Backdoors in OpenBSD

publius
2010-Dec-16, 03:52 AM
With all the buzz over Stuxnet, now this comes out:

http://www.theregister.co.uk/2010/12/15/openbsd_backdoor_claim/

http://news.cnet.com/8301-31921_3-20025767-281.html

A former contractor claims the US government paid developers to insert backdoors in the OpenBSD IPSec code.


-Richard

Solfe
2010-Dec-16, 05:05 AM
I can't help but notice, most "security features" are already riddled with so many issues, that the security is non-existent to the devious minded. I don't entirely believe that a designed backdoor is any better than just getting "enough" access to the computer in question even if it has security.

A good example is my school has Windows 7 and some nifty software that automatically "restores" the computer to preselected settings, which prevents people from saving data or permanently installing software. Nice in theory, but I once left my keychain drive plugged in and accidentally booted the computer with the Ubuntu live disc from the USB. It appears I could save all I liked to the hard drive at that point and it remained after a couple of reboots.

Adobe has a password protect feature in nearly all of its offerings, but there are ways to get past the password using nothing but Adobe software and no special knowledge or talent is required. Oddly, there does not seem to be a way to bypass the password once and restore it later, which would be even more nasty than accessing the password protected info in the first place.

Not having admin access under XP/Vista in theory stops edits to the Windows directory, but in some cases you can access a file, make changes and save it elsewhere. Once that is done, you can copy-paste it back into the Windows directory without doing anything special.

I happened to list Windows issues, but it seems to be a pretty common theme to all operating systems. OS X can be factory defaulted with a key stroke which blows away the password (and sometimes files and programs).

I think the biggest impediment to the Stuxnet software was physically getting to those machines in the first place. Once a devious person gets anywhere near your machine, all the security in the world won't help.

Just my two cents.

slang
2010-Dec-16, 12:15 PM
A former contractor claims the US government paid developers to insert backdoors in the OpenBSD IPSec code.

But what is the actual claim? That they were successful or just that they were paid for the attempt? Apparently this happened 10 years ago, relevance for the current OpenBSD code will have to be shown.


I can't help but notice, most "security features" are already riddled with so many issues, that the security is non-existent to the devious minded.

No offense, but I take it you're not very familiar with OpenBSD?

Solfe
2010-Dec-16, 12:58 PM
You are right, I have only read about OpenBSD and it sounds very interesting, but I committed to Ubuntu a couple of years ago. My primary machines are an iBook with OS 9.2 (It has OS X but I like to ignore it) and an Asus and a Compaq running Ubuntu.

My wife keeps her Vista and I don't know why. I wish we could get rid of that one. It's what I am using now.

kamaz
2010-Dec-16, 05:04 PM
Contrary to popular belief, a backdoor may indeed be hidden in open source code, as repeatedly evidenced by the Underhanded C Contest: http://underhanded.xcott.com/

A further complication here is that the allegation concerns cryptography code, which is difficult to analyze for non-specialists and may contain non-obvious weaknesses. For example, the OpenSSL bug in Debian (which caused the generated SSL/SSH keys to have only 16 random bits, which was practical to brute force) was introduced in September 2006 and detected in May 2008, only because someone compared Debian and stock versions of OpenSSL. The OpenBSD crypto framework was the first such open framework, so it got copied into other products -- so there may be nothing to check against.
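
The point about the Debian key bug, illustrated with an added example that is not part of this thread and not Debian's or OpenSSL's code: a constructed toy key generator whose only entropy is a 16-bit seed, the full enumeration of everything it can produce, and a blacklist check of the kind Debian's key-checking tools used to find affected keys. The generator, the seed width, the key size and the sample keys are all assumptions made for the demonstration; the real defect was in OpenSSL's C code, not in Python's random module.

```python
import hashlib
import os
import random

# Constructed simulation of a key generator whose only entropy is a 16-bit
# seed, standing in for the Debian OpenSSL defect described in the post.
# SEED_BITS and KEY_BYTES are assumptions chosen for the demonstration.
SEED_BITS = 16
KEY_BYTES = 32


def weak_keygen(seed: int) -> bytes:
    """Derive a 256-bit 'key' deterministically from a seed of SEED_BITS bits."""
    if not 0 <= seed < (1 << SEED_BITS):
        raise ValueError("seed outside the simulated entropy range")
    rng = random.Random(seed)  # output is fully determined by the seed
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def strong_keygen() -> bytes:
    """Key from the OS CSPRNG: the keyspace is the full 256 bits."""
    return os.urandom(KEY_BYTES)


def fingerprint(key: bytes) -> str:
    """Stable identifier for a key, so keys can be compared without storing them."""
    return hashlib.sha256(key).hexdigest()


def build_weak_fingerprint_set() -> set:
    """Enumerate every key the weak generator can ever produce.

    2**16 candidates is trivial work, which is exactly why the defect was
    exploitable; the same enumeration gives a defender a complete blacklist
    of fingerprints to match deployed keys against.
    """
    return {fingerprint(weak_keygen(s)) for s in range(1 << SEED_BITS)}


def audit_keys(keys, weak_set) -> list:
    """Return the indexes of keys on the weak blacklist; those should be
    revoked and regenerated with a sound generator."""
    return [i for i, k in enumerate(keys) if fingerprint(k) in weak_set]


def keyspace_reduction(nominal_bits: int = KEY_BYTES * 8,
                       entropy_bits: int = SEED_BITS) -> int:
    """Factor by which the search space shrinks: 2**(nominal - entropy)."""
    return 1 << (nominal_bits - entropy_bits)


if __name__ == "__main__":
    weak = build_weak_fingerprint_set()
    # Constructed sample: two weak keys mixed with two properly generated ones.
    sample = [weak_keygen(4242), strong_keygen(), weak_keygen(7), strong_keygen()]
    print("distinct weak keys:", len(weak))
    print("flagged indexes:", audit_keys(sample, weak))
    print("keyspace shrinks by a factor of 2**%d" % (KEY_BYTES * 8 - SEED_BITS))
```

Building the blacklist takes well under a second, which is the whole lesson: a key whose generator had 16 bits of entropy is found by enumeration rather than by any cryptanalysis, and the same enumeration is what lets a defender identify every affected key instead of guessing.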

publius
2010-Dec-16, 11:49 PM
One of the lead developers at the time is strongly denying this, and there are some other things that question it as well. But at any rate, they are going to audit the devil out of all the code and we'll soon learn if there are any backdoors hidden therein. And there should be an audit trail with the version control system used that can pinpoint who put them in if they exist.

Solfe, as Kamaz pointed out, OpenBSD's claim to fame is security, and further, a lot of the relevant code, the crypto framework, is used in a lot of commercial applications for secure internet stuff like VPNs and other things.


-Richard

slang
2010-Dec-17, 12:04 AM
To be honest, I'd be surprised if not one US agency would have at least tried to pull something like this off. Maybe the claim is true, in so far that an attempt was made. I can't help but wonder which big company's bottom line might profit from news reports like this one... Somehow the lyrics of "Rudolph the Redmond Reindeer" come to mind but maybe that's just the season... :)

Solfe
2010-Dec-17, 02:48 AM
Interesting. How many people use this system? Or is it more correct to say, how many systems are directly impacted to owe their existence to OpenBSD?

Right now I am doing a mental inventory of the boxes I have in the basement and have two that could run this system and may be doing that by Jan 1. :)

Do you think I could tri-boot my iBook with OpenBSD, OS 9.2 and OS X? It seems to meet the specs required and it would get used on that machine.

slang
2010-Dec-17, 08:41 AM
I'm not sure I would recommend OpenBSD as a desktop OS, it's mainly designed to be a server OS and it's at its best in a security role. The learning curve is quite steep, but if you're a UNIX lover it's well worth the effort and you'll learn a lot. If you're going to give it a shot, do read every applicable README, and browse the FAQ at www.openbsd.org before you start. It's certainly not an easy "click-click-click" install like Windows or Ubuntu. If you're not going to use the X Window System, it will run easily even on a Pentium with 16 or 32 MB RAM. You might need a bit more to run the graphical environment comfortably. I have no experience whatsoever with any Apple hardware, but information on tri-booting should not be very difficult to find. But if you have a spare machine, play with that one first.

ETA: seconding the VMWare suggestion. It r00lz, so to speak. :)

publius
2010-Dec-17, 08:59 AM
One word if you want to play with all the various OSes: VMWare (or equivalent).

As for Redmond, the operating assumption should be that it has backdoors galore, and probably from multiple sources. The NSA, Mossad, China, and everybody probably has agents working for them whose job is to do such mischief. You should never trust big closed source products. Take Stuxnet for example. Four previously unknown holes in Windows were used. My guess is those holes weren't just accidents discovered by whatever Spook group authored Stuxnet, but were put there on purpose for just such projects.


-Richard

Solfe
2010-Dec-17, 03:24 PM
Those dang Cylons. :)

I may give it a shot after exams are over. I do have a very old machine that may be able to come back to life with those low spec requirements.

kamaz
2010-Dec-22, 04:17 PM
Mr. OpenBSD himself has a say on the matter:

(g) I believe that NETSEC was probably contracted to write backdoors
as alleged.
(h) If those were written, I don't believe they made it into our
tree. They might have been deployed as their own product.

Source: http://marc.info/?l=openbsd-tech&m=129296046123471&w=2

On the other hand, he notes in the same post that there were some bugs found in the code in question, so if you are into conspiracy theories...