Date: Thu, 16 Dec 2010 07:54:06 -0500
From: Larry Seltzer <larry@...ryseltzer.com>
To: Abuse007 <abuse007@...il.com>, mark seiden <mis@...den.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Allegations regarding OpenBSD IPSEC

Interesting. Abuse007's observations make me think that maybe the
"backdoor" was a vulnerability that was patched sometime in the past. Time
to scan the CVE list for OpenBSD...

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Abuse007
Sent: Thursday, December 16, 2010 7:26 AM
To: mark seiden
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Allegations regarding OpenBSD IPSEC

Binaries can be (and are) analysed just like source code can. That's how a
lot of bugs have been found in Windows for example.

A lot of open source software has bugs that have gone unnoticed for years.
A backdoor can be in the form of an innocent looking programming error
(which gives a plausible excuse and therefore deniability).

In my opinion it is possible to hide a back door in open source software.
Whether it's probable is a different question.

Changing the s-boxes in DES (and therefore Triple DES as well) would break
compatibility with other implementations as it would no longer decrypt the
same as a standard implementation.

Why purposely program a backdoor when there is probably already a
latent vulnerability in it? Then there are no deniability concerns
and no audit trail of the source code.

My 2 cents

On 16/12/2010, at 1:04 PM, mark seiden <mis@...den.com> wrote:

>
> On Dec 15, 2010, at 5:23 PM, Graham Gower wrote:
>
>> On 16 December 2010 09:50, Larry Seltzer <larry@...ryseltzer.com> wrote:
>>>> Has anyone read this yet?
>>>>
>>>> http://www.downspout.org/?q=node/3
>>>>
>>>> Seems IPSEC might have a back door written into it by the FBI?
>>>>
>>> Surely the thing to do now is not to audit *your own* OpenBSD code, but to
>>> audit the OpenBSD code from about 8 years ago. If there's nothing there,
>>> then the claim is BS.
>>>
>>> LJS
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>> Or get hold of the old version of OpenBSD used at EOUSA and compare it
>> to the OpenBSD code from the same time.
>>
>> __
>
> why should anyone other than a us attorney or perhaps an asst us attorney give a rat's ass
> what may have been going on in their govt issue vpn some years ago?
>
> but, as they prosecute federal crimes, if anyone committed a federal crime within
> their office due to this they are certainly equipped to go after them.
>
> these guys have nothing to do with the fbi (they are familially one of the fbi's little
> first cousins within justice dept) and also have nothing to do with the openbsd
> distribution.
>
> justice and fbi and darpa barely talk with each other about technology is my very
> strong impression.
>
> this whole story makes very little sense to anyone who was at all acquainted with this
> scene at the time.
>
> unless you control the compiler (see ken thompson's turing award lecture) it's a
> fanciful idea that you could successfully plant a backdoor in an open source OS and
> expect it to survive.  why even bother?
>
> (now, watering down the s boxes in single des, that might be feasible...)
