Re: Allegations regarding OpenBSD IPSEC

[Larry Seltzer <larry () larryseltzer com>]

> The one thing Mr. Perry has not done, and which, if his claims have any
> merit at all, he could easily do, since he claims he's no longer under
NDA,
> is post the code that proves that there is a backdoor.  After all, he
> supposedly wrote it, along with others.

Actually, he did not say that he wrote code. He said that "Jason
Wright and several other developers were responsible for those
backdoors"

-----Original Message-----
From: Paul Schmehl [mailto:pschmehl_lists () tx rr com]
Sent: Friday, December 17, 2010 12:12 PM
To: Larry Seltzer; full-disclosure () lists grok org uk
Subject: RE: [Full-disclosure] Allegations regarding OpenBSD IPSEC

--On December 16, 2010 7:47:36 PM -0500 Larry Seltzer
<larry () larryseltzer com> wrote:

> Instead of an overt back-door, is it possible that Theo's old friend
(;))
> is referring to exploitable vulnerabilities. These vulnerabilities may
or
> may not have been found in the interim and fixed, but not recognized as
> backdoors.
>
> As you said, it's impossible to prove a negative (prove to me that you
> haven't read Moby Dick), but the scenario above sounds kind of
reasonable
> to me.

If you work in security (I mean professionally - dealing day to day with
the problems that arise - not the wannabes who post to lists and act like
know-it-alls), you quickly learn to cast a jaundiced eye on
unsubstantiated
claims made on the internet.  You begin to ask, what is the poster's
motive?  What's the goal of publicizing this?  What is he not saying?

In the case of Mr. Perry, he has made claims that have proven to be untrue

(or at least been categorically denied by the persons supposedly
involved),
and he has thrown out some big names as if those substantiate his claims.
(Shades of the common trait of internet myths.)

The one thing Mr. Perry has not done, and which, if his claims have any
merit at all, he could easily do, since he claims he's no longer under
NDA,
is post the code that proves that there is a backdoor.  After all, he
supposedly wrote it, along with others.  He must know precisely what and
where it is.  At a minimum he could say that Theo needs to closely audit
netif.h or crypto.c or des_setkey.c or something similar.

So why hasn't he posted the code?  I can think of some plausible reasons.
(There may be others.)  Perhaps he wants to create FUD around OpenBSD for
some reason.  (Note to musnt live: I don't use OpenBSD.  If you had a clue

how to read mail headers you would know that or if you had the simple
skills to do a Google search, you would know that I'm a port maintainer
for
FreeBSD.  Oh, I've installed and run OpenBSD in the past.  But I haven't
used it in years.  And I don't give a hoot about it or about Theo, one way

or the other.  And the thought of smelling his crotch has never once
crossed my mind - but it did yours - which leads to some interesting
questions about your proclivities.)

Perhaps he wants to gain some notoriety.  He's certainly done that.

Perhaps he really doesn't know anything at all about a backdoor and is
simply blowing smoke.

Perhaps he is aware of rumors about a backdoor but has no proof and is
hoping Theo will do the hard work of auditing the code for him.

Perhaps he thinks there's a backdoor but he hasn't the coding skills to
confirm it or even to audit the code.

Only Mr. Perry knows the truth.  But one thing is certain.  He could
easily
end the controversy if he wanted to but he hasn't.  And that says a great
deal more about him and his motives than it does about the integrity of
the
OpenBSD code or the possibility of a backdoor existing in it.

The fact that I have to write all this irritates me.  It's a waste of my
time.  But that's the price you pay for being on the internet, which
abounds with idiots who will swallow every wild and unsubstantiated claim
without question and who live in a world of paranoia where Big Brother is
always right around the corner.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/