LinuxQuestions.org
Old 12-15-2010, 06:13 AM   #1
mjolnir
Member
 
Registered: Apr 2003
Posts: 722

Rep: Reputation: 73
OpenBSD IPSEC backdoored?


Has anyone else heard of this?

http://lwn.net/Articles/419865/

"I have received a mail regarding the early development of the OpenBSD
IPSEC stack. It is alleged that some ex-developers (and the company
they worked for) accepted US government money to put backdoors into
our network stack, in particular the IPSEC stack. Around 2000-2001."
 
Old 12-15-2010, 06:34 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 28,613
Blog Entries: 55

Rep: Reputation: 3291
No I haven't but the discussion here seems interesting wrt different POVs: http://marc.info/?l=openbsd-security...7531405260&w=2
 
Old 12-15-2010, 06:57 AM   #3
mjolnir
Member
 
Registered: Apr 2003
Posts: 722

Original Poster
Rep: Reputation: 73
Interesting, quite a bit of it beyond me I'm afraid. :-)
 
Old 12-15-2010, 07:14 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 28,613
Blog Entries: 55

Rep: Reputation: 3291
Indeed the task of having to audit the IPSEC stack doesn't look appealing. Can't we just pay Bruce?
 
Old 12-15-2010, 01:26 PM   #5
Ubunoob001
Member
 
Registered: Feb 2010
Location: New Orleans, LA
Distribution: Mint 16 RC, Elementary OS Luna, Crunchbang
Posts: 166

Rep: Reputation: 16
It seems to me that paying a former OpenBSD person to claim to have knowledge of the government's interest in and placing of back-doors in a meticulously audited OS would be an easy, and cheap, way to discredit the OS (or at least make people think "well even OpenBSD has security problems"). It would, if not an easily discredited claim (i.e. not a hoax: if this guy was the guy who did work on the OpenBSD project) have a very high impact/cost ratio, especially if they are frustrated with the crypto capabilities of OpenBSD.

If it turns out that this email came from someone other than the claimed sender, then clearly it's not a govt interest thing: too easily discredited. However if this guy did send the email, then I would bet it's just a discred campaign. But who knows. Praise to the OpenBSD people for being transparent.

Note: I wonder how likely it is that his NDA would have really expired so soon? Perhaps another thing pointing to a hoax?

Last edited by Ubunoob001; 12-15-2010 at 01:30 PM.
 
Old 12-15-2010, 01:50 PM   #6
Ubunoob001
Member
 
Registered: Feb 2010
Location: New Orleans, LA
Distribution: Mint 16 RC, Elementary OS Luna, Crunchbang
Posts: 166

Rep: Reputation: 16
some update material:
http://www.itworld.com/open-source/1...ed-participant
 
Old 12-15-2010, 03:07 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 28,613
Blog Entries: 55

Rep: Reputation: 3291
Quote:
Originally Posted by Ubunoob001
It seems to me that paying a former OpenBSD person to claim to have knowledge of the government's interest in and placing of back-doors in a meticulously audited OS would be an easy, and cheap, way to discredit the OS
..then again if I had to trust anything or anyone I'd rather place trust in Bruce Schneier than whatever IDG or its affiliates spit out onto the 'net. They're not exactly renowned for their reporter and "author" "quality" or capabilities to do "research" let alone have any "news" that wasn't posted elsewhere. I mean, do you really expect anyone to honestly confirm having been on an FBI or affiliate payroll? And tell IDG? Yeah right.
 
Old 12-15-2010, 03:35 PM   #8
Ubunoob001
Member
 
Registered: Feb 2010
Location: New Orleans, LA
Distribution: Mint 16 RC, Elementary OS Luna, Crunchbang
Posts: 166

Rep: Reputation: 16
Quote:
Originally Posted by unSpawn
..then again if I had to trust anything or anyone I'd rather place trust in Bruce Schneier than whatever IDG or its affiliates spit out onto the 'net. They're not exactly renowned for their reporter and "author" "quality" or capabilities to do "research" let alone have any "news" that wasn't posted elsewhere.
Indeed for it to be DOD I would expect a more robust plan than simply attributing a letter to someone, from whom it did not come.

Quote:
Originally Posted by unSpawn
...
I mean, do you really expect anyone to honestly confirm having been on an FBI or affiliate payroll? And tell IDG? Yeah right.
Well and NDAs for such things don't usually expire when the information is still important, unless they expected it to be irrelevant at the expiration time, or if it becomes irrelevant, for example if they can now crack.....DUM DUM DAAAAAA..... tin foil hats....won't even finish that thought

Yup seems a hoax though at some link on the chain of this story.
 
Old 12-19-2010, 09:45 PM   #9
lupusarcanus
Senior Member
 
Registered: Mar 2009
Location: USA
Distribution: Arch
Posts: 1,022
Blog Entries: 19

Rep: Reputation: 146
I'm confused.

Was there really a backdoor, or is the accusation false?
 
Old 12-20-2010, 06:05 AM   #10
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,978

Rep: Reputation: 816
Quote:
Originally Posted by leopard
Was there really a backdoor, or is the accusation false?
The point is that we don't know. There is a claim but no actual evidence, at least in the 'will stand up in court' sense of evidence. Now you might think '...well, all anyone has to do is to audit it...after all, the code is open and many eyes make all bugs shallow (yadda, yadda)...' but this is not exactly a trivial thing to do.

(My guess is that anyone who thinks 'well, I'll just do it then, how hard can it be...' is on a sharp-ish learning curve, but if you do do it, and you make a thorough job, your results would be welcomed.)

At this point, my bet would be on hoax/misunderstanding, but then I'm not in a position in which it directly affects me, so I can afford to be a bit more casual than someone who is directly affected.
 
Old 12-20-2010, 08:23 AM   #11
Ubunoob001
Member
 
Registered: Feb 2010
Location: New Orleans, LA
Distribution: Mint 16 RC, Elementary OS Luna, Crunchbang
Posts: 166

Rep: Reputation: 16
"bugs found during code audit" (supposed quote of de Raadt)

There have been stories/updates on-line that include reference to 'two bugs found' in the code, and that they are being inspected for how they might have played out over time.

The following quote seems to be the one most spread around. This is found in the itwire story linked below.

Code:
"OpenBSD project head Theo de Raadt told iTWire: "We've been auditing since the mail came in! We have already found two bugs in our cryptographic code. We are assessing the impact. We are also assessing the 'archeological' aspects of this..""
I can neither vouch for the authenticity of the stories, nor the reliability of the authors or websites, and take no responsibility for the content therein, but here are a few that reference it:

Code:
http://www.itwire.com/opinion-and-analysis/open-sauce/43995-openbsd-backdoor-claims-code-audit-begins

http://www.tuxmachines.org/node/49736

http://alge.anart.no/blogs/blog/2010/12/17/openbsd-bugs-found-during-code-audit/
edit: to be clear I am not pushing a particular point of view, just letting those here know what I have read.

Last edited by Ubunoob001; 12-20-2010 at 08:24 AM.
 
Old 12-20-2010, 08:36 AM   #12
lupusarcanus
Senior Member
 
Registered: Mar 2009
Location: USA
Distribution: Arch
Posts: 1,022
Blog Entries: 19

Rep: Reputation: 146
Quote:
Originally Posted by salasi
The point is that we don't know. There is a claim but no actual evidence, at least in the 'will stand up in court' sense of evidence. Now you might think '...well, all anyone has to do is to audit it...after all, the code is open and many eyes make all bugs shallow (yadda, yadda)...' but this is not exactly a trivial thing to do.

(My guess is that anyone who thinks 'well, I'll just do it then, how hard can it be...' is on a sharp-ish learning curve, but if you do do it, and you make a thorough job, your results would be welcomed.)

At this point, my bet would be on hoax/misunderstanding, but then I'm not in a position in which it directly affects me, so I can afford to be a bit more casual than someone who is directly affected.
Thank you salasi, it is appreciated. I was having trouble getting a short, concise, to-the-point assessment of the situation.
 
  


All times are GMT -5.
