[aklug] Re: FBI backdoors into openBSD?

From: Shane R. Spencer <shane@bogomip.com>
Date: Thu Dec 16 2010 - 12:12:49 AKST

On 12/15/2010 12:47 PM, Lee wrote:
> anyone else come across this?
>
> http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

Not to be a turd.. but.. I'm calling B.S. on any allegations that there are still/were
compromised systems using public binaries.

The event itself could have happened as told. I'm under the impression that the effects
only had a certain radius and hopefully were not world wide.

What do you think the odds are that publicly available source code containing a method for
covertly passing key information (toggling bits in packets, changing the packet rate, packet
padding, useless packets) would have gone unnoticed by developers as well as the many-eyes
principle? I would love to know how many cryptology students have looked specifically at the
OpenBSD source code over the years (as far back as this reported security breach) to learn
from it.. bright people too..

There has been a LOT of work on the cryptographic framework for OpenBSD over the years as
well as the IPSEC stack. This is true for all BSD systems, which often use each other's
code base for reference as well as.. wait for it.. the actual protocol/method standard
specifications. The binaries on the other hand....

Now.. if I controlled distribution of VPN software (or an entire OS), which at the time
didn't use public key verification for binaries AFAIK, by replacing requested content or
drive/floppy/keycard images with a compromised version.. then I could get away with
whatever I want.

If the feds wanted to hire a developer (private signature key holder) for a few years to
maintain a key-leaking solution in binaries (therefore hard to scrutinize) that would be
distributed only to certain individuals.. what's the big deal? This sort of thing happens
more often than you think (I have no proof other than standard run-of-the-mill infosec
paranoia).

Now.. if those binaries had to be leaked to the world as we know it to maintain
appropriate cover.. that's different. Even examining the source code wouldn't help if the
compromised functions didn't exist until compile time - which none of us control.

I bet I just made a few gentoo/slackware hippies grin.

Thems my two cents.

- Shane
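As an added illustration of the kind of channel Shane lists above (key bits carried in packet padding) and of why source review and known-plaintext testing would catch it: the toy below models an ESP-like encapsulator in an honest form and in a hypothetical trojaned form that adds one extra cipher block of padding whenever the next key bit is 1, then runs the differential check a tester with known payload sizes would use. This is example code written for this note, not code from OpenBSD, from any BSD IPsec stack, or from the original post; the packet layout (payload || pad || pad_len || next_header, aligned to 16 bytes), the sample key and the sample payloads are all constructed assumptions.

```python
# Toy model of a padding-length covert channel beside the check that exposes it.
# Added example, not code from OpenBSD or the original post.  The trailer layout
# (payload || pad || pad_len || next_header, aligned to BLOCK) is a simplified
# assumption loosely modelled on tunnel-mode ESP.

BLOCK = 16          # cipher block size the encrypted trailer must align to (assumption)
NEXT_HEADER = 0x04  # IP-in-IP, as used by tunnel mode


def minimal_pad(payload_len: int) -> int:
    """Smallest pad that makes payload + pad + 2 trailer bytes a multiple of BLOCK."""
    return (-(payload_len + 2)) % BLOCK


def expected_len(payload_len: int) -> int:
    """On-the-wire size an honest encapsulator must produce for this payload."""
    return payload_len + minimal_pad(payload_len) + 2


def honest_encap(payload: bytes) -> bytes:
    pad = minimal_pad(len(payload))
    return payload + bytes(pad) + bytes([pad, NEXT_HEADER])


def leaky_encap(payload: bytes, key_bit: int) -> bytes:
    """Hypothetical backdoored encapsulator: a 1 bit costs one extra block of padding.
    Per-packet statistics look fine because the leaked key is itself random."""
    pad = minimal_pad(len(payload)) + (BLOCK if key_bit else 0)
    return payload + bytes(pad) + bytes([pad, NEXT_HEADER])


def key_bits(key: bytes):
    """Yield the key MSB-first, one bit per packet."""
    for byte in key:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def encap_stream(payloads, key=None):
    """Wrap each payload; with a key, use the leaky encapsulator instead."""
    if key is None:
        return [honest_encap(p) for p in payloads]
    bits = key_bits(key)
    # once the key is exhausted the trojan behaves honestly (0 = minimal padding)
    return [leaky_encap(p, next(bits, 0)) for p in payloads]


def length_anomalies(payloads, packets):
    """Differential check for a tester who knows the plaintext sizes: indices where
    the wire size differs from what minimal padding predicts.  Any hit means the
    padding rule is not the deterministic one the spec describes."""
    return [i for i, (p, pkt) in enumerate(zip(payloads, packets))
            if len(pkt) != expected_len(len(p))]


def recover_key(payloads, packets, key_len: int) -> bytes:
    """What the eavesdropper does with the same observation.  Assumes they can
    elicit traffic of known size through the tunnel (e.g. fixed-size echo
    requests), which is a labelled assumption of this example."""
    bits = [1 if len(pkt) != expected_len(len(p)) else 0
            for p, pkt in zip(payloads, packets)]
    out = bytearray()
    for i in range(key_len):
        byte = 0
        for bit in bits[i * 8:(i + 1) * 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


# Constructed sample input: 24 payloads of varying size and a 16-bit "key".
SAMPLE_PAYLOADS = [b"x" * ((i * 7) % 40 + 1) for i in range(24)]
SAMPLE_KEY = bytes.fromhex("a5c3")   # 1010 0101 1100 0011


if __name__ == "__main__":
    honest = encap_stream(SAMPLE_PAYLOADS)
    leaky = encap_stream(SAMPLE_PAYLOADS, SAMPLE_KEY)
    print("honest anomalies:", length_anomalies(SAMPLE_PAYLOADS, honest))
    print("leaky anomalies: ", length_anomalies(SAMPLE_PAYLOADS, leaky))
    print("recovered key:   ", recover_key(SAMPLE_PAYLOADS, leaky, len(SAMPLE_KEY)).hex())
```

The point of the check is that it needs no statistics: padding in an honest implementation is a pure function of payload length, so a single packet that is a block too long is proof of a deviation, which is exactly the sort of thing a developer running the stack against known traffic, or reading the padding code, would notice.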
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Thu Dec 16 12:13:15 2010

This archive was generated by hypermail 2.1.8 : Thu Dec 16 2010 - 12:13:16 AKST