Full Disclosure mailing list archives
Re: Allegations regarding OpenBSD IPSEC
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Thu, 16 Dec 2010 14:50:06 -0600
There are several problems with this story that seem to have been overlooked.

First, if someone was able to alter the crypto source code 10 years ago, you have to assume that in the following 10 years not one person reviewing or editing that code would have noticed a thing. So, the person who did the altering has to be smarter than every other crypto guy who worked on the code. Smart enough that nobody would even notice what he did and smart enough that nothing would be noticed operationally. Not one entity, with all the security personnel those entities employed, would have ever noticed or even inadvertently stumbled across any traffic going to an unexpected place.

Second, no one editing the crypto code after the alteration would have ever made a single change to the code that would affect the alteration in an adverse way, either rendering it inoperable or causing it to generate traffic that would be unexpected and noticed by watchful eyes. Now we're talking a genius on the level of Einstein, at least. Of all the code in use, crypto is probably the most scrutinized and is scrutinized by the smartest guys. All of whom were apparently too dumb to notice *anything* unusual in the code at all, if this story is to be believed. And he was able to alter it in a way that made it completely resistant to any future changes in the code.

Finally, the guy who sent Theo the email obviously lied, or else there's a third Scott Lowe that hasn't yet been unearthed.

It's impossible to prove a negative. So, if you want to hurt or get back at Theo for some reason, the easiest way to do it is claim there's a supersekrit backdoor in the code that no one has noticed for ten years. Now Theo gets to go on a wild goose chase that has no resolution, because you cannot prove there is no backdoor. The best you can do is claim to have thoroughly audited the code and not found one. Conspiracy theorists thrive on claims that can never be disproven.

A hundred years from now, people will still be whispering that there's a backdoor in the crypto supplied by OpenBSD. Just like they claim that Oswald didn't act alone and the government blew up the twin towers. Common sense and the preponderance of the evidence tell you otherwise, but all that is ignored in favor of the grand theory that big brother is watching. Rational people don't fall for this stuff.

Should the code be audited? Of course! Auditing is always useful and often productive. Should we assume the worst? Not without better evidence than what we have before us now.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/