

Developer responds to allegations of FBI backdoor in OpenBSD IPSec - there
http://marc.info/?l=openbsd-tech&m=129244045916861&w=2

======
3dFlatLander
The accusation came at a really strange time. I'm inclined to think more
people jumped on the government conspiracy bandwagon because of the recent
release of the diplomatic cables via wikileaks.

Incidentally, I thought I had seen Mr. Perry someplace on TV, and then I
remembered he was on an episode of Penn and Tellers "Bullsh*t" a while back.
Link for the interested: <http://www.youtube.com/watch?v=DT2YET6sg5I>

~~~
mikedouglas
Many of the commenters in the last thread admitted to this, which made it all
the more irrational. There was even a debate about whether, in general,
'conspiracy theories' were more or less common than the public perception. As
if that had any bearing on these specific allegations.

With the strange claims made in the email (outsourcing, expired NDAs, DARPA
knew), I wish Theo would've thought twice before publicizing this guy's name.
At least the extra eyes on IPSEC might catch something else.

~~~
tedunangst
Not publishing the email opens the door to "6 months ago, I emailed Theo about
a backdoor, but he's trying to cover it up."

~~~
tbrownaw
Isn't there a third possibility, "I received an email claiming that there's a
backdoor" without publicizing all the additional details?

~~~
tedunangst
First question: "Who says?" Answer: "I can't say."

Second question: "Is it credible?" Option 1: "Yes" => panic ensues. Option 2:
"No" => "Liar!" Option 3: There is no option 3, you must pick 1 or 2.

~~~
colanderman
Why is there no option 3?

"I am looking into the matter; more details will be forthcoming."

~~~
tedunangst
Third question: "Did you find anything?" Option 1: "Yes" => panic. Option 2:
"No" => "Liar!".

You have to release all the details sometime, but the longer you wait, the
more people suspect they aren't getting all the details (even if they are) and
the larger the drama whirlpool becomes. Did "Kaminsky found a DNS bug, details
will be forthcoming" accomplish anything? No, it was a giant clusterfuck.

As a side note, I think it's weird that in a "post-wikileaks" era people are
arguing that an _open_ source project named _open_ bsd be less transparent.

------
dwc
Jason L. Wright is known by many as "Wookiee" for reasons that may be obvious
to many of you. Now I realize that it's been done before, but would it be too
much to ask that we consider the term Wookieeleaks when referring to this
matter? ;-)

~~~
sitmack
Chewie was a female and being pregnant most of the time from her incessant
whoring resulting in the hairy toe head always putting pressure on her bladder
... did cause a leak or two.

------
kenjackson
If Jason didn't put in the backdoors, then who did? :-)

~~~
Zak
As far as I am aware, no actual backdoors have been discovered. This has a
high probability of being a hoax.

~~~
mwg66
It just seems odd to me that a seemingly well respected engineer would
fabricate allegations using his corporate e-mail (VMWare). We should remember
it was not he who posted them publicly.

I'm not saying it's true but only that I don't see any more evidence that it
isn't true than that it is - yet.

~~~
bmastenbrook
Perry doesn't work for VMware. He has his own business that offers training on
VMware products.

~~~
mwg66
Right, sorry, I missed that. It still seems odd.

------
drawkbox
Not sure what to believe here but we do know that the NSA and authorities do
need to have access to data for security. If there are systems that aren't apt
to putting in backdoors or trapdoors then they treat you like Phil Zimmerman
in the 90's by dropping the DOJ on you:
<http://www.philzimmermann.com/EN/faq/index.html> \+
<http://en.wikipedia.org/wiki/Phil_Zimmermann> or at least that was the MO at
that time.

But the DOJ and US Customs dropped the case against Zimmerman in '96.
Obviously they would need to go with a new plan of attack after that method
failed for intercepting messages in algorithms and software that is closed or
running new algorithms like PGP. Backdoors and trapdoors in software that
wraps crypto algorithms is one prong in that attack. The NSA neither confirms
nor denies trapdoors, backdoors, etc but DOES employ some of the top
cryptographers in the world.

In 2000, the U.S. government lifted the export controls on strong crypto, so
(pure speculation) other methods to intercept communications were/are needed.
The alleged event here happened in 2000/2001 which might fit with a new MO.

------
motters
Fortunately there's a way to resolve whether this is whistle blowing or mud
slinging. Someone with some expertise in that area should audit the code to
check whether the allegations have any basis. The original email makes some
fairly specific claims, at least some of which are probably verifiable.

~~~
gnaffle
The code has probably already been audited, but of course, more audits might
reveal more problems. However, there might be non-obvious ways to make the
code vulnerable to side-channel/timing attacks, and if you don't know what
you're looking for, the only thing you can really do is to take as many
precautions as you can.

For how many years did the NSA know about timing attacks before they became
public knowledge and fixes were incorporated into code? Impossible to know.
Code audits certainly didn't spot timing attack problems before people knew to
look for them.

It's also impossible to know what other unknown attacks are available to NSA
and the likes.

Of course, this is completely irrelevant to 99% of us, since anyone with
knowledge of these unknown attacks would use them very sparingly in order to
keep them secret.

------
slim
I can't believe Perry don't have proofs of what he's saying in the form of
code. I bet we won't wait for audit to see the code.

We're talking about code guys. It's not accusation of rape or broken condom.

------
tedunangst
I submitted this a little while ago, but it's scrolled off the new submissions
page while this story seems to be hanging on, so reposting here. Sorry for the
submission pimping.

<http://news.ycombinator.com/item?id=2010606>

[http://marc.info/?l=openbsd-
cvs&m=129245633605693&w=...](http://marc.info/?l=openbsd-
cvs&m=129245633605693&w=2)

------
davidj
The reason OpenBSD was thought of so secured is because they audited the
entire code at one time and continuously audit code for new holes. The reason
they audited the code in the first place was because way back in the day the
main OpenBSD server was compromised and backdoors were placed in the code.
They do not like people to know this.

~~~
piotrSikora
Source?

~~~
davidj
<http://www.cert.org/advisories/CA-2002-24.html> I am still looking for the
break-in that predates this breakin, my memory is fucking horrible. I
apologize. It will take me a while for me to find it.

~~~
piotrSikora
Thanks for the advisory, but you've got the facts wrong:

1) Main OpenBSD server wasn't compromised, main FTP server ("ftp.openbsd.org")
was.

2) Source code (the one in CVS) wasn't compromised, only .tar.gz packages
placed on the FTP server were.

3) They did want people to know about this, that's why they released security
advisory [1].

On top of that, at the time "ftp.openbsd.org" wasn't even running OpenBSD, the
FTP server was part of SunSITE powered by Solaris [2].

[1] [http://marc.info/?l=openbsd-
misc&m=102821528812161&w...](http://marc.info/?l=openbsd-
misc&m=102821528812161&w=2)

[2] [http://www.openbsd.org/cgi-
bin/cvsweb/www/faq/faq8.html.diff...](http://www.openbsd.org/cgi-
bin/cvsweb/www/faq/faq8.html.diff?r1=1.53;r2=1.54;f=h)

~~~
davidj
This wasn't in 2002, this was back in the 90s, I want to say 1996 or 1997. The
source code was back-doored. The advisory you found was for completely
different break-in in 2002.

~~~
piotrSikora
I found? You linked to this incident in your previous comment.

------
Flemlord
Knowing nothing about the issue at hand or how many
flavors/components/frameworks of OpenBSD exist, this struck me as some careful
parsing:

> I will state clearly that I did not add backdoors to the OpenBSD operating
> system or the OpenBSD crypto framework (OCF).

~~~
tvon
I take it as someone trying to be extremely clear that they did not do what
they are being accused of doing.

------
geekinthecorner
In the 9 or 10 years since I first heard about OpenBSD, it has never come up
in conversation without the related scene drama also popping up.

------
grandalf
It's really funny how there is so much indignation about this. What difference
does it make whether it's true or false, there should be an audit of the code.

It's this sort of emotional, knee-jerk response that leads to irrational
behavior.

~~~
frisco
It's a big allegation. This email didn't strike me as an overly emotional
response. It was a very firm refutation from a respected member of the
community about a hefty accusation.

~~~
chubs
I think his refutation was quite calm, solid, and respectable.

~~~
grandalf
Well, it was focused mostly on his reputation, not on the code. If he had been
involved in writing a back door, this is precisely the kind of response he'd
write. It makes it personal, etc.

Someone who hadn't written a back door would simply say: "That is crazy, I had
nothing to do with a back door and none exists to my knowledge. I welcome a
thorough audit of the code".

~~~
SwellJoe
"That is crazy, I had nothing to do with a back door and none exists to my
knowledge. I welcome a thorough audit of the code".

That's pretty much exactly what he said, in more verbose form.

~~~
grandalf
The idea that it's preposterous that there would have been exploits is part of
the knee-jerk reaction. If the FBI will try to infiltrate (and nearly entrap)
muslim immigrants, why is it so farfetched that it would hire very bright
cryptographers to infiltrate an open source community that is developing its
own military grade crypto and giving it away free?

~~~
SwellJoe
I'm not saying it's far-fetched. I think our government _is_ crooked, and
probably do make an effort to insure they have access to citizens encrypted
communications.

But, let's be fair here: A well-respected developer involved in security
projects has been declared untrustworthy. He has a right to be angry, and a
right to defend himself. Just because the federal government does nasty
things, doesn't mean we should just accept unbacked accusations about the
integrity of someone, particularly when it seems the guy actually didn't have
much to do with the code in question.

~~~
grandalf
True, he does have the right to be angry, but unless he's an uncommonly
egotistical person I find it hard to believe that he'd react quite that
strongly to an allegation that was completely false, unless he was
deliberately trying to leverage his perceived reputation and personal pride to
allay suspicion.

Consider an FBI informant who has penetrated a terrorist cell. Suppose one of
the actual terrorists suspects him and accuses him of being a traitor in front
of the rest. What will he do to save his skin? He'll be indignant, he'll try
to tug on any personal ties he has with the other members, he'll cite his
reputation, he'll potentially attack the accuser.

Why? Because he feels that in order to be perceived as telling the truth he
has to "leak" raw human emotion. He has to communicate that his rational mind
is not in control b/c he feels that others will doubt him if they don't see
that human emotion.

If he's innocent on the other hand, he'd laugh and say f __* you and assume
nobody would take it all that seriously, since he would not assume that
anybody would listen to such a ludicrous allegation, and if he started to
actually worry that the accusation was believable to others, he'd think quite
rationally and demand that his accuser produce more evidence, since he has the
information advantage about his own actions and could easily refute false
charges.

~~~
SwellJoe
Circular logic. You're saying someone would act this way in order to appear
innocent. But, this is the way someone who is _actually_ innocent, and angry
at the accusation, would act. There is no one true way a human being, with
actual emotions, responds to being accused, falsely or truthfully, of deceit.

Honestly, your explanation of why he sounds guilty to you reminds me of the
paranoid ramblings of, well, paranoid people. Again, it's entirely possible
the FBI (though this isn't their jurisdiction really) could be trying to
subtly shape free software to their bidding, but this is a baseless, and
pretty shaky, claim by someone that allegedly has a commercial incentive in
stirring up this shitstorm. I think the accused has every right to be mad as
hell about the accusation, _especially_ if he did no such thing.

~~~
grandalf
My logic isn't circular. The second part describes how someone who did nothing
wrong typically acts. My point is that people are not very good liars and
often fail to accurately act the part.

In any case, I have no clue whether he had anything to do with any backdoor,
just trying to make the point that his response is not what I'd expect from
someone who had nothing to do with it -- possible exceptions: If he's an
unusually egotistical person or if he has significant financial interests
which the perception that he was involved could disrupt.

~~~
SwellJoe
"If he's an unusually egotistical person or if he has significant financial
interests which the perception that he was involved could disrupt."

Or, if he is passionate about the software he is involved in building...which
Open Source developers generally are. Reputation is the only currency that
matters in the Open Source world, and someone has attempted to destroy this
guys reputation. (Or any number of other reasons why someone might be bothered
by such an accusation. Your assertion that there are only two "possible
exceptions" is just ridiculous. Speaking in such certainties about the human
brain and human emotions is simply nonsensical.)

Frankly, I think you're talking out of your ass here, with very little
understanding of the people you're talking about, or the psychology you seem
to believe you know so much about. Do you have no exposure at all to the Open
Source community? That's the only way I can imagine you would consider
reputation to be something a normal person doesn't have every right to care
about and defend from accusations.

Honestly, this developer responded far more politely than I would have in
similar circumstances.

------
peterbotond
a socially engineered email to exploit the idea of sheeple do not think, just
follow with the parrots. at the cost of the innocent.

