[133663] in North American Network Operators' Group
Re: Alleged backdoor in OpenBSD's IPSEC implementation.
daemon@ATHENA.MIT.EDU (sthaug@nethelp.no)
Wed Dec 15 14:02:27 2010
Date: Wed, 15 Dec 2010 20:02:15 +0100 (CET)
To: sfouant@shortestpathfirst.net
From: sthaug@nethelp.no
In-Reply-To: <025d01cb9c79$a4fe82b0$eefb8810$@net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> > More to the point, I think it wouldn't be an NDA, but a security
> > classification on the knowledge of the backdoors, and probably one not
> > subject to automatic downgrading.
>
> Please pardon my ignorance on the matter as I am not involved in any way
> with Open Source development, but it stands to reason that anything of this
> sort would have been scrutinized by the many developers involved with
> OpenBSD and surely would have been discovered at some point. And to further
> that point, is this not something that can be verified now if this code is
> still in the public domain? Or is writing a crypto stack such an esoteric
> task that only a relegated few can possibly decipher the inner workings?
See Ken Thompson's classic paper "Reflections on trusting trust",
http://en.wikipedia.org/wiki/Backdoor_(computing)#Reflections_on_Trusting_Trust
http://cm.bell-labs.com/who/ken/trust.html
> Not that I don't love a good government conspiracy theory, and yes I do
> believe there are a fair amount of backdoors in most code (including that of
> many private and publicly held corporations)... but open source? Just seems
> unlikely to me based on my limited understanding...
The world is not that simple.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
