Report of an NSA Employee about a Backdoor in the OpenSSH Daemon (2012) [pdf] - Audiophilip
http://www.spiegel.de/media/media-35663.pdf

======
toyg
This is more of a rootkit than a backdoor, since you have to replace the
OpenSSH binary with a trojaned version. A backdoor usually implies that it was
there from the start, which is exactly the opposite of what the guy says (he
reports having to fight OpenSSH hard to let him have the backdoor).

Title should be "NSA Employee Reports Developing OpenSSH Rootkit".

~~~
huhtenberg
No, it's not a rootkit. A rootkit is not something that grants root access, it's
something that runs with root privileges and uses them to conceal its own
existence.

This one is just a custom OpenSSH version with a backdoor.

~~~
smtddr
[http://en.wikipedia.org/wiki/Rootkit](http://en.wikipedia.org/wiki/Rootkit)

_"A rootkit is a stealthy type of software, typically malicious, designed to
hide the existence of certain processes or programs from normal methods of
detection and enable continued privileged access to a computer"_

...continued privileged access. In the *nix world, this is understood to mean
root.

~~~
AnIrishDuck
> A rootkit is a stealthy type of software, typically malicious, designed to
> hide the existence of certain processes or programs from normal methods of
> detection

These are the primary characteristics of a rootkit. To wit, from that same
article:

> Rootkit detection is difficult because a rootkit may be able to subvert the
> software that is intended to find it. Detection methods include using an
> alternative and trusted operating system, behavioral-based methods,
> signature scanning, difference scanning, and memory dump analysis. Removal
> can be complicated or practically impossible, especially in cases where the
> rootkit resides in the kernel; reinstallation of the operating system may be
> the only available solution to the problem.[2] When dealing with firmware
> rootkits, removal may require hardware replacement, or specialized
> equipment.

These problems are what rootkits are associated with. The backdoored SSH
described in the paper does not qualify. Detecting it is fairly
straightforward, and on its own it makes no attempt to hide any programs that
it spawns. EDIT: further, as described it makes no efforts to avoid removal.

> enable continued privileged access to a computer

If you strip away the rest of the definition and only look at this part, then
by your definition the vanilla SSH server is a rootkit.

------
clamprecht
The thing that strikes me from this report is that he or she (and most of
these programmer types working for NSA groups) are just like many of the
HN/tech crowd, except they're working for "the other side". Heck, many of them
probably read HN every day.

> New Zealand was incredible! I wish I’d had more time there, but I did pretty
> well. I saw a handful of LOTR sights, Mount Cook, a number of gorgeous
> lakes, snow-capped mountains everywhere ... I absolutely loved my time in
> Australia, both in terms of work and travel, but I’m also looking forward to
> returning to the land of Chick-fil-A, college athletics, BBQ pork, and real
> bacon. Oh, and good beer.

It's great that they love their work, but it's too bad so many smart people
are going to work on projects that violate so many people's rights.

~~~
CHY872
But how is this particular guy in the wrong?

This exploit is something that needs to be specifically installed by someone -
it's not something you'd use to exploit the masses, it's something you'd use
to monitor a target further once you already had (perhaps temporary) root
access.

In that sense, it's basically just bread-and-butter spy work. It's hard to
accept that the government has any reason to monitor the population to the
extent that the NSA does - but it would be conversely completely foolish to
say that they have no business developing attacks for computers - it would be
like saying they have no business developing lock pick tools or electronic
bugs.

History has shown that a strong nation has at least some need for intelligence
and counter-intelligence, and the US has historically had incredibly poor
capabilities for both, which has led to the deaths of thousands (thinking
about Vietnam intelligence specifically).

It thus seems at least foolish to criticise what's clearly an impressive
targeted exploit - which to some extent demonstrates the US' dominance in the
field.

This isn't something that the public has any business knowing - this is just
plain espionage.

~~~
clamprecht
You're right, I shouldn't single this one person out. I'm thinking of the many
who knowingly work on technologies or exploits that are being used to spy on
their own citizens.

------
tedunangst
> SSH has a _lot_ of checks to make sure you can't switch usernames in the
> middle of a login (go figure) so this was a bit tricky to bypass.

Go figure.

------
mappu
On debian/ubuntu you can detect modified packages with `debsums` - but the
signatures seem to be MD5, for which it's possible to generate collisions with
e.g. something like [http://www.bishopfox.com/resources/tools/other-free-tools/md...](http://www.bishopfox.com/resources/tools/other-free-tools/md4md5-collision-code/) .

~~~
tedunangst
With an unmodified `debsums`, of course.
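
An added example, not code from the thread or from Debian's debsums, for the check mappu describes and the caveat tedunangst adds: a small verifier that reads dpkg's per-package md5sums manifest format and checks each file against both the listed MD5 and a SHA-256 baseline recorded separately (kept off-host, together with the checker itself, so neither depends on the possibly modified machine), so a replacement that preserves the MD5 but not the content is still flagged. The package tree, file contents and the tampered sshd in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text: str) -> dict:
    # dpkg's <pkg>.md5sums format: "<32 hex md5>  <path relative to />" per line.
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path] = digest.lower()
    return entries

def file_digest(path: str, algo: str) -> str:
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(root: str, md5sums: dict, sha256_baseline: dict) -> list:
    # Returns (path, verdict). "md5-ok-sha256-mismatch" is the case an MD5-only check
    # such as debsums cannot see: the manifest MD5 still matches, the content does not.
    findings = []
    for rel, md5 in md5sums.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings.append((rel, "missing"))
            continue
        md5_ok = file_digest(full, "md5") == md5
        sha_ok = file_digest(full, "sha256") == sha256_baseline.get(rel)
        if not (md5_ok and sha_ok):
            findings.append((rel, "md5-ok-sha256-mismatch" if md5_ok else "modified"))
    return findings

def demo() -> list:
    # Constructed package tree: record both baselines from pristine files, then tamper with one.
    root = tempfile.mkdtemp()
    files = {"usr/sbin/sshd": b"pristine sshd binary (constructed)\n",
             "etc/ssh/sshd_config": b"PermitRootLogin no\n"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    md5sums = parse_md5sums("".join(f"{hashlib.md5(d).hexdigest()}  {p}\n" for p, d in files.items()))
    baseline = {p: hashlib.sha256(d).hexdigest() for p, d in files.items()}  # keep this off-host
    with open(os.path.join(root, "usr/sbin/sshd"), "wb") as f:
        f.write(b"trojaned sshd (constructed)\n")
    return verify(root, md5sums, baseline)
```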

------
click170
> Currently DSD uses authorized_keys as a quick-and-easy method for
> persistence against certain *nix targets.

Good to know. Time for a security audit of every authorized_keys file I
maintain.
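
One way to do that audit, as an added example that is not part of the thread: a parser for the authorized_keys line format, including the options prefix that may precede the key type, which fingerprints every key the way OpenSSH does (SHA256 over the decoded key blob) and reports any entry whose fingerprint is not on a known-good allowlist, or that does not parse at all. The keys, comments and file contents are constructed; backslash escapes inside quoted options are not handled.

```python
import base64
import hashlib
import struct
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ssh-dss")

def parse_line(line: str):
    # Returns (options, keytype, SHA256 fingerprint, comment); None for blank/comment lines.
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        # Options precede the key type; command="..." may contain spaces, so stop at the first unquoted one.
        i, quoted = 0, False
        while i < len(line) and (quoted or line[i] != " "):
            quoted ^= line[i] == '"'
            i += 1
        options, line = line[:i], line[i:].lstrip()
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("unrecognised key type")
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != parts[0].encode():
        raise ValueError("key blob does not match the declared type")  # mangled or bogus entry
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return options, parts[0], fp, (parts[2] if len(parts) > 2 else "")

def audit(text: str, allowed: set) -> list:
    # (line number, finding) for every entry whose fingerprint is not on the allowlist.
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(raw)
        except ValueError as e:
            findings.append((n, f"unparseable entry: {e}"))
            continue
        if entry and entry[2] not in allowed:
            findings.append((n, f"unknown key {entry[2]} comment={entry[3]!r} options={entry[0]!r}"))
    return findings

def _blob(keytype: str, raw_key: bytes) -> str:  # constructed key blob for the sample, not a real key
    raw = b"".join(struct.pack(">I", len(p)) + p for p in (keytype.encode(), raw_key))
    return base64.b64encode(raw).decode()

OPS_KEY, ROGUE_KEY = _blob("ssh-ed25519", bytes(range(32))), _blob("ssh-ed25519", bytes(32))
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample file
ssh-ed25519 {OPS_KEY} ops@bastion
command="/usr/bin/rsync --server --sender",from="10.0.0.5" ssh-ed25519 {ROGUE_KEY}
"""
ALLOWED = {parse_line("ssh-ed25519 " + OPS_KEY)[2]}
```

Running `audit(SAMPLE_AUTHORIZED_KEYS, ALLOWED)` reports only the third line, the restricted-command key that is not on the allowlist.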

------
dorafmon
If they developed an alternative version of OpenSSH with backdoor how can they
distribute it so that people will actually use it?

~~~
manicdee
Crowbar attack versus the distribution maintainer.

Physical access to the target's system.

Control the network upstream of the target so that the modified checksum and
package can be delivered during package upgrades.

Compromise the mirror used by the target to provide the modified checksum and
package.

Hide the code changes in a series of semi-related ostensibly legitimate pull
requests. Legitimise your pull requests by developing corner cases which
expose "bugs" in the software you wish to attack.

Crowbar attack against the upstream maintainer.

"USB key in the carpark" attack.

Those are some ideas. I don't claim to be an expert in the area.

------
thrill
It's good to see a man who enjoys his work.

~~~
mappu
They're not necessarily male. </flamebait>

