Developer responds to allegations of FBI backdoor in OpenBSD IPSec (marc.info)
235 points by there on Dec 15, 2010 | 51 comments

The accusation came at a really strange time. I'm inclined to think more people jumped on the government conspiracy bandwagon because of the recent release of the diplomatic cables via wikileaks.

Incidentally, I thought I had seen Mr. Perry someplace on TV, and then I remembered he was on an episode of Penn and Teller's "Bullsh*t" a while back. Link for the interested: http://www.youtube.com/watch?v=DT2YET6sg5I

Many of the commenters in the last thread admitted to this, which made it all the more irrational. There was even a debate about whether, in general, 'conspiracy theories' were more or less common than the public perception. As if that had any bearing on these specific allegations.

With the strange claims made in the email (outsourcing, expired NDAs, DARPA knew), I wish Theo would've thought twice before publicizing this guy's name. At least the extra eyes on IPSEC might catch something else.

Not publishing the email opens the door to "6 months ago, I emailed Theo about a backdoor, but he's trying to cover it up."

Isn't there a third possibility, "I received an email claiming that there's a backdoor" without publicizing all the additional details?

First question: "Who says?" Answer: "I can't say."

Second question: "Is it credible?" Option 1: "Yes" => panic ensues. Option 2: "No" => "Liar!" Option 3: There is no option 3, you must pick 1 or 2.

Why is there no option 3?

"I am looking into the matter; more details will be forthcoming."

Third question: "Did you find anything?" Option 1: "Yes" => panic. Option 2: "No" => "Liar!".

You have to release all the details sometime, but the longer you wait, the more people suspect they aren't getting all the details (even if they are) and the larger the drama whirlpool becomes. Did "Kaminsky found a DNS bug, details will be forthcoming" accomplish anything? No, it was a giant clusterfuck.

As a side note, I think it's weird that in a "post-wikileaks" era people are arguing that an open source project named openbsd be less transparent.

Only if he kept it to himself and didn't mention it to anybody - I don't think that's what the OP meant.

You're only making the conspiracy bigger. :)

You'll have a hard time gathering a small circle of people willing to state, for the record, "We reviewed the code and the invisible bug doesn't exist." Personally, I would want no part in an audit like that.

For a concrete threat, yeah, you fix it first. But the thing about scandals is that delay only incubates a bigger scandal.

I think Theo de Raadt is right to make the accusation open, because it is quite a serious thing.

On the other hand, I know that such an accusation can have a devastating effect on the life of the accused developer. So the principle of _in dubio pro reo_ should be applied faithfully.

This should be the instinctive reaction of a democratic society. It does seem to be quite hard to have this collective routine work reliably nowadays, which is sad.

Totally agree. I guess the point that gets me is that the NDA had an expire time. Makes no sense at all. Show me the commits.

Jason L. Wright is known by many as "Wookiee" for reasons that may be obvious to many of you. Now I realize that it's been done before, but would it be too much to ask that we consider the term Wookieeleaks when referring to this matter? ;-)

Chewie was a female and being pregnant most of the time from her incessant whoring resulting in the hairy toe head always putting pressure on her bladder ... did cause a leak or two.

If Jason didn't put in the backdoors, then who did? :-)

As far as I am aware, no actual backdoors have been discovered. This has a high probability of being a hoax.

Of course it does.

But I do think it's worthwhile to take measure of how important a particular piece of software is to our collective security and privacy. It's not necessarily a bad thing for interested parties to not completely trust their systems. Risk mitigation is all about quantifying probable events relative to their damage.

I think a lot of people will take a look at the IPSEC code and that can't be a bad thing.

Backdoors need not be literal. A well-misplaced `if` will go a long way in leaking key information. Hardly a "backdoor" in the more common sense of the word, but an exploitable weakness nonetheless.

It just seems odd to me that a seemingly well respected engineer would fabricate allegations using his corporate e-mail (VMware). We should remember it was not he who posted them publicly.

I'm not saying it's true but only that I don't see any more evidence that it isn't true than that it is - yet.

Perry doesn't work for VMware. He has his own business that offers training on VMware products.

Right, sorry, I missed that. It still seems odd.

I'm fairly certain that kenjackson was being ironic.

Not sure what to believe here but we do know that the NSA and authorities do need to have access to data for security. If there are systems that aren't apt to putting in backdoors or trapdoors then they treat you like Phil Zimmermann in the 90's by dropping the DOJ on you: http://www.philzimmermann.com/EN/faq/index.html + http://en.wikipedia.org/wiki/Phil_Zimmermann or at least that was the MO at that time.

But the DOJ and US Customs dropped the case against Zimmermann in '96. Obviously they would need to go with a new plan of attack after that method failed for intercepting messages in algorithms and software that is closed or running new algorithms like PGP. Backdoors and trapdoors in software that wraps crypto algorithms is one prong in that attack. The NSA neither confirms nor denies trapdoors, backdoors, etc. but DOES employ some of the top cryptographers in the world.

In 2000, the U.S. government lifted the export controls on strong crypto, so (pure speculation) other methods to intercept communications were/are needed. The alleged event here happened in 2000/2001 which might fit with a new MO.

Fortunately there's a way to resolve whether this is whistle blowing or mud slinging. Someone with some expertise in that area should audit the code to check whether the allegations have any basis. The original email makes some fairly specific claims, at least some of which are probably verifiable.

The code has probably already been audited, but of course, more audits might reveal more problems. However, there might be non-obvious ways to make the code vulnerable to side-channel/timing attacks, and if you don't know what you're looking for, the only thing you can really do is to take as many precautions as you can.

For how many years did the NSA know about timing attacks before they became public knowledge and fixes were incorporated into code? Impossible to know. Code audits certainly didn't spot timing attack problems before people knew to look for them.

It's also impossible to know what other unknown attacks are available to NSA and the likes.

Of course, this is completely irrelevant to 99% of us, since anyone with knowledge of these unknown attacks would use them very sparingly in order to keep them secret.

It can be tricky to find purposefully subtle bugs: http://underhanded.xcott.com/

I can't believe Perry doesn't have proof of what he's saying in the form of code. I bet we won't wait for an audit to see the code.

We're talking about code, guys. It's not an accusation of rape or a broken condom.

I submitted this a little while ago, but it's scrolled off the new submissions page while this story seems to be hanging on, so reposting here. Sorry for the submission pimping.



The reason OpenBSD was thought of as so secure is because they audited the entire code at one time and continuously audit code for new holes. The reason they audited the code in the first place was because way back in the day the main OpenBSD server was compromised and backdoors were placed in the code. They do not like people to know this.

http://www.cert.org/advisories/CA-2002-24.html I am still looking for the break-in that predates this break-in, my memory is fucking horrible. I apologize. It will take me a while to find it.

Thanks for the advisory, but you've got the facts wrong:

1) Main OpenBSD server wasn't compromised, main FTP server ("ftp.openbsd.org") was.

2) Source code (the one in CVS) wasn't compromised, only .tar.gz packages placed on the FTP server were.

3) They did want people to know about this, that's why they released security advisory [1].

On top of that, at the time "ftp.openbsd.org" wasn't even running OpenBSD, the FTP server was part of SunSITE powered by Solaris [2].

[1] http://marc.info/?l=openbsd-misc&m=102821528812161&w...

[2] http://www.openbsd.org/cgi-bin/cvsweb/www/faq/faq8.html.diff...

This wasn't in 2002, this was back in the 90s, I want to say 1996 or 1997. The source code was back-doored. The advisory you found was for a completely different break-in in 2002.

I found? You linked to this incident in your previous comment.

Knowing nothing about the issue at hand or how many flavors/components/frameworks of OpenBSD exist, this struck me as some careful parsing:

> I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF).

I take it as someone trying to be extremely clear that they did not do what they are being accused of doing.

In the 9 or 10 years since I first heard about OpenBSD, it has never come up in conversation without the related scene drama also popping up.

It's really funny how there is so much indignation about this. What difference does it make whether it's true or false, there should be an audit of the code.

It's this sort of emotional, knee-jerk response that leads to irrational behavior.

It's a big allegation. This email didn't strike me as an overly emotional response. It was a very firm refutation from a respected member of the community about a hefty accusation.

I think his refutation was quite calm, solid, and respectable.

Well, it was focused mostly on his reputation, not on the code. If he had been involved in writing a back door, this is precisely the kind of response he'd write. It makes it personal, etc.

Someone who hadn't written a back door would simply say: "That is crazy, I had nothing to do with a back door and none exists to my knowledge. I welcome a thorough audit of the code".

"That is crazy, I had nothing to do with a back door and none exists to my knowledge. I welcome a thorough audit of the code".

That's pretty much exactly what he said, in more verbose form.

The idea that it's preposterous that there would have been exploits is part of the knee-jerk reaction. If the FBI will try to infiltrate (and nearly entrap) Muslim immigrants, why is it so farfetched that it would hire very bright cryptographers to infiltrate an open source community that is developing its own military grade crypto and giving it away free?

I'm not saying it's far-fetched. I think our government is crooked, and probably does make an effort to ensure they have access to citizens' encrypted communications.

But, let's be fair here: A well-respected developer involved in security projects has been declared untrustworthy. He has a right to be angry, and a right to defend himself. Just because the federal government does nasty things, doesn't mean we should just accept unbacked accusations about the integrity of someone, particularly when it seems the guy actually didn't have much to do with the code in question.

True, he does have the right to be angry, but unless he's an uncommonly egotistical person I find it hard to believe that he'd react quite that strongly to an allegation that was completely false, unless he was deliberately trying to leverage his perceived reputation and personal pride to allay suspicion.

Consider an FBI informant who has penetrated a terrorist cell. Suppose one of the actual terrorists suspects him and accuses him of being a traitor in front of the rest. What will he do to save his skin? He'll be indignant, he'll try to tug on any personal ties he has with the other members, he'll cite his reputation, he'll potentially attack the accuser.

Why? Because he feels that in order to be perceived as telling the truth he has to "leak" raw human emotion. He has to communicate that his rational mind is not in control b/c he feels that others will doubt him if they don't see that human emotion.

If he's innocent on the other hand, he'd laugh and say f* you and assume nobody would take it all that seriously, since he would not assume that anybody would listen to such a ludicrous allegation, and if he started to actually worry that the accusation was believable to others, he'd think quite rationally and demand that his accuser produce more evidence, since he has the information advantage about his own actions and could easily refute false charges.

Circular logic. You're saying someone would act this way in order to appear innocent. But, this is the way someone who is actually innocent, and angry at the accusation, would act. There is no one true way a human being, with actual emotions, responds to being accused, falsely or truthfully, of deceit.

Honestly, your explanation of why he sounds guilty to you reminds me of the paranoid ramblings of, well, paranoid people. Again, it's entirely possible the FBI (though this isn't their jurisdiction really) could be trying to subtly shape free software to their bidding, but this is a baseless, and pretty shaky, claim by someone that allegedly has a commercial incentive in stirring up this shitstorm. I think the accused has every right to be mad as hell about the accusation, especially if he did no such thing.

My logic isn't circular. The second part describes how someone who did nothing wrong typically acts. My point is that people are not very good liars and often fail to accurately act the part.

In any case, I have no clue whether he had anything to do with any backdoor, just trying to make the point that his response is not what I'd expect from someone who had nothing to do with it -- possible exceptions: If he's an unusually egotistical person or if he has significant financial interests which the perception that he was involved could disrupt.

"If he's an unusually egotistical person or if he has significant financial interests which the perception that he was involved could disrupt."

Or, if he is passionate about the software he is involved in building... which Open Source developers generally are. Reputation is the only currency that matters in the Open Source world, and someone has attempted to destroy this guy's reputation. (Or any number of other reasons why someone might be bothered by such an accusation. Your assertion that there are only two "possible exceptions" is just ridiculous. Speaking in such certainties about the human brain and human emotions is simply nonsensical.)

Frankly, I think you're talking out of your ass here, with very little understanding of the people you're talking about, or the psychology you seem to believe you know so much about. Do you have no exposure at all to the Open Source community? That's the only way I can imagine you would consider reputation to be something a normal person doesn't have every right to care about and defend from accusations.

Honestly, this developer responded far more politely than I would have in similar circumstances.

He also said, "I was not heavily involved in the code in question. Look at the commit logs."

If it is a lie, is it not slander/libel? That would be a really big deal. Tarnishing a dev's reputation and the OBSD project is not cool.

If you're the one being accused, you have to worry about the accusation coloring other people's judgement of you. Most people really aren't logical creatures. People tend to not remember the source or veracity of things they know. So even if you're innocent, others may automatically assume you're a jerk.

A socially engineered email to exploit the idea that sheeple do not think, just follow with the parrots. At the cost of the innocent.
