| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 Dec 2010 22:24:20 -0500 From: The Sp3ctacle <sp3ctacle@...il.com> To: mrx <mrx@...pergander.org.uk> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo It shouldn't be that hard to bindiff the code compiled with with the shipped compiler with the code from a compiler that predates the latest backdoor shenanigans. You could decompile the binary code and then ask a cryptographer to audit. On Wed, Dec 22, 2010 at 7:36 PM, mrx <mrx@...pergander.org.uk> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 23/12/2010 00:00, Dan Kaminsky wrote: >> On Wed, Dec 22, 2010 at 3:47 PM, Dave Nett <dave.nett@...oo.com> wrote: >> >>> http://marc.info/?l=openbsd-tech&m=129296046123471&w=2 >>> >>> Long mail which just admit has backdoor, poor Theo. >>> >> >> >> (g) I believe that NETSEC was probably contracted to write backdoors >> as alleged. >> (h) If those were written, I don't believe they made it into our >> tree. They might have been deployed as their own product. >> >> You had only one more sentence to read! Just one! >> > > > > "> where would you start auditing the code? It's just too much. > > Actually, it is a very small part of the tree..." > > > I am aware that compilers can be coded to introduce "features" into binaries that are not in the actual source code itself. > So with all due respect and possibly much ignorance on my part, what is a code audit going to achieve if one uses the shipped compiler to > compile the source? Unless one codes ones own compiler can any binary be trusted? > > Would not reversing the compiled code lead to a proper insight? Are the compiled binaries that handle these crypto functions so complex that > they cannot be reversed by a skilled assembly coder? I guess that such a coder would have to be an expert cryptographer too, or at least > collaborate with one. > > My curiosity is genuine, I am trying to educate myself about such things. > > regards > Dave > > > - -- > Mankind's systems are white sticks tapping walls. > Thanks Roy > http://www.propergander.org.uk > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iQEVAwUBTRKZc7Ivn8UFHWSmAQIL9Af/e4HawFmXZc2zIHqEz1mah5+NuNiAH6o2 > VJkPiC955moZ5L07rKtfSsV8ktDYUw6EczmPQI5UWFrFsu5SON2LPHkh2ifSrzMS > Y5fj+Qjg7BWiamO3iDklJS50x1rEVTSAT6ErydKNGFHkQqieTgjAfemhRQBrjQuo > IYQtF3Ij3v0+gIx+mhQ5mEsxLqKST5Gz6M45VZ9MtfX8fUMkBIQoRBNTHv10oqP+ > pMsQD+M/UG+cCWd+8DuKmvRCHnhIsJPnZqxQZ5b5P0ZVgSx3XbrTB2+st1+B5xNQ > LI57VElZWEmNVcEAYZ+5T5AG3tJonjCBtwg832fXuk3pHq62C06uag== > =qHih > -----END PGP SIGNATURE----- > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists