Full Disclosure mailing list archives

Re: Allegations regarding OpenBSD IPSEC


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Wed, 15 Dec 2010 13:25:14 -0600

--On December 15, 2010 10:55:39 AM -0800 bk <chort0 () gmail com> wrote:


On Dec 15, 2010, at 10:32 AM, Paul Schmehl wrote:

--On December 14, 2010 8:40:14 PM -0500 bugs () fbi dhs org wrote:

http://www.downspout.org/?q=node/3

Seems IPSEC might have a back door written into it by the FBI?


So for 10 years IPSEC has had a backdoor in it and not one person
examining the code has noticed it? <snip>

Read The Cathedral and The Bazaar.

--
Paul Schmehl, Senior Infosec Analyst

I call bullshit on all the people claiming this couldn't possibly have
existed because "anyone can read the source."  How many of you understand
crypto?  OK, now how many of you _actually_ understand crypto?  And of
those, how many look at *BSD?

There have been plenty of recent examples of Open Source projects that
have had undetected security flaws for multiple years.  It's not
difficult to believe a relatively uncommon OS could have a subtle
weakness in a difficult-to-understand part of the code.

In this particular case, it looks to be total FUD by some lunatic with an
axe to grind, but we shouldn't be so arrogant to assume that such a flaw
_could not_ exist.

BTW I actually use OpenBSD on many of my systems and I happen to think
it's a very simple and practical OS, but I'm not blind to potential
problems.


Reading comprehension problems?

I said it was not likely.  I did not say it was not possible.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

