Announcement

Collapse
No announcement yet.

FBI bought back door into OpenBSD's IPSEC stack

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    FBI bought back door into OpenBSD's IPSEC stack

    What do you think? Could a back door in the IPSEC exist for 10 years without anyone seeing it?

    I have my doubts. IF it exists it has to be some of the most clever, obtuse code ever made. Sort of like StuxNet or the pipeline controller software the Russians stole back in the 80s. There aren't as many working on OpenBSD as there are on Linux, so maybe they don't have "1,000 eyes"...

    The EOUSA is
    Executive Office for United States Attorneys (EOUSA)
    , so the FBI was spying on the big boys at the executive off of the US Attorneys! This is going to cause a big stink!

    Also, if true, and they still exist, its time for OpenBSD users to reconsider their use of VMware.

    http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

    List: openbsd-tech
    Subject: Allegations regarding OpenBSD IPSEC
    From: Theo de Raadt <deraadt () cvs ! openbsd ! org>
    Date: 2010-12-14 22:24:39
    Message-ID: 201012142224.oBEMOdWM031222 () cvs ! openbsd ! org
    [Download message RAW]

    I have received a mail regarding the early development of the OpenBSD
    IPSEC stack.
    It is alleged that some ex-developers (and the company
    they worked for) accepted US government money to put backdoors into
    our network stack, in particular the IPSEC stack. Around 2000-2001.

    Since we had the first IPSEC stack available for free, large parts of
    the code are now found in many other projects/products. Over 10
    years, the IPSEC code has gone through many changes and fixes, so it
    is unclear what the true impact of these allegations are.

    The mail came in privately from a person I have not talked to for
    nearly 10 years. I refuse to become part of such a conspiracy, and
    will not be talking to Gregory Perry about this. Therefore I am
    making it public so that
    (a) those who use the code can audit it for these problems,
    (b) those that are angry at the story can take other actions,
    (c) if it is not true, those who are being accused can defend themselves.

    Of course I don't like it when my private mail is forwarded. However
    the "little ethic" of a private mail being forwarded is much smaller
    than the "big ethic" of government paying companies to pay open source
    developers (a member of a community-of-friends) to insert
    privacy-invading holes in software.

    ----

    From: Gregory Perry <Gregory.Perry@GoVirtual.tv>
    To: "deraadt@openbsd.org" <deraadt@openbsd.org>
    Subject: OpenBSD Crypto Framework
    Thread-Topic: OpenBSD Crypto Framework
    Thread-Index: AcuZjuF6cT4gcSmqQv+Fo3/+2m80eg==
    Date: Sat, 11 Dec 2010 23:55:25 +0000
    Message-ID: <8D3222F9EB68474DA381831A120B1023019AC034@mbx021-e2-nj-5.exch021.domain.local>
    Accept-Language: en-US
    Content-Language: en-US
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    MIME-Version: 1.0
    Status: RO

    Hello Theo,

    Long time no talk. If you will recall, a while back I was the CTO at
    NETSEC and arranged funding and donations for the OpenBSD Crypto
    Framework. At that same time I also did some consulting for the FBI,
    for their GSA Technical Support Center, which was a cryptologic
    reverse engineering project aimed at backdooring and implementing key
    escrow mechanisms for smart card and other hardware-based computing
    technologies.

    My NDA with the FBI has recently expired, and I wanted to make you
    aware of the fact that the FBI implemented a number of backdoors and
    side channel key leaking mechanisms into the OCF, for the express
    purpose of monitoring the site to site VPN encryption system
    implemented by EOUSA, the parent organization to the FBI.
    Jason
    Wright and several other developers were responsible for those
    backdoors, and you would be well advised to review any and all code
    commits by Wright as well as the other developers he worked with
    originating from NETSEC.

    This is also probably the reason why you lost your DARPA funding, they
    more than likely caught wind of the fact that those backdoors were
    present and didn't want to create any derivative products based upon
    the same.

    This is also why several inside FBI folks have been recently
    advocating the use of OpenBSD for VPN and firewalling implementations
    in virtualized environments,
    for example Scott Lowe is a well
    respected author in virtualization circles who also happens top be on
    the FBI payroll, and who has also recently published several tutorials
    for the use of OpenBSD VMs in enterprise VMware vSphere deployments.

    Merry Christmas...

    Gregory Perry
    Chief Executive Officer
    GoVirtual Education

    "VMware Training Products & Services"

    540-645-6955 x111 (local)
    866-354-7369 x111 (toll free)
    540-931-9099 (mobile)
    877-648-0555 (fax)

    http://www.facebook.com/GregoryVPerry
    http://www.facebook.com/GoVirtual
    PS. - The subsequent comments in the thread make for some interesting reading and history...
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.

    #2
    Re: FBI bought back door into OpenBSD's IPSEC stack

    Originally posted by GreyGeek
    What do you think? Could a back door in the IPSEC exist for 10 years without anyone seeing it?

    I have my doubts. IF it exists it has to be some of the most clever, obtuse code ever made. Sort of like StuxNet or the pipeline controller software the Russians stole back in the 80s. There aren't as many working on OpenBSD as there are on Linux, so maybe they don't have "1,000 eyes"...
    Yes it is possible, and highly probable. To be honest, it just makes the case that open source people auditing source really doesn't amount to much. It is another example of OSS not being as secure as it is sold as being. There is no telling what else there is in the code. By the way this post validates several of my earlier arguments.
    Don&#39;t blame me for being smarter than you, that&#39;s your parent&#39;s fault.

    Comment


      #3
      Re: FBI bought back door into OpenBSD's IPSEC stack

      http://www.itworld.com/open-source/1...ed-participant

      Apparently the only two KNOWN "Lowe"'s associated with IPsec have denied any involvement

      "I am not, nor have I ever been, on the FBI's payroll, nor do I use or advocate the use of OpenBSD either personally or in my writing," Lowe of Missouri replied.
      .

      Scott Lowe, VMWare-Cisco Solutions Principal at EMC responded via e-mail his denial:

      "Mr. Perry is mistaken. I am not, nor have I ever been, affiliated with or employed by the FBI or any other government agency. Likewise, I have not ever contributed a single line of code to OpenBSD; my advocacy is strictly due to appreciation of the project and nothing more," Lowe replied.
      So, why has Perry made the allegations, and are they even true? He hasn't responded to questions since he emailed Theo de Raadt with the accusations. Maybe one of the "Lowe"s is under an FBI NDA?

      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
      – John F. Kennedy, February 26, 1962.

      Comment


        #4
        Re: FBI bought back door into OpenBSD's IPSEC stack

        @zlow:

        Some people here like the company, others are here to help or be helped. There is a general feeling of concern for Linux and open source in general. However, I'm having a difficult time figuring out your particular connection. With all due respect, I'm sure you have your reasons for talking the way you do. Perhaps I'm not as smart as you, or we come from different backgrounds, but I can't figure it out. Perhaps it is obvious to others but I, for one, would like to know.

        Comment


          #5
          Re: FBI bought back door into OpenBSD's IPSEC stack

          Originally posted by Ole Juul
          @zlow:

          Some people here like the company, others are here to help or be helped. There is a general feeling of concern for Linux and open source in general. However, I'm having a difficult time figuring out your particular connection. With all due respect, I'm sure you have your reasons for talking the way you do. Perhaps I'm not as smart as you, or we come from different backgrounds, but I can't figure it out. Perhaps it is obvious to others but I, for one, would like to know.

          I have helped a few people since I have been here. It is a bad assumption to make to assume I do not care, I just think about things from a different perspective than others do.
          Don&#39;t blame me for being smarter than you, that&#39;s your parent&#39;s fault.

          Comment


            #6
            Re: FBI bought back door into OpenBSD's IPSEC stack

            Originally posted by GreyGeek
            http://www.itworld.com/open-source/1...ed-participant

            Apparently the only two KNOWN "Lowe"'s associated with IPsec have denied any involvement

            "I am not, nor have I ever been, on the FBI's payroll, nor do I use or advocate the use of OpenBSD either personally or in my writing," Lowe of Missouri replied.
            .


            Scott Lowe, VMWare-Cisco Solutions Principal at EMC responded via e-mail his denial:

            "Mr. Perry is mistaken. I am not, nor have I ever been, affiliated with or employed by the FBI or any other government agency. Likewise, I have not ever contributed a single line of code to OpenBSD; my advocacy is strictly due to appreciation of the project and nothing more," Lowe replied.
            So, why has Perry made the allegations, and are they even true? He hasn't responded to questions since he emailed Theo de Raadt with the accusations. Maybe one of the "Lowe"s is under an FBI NDA?

            Wait, someone denied working for the government? You don't say.
            Don&#39;t blame me for being smarter than you, that&#39;s your parent&#39;s fault.

            Comment


              #7
              Re: FBI bought back door into OpenBSD's IPSEC stack

              Ya, total shock, isn't it?
              "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
              – John F. Kennedy, February 26, 1962.

              Comment


                #8
                Re: FBI bought back door into OpenBSD's IPSEC stack

                Greg Perry has elaborated on the back door in IPSEC (if there is one) but in doing so seems, IMO, to incriminate himself:

                The project involved was the GSA Technical Support Center, a circa 1999 joint research and development project between the FBI and the NSA; the technologies we developed were Multi Level Security controls for case collaboration between the NSA and the FBI due to the Posse Commitatus Act, although in reality those controls were only there for show as the intended facility did in fact host both FBI and NSA in the same building.
                "We" = folks working for the GSA Technical Support Center

                He goes on to say:
                I was the lead architect for the site-to-site VPN project developed for Executive Office for United States Attorneys, which was a statically keyed VPN system used at 235+ US Attorney locations and which later proved to have been backdoored by the FBI so that they could recover (potentially) grand jury information from various US Attorney sites across the United States and abroad.
                So, Perry claims that Wright and Lowe worked for the FBI and put back doors into OpenBSD's IPSEC code, which Perry used while HE was building the VPN at the OUSA site. He goes on to state:
                The person I reported to at EOSUA was Zal Azmi, who was later appointed to Chief Information Officer of the FBI by George W. Bush, and who was chosen to lead portions of the EOUSA VPN project based upon his previous experience with the Marines (prior to that, Zal was a mujadeen for Usama bin Laden in their fight against the Soviets, he speaks fluent Farsi and worked on various incursions with the CIA as a linguist both pre and post 911, prior to his tenure at the FBI as CIO and head of the FBI’s Sentinel case management system with Lockheed).
                Wow! It gets deeper and deeper and deeper. I beginning to suspect that the claims about IPSEC in OpenBSD are merely to lead the reader to the other, more astounding claims. The FISA court he is referring to is a sordid piece of work greatly enhanced by Clinton Executive Order 12949 that completely destroyed the 4th Amendment:
                http://kubuntuforums.net/forums/inde...;num_replies=6
                Notice in that link who introduced the bill and who supported it. Before FISA, in 1967, the Supreme Court of the United States held that the requirements of the Fourth Amendment applied equally to electronic surveillance and to physical searches. But, it seems, the Supremes are a very fickle group. Add to FISA the PATRIOT and RICO acts and you understand why many believe that the Constitution is dead. I find it odd that some folks, while claiming to protect "freedom" actually destroy it, and cannot see the fruit of their work for what it is.

                http://en.wikipedia.org/wiki/United_...eillance_Court
                http://mediafilter.org/caq/Caq53.court.html

                "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                – John F. Kennedy, February 26, 1962.

                Comment

                Working...
                X