lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 16 Dec 2010 18:57:01 -0600
From: "J. Oquendo" <sil@...iltrated.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Allegations regarding OpenBSD IPSEC


I can only speculate the following with regards to Perry coming out
of the blue with this news and it obviously means nothing as I'm not
a profiler, psychologist, etc. and even if I were, who cares at the
end of the day.

There is probably some form of credibility to perhaps the government
wanting to backdoor OpenBSD or any other operating system but that
obviously does not mean this occurred.

What I think about his disclosure is, Perry sought to make something
known to Theo which took Theo by surpise and Theo being who he is
disclosed it to the public. The following strike me as odd though:

I have never seen Theo come out of the blue publicly for something
non-BSD related. I never struck him as the type to put his business
out there especially in a case like this.

My thoughts are: If he DID know something, why would he PUBLICLY out
himself like that. It would have made more sense for him to keep
that conversation private and lie enough to dissuade this Perry go
to hush/think about things differently, etc.

I'm think if it were me, I would have done the same had I no
knowledge. Had I knowledge, my first thought would be: "By publicly
disclosing anything, the people I report(ed) to will be pissed and
it'll kick up a firestorm" (this is for those who speculate Theo
had something to do with this).

So I think, what does this Perry guy have against the others. Are
there any documented exchanges or disagreements between Perry,
Wright or Lowe? For someone to come out of the blue, name names 10
years later makes little sense. It must have been a hell of a bone
to grind to wait 10 years once an NDA has expired to "out" someone.
For that, an anonymous email to a mailing list would have sufficed
as opposed to waiting 10 years.

I then think, wait a minute, something like this (backdooring
anything) must go beyond a 10 year NDA. Even if it didn't, the
potential blowback Perry could face would be so enormous, it would
not only be insane to come out of the woodworks, but likely career
suicide as well. The 'bone to pick' doesn't sound realistic. After
all, he could have submitted an anonymous email years ago to
air his dirt.

What I believe happened is an iteration of rumors. Perhaps there
came a time when an agency in government wanted to place backdoors,
maybe even approached BSD developers [1]. Did it fly? Only three
people would completely know at the end of the day: Perry, Scott
Lowe (whomever he is) Jason Wright.

"Would you like to help the government... We need you to ..." which
after time became "the government placed a backdoor." Ten years is
an awful long time to sit around with whiffs of news like this. I
doubt a secret like that could have been kept secret for 10 long
years. At the same time though, I doubt there is reason for Perry
to outright make this up. I think maybe he heard a rumor and
rolled with it.

I've re-read Perry's email to Theo and another response. His
initial e-mail didn't impose a sense of "payback is a bitch"
but more of a "I think you should know" so for those claiming "he
wanted to get back at Theo" you may be oblivious to the fact that
he sent the email to Theo in private, not to a mailing list. That
debunks any notion to me that he was trying to hurt Theo. He
would have had to have known 100% that Theo would disclose the
email. So the point of him coming out of the closet to hurt Theo
is weak and moot if you ask me.

As for the credibility of a former agent saying "we tried it
didn't work" sounds fishy as well. I don't know about anyone else
but I can't imagine him admitting to anything "sure we backdoored
it" That wouldn't make any sense and would likely make him a few
enemies both on and off that agency.

At the end of the day though, I could honestly care less if
they backdoored my VPN. They'd be might bored wondering why
terminals are always tail -f'ing, and how the hell I manage to
type so much without shutting up ;)


[1] https://twitter.com/ejhilbert/status/14891845825863680


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ