December 17th, 2010, 05:20 PM
Did the FBI hack OpenBSD?
OpenBSD lauds itself as one of the most secure OSes on the market. Now news
comes that a couple of ex-developers helped the FBI engineer some hacks to the
crypto code ten years ago. Allegedly the backdoor is or was in the OpenBSD IPsec
VPN stack. This is being revealed now by developer Theo de Raadt, who has come
out with this news now that his non-disclosure agreement has expired. The OpenBSD
project has implemented an audit of the cryptographic code.
“Everybody is ignorant, only on different subjects.” — Will Rogers
December 18th, 2010, 02:54 AM
Well, how that lot reads to me is that the FBI were spying on the DoJ?
Why? I thought they were supposed to be on the same side? Also, isn't the FBI answerable to the DoJ? If so, that would be spying on your bosses... "not a career enhancing activity" IMO.
December 18th, 2010, 01:50 PM
I'm calling Bullshit here. You can download the Source Code for this stuff, and look yourself, SOMEONE would have noticed. If this was a year earlier maybe, but 10? I'm pretty sure someone would have seen it. And if not, the people who contribute or even just WATCH that portion of the mailing list would have seen this.
Of course, not announcing it and someone finding the changes made to OpenBSD that aren't talked about would cause a WAY bigger splash.
December 18th, 2010, 02:50 PM
I'm calling Bullshit here. You can download the Source Code for this stuff, and look yourself, SOMEONE would have noticed.
Maybe and maybe not; it would depend on how subtle the sabotage was. If you mess with the underlying crypto logic then it may well not be, as so few people would understand it enough?
I am afraid I have a few more basic questions:
1. Is deliberately undermining the security of DoJ communications systems legal in the USA?
2. Given that the FBI is an organisation supposedly tasked with enforcing and upholding the law, how come someone didn't quietly blow the whistle to the DoJ? OK you may be able to keep the original development quiet, but what when it gets rolled out to the rank and file?
3. Who authorised it, who held the budget, and who checked the end product?
4. If you employ somebody to do something that is certainly covert if not even illegal, are you really going to tell them why you want it done and who the target is? Hell, they are on a need-to-know basis, and they don't need to know?
5. Who believes that you would demand a 10-year non-disclosure clause? 30 years perhaps, but not 10... the people involved are most likely still going to be alive and in employment.
6. Where's the evidence? There would have to be something documented, or your non-disclosure agreement goes out the window? After all, this is Pennsylvania Avenue, not Langley. Also this would have to involve more than one developer and I can't see them achieving this without communication and documentation. And please don't suggest that it was all destroyed... people cover their arses.
Still looks like BS to me too
December 18th, 2010, 04:21 PM
Yea, I know there isn't a 100% chance someone would have picked up on it, but I still stand by my comment that this is totally bullshit.
You brought up some more points that further make it seem like Theo is yet again talking out his ass (Which is fairly common from what I've seen of that bastard) and he seems like the type to me who'd do this for hype.
I don't know him personally, I admit, but every time I read anything about him, or something written by him, I can't help but think "Wow, seriously?" because he just seems like his ego gets in the way of what could be a GREAT OS.
I don't use OpenBSD, and it's not because I think it's crap or anything, I actually think any BSD is probably useful for something, since it's awesome. But I just can't stand someone who I once saw blasting one of the FreeBSD Security guys because they released a statement that "Someone from OpenBSD found a security flaw in such and such product, so we're releasing a fix" and so on, and that guy actually replied saying "Oh bullshit blah blah blah I'm an ******* Blah Blah Blah you don't know what you're talking about" and then the guy from FreeBSD copied and pasted the message from OpenBSD, and he just never replied.
He called someone out, was in the wrong, and then just didn't reply. And he was just totally harsh about it. I was like **** this guy makes ME look like a Sunshine on a cloudy day type thing.
It was nuts.
I also find it hard to believe the FBI OR the DOJ uses OpenBSD. I know the Govt uses BSD, in fact, they were one of the main funders of it back when it was a "Research project" or "toy" at the University of California, Berkeley.
And I also know they run a lot of BSD stuff in the govt, but, I have not ONCE heard of it being OpenBSD. Ever.
Of course, him saying that his AMAZINGLY short 10 year "Shut up" contract is up, is going to generate a LOT of buzz about OpenBSD, and in general, people are going to read this crap and think "Wow! Well if the govt and the DOJ and FBI all use OpenBSD then it MUST be good!"....
Get my drift? I think it's buzz. If he makes a statement that the FBI tried this with OpenBSD, for the DOJ, those are REALLY high profile "Clients" for ANY OS, and, well, it'll make it pretty popular pretty quick.
OpenBSD could be super popular if they weren't so damn anal about the whole "Open Drivers" bullshit too.
I Love BSD; I Love what Marshall Kirk McKusick, Bill Joy, Keith Bostic, and all of them did at Berkeley, I really do. I think it's amazing that they took something Ken and Dennis were doing and made it BETTER. But I don't like OpenBSD.
Trying to come off as the ONLY people who do full on code audits is stupid. SUSE Linux had been doing this for YEARS. They don't talk about it every day though. Saying "Well we go line by line through EVERY section of the Operating System, and do security audits, line by line, and fix things before others even know it exists".... Yea? So does SUSE, so does almost every other BSD.....
I just think personally, my feelings about that guy and his massive ego aside, that he's doing this for either press, or boredom. I don't know if any of you have seen this guy before, but he's REALLY proud of himself. Now, he should be proud of the fact that he's designed an OS that's cool, but, acting like he's the only one to ever do it, is a little ****ing obnoxious.
Anyway, that's my 2 cents and 20 dollars.
December 19th, 2010, 01:56 PM
I still stand by my comment that this is totally bullshit.
It looks the same to me, coming from a non-technical viewpoint.
They don't talk about it every day though. Saying "Well we go line by line through EVERY section of the Operating System, and do security audits, line by line, and fix things before others even know it exists"
Your last post raises yet another interesting question:
Nice one!!!! Either:
1. They are lying about it.
2. The people doing the audits are incompetent.
Whilst it might be possible for an inadvertent or accidental back door to pass this scrutiny, I do not see how a deliberate one could.
OK, I am certainly not an OS coder, but based on my applications experience I would have thought that deliberate backdoors would involve additional or at least unusual code? That should have been spotted?
I see your point about govt. usage of BSD. If your lot are anything like ours they may well use it, but it will be their custom version, not the one off the shelf?
I still can't see a motive, as I would read this as "FBI have backdoored OpenBSD" and avoid it like the plague? In fact, the very suggestion that the open source community would participate in such a thing, undermines the community as a whole.
It would tend to lead one to favour proprietary solutions, on the grounds that they rely on selling their products, and bad publicity hits them in the wallet?
It will be interesting to see how this one develops?
Which goes back to my question of why would they do such a thing. I haven't seen anything to suggest that OpenBSD is favoured by criminals or terrorists?
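The exchange above turns on whether a deliberate backdoor "would involve additional or at least unusual code" that a line-by-line audit should catch. The following is an added illustration, not code from this thread, from OpenBSD, or from the audit it mentions: a packet integrity check (the kind of thing an IPsec ESP receiver does with its ICV) in three forms. The key, the packet, the function names and the 12-byte minimum tag length are all constructed for the example; the only real-world fact it leans on is that truncated HMAC ICVs are normal in ESP, which is what makes a "compare only as many bytes as the peer sent" check look like a reasonable feature rather than sabotage.

```python
import hashlib
import hmac

# Constructed demo key and packet; nothing here is real IPsec or OpenBSD code.
KEY = b"constructed-demo-key"
PACKET = b"constructed ESP-like payload: src=10.0.0.1 dst=10.0.0.2 seq=1"
MIN_TAG_LEN = 12  # assumed minimum ICV length (96-bit truncated HMACs are common in ESP)


def compute_tag(key: bytes, payload: bytes) -> bytes:
    """Full-length HMAC-SHA256 over the payload (32 bytes)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_correct(key: bytes, payload: bytes, tag: bytes) -> bool:
    """Reference check: constant-time comparison against the full-length tag."""
    return hmac.compare_digest(compute_tag(key, payload), tag)


def verify_sabotaged(key: bytes, payload: bytes, tag: bytes) -> bool:
    """Reads like support for truncated ICVs (compare only as many bytes as
    the peer sent).  But an empty tag compares b"" against b"" and is
    accepted, and a one-byte tag is forgeable in at most 256 attempts.
    No extra lines, no unusual code: the whole defect is the missing
    lower bound on len(tag)."""
    n = len(tag)
    return hmac.compare_digest(compute_tag(key, payload)[:n], tag)


def verify_fixed(key: bytes, payload: bytes, tag: bytes) -> bool:
    """Truncation support done properly: enforce a minimum tag length first."""
    if len(tag) < MIN_TAG_LEN:
        return False
    return hmac.compare_digest(compute_tag(key, payload)[:len(tag)], tag)


def forge_attempts(verify, payload: bytes, tag_len: int = 1):
    """An attacker who does not know the key uses the receiver as an oracle
    and tries every tag of tag_len bytes.  Returns the number of attempts
    until a forgery is accepted, or None if every candidate was rejected."""
    for guess in range(256 ** tag_len):
        if verify(KEY, payload, guess.to_bytes(tag_len, "big")):
            return guess + 1
    return None


if __name__ == "__main__":
    good_tag = compute_tag(KEY, PACKET)
    for name, verify in (("correct", verify_correct),
                         ("sabotaged", verify_sabotaged),
                         ("fixed", verify_fixed)):
        print(f"{name:10s} genuine tag: {verify(KEY, PACKET, good_tag)}  "
              f"empty tag: {verify(KEY, PACKET, b'')}  "
              f"1-byte forgery attempts: {forge_attempts(verify, PACKET)}")
```

All three functions accept a genuine full-length tag, so a test suite that only exercises the happy path never distinguishes them; the difference only shows up when the receiver is handed a tag shorter than it should ever accept. That is the practical answer to both sides of the thread: the sabotaged variant is visible to anyone reading the source, but it is one slicing expression with a plausible-sounding rationale, not a block of "additional or unusual code", and a reviewer who is not asking "what is the smallest tag this accepts?" will read straight past it.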
December 20th, 2010, 01:55 AM
Hehehe, thanks for catching that, Nihil. I was wondering, like, "OK, SOMEONE other than me MUST have heard these guys go on and on about how they do these source code audits and look at EVERY line of code... How could they miss this?"... Lol.
December 20th, 2010, 02:36 AM
I am sure that lots of people have heard about it, as it is why OpenBSD is supposed to be more secure than other offerings, or so they would have us believe?
I guess a lot of people just haven't made the connection and seen the contradiction?
Basically if you are trying to build a "secure" system you don't put backdoors in it, because they make it fundamentally insecure, and sooner or later someone will find them?
How could they miss this?
I would say that would take some pretty far-fetched or imaginative conspiracy theory.
The reason that most conspiracy theories fail is because it is not plausible to expect everyone who would need to know about it to keep quiet about it.
In this case we are dealing with an open source community where there is little or no leverage over its members. That makes it even less likely?
December 20th, 2010, 03:19 AM
Yea, more or less, I called it bullshit from the first post I made, because it seemed fairly unlikely already, and now, with what you and I have posted, I REALLY doubt it.
As for OpenBSD being the "Most Secure OS on the Planet".... I think that's a crock too. Anyone, and I mean ANYONE, who has the proper Programming and/or Coding Ninja Skills needed, could take BSD, and basically put their own OS based on BSD together, and make it so that EVERY service, is by default, not only turned off, but crippled.
This is why I've always been biased towards FreeBSD, I mean, it's BSD, which is wonderful software, and on top of that, they actually care about making it something you can install.
Have you ever seen a DVD called "20 Years of Berkeley Unix"? It's an amazing thing to watch really. Basically, it's Marshall Kirk McKusick, who's one of the originals from Berkeley, who helped get BSD going.
Most people know of Bill Joy, and how he was at Berkeley doing a lot of things that became what BSD is now, and Kirk was one of the people working with him.
Bill also was one of the main people behind TCP/IP when DARPA wanted that done, and they fought for their version of it, because that company BBN or whatever, had won the contract to create what was going to become TCP/IP, and when Bill Joy saw the Code they had started, he didn't like it.
In fact, he took it, and made it better, and after 3rd party tests that DARPA had done, they realized that the one Berkeley did was far superior.
Anyway, Kirk was one of the original BSD people, and he was one of the main forces behind making it along with Bill Joy.
Kirk's Boyfriend / Partner is Eric Allman, the guy who made Sendmail. So yea, these are some really oldschool Hackers.
Anyway, the DVD is Kirk doing an amazing speech at a FreeBSD convention, and not only does he do this like, amazing Speech, which is VERY informative, but it's FUNNY!
He talks about the very beginning of Multi User systems, like the Manchester Project in England, and a lot of other things that have shaped what we use today.
He's awesome, and I would recommend really anyone, to give it a shot.
You can buy the DVD from the FreeBSD Mall, or you can just order it from Kirk's Website.
Anyway, BSD in general, can be made where everything is shut off. That's what OpenBSD seems to be from the point of view of someone like me who doesn't give a damn how out of the box looks, because I'll customize it anyway.
FreeBSD comes out of the box in a usable state. OpenBSD comes out of the box in a manner in which you have to enable EVERYTHING to use it, because they seem to think that turning everything off by default, is a great way to say there aren't many exploits in the default installation.....
This is bullshit to me too. I mean if I install Windows NT, and use a knife to cut the network cable, it's secure too, and it's a lot like what they seem to do.
On the DVD, Kirk talks about how FreeBSD has actually put effort into making their OS something you can actually install, where OpenBSD has this attitude that if you aren't smart enough to get it installed they don't want you as a user anyway.
That's stupid I think.
Now, I know a few people on AO use OpenBSD, and I am NOT saying it's just totally ****. It's not. It's still BSD. However, the attitude of Theo, is more than obnoxious, and on top of that, he isn't doing a THING that hasn't already been done.
If I won the Lotto or something and had a HUGE chunk of Cash I could use for anything I wanted, AFTER I finished buying ALL the rights to Unix from SCO, and giving them away, I'd also pay to have OpenBSD Certified.
I want to know what kind of rating it would get.
I like how Apple paid to have OS X certified Unix, and they got that from FreeBSD, yet somehow people can't call FreeBSD Unix lol.
I'd be very curious as to what rating OpenBSD would receive compared to other systems.
Also, I'd like to see what the Secure FreeBSD OS would get. Anyway, I'd Love to know the rating of OpenBSD. They go on and on and on about how it's the most secure OS out there, yet Trusted Solaris and TrustedBSD, don't talk about it? Lol.
December 20th, 2010, 07:57 PM
Da Rat isn't very involved here IMO... he got an e-mail from some scroat who worked on the project way back then (Greg Perry) and quite cleverly made it public... Christmas is not the appropriate time really, as I would say Easter... that's when Pontius Pilate washed his hands?
The potential problem is that this code is very much shared... certainly by FreeBSD.