
Re: [Full-disclosure] OpenBSD Smoking Gun



On Thu, Dec 23, 2010 at 8:46 AM, Blank Reg <blankreg@xxxxxxxxxxxxxxx> wrote:
>> Musntlive has warned you all about
>> OpenB(ackdoored)S(oftwared)D(istrobution) for is some time and is all
>
> At risk of feeding the troll, this whole business has a positive side
> that no-one seems to have mentioned:
http://www.collegehumor.com/video:1926079

> 1> The seeding of "evil" developers into large software projects by The
> Man(tm) has now shifted from conspiracy theory to conspiracy in many
> people's minds.
Spies are as old as war itself.

> 2> OpenBSD is the only project *we currently know of* that has been
> infiltrated. It seems highly likely that other projects/OS's will have
> been similarly treated.
The end game is a broken implementation. I have not seen any C code
flagged as defective (but have not looked too hard). Has anyone
produced such code? Otherwise, a weak or broken implementation might
have been weeded out before being distributed (assuming it was checked
in).

> 3> As a result of being Open Source, the damage to OpenBSD's IPSec
> stack was pretty pathetic, and is now subject to scrutiny. In the end
> this will lead to the OpenBSD IPSec being the *only* trustworthy
> implementation.
"Only" is a little strong.

> 4> A big question mark now hangs over the security of closed-source crypto
> implementations. Seriously, can anyone really trust Windows IPSec after
> this incident? Do you trust your Apple AES-128 encrypted dmg
> files?
I still remember the NSAKEY and Microsoft. http://en.wikipedia.org/wiki/NSAKEY.

Jeff.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/