Updated at 11AM on Saturday to provide a bit of clarity, and to define CIPAV
Did a current Red Hat employee and the project leader for Red Hat's Fedora free Linux distribution previously install and support government surveillance spyware onto the (Windows) computers of suspects while a FBI employee back in 2005?
Based on publicly available documents, it appears so.
Page 93 of the recent 153 page FOIA document dump (Warning: huge pdf) obtained by Wired News appears to be a ticket report from a 2005 surveillance request to the FBI's Cryptographic and Electronic Analysis Unit.
The document requests "CIPAV support as per discussion between EP [redacted]". The document also notes that the request is for a "Data/Voice Intercept with Encryption"
CIPAV ("computer and internet protocol address verifier") is, as Wired reports, a software tool designed to infiltrate a target's computer and gather a wide range of information, which it secretly sends to an FBI server in eastern Virginia.
As Professor Paul Ohm tweeted on Friday evening, it appears that the censors at the FBI forgot to remove the username of one of the engineers working on a case: 'pfrields'.
A bit of Googling reveals that pfrields is the handle used by Paul W. Frields, now an employee of Red Hat Linux. His blog also notes that he is currently the Fedora Project Leader.
Of course, there could be more than one pfrields on the Internet... which is where PGP keys come into play.
A quick query of the MIT Public PGP server reveals that the following email addresses are all using the same public key:
pub 1024D/BD113717 1997/09/19
Paul W. Frields <firstname.lastname@example.org>
Paul W. Frields <email@example.com>
Paul W. Frields <firstname.lastname@example.org>
Paul W. Frields <email@example.com>
Paul W. Frields <firstname.lastname@example.org>
Paul W. Frields <email@example.com>
Paul W. Frields <firstname.lastname@example.org>
Paul W. Frields <email@example.com>
Paul W. Frields <Paul.Frields@ic.fbi.gov>
Paul W. Frields <firstname.lastname@example.org>
Paul W. Frields <email@example.com>
Paul W. Frields <firstname.lastname@example.org>
Based on this information, it would appear that someone claiming to be Paul W. Frields with an email address at fbi.gov is now using the same public key as someone signing emails as Paul W. Frields with a redhat.com email address. Based on documents from a PGP keysigning party in January of this year, this collection of email addresses appear to have been verified by other members of the Linux community.
Finally, a configuration file in a web-accessible subversion repository on Paul Frields' own webserver mention the fbi.gov email address, which seems to be a pretty solid link confirming that the Linux developer is a former FBI employee.
Of course, even if the pfrields who worked for the FBI is the same pfrields who now leads Red Hat's free Linux distribution, there isn't necessarily any cause for concern.
After all, unlike the CIA agents who tortured prisoners, and the illegal wiretapping performed by NSA employees, the work of the FBI seems to be above board -- well, except for the FBI's misuse of National Security Letters, oh and the likely illegal backdoor the FBI has to Verizon Wireless's backbone network.
No need to worry though, since all of the CIPAV spyware requests do seem to have been accompanied by a court-approved search warrant.
Let us for the moment assume the best -- that Mr. Frields is a good patriotic American who has the deepest respect for civil liberties, and went to work for the FBI in order to help hunt down terrorists and evil-doers.
Even so, I suspect that many users of the Fedora Linux distribution, particularly those outside of the United States, might be shocked to find out this news, just as many Americans might be shocked if they learned that a former KGB agent was now in charge of keeping their computers secure.
Given that a select few members of the Fedora project likely have access to the private keys necessary to sign and release automatic updates to the operating system, the fact that one of these persons has in the past been involved with the insertion of spyware onto the computers of individuals without their knowledge or permission might be something that many Fedora users might be concerned about.
It's not that former government employees - even those in charge of installing spyware - should be excommunicated from the rest of the development community (after all -- there are former NSA engineers who have done amazing work on the SE Linux project). It's just that we should think twice before placing them into the open source community's most sensitive positions - just as the FBI would never grant the highest security clearances to a former hacker.
As of press time (2AM on Saturday morning), Paul Frields had yet to respond to queries submitted via email or twitter. If he does respond at a later date, this blog post will be updated to reflect his comment.
Disclosure: I've had my own fairly negative experience with armed FBI agents, who later raided my home at 2AM. Readers of this blog should consider that when evaluating this article w/regard to any bias I might have.
Hat Tip: Wired's Kevin Poulsen was the first to google pfrields and discover that he might be a Linux geek.