This is more of a rootkit than a backdoor, since you have to replace the OpenSSH binary with a trojaned version. A backdoor usually implies that it was there from the start, which is exactly the opposite of what the guy says (he reports having to fight OpenSSH hard to let him have the backdoor).

Title should be "NSA Employee Reports Developing OpenSSH Rootkit".

The thing that strikes me from this report is that he or she (and most of these programmer types working for NSA groups) are just like many of the HN/tech crowd, except they're working for "the other side". Heck, many of them probably read HN every day.

> New Zealand was incredible! I wish I'd had more time there, but I did pretty well. I saw a handful of LOTR sights, Mount Cook, a number of gorgeous lakes, snow-capped mountains everywhere ... I absolutely loved my time in Australia, both in terms of work and travel, but I'm also looking forward to returning to the land of Chick-fil-A, college athletics, BBQ pork, and real bacon. Oh, and good beer.

It's great that they love their work, but it's too bad so many smart people are going to work on projects that violate so many people's rights.

> SSH has a *lot* of checks to make sure you can't switch usernames in the middle of a login (go figure) so this was a bit tricky to bypass.

Go figure.

On debian/ubuntu you can detect modified packages with `debsums` - but the signatures seem to be MD5, for which it's possible to generate collisions with e.g. something like http://www.bishopfox.com/resources/tools/other-free-tools/md4md5-collision-code/.

> Currently DSD uses authorized_keys as a quick-and-easy method for persistence against certain *nix targets.

Good to know.

Time for a security audit of every authorized_keys file I maintain.
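As an added example (not code from the thread or from any project it mentions), here is a small Python audit that parses authorized_keys entries, including the options prefix OpenSSH allows before the key type, and reports any key blob that is not on a known-good allowlist or that fails to parse. The sample file contents, key blobs and allowlist are constructed for illustration.

```python
"""Audit OpenSSH authorized_keys content and flag entries not on a known-good allowlist."""
import re
from typing import Any, Dict, List, Set

# Key types OpenSSH accepts; an optional comma-separated options field may precede the type.
KEY_TYPES = (r"ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)"
             r"|sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com")
ENTRY_RE = re.compile(
    r"^(?:(?P<options>\S.*?)\s+)?(?P<type>" + KEY_TYPES + r")\s+"
    r"(?P<key>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*))?$")

# Constructed sample file (hypothetical keys, not taken from the original thread).
SAMPLE_AUTHORIZED_KEYS = """\
# ops team
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOpsKeyBlob alice@ops
from="10.0.0.0/8",no-pty,command="/usr/local/bin/deploy" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleCI ci@build

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleUnknownBlob root@unknown-host
"""
# Allowlist of key blobs the administrator actually issued (constructed).
KNOWN_GOOD_KEYS: Set[str] = {
    "AAAAC3NzaC1lZDI1NTE5AAAAIExampleOpsKeyBlob",
    "AAAAB3NzaC1yc2EAAAADAQABExampleCI",
}

def parse_authorized_keys(text: str) -> List[Dict[str, Any]]:
    """Return one dict per non-comment entry; unparseable lines get 'malformed' set."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments grant no access
        m = ENTRY_RE.match(line)
        if m is None:
            entries.append({"line": lineno, "type": None, "key": None, "options": None,
                            "comment": None, "malformed": line})
            continue
        entries.append({"line": lineno, "type": m["type"], "key": m["key"],
                        "options": m["options"], "comment": m["comment"], "malformed": None})
    return entries

def audit(text: str, allowed: Set[str]) -> List[Dict[str, Any]]:
    """Flag entries whose key blob is not on the allowlist, plus anything that failed to parse."""
    return [e for e in parse_authorized_keys(text)
            if e["malformed"] is not None or e["key"] not in allowed]

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, KNOWN_GOOD_KEYS):
        print(f"line {finding['line']}: unexpected entry -> {finding['malformed'] or finding['comment']}")
```

Run it against each user's ~/.ssh/authorized_keys (and any AuthorizedKeysFile path set in sshd_config) with an allowlist built from the keys you actually issued; the options field is reported so restricted keys such as `command=` deploy keys can be reviewed separately.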