[SLL] Fedora project lead seems to have played role in installing malware for FBI
Phil Mocek
pmocek-sll at mocek.org
Mon Apr 20 13:40:24 PDT 2009
Christopher Soghoian (of online fake boarding pass generator fame,
former ACLU of Northern California intern, and fellow at the
Harvard Berkman Center for Internet & Society) writes:
<http://paranoia.dubfire.net/2009/04/current-red-hat-linux-employee-fedora.html>
> Did a current Red Hat employee and the project leader for Red Hat's
> Fedora free Linux distribution previously install and support
> government surveillance spyware onto the (Windows) computers of
> suspects while an FBI employee back in 2005?
>
> Based on publicly available documents, it appears so.
>
> [...]
>
> Based on [information on the MIT Public PGP server], it would appear
> that someone claiming to be Paul W. Frields with an email address at
> fbi.gov is now using the same public key as someone signing emails as
> Paul W. Frields with a redhat.com email address. Based on documents
> from a PGP keysigning party in January of this year, this collection
> of email addresses appears to have been verified by other members of
> the Linux community.
>
> Finally, a configuration file in a web-accessible subversion
> repository on Paul Frields' own webserver mentions the fbi.gov email
> address, which seems to be a pretty solid link confirming that the
> Linux developer is a former FBI employee.
>
> [...]
>
> I suspect that many users of the Fedora Linux distribution,
> particularly those outside of the United States, might be shocked to
> find out this news, just as many Americans might be shocked if they
> learned that a former KGB agent was now in charge of keeping their
> computers secure.
>
> Given that a select few members of the Fedora project likely have
> access to the private keys necessary to sign and release automatic
> updates to the operating system, the fact that one of these persons
> has in the past been involved with the insertion of spyware onto the
> computers of individuals without their knowledge or permission might
> be something that many Fedora users might be concerned about.
>
> It's not that former government employees - even those in charge of
> installing spyware - should be excommunicated from the rest of the
> development community (after all -- there are former NSA engineers who
> have done amazing work on the SE Linux project). It's just that we
> should think twice before placing them into the open source
> community's most sensitive positions - just as the FBI would never
> grant the highest security clearances to a former hacker.
>
> As of press time (2AM on Saturday morning), Paul Frields had yet to
> respond to queries submitted via email or twitter. If he does respond
> at a later date, this blog post will be updated to reflect his
> comment.
I think this is a valid concern.
--
Phil Mocek