an NDA, it has a different name, and it would have been clear that the person could NEVER talk about it if it were true. At this point in time said person should be watching for G-Men out his front window.
NickDMax, on 17 December 2010 - 06:54 AM, said:
According to this article:
The FBI Paid OpenBSD Developers For Backdoors
The FBI has had backdoors into FreeBSD servers for at least 10 years. This confirms one of my central distrusts of OSS -- anyone can put anything into the code so long as it technically works. There is all this talk about how OSS gets reviewed and is more secure than proprietary code because of its transparency. While that may be philosophically true, the reality is that there is little chance of anyone paying particular attention to any area of code that seems to function as it should.
Of course... the question is: If government agencies can influence open source projects -- what is going on behind proprietary walls? Have they also purchased a backdoor to Windows? (well that is ridiculous, why pay for something you get for free right?).
I personally find this to be... while not particularly surprising, to be particularly scary.
THEN AGAIN
It may all be a Hoax -- I suppose the only way we will know is to review the code in the IPSEC.
It can be hard to tell if you are falling for internet BS.
#10
Re: The FBI Paid For Backdoor in OpenBSD
Posted 17 December 2010 - 09:54 AM
Well OF COURSE the developers would deny it. They would probably feel obligated to. Rule #1 of being naughty: deny deny deny!
I found it suspicious that many of the denials took on the same basic phrasing. As if they had all been told how to answer the question.
I didn't get the same read from the sources I have found so far. To me it looked like there was enough speculation to warrant actually looking into this further.
#11
Re: The FBI Paid For Backdoor in OpenBSD
Posted 18 December 2010 - 07:40 AM
NickDMax, on 17 December 2010 - 09:54 AM, said:
Well OF COURSE the developers would deny it. They would probably feel obligated to. Rule #1 of being naughty:
#12
Re: The FBI Paid For Backdoor in OpenBSD
Posted 19 December 2010 - 10:40 PM
It doesn't matter if there is only one individual writing, releasing, or even single-handedly doing both, of the source code for OpenBSD.
The difference between the BSDs & Linux is the kernels. Everything else is open source GNU software. With this in mind, any back door is going to be in a network module. Though modules can be compiled into the kernel, they still are not part of it. This makes the story complete bunk to me.
Even though one can argue that most individuals won't eye-comb the source code, organisations & governments that use OpenBSD (or any OS) specifically for the security that it offers will spend the time to go over the source code. If such a back door did exist, how would anyone know it was put in place by the FBI? It would have been outed, the developers & maintainers of the Operating System shamed, & every user of the Operating System would lose faith, the Operating System would lose backing, & that's how we'd hear about it. Not by naming the source of the back door 1st.
Granted I've done zero research into this story myself, but it just speaks volumes of Hollywood bunk to me. Just thinking about it on a technical level, I don't buy it. There are too many specifics that share common ground with other Operating Systems that would easily out the back door through standard checks such as MD5 checksums on the source code &/or Operating System ISOs.
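The reply above leans on "standard checks such as MD5 check sums on the source code &/or Operating System iso's" to argue that a back door would be caught. Below is an added example, not code from the thread or from any BSD project, of what such a check actually does: it verifies a set of downloaded release files against a published checksum manifest and reports each file as ok, modified, missing, or not listed. The manifest layout (`<hexdigest>  <filename>`, as sha256sum prints it), the file names and their contents are all constructed here so the script runs offline. SHA-256 is used instead of MD5 because MD5 collisions are practical. The caveat a practitioner wants: a manifest published by the same project only proves that the copy you have matches what the project released, so it catches a tampered mirror or download, not a change the maintainers themselves committed. Detecting that means reviewing the repository history, which is what the last reply in the thread points to.

```python
"""Verify downloaded release files against a published checksum manifest.

Added example (not from the thread or any project): the manifest text and
the files it covers are constructed here so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed sample release: file names and contents are made up.
SAMPLE_FILES = {
    "src.tar.gz": b"pretend tarball contents\n",
    "install.iso": b"pretend iso contents\n",
    "README": b"release notes\n",
}


def digest_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of in-memory data using the named hashlib algorithm."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def digest_file(path: Path, algo: str = "sha256", chunk: int = 1 << 16) -> str:
    """Hex digest of a file, read in chunks so a large ISO never sits in RAM."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse '<hexdigest>  <filename>' lines; blank and '#' lines are skipped."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest> <file>'")
        digest, name = parts
        # sha256sum marks binary mode with a leading '*' on the name; drop it.
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_tree(manifest: dict, root: Path, algo: str = "sha256") -> dict:
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'}.

    Files present under root but absent from the manifest are reported as
    'unlisted' so an unexpected extra artifact does not pass silently.
    """
    report = {}
    for name, expected in manifest.items():
        path = root / name
        if not path.is_file():
            report[name] = "missing"
        else:
            report[name] = "ok" if digest_file(path, algo) == expected else "mismatch"
    for path in root.iterdir():
        if path.is_file() and path.name not in manifest:
            report[path.name] = "unlisted"
    return report


def build_sample_tree(root: Path, tamper: str = "") -> str:
    """Write SAMPLE_FILES under root, optionally tamper one, return manifest text.

    The manifest is computed from the untampered contents, so a tampered file
    shows up as 'mismatch' exactly as a modified mirror download would.
    """
    lines = ["# constructed SHA256 manifest"]
    for name, data in SAMPLE_FILES.items():
        lines.append(f"{digest_bytes(data)}  {name}")
        (root / name).write_bytes(data + b"x" if name == tamper else data)
    return "\n".join(lines) + "\n"


def demo(tamper: str = "install.iso") -> dict:
    """Run the whole check on a temporary tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = parse_manifest(build_sample_tree(root, tamper))
        # An extra file nobody published: should be flagged, not ignored.
        (root / "extra.bin").write_bytes(b"not in manifest\n")
        return verify_tree(manifest, root)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9s} {name}")
```

Against a real release you would feed `parse_manifest` the project's published SHA256 file and point `verify_tree` at the download directory; any `mismatch` or `unlisted` result is a reason to stop and re-fetch from a trusted source before installing.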
#13
Re: The FBI Paid For Backdoor in OpenBSD
Posted 28 December 2010 - 10:51 PM
Whatever code there was had already been checked and corrected years ago.
Update your news sources and look at the repositories/CVS for changes.
The only real crime here is one of non-disclosure.