12 Replies - 7154 Views - Last Post: 28 December 2010 - 10:51 PM

#1 NickDMax
  • Can grep dead trees!

Reputation: 2250
  • Posts: 9,245
  • Joined: 18-February 07

The FBI Paid For Backdoor in OpenBSD

Posted 17 December 2010 - 07:54 AM

According to this article:

The FBI Paid OpenBSD Developers For Backdoors

The FBI has had backdoors into FreeBSD servers for at least 10 years. This confirms one of my central distrusts of OSS -- anyone can put anything into the code so long as it technically works. There is all this talk about how OSS gets reviewed and is more secure than proprietary code because of its transparency. While that may be philosophically true, the reality is that there is little chance of anyone paying particular attention to any area of code that seems to function as it should.

Of course... the question is: If government agencies can influence open source projects -- what is going on behind proprietary walls? Have they also purchased a backdoor to Windows? (well that is ridiculous, why pay for something you get for free right?).

I personally find this to be... while not particularly surprising, to be particularly scary.

THEN AGAIN

It may all be a Hoax
-- I suppose the only way we will know is to review the code in the IPSEC.


It can be hard to tell if you are falling for internet BS.


Replies To: The FBI Paid For Backdoor in OpenBSD

#2 no2pencil
  • Admiral Fancy Pants

Reputation: 5388
  • Posts: 27,384
  • Joined: 10-May 07

Re: The FBI Paid For Backdoor in OpenBSD

Posted 17 December 2010 - 08:04 AM

I would have an incredibly difficult time believing such a story. People use the BSD Operating Systems based on security alone. Someone would have seen it, & someone would have fixed it, & someone would have reported it. If this story were on Ubuntu, then I would be convinced, that isn't a stretch.

Not to mention, if you think about the strides that any Operating System has made in 10 years.... that's quite a hidden back door to still be around ;)

#3 NickDMax
  • Can grep dead trees!

Reputation: 2250
  • Posts: 9,245
  • Joined: 18-February 07

Re: The FBI Paid For Backdoor in OpenBSD

Posted 17 December 2010 - 08:21 AM

Yes, I went through several stages similar to the "stages of grief".

At first I was shocked, then I was mad, then I was confused, then I was pretty sure this was BS, then I googled for more information.

I too had a very hard time believing that a "VPN backdoor" could exist in code for 10 years when the technologies have changed so much in the last 10 years. But not knowing much about Linux or networking I didn't have enough information to throw the BS-flag.


But I think it does open a discussion on how secure OSS is -- could something like this be possible? I mean, there is transparency, but is anyone really using it? Are people making the assumption that certain areas of code are good simply because they were submitted by a trusted committer? Who really has the time to do a code review on this stuff, and who really has the expertise? Could you pay 3-4 people off because those are the only 3-4 people who will ever really understand that bit of code?

#4 NickDMax
  • Can grep dead trees!

Reputation: 2250
  • Posts: 9,245
  • Joined: 18-February 07

Re: The FBI Paid For Backdoor in OpenBSD

Posted 17 December 2010 - 08:28 AM

The CNET article does point out that the government does have a long history of such practices.

#5 no2pencil
  • Admiral Fancy Pants

Reputation: 5388
  • Posts: 27,384
  • Joined: 10-May 07

Re: The FBI Paid For Backdoor in OpenBSD

Posted 17 December 2010 - 08:29 AM

NickDMax, on 17 December 2010 - 09:21 AM, said:

But not knowing much about Linux or networking I didn't have enough information to throw the BS-flag.


For one, OpenBSD is Unix, & not Linux. For two, VPN code would be add-on software, & not part of the Operating System.

I can only say this for certain, pertaining to FreeBSD, but I know there are a few other BSD users that actively post here & maybe they will agree. With FreeBSD, there is a team of hundreds, if not thousands that make the decision to add code to the core of the Operating System. This could be from an individual that fixes a bug, or a company or group that releases a piece of software that gets put into the ports repository.

The BSD Operating Systems all pride themselves on security. I would have a very, very hard time believing that anyone on their code acceptance teams would be bought off. Even if they were, organizations that use their Operating System for security reasons would certainly find it. That's quite different from the scenario of a home Linux enthusiast finding a back door that was secretly added.

Anything is possible, sure. But based on the history of the Operating System, I doubt it would happen to a BSD, from the FBI.

#6 NickDMax
  • Can grep dead trees!

Reputation: 2250
  • Posts: 9,245
  • Joined: 18-February 07

Re: The FBI Paid For Backdoor in OpenBSD

Posted 17 December 2010 - 08:36 AM

:D sorry for the Linux/Unix confusion. I will be sure to expect your slap across the face in the mail any day now. The comment just lends credence to the notion that I don't know enough to really comment on the possible authenticity of the claims.

#7 skyhawk133
  • Head DIC Head

Reputation: 1877
  • Posts: 20,284
  • Joined: 17-March 01

Re: The FBI Paid For Backdoor in OpenBSD

Posted 17 December 2010 - 08:40 AM

Thanks for sharing Nick. Good topic... up voted :)

#8 NickDMax
  • Can grep dead trees!

Reputation: 2250
  • Posts: 9,245
  • Joined: 18-February 07

Re: The FBI Paid For Backdoor in OpenBSD

Posted 17 December 2010 - 08:59 AM

Here is a question though: if the accusations are so totally ridiculous, why did Theo de Raadt post in public without comment on the ridiculousness of the accusations?

I guess he answers that himself:

Quote

Therefore I am making it public so that
  • those who use the code can audit it for these problems,
  • those that are angry at the story can take other actions,
  • if it is not true, those who are being accused can defend themselves.


But he does not offer any comment one way or the other.

(part of the reason of this post was to put a link to the original source)

#9 Guest_Michael Jessop

Re: The FBI Paid For Backdoor in OpenBSD

Posted 17 December 2010 - 09:29 AM

I think the consensus has become that it is a hoax. It has been denied outright by developers from the old team and the wording of the claim has been called into question. There would not be an NDA, it has a different name, and it would have been clear that the person could NEVER talk about it if it were true. At this point in time said person should be watching for G-Men out his front window.

NickDMax, on 17 December 2010 - 06:54 AM, said:

According to this article:

The FBI Paid OpenBSD Developers For Backdoors

The FBI has had backdoors into FreeBSD servers for at least 10 years. This confirms one of my central distrusts of OSS -- anyone can put anything into the code so long as it technically works. There is all this talk about how OSS gets reviewed and is more secure than proprietary code because of its transparency. While that may be philosophically true, the reality is that there is little chance of anyone paying particular attention to any area of code that seems to function as it should.

Of course... the question is: If government agencies can influence open source projects -- what is going on behind proprietary walls? Have they also purchased a backdoor to Windows? (well that is ridiculous, why pay for something you get for free right?).

I personally find this to be... while not particularly surprising, to be particularly scary.

THEN AGAIN

It may all be a Hoax
-- I suppose the only way we will know is to review the code in the IPSEC.


It can be hard to tell if you are falling for internet BS.


#10 NickDMax
  • Can grep dead trees!

Reputation: 2250
  • Posts: 9,245
  • Joined: 18-February 07

Re: The FBI Paid For Backdoor in OpenBSD

Posted 17 December 2010 - 09:54 AM

Well OF COURSE the developers would deny it. They would probably feel obligated to. Rule #1 of being naughty: deny deny deny!

I found it suspicious that many of the denials took on the same basic phrasing. As if they had all been told how to answer the question.

I didn't get the same read from the sources I have found so far. To me it looked like there was enough speculation to warrant actually looking into this further.

#11 drhowarddrfine
  • D.I.C Regular

Reputation: 39
  • Posts: 275
  • Joined: 28-July 10

Re: The FBI Paid For Backdoor in OpenBSD

Posted 18 December 2010 - 07:40 AM

NickDMax, on 17 December 2010 - 09:54 AM, said:

Well OF COURSE the developers would deny it. They would probably feel obligated to. Rule #1 of being naughty:

There are two problems with that thought: 1) this is a small enough group of developers that can keep such a secret and that the same group is together after all these years. Both are not true. And, 2) OpenBSD is a group of contributors and that the organization gains by being on the take but the truth is this group of individuals would all mostly have to be on the take. Not likely at all without someone finding out rather quickly.

#12 no2pencil
  • Admiral Fancy Pants

Reputation: 5388
  • Posts: 27,384
  • Joined: 10-May 07

Re: The FBI Paid For Backdoor in OpenBSD

Posted 19 December 2010 - 10:40 PM

It doesn't matter if there is only one individual writing, releasing, or even single-handedly doing both, of the source code for OpenBSD.

The difference between the BSDs & Linux is the kernels. Everything else is open source GNU software. With this in mind, any back door is going to be in a network module. Though modules can be compiled into the kernel, they still are not part of it. This makes the story complete bunk to me.

Even though one can argue that most individuals won't eye-comb the source code, organisations & governments that use OpenBSD (or any OS) specifically for the security that it offers will spend the time to go over the source code. If such a back door did exist, how would anyone know it was put in place by the FBI? It would have been outed, the developers & maintainers of the Operating System shamed, & every user of the Operating System would lose faith, the Operating System would lose backing, & that's how we'd hear about it. Not by naming the source of the back door 1st.

Granted I've done zero research into this story myself, but it just speaks volumes of Hollywood bunk to me. Just thinking about it on a technical level, I don't buy it. There are too many specifics that share common ground with other Operating Systems that would easily out the back door through standard checks such as MD5 checksums on the source code &/or Operating System ISOs.

#13 g-weebens
  • New D.I.C Head

Reputation: 2
  • Posts: 39
  • Joined: 28-December 10

Re: The FBI Paid For Backdoor in OpenBSD

Posted 28 December 2010 - 10:51 PM

Whatever code that there was had already been checked and corrected years ago.
Update your news sources and look at the repositories/CVS for changes.
The only real crime here is one of non-disclosure.