NSA, backdoors & pfSense



  • Hi,

    Read this article :
    http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

    As you can see, these are LEGITIMATE questions that ANYONE should ask BEFORE installing pfSense:

    1. I believe it would be surprising if the NSA didn't look into pfSense… don't you think so?
    2. Are the ISOs binaries versions available to download exactly the same as the sources?
    3. Who creates the ISO? Names of the persons in charge, please. (They should have nothing to hide, right?)
    4. Can I compile pfSense myself and obtain the same ISOs? If yes, what is the procedure?
    5. Electric Sheep Fencing LLC. is a commercial company located in the US. Austin, Texas. which supports pfSense.
        If the NSA asks this small company to introduce backdoors into pfSense, do you believe one minute it could refuse?
    6. How can we be sure that the NSA hasn't introduced backdoors into pfSense?

    I hope this post won't be censored, if it is, I will post it on another forum.

    Thank you,

    Ben Drummond
    (I know, I may be put under surveillance after this post but I don't care, American freedom of speech, where are you?).


  • Banned

    Its in Pfsense as well. Dont worry.

    But that said, then your code on your websites is a lot easier to access and penetrate. When you use RDP to connect to servers, then they can listen in.

    If you want to be secure, you need to set the hosting site in your bedroom and stay there forever!


  • Netgate Administrator

    Some discussion on this here:
    http://forum.pfsense.org/index.php/topic,70887.0.html

    Steve


  • Rebel Alliance Developer Netgate

    We have already been over all of these here on the forum and mailing list. Please look around before posting the same things over and over.



  • I strongly DISAGREE with you, you're not telling the truth. You're all clearly evading the issue for some reason.

    If you don't want to answer to these questions, just say it, but don't make me believe they've already been answered!

    None of these questions have been answered precisely, I've just browsed the forum threads.



  • You don't have to use the official binaries/ISOs created by the ESF guys. You can build our own from the FreeBSD+pfSense source code. That ensures that the result is what is in the source code - maybe, but…
    You yourself (or with trusted friends) have to read every line of source code from both FreeBSD and pfSense and satisfy yourself that there are no backdoors inserted in it - particularly spend a few evenings reading through every line of the encryption libraries just to make sure nothing was snuck in.
    To build, you have to have a known-good build platform, otherwise someone might have put some bonuses in the compiler/s the build uses which create binaries that do not do just what the source says. But initially you need a working FreeBSD to use as the build platform - if you use a pre-built FreeBSD ISO from their official site then maybe it has non-standard compilers on it, and those compilers will insert backdoors when you use them to attempt to build yourself a known-trustworthy FreeBSD and then use it to build pfSense...
    Then again, there was another recent thread about hardware backdoors builtin to BIOS or actual hardware. So really, you need your own chip-foundry and build your own boards. And don't use any third-party chip-design software, because that probably has backdoors in it somewhere that will design more into the chip than what the user specifies...
    Good luck making yourself a completely trusted system  :)


  • Netgate Administrator

    Ok. Here goes. I'm not a developer and don't have access to any ESF servers etc….

    1. I would not be surprised to find that many NSA techs were running pfSense at home, they are probably familiar with it. As it's install base grows it only becomes more likely.

    2. I've never checked but feel free to because....

    4. You can build your own ISOs from the source and build tools which are all freely available.
        https://devwiki.pfsense.org/DevelopersBootStrapAndDevIso
        That said I read that it's difficult to produce an identical image because the build tools are not branched in the same way as the source (could be wrong about that). Edit: http://forum.pfsense.org/index.php/topic,70780.msg387014.html#msg387014

    3. The snapshots are built by an automated build system, on a daily basis towards the end of the development cycle. Of course that machine and it's build scripts are under someone's control, I would assume Chris, Jim and other ESF employees.

    5. This is a more interesting question and probably the crux of the matter. The NSA (through some related agency!) probably have the power to force US citizens residents to do whatever they want. However we have at least two things on our side here. pfSense is open source software built on FreeBSD which is open source. We can inspect the source and the commit history which makes it far far more difficult to insert a backdoor without anyone noticing. At least some of the pfSense dev team (and many FreeBSD devs) are not US residents making them far more difficult to coerce.

    6. You cannot be sure. Unless you have inspected all the source code that goes into pfSense and the FreeBSD base code personally and then built it yourself on a machine you trust implicitly. Then there is the prospect that whatever hardware you run it on may have been compromised already as JimP mentioned. At least with pfSense you can run on anything you like so that tips the odds in your favour massively.

    In the end it's all relative. Compared to a commercial firewall appliance it's far far more difficult to compromise but still possible.

    Steve


  • Rebel Alliance Developer Netgate

    @bendrum:

    I strongly DISAGREE with you, you're not telling the truth. You're all clearly evading the issue for some reason.

    If you don't want to answer to these questions, just say it, but don't make me believe they've already been answered!

    None of these questions have been answered precisely, I've just browsed the forum threads.

    Note that I didn't just say the forum, but the mailing list as well.
    http://lists.pfsense.org/pipermail/list/2013-October/thread.html

    We aren't evading anything, people will see whatever conspiracy they want no matter what answers they get. Read every message in all of the related threads from October and you'll see why we're tired of having the same discussion over and over.


  • LAYER 8 Global Moderator

    Someone's tinfoil hat is a bit too tight I think and its cutting off blood flow to the brain ;)


  • Rebel Alliance Developer Netgate

    @johnpoz:

    Someone's tinfoil hat is a bit too tight I think and its cutting off blood flow to the brain ;)

    I wouldn't say that. They are valid concerns, but the problem here is the accusatory manner in which they were presented. You could tell from the tone that they probably wouldn't have believed a word anyone said anyhow and were looking to stir up trouble, but we've already trampled down that road on the mailing list. No need for a repeat.


  • LAYER 8 Global Moderator

    Tone - what tone? ;)

    I strongly DISAGREE with you, you're not telling the truth. You're all clearly evading the issue for some reason.



  • @bendrum:

    I strongly DISAGREE with you, you're not telling the truth. You're all clearly evading the issue for some reason.

    If you don't want to answer to these questions, just say it, but don't make me believe they've already been answered!

    None of these questions have been answered precisely, I've just browsed the forum threads.

    Forgive me for saying so, please do take into account that I am Dutch and we are like this by nature ( ;D), but: I think you might appear a little rude to some people. On average, it doesn't exactly help to pour acid when you want to catch a flie (bad-ly translated Dutch saying  ;D ;D ;D).



  • @jimp:

    @johnpoz:

    Someone's tinfoil hat is a bit too tight I think and its cutting off blood flow to the brain ;)

    I wouldn't say that. They are valid concerns, but the problem here is the accusatory manner in which they were presented. You could tell from the tone that they probably wouldn't have believed a word anyone said anyhow and were looking to stir up trouble, but we've already trampled down that road on the mailing list. No need for a repeat.

    I don't agree that they're valid concerns.  (How would ESF control the activities of its two main developers, neither of whom are US Citizens, and neither of whom live in the US?)

    I agree that they were just looking to stir up trouble.

    Don't feed the troll.



  • @bendrum:

    1. Electric Sheep Fencing LLC. is a commercial company located in the US. Austin, Texas. which supports pfSense.
        If the NSA asks this small company to introduce backdoors into pfSense, do you believe one minute it could refuse?

    Yes.  Like a mother-fucking riot.

    You obviously don't know me well.


Log in to reply