| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 Dec 2010 01:53:38 +0100
From: Carlos Alberto Lopez Perez <clopez@...lia.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: OpenBSD has Open Backdoored Software
Distribution - admitted by Theo
On 12/23/2010 01:36 AM, mrx wrote:
> On 23/12/2010 00:00, Dan Kaminsky wrote:
>> On Wed, Dec 22, 2010 at 3:47 PM, Dave Nett <dave.nett@...oo.com> wrote:
>
>>> http://marc.info/?l=openbsd-tech&m=129296046123471&w=2
>>>
>>> Long mail which just admit has backdoor, poor Theo.
>>>
>
>
>> (g) I believe that NETSEC was probably contracted to write backdoors
>> as alleged.
>> (h) If those were written, I don't believe they made it into our
>> tree. They might have been deployed as their own product.
>
>> You had only one more sentence to read! Just one!
>
>
>
>
> "> where would you start auditing the code? It's just too much.
>
> Actually, it is a very small part of the tree..."
>
>
> I am aware that compilers can be coded to introduce "features" into binaries that are not in the actual source code itself.
> So with all due respect and possibly much ignorance on my part, what is a code audit going to achieve if one uses the shipped compiler to
> compile the source? Unless one codes ones own compiler can any binary be trusted?
>
I am also aware that processors can have hidden "features" that make them
execute a sightly different program that the one you expect to be executed.
So, can we trust processors unless you make your own processor?
For example think about the new Intel processors that are shipped with the
AES-NI [1] instruction set. How difficult would be to governments and
powerful people/companies to hide a trojan horse in this processors? And
would you ever notice the existence of this hidden "feature"?
[1] http://en.wikipedia.org/wiki/AES_instruction_set
> Would not reversing the compiled code lead to a proper insight? Are the compiled binaries that handle these crypto functions so complex that
> they cannot be reversed by a skilled assembly coder? I guess that such a coder would have to be an expert cryptographer too, or at least
> collaborate with one.
>
> My curiosity is genuine, I am trying to educate myself about such things.
>
> regards
> Dave
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Download attachment "signature.asc" of type "application/pgp-signature" (263 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists