OpenBSD IPSec backdoor allegations: triple $100 bounty

In case you hadn’t heard: Gregory Perry alleges that the FBI paid OpenBSD contributors to insert backdoors into OpenBSD’s IPSec stack, with his (Perry’s) knowledge and collaboration.

If that were true, it would also be a concern for FreeBSD, since some of our IPSec code comes from OpenBSD.

I’m having a hard time swallowing this story, though. In fact, I think it’s preposterous. Rather than go into further detail, I’ll refer you to Jason Dixon’s summary, which links to other opinions, and add only one additional objection: if this were true, there would be no “recently expired NDA”; it would be a matter of national security.

I’ll put my money where my mouth is, and post a triple bounty:

  1. I pledge USD 100 to the first person to present convincing evidence showing:
    • that the OpenBSD Crypto Framework contains vulnerabilities which can be exploited by an eavesdropper to recover plaintext from an IPSec stream,
    • that these vulnerabilities can be traced directly to code submitted by Jason Wright and / or other developers linked to Perry, and
    • that the nature of these vulnerabilities is such that there is reason to suspect, independently of Perry’s allegations, that they were inserted intentionally—for instance, if the surrounding code is unnecessarily awkward or obfuscated and the obvious and straightforward alternative would either not be vulnerable or be immediately recognizable as vulnerable.
  2. I pledge an additional USD 100 to the first person to present convincing evidence showing that the same vulnerability exists in FreeBSD.
  3. Finally, I pledge USD 100 to the first person to present convincing evidence showing that a government agency successfully planted a backdoor in a security-critical portion of the Linux kernel.

Additional conditions:

  • In all three cases, the vulnerability must still be present and exploitable when the evidence is assembled and presented to the affected parties. Allowances will be made for the responsible disclosure process.
  • Exploitability must be demonstrated, not theorized.
  • I will not evaluate the evidence myself, but rely on the consensus of the OpenBSD, FreeBSD, Linux and / or infosec communities.
  • Primacy will be determined in a similar manner.
  • The evidence must be presented, and the bounty claimed, no later than 2012-12-31 23:59:59 UTC—a little more than two years from today.
  • The bounty will, at the claimant’s discretion, either be transferred to the claimant by PayPal—no cash, checks, direct deposits or wire transfers—or donated directly to a non-profit of his or her choice.

[2010-12-16 fixed link]

92 thoughts on “OpenBSD IPSec backdoor allegations: triple $100 bounty”

  1. I’d say Perry got what he wanted, free advertising for his company. He also got OpenBSD some free advertising and managed to get some publicity for the fact that the code base originated with OpenBSD. If you want a real conspiracy ;-) let’s discuss the possibility that the same code base made it into Micro$oft’s overpriced products.

  2. The pfSense team will match DES’s offer for 100$ * 3 if the conditions are met that DES outlined.

    We also agree that the situation is a bit preposterous.

  3. The unfortunate thing is that every bug from now on will be clouded in, “Ahhhh hA! It’s the back door!!!! It’s the back door!!!”

  4. Theo isn’t stupid. What does he gain by exposing this? This is a pretty big hornet’s nest to kick for a little free advertising.

  5. @mike: To make this even funnier, if there’s a real backdoor, it will never be found, since it probably would be inside of some expensive crypto accelerator’s firmware.

  6. It might just be me, but a few hundred bucks just doesn’t seem like enough to warrant potentially receiving a visit from the men in black… :)

  7. “That’s what Julian Assange too thought…”

    ooops: Aren’t you getting into some conspiracy theory here? He’s now wanted by Sweden (one of the least corrupt, most lawful countries in the world) on suspicion of a common crime.

  8. I find it funny how there’s a heavy nerd contingent that is pro-DoD, pro-DARPA, pro-Defense establishment, pro-alphabet soup agencies, and will rebuke any and all allegations of wrongdoing as being ‘conspiracy theories’.

    It’s such a lazy cop-out. Just admit you want a nice job at those same agencies and this is your way of being an opportunist and a social climber.

    BTW, your $100 bounty offer – no serious auditor in the world is going to even take the effort to as much as ‘sneeze’ at the code for that pitiful amount of money.

    You must not be serious really…

    I really have to wonder how smart some nerds really think they are. You certainly think you are, yet you’re horribly dumb in most areas that require knowledge – and that’s just where it REALLY matters.

    Newsflash – just like you have design patterns in software engineers, so politicians and oligarchs have ‘design patterns’ on how to control massive amounts of crowds. You – the nerd counterculture – are part of an easily conquered crowd – you’re not smart for knowing something about coding – you’re easily understood by these same oligarchs.

  9. [quote]He’s now wanted by Sweden (one of the least corrupt, most lawful countries in the world)
    [/quote]

    Not sure if serious… go tell that to millions of prisoners who were experimented on without their consent.

    Oh sorry, you don’t know anything about that. Brb at allegations of that being a ‘conspiracy theory’ as well.

    So in essence – the usage of the term ‘conspiracy theory’ is an ad-hominem strawman argument to be used when you want to cover up the fact that you’re terribly uninformed or illiterate about the given subject?

  10. My intention was not to compensate or reward anyone for the undoubtedly huge amount of work required to uncover such a vulnerability. My intention was to underline how confident I am by putting money on the line—enough to smart, but not to hurt, because I’m a wimp—because I do not expect anyone to succeed.

    However, with all the people who have now pledged to match my bounty, it’s beginning to look like serious money for, say, a skilled second-world CS student—and believe me, there are plenty of those to go around.

  11. Calling your hypothesis a conspiracy theory is neither a strawman nor an ad hominem fallacy—it’s a characterization of your hypothesis.

    Calling people who disagree with you a “nerd counterculture” who is “uninformed and illiterate” (do you even know what illiterate means?), on the other hand, is an ad hominem attack.

    We might be more inclined to take you seriously if you provided evidence of the millions of prisoners whom you claim were experimented on in Swedish prisons.

  12. [quote]We might be more inclined to take you seriously if you provided evidence of the millions of prisoners whom you claim were experimented on in Swedish prisons.[/quote]

    If I did that, you would have another strawman to fall back on – namely, that I verge off-topic.

    [quote]
    Calling people who disagree with you a “nerd counterculture” who is “uninformed and illiterate” (do you even know what illiterate means?), on the other hand, is an ad hominem attack.
    [/quote]

    I probably know better what ‘illiteracy’ means than some guy in Norway to be sure. The things you’re illiterate about concern the following:

    1 – History
    2 – Human nature
    3 – Class consciousness
    4 – Philosophy

    Your entire grasp of philosophy can be best described as mutilated Marxism – that is what most open-source zealots really amount to.

    [quote]
    We might be more inclined to take you seriously if you provided evidence of the millions of prisoners whom you claim were experimented on in Swedish prisons.
    [/quote]

    This would be as ridiculous as having to prove to you that Hitler killed Jews. Seriously – the information is out there – the burden of proof is not on me to provide you with Cliff notes on documented facts that you’re ignorant about.

    Have a nice day otherwise – I hope some serious auditor will respond to that $100 bounty of yours.

    BTW – being an OpenBSD committer yourself – would it be remiss of me to assume there’s some bias involved here, and it might be possible you’re acting a bit butthurt over the news?

  13. Oh sorry – just saw that you’re a FreeBSD committer. Anyway, the spiel is basically the same – you think your holy sacred cow (open-source) just got desecrated, and you’re butthurt all the same.

    See how easy it is to decipher nerds and their basic primal motivations?

  14. I promise you that if you provide evidence showing that millions of prisoners have been experimented on in Swedish prisons, I will take you seriously. I will not complain about going off topic, because this is a blog, not a mailing list; there is no such thing as “off topic”.

    I am even willing to post a USD 1000—one thousand United States Dollars—bounty for credible evidence supporting your claim. That’s how confident I am that you won’t find any. Before you start looking, I should inform you that the total population of Sweden is slightly less than nine million, and its prison population is less than a thousandth of that, according to the 2007 World Prison Population List published by the International Centre for Prison Studies at King’s College London.

    Sweden is also one of the least corrupt countries in the world, according to Transparency International’s 2010 Corruption Perceptions Report. Sweden was also the first country in the world to legislate freedom of the press, in 1776. The Swedish Freedom of the Press Act, which is now part of the constitution of Sweden, embodies what is known as the Principle of Public Access and is considered one of the strongest freedom-of-information laws in the world.

    You see, we are neither illiterate nor uninformed, we’re just skeptical of undocumented claims. This is why unlike you, and unlike Gregory Perry, I have taken the trouble to find reliable sources which support my argument, and to provide references to those sources so you can check them yourself. Judging by your behavior so far, though, I suspect that you will either evade the issue or accuse the King’s College London and Transparency International of collusion with the establishment.

    And yes, the burden of proof does rest on you, since you are the one proposing a hypothesis which is contrary to the established consensus (not to mention plainly impossible).

    I will wrap up by addressing your initial claim that I am “pro-DoD, pro-DARPA, pro-Defense establishment, pro-alphabet soup agencies, and will rebuke any and all allegations of wrongdoing as being ‘conspiracy theories’”. Your apparent instinctive antipathy towards me and others who—based on our extensive knowledge of the software in question and the processes that surround it—reject Perry’s claims is based on a false dichotomy. Just because we believe that this particular accusation of wrongdoing is false does not mean that we believe that every accusation of wrongdoing is false, or that we support a hypothetical New World Order. Unlike you, we are capable of critical rather than just contrarian thinking.

  15. huxwelliantimes: “prisoners who were experimented on without their consent.”

    Every country in the world has darker cards in its history and Sweden is no exception here. However, it is 2010 and experiments you are referring to were performed decades ago. Can we talk about today’s Sweden and not its past sins?

    And please, do not try anymore to assign any statement I have not said myself to me.

    I sustain my previous statement that Sweden is one of the world’s most lawful and least corrupt countries, and that suggesting that charges to be brought against Assange are a kind of setup on behalf of US government, amount to a conspiracy theory, especially since there is no evidence backing such claim.

    ps. I’ll answer to geir’s comment later.

  16. [quote]
    accuse the King’s College London and Transparency International of collusion with the establishment.
    [/quote]

    Nice false dichotomy there. Transparency International is a NGO whose facts may be accepted or thrown out of hand by default. They are certainly not an unquestionable source of information.

    Strong unawares about Sweden BTW. You do know they pursued a heavy policy of racial hygiene back during the Nazi-era years, right? Where were all those ‘freedom-loving’ laws and principles to be found when they were forcibly sterilizing people, eh? They were even on the same page as the Nazis, dude – really – this is what you like to hold up as an utopian society?

    [quote]
    And yes, the burden of proof does rest on you, since you are the one proposing a hypothesis which is contrary to the established consensus (not to mention plainly impossible).
    [/quote]

    ‘Millions of prisoners’ was maybe an unfortunate choice of words – however, you’re falling back on technicalities here.

    Point is, what I stated is well known, and all it would take you to verify what I stated would be a couple of searches on the issue of ‘mind control’ and ‘electrodes’ to verify that I’m right.

    I see a couple of issues here –

    1) You are lazy
    2) You presume that you ‘know-it-all’ when you don’t
    3) You like to fall back on generalizations and you like to pigeonhole everyone you don’t agree with. I dislike your attitude already – especially when combined with 2
    4) You fail to recognize that you, as a nerd promoting open source, have unwittingly become a dupe of guys like Soros who promote the ‘Open Society’ on one hand but don’t believe in any of the utopian claptrap they espouse. George Soros’ bank account will never become ‘open’ and neither will all of the fake opposition NGOs he sets up worldwide that all promote overthrows of current governments in the name of ‘colour revolutions’.

    So, please dude, get off your liberal geek high horse and realize there’s a bigger, vaster world out there.

  17. See bubba – DES – even this poster acknowledges it happened.

    [quote]
    Every country in the world has darker cards in its history and Sweden is no exception here. However, it is 2010 and experiments you are referring to were performed decades ago. Can we talk about today’s Sweden and not its past sins?
    [/quote]

    Like I told you – you portrayed your own ignorance by even ‘doubting’ what I told you from the get-go. I offered you the opportunity to not make yourself look like a fool, but see, this is what you get when you try to don those geek sandals for too long.

    Nice try though trying to denigrate this and pooh-poohing this as if it was a ‘conspiracy theory’. Idiot.

  18. So if you don’t mind DES – you’ve clearly illustrated to everyone right now that you didn’t have a clue about Sweden’s experimentations with prisoners. You’ve illustrated you’re very back to fall back on name-calling and putting people into a box when the facts don’t fit your basic, childlike elementary worldview.

    You think that a serious auditor will come along for the sum of 3x$100 bucks. So really, you’re just an attention-whore blogger with an attitude. Angry butthurt geek with an attitude – that’s all to see here folks.

    I did laugh a bit at you singing the praises of Sweden though – really, how deluded can one become? LOL.

  19. I do want that USD 1000 though from you – since it’s been established by now I was right.

    Now, you can talk the talk, but can you walk the walk?

    You promised me 1000 USD for ‘credible evidence’ that what I said was real. Another poster has acknowledged that such things happened. Therefore, no further proof is necessary – it’s an admitted, documented fact – one you were completely ignorant about.

    If you fail to deliver on this right here, then why would anyone take you seriously with your 100×3 bounty?

    This is put-up-or-shut-up time.

  20. ‘In Sweden, Prime Minister Olof Palme gave permission in 1973 to implant prisoners, and Data Inspection’s ex-Director General Jan Freese revealed that nursing-home patients were implanted in the mid- 1980’s. The technology is revealed in the 1972:47 Swedish state report, STATENS OFFICIELLA UTRADNINGER (SOU).’

  21. huxwelliantimes: Please note that while I elected to ignore your claim about numbers, because I believe that they were not as important as the fact that such experiments had indeed been performed, DES challenged you obviously on the numbers alone, and the numbers are obviously absurd. Therefore I’d be glad if you abstained from using my comment in this way in your discussion with DES.

  22. cutugno: No, he didn’t challenge me on the numbers alone – he called the entire story into question.

    It’s clear that DES did not know what the hell he is talking about – and he has a rather sugar-coated view of Sweden’s history.

    In any case, I find it funny how both of you are now falling back on a ‘technicality’ (the numbers – which is obviously a technicality) and not the story itself.

    It’s clear that DES was speaking out of ignorance and did not even know about it – yet it’s ‘convenient’ to fall back on – ‘oh you stated millions, it was only thousands – hundreds – blahblah’.

    Well, whatever. Butthurt geek who lost the argument is butthurt. I’ll try not to butt into this conversation anymore, and I know the 1000 USD offer was bullshit anyway – just like the triple $100 bounty will be.

    I also find it funny that people want to ‘believe’ this story by Gregory is not true – while falling back on their wanton desire for the story to be false to be ‘grounded in facts’. Really, you’re just deluding yourself – you start with the operating premise that it can’t be true, and then comes the entire reasoning behind it.

    I use open-source software myself almost predominantly, but seriously, the open source community is in danger of becoming a real zealot community – you have to accept that your basic software model is not immune and can be compromised in this manner.

    Also, I find anyone who finds it hard to believe that the FBI plants backdoors into software to be of such childlike naivety that I almost feel the need to scold them for it. Seriously, in what Disneyland version of reality do you live in where these agencies are staffed full of virgins that only do good in the world? You pretty much fail at epistemology if you think that’s the case. Or you swallowed too many movies – all filled with propaganda, as Jacques Ellul would tell you in his book Propaganda.

    Geeks/nerds are really not that smart as they think themselves to be. You are still very easily herded – you follow certain ‘leaders’ who you believe in. You don’t think for yourself – you think Google is instantly good because they make an open-source OS and some open-source tools.

    You people cannot think beyond basic problem-reaction-solution. You follow any company that basically starts an open-source project and then you follow it like sheep. Where is the individuality in that?

  23. cutugno: It’s obvious DES does not know what the hell he is talking about when he is talking about Sweden.

    His claims that Sweden is a beacon for press freedom and democracy are almost laughable to the nth degree. This is the same country that followed Adolf Hitler’s race hygiene insanity to the letter and forcibly sterilized people.

    Try actually talking to people in Sweden that don’t fit into the collectivized system – you will see how good it is over there. You’re seriously deluding yourself if you think Sweden is the least corrupt country in existence. Like, it’s ROFL-copter hilarious – it shows you don’t know anything.

  24. Neither offer is bullshit, but you will not get the $1000 because you can not show that millions of prisoners were experimented upon in Swedish prisons. I’m pretty sure I repeated the word “millions” enough times that even a lamppost would understand that I was reacting to the number. Hell, I even told you in advance why I knew you could not win.

    For the record, I am very well aware of a number of atrocities committed in the name of science in Sweden, Norway and many other countries. I can tell you stories of forced lobotomization of psychiatric patients and of the systematic abduction and forced sterilization of Traveller children in Norway. But it does not make sense to single out Sweden or Norway or any other country, because these things (and worse) happened all around the world at the time, and I’m sure there are places where they still do. This does not excuse these acts, but it does mean there’s nobody left to cast the first stone.

    In any case, the issue is orthogonal to those of freedom of the press or Sweden’s level of corruption.

    As for the rest—it’s a mish-mash of ad hominem attacks and strawmen, and I won’t bother to argue any further. I’m sure you’ll manage to construe this as some sort of moral victory…

  25. geir: The entire article of Ms. Wolf appeals to anecdotal claims or her own experience. While I’m pretty sure that rapists in countries like Sierra Leone, Sudan or Congo, especially at wartime are hardly ever prosecuted, Western Europe should be, and is different. As for her claims regarding Sweden, while there’s indeed much left to do, Sweden is certainly not a country where every rapist can be sure of impunity; Sweden convicts more rapists (per 100k pop) than any EU country. As well, rapists are chased crossborder, e.g. in 2009 Ireland alone extradited 12 people accused of sexual offences (out of 91 extraditions from Ireland on EAW total).

    I fail to see any ‘special treatment’ of Mr. Assange. Well, maybe one: I find it hard to believe that an ordinary suspect, unknown to the public, if wanted for extradition, had no address in UK, were not an EU citizen and already had criminal record in his home country, would have any chance to get released on bail, as Assange was today.

  26. [quote]
    Oh, wait, mind control implants… thanks for a good laugh :)
    [/quote]

    Thanks for reaffirming that for all your feigned intellectual kudos, you’re really just an ignorant retard all the same.

    I guess those documentaries I watched on BBC were all ‘conspiracy theory’-esque in nature as well? The Living Dead by Adam Curtis ring a bell? You even know the clout of said documentary maker?

    I guess Ewen Cameron and MKULTRA is all lulz-esque? Even though that shit is all documented?

    I guess Jose M. Delgado did not make brain implants and use it on animals all throughout the ’60s, 70s and 80s at the behest of the CIA?

    Really – how much of a thick ignorant moron do you have to be to dispute all of that?

    MKULTRA is admitted to be real – you understand that, bubba? You realize you get a physical copy of ‘Physical Control Of The Mind’ by Jose M. Delgado? It’s required reading for anyone into neuroscience.

  27. You did not previously dispute just the ‘numbers’ figure that I quoted – it was not even meant to be taken figuratively.

    No, you DISPUTED the entire story – you just did a quick Wikipedia search and found out about it after it was revealed that other people were aware of it as well.

    Simply put, you have no intent to follow through on any of the ‘bounty’ figures you put up. You use that ‘bounty’ there just as part of your rhetoric/spiel as to why you believe that it’s not likely that there are any FBI backdoors in OpenBSD code.

    Your position on this is very clear –

    butthurt geek is butthurt – feels the whole world has turned against his open-source sacred cow. Surely, this is an evil conspiracy by closed-source zealots that have taken it upon themselves to defame poor little BSD.

    Feeling he has to prove to the world that open-source is still by far the de-facto, unquestionable model for software development, he creates a blog post, tries to make his ‘butthurt’ emotional feelings seem like actual deductive reasoning, and then uses as part of the rhetoric ‘I will give 300 bucks to anyone who can prove there is a FBI backdoor in there’.

    That, if anything, is ‘FUD’.

  28. Even if true it’s hard to imagine a deliberate side channel leak could be distinguished from an accidental one. I mean even if it was a particularly unlucky one there are just so many types of side channel attacks….

    I mean just consider the original S-BOX design for DES done by IBM. By accident they happened to hit on S-BOXes particularly susceptible to differential cryptanalysis and w/o the little NSA hint to use something else it would be indistinguishable from a deliberate vulnerability.

    Ultimately though this suggestion seems pretty ridiculous. Not only would it require a substantial conspiratorial effort to keep quiet (someone would have dropped hints without revealing classified info) it’s not something the government would desire.

    The US government has more to lose if say China can read US company’s communications than it does to gain by monitoring them themselves in this fashion. The clipper chip was different b/c it required a special key only the government would have. Nothing like that seems at all possible here unless the design of the pseudo-random number generator is VERY weird.

  29. Agreed, no one’s getting into an OpenBSD system through an FBI-funded backdoor. I don’t think Theo could live with himself. $100 from me if we’re wrong.
