Interesting. Abuse007's observations make me think that maybe the "backdoor" was a vulnerability that was patched sometime in the past. Time to scan the CVE list for OpenBSD...
-----Original Message----- From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Abuse007 Sent: Thursday, December 16, 2010 7:26 AM To: mark seiden Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Allegations regarding OpenBSD IPSEC Binaries can be (and are) analysed just like source code can. That's how a lot of bugs have been found in Windows for example. A lot of open source software has bugs that have gone unnoticed for years. A backdoor can be in the form of an innocent looking programming error (which gives a plausible excuse and therefore deniability). In my opinion it is possible to hide a back door in open source software. Whether it's probable is a different question. Changing the s-boxes in DES (and therefore Triple DES as well) would break comparability with other implementations as it would no longer decrypt the same as a standard implementation. Why purposely program a backdoor when there are already probably already a latent vulnerability in it already? Then there is no deniability concerns and no audit trail of the source code. My 2 cents On 16/12/2010, at 1:04 PM, mark seiden <m...@seiden.com> wrote: > > On Dec 15, 2010, at 5:23 PM, Graham Gower wrote: > >> On 16 December 2010 09:50, Larry Seltzer <la...@larryseltzer.com> wrote: >>>> Has anyone read this yet? >>>> >>>> http://www.downspout.org/?q=node/3 >>>> >>>> Seems IPSEC might have a back door written into it by the FBI? >>>> >>> Surely the thing to do now is not to audit *your own* OpenBSD code, but to >>> audit the OpenBSD code from about 8 years ago. If there's nothing there, >>> then the claim is BS. >>> >>> LJS >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >> >> Or get hold of the old version of OpenBSD used at EOUSA and compare it >> to the OpenBSD code from the same time. >> >> __ > > why should anyone other than a us attorney or perhaps an asst us attorney give a rat's ass > what may have been going on in their govt issue vpn some years ago? > > but, as they prosecute federal crimes, if anyone committed a federal crime within > their office due to this they are certainly equipped to go after them. > > these guys have nothing to do with the fbi (they are familially one of the fbi's little > first cousins within justice dept) and also have nothing to do with the openbsd > distribution. > > justice and fbi and darpa barely talk with each other about technology is my very > strong impression. > > this whole story makes very little sense to anyone who was at all acquainted with this > scene at the time. > > unless you control the compiler (see ken thompson's turing award lecture) it's a > fanciful idea that you could successfully plant a backdoor in an open source OS and > expect it to survive. why even bother? > > (now, watering down the s boxes in single des, that might be feasible...) > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/