[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] OpenBSD has Open Backdoored Software Distribution - admitted by Theo
- To: mrx <mrx@xxxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] OpenBSD has Open Backdoored Software Distribution - admitted by Theo
- From: The Sp3ctacle <sp3ctacle@xxxxxxxxx>
- Date: Wed, 22 Dec 2010 22:24:20 -0500
It shouldn't be that hard to bindiff the code compiled with with the
shipped compiler with the code from a compiler that predates the
latest backdoor shenanigans. You could decompile the binary code and
then ask a cryptographer to audit.
On Wed, Dec 22, 2010 at 7:36 PM, mrx <mrx@xxxxxxxxxxxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 23/12/2010 00:00, Dan Kaminsky wrote:
>> On Wed, Dec 22, 2010 at 3:47 PM, Dave Nett <dave.nett@xxxxxxxxx> wrote:
>>
>>> http://marc.info/?l=openbsd-tech&m=129296046123471&w=2
>>>
>>> Long mail which just admit has backdoor, poor Theo.
>>>
>>
>>
>> (g) I believe that NETSEC was probably contracted to write backdoors
>> as alleged.
>> (h) If those were written, I don't believe they made it into our
>> tree. They might have been deployed as their own product.
>>
>> You had only one more sentence to read! Just one!
>>
>
>
>
> "> where would you start auditing the code? It's just too much.
>
> Actually, it is a very small part of the tree..."
>
>
> I am aware that compilers can be coded to introduce "features" into binaries
> that are not in the actual source code itself.
> So with all due respect and possibly much ignorance on my part, what is a
> code audit going to achieve if one uses the shipped compiler to
> compile the source? Unless one codes ones own compiler can any binary be
> trusted?
>
> Would not reversing the compiled code lead to a proper insight? Are the
> compiled binaries that handle these crypto functions so complex that
> they cannot be reversed by a skilled assembly coder? I guess that such a
> coder would have to be an expert cryptographer too, or at least
> collaborate with one.
>
> My curiosity is genuine, I am trying to educate myself about such things.
>
> regards
> Dave
>
>
> - --
> Mankind's systems are white sticks tapping walls.
> Thanks Roy
> http://www.propergander.org.uk
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEVAwUBTRKZc7Ivn8UFHWSmAQIL9Af/e4HawFmXZc2zIHqEz1mah5+NuNiAH6o2
> VJkPiC955moZ5L07rKtfSsV8ktDYUw6EczmPQI5UWFrFsu5SON2LPHkh2ifSrzMS
> Y5fj+Qjg7BWiamO3iDklJS50x1rEVTSAT6ErydKNGFHkQqieTgjAfemhRQBrjQuo
> IYQtF3Ij3v0+gIx+mhQ5mEsxLqKST5Gz6M45VZ9MtfX8fUMkBIQoRBNTHv10oqP+
> pMsQD+M/UG+cCWd+8DuKmvRCHnhIsJPnZqxQZ5b5P0ZVgSx3XbrTB2+st1+B5xNQ
> LI57VElZWEmNVcEAYZ+5T5AG3tJonjCBtwg832fXuk3pHq62C06uag==
> =qHih
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/