Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo

[The Sp3ctacle <sp3ctacle () gmail com>]

It shouldn't be that hard to bindiff the code compiled with with the
shipped compiler with the code from a compiler that predates the
latest backdoor shenanigans.  You could decompile the binary code and
then ask a cryptographer to audit.

On Wed, Dec 22, 2010 at 7:36 PM, mrx <mrx () propergander org uk> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 23/12/2010 00:00, Dan Kaminsky wrote:
> > On Wed, Dec 22, 2010 at 3:47 PM, Dave Nett <dave.nett () yahoo com> wrote:
> >
> > > http://marc.info/?l=openbsd-tech&m=129296046123471&w=2
> > >
> > > Long mail which just admit has backdoor, poor Theo.
> >
> >
> >     (g) I believe that NETSEC was probably contracted to write backdoors
> >         as alleged.
> >     (h) If those were written, I don't believe they made it into our
> >         tree.  They might have been deployed as their own product.
> >
> > You had only one more sentence to read!  Just one!
>
>
>
> "> where would you start auditing the code? It's just too much.
>
> Actually, it is a very small part of the tree..."
>
>
> I am aware that compilers can be coded to introduce "features" into binaries that are not in the actual source code 
> itself.
> So with all due respect and possibly much ignorance on my part, what is a code audit going to achieve if one uses the 
> shipped compiler to
> compile the source? Unless one codes ones own compiler can any binary be trusted?
>
> Would not reversing the compiled code lead to a proper insight? Are the compiled binaries that handle these crypto 
> functions so complex that
> they cannot be reversed by a skilled assembly coder? I guess that such a coder would have to be an expert 
> cryptographer too, or at least
> collaborate with one.
>
> My curiosity is genuine, I am trying to educate myself about such things.
>
> regards
> Dave
>
>
> - --
> Mankind's systems are white sticks tapping walls.
> Thanks Roy
> http://www.propergander.org.uk
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEVAwUBTRKZc7Ivn8UFHWSmAQIL9Af/e4HawFmXZc2zIHqEz1mah5+NuNiAH6o2
> VJkPiC955moZ5L07rKtfSsV8ktDYUw6EczmPQI5UWFrFsu5SON2LPHkh2ifSrzMS
> Y5fj+Qjg7BWiamO3iDklJS50x1rEVTSAT6ErydKNGFHkQqieTgjAfemhRQBrjQuo
> IYQtF3Ij3v0+gIx+mhQ5mEsxLqKST5Gz6M45VZ9MtfX8fUMkBIQoRBNTHv10oqP+
> pMsQD+M/UG+cCWd+8DuKmvRCHnhIsJPnZqxQZ5b5P0ZVgSx3XbrTB2+st1+B5xNQ
> LI57VElZWEmNVcEAYZ+5T5AG3tJonjCBtwg832fXuk3pHq62C06uag==
> =qHih
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/