
A Chapter from the FBI's History with OpenBSD and an OpenSSH Vuln - signa11
https://twitter.com/RooneyMcNibNug/status/1152327783055601664
======
wil421
The link in the tweet is worth a read[1].

>My NDA with the FBI has recently expired, and I wanted to make you aware of
the fact that the FBI implemented a number of backdoors and side channel key
leaking mechanisms into the OCF, for the express purpose of monitoring the
site to site VPN encryption system implemented by EOUSA, the parent
organization to the FBI. Jason Wright and several other developers were
responsible for those backdoors, and you would be well advised to review any
and all code commits by Wright as well as the other developers he worked with
originating from NETSEC.

[1] [https://marc.info/?l=openbsd-tech&m=129236621626462](https://marc.info/?l=openbsd-tech&m=129236621626462)

~~~
ProCicero
Nitpicking here, but the parent agency of the FBI is the Department of
Justice. The EOUSA is the Executive Office of United States Attorneys, and is
basically the back office support for the 93 US Attorney offices. Its parent
organization is also the Department of Justice.

Basically, he is saying the DOJ planted a back door so that it could spy on
its own internal network.

~~~
wil421
I was confused by this and it’s the first time I’ve heard of EOUSA.

What’s the real story here?

~~~
equalunique
Factions in government are sometimes caught spying on government organizations that
have oversight/control authority over them. That was the real scandal of Edward
Snowden's bombshell (that was quickly covered up).

------
Rastarbar
‘One former FBI computer security agent has confirmed parts of Perry’s story
... "I was one of the few FBI cyber agents when the coding supposedly happened.
Experiment yes. Success No,"’ - E J Hilbert, FBI

[https://web.archive.org/web/20170823064610/https://www.v3.co...](https://web.archive.org/web/20170823064610/https://www.v3.co.uk/v3-uk/news/1989462/contractor-claims-fbi-installed-backdoors-openbsd-crypto)

~~~
sslalready
There’s nothing that suggests that those experiments had anything to do with
OpenBSD.

------
sverige
So, nothing about the 2010 claims, but something maybe, not sure what, back in
2002? Only two remote holes in a heck of a long time!

~~~
Fnoord
Indeed, IPsec isn't mentioned. (You can use WireGuard on OpenBSD nowadays.)

If you remember, the OpenSSH challenge-response vulnerability was found by ISS
in 2002. OpenBSD's advisory can be found here [1].

This was the first remote vulnerability found in OpenBSD's default
installation (which they used to advertise with). Back then, it was very
normal to have all kinds of bloated daemons enabled by default, and
vulnerabilities found in C code were easily exploited (no ASLR on
x86-32, for example).

Of particular interest is "section 6. Release Process", because it has details
about how the OpenBSD team dealt with the situation at that time. Also, the
patches are from 26 June 2002.

Now, if you look at [2] (source of the FOIA documents), you can notice the date is
14 August 2002. This indicates the FBI's document was made after the
vulnerability was known to the public.

What are the indications that the FBI knew about this beforehand? Is it the
part listed at the bottom, where they say contact X has administrative control
over the internet host cvs.openbsd.org and Y has administrative control over
the internet host ftp.openbsd.org? We don't know who these people were or who
they worked for.

I remember there being some kind of feud between the OpenBSD team and the
Grsecurity/PaX team (Brad Spengler, aka Spender, and a Hungarian, I suppose, by
the nickname pipops). I always wondered about the relation between these and the
blackhat community. Who were these people with the gobble gobble memes, and
the "Theo, why is syslog running on port 514? I want to see SSH and nothing
else"?

[1]
[https://www.openssh.com/txt/preauth.adv](https://www.openssh.com/txt/preauth.adv)

[2]
[https://cdn.muckrock.com/foia_files/2019/07/19/Ecd74aeb090e0...](https://cdn.muckrock.com/foia_files/2019/07/19/Ecd74aeb090e009e1ede26e1a0fe860c184bb6797_Q52218_R348013_D2256726.pdf)

~~~
sverige
Probably Contact X is Theo, and Contact Y is Bob Beck. Or vice versa. There's
no reason to think otherwise, unless of course we're going to revisit
conspiracy theories like the bullshit claims about NSA backdoors from 2010.
But OpenBSD has always been a magnet for trolls.

~~~
ryacko
Isn’t it in the government’s best interests to have a non-adversarial
relationship with a community?

The government does have plenty of tools for writing correct code. OpenSSH was
written with available tools; if available tools to write correct code weren't
used, there'd be very little burden for anyone to make an accusation.

>Currently, most Commercial Off-the-Shelf (COTS) software contains about one
to five bugs per thousand lines of code.

>DARPA created the Crowd Sourced Formal Verification (CSFV) program to
overcome these challenges.

(The above was a project that led to formal verifications that weren't open
sourced.)

~~~
fmajid
The government is not a monolithic entity, but a nexus of competing agendas,
and not only does the right hand not know what the left hand is doing, but
they may well be working at cross-purposes. This is true of any organization
beyond a few dozen people.

~~~
ryacko
Yes, inaction is only evidence of nonfeasance when a person fails to perform
an action aligned with their duties or stated interests. The government does
have competing duties and stated interests, so there is no evidence of
nonfeasance or malfeasance on the part of OpenBSD or on the part of the
government in this case.

~~~
sverige
OpenBSD is based in Canada. It ships with cryptography. It does not accept
contributions to its cryptography code from Americans, specifically because of
the ridiculous cryptography export ban the U.S. had in place in the 90s.

[https://www.openbsd.org/crypto.html](https://www.openbsd.org/crypto.html)

Of course, if that sort of thing is what you're looking for, there's always
SELinux.

[https://selinuxproject.org/page/Main_Page](https://selinuxproject.org/page/Main_Page)