Edward Brocklesby (ejb) & Debian: Hacking expulsion cover-up in proximity to Oxford and GCHQ

posted by Roy Schestowitz on Jun 06, 2024,
updated Jun 24, 2024

Reprinted with permission from Daniel Pocock.

As written previously, I don't believe that Debian Developers can be expelled as such because the relationship between us is a relation of joint authorship.

Nonetheless, from time to time it is necessary to remove somebody's access to Debian infrastructure due to concerns about their integrity and other poor behavior. The first case of this was Shaya Potter, for WaReZ operations.

There is a pattern that has become very easy to see: if somebody is expelled in a very public manner then it is due to backstabbing by the corrupt leadership. The expulsion of Jacob Appelbaum based on falsified harassment claims was the most prominent example of backstabbing. On the other hand, when the leadership has failed to protect the security of the Debian distribution, the whole affair gets covered up. The expelled person is free to go elsewhere.

The most dramatic case that has been hidden from the public is that of Edward Brocklesby (ejb). Looking at Shaya Potter, we could follow his career path after his departure from Debian. Edward Brocklesby simply disappeared into obscurity. Did he even exist at all or was Edward Brocklesby a fake name for somebody who we don't really know?

The second notable point about the case of Edward Brocklesby is the list of packages he was maintaining. His package list was discussed after his exclusion:

Subject: Re: ejb's old packages--who want to adopt them?
Date: Tue, 25 Apr 2000 10:05:15 +0100
From: Steve McIntyre <stevem@chiark.greenend.org.uk>
To: Anthony Fok <foka@ualberta.ca>
CC: debian-private@lists.debian.org


On Tue, Apr 25, 2000 at 09:14:42AM +0100, Anthony Fok wrote:
>
>According to Joey's earlier post, here are the packages that ejb left
>behind:
>
>    archie, csh, eggdrop, gcc-m68k-gnu, hx, mh, mh-paper, mig-m68k-gnu,
>    pmake, sac, simh, simh-rsts-images, simh-unix-images, ssh2
>
>Hope we can all pitch in and pick up one or two of them.  Otherwise,
>they'd have to be orphaned -> debian-qa, definitely before potato is
>out, otherwise the bug reports would be unattended to.


I'll take pmake; we occasionally use it at work and it would be
painful to lose it.


-- 
Steve McIntyre, Allstor Software         smcintyr@allstor-sw.co.uk
My PC page
"Can't keep my eyes from the circling sky,                 "Tongue-tied & twisted, Just an earth-bound misfit, I..."  

While discussing ejb's packages, nobody seemed to notice that these are just the packages that a serious bad guy would want to put backdoors into: shells, compilers and even the ssh2 package. There was incredible complacency about this.

In hindsight, it seems even more odd that the person maintaining those packages has simply vanished. In other words, the person maintaining those packages for a number of years may have been using a fake name.

This is the reality of security on Debian: the package maintainers may be fast at copying security patches from upstream and getting them released but they can't really understand what they are looking at. By excluding talented developers and dumbing down with groupthink, they reduce the amount of adult scrutiny on situations like this.

The failure of anybody to notice the risk of backdoors in those binaries is one of many glaring oversights in the EJB case.

Another thing people failed to notice is that Brocklesby was living in close proximity to the A40, that is the road from Oxford to the GCHQ office at Cheltenham. GCHQ doesn't publish a list of their employees in the free and open source software space, nonetheless, it is widely accepted that such people exist.

The IETF records show us he was interested in the development of standards for IRC.

His interest in standards or any other public activity seems to cease completely within a short time of the discovery of his activities around Debian.

The next big red flag in the way Debian handled the Edward Brocklesby affair is that they failed to immediately restrict his access to Debian infrastructure. For some weeks they engaged in a debate with him on the debian-private (widely leaked) secret cubby house. He almost fooled them to allow him to keep his access privileges.

The BBC obtained a secret tape recording of Kim Philby talking to Stasi agents.

In 1963, an MI6 colleague came to confront him with new evidence pointing to his work for the Soviets.

Philby bluffed and stalled.

...

Philby finishes with one piece of advice to the spies gathered before him that had served him well: never confess.

"If they confront you with a document with your own handwriting then it's a forgery - just deny everything…

"They interrogated me to break my nerve and force me to confess.

"And all I had to do really was keep my nerve. So my advice to you is to tell all your agents that they are never to confess."

Looking through debian-private, we can see Edward Brocklesby buying time. Philby was not the only one to use these tactics.

Ireland needs a high-level expert on cybersecurity in the European Parliament. Please see my nomination and promote it as widely as possible as we count down to the vote this Friday, 7 June. █