1 May 2011
Date: Sat, 30 Apr 2011 11:45:55 -0400

16 April 2011
Date: Sat, 16 Apr 2011 12:01:34 -0600

16 April 2011
Date: Mon, 11 Apr 2011 23:06:24 -0700

21 December 2010. A sends:

Just to point out that one of the ex-developers involved in that period has posted some background info. You can contact Mickey yourself for more information:

__________

20 December 2010. Gregory Perry further responds with the truth about the FBI:
From: Gregory Perry <Gregory.Perry[at]GoVirtual.tv>

The issue of retribution has been ongoing for over a decade at this point; the FBI is a lawless and corrupt organization with little hope for rehabilitation. Maybe one day the Congress will issue a subpoena into their domestic ops and related skullduggery.

_________
From: John Young <jya[at]pipeline.com>

Thanks very much for responding. If you care to do so, we would like to hear of any retribution for disclosing the hole. Wikileaks we're not but quieter. Anonymous is our best source.
20 December 2010. Gregory Perry responds:
From: Gregory Perry <Gregory.Perry[at]GoVirtual.tv>

To put things into perspective, the salient points to consider are:

1) I sent a private letter to Theo Deraadt, urging him to perform a source code audit of the OpenBSD Project based upon the allegations contained within the original email you referenced;

2) Theo then sent, without my permission and against my wishes, the entire contents of that email with my contact particulars to a public listserver, which ignited this firestorm of controversy that I am now seemingly embroiled in;

3) If I had this to do over again, I would have sent an anonymous postcard to Wikileaks probably;

4) I have absolutely, positively nothing to gain from making those statements to Theo, and only did so to encourage a source code audit of the OpenBSD Project based upon the expiry of my NDA with the FBI; and,

5) Being in any limelight is not my bag at all.

I personally hired and managed Jason Wright as well as several other developers that were involved with the OpenBSD Project, I am intimately familiar with OpenBSD having used it for a variety of commercial products over the years, and I arranged the initial funding for the cryptographic hardware accelerated OCF and gigabit Ethernet drivers by way of a series of disbursements of equipment and development monies made available via NETSEC (as well as my own personal donations) to the OpenBSD Project.

Although I don't agree with what Theo did last week, I will say that he is a brilliant and very respected individual in the computer security community and he would have in no way agreed to intentionally weaken the security of his project. Theo is an iron-fisted fascist when it comes to secure systems architecture, design, and development, and there is no better person than him and his team to get to the bottom of any purported issues with the OpenBSD security controls and its various internal cryptographic frameworks.
Many, many commercial security products and real time embedded systems are derived from the OpenBSD Project, due to Theo's liberal BSD licensing approach contrasted with other Linux-based operating systems licensed under the GPL. Many, many commercial security products and embedded systems are directly and proximately affected by any lapse in security unintentional or otherwise by the OpenBSD Project. Almost every operating system on the planet uses the OpenSSH server suite, which Theo and his team created with almost zero remuneration from the many operating systems and commercial products that use it without credit to the OpenBSD Project. Given the many thousands of lines of code that the IPSEC stack, OCF, and OpenSSL libraries consist of, it will be several months before the dust settles and the true impact of any vulnerabilities can be accurately determined; it's only been about 96 hours since their source code audit commenced and your recent article points to at least two vulnerabilities discovered so far. I wish Theo and his team the best of success with their project and endeavors. Kind regards
Gregory Perry
GoVirtual® Education "VMware Training Products and Services" Subscribe to the GoVirtual® Newsletter
15 December 2010. A3 sends a link to a refutation of Perry's claims by Jason Wright, one accused by Perry:

http://marc.info/?l=openbsd-tech&m=129244045916861&w=2

15 December 2010. A sends a link to a report on Perry's affirmation of his claims and new ones as well:

http://blogs.csoonline.com/1296/an_fbi_backdoor_in_openbsd

15 December 2010. A1 and A2 send an account of denials by named participants and a fruitless effort to contact Perry:

http://www.itworld.com/open-source/130820/openbsdfbi-allegations-denied-named-participant

A pointer to any response from Perry would be appreciated. Send to: cryptome[at]earthlink.net.

15 December 2010. A sent the same URL. Cryptome response:

Thanks for the pointer. Strong stuff, naming names, very unusual, likely to lead to professional suicide. Smells like a hoax or a competitor smear. We wrote last night the alleged author of the allegations for confirmation but have not received an answer. This is not to doubt that the TLAs do this regularly but to admit complicity is exceptional, and if genuine, an admirable public service. If the attribution is a hoax or a smear we'd like to make that known. Have you seen his confirmation or denial anywhere? He may be in hiding or a sweat hole.

14 December 2010
FBI OpenBSD IPSEC Backdoors or a Hoax?

A sends: http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

List: openbsd-tech
Subject: Allegations regarding OpenBSD IPSEC
From: Theo de Raadt <deraadt () cvs ! openbsd ! org>
Date: 2010-12-14 22:24:39
Message-ID: 201012142224.oBEMOdWM031222 () cvs ! openbsd ! org

I have received a mail regarding the early development of the OpenBSD IPSEC stack. It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into our network stack, in particular the IPSEC stack. Around 2000-2001.

Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products. Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are.

The mail came in privately from a person I have not talked to for nearly 10 years. I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public so that (a) those who use the code can audit it for these problems, (b) those that are angry at the story can take other actions, (c) if it is not true, those who are being accused can defend themselves.

Of course I don't like it when my private mail is forwarded. However the "little ethic" of a private mail being forwarded is much smaller than the "big ethic" of government paying companies to pay open source developers (a member of a community-of-friends) to insert privacy-invading holes in software.
----

From: Gregory Perry <Gregory.Perry[at]GoVirtual.tv>
To: "deraadt[at]openbsd.org" <deraadt[at]openbsd.org>
Subject: OpenBSD Crypto Framework
Thread-Topic: OpenBSD Crypto Framework
Thread-Index: AcuZjuF6cT4gcSmqQv+Fo3/+2m80eg==
Date: Sat, 11 Dec 2010 23:55:25 +0000
Message-ID: <8D3222F9EB68474DA381831A120B1023019AC034[at]mbx021-e2-nj-5.exch021.domain.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Status: RO

Hello Theo,

Long time no talk. If you will recall, a while back I was the CTO at NETSEC and arranged funding and donations for the OpenBSD Crypto Framework. At that same time I also did some consulting for the FBI, for their GSA Technical Support Center, which was a cryptologic reverse engineering project aimed at backdooring and implementing key escrow mechanisms for smart card and other hardware-based computing technologies.

My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI.

Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC.

This is also probably the reason why you lost your DARPA funding, they more than likely caught wind of the fact that those backdoors were present and didn't want to create any derivative products based upon the same.
This is also why several inside FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments, for example Scott Lowe is a well respected author in virtualization circles who also happens to be on the FBI payroll, and who has also recently published several tutorials for the use of OpenBSD VMs in enterprise VMware vSphere deployments.

Merry Christmas...

Gregory Perry
Chief Executive Officer
GoVirtual Education
"VMware Training Products & Services"
540-645-6955 x111 (local)
866-354-7369 x111 (toll free)
540-931-9099 (mobile)
877-648-0555 (fax)
http://www.facebook.com/GregoryVPerry
http://www.facebook.com/GoVirtual