Did the FBI Plant Backdoors in OpenBSD?
angelmb
Addicted to MacNN
Join Date: Oct 2001
Location: Automatic
Dec 15, 2010, 09:01 AM

A disturbing report has been made public regarding the possibility of backdoors in the IPsec stack of OpenBSD having been inserted by people working for the FBI. For now, there is one allegation of this, in an e-mail from Gregory Perry, who has worked as an FBI consultant, to Theo de Raadt, the founder of OpenBSD. He says:

My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI.

Another claim, made via Twitter, suggests that attempts were made to implement these backdoors but that they were not successful. An audit of the code is underway, and those working on the audit point out that the “Backdoor is NOT confirmed.”

Perry’s e-mail mentions Scott Lowe as being a booster for OpenBSD and “advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments.” However, Mr. Lowe, who works for EMC, denies any involvement in this affair, and points out that there is another Scott Lowe who writes about virtualization, and who may be the person that Perry meant.

IPsec, or Internet Protocol Security, is a protocol suite used for securing VPNs. IPsec stacks used in Mac OS X (Darwin, based on FreeBSD) were partly taken from this code, and there is a possibility that, if such backdoors are present, Mac OS X may be affected. In addition, parts of this code may be found in other security suites and frameworks on a variety of operating systems.

There is, as yet, no confirmation of this allegation. Nevertheless, it is being taken very seriously by the security community, and many people have launched audits and investigations of the code in question. It may take some time to confirm or refute this allegation.

We will be following up on this, and, naturally, if Mac OS X is affected, we will apprise our readers of this problem as soon as possible. There is no reason to not use a VPN on Mac OS X in the meantime; if such backdoors exist, they are likely only accessible by the FBI (or other US security agencies), and, unless you are worried about such agencies getting information that you are sending over a VPN, you are probably safe.

Source: Intego Blog
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Dec 15, 2010, 11:42 AM

"Who cares if the FBI has access to my encrypted transmissions? I have nothing to hide" is an EXTREMELY DANGEROUS statement to make, which is what the last sentence of the article implies. If this is true then it should be considered a security hole and be fixed.
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Dec 15, 2010, 11:51 AM

Well, it is a security hole, because as soon as someone other than the FBI figures out that this hole exists, it can be exploited by that person as well.
I don't suffer from insanity, I enjoy every minute of it.
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Dec 15, 2010, 01:25 PM

Originally Posted by OreoCookie:
Well, it is a security hole, because as soon as someone other than the FBI figures out that this hole exists, it can be exploited by that person as well.
Definitely. I just took exception to the line in the original article that said "if such backdoors exist, they are likely only accessible by the FBI (or other US security agencies), and, unless you are worried about such agencies getting information that you are sending over a VPN, you are probably safe."

Which is the wrong way to look at it.
     
jmiddel
Grizzled Veteran
Join Date: Dec 2001
Location: Land of Enchantment
Dec 15, 2010, 10:17 PM

US Constitution 4th Amendment: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

If the FBI have a warrant, hey, they can simply come to our front door and seize our computers. Any sneaking in through backdoors is illegal. IMHO
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Dec 16, 2010, 07:35 AM

Does this "backdoor" actually exist, or is this simply a claim? What a great way to spread FUD: claim to have worked for the FBI and that you've done something that exposes traffic to being read by third parties. I don't buy it.

Working for a federal law enforcement agency would not require a "non-disclosure agreement." At this level, it would require a security clearance, and when one stops working on classified material they are STILL bound by the FEDERAL LAW that prohibits disclosing classified information.

I don't buy it. I don't think this is actually an issue, except that it's scaring people.

Glenn -----OTR/L, MOT, Tx
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Dec 16, 2010, 09:28 AM

Well, security audits of the code are underway to try and find this "backdoor," if it in fact exists.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Dec 16, 2010, 10:35 PM

Originally Posted by Person Man:
Well, security audits of the code are underway to try and find this "backdoor," if it in fact exists.
If there is some backdoor, it would show up in the source code. Since OpenBSD is so open, much is contributed by an enormous number of coders. On the other hand, if they do even the simplest of tracking of who contributed what code, that coder will be identified. Undercover FBI plant? Sneaky black hat with connections? Something else? Whatever is found, it will help illuminate this issue. My money is on "no backdoor at all."

Glenn -----OTR/L, MOT, Tx
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Dec 16, 2010, 11:15 PM

Originally Posted by ghporter:
On the other hand, if they do even the simplest of tracking of who contributed what code, that coder will be identified. Undercover FBI plant? Sneaky black hat with connections?
Someone pretending to be someone else on the Internet?
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Dec 17, 2010, 07:40 AM

Originally Posted by subego:
Someone pretending to be someone else on the Internet?
Would a large, organized development effort for any sort of practical software actually allow "just anyone" online to submit unvetted code and actually incorporate it into their product? Really, I don't see the BSD organization being that trusting. I know it's Berkeley, but I still do not see that it's possible to get code with malicious qualities (or even simply hidden qualities) past any real review process. OpenBSD didn't get to be a hugely adopted OS by being slipshod or poorly organized in its code.

Glenn -----OTR/L, MOT, Tx
     
flmiller
Fresh-Faced Recruit
Join Date: Mar 2010
Location: Somewhere in Time
Dec 17, 2010, 01:36 PM

MacOS is based on FreeBSD and NetBSD, not OpenBSD, I believe. Might this make a difference?

Frank
     
Rainy Day
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Dec 18, 2010, 01:45 AM

Originally Posted by flmiller:
MacOS is based on FreeBSD and NetBSD, not OpenBSD, I believe. Might this make a difference?
Yes, it might, as OpenBSD was forked from NetBSD in 1995. However Mac OS X does use certain elements from OpenBSD, such as OpenSSH. There’s a certain degree of cross-pollination among the BSDs in general, and even with Linux.

That said, for IPsec, I believe Mac OS X, NetBSD & FreeBSD all use the KAME stack, whereas OpenBSD uses home-grown code. So regarding this particular allegation, it wouldn’t impact Mac OS X directly. Of course if the FBI did try to infiltrate the OpenBSD project, wouldn’t they likely try to affect the KAME codebase as well?

"Just because you’re paranoid, it doesn’t mean they aren’t out to get you!"
     
DougJ
Fresh-Faced Recruit
Join Date: Sep 2007
Dec 18, 2010, 08:02 PM

I would think such a backdoor in an open source project would have been noticed and removed long ago, so I do question this. Still, the source code should be reviewed.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Dec 19, 2010, 12:26 AM

Originally Posted by DougJ:
I would think such a backdoor in an open source project would have been noticed and removed long ago, so I do question this. Still, the source code should be reviewed.
Yeah. Open source projects typically have a few people dedicated to vetting the code that's submitted simply to ensure that it's all above board. And there are also people who ensure that there aren't compiler hiccups in any of the code as well. A security-oriented part of such a project should also have plenty of extra "let's see if they built it strong enough" testing.

A review of the source code of ANY project is a very good thing, even/especially after it's been out on the street for quite a while.

Glenn -----OTR/L, MOT, Tx
     
JBracy
Fresh-Faced Recruit
Join Date: Aug 2000
Location: Clifton, VA
Dec 20, 2010, 11:52 AM

Originally Posted by angelmb:
A disturbing report has been made public regarding the possibility of backdoors in the IPsec stack of OpenBSD having been inserted by people working for the FBI. For now, there is one allegation of this, in an e-mail from Gregory Perry, who has worked as an FBI consultant, to Theo de Raadt, the founder of OpenBSD. He says:

My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI.
...
I hate to say it, but contractors working for the FBI don't sign an NDA; they are given a Top Secret security clearance. The NDA associated with a security clearance does not expire - EVER. If the information that they have is classified then they are bound by their NDA until the information is declassified, not when their clearance expires. This sounds completely bogus to me.
     
kamina
Dedicated MacNNer
Join Date: Jun 2006
Dec 23, 2010, 05:43 PM

Originally Posted by DougJ:
I would think such a backdoor in an open source project would have been noticed and removed long ago, so I do question this. Still, the source code should be reviewed.
Cryptography can get quite complicated, and the backdoor would not have to be very obvious. The backdoor does not have to be obvious; it could just be a number with a slightly wrong value that can be caused to fail if you know how. It could be so subtle that finding it would be extremely hard.

Then again, I think the info supplied was not sufficient. Nothing at all from what was claimed has been proven true yet (as far as I know). IF the FBI really do make 10 year NDAs (instead of life) I think the person could show some related document; he would surely have kept it...

This would really be the perfect way to try to disrupt some old software project. It could be that OpenBSD can never surely say there is no problem if they just can't find one, and users might never fully trust the rest of the code either if one is found.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Dec 23, 2010, 08:14 PM

Originally Posted by kamina:
Cryptography can get quite complicated, and the backdoor would not have to be very obvious. The backdoor does not have to be obvious; it could just be a number with a slightly wrong value that can be caused to fail if you know how. It could be so subtle that finding it would be extremely hard.

Then again, I think the info supplied was not sufficient. Nothing at all from what was claimed has been proven true yet (as far as I know). IF the FBI really do make 10 year NDAs (instead of life) I think the person could show some related document; he would surely have kept it...

This would really be the perfect way to try to disrupt some old software project. It could be that OpenBSD can never surely say there is no problem if they just can't find one, and users might never fully trust the rest of the code either if one is found.
As I said earlier, if you're doing work for the FBI that is at all sensitive, it's not covered by an NDA, it's CLASSIFIED. That is the biggest sign that this is more hoax than anything else. Further, while cryptography can indeed be arcane and convoluted in code, that's what the people organizing this code would be looking at, with an expert's eye.

Glenn -----OTR/L, MOT, Tx
     