>My NDA with the FBI has recently expired, and I wanted to make you
aware of the fact that the FBI implemented a number of backdoors and
side channel key leaking mechanisms into the OCF, for the express
purpose of monitoring the site to site VPN encryption system
implemented by EOUSA, the parent organization to the FBI. Jason
Wright and several other developers were responsible for those
backdoors, and you would be well advised to review any and all code
commits by Wright as well as the other developers he worked with
originating from NETSEC.
Nitpicking here, but the parent agency of the FBI is the Department of Justice. The EOUSA is the Executive Office of United States Attorneys, and is basically the back office support for the 93 US Attorney offices. It's parent organization is also the Department of Justice.
Basically, he is saying the DOJ planted a back door so that it could spy on its own internal network.
> This is also probably the reason why you lost your DARPA funding
I remember this causing a huge stink at the time, with various petty reasons as the alleged cause (like Theo's less-than-friendly communication style).
‘one former FBI computer security agent has confirmed parts of Perry’s story. .. "I was one of the few FBI cyber agents when the coding supposedly happened. Experiment yes. Success No,"’ E J Hilbert FBI
Indeed, IPsec isn't mentioned. (You can use WireGuard on OpenBSD nowadays.)
If you remember the OpenSSH Challenge Response vulnerability was found by ISS in 2002. OpenBSD's advisory can be found here [1]
This was the first remote vulnerability found in OpenBSD's default installation (which they used to advertise with). Back then, it was very normal to have all kind of bloated daemons enabled by default and vulnerabilities were found in C code and were easily exploited (no ASLR, on x86-32 for example).
Of particular interest is "section 6. Release Process" because it has details about how the OpenBSD team dealt with the situation at that time. Also, the patches are from 26 june 2002.
Now, if you look at [2] (source of FOIA documents), you can notice the date is 14 august 2002. This indicates the FBI's document is made after the vulnerability was known to the public.
What are the indications that the FBI knew about this beforehand? Is that the part listed on the bottom where they say contact X has administrative control over the internet host cvs.openbsd.org and Y has administrative control over the internet host ftp.openbsd.org? We don't know who these people were, who they worked for.
I remember there being some kind of feud between OpenBSD team and Grsecurity/PaX team (Brad Spengler aka Spender and a Hungarian I suppose by the nickname pipops). I always wondered about the relation of these, and the blackhat community. Who were these people with the gobble gobble memes, and the "Theo why is syslog running on port 514 I want to see SSH and nothing else"?
[+] [-] wil421|6 years ago|reply
>My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI. Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC.
[1]https://marc.info/?l=openbsd-tech&m=129236621626462
[+] [-] ProCicero|6 years ago|reply
Basically, he is saying the DOJ planted a back door so that it could spy on its own internal network.
[+] [-] matthewbauer|6 years ago|reply
https://marc.info/?l=openbsd-tech&m=129244045916861&w=2
[+] [-] Tharkun|6 years ago|reply
I remember this causing a huge stink at the time, with various petty reasons as the alleged cause (like Theo's less-than-friendly communication style).
[+] [-] tinus_hn|6 years ago|reply
[+] [-] kilo_bravo_3|6 years ago|reply
[+] [-] Rastarbar|6 years ago|reply
https://web.archive.org/web/20170823064610/https://www.v3.co...
[+] [-] sslalready|6 years ago|reply
[+] [-] sverige|6 years ago|reply
[+] [-] Fnoord|6 years ago|reply
If you remember the OpenSSH Challenge Response vulnerability was found by ISS in 2002. OpenBSD's advisory can be found here [1]
This was the first remote vulnerability found in OpenBSD's default installation (which they used to advertise with). Back then, it was very normal to have all kind of bloated daemons enabled by default and vulnerabilities were found in C code and were easily exploited (no ASLR, on x86-32 for example).
Of particular interest is "section 6. Release Process" because it has details about how the OpenBSD team dealt with the situation at that time. Also, the patches are from 26 june 2002.
Now, if you look at [2] (source of FOIA documents), you can notice the date is 14 august 2002. This indicates the FBI's document is made after the vulnerability was known to the public.
What are the indications that the FBI knew about this beforehand? Is that the part listed on the bottom where they say contact X has administrative control over the internet host cvs.openbsd.org and Y has administrative control over the internet host ftp.openbsd.org? We don't know who these people were, who they worked for.
I remember there being some kind of feud between OpenBSD team and Grsecurity/PaX team (Brad Spengler aka Spender and a Hungarian I suppose by the nickname pipops). I always wondered about the relation of these, and the blackhat community. Who were these people with the gobble gobble memes, and the "Theo why is syslog running on port 514 I want to see SSH and nothing else"?
[1] https://www.openssh.com/txt/preauth.adv
[2] https://cdn.muckrock.com/foia_files/2019/07/19/Ecd74aeb090e0...