Full Disclosure mailing list archives
Re: Allegations regarding OpenBSD IPSEC
From: "J. Oquendo" <sil () infiltrated net>
Date: Wed, 15 Dec 2010 14:23:55 -0500
On 12/15/2010 1:55 PM, bk wrote:
On Dec 15, 2010, at 10:32 AM, Paul Schmehl wrote:--On December 14, 2010 8:40:14 PM -0500 bugs () fbi dhs org wrote:http://www.downspout.org/?q=node/3 Seems IPSEC might have a back door written into it by the FBI?So for 10 years IPSEC has had a backdoor in it and not one person examining the code has noticed it? <snip> Read The Cathedral and The Bazaar. -- Paul Schmehl, Senior Infosec AnalystI call bullshit on all the people claiming this couldn't possibly have existed because "anyone can read the source." How many of you understand crypto. OK, now how many of you _actually_ understand crypto? And of those, how many look at *BSD? There have been plenty of recent examples of Open Source projects that have had undetected security flaws for multiple years. It's not difficult to believe a relatively uncommon OS could have a subtle weakness in a difficult-to-understand part of the code. In this particular case, it looks to be total FUD by some lunatic with an axe to grind, but we shouldn't be so arrogant to assume that such a flaw _could not_ exist. BTW I actually use OpenBSD on many of my systems and I happen to think it's a very simple and practical OS, but I'm not blind to potential problems. -- chort _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
<2cents> I take the Devil's Advocate approach here: We "assume" all the code in OpenBSD is audited for one. Secondly I quote Juvenal: "*/Quis custodiet ipsos custodes" /*Who is to say the person auditing the code wasn't the one who backdoored the code, this assuming there is or was a backdoor. Thirdly, by Theo "coming clean" and offering disclosure to the public, it could remove the potential of being exposed via pre-emptive strike. If he stays shut and is exposed further down the road, it leads to more questioning. Again, this is assuming that 1) there is a backdoor 2) Theo somehow knew. Furthermore, to think along the lines of "So for 10 years IPSEC has had a backdoor in it and not one person examining the code has noticed it", I too concur with the fact that crypto is a very specific and specialized area which many would not have the capabilities to audit. Because open source projects like OpenBSD are built around trust, there is no way to validate who is working on what. What does one propose in an area like an OpenBSD project? Background checks for all their developers, this would not solve the problem. I personally don't believe based on Theo's demeanor and approach to security that he would have allowed this let alone KNOWN that it occurred. However, the reality is, "who is watching the watchers" </2cents> -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Allegations regarding OpenBSD IPSEC bugs (Dec 14)
- Re: Allegations regarding OpenBSD IPSEC Paul Schmehl (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC musnt live (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC bk (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC Paul Schmehl (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC J. Oquendo (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC Aldis Berjoza (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC Steve Pinkham (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC Michal Zalewski (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC Valdis . Kletnieks (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC phil (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC clément Game (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC BMF (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC Larry Seltzer (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC Graham Gower (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC mark seiden (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC Paul Schmehl (Dec 15)