Yay for Open Source!
/* FBI side-channel */
"My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI."
Being able to find a particular commit, made by the people previously accused during the correct time-period, and showing how what they did was subtlety broken? Sure, that's very possible. Proof of mal-intent is hardly necessary.
If like some you believe there are cyber skirmishes going on, it's also possible PSYOPS are in operation ~ http://en.wikipedia.org/wiki/Psychological_warfare OBSD could be viewed as a hardened OS and therefore a problem. I can't think of a better way to counter Puffys reputation, than with unsubstantiated and difficult to verify information.
* pay people to add backdoors
* tell DARPA
* start a marketing arm to convince people to use it
If it is true, though, it will be interesting to see how much code Cisco jacked from OpenBSD. (It's allowed by the license, but is probably a hard sell when you tell your Fortune 100 clients that they are just running OpenBSD but at 10000x the cost.)
Incidentally, I use OpenBSD for my VPN. But OpenVPN, not IPsec, as I could never figure it out :)
That's because when they are found out to be true, nobody calls them "Conspiracy stories" any more. We call them "scandals". (ref: "Watergate Scandal"). Note that the perpetrators were indited for conspiracy.
"it's too hard to coordinate all of these efforts."
You're doing it wrong.
pay people to add backdoors
This is hard if you have the money? Done.
When the FBI spooks go to the military contrator parties, who else do you think is there? If you know that something is tainted, you tell people who might return the favor.
start a marketing arm to convince people to use it
Why? It's free crypto. Done.
EDIT: A proper response to this kind of situation: http://news.ycombinator.com/item?id=2006694
I think a definition of terms would be useful. Cooperation is necessary for much of what one does. At what point does cooperation become conspiracy?
"It's a conspiracy, of course there is no evidence!"
3 MILLION people have access to the docs Bradley Manning leaked. ONE leaked it. I think you're overstating the difficulty of coordinating activities.
3 million people didn't leak it because there was no compelling reason to leak them.
The best analogy I could come up with is if someone leaked all the private Facebook messages from all the students at a high school. Sure, feelings would be hurt, but at the end of the day it's really no big deal.
To argue otherwise is anti-democratic.
My guess it's because the cables regarding Russia are ridiculous beyond any recognition, they don't have ANY hard data and consist mostly of hoax and whatnot, there isn't anything there what you couldn't read in opposition media.
Public reaction here is more like:
Cable: Russian government is mafia
Russian citizen: ha-ha, oh wow
Of course none of this applies to people like Assange because they don't have any money or come from countries the US doesn't like.
Or more likely dozens of people leaked them, but they weren't made publicly available until WikiLeaks got them.
While we're at it: here's the legal definition of conspiracy: http://www.lectlaw.com/def/c103.htm
WikiLeaks documents many such conspiracies.
I'll admit this is probably the closest item I've seen to passing the test of something that might actually be worth whistle-blowing on. To fully pass the test, I'd need to see something that detailed who from Dyncorp was involved and to what extent.
My main complaint with the leaked cables, and the reason I have zero qualms about Manning being court marshaled (or even tried for treason) is that he in no way was discriminant about what he released. A whistle-blower needs clear concise evidence of real wrongdoing. Manning lazily dumped a huge archive of classified information without any real item to point to say this is wrong.
Yes, thats where the "conspiracy" bit comes in. We know these things are happening. We know they are being funded by Dynocorp which is itself funded 95% by US tax dollars. But who exactly organized it, well, gosh, nobody actually wrote it down. Yet we are to believe that nobody knew. Like, "who could have imagined people would fly planes into buildings?", as our Secretary of State blathered. (Answer: NORAD. http://www.usatoday.com/news/washington/2004-04-18-norad_x.h...)
Don't discount the (admittedly unlikely) possibility that there was some cooperation in making sure that any /possible/ backdoors were done by people with REAL knowledge of how to get it done.
I'm still not convinced that the original Pentium Floating Point Bug wasn't a (mishandled) intentional corruption for crypto-backdoor purposes. Anyone who has heard the rumors about the POPCNT instruction would understand that the government is capable of making all sorts of deals with equipment and software vendors. Very few companies will decline such requests when received with "critical to National Security" assurances.
They probably outsourced it to disconnect it from them, same as subcontractors doing things the state can't like operate drones on the border without massive outcry. Also it makes it less easy to pin on anyone at the agency/state and makes the individual(s) that put it in seem wacko if they stated that independently. You can just deny, deny, plausible deniability. It is easy to play the psychological reactions this way.
If the FBI, NSA, and others aren't doing stuff like this then I wonder how they are thinking they can hang with the Chinese, Russian, etc hackers of the state.
It's so funny, people believe in their own tribe/country that the authority would never do this but you think of it happening in China or Russia and you think, 'of course they are doing that!'. It is a problem of relativity/trust. Wikileaks put evidence of our very own State Department and Hilary Clinton bugging the United Nations but we aren't doing this across the internet/software landscape? hrm. Algorithms are hard to put trapdoors in, but the software that wraps them can help make it easier...
"This is also probably the reason why you lost your DARPA funding, they
more than likely caught wind of the fact that those backdoors were
present and didn't want to create any derivative products based upon
At the time (2003) this was blamed on Theo criticizing the Iraq war in the Canadian press.
The impact of this if true is going to be huge.
Outrageous, who ever heard of such a thing ;)
Seriously, though, there are something like two dozen intelligence services [edit: Wiki says 16 big ones] in the US federal government.
here's the leader:
The top-secret world the government created in response to the terrorist attacks of Sept. 11, 2001, has become so large, so unwieldy and so secretive that no one knows how much money it costs, how many people it employs, how many programs exist within it or exactly how many agencies do the same work.
It's a harrowing read.
This might not be helpful for people here, but the best advice I can give is to "consider the source" (Greg Perry).
I can say I have no reason to doubt anything that Jason says (although if this crazy accusation were true, logically, it would make sense for him to deny it).
The good news is that this is something that is verifiable. If there is in fact a backdoor in the code, someone should be able to find it.
Hasn't stopped you yetº. Why balk at the request to provide a little substantiation?
The problem with that statement is that from what I can see, no one who meets that criteria is commenting in this article. I am aware of no public record that he is a liar; but if someone asked if my Aunt Verna is crazy I would want to respond "oh yes, absolutely).
Sorry, but that kind of ends it for me. Either the FBI was so ignorant they had him sign an NDA which they knew would expire, and then told him to put in backdoors; or he's lying.
He could have signed a stock sw dev NDA form that suited everybody.
Either case, its all speculation. Hopefully this isn't a stunt to discredit oBSD. Some serious combing will be done in the code, I trust the oBSD team will do their best to clean up any mess that exists. We will all have a better oBSD after this.
"The recent incident of "backdoors" in Microsoft software is indicative of a fundamental problem that electronic commerce will need to address very soon," Jerry Harold, president & co-founder of NetSec [...] Even if Microsoft has stringent internal requirements for software assurance, it's very difficult to catch a backdoor that may be hidden by a single coder deep inside hundreds of thousands of lines of code," said Harold
"This is why NetSec builds its products on an operating system (OpenBSD) that has made security its number one goal," Harold told SOURCES. "The source for the operating system was re-built from the ground up for security and is publicly available. As a result, it is continuously subjected to rigorous security review by independent software engineers around the world. This has additional benefits because secure code often tends to be well designed, stable, and efficient."
(netsec being the company that worked with the fbi and employed the developer that wrote the openbsd ipsec code in question)
I don't expect other people to take that as evidence of anything (because who the hell am I), but thankfully, this isn't the kind of thing that has to be wondered about for eternity (if his claim is true, it should be able to be verified).
edit: Oh look, HD Moore just posted this link on Twitter about the guy who sent the original email: http://www.bop.gov/iloc2/InmateFinderServlet?Transaction=IDS...
To use the term "NDA" in such a context belies a general ignorance of how projects like this work in the government intelligence field. I suspect a hoax.
I was the lead architect for the site-to-site VPN project developed for Executive Office for United States Attorneys, which was a statically keyed VPN system used at 235+ US Attorney locations and which later proved to have been backdoored by the FBI so that they could recover (potentially) grand jury information from various US Attorney sites across the United States and abroad.
he mentions pf, but also that he left the company in 2000. pf wasn't even created until 2001.
and now jason wright (the developer in question) has responded:
if you can read german.
There's no such thing as a "NDA" when working with the government.
This story doesn't make sense.
which can be backdoored, and would then be impossible to detect from the operating system.
Anyone familiar with the code in question? Even the neighbourhood would be helpful.
This is hilarious logic, because no other country could possibly want to have a backdoor, and the NSA/CIA couldn't possibly hire a foreign national working in another country.
The link for this thread states it may have happened in 2000-2001 around the time of the terror frenzy which is possible. But BSD has gotten more corporate, and with that backdoors usually such as NSA/Windows in the late 90's (http://www.heise.de/tp/r4/artikel/5/5263/1.html).
If a large group of US nationals were mirroring Wikileaks content, and happened to be using OpenBSD for their infrastructure, it might be an interesting "warning".
There should be a thousand pairs of eyes going through the current OCF and its historical states by now, so I guess the answer will be out in the blink of an eye.
Theo's lack of concern is unsettling.
"Meh, if it's there, someone who cares will look for it and find it."
"The ex-CTO of a government contractor with a history of being bat-shit insane just told you there is very likely a set of backdoors in a crypto stack"...
Disclosing the allegations so those with a reasonable chance of finding the thing if it exists is, basically, the responsible thing to do here.