Full Disclosure mailing list archives
Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo
From: Carlos Alberto Lopez Perez <clopez () igalia com>
Date: Thu, 23 Dec 2010 01:53:38 +0100
On 12/23/2010 01:36 AM, mrx wrote:
On 23/12/2010 00:00, Dan Kaminsky wrote:On Wed, Dec 22, 2010 at 3:47 PM, Dave Nett <dave.nett () yahoo com> wrote:http://marc.info/?l=openbsd-tech&m=129296046123471&w=2 Long mail which just admit has backdoor, poor Theo.(g) I believe that NETSEC was probably contracted to write backdoors as alleged. (h) If those were written, I don't believe they made it into our tree. They might have been deployed as their own product.You had only one more sentence to read! Just one!"> where would you start auditing the code? It's just too much. Actually, it is a very small part of the tree..." I am aware that compilers can be coded to introduce "features" into binaries that are not in the actual source code itself. So with all due respect and possibly much ignorance on my part, what is a code audit going to achieve if one uses the shipped compiler to compile the source? Unless one codes ones own compiler can any binary be trusted?
I am also aware that processors can have hidden "features" that make them execute a sightly different program that the one you expect to be executed. So, can we trust processors unless you make your own processor? For example think about the new Intel processors that are shipped with the AES-NI [1] instruction set. How difficult would be to governments and powerful people/companies to hide a trojan horse in this processors? And would you ever notice the existence of this hidden "feature"? [1] http://en.wikipedia.org/wiki/AES_instruction_set
Would not reversing the compiled code lead to a proper insight? Are the compiled binaries that handle these crypto functions so complex that they cannot be reversed by a skilled assembly coder? I guess that such a coder would have to be an expert cryptographer too, or at least collaborate with one. My curiosity is genuine, I am trying to educate myself about such things. regards Dave
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- OpenBSD has Open Backdoored Software Distribution - admitted by Theo Dave Nett (Dec 22)
- Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo Dan Kaminsky (Dec 22)
- Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo mrx (Dec 22)
- Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo Valdis . Kletnieks (Dec 22)
- Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo Paul Schmehl (Dec 22)
- Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo The Sp3ctacle (Dec 22)
- Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo Graham Gower (Dec 22)
- Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo mrx (Dec 22)
- Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo Carlos Alberto Lopez Perez (Dec 23)
- Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo Dan Kaminsky (Dec 22)