| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Dec 2010 14:23:55 -0500
From: "J. Oquendo" <sil@...iltrated.net>
To: bk <chort0@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Allegations regarding OpenBSD IPSEC
On 12/15/2010 1:55 PM, bk wrote:
> On Dec 15, 2010, at 10:32 AM, Paul Schmehl wrote:
>
>> --On December 14, 2010 8:40:14 PM -0500 bugs@....dhs.org wrote:
>>> http://www.downspout.org/?q=node/3
>>>
>>> Seems IPSEC might have a back door written into it by the FBI?
>>>
>> So for 10 years IPSEC has had a backdoor in it and not one person examining
>> the code has noticed it? <snip>
>>
>> Read The Cathedral and The Bazaar.
>>
>> --
>> Paul Schmehl, Senior Infosec Analyst
> I call bullshit on all the people claiming this couldn't possibly have existed because "anyone can read the source." How many of you understand crypto. OK, now how many of you _actually_ understand crypto? And of those, how many look at *BSD?
>
> There have been plenty of recent examples of Open Source projects that have had undetected security flaws for multiple years. It's not difficult to believe a relatively uncommon OS could have a subtle weakness in a difficult-to-understand part of the code.
>
> In this particular case, it looks to be total FUD by some lunatic with an axe to grind, but we shouldn't be so arrogant to assume that such a flaw _could not_ exist.
>
> BTW I actually use OpenBSD on many of my systems and I happen to think it's a very simple and practical OS, but I'm not blind to potential problems.
>
> --
> chort
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
<2cents>
I take the Devil's Advocate approach here: We "assume" all the code in
OpenBSD is audited for one. Secondly I quote Juvenal: "*/Quis custodiet
ipsos custodes" /*Who is to say the person auditing the code wasn't the
one who backdoored the code, this assuming there is or was a backdoor.
Thirdly, by Theo "coming clean" and offering disclosure to the public,
it could remove the potential of being exposed via pre-emptive strike.
If he stays shut and is exposed further down the road, it leads to more
questioning. Again, this is assuming that 1) there is a backdoor 2) Theo
somehow knew.
Furthermore, to think along the lines of "So for 10 years IPSEC has had
a backdoor in it and not one person examining the code has noticed it",
I too concur with the fact that crypto is a very specific and
specialized area which many would not have the capabilities to audit.
Because open source projects like OpenBSD are built around trust, there
is no way to validate who is working on what. What does one propose in
an area like an OpenBSD project? Background checks for all their
developers, this would not solve the problem.
I personally don't believe based on Theo's demeanor and approach to
security that he would have allowed this let alone KNOWN that it
occurred. However, the reality is, "who is watching the watchers"
</2cents>
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists