Bonum Certa Men Certa

Edward Brocklesby: how expelled hacker took over Debian's SSH2 package

posted by Roy Schestowitz on Jun 08, 2024

Reprinted with permission from Daniel Pocock.

Here is the list of changelog entries for the ssh2 package.

Here is the first upload from Edward Brocklesby after he takes over the package. Chilling.

Format: 1.6
Date: Fri, 26 Nov 1999 20:29:30 +0000
Source: ssh2
Binary: ssh2
Architecture: source i386
Version: 2.0.13-4
Distribution: unstable
Urgency: low
Maintainer: Edward Brocklesby <ejb@debian.org>
Description: 
 ssh2       - a secure replacement for rlogin, rsh, and rcp
Closes: 38705 39993 41100 46708 47030 47364
Changes: 
 ssh2 (2.0.13-4) unstable; urgency=low
 .
   * New Maintainer.
   * Suggest ssh-nonfree, not ssh.
   * Change 2222 to 22 in README.Debian (closes: #46708).
   * Don't link ssh against xlib6g.
   * Don't use ssh's own zlib, link with libz1 (closes: #39993).
   * Fix type in /etc/init.d/ssh2 (closes: #41100).
   * Change default $PATH to /bin:/usr/bin (closes: #47364).
   * Add a note about using ssh-keygen2 -r to the manpage (closes: #47030).
   * Suggests ssh-socks as well as ssh.
   * Prints a connection closed message when you log off (closes: #38705).

This was a long time before the Reproducible Builds project started. We have no idea if the binaries uploaded by Brocklesby correspond to the source code. At the time, people were simply trusted to compile the binaries on their home PC and upload them to the archive for everybody else to use. Scary, but true.
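To make concrete what the Reproducible Builds project later added, here is an added example (not code from Daniel Pocock or from Debian) of the check that did not exist in 1999: rebuild the package independently and compare the bytes. The file contents are constructed placeholders, not the real ssh2 package; the only value taken from the page is the `Date:` field of the .changes file above, which is the timestamp a reproducible build would export as `SOURCE_DATE_EPOCH`. The example also shows why a naive build cannot be verified: the archive absorbs the builder's clock and login name, so two honest builders produce different bytes and a tampered binary is indistinguishable from ordinary noise.

```python
"""Reproducible-build check: does an independent rebuild match the uploaded artifact?"""
import hashlib
import io
import tarfile
from email.utils import parsedate_to_datetime

# Constructed sample build output; the real ssh2 package contents are not used here.
SAMPLE_BUILD = {
    "usr/share/doc/ssh2/README.Debian": b"sshd2 listens on port 22 by default.\n",
    "etc/init.d/ssh2": b"#!/bin/sh\n# constructed placeholder init script\n",
}

# Reproducible builds pin every timestamp to the changelog date, exported as
# SOURCE_DATE_EPOCH. The Date: field is the one in the .changes file quoted
# above; it corresponds to 943648170 seconds after the Unix epoch.
SOURCE_DATE_EPOCH = int(
    parsedate_to_datetime("Fri, 26 Nov 1999 20:29:30 +0000").timestamp()
)


def _pack(files, mtime, uname, gname, order):
    """Write an uncompressed ustar archive with fully specified header fields."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in order:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.uid = info.gid = 0
            info.uname, info.gname = uname, gname
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_build(files, build_time, builder):
    """A 1999-style home-PC build: the archive records the builder's clock and
    login name, so nobody else can reproduce the exact bytes later."""
    return _pack(files, build_time, builder, builder, list(files))


def reproducible_build(files):
    """Normalise every environment-dependent field (timestamps, ownership,
    member order) so that any builder gets byte-identical output."""
    return _pack(files, SOURCE_DATE_EPOCH, "root", "root", sorted(files))


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_rebuild(archive_artifact, rebuilt_artifact):
    """The check the archive never ran: a maintainer's upload against an
    independent rebuild from the same source. True only for identical bytes."""
    return sha256(archive_artifact) == sha256(rebuilt_artifact)


def diff_metadata(artifact_a, artifact_b):
    """List which tar header fields differ, so the cause of a mismatch is
    visible instead of just 'the hashes differ'."""
    def members(blob):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
            return {m.name: m for m in tar.getmembers()}

    ma, mb = members(artifact_a), members(artifact_b)
    diffs = []
    for name in sorted(set(ma) | set(mb)):
        if name not in ma or name not in mb:
            diffs.append((name, "presence", name in ma, name in mb))
            continue
        for field in ("mtime", "uid", "gid", "uname", "gname", "size"):
            va, vb = getattr(ma[name], field), getattr(mb[name], field)
            if va != vb:
                diffs.append((name, field, va, vb))
    return diffs


if __name__ == "__main__":
    # Two honest builders, different clocks and accounts: unverifiable.
    upload = naive_build(SAMPLE_BUILD, 943700000, "ejb")
    rebuild = naive_build(SAMPLE_BUILD, 943800000, "auditor")
    print("naive builds match:", verify_rebuild(upload, rebuild))
    for entry in diff_metadata(upload, rebuild):
        print("  differs:", entry)
    # Same source, normalised environment: anyone can confirm the upload.
    print("reproducible builds match:",
          verify_rebuild(reproducible_build(SAMPLE_BUILD), reproducible_build(SAMPLE_BUILD)))
```

The point of `diff_metadata` is that a mismatch on its own proves nothing: only after timestamps, ownership and ordering are normalised does a differing hash become evidence worth investigating, which is exactly the property the archive lacked when these binaries were accepted.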

Scarier still, when they realized he was up to something, they made no investigation into these binaries whatsoever. Looking at their discussions in hindsight, it didn't even occur to them; Debian people are so mediocre about security. They are obsessed with looking down their noses at people but don't understand what they see in front of them.

It looks like he was simply watching for other maintainers to lose interest and then he would take over their packages. Not every package though, only the packages that were really security critical like SSH, compilers and shells.

The rogue elements of Debian spent over $120,000 to attack me with lawyers after my father died. They made no credible inquiry into the activities of real hackers. They only care about making political attacks on volunteers. Security is above their pay grade.

It is now more than 48 hours after my first disclosure about the Edward Brocklesby affair and there is no comment whatsoever from the Debian security team. The only comments they make are to attack me personally, a reprisal for raising another serious security concern.

Read more articles about the mysterious Edward Brocklesby & Debian affair.
