Author Topic: OpenBSD: Only two remote holes [...] - the rest come from inside?  (Read 5444 times)

f0dder

Potentially bad news ahead:
Allegations regarding OpenBSD IPSEC
Theo de Raadt <deraadt <at> cvs.openbsd.org>
2010-12-14 22:24:39 GMT

I have received a mail regarding the early development of the OpenBSD
IPSEC stack.  It is alleged that some ex-developers (and the company
they worked for) accepted US government money to put backdoors into
our network stack, in particular the IPSEC stack.  Around 2000-2001.

Since we had the first IPSEC stack available for free, large parts of
the code are now found in many other projects/products.  Over 10
years, the IPSEC code has gone through many changes and fixes, so it
is unclear what the true impact of these allegations are.
via OSnews.
- carpe noctem

40hz

« Reply #1 on: December 14, 2010, 07:21 PM »
Does seem very odd that, with all the smart coding talent looking at OpenBSD for holes over the years, somebody hadn't discovered it previously.

Sounds like it might well be FUD. Or sour grapes.

I'm gonna take a "wait and see" stance on this one.

(And if it turns out to be true, I'm gonna adopt a low 'horse stance' - and then punch something!) :(
« Last Edit: December 15, 2010, 01:18 AM by 40hz »

Eóin

« Reply #2 on: December 15, 2010, 08:58 AM »
Potentially worrying indeed. Just imagine how much of this could be going on behind the scenes in the likes of MS, Oracle or Apple.

Still, the full disclosure aspect of Theo's response fills me with confidence that the OS as a whole is not corrupt.

P.S. I hate conspiracy theories, so will be waiting to see the facts behind this come out too.

mouser

« Reply #3 on: December 15, 2010, 12:24 PM »
Fascinating stuff.

The accused have denied it: http://www.itworld.c...ed-named-participant

40hz

« Reply #4 on: December 15, 2010, 12:52 PM »
In the end, it will be the code audit and not the allegations that prove or disprove the accusation.

Right now I'm about 75% confident it will turn out to be pure vacuum.

Not that I wouldn't put it past a government agency to try to pay somebody to insert such a back door. They have their job to do, after all.  

But I'd be flat out stunned if such a blatant exploit could have remained both unsuspected and undetected by OpenBSD for over nine years. Those guys are awfully smart coders in addition to being security fanatics. And they don't go into denial or damage control mode on those rare occasions when something does go wrong. I think Theo de Raadt's decision to immediately go public with the allegation is proof of that.

(Fingers crossed and waiting for somebody to shout: "Stand down. All Clear!"  8))


« Last Edit: December 15, 2010, 01:26 PM by 40hz »

mouser

« Reply #5 on: December 22, 2010, 10:08 AM »
From slashdot:

"OpenBSD lead developer Theo de Raadt said on a discussion list Tuesday, that he believes that a government contracting firm that contributed code to his project 'was probably contracted to write backdoors,' which would grant secret access to encrypted communications. But that he doesn't think that any of this software made it into the OpenBSD code base."

Whether they actually succeeded in getting code in or not, this is pretty huge.

40hz

« Reply #6 on: December 22, 2010, 10:13 AM »
I think it would have been (or will be) a far bigger deal if it actually did make it into the core code.

Stoic Joker

« Reply #7 on: December 22, 2010, 10:49 AM »
I think there's too many people thinking, and not enough people knowing what actually went into said proverbial stew.

40hz

« Reply #8 on: December 22, 2010, 12:46 PM »
^+1 :Thmbsup:

Two words: code audit

Which is in progress. I'll wait to hear the results.  8)

mwb1100

« Reply #9 on: December 22, 2010, 04:00 PM »
Even if backdoors never made it into the code, I agree with Mouser that if the FBI actually did attempt to get backdoors in place, that's a big deal in itself.

There should be some investigation of whether that allegation is true, though I have no idea how you'd go about doing that.  I imagine it would be hard to get anyone with authority and resources interested in pursuing an investigation.  So you'd be left with asking the accused, with no way to compel any response (much less an honest one).

I'm not even sure if the alleged FBI behavior is illegal - I wouldn't be surprised if it wasn't. Even if legal, it would still be outrageous, in my opinion.

mouser

« Reply #10 on: December 24, 2010, 11:05 AM »
In a follow-up e-mail published this week, de Raadt outlined his current perspective on the controversy and his interpretation of the findings that have emerged from the ongoing code audit. Reviews are being conducted on the history and provenance of code in the IPSEC stack as well as the current implementation. Reviewers have uncovered several bugs that could have security implications, but the nature of the bugs suggests that they were not intentional, nor were they intended to facilitate a backdoor.

http://arstechnica.c...ence-of-backdoor.ars

Eóin

« Reply #11 on: December 24, 2010, 11:13 AM »
Fantastic news to hear! I've always admired OpenBSD :-*