Message-ID: <AANLkTimQPF6EREZs0xtB=gR7YKpmQQr2cAVfKq+3SfNc@mail.gmail.com>
Date: Thu, 23 Dec 2010 11:49:42 -0500
From: Jeffrey Walton <noloader@...il.com>
To: Blank Reg <blankreg@...khotmail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: OpenBSD Smoking Gun
On Thu, Dec 23, 2010 at 8:46 AM, Blank Reg <blankreg@...khotmail.com> wrote:
>> Musntlive has warned you all about
>> OpenB(ackdoored)S(oftwared)D(istrobution) for is some time and is all
>
> At risk of feeding the troll, this whole business has a positive side
> that no-one seems to have mentioned:
http://www.collegehumor.com/video:1926079
> 1> The seeding of "evil" developers into large software projects by The
> Man(tm) has now shifted from conspiracy theory to conspiracy in many
> people's minds.
Spies are as old as war itself.
> 2> OpenBSD is the only project *we currently know of* that has been
> infiltrated. It seems highly likely that other projects/OS's will have
> been similarly treated.
The end game is a broken implementation. I have not seen any C code
flagged as defective (but have not looked too hard). Has anyone
produced such code? Otherwise, a weak or broken implementation might
have been weeded out before being distributed (assuming it was checked
in).
> 3> As a result of being Open Source, the damage to OpenBSD's IPSec
> stack was pretty pathetic, and is now subject to scrutiny. In the end
> this will lead to the OpenBSD IPSec being the *only* trustworthy
> implementation.
"Only" is a little strong.
> 4> A big question mark now hangs over the security of closed-source crypto
> implementations. Seriously, can anyone really trust Windows IPSec after
> this incident? Do you trust your Apple AES-128 encrypted dmg
> files?
I still remember the NSAKEY and Microsoft. http://en.wikipedia.org/wiki/NSAKEY.
Jeff.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/