lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 16 Dec 2010 23:26:25 +1100
From: Abuse007 <abuse007@...il.com>
To: mark seiden <mis@...den.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Allegations regarding OpenBSD IPSEC

Binaries can be (and are) analysed just like source code can. That's how a lot of bugs have been found in Windows for example.

A lot of open source software has bugs that have gone unnoticed for years. A backdoor can be in the form of an innocent looking programming error (which gives a plausible excuse and therefore deniability).

In my opinion it is possible to hide a back door in open source software. Whether it's probable is a different question.

Changing the s-boxes in DES (and therefore Triple DES as well) would break comparability with other implementations as it would no longer decrypt the same as a standard implementation.

Why purposely program a backdoor when there are already probably already a latent vulnerability in it already? Then there is no deniability concerns and no audit trail of the source code.

My 2 cents

On 16/12/2010, at 1:04 PM, mark seiden <mis@...den.com> wrote:

> 
> On Dec 15, 2010, at 5:23 PM, Graham Gower wrote:
> 
>> On 16 December 2010 09:50, Larry Seltzer <larry@...ryseltzer.com> wrote:
>>>> Has anyone read this yet?
>>>> 
>>>> http://www.downspout.org/?q=node/3
>>>> 
>>>> Seems IPSEC might have a back door written into it by the FBI?
>>>> 
>>> Surely the thing to do now is not to audit *your own* OpenBSD code, but to
>>> audit the OpenBSD code from about 8 years ago. If there's nothing there,
>>> then the claim is BS.
>>> 
>>> LJS
>>> 
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>> 
>> 
>> Or get hold of the old version of OpenBSD used at EOUSA and compare it
>> to the OpenBSD code from the same time.
>> 
>> __
> 
> why should anyone other than a us attorney or perhaps an asst us attorney give a rat's ass
> what may have been going on in their govt issue vpn some years ago?
> 
> but, as they prosecute federal crimes, if anyone committed a federal crime within
> their office due to this they are certainly equipped to go after them.
> 
> these guys have nothing to do with the fbi (they are familially one of the fbi's little
> first cousins within justice dept) and also have nothing to do with the openbsd 
> distribution.
> 
> justice and fbi and darpa barely talk with each other about technology is my very
> strong impression.
> 
> this whole story makes very little sense to anyone who was at all acquainted with this
> scene at the time.
> 
> unless you control the compiler (see ken thompson's turing award lecture) it's a 
> fanciful idea that you could successfully plant a backdoor in an open source OS and 
> expect it to survive.  why even bother?
> 
> (now, watering down the s boxes in single des, that might be feasible...)
> 
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ