Hacker News new | past | comments | ask | show | jobs | submit login
A Chapter from the FBI's History with OpenBSD and an OpenSSH Vuln (twitter.com/rooneymcnibnug)
127 points by signa11 on July 21, 2019 | hide | past | favorite | 23 comments

The link in the tweet is worth a read[1].

>My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI. Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC.


Nitpicking here, but the parent agency of the FBI is the Department of Justice. The EOUSA is the Executive Office of United States Attorneys, and is basically the back office support for the 93 US Attorney offices. It's parent organization is also the Department of Justice.

Basically, he is saying the DOJ planted a back door so that it could spy on its own internal network.

I was confused by this and it’s the first time I’ve heard of EOUSA.

What’s the real story here?

Factions in government are sometimes caught spying on gov organizations that have oversight/control athority over them. That was the real scandal of Edward Snowden's bombshell (that was quickly covered up).

That makes sense. There really is no reason the FBI would ever need backdoor access to EOUSA, let alone compromise open source VPN software in order to get it. There are much easier ways for them to get what they want.

> This is also probably the reason why you lost your DARPA funding

I remember this causing a huge stink at the time, with various petty reasons as the alleged cause (like Theo's less-than-friendly communication style).

The quote from Theo being

> I actually am fairly uncomfortable about it, even if our firm stipulation was that they cannot tell us what to do. We are simply doing what we do anyways — securing software — and they have no say in the matter. I try to convince myself that our grant means a half of a cruise missile doesn't get built.

I don't have a date at hand but it was around the time of the war in Iraq.

A while after the quote was made (IIRC in a newspaper) the DARPA funding was cut.

That’s almost 10 years ago. Was the backdoor ever found?


I am not sure id the implications.

a, there is nothing there to be found

b, being opensource is not enough to find security related bugs and backdoors

c, ?

Several people have looked into the issue over the years but so far no traces of malicious intent have been found.

FBI NDAs never expire...

‘one former FBI computer security agent has confirmed parts of Perry’s story. .. "I was one of the few FBI cyber agents when the coding supposedly happened. Experiment yes. Success No,"’ E J Hilbert FBI


There’s nothing that suggests that those experiments had anything to do with OpenBSD.

So, nothing about the 2010 claims, but something maybe, not sure what, back in 2002? Only two remote holes in a heck of a long time!

Indeed, IPsec isn't mentioned. (You can use WireGuard on OpenBSD nowadays.)

If you remember the OpenSSH Challenge Response vulnerability was found by ISS in 2002. OpenBSD's advisory can be found here [1]

This was the first remote vulnerability found in OpenBSD's default installation (which they used to advertise with). Back then, it was very normal to have all kind of bloated daemons enabled by default and vulnerabilities were found in C code and were easily exploited (no ASLR, on x86-32 for example).

Of particular interest is "section 6. Release Process" because it has details about how the OpenBSD team dealt with the situation at that time. Also, the patches are from 26 june 2002.

Now, if you look at [2] (source of FOIA documents), you can notice the date is 14 august 2002. This indicates the FBI's document is made after the vulnerability was known to the public.

What are the indications that the FBI knew about this beforehand? Is that the part listed on the bottom where they say contact X has administrative control over the internet host cvs.openbsd.org and Y has administrative control over the internet host ftp.openbsd.org? We don't know who these people were, who they worked for.

I remember there being some kind of feud between OpenBSD team and Grsecurity/PaX team (Brad Spengler aka Spender and a Hungarian I suppose by the nickname pipops). I always wondered about the relation of these, and the blackhat community. Who were these people with the gobble gobble memes, and the "Theo why is syslog running on port 514 I want to see SSH and nothing else"?

[1] https://www.openssh.com/txt/preauth.adv

[2] https://cdn.muckrock.com/foia_files/2019/07/19/Ecd74aeb090e0...

I remember ftp.openbsd.org being owned around 2002. Possibly this hostname was pointed to the www.openbsd.org machine, which was running Solaris. I have a vague memory that this machine also hosted something else in addition to the OpenBSD site, and that people managed to get root on it via two (chained) 0day exploits of which at least one involved a Solaris daemon related to printing services. (Feel free to correct me if I got it wrong.)

I also recall cvs.openbsd.org being owned but I no longer remember how that happened. There's a high chance it was made possible thanks to a remote CVS exploit that was making rounds in some hacker circles[1]. FWIW, cvs.openbsd.org is mentioned under "memorable places I've been" in the Phrack #65 prophile of the UNIX terrorist.

2002 was a particular bad year for OpenSSH and OpenBSD. In March, 2002, it was found that OpenSSH 2.x/3.0.1/3.0.2 had an exploitable (post-auth IIRC) integer overflow in its channels handling. In June, 2002 that preauth Challenge-Response vulnerability was made public and shortly afterwards GOBBLES Security made public an exploit (sshutuptheo) for the vulnerability that among other things targeted OpenBSD 3.1 default installations. Early August, 2002 it was discovered that several OpenSSH packages had been backdoored on ftp.openbsd.org on June 30th, 2002 (google: "openssh 3.4p1 trojan").

Incidently the sshutuptheo exploit was written by the Australia division of GOBBLES Security. Later postings on public mailing lists suggests that this division fell off the earth shortly afterwards (can't link).

Some of these things had ties to the community around #phrack and the autonomous Phrack High Council "movement". PHC had nothing to do with the official Phrack magazine and instead was similar (in actions) to the Global Hell (gH) movement that happened earlier (around 2000, I think). PHC kind of spun out of the anti-sec movement that existed at the time, but really it was just a setup to trick kids into thinking they have a common purpose and do damage for the lulz; think early "anonymous" or lulzsec and you'll get the idea.

I know FBI had at least one informant in the #phrack and PHC circles at the time: soupnazi a.k.a segvec a.k.a [2]. So perhaps those contacts mentioned in a child post aren't OpenBSD developers but.. other people?

The nickname of the Hungarian wasn't pipops but I'll leave it out since you got the reference right the first time: "PaX Team" ;) Regarding the feud, you can find some pointers in this poster defacement[3] attributed to the Micke Mouse Hacking Squadron. The picture is from the OpenBSD tent at the Chaos Communication Camp in Berlin, Germany in August of 2003. MMHS was one of several GOBBLES Security copycats. They generally lacked the effort but MMHS was the only one that, like GOBBLES, produced a few (arguably funny) comic strips.

Grsecurity/PaX team did a hell of a job identifying vulnerabilities and working around them or hardening code long before anyone else. It's not surprising that they would've mingled with others interested in that sort of things, possibly sharing hints of vulnerable code paths or having discussions around the vulnerabilities and/or workarounds.

[1] https://news.ycombinator.com/item?id=18179805

[2] https://en.wikipedia.org/wiki/Albert_Gonzalez

[3] https://web.archive.org/web/20060512113602/http://www.grsecu...

Probably Contact X is Theo, and Contact Y is Bob Beck. Or vice versa. There's no reason to think otherwise, unless of course we're going to revisit conspiracy theories like the bullshit claims about NSA backdoors from 2010. But OpenBSD has always been a magnet for trolls.

Isn’t it in the government’s best interests to have a non-adversarial relationship with a community?

The government does have plenty of tools for writing correct code. OpenSSH was written with available tools, if available tools to write correct code weren’t used, there’d be very little burden for anyone to make an accusation.

>Currently, most Commercial Off-the-Shelf (COTS) software contains about one to five bugs per thousand lines of code.

>DARPA created the Crowd Sourced Formal Verification (CSFV) program to overcome these challenges.

(The above was a project that led to formal verifications that wasn’t open sourced)

The government is not a monolithic entity, but a nexus of competing agendas, and not only does the right hand not know what the left hand is doing, but they may well be working at cross-purposes. This is true of any organization beyond a few dozen people.

Yes, inaction is only evidence of nonfeasance when a person fails to perform an action aligned with their duties or stated interests. The government does have competing duties and stated interests, so there is no evidence of nonfeasance or malfeasance on the part of OpenBSD or on the part of the government in this case.

OpenBSD is based in Canada. It ships with cryptography. It does not accept contributions to its cryptography code from Americans, specifically because of the ridiculous cryptography export ban the U.S. had in place in the 90s.


Of course, if that sort of thing is what you're looking for, there's always SELinux.


Applications are open for YC Summer 2021

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact