
Hardware 2.0

Adrian Kingsley-Hughes

Does the "many eyes on the code" approach to open source development work?

By Adrian Kingsley-Hughes | December 15, 2010, 5:18am PST

Summary: Does the “many eyes on the code” approach that the open source community takes to software development, a process that is supposed to result in safer, more secure code, work? A recent post over on the OpenBSD mailing list casts some doubt over the effectiveness of the mechanism.


Here’s a very interesting post on the OpenBSD mailing list in which OpenBSD project lead Theo de Raadt publishes an email he received from Gregory Perry, who says he was CTO at NETSEC when that company funded work on the OpenBSD Crypto Framework:

I have received a mail regarding the early development of the OpenBSD IPSEC stack.  It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into our network stack, in particular the IPSEC stack.  Around 2000-2001.

Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products.  Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations is. The mail came in privately from a person I have not talked to for nearly 10 years.  I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this.  Therefore I am making it public so that
    (a) those who use the code can audit it for these problems,
    (b) those that are angry at the story can take other actions,
    (c) if it is not true, those who are being accused can defend themselves.

Of course I don’t like it when my private mail is forwarded.  However the “little ethic” of a private mail being forwarded is much smaller than the “big ethic” of government paying companies to pay open source developers (a member of a community-of-friends) to insert privacy-invading holes in software.

---

From: Gregory Perry <Gregory.Perry@GoVirtual.tv>
To: "deraadt@openbsd.org" <deraadt@openbsd.org>
Subject: OpenBSD Crypto Framework
Thread-Topic: OpenBSD Crypto Framework
Thread-Index: AcuZjuF6cT4gcSmqQv+Fo3/+2m80eg==
Date: Sat, 11 Dec 2010 23:55:25 +0000
Message-ID: <8D3222F9EB68474DA381831A120B1023019AC034@mbx021-e2-nj-5.exch021.domain.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Status: RO

Hello Theo,

Long time no talk.  If you will recall, a while back I was the CTO at NETSEC and arranged funding and donations for the OpenBSD Crypto Framework.  At that same time I also did some consulting for the FBI, for their GSA Technical Support Center, which was a cryptologic reverse engineering project aimed at backdooring and implementing key escrow mechanisms for smart card and other hardware-based computing technologies.

My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI.  Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC.

This is also probably the reason why you lost your DARPA funding, they more than likely caught wind of the fact that those backdoors were present and didn’t want to create any derivative products based upon the same.

This is also why several inside FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments, for example Scott Lowe is a well respected author in virtualization circles who also happens to be on the FBI payroll, and who has also recently published several tutorials for the use of OpenBSD VMs in enterprise VMware vSphere deployments.

Merry Christmas…

Gregory Perry
Chief Executive Officer
GoVirtual Education

“VMware Training Products & Services”

540-645-6955 x111 (local)
866-354-7369 x111 (toll free)
540-931-9099 (mobile)
877-648-0555 (fax)

http://www.facebook.com/GregoryVPerry
http://www.facebook.com/GoVirtual

The mail names people and an employer, but no specific commits, files or code, so I have to admit that I’m more than a little skeptical. However, now that the allegation is out in the open, I’m certain that those in the development community will be taking a closer look at the code, looking for evidence of such backdoors.

And that’s the advantage of open source over closed source: the code is there for everyone to look at. There are nowhere near as many people reviewing it as there should be, but when an allegation like this is made, the code and its commit history are there to either back it up or refute it. The caveat is that open code only makes the audit possible, not automatic; a deliberately inserted weakness written to look like an ordinary bug will not jump out at a casual reader, and someone still has to sit down and read the relevant commits. With closed source code, we (as the consumers of the code) don’t even have the freedom to take that look for ourselves.
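Perry’s mail names no commits, so the first thing an auditor would actually do is narrow the review set: commits by a given set of authors, inside a given window, that touched the IPsec and crypto subsystems. Below is an added example of that scoping step in Python; it is not code from this article, from the OpenBSD project or from Perry’s mail. It assumes a git mirror of the OpenBSD src tree and a `git log` run in the fixed format shown in the docstring; the author names, mail domain and log text used as sample input are constructed placeholders, not real OpenBSD history or real developers.

```python
"""Scope a commit-history audit of the kind Perry's mail asks for.

Added example, not code from the article, the OpenBSD project or the mail.
Assumes a git mirror of the OpenBSD src tree and input produced by:
  git log --date=iso-strict \
      --format='commit %H%nauthor %an <%ae>%ndate %ad%nsubject %s' \
      --name-only -- sys/netinet sys/crypto > ipsec.log
"""
import re
import sys
from datetime import date, datetime

IN_SCOPE_PATHS = ("sys/netinet/", "sys/crypto/")   # IPsec stack, crypto framework
SINCE, UNTIL = date(2000, 1, 1), date(2001, 12, 31)  # "Around 2000-2001"
# Hypothetical reviewer input; placeholders, not the real people named in the mail.
SUSPECT_AUTHORS = {"alice example"}
SUSPECT_DOMAINS = {"vendor.example"}

_AUTHOR_RE = re.compile(r"^author (?P<name>.*?) <(?P<email>[^>]*)>$")


def parse_log(text):
    """Parse the fixed-format log into dicts: hash, name, email, date, subject, files.

    A `commit ` line opens a record; any other non-blank line that is not a
    known field is a path from --name-only, whatever blank lines git emits.
    """
    commits, cur = [], None
    for line in text.splitlines():
        if line.startswith("commit "):
            cur = {"hash": line[7:].strip(), "files": []}
            commits.append(cur)
        elif cur is None or not line.strip():
            continue
        elif line.startswith("author "):
            m = _AUTHOR_RE.match(line)
            cur["name"] = m.group("name") if m else line[7:]
            cur["email"] = m.group("email") if m else ""
        elif line.startswith("date "):
            cur["date"] = datetime.fromisoformat(line[5:].strip()).date()
        elif line.startswith("subject "):
            cur["subject"] = line[8:]
        else:
            cur["files"].append(line.strip())
    return commits


def is_suspect(commit):
    """Match on the author's name or on the domain of the author's e-mail."""
    name = commit.get("name", "").lower()
    domain = commit.get("email", "").rsplit("@", 1)[-1].lower()
    return name in SUSPECT_AUTHORS or domain in SUSPECT_DOMAINS


def select_commits(text, since=SINCE, until=UNTIL):
    """Commits by suspect authors, inside the window, that touch in-scope paths.

    Each result keeps only the in-scope files: that is the reading list.
    """
    selected = []
    for c in parse_log(text):
        when = c.get("date")
        if when is None or not is_suspect(c) or not since <= when <= until:
            continue
        hits = [f for f in c["files"] if f.startswith(IN_SCOPE_PATHS)]
        if hits:
            selected.append({**c, "files": hits})
    return selected


# Constructed sample input in the format above; not real OpenBSD history.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
author Alice Example <alice@vendor.example>
date 2001-03-14T10:22:31+00:00
subject ipsec: rework SA lookup

sys/netinet/ip_ipsp.c
share/man/man4/ipsec.4

commit 2222222222222222222222222222222222222222
author Bob Other <bob@elsewhere.example>
date 2001-04-02T09:00:00+00:00
subject crypto: fix session teardown
sys/crypto/crypto.c
commit 3333333333333333333333333333333333333333
author Alice Example <alice@vendor.example>
date 2004-07-19T15:45:10+00:00
subject esp: cleanup, outside the window
sys/netinet/ip_esp.c
commit 4444444444444444444444444444444444444444
author Carol Contractor <carol@vendor.example>
date 2000-11-05T21:10:00+00:00
subject ah: adjust replay window handling
sys/netinet/ip_ah.c
sys/crypto/cryptodev.c
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for c in select_commits(text):
        print(c["hash"][:12], c["date"], c["name"], c["subject"], c["files"])
```

On a real checkout the `git log` command in the docstring produces the input; `sys/netinet` and `sys/crypto` are where OpenBSD keeps its IPsec and crypto framework code, and the window is the one de Raadt gives. The script only narrows the set. Reading the selected diffs for anything that weakens key handling, randomness or packet authentication is still the human part of the audit, and the output is a reading list, not a verdict.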

If this allegation turns out to be true (and to reiterate, I’m not convinced), then it has widespread implications given how much of the OpenBSD code is used in both open and closed source products.

What do you make of this?


Disclosure

Adrian Kingsley-Hughes

All opinions expressed on Hardware 2.0 are those of Adrian Kingsley-Hughes. Every effort is made to ensure that the information posted is accurate. If you have any comments, queries or corrections, please contact Adrian via the email link here. Any possible conflicts of interest will be posted below. [Updated: February 23, 2010] - Adrian Kingsley-Hughes has no business relationships, affiliations, investments, or other actual/potential conflicts of interest relating to the content posted so far on this blog.

Biography

Adrian Kingsley-Hughes

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera.

Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs. His most recent books include "Build the Ultimate Custom PC", "Beginning Programming" and "The PC Doctor's Fix It Yourself Guide". He has also written training manuals that have been used by a number of Fortune 500 companies.

Adrian also runs a popular blog under the name The PC Doctor, where he covers a range of computer-related topics -- from security to repairing and upgrading.

Comments (42)

any case, would a proprietary company make a letter like this public, and would the public be able to look at the code and verify what happened? What guarantee do we have that code similar to this is not in Windows or OSX right now?
"The National Security Agency (NSA) worked with Microsoft on the development of Windows 7, an agency official acknowledged yesterday during testimony before Congress." - http://www.computerworld.com/s/article/9141105/NSA_helped_with_Windows_7_development
0 Votes
RE: Does the
odubtaig 15th Dec 2010
Thankyou Jason, this means precisely nothing as it is well known that the NSA has contributed code to every O/S under the sun including SELinux for the Linux kernel in an attempt to bolster national security and this issue is about the FBI, who are not the NSA.
0 Votes
@DonnieBoy. open source needs money because they don't charge for the software so you're more likely to have some poor developer pocket a boatload of change to add stuff like this in.

M$ and Apple make TONS of money from selling their products they don't need to accept any money like this in order to survive
0 Votes
RE: Does the
AndyPagin 15th Dec 2010
@cyberspammer2
Plenty of hugely well paid people take bribes and stitch up their employers in other ways. Greed is more often a motive than poverty.
this, it would be much harder to figure out given that we do not have access to the code, and it would be much easier to move people around and put a person in place to do the dirty work.

But, in any case, many open source programmers are paid very well, and would never participate in anything like this.

We do need to wait and see just what really happened here.
0 Votes
@cyberspammer2
Please, enlighten us how MS or Apple can say "NO" to FBI.

Your story will make a furor. ;)
0 Votes
huge financial incentive in closed source
erik.soderquist 15th Dec 2010
@cyberspammer2

a very simple "if you want your new product to be on the approved list for purchasing at all, you *will* put this back door in for us and not tell anyone" message from FBI/NSA/etc would likely do it for Microsoft.

how much bad PR would Microsoft take if the FBI refused to approve Windows 7 for any internal deployment due to "security deficiencies" ?
0 Votes
RE: Does the
Badgered 15th Dec 2010
@DonnieBoy What guarantee do we have that code similar to this is not in Windows or OSX right now?

Absolutely none. But the issue becomes, how am I better off using Linux if this IS true? It would basically mean Linux is no different than Microsoft or Apple... is that a sales pitch you would want to deliver?
0 Votes
likelyhood and remedy
rarsa 16th Dec 2010
@Badgered How are you better?
- There is at least some likelihood that someone could have found it.
- Once this news came out people will be able to verify.

I have some others but long replies bore me.
0 Votes
RE: Does the
daengbo 16th Dec 2010
@Badgered "how am I better off using Linux if this IS true?"

Because this is about OpenBSD, not Linux.
0 Votes
RE: Does the
DannyO_0x98 15th Dec 2010
@DonnieBoy
There are no guarantees about anything. At some point we trust. Security is cost and friction. It is risk management.

Want to be absolutely secure? Develop 99th percentile code chops, understand everything about the internals, and then audit everything you use every time you use it after something has been saved, deleted, or moved. (Wait, how do I know that something isn't in the graphic card's rom?)

So, every one of us, no matter whose flag we're waving as we daily play King-of-the-OS-Hill, has invested trust in a company, a process, software, framework, security team, or a statistic. We have to, we're here to get some work done.
If this story is true, you can bet it is, as there is US Treasury code in scanner drivers and Photoshop to inhibit scans of US currency.
0 Votes
M$ and other goons are secretly monitoring people without their consent.
0 Votes
RE: Does the
rtk 15th Dec 2010
@Linux Geek

Wow, did you read the story?
0 Votes
RE: Does the
erik.soderquist 15th Dec 2010
@Linux Geek

...?

what story did you read?

this story is about gov't back doors in open source code
0 Votes
RE: Does the
Loverock Davidson 15th Dec 2010
I love how Theo de Raadt openly admits there might be a problem and calls on the community to fix it. That is the sign of a good leader and true open source. They actually work as a community just like all components of their OS work together. You wouldn't find something like this in the linux community, oh no, they would start arguing with each other about who's to blame and who should have audited the code then the name calling would begin. Since this happened 10 years ago, I highly doubt any of that code is still left in the IPSEC stack. OpenBSD will always have a place in my heart as being THE most secure OS.
0 Votes
The most secure OS....
storm14k 15th Dec 2010
@Loverock Davidson ....except for those pesky backdoors.
0 Votes
Is that you?
AndyCee 16th Dec 2010
@Loverock Davidson
A sign of a good leader is that they don't sell out their product. I've never heard you allow a bad word to be said about the BSD's. No-one's even confirmed it yet. Perhaps your account has somehow been hacked?
0 Votes
There are plenty of instances where backdoors have been in code that was available in source for years without anyone noticing. The famous dritchie login is a classic where Dennis did not like having to enter a password then logging on as superuser to get full privileges, so most Unixes had a simple backdoor that the login of dritchie took you straight to superuser with no password.

The claim that open source is better than proprietary has problems; besides cases like the above, open source is relying on people who are mostly unpaid to review the source and find the bugs. There are a number of firms that partner with Microsoft who do get their sources and have folks reviewing them.

There are good arguments for both models, but which one is better can be argued forever. I do have to agree with the posters who point out that OpenBSD has the best track record of security, since its development model from day one worked on security.
0 Votes
RE: Does the
odubtaig 15th Dec 2010
@oldsysprog

Your argument might work a weeny bit better if you had any idea who actually develops most open source software. More than ever, Open Source is business that pays, and it pays its developers.

I really hate these arguments that read as perfectly reasonable until you realise that they're based on entirely false premises and myths that have been laid to rest for some time.
0 Votes
Economic incentives
Lester Young 15th Dec 2010
@odubtaig

Businesses developing open-source code for their own purposes have economic incentive to review and tweak code in a way that yields a return. If the reviewing and tweaking is for adding some economically beneficial functionality, the incentive is clear. If it is for hypothetical or unspecified security issues, the incentive is nebulous. A commercial software developer has an incentive to review code for security under competitive pressure. The hit Microsoft's reputation for security took in the late 1990s would have finished a lot of companies not in Microsoft's dominant position. We have competition from the *n*x world, including OSX, to thank for finally forcing Microsoft to get its act together on security.
0 Votes
RE: Does the
tonymcs@... 15th Dec 2010
@oldsysprog

Enthusiastic and committed is not the same as talented. In fact most talented programmers and analysts have JOBS and therefore get paid to review code. You could multiply all the people who bother to look at OSS code (I'm one of them) by a factor of 10 and it still wouldn't approach the people reviewing MS's systems and code.

There's also the other side of OSS - anyone seeing the code can detect vulnerabilities and the result will depend on whether they're wearing a black or white hat.
0 Votes
RE: Does the
DannyO_0x98 Updated - 15th Dec 2010
You pose a few questions. Is "Many eyes make bugs shallow" still true as a generalizing aphorism? Well, sure, as true as generalizations may be.

But code auditing is not a mechanical process. It takes people who get tired, who don't look carefully at areas they inspected carefully last time, and who rely on reputation and past performance in order to prioritize where to audit.

It's not as though the aphorism is that a thousand pairs of eyes find all bugs; there is no magic number that makes code perfect.

In this case, allegedly, a trusted committer, for financial gain, sense of duty, or maybe "cooperating" to stay out of jail for something the FBI discovered - time will tell - slips something in and, if his code doesn't get the attention that my code would, it's understandable.

Crack-enabling bad code is also revealed with the cracking of systems. So, I gather no OpenBSD administrator had to solve how someone got unauthorized access to the server.

Well, the audits are starting today in full-attention mode. The auditing is made easier by the public nature of the source tree, i.e., it's open and all the security mavens can get involved. I also suspect that other operating systems will get audited for a similar backdoor in their code.
0 Votes
RE: Does the
erik.soderquist 15th Dec 2010
@DannyO_0x98

quote: I also suspect that other operating systems will get audited for a similar backdoor in their code.

especially systems that copied the OpenBSD stack
0 Votes
RE: Does the
james347 15th Dec 2010
Yes.
0 Votes
Transparency is a cornerstone of Open Source
Dietrich T. Schmitz, ~ Your Linux Advocate 15th Dec 2010
Proprietary=Exploitation.
0 Votes
RE: Does the
aep528 15th Dec 2010
@Dietrich T. Schmitz, Your Linux Advocate

Really? The issue under discussion says that non-proprietary software could have been used for exploitation for 10 years.

You can't have it both ways.
0 Votes
Any time you want to know something about open source
Dietrich T. Schmitz, ~ Your Linux Advocate 15th Dec 2010
@aep528

just go look it up yourself. The issue is who is minding the shop on BSD code maintenance and how one can 'allegedly' insert 'backdoor' code and go unnoticed for such an extended period of time, unless possibly the code was so thoroughly obfuscated that it would make understanding its purpose difficult.

Still, open is open and someone should have seen and reviewed (peer) and validated the project's source code.

We'll wait and see if the story holds true and go from there.
0 Votes
RE: Does the
erik.soderquist 15th Dec 2010
@Dietrich T. Schmitz, Your Linux Advocate

what article did you read? this one is about a possible back door in open source software
0 Votes
RE: Does the
tonymcs@... 15th Dec 2010
@Dietrich T. Schmitz, Your Linux Advocate

Damn DTS - you turning socialist now?

and the irony (which would escape most Americans) is that I don't view that as an insult ;)
0 Votes
RE: Does the
sysop-dr 15th Dec 2010
You guys do remember that Apple OS/X and all of the iOS versions are built off of BSD, right? And the BSD license allows people like Microsoft to use their code free, and they do use it, so the FBI didn't even have to ask them to put it in Apple or Microsoft code, it is already there.
And I suspect that it's so obfuscated that finding it will be difficult at best.
But is it in all other stacks? Nope.
0 Votes
Whatever.
Socratesfoot 15th Dec 2010
Just a convenient opportunity for ZDNet to take a stab at open source. Even if the FBI riddled BSD with numerous vulnerabilities that somehow survived years of scrutiny, it's still nothing compared to Microsoft, which is still patching 11 year old exploits and creating new ones in the interest of creative marketing.
0 Votes
Open source does not guarantee code integrity, it merely changes the balance between the opportunity to deceive and the likelihood of being found out.

Long term neither model can be more secure - if one were, it would become a more valuable target and therefore be subject to more determined attacks.
0 Votes
OSX runs a bsd kernel
pillbox1234567 15th Dec 2010
nt
0 Votes
RE: Does the
Altotus 15th Dec 2010
Ok, so in fact the tin hat is as effective a device for computer security as anything yet invented by man. There is effectively no such thing as security when the best is an open book. The best security has in fact been compromised for the last 10 years. Now you might have one small clue, but the big picture is so much more.
0 Votes
RE: Does the
jurgen.manycolored@... 15th Dec 2010
In response to Loverock Davidson, what you say about the Linux community is nonsense. Any code problem like the one discussed would be immediately labelled as a bug and fixed. The type of finger-pointing you refer to occurs when a group of developers in a distribution have an issue with the rest in terms of philosophy. Linux is as transparent as OpenBSD.
0 Votes
Back doors for police use?
skris88@... 15th Dec 2010
I'd rather there be back doors that the government can use to check my innocent use of software and would help trap the guilty (such as terrorists) than not having any.

Of course it needs the whole democratic judicial system of innocence-until-proven-guilty-without-doubt and honest policing, both of which could be abused.

But it is the overall benefit to society as a whole that I look at something to do, not just my personal benefit; bring on the police back-doors (and a strong justice system).
0 Votes
please study your history
erik.soderquist 16th Dec 2010
@skris88@...

... study your history please

every time the equivalents of some sort of back door have been given to government (or taken in secret by government), they have been abused

mankind is such that power corrupts, the more power, the more severe the corruption.
0 Votes
RE: Does the
bflochip 15th Dec 2010
they would have to "control" many programmers for this to occur. And all the programmers that come and go in 10 years. Open source they can't control who looks at it from the outside
0 Votes
RE: Does the
bflochip 15th Dec 2010
@bflochip
sorry there is no delete. keep going. sorry
0 Votes
Your article proves FLOSS works!
rarsa 16th Dec 2010
Do you know if there are such back doors on the Cisco implementation? Will you even know?

Maybe it is the confusion between "we can see the code" and "we will see the code". It is impossible to read every single line of code out there, but the possibility is there for cases like this.
