[133656] in North American Network Operators' Group
Re: Alleged backdoor in OpenBSD's IPSEC implementation.
daemon@ATHENA.MIT.EDU ('mikea')
Wed Dec 15 12:07:58 2010
Date: Wed, 15 Dec 2010 11:07:48 -0600
From: "'mikea'" <mikea@mikea.ath.cx>
To: Stefan Fouant <sfouant@shortestpathfirst.net>
Mail-Followup-To: Stefan Fouant <sfouant@shortestpathfirst.net>,
nanog@nanog.org
In-Reply-To: <025d01cb9c79$a4fe82b0$eefb8810$@net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Dec 15, 2010 at 12:00:56PM -0500, Stefan Fouant wrote:
> > -----Original Message-----
> > From: mikea [mailto:mikea@mikea.ath.cx]
> > Sent: Wednesday, December 15, 2010 8:28 AM
> > To: nanog@nanog.org
> > Subject: Re: Alleged backdoor in OpenBSD's IPSEC implementation.
> >
> > >
> > > Someone is confusing FBI with NSA, methinks. And yes, if this is
> > > the kind of thing not talked about, "NDA"s expire when you do. But
> > > seriously ... this would seem to be the kind of code that Smart
> > People
> > > should be doing security audits on Just Because.
> > >
> > > So rustle up a couple of PostDocs, and give them an idea for a
> > Thesis,
> > > and yer set.
> >
> > More to the point, I think it wouldn't be an NDA, but a security
> > classification on the knowledge of the backdoors, and probably one not
> > subject to automatic downgrading.
>
> Please pardon my ignorance on the matter as I am not involved in any way
> with Open Source development, but it stands to reason that anything of this
> sort would have been scrutinized by the many developers involved with
> OpenBSD and surely would have been discovered at some point. And to further
> that point, is this not something that can be verified now if this code is
> still in the public domain? Or is writing a crypto stack such an esoteric
> task that only a relegated few can possibly decipher the inner workings?
>
> Not that I don't love a good government conspiracy theory, and yes I do
> believe there are a fair amount of backdoors in most code (including that of
> many private and publicly held corporations)... but open source? Just seems
> unlikely to me based on my limited understanding...
In sober honesty, I doubt that there are any backdoors in any *BSD
crypto stack that is really open source -- modulo the issues set out in
"On trusting trust". But while I doubt it, that doesn't mean that I'm
certain there are none.
At this point, a real Conspiracy Theorist (TM) would ramble on about how
all the *BSD crypto stack folks either were co-opted by the NSA or were
under threat of death or worse if they talked.
--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin
