LinuxQuestions.org


Latios 12-18-2010 01:26 PM

Open source security - suspected FBI backdoor in OpenBSD
 
A backdoor seems to have been planted in OpenBSD's IPsec component 10 years ago. The backdoor was put there by devs getting paid by the FBI, and was revealed just recently as the NDA with the FBI of one of the devs expired.

Full article on OSnews

This raised 3 questions for me:

It is claimed that open source software is more secure since it is open, and the code is reviewed by many readers. I do question this claim: there's a lot of code out there, and there are many projects which get little attention, coded by one or a few devs and not of much interest to others to actually read the code. It may well mean that backdoors can exist unnoticed in plain sight, simply because no one ever bothered to review the code before compiling it.

It took 10 years (the length of the NDA in effect) for this story to come into the open. Is it acceptable for us (the open source users) that devs give higher priority to their NDA than to the reliability of the code they submit? Maybe a norm (unwritten rule) should be accepted among open source coders that this behavior is not acceptable, and that devs must alert immediately (even if anonymously and obscurely, so as not to be caught by whoever issued the NDA) if they know of such a plot getting underway.

If I don't trust the binaries of my distro, I can compile. To verify the integrity of the source, I can check the checksums, or validate a signature. But where do I get the assumed signature of the original devs in the first place? It is possible for a project page to provide both tampered code signed with the wrong key and the wrong public key itself, so it may never be known that the key is wrong at all.

Hangdog42 12-18-2010 02:05 PM

How about the fact that pretty much everyone involved is saying it didn't happen? Including someone posting that the accuser did not even work at the facility when the supposed compromise happened.

But hey, why ruin a good conspiracy theory when everyone can get their paranoia on.

Latios 12-18-2010 02:21 PM

It might not have happened this time. But it is an opportunity to think of how to deal with this possibility.

unSpawn 12-18-2010 02:27 PM

Was posted a full 3 days ago here: http://www.linuxquestions.org/questi...doored-850373/.

Hangdog42 12-18-2010 03:20 PM

Quote:

Originally Posted by Latios (Post 4196139)
It might not have happened this time. But it is an opportunity to think of how to deal with this possibility.


So how about using something that actually happened as an example?

easuter 12-18-2010 04:06 PM

At first glance I'd say that this is some kind of FUD campaign. Being a FOSS project it shouldn't take very long to figure out whether or not the claims have any basis, until then opinions really don't mean much.

Something else to think about: why on earth would an NDA covering such sensitive information expire so soon? I've only signed one legal document so far that might be considered an NDA and, if memory serves me right, there was no expiry date (and this wasn't related to secret government shenanigans).

XavierP 12-18-2010 06:06 PM

Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. This thread is being closed because it is a duplicate.
