
An oldie but it's evergreen, especially in light of the recent supply chain attack.

These are slides for a talk by Poul-Henning Kamp (FreeBSD developer) @ FOSDEM '14:
NSA operation ORCHESTRA: Annual Status Report
https://www.youtube.com/watch?v=fwcl17Q0bpk

Slides describe a fictitious (?) NSA operation for taking over security critical open source projects with minimal budget, just using social engineering, patience and goodwill.

excerpts:

"FOSS projects are based on trust, merit

  • No formal vetting, weak validation of evidence
  • Submit good patches for some years
  • Trust building exercise
  • Gradually eliminates code review
  • Collect SOCINT on project personnel
  • Once trust is in place
  • Affect code direction & quality"

"BOYS A special gift

  • Perception:
  • ”I'm sysad for this non-profit org”
  • ”As long as OutLook works, they don't care...”
  • ”I'm not doing squat, it's all humming...”
  • Reality:
  • Org is NEIGHBOR shop-front
  • They need: Personnel for credibility, Non-shop IT support
  • Our man needs: Chair, desk and ethernet; A cover story
  • Don't: Obvious vulnerabilities
  • Would be found
  • Would blow cover
  • Do: Programming ”mistakes”
  • Self created
  • Accepted as patches from 3rd parties
  • Do: General Code obfuscation
  • Do: Misleading docs
  • Do: Deceptive defaults

BOYS A special gift

  • Poster boy: Debian random
  • ”This code makes Valgrind complain”
  • ”doesn't seem to do anything”
  • Commented out
  • Only 64k different random states for two years
  • Brute-forcing OpenSSL generated keys = trivial

BOYS A special gift

  • Crown jewel: OpenSSL
  • Go-to library for crypto services
  • API is a nightmare
  • Documentation is deficient and misleading
  • Defaults are deceptive

Operation ORCHESTRA current status

  • Fantastic value for money
  • Less than 0.003% of COMINT budget
  • Have kept InterNet traffic in plaintext
  • No action ever exposed or traced back to us"
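The "Brute-forcing OpenSSL generated keys = trivial" bullet is easy to nod at and hard to feel until you see the loop. Below is an added example (mine, not code from the slides, from the Debian patch or from OpenSSL) of a toy key generator whose only "entropy" is a 16-bit seed, i.e. 65536 possible states as on the slide, and the attacker's loop that simply regenerates a key for every seed until the public half matches the victim's. The key scheme itself is an assumption for illustration: a Diffie-Hellman-style one-way function pub = G^priv mod P with P = 2^127 - 1 and G = 3, chosen so the whole search runs in seconds; the only thing the attack depends on is the size of the seed space, not the algorithm.

```python
"""Toy demonstration: a PRNG with 64k states makes key recovery a loop.

Added example, not the slides' or any project's code. The key scheme
(pub = G^priv mod P, P a Mersenne prime) and the 16-bit seed are
assumptions standing in for the real RSA/Debian details.
"""
import hashlib
import secrets
from typing import Optional, Tuple

P = (1 << 127) - 1   # Mersenne prime 2^127-1; small public modulus (assumed)
G = 3                # base for the toy one-way function (assumed)
SEED_BITS = 16       # 'only 64k different random states' (slide); assumed 2^16


def weak_random_bytes(seed: int, n: int) -> bytes:
    """Stand-in for the broken CSPRNG: output is a pure function of a 16-bit seed."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed.to_bytes(2, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def keygen(seed: int) -> Tuple[int, int]:
    """Derive (private, public) from the weak RNG: pub = G^priv mod P."""
    priv = int.from_bytes(weak_random_bytes(seed, 16), "big") % (P - 1)
    priv = max(priv, 2)
    return priv, pow(G, priv, P)


def strong_keygen() -> Tuple[int, int]:
    """What a correctly seeded generator gives: a private key the loop cannot reach."""
    priv = secrets.randbits(126) | (1 << 125)
    return priv, pow(G, priv, P)


def shared_secret(priv: int, peer_pub: int) -> bytes:
    """DH-style agreement: the thing an attacker holding priv can now compute."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def recover_private_key(victim_pub: int) -> Optional[Tuple[int, int]]:
    """Attacker: regenerate a key for every possible seed; match the public part.

    Returns (seed, private_key) or None when the public key was not produced
    by the weak generator (e.g. a properly seeded key).
    """
    for seed in range(1 << SEED_BITS):
        priv, pub = keygen(seed)
        if pub == victim_pub:
            return seed, priv
    return None


def demo() -> dict:
    """Victim on the weak generator is recovered; a properly seeded key is not."""
    victim_seed = 0xBEEF                      # constructed 'PID-like' seed
    victim_priv, victim_pub = keygen(victim_seed)
    peer_priv, peer_pub = strong_keygen()     # the other side of a session

    hit = recover_private_key(victim_pub)
    recovered = hit is not None and hit[1] == victim_priv
    # With the recovered private key the attacker derives the session secret.
    same_secret = recovered and shared_secret(hit[1], peer_pub) == shared_secret(peer_priv, victim_pub)

    return {
        "recovered_seed": hit[0] if hit else None,
        "recovered_private_key": recovered,
        "session_secret_recovered": same_secret,
        "strong_key_recovered": recover_private_key(peer_pub) is not None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same loop, with the real key generator in place of `keygen` and the process-ID range in place of `SEED_BITS`, is all that was needed against keys produced by the commented-out Debian OpenSSL seeding: the search space is the seed space, and nothing about the public key algorithm changes that.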