
Allegations of FBI crypto backdoors in OpenBSD IPSEC - tptacek
http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
======
olefoo
It looks like someone has figured out a way to get an absolutely free hostile
code audit of their IPSEC implementation. Hundreds of the smartest people in
the field will be looking at the code with a critical eye; a process that
would cost millions if they were paid for their time, and all for the chance
to put their name on the discovery of the backdoor.

Yay for Open Source!

~~~
ams6110
Crypto implementations have a history of vulnerabilities. Who's to say that
anything that anyone finds is proof one way or the other. It's not like you're
going to see:

    /* FBI side-channel */

in the source

~~~
olefoo
It's more likely to be something along the lines of skipping a crucial step in
adding entropy or subtly botching the rekey cycle so that it leaks session
information. If anything like that exists. This may all be a subtle troll of
Theo de Raadt, or of the internet at large.

~~~
copper
The mail Theo forwards has a vague description of what has been done (not that
I understand it, mind you):

"My NDA with the FBI has recently expired, and I wanted to make you aware of
the fact that the FBI implemented a number of backdoors and side channel key
leaking mechanisms into the OCF, for the express purpose of monitoring the
site to site VPN encryption system implemented by EOUSA, the parent
organization to the FBI."

------
bootload
_"... I have received a mail regarding the early development of the OpenBSD
IPSEC stack. It is alleged that some ex-developers (and the company they
worked for) accepted US government money to put backdoors into our network
stack, ... The mail came in privately from a person I have not talked to for
nearly 10 years. I refuse to become part of such a conspiracy ..."_

If like some you believe there are cyber skirmishes going on, it's also
possible PSYOPS are in operation ~
<http://en.wikipedia.org/wiki/Psychological_warfare> OBSD could be viewed as a
hardened OS and therefore a problem. I can't think of a better way to counter
Puffy's reputation, than with unsubstantiated and difficult to verify
information.

~~~
rdtsc
It could also be a test to see how the community would react if such a thing
was attempted or became public.

------
jrockway
I kind of doubt this. Too much planning would be involved to:

      * pay people to add backdoors
      * tell DARPA
      * start a marketing arm to convince people to use it

Conspiracy stories very rarely turn out to be true; it's too hard to
coordinate all of these efforts.

If it is true, though, it will be interesting to see how much code Cisco
jacked from OpenBSD. (It's allowed by the license, but is probably a hard sell
when you tell your Fortune 100 clients that they are just running OpenBSD but
at 10000x the cost.)

Incidentally, I use OpenBSD for my VPN. But OpenVPN, not IPsec, as I could
never figure it out :)

~~~
binaryfinery
"Conspiracy stories very rarely turn out to be true;"

That's because when they are found out to be true, nobody calls them
"Conspiracy stories" any more. We call them "scandals". (ref: "Watergate
Scandal"). Note that the perpetrators were indicted for _conspiracy_.

"it's too hard to coordinate all of these efforts."

You're doing it wrong.

~~~
ynniv
Every week you should be allowed to upvote something twice. Conspiracy is
pervasive in life. As far as I can tell (and I provide no evidence to back
this up), "conspiracy theories" are often correct but lacking the direct
evidence to do anything about. Those who discount something as a "conspiracy
theory" are usually (a) naive, (b) like being "right", (c) personally
benefiting from the situation, or (d) going to find a way to benefit from it.

 _pay people to add backdoors_

This is hard if you have the money? Done.

 _tell DARPA_

When the FBI spooks go to the military contractor parties, who else do you
think is there? If you know that something is tainted, you tell people who
might return the favor.

 _start a marketing arm to convince people to use it_

Why? It's free crypto. Done.

EDIT: A proper response to this kind of situation:
<http://news.ycombinator.com/item?id=2006694>

~~~
cafard
"Conspiracy is pervasive in life."

I think a definition of terms would be useful. Cooperation is necessary for
much of what one does. At what point does cooperation become conspiracy?

~~~
binaryfinery
When it's criminal.

------
ceejayoz
I have a hard time imagining the FBI putting a crypto backdoor in and securing
it with an _expiring_ NDA.

~~~
tptacek
I have a hard time imagining the FBI putting a crypto backdoor in.

~~~
frisco
Why? As a professional security researcher, what makes you believe this is
unlikely? I'm not saying I disagree with you, but it seems like you have
additional context for an a priori belief that this isn't what happened.

~~~
tptacek
The FBI's level of security sophistication appears to end (normally) at
EnCase.

~~~
16s
That is hilarious, but very true.

~~~
borism
emphasis on "normally"

------
sedachv
Holy shit:

"This is also probably the reason why you lost your DARPA funding, they more
than likely caught wind of the fact that those backdoors were present and
didn't want to create any derivative products based upon the same."

At the time (2003) this was blamed on Theo criticizing the Iraq war in the
Canadian press.

The impact of this if true is going to be huge.

~~~
ceejayoz
"You are an alien consciousness in a robot body that looks like a human."

The impact of this if true is going to be huge.

~~~
wlangstroth
I call shenanigans. The alien robots of John McCain and Keith Richards have
had little to no impact whatsoever.

------
cperciva
Why would the FBI put a backdoor into an ipsec stack? That's the NSA's job.

~~~
tptacek
Pretty sure the NSA is content to sit back and watch people inadvertently add
the backdoors for them.

~~~
cperciva
They do that too, of course. But I have trouble believing that they always
stop there. Look at their idiotic trojan PRNG, for instance (and if you
believe their "What? That curve was chosen completely randomly! Of course we
didn't construct it specially!" story, I have a bridge to sell you.)

~~~
jberryman
<http://www.schneier.com/essay-198.html>

~~~
tptacek
You wonder whether it was some kind of crazy NSA intern project.

------
m0nastic
After conferring with some folks, I will now say that the odds of this being
true are virtually nil.

This might not be helpful for people here, but the best advice I can give is
to "consider the source" (Greg Perry).

~~~
kenjackson
Who's Greg Perry? Is he a known liar? What about asking this Jason Wright who
apparently implemented some of this? Or is he also a known liar?

~~~
m0nastic
It's unfair of me to cast aspersions against Greg that the general public
wouldn't be in a position to back up; but I think you'd be hard pressed to
find anyone with knowledge of either him or the situation to not consider him
an untrustworthy source (about this, or really anything).

I can say I have no reason to doubt anything that Jason says (although if this
crazy accusation were true, logically, it would make sense for him to deny
it).

The good news is that this is something that is verifiable. If there is in
fact a backdoor in the code, someone should be able to find it.

~~~
bbatsell
> It's unfair of me to cast aspersions against Greg that the general public
> wouldn't be in a position to back up

Hasn't stopped you yetº. Why balk at the request to provide a little
substantiation?

º<http://news.ycombinator.com/item?id=2006352>

~~~
tptacek
Because he can't substantiate without breaking confidences. It's fine to ask
the question and fine to say you're not going to take him at his word, but
let's leave it there.

~~~
bbatsell
After seeing the post I linked, I searched the Googles in vain to find a wisp
of what he was referring to. It's perfectly fine to not break confidences, but
you can't call someone "bat-shit insane" and then demurely say you won't cast
aspersions on him; that horse has left the barn.

~~~
tptacek
He didn't say he wouldn't; he acknowledged that it was unfair. It is. That
doesn't make him wrong. _Please_ can we drop it? You raised the point. We get
it.

------
Xk
> My NDA with the FBI has recently expired [...]

Sorry, but that kind of ends it for me. Either the FBI was so ignorant they
had him sign an NDA which they _knew_ would expire, and then told him to put
in backdoors; or he's lying.

~~~
Create
Expiration date on crypto makes sense: a crypto algo and more so the
implementation is only a timelock, at best, because they become increasingly
easy to attack with time.

He could have signed a stock sw dev NDA form that suited everybody.

~~~
Xk
But what doesn't make sense is that they would sign him on with an NDA that
expired, knowing full well that he could then go on and tell people that the
FBI had put a backdoor in something they helped to design.

~~~
malandrew
I would wager that they didn't know "full well" that they were going to
request a backdoor. Remember this is the US Government we're talking about.
That kind of foresight is rare and even when it does exist the left hand
doesn't know what the right is doing and expiring NDAs could occur. All it
takes is the person making the request to assume, "Hey, he's doing US Gov
crypto work so he must have a permanent NDA. I'll go ahead and request a back
door without double checking the terms of his NDA."

~~~
Xk
Yeah, that's entirely possible. I guess my argument made the assumption the
government would know what it was doing.

------
fluidcruft
Translation: plain-text email from the FBI says: "Please stop using IPSEC."

------
tptacek
Anyone want to start a pool? I'm definitely a "no".

~~~
dfranke
That depends. Do we just have to find a vuln somewhere in one of NETSEC's
check-ins, or do we have to prove it was put there deliberately?

~~~
tptacek
Vulns are disqualified if a similar vuln was checked in to an analogous crypto
product within a 5 year window.

~~~
pbhjpbhj
Wouldn't that be a great way to hide it though, insert a vulnerability that
you've seen elsewhere and know how to exploit rather than inserting something
completely unfamiliar. Indeed if it's been in some other app and not
discovered then it's unlikely to get noticed quickly.

------
firemanx
The work described here isn't something that would be classified FOUO, or
likely even just "secret". This would be at a minimum TS or most likely SCI.
As such, you don't just sign an NDA to do work on a project like this - you go
through an extensive background check process, get interviewed, and sign a
bunch of paperwork that lasts the rest of your life regarding the criminal
penalties of disclosure (at least until the underlying project goes through
the declassification process).

To use the term "NDA" in such a context belies a general ignorance of how
projects like this work in the government intelligence field. I suspect a
hoax.

------
there
a response from greg perry:

<http://blogs.csoonline.com/1296/an_fbi_backdoor_in_openbsd>

 _I was the lead architect for the site-to-site VPN project developed for
Executive Office for United States Attorneys, which was a statically keyed VPN
system used at 235+ US Attorney locations and which later proved to have been
backdoored by the FBI so that they could recover (potentially) grand jury
information from various US Attorney sites across the United States and
abroad._

he mentions pf, but also that he left the company in 2000. pf wasn't even
created until 2001.

and now jason wright (the developer in question) has responded:

<http://marc.info/?l=openbsd-tech&m=129244045916861&w=2>

------
hillad
The more famous (with VMware) Scott Lowe rarely writes about BSD and has
denied any sort of involvement.
<http://blog.scottlowe.org/2010/12/14/allegations-regarding-fbi-involvement-with-openbsd/>

------
pilif
This reminds me of a brilliant April Fools' joke the German Linux Magazin
pulled off back in 2001 where they suggested that a backdoor was added to the
Linux networking stack disguised in many harmless looking patches

<http://www.linux-magazin.de/Heft-Abo/Ausgaben/2001/04/Big-Br0ther-liest-mit>

if you can read German.

~~~
shadowpwner
Can't read German, but this sounds like the DirectTV (right company?) updates
to stop hackers from getting free TV. Pretty ingenious if you ask me.

/offtopic

------
shin_lao
Anything classified is classified until the government decides otherwise.

There's no such thing as a "NDA" when working with the government.

This story doesn't make sense.

------
peterbotond
a binary driver blob can do a better job at backdooring. or even dare to say,
the hardware, network card, may have already had one built into it at the
factory. i vote for a mostly fudd value of this info.

~~~
sedachv
Which is why OpenBSD does not come with _any_ binary drivers.

~~~
there
but it (and every other operating system) still has drivers for network cards
that use binary, closed-source firmware that operates on the network card's
own processor.

which can be backdoored, and would then be impossible to detect from the
operating system.

<http://esec-lab.sogeti.com/dotclear/index.php?post/2010/11/21/Presentation-at-Hack.lu-:-Reversing-the-Broacom-NetExtreme-s-firmware>

------
wlangstroth
I thought this was hacker news. Are we going to yammer or are we going to look
at the code?

Anyone familiar with the code in question? Even the neighbourhood would be
helpful.

<http://www.openbsd.org/cgi-bin/cvsweb/src/>

~~~
there
to feed your paranoia:

<http://marc.info/?l=openbsd-tech&m=129237675106730&w=2>

~~~
smallblacksun
> We have never allowed US citizens or foreign citizens working in the US to
> hack on crypto code

This is hilarious logic, because no other country could _possibly_ want to
have a backdoor, and the NSA/CIA couldn't _possibly_ hire a foreign national
working in another country.

~~~
Malus
It has nothing to do with that. The rationale for this is to avoid any
problems with US law regarding the exporting of cryptographic software:

<http://en.wikipedia.org/wiki/Export_of_cryptography_in_the_United_States>

------
mwg66
Has anybody come up with a plausible motive to lie about this? Shouldn't there
be an audit of the relevant source tree _at the time_ rather than now?

------
Create
smells like déjà vu (synæsthesia:
<http://news.ycombinator.com/item?id=188792>)

------
runjake
Could this be a psyops operation regarding Wikileaks mirrors?

/tinfoil

~~~
gasull
What's the interest in spying on such connections? We all know what is going to
be the content in all those mirrors.

~~~
runjake
If this was actually in response to my psyops comment, I didn't reference
spying, I referenced psychological operations. It was just a not-necessarily-
plausible thought I tossed out there, hoping for discussion.

If a large group of US nationals were mirroring Wikileaks content, and
happened to be using OpenBSD for their infrastructure, it might be an
interesting "warning".

------
abraham
> Merry Christmas...

------
hackermom
What is this... christmas trolling? This whole story sounds so unlikely: a
definite rather than infinite NDA, and in an open-sourced project of this
magnitude which welcomes an infinite number of people to peer through it
(don't respond to this with "the best place to hide something is in plain
sight", please...)

There should be a thousand pairs of eyes going through the current OCF and its
historical states by now, so I guess the answer will be out in the blink of an
eye.

~~~
tptacek
A hundred thousand pairs of eyes might not spot a deliberate side channel
inserted in a crypto implementation.

~~~
hackermom
Yes, obviously. And given the OBSD team's track record on meticulousness and
attention to detail in ironing out these specific creases, I think I know what
the majority of bets on this one will be.

~~~
tptacek
The OpenBSD team's track record has very little to do with intricate crypto
vulnerabilities. This is a different kind of vulnerability research.

~~~
olefoo
So what will find and fix vulnerabilities in crypto implementations?

~~~
tptacek
Nothing we know of. Sleep tight!

------
lhnn
The CEO of a consulting firm with government funding just told you there is
very likely a set of backdoors in a crypto stack that will be increasingly
relied on in coming years.

Theo's lack of concern is unsettling.

"Meh, if it's there, someone who cares will look for it and find it."

~~~
m0nastic
To be more accurate:

"The ex-CTO of a government contractor with a history of being bat-shit insane
just told you there is very likely a set of backdoors in a crypto stack"...

~~~
bmastenbrook
You left out the bit where it was his company that he claimed added the
alleged backdoors. If he's as untrustworthy as you've hinted at, I expect that
those with authoritative knowledge will speak to that soon enough, but it
seems like it will take more than just evidence of past lying to put this one
to rest. Even liars tell truths.

