"We received plenty of e-mail alerting us of a mailing list post [1]
alleging a backdoor in the Open BSD IPSec code. The story is too good to
pass up and repeated on twitter and other media. However, aside from the
mailing list post, there is little if any hard evidence of such a
backdoor. The code in question is 10 years old. Since then, it has been
changed, extended, patched and copied many times. I personally do not
have the time nor the skill to audit code of the complexity found in
modern crypto implementations. But my gut feeling is that this is FUD if
not an outright fraud.
Keep using VPNs, if you are worried, limit the crypto algorithms used to
more modern ones. It is always a good idea to build additional defensive
layers and review configurations from time to time. But at some point,
you have to decide who you trust in this game and how paranoid you can
afford to be.
[1] http://marc.info/?l=openbsd-tech&m=129236621626462&w=2"
http://isc.sans.edu/diary.html?storyid=10087&rss
FUD? True? Plausible?
Stefano
________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List