"I have received a mail regarding the early development of the OpenBSD IPSEC stack. It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into our network stack, in particular the IPSEC stack. Around 2000-2001."
It seems to me that paying a former OpenBSD person to claim to have knowledge of the government's interest in and placing of back-doors in a meticulously audited OS would be an easy, and cheap, way to discredit the OS (or at least make people think "well, even OpenBSD has security problems"). It would, if not an easily discredited claim (i.e. not a hoax: if this guy was the guy who did work on the OpenBSD project), have a very high impact/cost ratio, especially if they are frustrated with the crypto capabilities of OpenBSD.
If it turns out that this email came from someone other than the claimed sender, then clearly it's not a govt interest thing: too easily discredited. However, if this guy did send the email, then I would bet it's just a discred campaign. But who knows. Praise to the OpenBSD people for being transparent.
Note: I wonder how likely it is that his NDA would have really expired so soon? Perhaps another thing pointing to a hoax?
Last edited by Ubunoob001; 12-15-2010 at 01:30 PM.
Quote:
Originally Posted by Ubunoob001
It seems to me that paying a former OpenBSD person to claim to have knowledge of the government's interest in and placing of back-doors in a meticulously audited OS would be an easy, and cheap, way to discredit the OS
..then again if I had to trust anything or anyone I'd rather place trust in Bruce Schneier than whatever IDG or its affiliates spit out onto the 'net. They're not exactly renowned for their reporter and "author" "quality" or capabilities to do "research" let alone have any "news" that wasn't posted elsewhere. I mean, do you really expect anyone to honestly confirm having been on a FBI or affiliate payroll? And tell IDG? Yeah right.
Quote:
Originally Posted by unSpawn
..then again if I had to trust anything or anyone I'd rather place trust in Bruce Schneier than whatever IDG or its affiliates spit out onto the 'net. They're not exactly renowned for their reporter and "author" "quality" or capabilities to do "research" let alone have any "news" that wasn't posted elsewhere.
Indeed, for it to be DOD I would expect a more robust plan than simply attributing a letter to someone from whom it did not come.
Quote:
Originally Posted by unSpawn
...
I mean, do you really expect anyone to honestly confirm having been on a FBI or affiliate payroll? And tell IDG? Yeah right.
Well, and NDAs for such things don't usually expire when the information is still important, unless they expected it to be irrelevant at the expiration time, or if it becomes irrelevant, for example if they can now crack.....DUM DUM DAAAAAA..... tin foil hats....won't even finish that thought.
Yup, seems a hoax though, at some link in the chain of this story.
Was there really a backdoor, or is the accusation false?
The point is that we don't know. There is a claim but no actual evidence, at least in the 'will stand up in court' sense of evidence. Now you might think '...well, all anyone has to do is to audit it...after all, the code is open and many eyes make all bugs shallow (yadda, yadda)...' but this is not exactly a trivial thing to do.
(My guess is that anyone who thinks 'well, I'll just do it then, how hard can it be...' is on a sharp-ish learning curve, but if you do do it, and you make a thorough job, your results would be welcomed.)
At this point, my bet would be on hoax/misunderstanding, but then I'm not in a position in which it directly affects me, so I can afford to be a bit more casual than someone who is directly affected.
"bugs found during code audit" (supposed quote of de Raadt)
There have been stories/updates on-line that include reference to 'two bugs found' in the code, and that they are being inspected for how they might have played out over time.
The following quote seems to be the one most spread around. This is found in the itwire story linked below.
Code:
"OpenBSD project head Theo de Raadt told iTWire: "We've been auditing since the mail came in! We have already found two bugs in our cryptographic code. We are assessing the impact. We are also assessing the 'archeological' aspects of this..""
I can neither vouch for the authenticity of the stories, nor the reliability of the authors or websites, and take no responsibility for the content therein, but here are a few that reference it
Quote:
Originally Posted by salasi
The point is that we don't know. There is a claim but no actual evidence, at least in the 'will stand up in court' sense of evidence. Now you might think '...well, all anyone has to do is to audit it...after all, the code is open and many eyes make all bugs shallow (yadda, yadda)...' but this is not exactly a trivial thing to do.
(My guess is that anyone who thinks 'well, I'll just do it then, how hard can it be...' is on a sharp-ish learning curve, but if you do do it, and you make a thorough job, your results would be welcomed.)
At this point, my bet would be on hoax/misunderstanding, but then I'm not in a position in which it directly affects me, so I can afford to be a bit more casual than someone who is directly affected.
Thank you salasi, it is appreciated. I was having trouble getting a short, concise, to-the-point assessment of the situation.