An oldie but it's evergreen, especially in light of recent supply chain attacks.
These are slides for a talk by Poul-Henning Kamp (FreeBSD developer) @ FOSDEM '14:
NSA operation ORCHESTRA: Annual Status Report
https://www.youtube.com/watch?v=fwcl17Q0bpk
Slides describe a fictitious (?) NSA operation for taking over security critical open source projects with minimal budget, just using social engineering, patience and goodwill.
excerpts:
"FOSS projects are based on trust, merit
- No formal vetting, weak validation of evidence
- Submit good patches for some years
- Trust building exercise
- Gradually eliminates code review
- Collect SOCINT on project personnel
- Once trust is in place
- Affect code direction & quality"
"BOYS A special gift
- Perception:
- ”I'm sysad for this non-profit org”
- ”As long as OutLook works, they don't care...”
- ”I'm not doing squat, it's all humming...”
- Reality:
- Org is NEIGHBOR shop-front
- They need: Personnel for credibility, Non-shop IT support
- Our man needs: Chair, desk and ethernet; A cover story
- Don't: Obvious vulnerabilities
- Would be found
- Would blow cover
- Do: Programming ”mistakes”
- Self created
- Accepted as patches from 3rd parties
- Do: General Code obfuscation
- Do: Misleading docs
- Do: Deceptive defaults
BOYS A special gift
- Poster boy: Debian random
- ”This code makes Valgrind complain”
- ”doesn't seem to do anything”
- Commented out
- only 64k different random states for two years
- Brute-forcing OpenSSL generated keys = trivial
BOYS A special gift
- Crown jewel: OpenSSL
- Go-to library for crypto services
- API is a nightmare
- Documentation is deficient and misleading
- Defaults are deceptive
Operation ORCHESTRA current status
- Fantastic value for money
- Less than 0.003% of COMINT budget
- Have kept InterNet traffic in plaintext
- No action ever exposed or traced back to us"
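The "Debian random" slide is the one concrete technical point in the excerpts: once the entropy feed was commented out, the generator's state depended on a tiny value and every key it could ever produce became enumerable. The Python below is an added illustration, not code from the post, the slides or OpenSSL. It uses a constructed toy generator whose only remaining input is a 16-bit "pid" (chosen to match the 64k figure quoted above), shows that the number of distinct keys collapses to that seed space no matter how many keys are generated, and demonstrates the defender-side response that Debian actually shipped in spirit: precompute every key the broken generator can emit and check deployed keys against that table. The function names, the SHA-256-based key derivation and the 16-bit seed space are all assumptions of this simulation.

```python
import hashlib
import secrets
from typing import Dict

# Constructed simulation, not OpenSSL's real CSPRNG: the only thing that
# survives into the "key" is a 16-bit process id, so the whole key space
# collapses to 2**16 possible values (the "64k states" from the slide).
SEED_SPACE = 1 << 16


def derive_key(seed: int) -> bytes:
    """Toy deterministic key derivation from a seed (assumed, for illustration)."""
    return hashlib.sha256(seed.to_bytes(2, "big")).digest()[:16]


def generate_key_broken(pid: int) -> bytes:
    """Models the bug: system entropy is dropped, only the pid reaches the generator."""
    return derive_key(pid % SEED_SPACE)


def generate_key_proper() -> bytes:
    """The intended behaviour: a key drawn from a real CSPRNG."""
    return secrets.token_bytes(16)


def distinct_key_count(num_processes: int) -> int:
    """How many different keys the broken generator yields across many processes.
    Never exceeds SEED_SPACE, however many keys are generated."""
    return len({generate_key_broken(pid) for pid in range(num_processes)})


def build_weak_key_table() -> Dict[bytes, int]:
    """Defender-side precomputation: enumerate every key the broken generator can
    produce. This is cheap precisely because the state space is so small, which is
    the same property that made the keys brute-forceable in the first place."""
    return {derive_key(seed): seed for seed in range(SEED_SPACE)}


def is_weak_key(key: bytes, table: Dict[bytes, int]) -> bool:
    """Blacklist check: a key that appears in the table came from the broken generator
    and must be revoked and regenerated."""
    return key in table


if __name__ == "__main__":
    table = build_weak_key_table()
    print("enumerable keys:", len(table))                       # 65536
    print("distinct keys from 200000 processes:", distinct_key_count(200_000))
    print("key from broken generator flagged:", is_weak_key(generate_key_broken(4242), table))
    print("key from proper generator flagged:", is_weak_key(generate_key_proper(), table))
```

The point of the table is that a weak-key check does not need the private key at all; the same enumeration works on public key fingerprints, which is how a fleet can be audited for keys that were generated by a compromised build without touching the secrets themselves.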