An FBI backdoor in OpenBSD?

Newsletters Dashboard RSS Solution Centers White Papers Webcasts Podcasts Video Events Magazine

Blogs

Data Protection Identity & Access Business Continuity Physical Security Security Leadership Basics Tools & Templates Security Jobs Blogs

Blog Topics Data Protection Identity Management Business Continuity Physical Security Leadership Career

An FBI backdoor in OpenBSD? RECENT COMMENTS

by Robert McMillan , Security Blanket May god help us if such an
1 week 5 days ago

Murder, mayhem, Orwellian

4 weeks 19 hours ago

Wed, 2010-12-15 09:06 Murder, mayhem, Orwellian

Topic(s): Data Protection 4 weeks 19 hours ago

You have to give Theo de Raadt credit: he's into openness. What other software product would take serious, what exactly are you suggesting?
but questionable allegations about an FBI-planted back door in its code and just go public with them? 4 weeks 6 days ago

That's what OpenBSD's de Raadt did Tuesday after a former government contractor named Gregory Perry Illegal
came forward and told him that the FBI had put a number of back doors in OpenBSD's IPsec stack, 5 weeks 20 hours ago

used by VPNs to do cryptographically secure communications over the Internet.

The allegations could make many people think twice about the security of OpenBSD, but the way de Raadt
handled the matter will probably have the opposite effect -- giving them another reason to trust the software.
RECENT POSTS » more posts
Here's what de Raadt said:
Patch Tuesday panic not necessary. Or is it?
I refuse to become part of such a conspiracy, and
will not be talking to Gregory Perry about this. Therefore I am Siberian exploit kit circumvents traditional
making it public so that security
(a) those who use the code can audit it for these problems,
(b) those that are angry at the story can take other actions, An FBI backdoor in OpenBSD?
(c) if it is not true, those who are being accused can defend themselves. Sixth Circuit Makes it Harder to Get Cloud E-
mail
I contacted Perry about his email, and while I couldn't get him on the telephone, he confirmed that his letter to
de Raadt was published without his consent. He gave a few more details on his involvement with the FBI Gawker fallout: Mel Brooks warned us
(which, by the way, has no immediate comment on this).

Hello Robert,
WEBCASTS
 

I did not really intend for Theo to cross post that message to the rest of the Internet, but I stand by my 60 Minutes: The Future of the Perimeter
original email message to him in those regards.

  Smart Techniques for Application Security

The OCF was a target for side channel key leaking mechanisms, as well as pf (the stateful inspection
packet filter), in addition to the gigabit Ethernet driver stack for the OpenBSD operating system; all of The Business Case for Data Protection
those projects NETSEC donated engineers and equipment for, including the first revision of the OCF
hardware acceleration framework based on the HiFN line of crypto accelerators.
Utility Mandate: Software Security for the Smart
  Grid

The project involved was the GSA Technical Support Center, a circa 1999 joint research and
development project between the FBI and the NSA; the technologies we developed were Multi Level CyberAttacks ... Are you protected or prepared to
Security controls for case collaboration between the NSA and the FBI due to the Posse Commitatus pay?
Act, although in reality those controls were only there for show as the intended facility did in fact host
both FBI and NSA in the same building. » View All Webcasts
 
WHITE PAPERS
We were tasked with proposing various methods used to reverse engineer smart card technologies,
including Piranha techniques for stripping organic materials from smart cards and other embedded
systems used for key material storage, so that the gates could be analyzed with Scanning Electron and The Business Case for a Next-Generation SIEM:
Scanning Tunneling Microscopy.  We also developed proposals for distributed brute force key cracking Delivering operational efficiency and lower costs
systems used for DES/3DES cryptanalysis, in addition to other methods for side channel leaking and through an integrated approach to network
covert backdoors in firmware-based systems.  Some of these projects were spun off into other sub security management
projects, JTAG analysis components etc.  I left NETSEC in 2000 to start another venture, I had some
fairly significant concerns with many aspects of these projects, and I was the lead architect for the site- IDC Technology Spotlight: Leveraging the Benefits
to-site VPN project developed for Executive Office for United States Attorneys, which was a statically of Cloud Computing with Specialized Security

http://blogs.csoonline.com/1296/an_fbi_backdoor_in_openbsd[12/15/2010 9:43:20 AM]

An FBI backdoor in OpenBSD?

keyed VPN system used at 235+ US Attorney locations and which later proved to have been
backdoored by the FBI so that they could recover (potentially) grand jury information from various US
Attorney sites across the United States and abroad.  The person I reported to at EOSUA was Zal Azmi, Strong Authentication for the Here and Now
who was later appointed to Chief Information Officer of the FBI by George W. Bush, and who was
chosen to lead portions of the EOUSA VPN project based upon his previous experience with the
Addressing the Grand Challenge of Cloud Security
Marines (prior to that, Zal was a mujadeen for Usama bin Laden in their fight against the Soviets, he
speaks fluent Farsi and worked on various incursions with the CIA as a linguist both pre and post 911,
prior to his tenure at the FBI as CIO and head of the FBI’s Sentinel case management system with Securing Virtualization In Real World
Lockheed).  After I left NETSEC, I ended up becoming the recipient of a FISA-sanctioned investigation, Environments
presumably so that I would not talk about those various projects; my NDA recently expired so I am free
to talk about whatever I wish.
Business Resilience: The Best Defense is a Good
  Offense
Here is one of the articles I was quoted in from the NY Times that touches on the encryption export
issue:
» View All White Papers

In reality, the Clinton administration was very quietly working behind the scenes to embed backdoors in CSO Corporate Partners
many areas of technology as a counter to their supposed relaxation of the Department of Commerce
encryption export regulations – and this was all pre-911 stuff as well, where the walls between the FBI
and DoD were very well established, at least in theory.

Some people have decided that Perry's claims are not credible, and at least one person named in his email
has come forward to say it's not true.   But at this point, it seems that nobody but Perry really knows what's
going on.

It's hard to really know what to say at this point. We're talking about backdoors that probably just look like
regular old bugs in code that was written 10 years ago.

» read more from Robert McMillan | post a comment

POST A COMMENT

Subject:

Username: Anonymous

E-mail:
The content of this field is kept private and will not be shown publicly.

Homepage:

Body: *

Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
Lines and paragraphs break automatically.

* Denotes a required field

Preview comment

WHITEPAPER WHITEPAPER

3 Strategies to Protect Endpoints Guide to Proactive Threat

from Risky Applications Protection

http://blogs.csoonline.com/1296/an_fbi_backdoor_in_openbsd[12/15/2010 9:43:20 AM]

An FBI backdoor in OpenBSD?

Learn three This IDC

strategies to Executive brief
effectively take examines the
control of narrowed focus
organizational endpoints and mitigate the rising and increased sophistication of cyber attacks
risk from these applications. and discusses the value of integrated threat
intelligence.
» View this Webcast
» Read More!

SPONSORED LINKS RESOURCE CENTER

Best practices in email security and security RSA Archer gives you one smart choice for security, buy a link »
software as a service. Read more >> risk & compliance
Download the Forrester Study to learn how 305 IT
decision makers are protecting their corporate
secrets

Home | About | Privacy Policy | Terms of Service | Subscription Service | Advertising | Events | Site Map

THE IDG NETWORK

CIO | Computerworld | CSO | DEMO | GamePro | Games.net | IDC | IDG | IDG Connect | IDG Knowledge Hub |
IDG TechNetwork | IDG Ventures | InfoWorld | ITwhitepapers | ITworld | JavaWorld | LinuxWorld | Macworld |
Network World | PC World

© 1994 - 2010 CXO Media Inc. a subsidiary of IDG Enterprise

http://blogs.csoonline.com/1296/an_fbi_backdoor_in_openbsd[12/15/2010 9:43:20 AM]