topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Friday December 13, 2024, 9:47 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: OpenBSD: Only two remote holes [...] - the rest come from inside?  (Read 6007 times)

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Potentially bad news ahead:
Allegations regarding OpenBSD IPSEC
Theo de Raadt <deraadt <at> cvs.openbsd.org>
2010-12-14 22:24:39 GMT

I have received a mail regarding the early development of the OpenBSD
IPSEC stack.  It is alleged that some ex-developers (and the company
they worked for) accepted US government money to put backdoors into
our network stack, in particular the IPSEC stack.  Around 2000-2001.

Since we had the first IPSEC stack available for free, large parts of
the code are now found in many other projects/products.  Over 10
years, the IPSEC code has gone through many changes and fixes, so it
is unclear what the true impact of these allegations are.
via OSnews.
- carpe noctem

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: OpenBSD: Only two remote holes [...] - the rest come from inside?
« Reply #1 on: December 14, 2010, 07:21 PM »
Does seem very odd that, with all the smart coding talent looking at OpenBSD for holes over the years, somebody hadn't discovered it previously.

Sounds like it might well be FUD. Or sour grapes.

I'm gonna take a "wait and see" stance on this one.

(And if it turns out to be true, I'm gonna adopt a low 'horse stance' - and then punch something!) :(
« Last Edit: December 15, 2010, 01:18 AM by 40hz »

Eóin

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,401
    • View Profile
    • Donate to Member
Re: OpenBSD: Only two remote holes [...] - the rest come from inside?
« Reply #2 on: December 15, 2010, 08:58 AM »
Potentially worrying indeed. Just imagine how much of this could be going on behind the scenes in the likes of MS, Oracle or Apple.

Still, the full disclosure aspect of Theo's response fills me with confidence that the OS as a whole is not corrupt.

P.S. I hate conspiracy theories, so will be waiting to see the facts behind this come out too.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,914
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: OpenBSD: Only two remote holes [...] - the rest come from inside?
« Reply #3 on: December 15, 2010, 12:24 PM »
Fascinating stuff.

The accused have denied it: http://www.itworld.c...ed-named-participant

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: OpenBSD: Only two remote holes [...] - the rest come from inside?
« Reply #4 on: December 15, 2010, 12:52 PM »
In the end, it will be the code audit and not the allegations that prove or disprove the accusation.

Right now I'm about 75% confident it will turn out to be pure vacuum.

Not that I wouldn't put it past a government agency to try to pay somebody to insert such a back door. They have their job to do, after all.  

But I'd be flat out stunned if such a blatant exploit could have remained both unsuspected and undetected by OpenBSD for over nine years. Those guys are awfully smart coders in addition to being security fanatics. And they don't go into denial or damage control mode on those rare occasions when something does go wrong. I think Theo de Raadt's decision to immediately go public with the allegation is proof of that.

(Fingers crossed and waiting for somebody to shout: "Stand down. All Clear!"  8))


« Last Edit: December 15, 2010, 01:26 PM by 40hz »

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,914
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: OpenBSD: Only two remote holes [...] - the rest come from inside?
« Reply #5 on: December 22, 2010, 10:08 AM »
From slashdot:

OpenBSD lead developer Theo de Raadt said on a discussion list Tuesday, that he believes that a government contracting firm that contributed code to his project 'was probably contracted to write backdoors,' which would grant secret access to encrypted communications. But that he doesn't think that any of this software made it into the OpenBSD code base."

whether they actually succeeded in getting code in or not, this is pretty huge.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: OpenBSD: Only two remote holes [...] - the rest come from inside?
« Reply #6 on: December 22, 2010, 10:13 AM »
I think it would have been (or will be) a far bigger deal if it actually did make it into the core code.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: OpenBSD: Only two remote holes [...] - the rest come from inside?
« Reply #7 on: December 22, 2010, 10:49 AM »
I think there's too many people thinking, and not enough people knowing what actually went into said proverbial stew.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: OpenBSD: Only two remote holes [...] - the rest come from inside?
« Reply #8 on: December 22, 2010, 12:46 PM »
^+1 :Thmbsup:

Two words: code audit

Which is in progress. I'll wait to hear the results.  8)

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,645
    • View Profile
    • Donate to Member
Re: OpenBSD: Only two remote holes [...] - the rest come from inside?
« Reply #9 on: December 22, 2010, 04:00 PM »
Even if backdoors never made it into the code, I agree with Mouser that if the FBI actually did attempt to get backdoors in place, that's a big deal in itself.

There should be some investigation of whether that allegation is true, though I have no idea how you'd go about doing that.  I imagine it would be hard to get anyone with authority and resources interested in pursuing an investigation.  So you'd be left with asking the accused, with no way to compel any response (much less an honest one).

I'm not even sure if the alleged FBI behavior is illegal - I wouldn't be surprised if it wasn't. Even if legal, it would still be outrageous, in my opinion.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,914
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: OpenBSD: Only two remote holes [...] - the rest come from inside?
« Reply #10 on: December 24, 2010, 11:05 AM »
In a follow-up e-mail published this week, de Raadt outlined his current perspective on the controversy and his interpretation of the findings that have emerged from the ongoing code audit. Reviews are being conducted on the history and provenance of code in the IPSEC stack as well as the current implementation. Reviewers have uncovered several bugs that could have security implications, but the nature of the bugs suggests that they were not intentional, nor were they intended to facilitate a backdoor.

http://arstechnica.c...ence-of-backdoor.ars

Eóin

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,401
    • View Profile
    • Donate to Member
Re: OpenBSD: Only two remote holes [...] - the rest come from inside?
« Reply #11 on: December 24, 2010, 11:13 AM »
Fantastic news to hear! I've always admired OpenBSD :-*