ATTENTION: You are viewing a page formatted for mobile devices; to view the full web page, click HERE.

Main Area and Open Discussion > Living Room

OpenBSD: Only two remote holes [...] - the rest come from inside?

(1/3) > >>

f0dder:
Potentially bad news ahead:
Allegations regarding OpenBSD IPSEC
Theo de Raadt <deraadt <at> cvs.openbsd.org>
2010-12-14 22:24:39 GMT

I have received a mail regarding the early development of the OpenBSD
IPSEC stack.  It is alleged that some ex-developers (and the company
they worked for) accepted US government money to put backdoors into
our network stack, in particular the IPSEC stack.  Around 2000-2001.

Since we had the first IPSEC stack available for free, large parts of
the code are now found in many other projects/products.  Over 10
years, the IPSEC code has gone through many changes and fixes, so it
is unclear what the true impact of these allegations are.
--- End quote ---
via OSnews.

40hz:
Does seem very odd that, with all the smart coding talent looking at OpenBSD for holes over the years, somebody hadn't discovered it previously.

Sounds like it might well be FUD. Or sour grapes.

I'm gonna take a "wait and see" stance on this one.

(And if it turns out to be true, I'm gonna adopt a low 'horse stance' - and then punch something!) :(

Eóin:
Potentially worrying indeed. Just imagine how much of this could be going on behind the scenes in the likes of MS, Oracle or Apple.

Still, the full disclosure aspect of Theo's response fills me with confidence that the OS as a whole is not corrupt.

P.S. I hate conspiracy theories, so will be waiting to see the facts behind this come out too.

mouser:
Fascinating stuff.

The accused have denied it: http://www.itworld.com/open-source/130820/openbsdfbi-allegations-denied-named-participant

40hz:
In the end, it will be the code audit and not the allegations that prove or disprove the accusation.

Right now I'm about 75% confident it will turn out to be pure vacuum.

Not that I wouldn't put it past a government agency to try to pay somebody to insert such a back door. They have their job to do, after all.  

But I'd be flat out stunned if such a blatant exploit could have remained both unsuspected and undetected by OpenBSD for over nine years. Those guys are awfully smart coders in addition to being security fanatics. And they don't go into denial or damage control mode on those rare occasions when something does go wrong. I think Theo de Raadt's decision to immediately go public with the allegation is proof of that.

(Fingers crossed and waiting for somebody to shout: "Stand down. All Clear!"  8))


Navigation

[0] Message Index

[#] Next page

Go to full version