Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo

From: Carlos Alberto Lopez Perez <clopez () igalia com>
Date: Thu, 23 Dec 2010 01:53:38 +0100
On 12/23/2010 01:36 AM, mrx wrote:

On 23/12/2010 00:00, Dan Kaminsky wrote:

On Wed, Dec 22, 2010 at 3:47 PM, Dave Nett <dave.nett () yahoo com> wrote:



http://marc.info/?l=openbsd-tech&m=129296046123471&w=2

Long mail which just admit has backdoor, poor Theo.





    (g) I believe that NETSEC was probably contracted to write backdoors
        as alleged.
    (h) If those were written, I don't believe they made it into our
        tree.  They might have been deployed as their own product.



You had only one more sentence to read!  Just one!





"> where would you start auditing the code? It's just too much.

Actually, it is a very small part of the tree..."


I am aware that compilers can be coded to introduce "features" into binaries that are not in the actual source code 
itself.
So with all due respect and possibly much ignorance on my part, what is a code audit going to achieve if one uses the 
shipped compiler to
compile the source? Unless one codes ones own compiler can any binary be trusted?


I am also aware that processors can have hidden "features" that make them
execute a sightly different program that the one you expect to be executed.
So, can we trust processors unless you make your own processor?

For example think about the new Intel processors that are shipped with the
AES-NI [1] instruction set. How difficult would be to governments and
powerful people/companies to hide a trojan horse in this processors? And
would you ever notice the existence of this hidden "feature"?

[1] http://en.wikipedia.org/wiki/AES_instruction_set


Would not reversing the compiled code lead to a proper insight? Are the compiled binaries that handle these crypto 
functions so complex that
they cannot be reversed by a skilled assembly coder? I guess that such a coder would have to be an expert 
cryptographer too, or at least
collaborate with one.

My curiosity is genuine, I am trying to educate myself about such things.

regards
Dave




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: