The Altruist

The Altruist’s position presents him with opportunities not normally present. He shares the benefits, so that the lives of those whom he protects will be enriched.

Written by Adrian Goins on Dec 15, 2010 in Security

This email was published to the OpenBSD mailing list earlier today.  Although being reported elsewhere, it has not been vetted, and may very well be a joe job.  It needs to be discussed, and if true, the ramifications are staggering.  If the FBI paid open source developers to install backdoors into the OpenBSD crypto layer as far back as 2000 and 2001, then it's possible that those leaks have spread to all areas of cryptographic security through derivative products.

I have received a mail regarding the early development of the OpenBSD
IPSEC stack. It is alleged that some ex-developers (and the company
they worked for) accepted US government money to put backdoors into
our network stack, in particular the IPSEC stack. Around 2000-2001.

Since we had the first IPSEC stack available for free, large parts of
the code are now found in many other projects/products. Over 10
years, the IPSEC code has gone through many changes and fixes, so it
is unclear what the true impact of these allegations are.

The mail came in privately from a person I have not talked to for
nearly 10 years. I refuse to become part of such a conspiracy, and
will not be talking to Gregory Perry about this. Therefore I am
making it public so that
(a) those who use the code can audit it for these problems,
(b) those that are angry at the story can take other actions,
(c) if it is not true, those who are being accused can defend themselves.

Of course I don't like it when my private mail is forwarded. However
the "little ethic" of a private mail being forwarded is much smaller
than the "big ethic" of government paying companies to pay open source
developers (a member of a community-of-friends) to insert
privacy-invading holes in software.

----

From: Gregory Perry <Gregory.Perry@GoVirtual.tv>
To: "deraadt@openbsd.org" <deraadt@openbsd.org>
Subject: OpenBSD Crypto Framework
Thread-Topic: OpenBSD Crypto Framework
Thread-Index: AcuZjuF6cT4gcSmqQv+Fo3/+2m80eg==
Date: Sat, 11 Dec 2010 23:55:25 +0000
Message-ID: <8D3222F9EB68474DA381831A120B1023019AC034@mbx021-e2-nj-5.exch021.domain.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Status: RO

Hello Theo,

Long time no talk. If you will recall, a while back I was the CTO at
NETSEC and arranged funding and donations for the OpenBSD Crypto
Framework. At that same time I also did some consulting for the FBI,
for their GSA Technical Support Center, which was a cryptologic
reverse engineering project aimed at backdooring and implementing key
escrow mechanisms for smart card and other hardware-based computing
technologies.

My NDA with the FBI has recently expired, and I wanted to make you
aware of the fact that the FBI implemented a number of backdoors and
side channel key leaking mechanisms into the OCF, for the express
purpose of monitoring the site to site VPN encryption system
implemented by EOUSA, the parent organization to the FBI. Jason
Wright and several other developers were responsible for those
backdoors, and you would be well advised to review any and all code
commits by Wright as well as the other developers he worked with
originating from NETSEC.

This is also probably the reason why you lost your DARPA funding, they
more than likely caught wind of the fact that those backdoors were
present and didn't want to create any derivative products based upon
the same.

This is also why several inside FBI folks have been recently
advocating the use of OpenBSD for VPN and firewalling implementations
in virtualized environments, for example Scott Lowe is a well
respected author in virtualization circles who also happens top be on
the FBI payroll, and who has also recently published several tutorials
for the use of OpenBSD VMs in enterprise VMware vSphere deployments.

Merry Christmas...

Gregory Perry
Chief Executive Officer
GoVirtual Education

"VMware Training Products & Services"

540-645-6955 x111 (local)
866-354-7369 x111 (toll free)
540-931-9099 (mobile)
877-648-0555 (fax)

http://www.facebook.com/GregoryVPerry
http://www.facebook.com/GoVirtual

While everyone is thinking about how far a security compromise such as this may extend in the open source cryptographic software stack, there are other questions which one might ask, questions which actually lead back to the viability of the source:

  1. Why was the code not audited before being accepted by the maintainers?  Are the backdoors so slick and fancy that they look like normal software routines?
  2. Why has no subsequent code derived from the OpenBSD crypto layer been audited or otherwise revealed the backdoors in the 10 years since?

All of the places where these questions end are bad.  Either the source is lying (which isn't so bad) or people haven't paid attention, and the latter of these painfully highlights one of the great shortcomings of open source community programming in general.  If the community can be infiltrated by those with nefarious intent, then the community can't be trusted.  If the community can't be trusted, then it's not a community.

This software used to be on the Department of Defense export restrictions list.  It's not restricted anymore, which means that the trojaned code could be deployed in secure areas used by other countries.  VPNs are secure, right?  TrueCrypt?  IPSec?  SSL?  If you consider the cost of someone watching the traffic flowing through any of these supposedly-safe technologies, and add to that the known processing power of systems like Echelon, then you can imagine just what the FBI has been hanging out and reading for a decade.

Does this count as espionage?  If you're spying on your enemies, then you're doing good.  What about when you're spying on your friends, or worse, just spying on everyone?

What happened to the concept of privacy, or the right to be excluded from onerous law enforcement scrutiny until you've actually come under suspicion for doing something wrong?  Oh snap!  I forgot - we're all under suspicion by default now.

Written by Adrian Goins on Mar 10, 2010 in Security

Researchers at the University of Michigan have devised a clever way to crack secure RSA public key encryption used in SSL and other security media.  The implications are staggering.

Written by Adrian Goins on Jul 24, 2009 in Security

SSH is an important part of Internet communication for system administrators.  It does a good job of being secure out of the box, but left unattended, future changes in the system configuration might open unwanted access.  Read on for information on how to secure your SSH servers.

Written by Adrian Goins on Jun 2, 2009 in Security

The Register is running an article today about how ISPs in the UK are resistant to legislation which will require them to track all user activity and link web browsing to email, storing such data for delivery to the UK Government.  While on the one hand it sounds great that ISPs are resisting, the resistance appears to only be with regard to the costs associated for installing and maintaining such equipment, with no one screaming about what a gross violation of privacy this is.

"The networked databases - which officials want ISPs to process, so that an individual customer's email activity is linked to their web browsing history - would then be available to law enforcement and intelligence officers as required, without a warrant under part 1 of the Regulation of Investigatory Powers Act (RIPA)."

Without a warrant. Without any accusation or formal charge of wrongdoing.

Once upon a time, in a land far away known as The Free World, people were safe from the prying eyes of their elected leaders.  It seems that in our advanced, modern society, if they don't have any actual proof of you doing something wrong, they'll just sift through ALL of your Internet activity until they find something that they might be able to use.  Maybe they'll just sift through it for fun - there's no history or chance of abuse with other monitoring programs already in place.

It's time for people to stand up and say no.  No terrorist threat is so severe that a populace should lie down and allow their government to watch every waking instant of their lives.  No program which claims to help should do so by hurting those it is intended to protect.

Written by Adrian Goins on May 11, 2009 in Security

I read an article today that scared me.   In it Bruce Scheier reported that the US Law Enforcement community needs to have a search warrant to read the data on your personal computers (or a business's computers), but that if the data is stored elsewhere and you've already granted someone else (like Google) the right to hold that data, then they don't need a warrant.

Written by Adrian Goins on May 2, 2009 in Security

Facebook came under attack this week, with phishing scams going after users.  Users were directed to one of two domains which coerced them to log in with their Facebook account information.  This is phishing, plain and simple, the same sort of phishing that we've been seeing for years with banks, PayPal, Ebay, MySpace, and other places where personal information abounds.  It's no surprise that Facebook users are a target as well, and Facebook seems to have responded well, hiring San Francisco's MarkMonitor to address the issue.  As I'm reading about it, I'm surprised at the response that people have to the situation.

"I tell you what it did do for me -- it put Facebook in a different light for me than other social-network tools," Andy Cutler is quoted as saying. "I'm pretty active in Twitter and Facebook has been a way to keep up with people in my networks, but I have to say I was disappointed in Facebook that this can get through their security system."

Nothing "got through" Facebook's security system.  Users responded to a message appearing to be from a friend.  That message directed them to a non-facebook.com domain, where they logged in with their Facebook account information.  At that point their accounts were compromised, but it's not Facebook's fault.  It's the fault of the users.