Date: Thu, 16 Dec 2010 13:58:57 -0700
From: "John Horn" <John.Horn@...sonaz.gov>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Re: Allegations regarding OpenBSD IPSEC

Don't forget that the Apollo program was filmed on a sound stage... 

On a more serious note, every point you've made is valid. 
Anyone who's ever met Theo would be hard put to believe such a claim anyway. 

--
John Horn
City of Tucson, IT Department
Network Services (Network security)
Phone: (520) 837-6036

>>> On Thu, Dec 16, 2010 at  1:50 PM, in message <426E9C71C99E6DB13E125C0D@...71538.local>, Paul Schmehl <pschmehl_lists@...rr.com> wrote:

There are several problems with this story that seem to have been
overlooked.

First, if someone was able to alter the crypto source code 10 years ago,
you have to assume that in the following 10 years not one person reviewing
or editing that code would have noticed a thing.  So, the person who did
the altering has to be smarter than every other crypto guy who worked on
the code.  Smart enough that nobody would even notice what he did and smart
enough that nothing would be noticed operationally.  Not one entity, with
all the security personnel those entities employed, would have ever noticed
or even inadvertently stumbled across any traffic going to an unexpected
place.

Second, no one editing the crypto code after the alteration would have ever
made a single change to the code that would affect the alteration in an
adverse way, either rendering it inoperable or causing it to generate
traffic that would be unexpected and noticed by watchful eyes.

Now we're talking a genius on the level of Einstein, at least.  Of all the
code in use, crypto is probably the most scrutinized and is scrutinized by
the smartest guys.  All of whom were apparently too dumb to notice
*anything* unusual in the code at all, if this story is to be believed.
And he was able to alter it in a way that made it completely resistant to
any future changes in the code.

Finally, the guy who sent Theo the email obviously lied, or else there's a
third Scott Lowe that hasn't yet been unearthed.

It's impossible to prove a negative.  So, if you want to hurt or get back
at Theo for some reason, the easiest way to do it is claim there's a
supersekrit backdoor in the code that no one has noticed for ten years.
Now Theo gets to go on a wild goose chase that has no resolution, because
you cannot prove there is no backdoor.  The best you can do is claim to
have thoroughly audited the code and not found one.

Conspiracy theorists thrive on claims that can never be disproven.  A
hundred years from now, people will still be whispering that there's a
backdoor in the crypto supplied by OpenBSD.  Just like they claim that
Oswald didn't act alone and the government blew up the twin towers.  Common
sense and the preponderance of the evidence tell you otherwise, but all
that is ignored in favor of the grand theory that big brother is watching.

Rational people don't fall for this stuff.

Should the code be audited?  Of course!  Auditing is always useful and
often productive.  Should we assume the worst?  Not without better evidence
than what we have before us now.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
