Wilders Security Forums  

  #1  
Old February 28th, 2013, 01:12 AM
ComputerSaysNo ComputerSaysNo is offline
Very Frequent Poster
 
Join Date: Aug 2012
Posts: 1,086
Question Involvement of FOX-IT in OpenVPN

https://forums.openvpn.net/topic10180.html

Hmmmm, some interesting points raised. What do you think?
  #2  
Old February 28th, 2013, 09:25 AM
luciddream luciddream is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: US
Posts: 1,655
Default Re: Involvement of FOX-IT in OpenVPN

A valid concern indeed... that's what I think.
__________________
XP Pro SP3: Comodo FW/D+ 5.10, Sandboxie 3.76, VT Hash Check 1.01, OpenVPN 2.2.1, VirtualBox
  #3  
Old February 28th, 2013, 09:53 AM
popcorn popcorn is offline
Frequent Poster
 
Join Date: Apr 2012
Posts: 235
Default Re: Involvement of FOX-IT in OpenVPN

Quote:
So, in regards to guarantee that no "spy door" or "back door" feature got introduced via these PolarSSL changes, it is difficult to fully guarantee that. It all depends on how clever the developers behind the patches are. Having that said, these patches were not blindly added to the source tree. All of them (100+ patches) were reviewed by more people who can write and understand C code. In addition the most critical patches were also reviewed and ACKed by James Yonan. And if someone finds anything nasty,

So are we to understand that even though a program is open source it still cannot be trusted?
__________________
CIS 6
ExploitShield beta
Virtually Virtual
  #4  
Old February 28th, 2013, 10:37 AM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,804
Default Re: Involvement of FOX-IT in OpenVPN

I cannot and will not comment on involvement by Fox-IT on OpenVPN, if only because I don't know anything about OpenVPN.
I'm only posting because Fox-IT is a respected security company. Several times and on different occasions I have given links to their site and/or blog, for example about their forensic research.
Blog: http://blog.fox-it.com/
Site: http://www.fox-it.com/en/
  #5  
Old February 28th, 2013, 01:02 PM
luciddream luciddream is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: US
Posts: 1,655
Default Re: Involvement of FOX-IT in OpenVPN

Quote:
Originally Posted by popcorn
So are we to understand that even though a program is open source it still cannot be trusted?

Like it says in the thread, if the person/team is "crafty" enough, they can hide things in plain sight just like happens all the time in other endeavors in life from "the bad guys". That code can be right in front of your face, but in a way that is so elaborately and cleverly written that a backdoor could elude your sight. Who is really combing through all this stuff? Or are they putting a level of trust in the person(s) where they maybe aren't going through it with a fine-tooth comb? I think I even saw in there that at times, with things considered more trivial, that they just kind of "slap a sticker on it", not in those words, and push it through without much scrutiny.

Unless you are personally able to make heads or tails of every single bit of source code, you can never truly be sure. The logic is that since it's out there, enough people ARE doing just that. But in reality, if everybody thinks that way, then nobody actually does the work. Or a select few, who are only human and fallible.

So to make a long story short... yes.

And reading all that stuff is making me seriously consider either reverting back to v 2.2.1, or using the custom clients from my providers, provided they aren't based on OpenVPN 2.2.2 or later. Or... what other options are there?
__________________
XP Pro SP3: Comodo FW/D+ 5.10, Sandboxie 3.76, VT Hash Check 1.01, OpenVPN 2.2.1, VirtualBox
  #6  
Old February 28th, 2013, 04:00 PM
popcorn popcorn is offline
Frequent Poster
 
Join Date: Apr 2012
Posts: 235
Default Re: Involvement of FOX-IT in OpenVPN

Quote:
Originally Posted by luciddream

And reading all that stuff is making me seriously consider either reverting back to v 2.2.1, or using the custom clients from my providers, provided they aren't based on OpenVPN 2.2.2 or later. Or... what other options are there?

I was thinking the exact same thing.
I would like to think that with something like OpenVPN the source code would be scrutinized and then scrutinized some more.
We are probably just being overly paranoid... aren't we?
__________________
CIS 6
ExploitShield beta
Virtually Virtual
  #7  
Old February 28th, 2013, 04:22 PM
luciddream luciddream is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: US
Posts: 1,655
Default Re: Involvement of FOX-IT in OpenVPN

Quote:
Originally Posted by popcorn
We are probably just being overly paranoid... aren't we?

We wouldn't be here unless the answer to that was a resounding "yes", lol. But that paranoia has helped keep me safe over time. If I wasn't paranoid and running Pidgin in a restricted sandbox, with D+ rules as tight as spandex, I may have gotten nailed with an exploit last week. And/or if they hadn't added DEP & ASLR support to the latest version of OTR.

But part of it seemed the person may have been over-reacting a bit too, and was overly sensitive about an email... and may have as a result blown some stuff out of proportion. But then again, what they said regarding the same people that helped work on the last 2 versions of OpenVPN also developing backdoors, etc... for the govt. is indisputable fact. And in light of it, can you help but take heed of it?

I mean just imagine all the green that would be offered up to them by big wigs on Pennsylvania Ave. if they could get a backdoor inserted into OpenVPN...

I'd say the cause for paranoia is quite warranted. If I were doing anything uber sensitive, to downright shady/highly illegal... I'd be downgrading to 2.2.1
__________________
XP Pro SP3: Comodo FW/D+ 5.10, Sandboxie 3.76, VT Hash Check 1.01, OpenVPN 2.2.1, VirtualBox
  #8  
Old February 28th, 2013, 04:31 PM
linp linp is offline
Regular Poster
 
Join Date: Aug 2007
Posts: 60
Default Re: Involvement of FOX-IT in OpenVPN

Quote:
Originally Posted by FanJ
because Fox-IT is a respected security company.

I personally wouldn't call it respectable. Whenever our minister of justice has another harebrained idea (like: let's get some spyware and infect Dutch citizens with it so we can see what is on their PC, and while we're at it, let's infect PCs in other nations as well!)
Minister: Dutch police should be allowed to hack and eavesdrop
then Fox-IT thinks it is a good idea.
This company is a front, posing as a private company; they work for the AIVD (General Intelligence and Security Service).
Fox-IT is a regular partner of the Dutch government on data interception and IT-security
So, if these guys are providing new code in the latest OpenVPN versions, I would be suspicious...
  #9  
Old February 28th, 2013, 05:09 PM
mirimir mirimir is online now
Very Frequent Poster
 
Join Date: Oct 2011
Posts: 1,524
Default Re: Involvement of FOX-IT in OpenVPN

Quote:
Originally Posted by luciddream
And reading all that stuff is making me seriously consider either reverting back to v 2.2.1, or using the custom clients from my providers, provided they aren't based on OpenVPN 2.2.2 or later. Or... what other options are there?

Yes, that's the answer. Until someone credible vouches for the security of 2.2.2 and later, it's prudent to assume that they're vulnerable. Of course, earlier versions may be vulnerable for other reasons, but this is what we know about now.

So, now I gotta find out which versions of OpenVPN are in pfSense 2.0.0-2.0.2. Maybe I need to downgrade a bunch of VMs. Damn
  #10  
Old February 28th, 2013, 05:23 PM
happyyarou666 happyyarou666 is offline
Frequent Poster
 
Join Date: Jan 2012
Posts: 675
Default Re: Involvement of FOX-IT in OpenVPN

Let me know once you find out, I think it's 2.2.1 though.
  #11  
Old February 28th, 2013, 05:37 PM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,804
Default Re: Involvement of FOX-IT in OpenVPN

Hi linp,

I hear you and understand what you're saying.
I too am not happy about what our Minister (Secretary) of Justice did propose about that hacking. I did post in that thread. I did post in that thread about the comment from christinekarman, and actually I do agree with her. Please make no mistake, I do like my privacy. Remember, there were some threads by me about "The Netherlands, what digital country is this". But let's not get this into politics.
About Fox-IT: I do consider them as respectable, mostly from their forensic research.
Anyways, I should have been out of this thread.
  #12  
Old February 28th, 2013, 06:57 PM
mirimir mirimir is online now
Very Frequent Poster
 
Join Date: Oct 2011
Posts: 1,524
Default Re: Involvement of FOX-IT in OpenVPN

Quote:
Originally Posted by happyyarou666
Let me know once you find out, I think it's 2.2.1 though.

I asked on the pfSense forum.
  #13  
Old February 28th, 2013, 07:36 PM
happyyarou666 happyyarou666 is offline
Frequent Poster
 
Join Date: Jan 2012
Posts: 675
Default Re: Involvement of FOX-IT in OpenVPN

Quote:
Originally Posted by mirimir
I asked on the pfSense forum.


  #14  
Old February 28th, 2013, 09:54 PM
mirimir mirimir is online now
Very Frequent Poster
 
Join Date: Oct 2011
Posts: 1,524
Default Re: Involvement of FOX-IT in OpenVPN

Quote:
Originally Posted by happyyarou666
Let me know once you find out, I think it's 2.2.1 though.

Upon reflection, in pfSense 2.0.2-RELEASE ...

> $ openvpn --version
> OpenVPN 2.2.0 amd64-portbld-freebsd8.1 ...

So there's no problem, yet.

Edit: The Ubuntu 12.04.1 repository provides OpenVPN 2.2.1.

I recall reading that Ubuntu 12.10 has 2.2.2.

Last edited by mirimir : March 1st, 2013 at 12:59 PM.
  #15  
Old February 28th, 2013, 09:56 PM
happyyarou666 happyyarou666 is offline
Frequent Poster
 
Join Date: Jan 2012
Posts: 675
Default Re: Involvement of FOX-IT in OpenVPN

Great news indeed. Hell, I'm still using your recommended release, the pfSense-2.0.1-RELEASE-amd64.iso.gz, lols. Anyhow, this is some crazy sht. So now that they can't defeat aes256 encrypted openvpn encrypted connections to get into people's data, they simply go for planting in spyware that does the work for them. Damn, times are gettin tighter and tighter by the minute, it's sad really.

Last edited by happyyarou666 : February 28th, 2013 at 10:02 PM.
  #16  
Old March 1st, 2013, 07:07 AM
luciddream luciddream is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: US
Posts: 1,655
Default Re: Involvement of FOX-IT in OpenVPN

It's gotten to a point, here on XP, where hardly any updates are ever beneficial to me anymore for one reason or another. Either the new versions are bloated & convoluted (Comodo). Or at least, major overhauls, and the prior versions just as secure, but more usable & familiar... even SBIE has gone this route. And I didn't expect it, figured it for a (don't fix what isn't broken), simple/intuitive app that would never have dramatic changes. Or the new installers have added ad/crapware the older ones didn't. And the new versions never have changes that affect me, only Win7/8 users (compatibility). And now we have this debacle.

... I may just never update anything ever again as long as I'm on XP, other than the OS to its EOL. Everything is working great as is, and I'm perfectly secure. And I really can't see that not being the case anytime soon. Unless the nature of packet filtering/app control (HIPS) changes, or SBIE v3 becomes inadequate, etc... And again, don't see it happenin.
__________________
XP Pro SP3: Comodo FW/D+ 5.10, Sandboxie 3.76, VT Hash Check 1.01, OpenVPN 2.2.1, VirtualBox

Last edited by luciddream : March 1st, 2013 at 07:14 AM.
  #17  
Old March 1st, 2013, 09:52 AM
PaulyDefran PaulyDefran is offline
Frequent Poster
 
Join Date: Dec 2011
Posts: 693
Default Re: Involvement of FOX-IT in OpenVPN

Before anyone asks

http://openvpn.net/index.php/open-so...-releases.html

PD
  #18  
Old March 1st, 2013, 11:18 AM
happyyarou666 happyyarou666 is offline
Frequent Poster
 
Join Date: Jan 2012
Posts: 675
Default Re: Involvement of FOX-IT in OpenVPN

Lols, yeah xD

Update: OK, did some asking around and this is what I got


https://airvpn.org/index.php?option=...070&Itemid=142


So apparently 2.3.0, or 2.2.2 for that fact, aren't a threat as were thought of 4 months ago.

Last edited by happyyarou666 : March 1st, 2013 at 12:07 PM.
  #19  
Old March 1st, 2013, 12:56 PM
mirimir mirimir is online now
Very Frequent Poster
 
Join Date: Oct 2011
Posts: 1,524
Default Re: Involvement of FOX-IT in OpenVPN

Yes, that seems so.

Except: Palatinux didn't say that he'd release proof, but rather that he'd sell exploits

But, on the other hand, FUD is good for Fortress Linux sales
  #20  
Old March 1st, 2013, 01:09 PM
happyyarou666 happyyarou666 is offline
Frequent Poster
 
Join Date: Jan 2012
Posts: 675
Default Re: Involvement of FOX-IT in OpenVPN

Lols, yeah, but since it's been reviewed and the code been checked by the openvpn team I don't think this is an issue, or was it ever. Kinda sounds like a bad case of FUD after all, hmmm... maybe somebody is trying to increase those linux fortress sales after all xD. If you have any concrete evidence I'd like to see it though.
  #21  
Old March 1st, 2013, 01:30 PM
popcorn popcorn is offline
Frequent Poster
 
Join Date: Apr 2012
Posts: 235
Default Re: Involvement of FOX-IT in OpenVPN

OK, so the consensus is the current version is good to go?
Out of interest, has anyone re-installed a previous version?
__________________
CIS 6
ExploitShield beta
Virtually Virtual
  #22  
Old March 1st, 2013, 01:40 PM
happyyarou666 happyyarou666 is offline
Frequent Poster
 
Join Date: Jan 2012
Posts: 675
Default Re: Involvement of FOX-IT in OpenVPN

I tried it out just for fun. Previous versions like 2.2.1 work just fine, but after confirming this topic being FUD and proven so by the openvpn devs, well, I'd say go with the latest and greatest stable build 2.3.0 or whatever it currently is.
  #23  
Old March 1st, 2013, 01:57 PM
popcorn popcorn is offline
Frequent Poster
 
Join Date: Apr 2012
Posts: 235
Default Re: Involvement of FOX-IT in OpenVPN

Quote:
Originally Posted by happyyarou666
I tried it out just for fun. Previous versions like 2.2.1 work just fine, but after confirming this topic being FUD and proven so by the openvpn devs, well, I'd say go with the latest and greatest stable build 2.3.0 or whatever it currently is.

Thanks - good to know.
I suppose if it's good enough for the devs and auditors it's good enough for me.
It just goes to show how little we trust the state surveillance companies... not one of us doubted for a second that they would do something like this, in fact I would go as far as to say we expect it.
__________________
CIS 6
ExploitShield beta
Virtually Virtual
  #24  
Old March 1st, 2013, 02:54 PM
mirimir mirimir is online now
Very Frequent Poster
 
Join Date: Oct 2011
Posts: 1,524
Default Re: Involvement of FOX-IT in OpenVPN

It's funny, though.

On the Tor Project blog, arma compliments the Dutch national police

-https://blog.torproject.org/blog/trip-report-tor-trainings-dutch-and-belgian-police
  #25  
Old March 1st, 2013, 03:15 PM
luciddream luciddream is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: US
Posts: 1,655
Default Re: Involvement of FOX-IT in OpenVPN

Quote:
Originally Posted by happyyarou666
confirming this topic being FUD and proven so by the openvpn devs

I see no such proof... nor any proof that there is any issue at all on the other hand either. In fact I'd say it's unlikely because since the insinuations the code has probably been scrutinized. But as was stated, if deployed in a clever enough manner... it's possible it's eluded everyone. But unlikely. And I would think that if this person could prove their insinuations, they would, to publicly save face... as opposed to selling them privately to the highest bidder.

So probably a non-issue. However... just seeing what this person has done in the past makes it a legit concern. And if 2.2.1/prior are working just fine for you... you may just figure, why even take the risk, however unlikely it may be? I think it's a matter of risk/reward assessment. What would you have to lose "if" it were actually true? If the answer is "a lot", and the newer versions provide you no real benefit, why take that risk? If you're just using your VPN for P2P on the other hand and no men in black will be knocking at your door over anything you're doing, and older versions present problems to you (driver issues/BSOD's), then you probably just wanna upgrade to 2.3.
__________________
XP Pro SP3: Comodo FW/D+ 5.10, Sandboxie 3.76, VT Hash Check 1.01, OpenVPN 2.2.1, VirtualBox
 

All times are GMT -4.