lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4D129973.3020201@propergander.org.uk>
Date: Thu, 23 Dec 2010 00:36:03 +0000
From: mrx <mrx@...pergander.org.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: OpenBSD has Open Backdoored Software
 Distribution - admitted by Theo

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 23/12/2010 00:00, Dan Kaminsky wrote:
> On Wed, Dec 22, 2010 at 3:47 PM, Dave Nett <dave.nett@...oo.com> wrote:
> 
>> http://marc.info/?l=openbsd-tech&m=129296046123471&w=2
>>
>> Long mail which just admit has backdoor, poor Theo.
>>
> 
> 
>     (g) I believe that NETSEC was probably contracted to write backdoors
>         as alleged.
>     (h) If those were written, I don't believe they made it into our
>         tree.  They might have been deployed as their own product.
> 
> You had only one more sentence to read!  Just one!
> 



"> where would you start auditing the code? It's just too much.

Actually, it is a very small part of the tree..."


I am aware that compilers can be coded to introduce "features" into binaries that are not in the actual source code itself.
So with all due respect and possibly much ignorance on my part, what is a code audit going to achieve if one uses the shipped compiler to
compile the source? Unless one codes ones own compiler can any binary be trusted?

Would not reversing the compiled code lead to a proper insight? Are the compiled binaries that handle these crypto functions so complex that
they cannot be reversed by a skilled assembly coder? I guess that such a coder would have to be an expert cryptographer too, or at least
collaborate with one.

My curiosity is genuine, I am trying to educate myself about such things.

regards
Dave


- -- 
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBTRKZc7Ivn8UFHWSmAQIL9Af/e4HawFmXZc2zIHqEz1mah5+NuNiAH6o2
VJkPiC955moZ5L07rKtfSsV8ktDYUw6EczmPQI5UWFrFsu5SON2LPHkh2ifSrzMS
Y5fj+Qjg7BWiamO3iDklJS50x1rEVTSAT6ErydKNGFHkQqieTgjAfemhRQBrjQuo
IYQtF3Ij3v0+gIx+mhQ5mEsxLqKST5Gz6M45VZ9MtfX8fUMkBIQoRBNTHv10oqP+
pMsQD+M/UG+cCWd+8DuKmvRCHnhIsJPnZqxQZ5b5P0ZVgSx3XbrTB2+st1+B5xNQ
LI57VElZWEmNVcEAYZ+5T5AG3tJonjCBtwg832fXuk3pHq62C06uag==
=qHih
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ