The OpenBSD IPsec-Stuxnet connection (extendedsubset.com)
88 points by riffraff on Jan 16, 2011 | hide | past | favorite | 22 comments


Come on, Marsh. How many people at INL have worked on SCADA security research? There's a lot of them.

Furthermore, your premise is incoherent. There hasn't been a backdoor identified in OpenBSD IPSEC. The "bugs" that have been found (scare-quotes because all of them had been fixed already) weren't usable as backdoors.

Were commits to IPSEC laundered via Canada? Yes. The reason? Because Theo believed that a US commit tainting the IPSEC source code could subject IPSEC to US export controls.

What's the "coincidence" you think you've found?


SCADA isn't exactly mainstream technology. It's used primarily in factories. Having worked in industrial automation areas for quite a while I'd estimate that the number of people doing security testing on Siemens PLCs is a very small community.


It is very much a mainstream software security research topic.


I'd estimate that the number of people doing security testing on Siemens PLCs is a very small community

Right, and how big was it in 2008? And how many of them do you suppose were also committing to OpenBSD's network stack in 2000-2001?


It was big in 2008, Marsh. We're not a SCADA specialty firm, and we ended up doing SCADA-related work in 2008, and in 2007, and in 2006. One of my BigCo enterprise clients hired a network security guy --- network security, not software --- from a pure-play SCADA software security consultancy.


That's interesting. I'm not sure exactly how critical the absolute size of SCADA security in 2006 is in the question of evaluating the magnitude of the coincidence. It almost seems like something @alexhutton could plug into one of his Bayesian models.


Yes, this is very much a "conspiracy coincidence" thing.

But I wouldn't have posted about it if I'd thought it was just crazy or just coincidence.

Pose the questions this way and it looks a little different:

How many people were fingered by name by Gregory Perry in the allegation of code tampering in 2000-2001? One: Jason Wright

How many people did significant work on the OpenBSD IPsec stack and crypto stack in 2000-2001: maybe half a dozen, including JW.

Seriously, how many people were pentesting SCADA security in 2006-2008?

What does OpenBSD network code maintenance have in common with the stated mission of INL in 2006? I.e., if you drew a circle which contained all the professionals with relevant experience to hire for the public cyber security projects of INL, what is the probability you'd pick JW at random? Probably somewhat low. Did he have unique qualifications that INL wanted?

It's an interesting enough coincidence to mention, that's all I'm saying.

FWIW, there are other things that I haven't mentioned because I didn't feel that they passed the test. Do some digging yourself and tell me if what you find makes things seem weirder or less weird over time.


Since Greg Perry worked at the same firm as Jason Wright, it's not particularly hard to see how he might opt to "finger" him.

Plenty of people were pentesting SCADA in 2006. Are you kidding? Robert Graham and David Maynor (!) gave a SCADA talk as ISS at Black Hat in 2006. Trust me, you haven't found much of a coincidence with the SCADA angle.


  This guy sure seems to have a talent for coincidences
With a limited number of people and places involved in a scene, such 'coincidences' are inevitable. It'd be more surprising if no such connection could be found. Any evidence is lacking.


"... meanwhile in calgary... wasting no time netsec was secretly funnelling "security fixes" through mr.t that he was committing "stealth" into openbsd tree. (this i only knew years later when i was telling mr.t over a beer about the funny people i met on a west-coast trip (see later)). "stealth" means that purpose of the diffs was not disclosed in the commit messages or the private openbsd development forums except with a few "trusted" developers. ..." ~ http://mickey.lucifier.net/b4ckd00r.html

What you say is understandable, but there appeared to be a lot of subterfuge going on.


I hope the author of this post thought pretty carefully about posting that.

There have already been a number of people associated with Stuxnet and/or the Iranian nuclear program who have gone missing/died from strange accidents/been assassinated. [1][2]

In simple terms, claiming someone possibly wrote Stuxnet puts their life in danger.

[1] http://www.theregister.co.uk/2010/12/06/iran_claims_stuxnet_...

[2] http://news.yahoo.com/s/ap/20101129/ap_on_re_mi_ea/iran_nucl...


"Associated with Stuxnet" and "associated with the Iranian nuclear program" are two extremely different things.


I hope the author of this post thought pretty carefully about posting that

Keep in mind, the NYT is publishing a four page Sunday article here and serving up the INL slideshow document with all these names in it.

I am simply pointing out the connection to the other weird scandal of the year, the OpenBSD thing. I doubt "and you backdoored our VPN too!" is going to be the thing to push the Iranians over the edge.


While probably somewhat true, I don't see how your links prove that being associated with Stuxnet development puts one's life at risk.

Both are talking about Iranian nuclear scientists being killed!


I love how he uses a recent example of US citizens being hassled at the border to imply that it happened well into the past (a time when the borders were a lot more open).


Yes, it's not a perfect comparison since he (along with many other OpenBSD devs from the time) wasn't a US citizen, but read the document from Mickey.


This blog entry was just an unnecessarily inflammatory excuse for "journalism". Why?!


Baloney! I never claimed it was "journalism", merely a blog post written at 2 AM pointing out an interesting connection I came across.


Content, please?


Elaborate.


Sure: you didn't say anything in your comment. You intimated that Marsh Ray was perpetrating a false and puffed-up attempt at (your scare-quotes) "journalism". You ought to have supported that argument with evidence.

For what it's worth: if you're following the story closely enough to have an educated opinion about it, the name "Marsh Ray" means something to you.


I'm sorry, I didn't know that I had to :) But, alright, for one, I think it serves no use other than bringing false attention to the topic when introducing the Stuxnet/SCADA angle in the discussion. There's no juicy coincidence of any kind to take note of. "Coincidence? I think not!".
