Hello Chris,

Thank you for your unemotional, factual statement!

On 2013-10-10 03:17, Chris Buechler wrote:
On Wed, Oct 9, 2013 at 9:20 AM, Thinker Rix <[email protected]> wrote:
today I posted the following on your blog at http://blog.pfsense.org/?p=712

################################################

“Worried User Says: Your comment is awaiting moderation.

October 9th, 2013 at 7:55 am

Hi guys,

I want to ask if you have been approached by any US government officials,
such as NSA, FBI, etc. and been asked/ forced to include any backdoors,
spyware, loggers, etc. into pfsense and if you did so.

Thank you

Worried User”

################################################

Some minutes later I could see that my entry was not released to the public
- but deleted by the moderator, without any further comment.
Not true, the comment was moderator approved. The only reason we have
moderation at all is because spam significantly outnumbers legit
comments and we don't want any spam on any of our sites, there isn't
some vast conspiracy going on.

I see. Well, it was pending moderator approval for an hour or so and then suddenly appeared to me as being removed. Maybe it was just because of some browser issue over here, I don't know. Today I see the posting being published and also your answer to it. Thank you for that!

No, we have not been approached by anyone to backdoor or otherwise
compromise security of the project, at any point during our 9 year
history.

Thank you for this unambiguous, precise answer.
That is the kind of answer that I was hoping for.

I have indeed met with the NSA in person related to the product of one
of our rebrand customers a couple years back, one of their groups was
interested in evaluating the product. It survived their security
analysis quite well (at least from what they declassified and
released), and better than most things that come into their lab from
what I understand. At no point did any discussion happen related to
back doors or other means of compromising security for them. I wasn't
under NDA nor do I have a security clearance.

Thank you for this additional, very valuable information, too.

It is effectively a moot question to ask, given if we were, there's no
way we could disclose that.

Well, sometimes you get the most interesting information out of simple, straightforward questions. By my comprehension this whole thread is vivid proof of that.

And given that you were bound to a nondisclosure dictate by your government, you would have only three choices:
a) "We don't want to say"
b) <no answer> or awkward answer
c) Lying

a) and b) are a clear "yes", and given that not everybody is comfortable lying, chances exist that you might feel it.

Evidence suggests a number of huge tech
companies have complied. There hasn't been any evidence to date that
any open source projects were approached.

Well, there is some evidence to suggest that Linus/Linux has been approached.
http://linux.slashdot.org/story/13/09/19/0227238/linus-torvalds-admits-hes-been-asked-to-insert-backdoor-into-linux
http://www.theregister.co.uk/2013/09/19/linux_backdoor_intrigue/

A number of widely-respected
security people have come out and said that open source solutions are
better in the aftermath of the recent revelations. One example:
"My guess is that most encryption products from large US companies
have NSA-friendly back doors, and many foreign ones probably do as
well. It's prudent to assume that foreign products also have
foreign-installed backdoors. Closed-source software is easier for the
NSA to backdoor than open-source software." -Bruce Schneier
https://www.schneier.com/blog/archives/2013/09/how_to_remain_s.html

Well yes, the publication of the source code allows others to review it, and the fact that the code is maintained in a public revision control repository increases the chances that malicious changes are identified quickly. These are advantages that closed source projects do not have a priori, I agree. But in practice open source projects are no universal remedy to malicious influences. Take for example the transition from the publicly reviewed source code to the binary versions. Chances are extremely high that no one will ever notice any last-minute changes to the local source code, such as adding some surveillance "features", prior to compiling the binaries out of it and releasing them to the public, or am I mistaken?

So in the end everything stands or falls with the trust that you have in a project, i.e. the key people of the project. So what was more obvious than just asking them directly and seeing what they have to say about that topic?

So, since we cleared that up, please allow me to ask some follow-up questions: Has the project pfSense (i.e. its leaders) ever thought about what it/they would do if the day should come where those NSA people (or others) knock on the door and demand infiltration, as they did e.g. with Lavabit? Is there some way that the project and its leaders can protect themselves from getting into such a catch-22 situation? Could a project such as pfSense be immunized against such inquiries, e.g. by technical measures concerning the code base, the download repositories, etc.? Or do you think that currently everything is perfectly arranged already so that no further action is needed, etc.?

Best regards
Thinker Rix
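One technical measure for the build-step concern raised in this message (and the kind of immunization its closing questions ask about), as an added example that is not part of this thread or of the pfSense project: several independent builders each compile the tree they have locally, and a release is accepted only if every shipped artifact matches a fresh rebuild of the published source. Python bytecode compilation stands in for a real toolchain so the check runs offline; the source, the local modification and the builder names are constructed for the example.

```python
import hashlib
import types

# Constructed sample: the source exactly as published in the public repository.
PUBLISHED_SOURCE = '''
def allow(packet, rules):
    for rule in rules:
        if rule(packet):
            return True
    return False
'''

# Constructed sample: an edit applied only on one build host and never
# committed, so reviewers of the public repository would never see it.
LOCAL_MODIFICATION = "\ndef mirror(packet):\n    return packet\n"


def fingerprint(code: types.CodeType) -> bytes:
    """Hash bytecode, names and constants, recursing into nested functions.
    Memory addresses are excluded so the digest depends only on the source."""
    h = hashlib.sha256(code.co_code)
    h.update(repr(code.co_names).encode())
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            h.update(fingerprint(const))
        else:
            h.update(repr(const).encode())
    return h.digest()


def build(source: str) -> str:
    """Deterministic stand-in for a compiler: compile, then fingerprint."""
    return fingerprint(compile(source, "<release>", "exec")).hex()


def verify_release(published_source: str, artifacts: dict) -> dict:
    """Rebuild from the published source and report, per builder, whether the
    artifact it shipped matches. False means that builder compiled something
    other than what the public was able to review."""
    reference = build(published_source)
    return {name: digest == reference for name, digest in artifacts.items()}


def demo() -> dict:
    """Two honest builders and one that compiled a locally modified tree."""
    artifacts = {
        "builder-a": build(PUBLISHED_SOURCE),
        "builder-b": build(PUBLISHED_SOURCE),
        "builder-c": build(PUBLISHED_SOURCE + LOCAL_MODIFICATION),
    }
    return verify_release(PUBLISHED_SOURCE, artifacts)
```

A divergent builder proves nothing about which change was made, only that what it shipped is not what was reviewed; that is the trigger to stop the release and inspect that host.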
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list