The fox in the henhouse, cyberspace edition

Again, before I get into discussing exactly what this email is about, I need to lay down the background on who’s who and what’s what. Otherwise, it’s easy to gloss over all of this and assume it doesn’t affect you, when in reality it potentially affects, or could come to affect, a large chunk of the users of the Internet.

In the beginning, there was the original Unix, AT&T Unix. The University of California at Berkeley made their own version of Unix based on AT&T’s code and called it BSD. There exist today several different operating systems that came from the original BSD code: FreeBSD, NetBSD, OpenBSD, DragonFly BSD, etc. Due to its liberal license, code from BSD was used in many places; instead of writing their own software for Internet connectivity (the TCP/IP stack, for those who know what that is), Microsoft adapted the one from BSD. Apple Mac OS X also uses software adapted from FreeBSD and NetBSD, both of which trace their lineage back to the original BSD. Many GNU/Linux distributions also use software which came from BSD. Put simply, it is likely that your computer has some software on it somewhere which originally came from BSD.

Of particular note among the BSD-derived operating systems is OpenBSD. The OpenBSD project was started by Theo de Raadt in 1995 as a fork of NetBSD, originally due to conflicts with the latter project’s leadership. The focus of OpenBSD became security, and today many consider it the most secure operating system on the planet.

OpenBSD has software built into it to implement IPsec, which appears to have been started in the latter half of 1997. Theo de Raadt recently received an email from Gregory Perry. Gregory was working with a company called NETSEC and helped arrange funding for the OpenBSD Crypto Framework, upon which the IPsec software is based. The email, which Theo forwarded to the tech@openbsd.org mailing list, contains a rather direct accusation that developers accepted money from the FBI to weaken the IPsec software in OpenBSD (specifically, to add “backdoors” to it intended for FBI use).

The full email is archived on marc.info, and also implies that this sabotage of the IPsec software in OpenBSD is the reason that the OpenBSD project lost its DARPA funding suddenly and unexpectedly. Now, back in 2003, sources such as ComputerWorld reported on Theo’s no-nonsense comments against the war on Iraq (such as the often-quoted “I try to convince myself that our grant means a half of a cruise missile doesn’t get built”) and it was suggested these were DARPA’s motivation.

First, Theo is to be commended for, as he states, “refus[ing] to become part of… a conspiracy.” It is not an easy decision for anyone, let alone someone of Theo’s stature, to decide to publish a private email. It involves a careful consideration of the consequences of violating a social norm for the greater good, and he acknowledges this:

Of course I don’t like it when my private mail is forwarded. However the “little ethic” of a private mail being forwarded is much smaller than the “big ethic” of government paying companies to pay open source developers (a member of a community-of-friends) to insert privacy-invading holes in software.

(I’ll get back to this decision Theo had to make in a bit.)

Gregory also deserves some recognition here, for blowing the whistle as soon as he was legally permitted to. This email serves as a prime example of the kind of damage a non-disclosure agreement (NDA) can do to the public good. I don’t think all NDAs are bad, and it’s way too easy to see why the FBI wouldn’t want the news of backdoors in OpenBSD’s IPsec software getting out. And, to be fair about it, I honestly think Gregory expected his email to become public; had he wanted this to truly remain a secret, he would have told no one. This almost certainly weighed into Theo’s decision as well.

This news has anywhere from annoying to disastrous consequences for users of OpenBSD’s IPsec software, and of products derived from it. The latter half of this is the most troubling, as Theo wrote in his email:

Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products. Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are.

However inconvenient it may be for law enforcement agencies such as the FBI, back doors in security software are still weaknesses. It is easy to forget sometimes that computers are pretty stupid; they do what humans tell them to do. Exactly what humans tell them to do. A computer cannot, by itself, tell the difference between honest, largely law-abiding citizens such as me and the vast majority of you out there reading, someone acting with criminal intent, someone representing the FBI or another law enforcement agency, or someone working with a group like al Qaeda or the Taliban. As an example, anyone who knows my password on any of my computers can type in the username (which is usually not intended to be kept secret; mine is normally “skquinn”) followed by that password (which is intended to be kept secret), and will be logged in as me. It does not matter to the computer one bit whether it really is me, a police officer who wound up with one of my computers somehow, legally or not (and whom, as a rule, I would not want just going through the stuff on my computer; I value my Fourth Amendment rights), or an al Qaeda operative who somehow has access to my computer. (Sidenote: Biometric devices such as fingerprint scanners can be fooled as well, and in fact are in some cases more dangerous than a password typed in via the keyboard, as once compromised, changing one’s fingerprints is impossible for all practical purposes.)

So it follows that the same “backdoors” the FBI put in will work for anyone who knows about them, regardless of their good or evil intent. Such “backdoors,” as well as unintentional security holes which stem from bugs (programming errors) in the software, get found without the help of the source code (a human-readable form of the computer’s instructions) all the time. It was and is incredibly naive and stupid of the FBI and like-minded law enforcement agencies to assume that these “backdoors” would never be found.

We may not know for several more years just how much damage has been done by developers bribed by the FBI. This is but one small example of why I tend not to trust law enforcement agencies. Shame on the FBI for weakening the security of computers worldwide, including those outside of US jurisdiction. I hope restitution is made that involves fixing the intentionally broken software made fraudulently by programmers on the take from the FBI. That, and a pledge never to violate our privacy and peace of mind in such a fashion again, would be the minimum needed for me personally to start trusting the FBI again. Sadly, I don’t see that coming.