Full Disclosure mailing list archives
Re: Allegations regarding OpenBSD IPSEC
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Fri, 17 Dec 2010 11:12:06 -0600
--On December 16, 2010 7:47:36 PM -0500 Larry Seltzer <larry () larryseltzer com> wrote:
Instead of an overt back-door, is it possible that Theo's old friend (;)) is referring to exploitable vulnerabilities. These vulnerabilities may or may not have been found in the interim and fixed, but not recognized as backdoors. As you said, it's impossible to prove a negative (prove to me that you haven't read Moby Dick), but the scenario above sounds kind of reasonable to me.
If you work in security (I mean professionally - dealing day to day with the problems that arise - not the wannabes who post to lists and act like know-it-alls), you quickly learn to cast a jaundiced eye on unsubstantiated claims made on the internet. You begin to ask, what is the poster's motive? What's the goal of publicizing this? What is he not saying? In the case of Mr. Perry, he has made claims that have proven to be untrue (or at least been categorically denied by the persons supposedly involved), and he has thrown out some big names as if those substantiate his claims. (Shades of the common trait of internet myths.) The one thing Mr. Perry has not done, and which, if his claims have any merit at all, he could easily do, since he claims he's no longer under NDA, is post the code that proves that there is a backdoor. After all, he supposedly wrote it, along with others. He must know precisely what and where it is. At a minimum he could say that Theo needs to closely audit netif.h or crypto.c or des_setkey.c or something similar. So why hasn't he posted the code? I can think of some plausible reasons. (There may be others.) Perhaps he wants to create FUD around OpenBSD for some reason. (Note to musnt live: I don't use OpenBSD. If you had a clue how to read mail headers you would know that or if you had the simple skills to do a Google search, you would know that I'm a port maintainer for FreeBSD. Oh, I've installed and run OpenBSD in the past. But I haven't used it in years. And I don't give a hoot about it or about Theo, one way or the other. And the thought of smelling his crotch has never once crossed my mind - but it did yours - which leads to some interesting questions about your proclivities.) Perhaps he wants to gain some notoriety. He's certainly done that. Perhaps he really doesn't know anything at all about a backdoor and is simply blowing smoke. Perhaps he is aware of rumors about a backdoor but has no proof and is hoping Theo will do the hard work of auditing the code for him. Perhaps he thinks there's a backdoor but he hasn't the coding skills to confirm it or even to audit the code. Only Mr. Perry knows the truth. But one thing is certain. He could easily end the controversy if he wanted to but he hasn't. And that says a great deal more about him and his motives than it does about the integrity of the OpenBSD code or the possibility of a backdoor existing in it. The fact that I have to write all this irritates me. It's a waste of my time. But that's the price you pay for being on the internet, which abounds with idiots who will swallow every wild and unsubstantiated claim without question and who live in a world of paranoia where Big Brother is always right around the corner. -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. ******************************************* "It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson "There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Allegations regarding OpenBSD IPSEC, (continued)
- Re: Allegations regarding OpenBSD IPSEC Graham Gower (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC mark seiden (Dec 15)
- Re: Allegations regarding OpenBSD IPSEC Abuse007 (Dec 16)
- Re: Allegations regarding OpenBSD IPSEC Valdis . Kletnieks (Dec 16)
- Re: Allegations regarding OpenBSD IPSEC malfy (Dec 16)
- Re: Allegations regarding OpenBSD IPSEC Larry Seltzer (Dec 16)
- Re: Allegations regarding OpenBSD IPSEC Paul Schmehl (Dec 16)
- Re: Allegations regarding OpenBSD IPSEC John Horn (Dec 16)
- Re: Allegations regarding OpenBSD IPSEC Larry Seltzer (Dec 16)
- Re: Allegations regarding OpenBSD IPSEC J. Oquendo (Dec 16)
- Re: Allegations regarding OpenBSD IPSEC Paul Schmehl (Dec 17)
- Re: Allegations regarding OpenBSD IPSEC Larry Seltzer (Dec 17)
- Re: Allegations regarding OpenBSD IPSEC Paul Schmehl (Dec 17)
- Re: Allegations regarding OpenBSD IPSEC Gary Baribault (Dec 17)
- Re: Allegations regarding OpenBSD IPSEC news (Dec 17)
- Re: Allegations regarding OpenBSD IPSEC Valdis . Kletnieks (Dec 17)
- Re: Allegations regarding OpenBSD IPSEC Григорий Братислава (Dec 17)
- Re: Allegations regarding OpenBSD IPSEC Григорий Братислава (Dec 17)
- Re: Allegations regarding OpenBSD IPSEC Charlie Derr (Dec 18)
- Re: Allegations regarding OpenBSD IPSEC Григорий Братислава (Dec 17)
- Re: Allegations regarding OpenBSD IPSEC Paul Schmehl (Dec 17)