lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 17 Dec 2010 11:12:06 -0600
From: Paul Schmehl <pschmehl_lists@...rr.com>
To: Larry Seltzer <larry@...ryseltzer.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Allegations regarding OpenBSD IPSEC

--On December 16, 2010 7:47:36 PM -0500 Larry Seltzer 
<larry@...ryseltzer.com> wrote:

> Instead of an overt back-door, is it possible that Theo's old friend (;))
> is referring to exploitable vulnerabilities. These vulnerabilities may or
> may not have been found in the interim and fixed, but not recognized as
> backdoors.
>
> As you said, it's impossible to prove a negative (prove to me that you
> haven't read Moby Dick), but the scenario above sounds kind of reasonable
> to me.
>

If you work in security (I mean professionally - dealing day to day with 
the problems that arise - not the wannabes who post to lists and act like 
know-it-alls), you quickly learn to cast a jaundiced eye on unsubstantiated 
claims made on the internet.  You begin to ask, what is the poster's 
motive?  What's the goal of publicizing this?  What is he not saying?

In the case of Mr. Perry, he has made claims that have proven to be untrue 
(or at least been categorically denied by the persons supposedly involved), 
and he has thrown out some big names as if those substantiate his claims. 
(Shades of the common trait of internet myths.)

The one thing Mr. Perry has not done, and which, if his claims have any 
merit at all, he could easily do, since he claims he's no longer under NDA, 
is post the code that proves that there is a backdoor.  After all, he 
supposedly wrote it, along with others.  He must know precisely what and 
where it is.  At a minimum he could say that Theo needs to closely audit 
netif.h or crypto.c or des_setkey.c or something similar.

So why hasn't he posted the code?  I can think of some plausible reasons. 
(There may be others.)  Perhaps he wants to create FUD around OpenBSD for 
some reason.  (Note to musnt live: I don't use OpenBSD.  If you had a clue 
how to read mail headers you would know that or if you had the simple 
skills to do a Google search, you would know that I'm a port maintainer for 
FreeBSD.  Oh, I've installed and run OpenBSD in the past.  But I haven't 
used it in years.  And I don't give a hoot about it or about Theo, one way 
or the other.  And the thought of smelling his crotch has never once 
crossed my mind - but it did yours - which leads to some interesting 
questions about your proclivities.)

Perhaps he wants to gain some notoriety.  He's certainly done that.

Perhaps he really doesn't know anything at all about a backdoor and is 
simply blowing smoke.

Perhaps he is aware of rumors about a backdoor but has no proof and is 
hoping Theo will do the hard work of auditing the code for him.

Perhaps he thinks there's a backdoor but he hasn't the coding skills to 
confirm it or even to audit the code.

Only Mr. Perry knows the truth.  But one thing is certain.  He could easily 
end the controversy if he wanted to but he hasn't.  And that says a great 
deal more about him and his motives than it does about the integrity of the 
OpenBSD code or the possibility of a backdoor existing in it.

The fact that I have to write all this irritates me.  It's a waste of my 
time.  But that's the price you pay for being on the internet, which 
abounds with idiots who will swallow every wild and unsubstantiated claim 
without question and who live in a world of paranoia where Big Brother is 
always right around the corner.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ