Edward Brocklesby: how expelled hacker took over Debian's SSH2 package


Here is the list of changelog entries for the ssh2 package.

Here is the first upload from Edward Brocklesby after he takes over the package. Chilling.

Format: 1.6
Date: Fri, 26 Nov 1999 20:29:30 +0000
Source: ssh2
Binary: ssh2
Architecture: source i386
Version: 2.0.13-4
Distribution: unstable
Urgency: low
Maintainer: Edward Brocklesby <ejb@debian.org>
Description: 
 ssh2       - a secure replacement for rlogin, rsh, and rcp
Closes: 38705 39993 41100 46708 47030 47364
Changes: 
 ssh2 (2.0.13-4) unstable; urgency=low
 .
   * New Maintainer.
   * Suggest ssh-nonfree, not ssh.
   * Change 2222 to 22 in README.Debian (closes: #46708).
   * Don't link ssh against xlib6g.
   * Don't use ssh's own zlib, link with libz1 (closes: #39993).
   * Fix type in /etc/init.d/ssh2 (closes: #41100).
   * Change default $PATH to /bin:/usr/bin (closes: #47364).
   * Add a note about using ssh-keygen2 -r to the manpage (closes: #47030).
   * Suggests ssh-socks as well as ssh.
   * Prints a connection closed message when you log off (closes: #38705).

This was a long time before the Reproducible Builds project started. We have no idea if the binaries uploaded by Brocklesby correspond to the source code. At the time, people were simply trusted to compile the binaries on their home PC and upload them to the archive for everybody else to use. Scary, but true.

More scary, when they realized he was up to something they made no investigation into these binaries whatsoever. Looking at their discussions in hindsight, it didn't even occur to them, Debian people are so mediocre about security. They are obsessed with looking down their noses at people but don't understand what they see in front of them.

It looks like he was simply watching for other maintainers to lose interest and then he would take over their packages. Not every package though, only the packages that were really security critical like SSH, compilers and shells.

The rogue elements of Debian spent over $120,000 to attack me with lawyers after my father died. They made no credible inquiry into the activities of real hackers. They only care about making political attacks on volunteers. Security is above their pay grade.

It is now more than 48 hours after my first disclosure about the Edward Brocklesby affair and there is no comment whatsoever from the Debian security team. The only comments they make are to attack me personally, a reprisal for raising another serious security concern.

Read more articles about the mysterious Edward Brocklesby & Debian affair.