FBI Outed Breaking Into The US Internet?
The Market Ticker - Commentary on The Capital Markets

2010-12-15 15:23 by Karl Denninger
in Liberty

Oh boy....

Of course I don't like it when my private mail is forwarded.  However the "little ethic" of a private mail being forwarded is much smaller than the "big ethic" of government paying companies to pay open source developers (a member of a community-of-friends) to insert privacy-invading holes in software.

I have no way to vet or verify this.

However, be aware that a sizable number of implementations of internet security systems are based on the OpenBSD framework, as OpenBSD has been widely regarded for a very long time as one of the more-secure reference implementations.

There have been persistent rumors on The Internet for years that back doors have existed in various vendors' firmware that would allow the US Government to log in undetected and redirect data streams to places they desire.  The latter - redirection and "mirroring" - is a common and legitimate diagnostic function.  The ability to use it without generating any sort of log with a "back door" password is not!

Again, these rumors have been persistent for years and have implicated a number of vendors.  I have not published them in the past primarily because I have not been able to vet them nor get anyone to admit "on the record" in a form that I can reproduce that the back doors are there. 

Some of these rumors date back to when I ran my ISP.  I can tell you that if they existed in the firmware at that time, my diligent attempts to detect it being used (yes, real people have packet capture hardware as well as spooks) failed to do so.  That doesn't mean it didn't exist - it only means that on my network it was not activated to direct traffic to "somewhere else."  In fact, I had a rather sophisticated surveillance system looking for evidence of exactly that for several months at one point.  None was found.

But this is a very specific allegation.  If it's present then one must assume that the key is not in fact secret and any encrypted traffic using these facilities, which implicates SSH, IPSEC and other similar things, such as VPN sessions, has been compromised.

Note that this likely means that the majority of so-called "secure" credit card validation transactions that run over networks without an "air gap" are also likely insecure.

It probably doesn't implicate SSL web sessions.


The person "fingered" has vehemently denied involvement with the FBI:

Let's get right to the point and set the record straight: I am not, nor have I ever been, affiliated with or employed by the FBI or any other government agency.

The truth will come out when the code and all prior commits are audited, and it will be.  One of the nice things about open source is that the CVS trees, containing the entire commit history related to the particular software in question, remain available with all previous edits able to be discerned.

If there's something to this, we'll know quite soon.

In the meantime it is my position that one must treat all allegedly-secured communication channels that cannot be verified as "clean" as if they are "contaminated" or "breached", and this is not limited to OpenBSD, as this code, if it was compromised, must be assumed compromised everywhere else it has been used until proved otherwise.