Message-Id: <83C8897F-4569-4B49-8459-9B1E02BC3E3B@gmail.com>
Date: Thu, 16 Dec 2010 23:26:25 +1100
From: Abuse007 <abuse007@...il.com>
To: mark seiden <mis@...den.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Allegations regarding OpenBSD IPSEC
Binaries can be (and are) analysed just like source code can. That's how a lot of bugs have been found in Windows for example.
A lot of open source software has bugs that have gone unnoticed for years. A backdoor can be in the form of an innocent looking programming error (which gives a plausible excuse and therefore deniability).
In my opinion it is possible to hide a back door in open source software. Whether it's probable is a different question.
Changing the S-boxes in DES (and therefore Triple DES as well) would break compatibility with other implementations, as it would no longer decrypt the same as a standard implementation.
Why purposely program a backdoor when there is probably already a latent vulnerability in it? Then there are no deniability concerns and no audit trail of the source code.
My 2 cents
On 16/12/2010, at 1:04 PM, mark seiden <mis@...den.com> wrote:
>
> On Dec 15, 2010, at 5:23 PM, Graham Gower wrote:
>
>> On 16 December 2010 09:50, Larry Seltzer <larry@...ryseltzer.com> wrote:
>>>> Has anyone read this yet?
>>>>
>>>> http://www.downspout.org/?q=node/3
>>>>
>>>> Seems IPSEC might have a back door written into it by the FBI?
>>>>
>>> Surely the thing to do now is not to audit *your own* OpenBSD code, but to
>>> audit the OpenBSD code from about 8 years ago. If there's nothing there,
>>> then the claim is BS.
>>>
>>> LJS
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>> Or get hold of the old version of OpenBSD used at EOUSA and compare it
>> to the OpenBSD code from the same time.
>>
>> __
>
> why should anyone other than a us attorney or perhaps an asst us attorney give a rat's ass
> what may have been going on in their govt issue vpn some years ago?
>
> but, as they prosecute federal crimes, if anyone committed a federal crime within
> their office due to this they are certainly equipped to go after them.
>
> these guys have nothing to do with the fbi (they are familially one of the fbi's little
> first cousins within justice dept) and also have nothing to do with the openbsd
> distribution.
>
> justice and fbi and darpa barely talk with each other about technology is my very
> strong impression.
>
> this whole story makes very little sense to anyone who was at all acquainted with this
> scene at the time.
>
> unless you control the compiler (see ken thompson's turing award lecture) it's a
> fanciful idea that you could successfully plant a backdoor in an open source OS and
> expect it to survive. why even bother?
>
> (now, watering down the s boxes in single des, that might be feasible...)
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
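The one concrete, checkable point in this exchange is the S-box claim: a DES with altered S-boxes still encrypts and decrypts its own traffic, but no longer interoperates with a standard implementation, and the way you notice is a known-answer test against published vectors. The following is an added example written for this archive page, not code from the thread, from OpenBSD or from any DES library. It is a plain reimplementation of FIPS 46 DES with the S-boxes passed in as a parameter, checked against two widely published DES test vectors; the "tampered" S1 (output equals the column index) is an arbitrary illustration chosen here, not any real weakened table.

```python
# Added example: FIPS 46 DES with pluggable S-boxes, plus a known-answer test.
# Not from the original thread or OpenBSD. The tampered S1 below is an arbitrary
# illustration chosen for this example, not a real weakened table.

# FIPS 46 tables. Entries are 1-based bit positions counted from the MSB.
IP = (58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7)
FP = tuple(IP.index(i) + 1 for i in range(1, 65))  # inverse of IP
E = (32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1)
P = (16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25)
PC1 = (57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4)
PC2 = (14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4,
       26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40,
       51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32)
SHIFTS = (1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1)
# Each S-box as 64 hex digits: four rows of sixteen 4-bit outputs.
SBOX_HEX = (
    "e4d12fb83a6c59070f74e2d1a6cb953841e8d62bfc973a50fc8249175b3ea06d",
    "f18e6b34972dc05a3d47f28ec01a69b50e7ba4d158c6932fd8a13f42b67c05e9",
    "a09e63f51dc7b428d709346a285ecbf1d6498f30b12c5ae71ad069874fe3b52c",
    "7de3069a1285bc4fd8b56f03472c1ae9a690cb7df13e52843f06a1d8945bc72e",
    "2c417ab6853fd0e9eb2c47d150fa3986421bad78f9c5630eb8c71e2d6f09a453",
    "c1af92680d34e75baf427c9561de0b389ef528c3704a1db6432c95fabe17608d",
    "4b2ef08d3c975a61d0b7491ae35c2f8614bdc37eaf6805926bd814a7950fe23c",
    "d2846fb1a93e50c71fd8a374c56b0e927b419ce206adf35821e74a8dfc90356b",
)
SBOXES = tuple(tuple(int(ch, 16) for ch in s) for s in SBOX_HEX)


def permute(value, table, width):
    """Select bits of a width-bit int in the order given by a FIPS 46 table."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out


def key_schedule(key):
    """Sixteen 48-bit round keys from a 64-bit key (parity bits are dropped by PC1)."""
    cd = permute(key, PC1, 64)
    c, d = cd >> 28, cd & 0x0FFFFFFF
    keys = []
    for s in SHIFTS:
        c = ((c << s) | (c >> (28 - s))) & 0x0FFFFFFF  # 28-bit left rotate
        d = ((d << s) | (d >> (28 - s))) & 0x0FFFFFFF
        keys.append(permute((c << 28) | d, PC2, 56))
    return keys


def feistel(r, subkey, sboxes):
    """DES round function f(R, K), with the S-box set supplied by the caller."""
    x = permute(r, E, 32) ^ subkey  # 48 bits
    out = 0
    for i in range(8):
        chunk = (x >> (42 - 6 * i)) & 0x3F
        row = ((chunk >> 5) << 1) | (chunk & 1)  # outer two bits pick the row
        col = (chunk >> 1) & 0xF                  # inner four bits pick the column
        out = (out << 4) | sboxes[i][row * 16 + col]
    return permute(out, P, 32)


def des_block(key, block, decrypt=False, sboxes=SBOXES):
    """Encrypt (or decrypt) one 64-bit block; key and block are ints."""
    keys = key_schedule(key)
    if decrypt:
        keys.reverse()
    x = permute(block, IP, 64)
    l, r = x >> 32, x & 0xFFFFFFFF
    for k in keys:
        l, r = r, l ^ feistel(r, k, sboxes)
    return permute((r << 32) | l, FP, 64)  # final swap then FP


def tampered_sboxes():
    """Standard boxes with S1 replaced by one whose output is just its column index.
    Arbitrary illustration for this example; any altered table behaves the same."""
    weak_s1 = tuple(col for _row in range(4) for col in range(16))
    return (weak_s1,) + SBOXES[1:]


# Published DES test vectors: (key, plaintext, ciphertext).
KNOWN_ANSWERS = (
    (0x133457799BBCDFF1, 0x0123456789ABCDEF, 0x85E813540F0AB405),
    (0x0000000000000000, 0x0000000000000000, 0x8CA64DE9C1B123A7),
)


def kat_passes(sboxes=SBOXES):
    """True only if this S-box set reproduces the published ciphertexts."""
    return all(des_block(k, pt, sboxes=sboxes) == ct for k, pt, ct in KNOWN_ANSWERS)


def roundtrips(sboxes, key=0x133457799BBCDFF1, pt=0x0123456789ABCDEF):
    """Any S-box set round-trips (Feistel), so a self-test alone proves nothing."""
    ct = des_block(key, pt, sboxes=sboxes)
    return des_block(key, ct, decrypt=True, sboxes=sboxes) == pt


if __name__ == "__main__":
    print("standard boxes pass KAT:", kat_passes())
    print("tampered boxes pass KAT:", kat_passes(tampered_sboxes()))
    print("tampered boxes still round-trip:", roundtrips(tampered_sboxes()))
```

The point for an auditor is the last two functions: a build whose S-boxes were replaced still passes any encrypt-then-decrypt self-test, because the Feistel structure inverts whatever round function you give it, so only a comparison against published known-answer vectors (or against an independent implementation) exposes the substitution. That is also why, as the message above says, such a change would not survive in the field: the first peer running an unmodified implementation would fail to decrypt.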