Alleged backdoor in OpenBSD's IPSEC implementation.

Jimmy Hess mysidia at gmail.com
Thu Dec 16 00:53:20 UTC 2010


On Wed, Dec 15, 2010 at 7:28 AM, mikea <mikea at mikea.ath.cx> wrote:
> More to the point, I think it wouldn't be an NDA, but a security
> classification on the knowledge of the backdoors, and probably one not
> subject to automatic downgrading.

Someone working on a classified project or having access to classified
info would be signing a lot more than an NDA. Which leads me to the
conclusion Perry probably did not have access to classified info; a
gov't backdoor planted in OpenBSD would probably be classified, so
Perry was, more likely than not, either in error or exaggerating.

If Perry really is risking making authorities frustrated for revealing
that they have a backdoor, then it does not help the community much
for him to withhold the minimal amount of info required to verify the
claims. For now it smells of FUD, because the claims are too vague,
unsupported, and the extent of what Perry claims to have witnessed has
not been explained.

An example of Perry being in error would be if the company was paid
to merely develop a backdoor or side channel, but not actually to
plant it in their contributed code.

The FBI might have wanted proof of concepts, or backdoored versions of
code as "drop in piece" to use for other projects.. for example,
insider penetration testing, or surreptitious monitoring by planting
the backdoored version on specific targeted systems.

Proof of concept code might have gone nowhere.

In that case, it would be impossible to find the backdoor by analyzing
the OpenBSD source code. Or a backdoor or coding error made by
someone else entirely might be discovered instead.

Rewriting instead of merely auditing, of course, presents a risk that
new backdoors could be introduced by whoever rewrites.

Even if a backdoor were developed, Perry posted very little info
about exactly what he knows and how he knows it, what was his role in
the project. Such as the question of: 'Did he personally check
the contributed code and see the backdoor present?'

--
-JH




More information about the NANOG mailing list