It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Some features of ATS will be disabled while you continue to use an ad-blocker.
One of the developers named in the OpenBSD backdoor allegations has denied any involvement, with Jason L. Wright arguing that the work he carried out on the OS related instead to device drivers and demanding an apology. Former OpenBSD coder Gregory Perry made claims earlier this month that the FBI had installed covert backdoor access into the popular open-source platform, so as to allow the bureau to monitor VPN and other traffic.
OpenBSD IPSec backdoor allegations: triple $100 bounty
In case you hadn't heard: Gregory Perry alleges that the FBI paid OpenBSD contributors to insert backdoors into OpenBSD's IPSec stack, with his (Perry's) knowledge and collaboration.
If that were true, it would also be a concern for FreeBSD, since some of our IPSec code comes from OpenBSD.
I'm having a hard time swallowing this story, though. In fact, I think it's preposterous. Rather than go into further detail, I'll refer you to Jason Dixon's summary, which links to other opinions, and add only one additional objection: if this were true, there would be no “recently expired NDA”; it would be a matter of national security.
I'll put my money where my mouth is, and post a triple bounty:
What can the OpenBSD IPsec backdoor allegations teach us?
...Ultimately, however, this situation should be taken as a source of lessons we can learn about securing our software, regardless of any holy wars over the security benefits of open source models of software development.
1. Do not trust government involvement in development of secure software. Whether the software is open source or closed, the governmental motivation remains the same: monitoring the activities and secrets of members of the public. Whether you believe their intentions are good (protecting us from terrorists) or corrupt (cracking down on peaceful dissidents), the result is that government is strongly motivated to violate individual privacy — which means compromising security technologies.
2. Prefer simple systems over complex systems. The more complex the system, the easier it is to hide problems in plain sight, whether those problems are hidden there by accident or by malicious intent. If these problems exist, the relative complexity of IPsec implementations in general surely contributed to the continuing obscurity of the backdoor code in the system...
The OpenBSD project has found two bugs during an audit of the cryptographic code in which, it has been alleged, the FBI, through former developers, was able to plant backdoors.
OpenBSD project head Theo de Raadt told iTWire: "We've been auditing since the mail came in! We have already found two bugs in our cryptographic code. We are assessing the impact. We are also assessing the 'archeological' aspects of this.."
Developer defends claims of backdoors in OpenBSD
...An audit of the cryptographic code has commenced and de Raadt told iTWire yesterday that two bugs had been found.
Perry said he had sent a private email to de Raadt, urging him to perform a source code audit of the OpenBSD Project based upon the allegations contained within the mail.
"Theo then sent, without my permission and against my wishes, the entire contents of that email with my contact particulars to a public listserver, which ignited this firestorm of controversy that I am now seemingly embroiled in," he said.
"If I had this to do over again, I would have sent an anonymous postcard to WikiLeaks probably."...
Originally posted by aivlas
reply to post by JBA2848
Cofee is a joke, people hype stuff up to much with out knowing what it is.
www.microsoft.com...edit on 18-12-2010 by aivlas because: (no reason given)
So we have tptb wanting to shut down the internet but it's the one way they can snoop on everything we do sort it out people.edit on 18-12-2010 by aivlas because: (no reason given)
Originally posted by senselessgarbage
Let me summarize this story:
1) This is an accusation that the FBI paid a software developer to put a backdoor into the IPSEC OpenBSD code. This is used worldwide in internet-connected devices, whether you're on Windows, Mac, Linux, your phone, or whatever system. It would allow people to snoop on the data you are sending.
2) This is only an accusation. No proof of concept code has been shown.
3) The guy alleged to have accepted the FBI bribe has denied this.
Right now, this is garbage, until it is proven.
Originally posted by c00kbook
A random number generated in software can never truly be random as there is always code used to generate the "random" number. If you have access to this code your job is alot easier.
Originally posted by aivlas
reply to post by tristar
People hyped it up to be this amazing tool when it really isn't, it's just an easy to use thing for police to use with little training, you can get all the functionality of cofee from other appsedit on 19-12-2010 by aivlas because: (no reason given)
OpenBSD project chief Theo de Raadt has said that he accepts contracting firm NETSEC “was probably contracted to write backdoors” into the open-source platform, but believes none of the exploit code made it into the eventual tree. The comments come as early investigations are made into OpenBSD code following allegations by an ex-NETSEC programmer that the FBI paid to have backdoor access installed into the OS.