Saturday, April 18, 2009

Current Red Hat Linux employee & Fedora project lead may have played key role in use of government spyware in former job at FBI

Updated at 10PM on April 20: There has been a fantastic discussion of this issue on a Fedora related mailing list. The short version is that only three people have access to the secret key used to sign Fedora updates, and Mr. Frields is not one of them.

Updated at 11AM on Saturday to provide a bit of clarity, and to define CIPAV

Did a current Red Hat employee and the project leader for Red Hat's Fedora free Linux distribution previously install and support government surveillance spyware onto the (Windows) computers of suspects while a FBI employee back in 2005?

Based on publicly available documents, it appears so.

Page 93 of the recent 153 page FOIA document dump (Warning: huge pdf) obtained by Wired News appears to be a ticket report from a 2005 surveillance request to the FBI's Cryptographic and Electronic Analysis Unit.

The document requests "CIPAV support as per discussion between EP [redacted]". The document also notes that the request is for a "Data/Voice Intercept with Encryption"

(click on image to see a larger version)


CIPAV ("computer and internet protocol address verifier") is, as Wired reports, a software tool designed to infiltrate a target's computer and gather a wide range of information, which it secretly sends to an FBI server in eastern Virginia.

As Professor Paul Ohm tweeted on Friday evening, it appears that the censors at the FBI forgot to remove the username of one of the engineers working on a case: 'pfrields'.

A bit of Googling reveals that pfrields is the handle used by Paul W. Frields, now an employee of Red Hat Linux. His blog also notes that he is currently the Fedora Project Leader.

Of course, there could be more than one pfrields on the Internet... which is where PGP keys come into play.

A quick query of the MIT Public PGP server reveals that the following email addresses are all using the same public key:

pub 1024D/BD113717 1997/09/19

Paul W. Frields <pfrields@fbi.gov>
Paul W. Frields <paul@frields.com>
Paul W. Frields <paul@frields.org>
Paul W. Frields <stickstr@cox.net>
Paul W. Frields <pfrields@redhat.com>
Paul W. Frields <stickster@gmail.com>
Paul W. Frields <stickstr5@hotmail.com>
Paul W. Frields <pwfrields.cart@fbi.gov>
Paul W. Frields <Paul.Frields@ic.fbi.gov>
Paul W. Frields <stickstr@cyberrealm.net>
Paul W. Frields <stickstr@novacoxmail.com>
Paul W. Frields <pfrields@fedoraproject.org>


Based on this information, it would appear that someone claiming to be Paul W. Frields with an email address at fbi.gov is now using the same public key as someone signing emails as Paul W. Frields with a redhat.com email address. Based on documents from a PGP keysigning party in January of this year, this collection of email addresses appear to have been verified by other members of the Linux community.

Finally, a configuration file in a web-accessible subversion repository on Paul Frields' own webserver mention the fbi.gov email address, which seems to be a pretty solid link confirming that the Linux developer is a former FBI employee.

Of course, even if the pfrields who worked for the FBI is the same pfrields who now leads Red Hat's free Linux distribution, there isn't necessarily any cause for concern.

After all, unlike the CIA agents who tortured prisoners, and the illegal wiretapping performed by NSA employees, the work of the FBI seems to be above board -- well, except for the FBI's misuse of National Security Letters, oh and the likely illegal backdoor the FBI has to Verizon Wireless's backbone network.

No need to worry though, since all of the CIPAV spyware requests do seem to have been accompanied by a court-approved search warrant.

Let us for the moment assume the best -- that Mr. Frields is a good patriotic American who has the deepest respect for civil liberties, and went to work for the FBI in order to help hunt down terrorists and evil-doers.

Even so, I suspect that many users of the Fedora Linux distribution, particularly those outside of the United States, might be shocked to find out this news, just as many Americans might be shocked if they learned that a former KGB agent was now in charge of keeping their computers secure.

Given that a select few members of the Fedora project likely have access to the private keys necessary to sign and release automatic updates to the operating system, the fact that one of these persons has in the past been involved with the insertion of spyware onto the computers of individuals without their knowledge or permission might be something that many Fedora users might be concerned about.

It's not that former government employees - even those in charge of installing spyware - should be excommunicated from the rest of the development community (after all -- there are former NSA engineers who have done amazing work on the SE Linux project). It's just that we should think twice before placing them into the open source community's most sensitive positions - just as the FBI would never grant the highest security clearances to a former hacker.

As of press time (2AM on Saturday morning), Paul Frields had yet to respond to queries submitted via email or twitter. If he does respond at a later date, this blog post will be updated to reflect his comment.

Disclosure: I've had my own fairly negative experience with armed FBI agents, who later raided my home at 2AM. Readers of this blog should consider that when evaluating this article w/regard to any bias I might have.

Hat Tip: Wired's Kevin Poulsen was the first to google pfrields and discover that he might be a Linux geek.

8 comments:

Anonymous said...

I don't know Mr. Frields, but you've compared him to a KGB agent and hinted that he might willingly insert backdoors into the Fedora distribution. You've spread fear and uncertainty about an individual without citing specific concerns.

You've based this on nothing but him having provided tech support for the FBI. You don't know what his involvement was in the wiretapping incident and didn't bother to give him time to respond.

bbot said...

Shit, I use Fedora.

@Anonymous,
Sure thing, Bob Mueller.

Jarod Wilson said...

I *do* know Paul personally (I work at Red Hat as well), and yes, he did indeed come to Red Hat from the FBI, and has never made a secret of that fact -- it was even mentioned repeatedly to the Fedora community when he took over as project lead. There's nothing nefarious at all here.

Further, all Fedora code commits are 100% open to the public, reviewed by peers around the world, etc. Plus, Paul's focus isn't actually *on* code -- more in project leadership, planning, evangelism, etc., as well as documentation, which is the primary area in which he first became involved in the Fedora Project, while working at the FBI (which was not a secret at that time either).

Phil said...

I brought this up on a Linux mailing list I participate in. A couple people there work for Fedora. One of them is one of only three people who have the passphrase for the Fedora signing key. He says Paul Frields is not one of those three.

Anonymous said...

A great majority of public servants in the United States are dedicated US Constitutionalists of Libertarian ideals. One of the reasons the United States survives as a Democratic-Republic is not merely because of its Bill of Rights and its Checks'n Balances, but the type of people who are involved in many aspects of its operation. They swear to uphold the Constitution of the United States and do not waiver from its terms.

If people are going to question anyone involved with the US governments touched by various Executive Orders of Clinton, W. and now Obama, based merely on a "guilt-by-association," then they are going to blanket the overwhelming majority of citizens who make the US the free nation it is at the same time. In fact, it's all their duties as citizens of the US that are their main drive to uphold the rights of citizens, as much as people would argue they are "tainted" or "evil" just because they are associated with allegedly "wrong" people or administrations.

Phil said...

Anonymous person, at issue here is not questioning anyone involved with the US governments touched by various Executive Orders of Clinton, W. and now Obama, based merely on a "guilt-by-association," it's questioning anyone whose previous job involved installing malware to spy on people -- particularly if that job was held during the reign of an administration known to abuse its power, particularly in the area of surveillance of the public -- and whose job now might involve signing off on software that is automatically installed on people's computers via addition to trusted software repositories.

Nobody's suggesting hanging the guy based on all this suspicious previous behavior, just giving things a closer look. It seems that he doesn't have access to the signing keys. That's reassuring. Maybe this should have been publicized.

Someone who performed "harsh interrogation" under the Bush administration and moved on to a civilian job at a prison would probably raise suspicion until people found that the person does not hold the keys to the prison cells.

I'm not going to apologize for looking suspiciously at someone whose previous job involved spying on people by sneaking software onto their computers, whether or not his previous employer said what he did was legal, if his new job puts him in a position of automatically installing software on people's computers. That goes double for situations in which the previous employer is known to have authorized activities that are in blatant opposition to international treaty obligations.

Yes, if you choose to work with really nasty people, others may look at you with suspicion when you move on to something else.

Just because the Obama administration refuses to attempt to achieve justice doesn't mean the rest of us should refuse to look at the past for guidance with the future.

David Spalding said...

Interesting conspiracy theory, but you connect some pretty diverse and unrelated dots in order to give it heft.... Interrogations by CIA and FBI investigations ... aren't the same thing, so why mention it. Oh, it makes your post more prurient, that's why. I don't see where you confirm and document that the person you're talking about actually "spied," and "was involved with" sneaking software onto others' computers" as part of his work. Maybe I didn't read thoroughly enough. Please call that out if you do have evidence. Otherwise, your act of "raising concerns" appears libelous.

David

Christopher Meng said...

Agree with DAVID.