[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1848637950.1494221292439916038.JavaMail.root@plumbob.merit.edu>
Date: Wed, 15 Dec 2010 14:05:16 -0500 (EST)
From: Ryan Sears <rdsears@....edu>
To: Paul Schmehl <pschmehl_lists@...rr.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Allegations regarding OpenBSD IPSEC
Hey all,
Lots of interesting points so far. I have to respectfully dis-agree with those saying 'NO POC, NO FOUL' (or however you put it).
Think carefully about the way in which one would go about back-dooring something like IPSEC under such a scrupulous public eye. You have *very* intelligent developers constantly looking at almost every aspect of the code. You obviously can't backdoor something like this like the idiots who backdoored the proftpd (strcmp for ACIDBITCHEZ, really?), you have to use *a lot* more finesse.
The best way to actually pull this off is to purposely screw up parts of the code, use common programming bugs in conjunction with one another, along with very rare edge cases to subtly reduce the crypto keyspace in any ways possible, be it through reducing OS-level entropy, or by some other means. This gives you a backdoor that not only might pass the eyes of the developers, the public, and anyone else trying to find weaknesses in the code, but it would (more then likely) also thwart any fuzzing techniques people employ against IPSEC to discover your backdoor. It also has the added advantage of plausible deniability ("Oh I can't be blamed for mistyping that, or leaving that particular part not 100% guarded."), and in that way it's impossible to sort out malicious intent. Then only one group knows how to trigger the edge case that leads to the compromised keyspace.
People who architect things like the crypto stack for openBSD don't exactly have a huge amount of eyes on them, as the code is quite complex, so it's plausible that these subtle bugs could have been introduced on purpose, with malicious intent.
Do similar techniques to those above in enough clever ways and you have a VPN tunnel that the FBI (or some other 3-letter agency) can reverse, and since BSD has such a reputation for security, chances are high-profile targets have optioned that for secure communications. You see where I'm going.
I'm not saying this IS what happened, just simply a scenario that I've been thinking about (or how I'd go about it :-P).
Next think about the kind of stuff Microsoft and OSX has potentially built into the low-level windows kernel. They don't even really need to be subtle if their pockets are deep enough. Scary. :-/
::takes off tin-foil hat::
Ryan Sears
----- Original Message -----
From: "Paul Schmehl" <pschmehl_lists@...rr.com>
To: bugs@....dhs.org, full-disclosure@...ts.grok.org.uk
Sent: Wednesday, December 15, 2010 1:32:47 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Allegations regarding OpenBSD IPSEC
--On December 14, 2010 8:40:14 PM -0500 bugs@....dhs.org wrote:
> Hi,
>
> Has anyone read this yet?
>
> http://www.downspout.org/?q=node/3
>
> Seems IPSEC might have a back door written into it by the FBI?
>
So for 10 years IPSEC has had a backdoor in it and not one person examining
the code has noticed it? Or even questioned it? That's a bit hard to
believe. It's along the same lines as the stories that Microsoft captures
all your packets and harvests your personal information.
Read The Cathedral and The Bazaar.
--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists