LinuxQuestions.org
Old 12-18-2010, 02:26 PM   #1
Latios
Member
 
Registered: Dec 2010
Distribution: Arch
Posts: 115

Rep: Reputation: 21
Open source security - suspected FBI backdoor in OpenBSD


A backdoor seems to have been planted in OpenBSD's ipsec component 10 years ago. The backdoor was put there by devs getting paid by the FBI, and was revealed just recently as the NDA with the FBI of one of the devs expired.

Full article on OSnews

This raised 3 questions for me:

It is claimed that open source software is more secure since it is open, and the code is reviewed by many readers. I do question this claim: there's a lot of code out there, and there are many projects which get little attention - coded by one or a few devs, and not of much interest to others to actually read the code. It may well mean that backdoors can exist unnoticed in plain sight, simply because no one ever bothered to review the code before compiling it.

It took 10 years (the length of the NDA in effect) for this story to come out into the open. Is it acceptable for us (the open source users) that devs give higher priority to their NDA than to the reliability of the code they submit? Maybe a norm (unwritten rule) should be accepted among open source coders, that this behavior is not acceptable and devs must alert immediately (even if anonymously and obscurely, so as not to be caught by whoever issued the NDA) if they know of such a plot getting underway.

If I don't trust the binaries of my distro, I can compile. To verify the integrity of the source, I can check the checksums, or validate a signature. But where do I get the assumed signature of the original devs in the first place? It is possible for a project page to provide both tampered code signed with the wrong key and the wrong public key itself, so it would not be apparent that the key is wrong at all.
 
Old 12-18-2010, 03:05 PM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

Rep: Reputation: 414
How about the fact that pretty much everyone involved is saying it didn't happen? Including someone posting that the accuser did not even work at the facility when the supposed compromise happened.

But hey, why ruin a good conspiracy theory when everyone can get their paranoia on.
 
Old 12-18-2010, 03:21 PM   #3
Latios
Member
 
Registered: Dec 2010
Distribution: Arch
Posts: 115

Original Poster
Rep: Reputation: 21
It might not happen this time. But it is an opportunity to think of how to deal with this possibility.
 
Old 12-18-2010, 03:27 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,693
Blog Entries: 54

Rep: Reputation: 2961
Was posted a full 3 days ago here: http://www.linuxquestions.org/questi...doored-850373/.
 
Old 12-18-2010, 04:20 PM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

Rep: Reputation: 414
Quote:
Originally Posted by Latios View Post
It might not happen this time. But it is an opportunity to think of how to deal with this possibility.

So how about using something that actually happened as an example?
 
Old 12-18-2010, 05:06 PM   #6
easuter
Member
 
Registered: Dec 2005
Location: Portugal
Distribution: Slackware64 13.0, Slackware64 13.1
Posts: 538

Rep: Reputation: 62
At first glance I'd say that this is some kind of FUD campaign. Being a FOSS project it shouldn't take very long to figure out whether or not the claims have any basis, until then opinions really don't mean much.

Something else to think about: why on earth would an NDA covering such sensitive information expire so soon? I've only signed one legal document so far that might be considered an NDA and if memory serves me right, there was no expiry date (and this wasn't related to secret government shenanigans).
 
Old 12-18-2010, 07:06 PM   #7
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,176
Blog Entries: 4

Rep: Reputation: 430
Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. This thread is being closed because it is a duplicate.
 