Re: [Full-disclosure] Allegations regarding OpenBSD IPSEC
- To: mark seiden <mis@xxxxxxxxxx>
- Subject: Re: [Full-disclosure] Allegations regarding OpenBSD IPSEC
- From: Abuse007 <abuse007@xxxxxxxxx>
- Date: Thu, 16 Dec 2010 23:26:25 +1100
Binaries can be (and are) analysed just like source code can. That's how a lot
of bugs have been found in Windows for example.
A lot of open source software has bugs that have gone unnoticed for years. A
backdoor can be in the form of an innocent looking programming error (which
gives a plausible excuse and therefore deniability).
In my opinion it is possible to hide a back door in open source software.
Whether it's probable is a different question.
Changing the s-boxes in DES (and therefore Triple DES as well) would break
compatibility with other implementations, as it would no longer decrypt the same
as a standard implementation.
Why purposely program a backdoor when there is probably already a latent
vulnerability in it? Then there are no deniability concerns and no audit trail
in the source code.
My 2 cents
On 16/12/2010, at 1:04 PM, mark seiden <mis@xxxxxxxxxx> wrote:
>
> On Dec 15, 2010, at 5:23 PM, Graham Gower wrote:
>
>> On 16 December 2010 09:50, Larry Seltzer <larry@xxxxxxxxxxxxxxxx> wrote:
>>>> Has anyone read this yet?
>>>>
>>>> http://www.downspout.org/?q=node/3
>>>>
>>>> Seems IPSEC might have a back door written into it by the FBI?
>>>>
>>> Surely the thing to do now is not to audit *your own* OpenBSD code, but to
>>> audit the OpenBSD code from about 8 years ago. If there's nothing there,
>>> then the claim is BS.
>>>
>>> LJS
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>> Or get hold of the old version of OpenBSD used at EOUSA and compare it
>> to the OpenBSD code from the same time.
>>
>> __
>
> why should anyone other than a us attorney or perhaps an asst us attorney give a rat's ass what may have been going on in their govt issue vpn some years ago?
>
> but, as they prosecute federal crimes, if anyone committed a federal crime within their office due to this they are certainly equipped to go after them.
>
> these guys have nothing to do with the fbi (they are familially one of the fbi's little first cousins within justice dept) and also have nothing to do with the openbsd distribution.
>
> justice and fbi and darpa barely talk with each other about technology is my very strong impression.
>
> this whole story makes very little sense to anyone who was at all acquainted with this scene at the time.
>
> unless you control the compiler (see ken thompson's turing award lecture) it's a fanciful idea that you could successfully plant a backdoor in an open source OS and expect it to survive. why even bother?
>
> (now, watering down the s boxes in single des, that might be feasible...)