[SLL] Fedora project lead seems to have played role in installing malware for FBI

Bradley Willson bradley.j.willson at gmail.com
Mon Apr 20 14:01:39 PDT 2009


It smacks of about half of the facts being there and all of the supposition
being present.


On Mon, Apr 20, 2009 at 1:40 PM, Phil Mocek <pmocek-sll at mocek.org> wrote:

> Christopher Soghoian (of online fake boarding pass generator fame,
> former ACLU of Northern California intern, and fellow at the
> Harvard Berkman Center for Internet & Society) writes:
>
> <http://paranoia.dubfire.net/2009/04/current-red-hat-linux-employee-fedora.html>
>
> > Did a current Red Hat employee and the project leader for Red Hat's
> > Fedora free Linux distribution previously install and support
> > government surveillance spyware onto the (Windows) computers of
> > suspects while an FBI employee back in 2005?
> >
> > Based on publicly available documents, it appears so.
> >
> > [...]
> >
> > Based on [information on the MIT Public PGP server], it would appear
> > that someone claiming to be Paul W. Frields with an email address at
> > fbi.gov is now using the same public key as someone signing emails as
> > Paul W. Frields with a redhat.com email address. Based on documents
> > from a PGP keysigning party in January of this year, this collection
> > of email addresses appear to have been verified by other members of
> > the Linux community.
> >
> > Finally, a configuration file in a web-accessible subversion
> > repository on Paul Frields' own webserver mentions the fbi.gov email
> > address, which seems to be a pretty solid link confirming that the
> > Linux developer is a former FBI employee.
> >
> > [...]
> >
> > I suspect that many users of the Fedora Linux distribution,
> > particularly those outside of the United States, might be shocked to
> > find out this news, just as many Americans might be shocked if they
> > learned that a former KGB agent was now in charge of keeping their
> > computers secure.
> >
> > Given that a select few members of the Fedora project likely have
> > access to the private keys necessary to sign and release automatic
> > updates to the operating system, the fact that one of these persons
> > has in the past been involved with the insertion of spyware onto the
> > computers of individuals without their knowledge or permission might
> > be something that many Fedora users might be concerned about.
> >
> > It's not that former government employees - even those in charge of
> > installing spyware - should be excommunicated from the rest of the
> > development community (after all -- there are former NSA engineers who
> > have done amazing work on the SE Linux project). It's just that we
> > should think twice before placing them into the open source
> > community's most sensitive positions - just as the FBI would never
> > grant the highest security clearances to a former hacker.
> >
> > As of press time (2AM on Saturday morning), Paul Frields had yet to
> > respond to queries submitted via email or twitter. If he does respond
> > at a later date, this blog post will be updated to reflect his
> > comment.
>
> I think this is a valid concern.
>
> --
> Phil Mocek
>



-- 
Best regards,
Brad Willson
http://www.linkedin.com/in/bradleywillson

