[Moderator's note: normally I would advise that this sort of discussion be taken to ubuntu-devel-discuss, as it's really much more relevant to other projects such as the Linux kernel than to the development of Ubuntu itself. However, I thought it would be useful to have the chance to reply to this on ubuntu-devel, since this has been in the news recently and I'm sure various people are worried about it.]
On Wed, Dec 15, 2010 at 12:31:13PM -0500, Rodney V wrote:
> I am a longtime user of Ubuntu, and I have concern regarding the recent
> allegations of the FBI placing malicious code in OpenBSD.
>
> Please forward this to other lists as you see fit.
>
> http://arstechnica.com/open-source/news/2010/12/fbi-accused-of-planting-backdoor-in-openbsd-ipsec-stack.ars
>
> The reason for my concern is that the alleged code has been undetected
> for at least 10 years... This worries me that other distributions
> running Unix-like environments may also be compromised by malicious code
> undetected in the Debian/Ubuntu systems as well - including
> applications for a very long time.

It is not at all obvious that the allegations are grounded in fact. The people named in the allegations have explicitly repudiated them (and of course you might say that they would, but their comments seem pretty convincing to me):

http://blog.scottlowe.org/2010/12/14/allegations-regarding-fbi-involvement-with-openbsd/
http://marc.info/?l=openbsd-tech&m=129244045916861&w=2

Who knows what the truth is? I certainly don't. However, it all smells rather odd to me. My first reaction on reading about it was that it sounded like a smear campaign; wouldn't this be an excellent way to try to wreck some developers' careers, if you were so inclined? With enough observation you might even predict that Theo would forward that private e-mail and make use of that to make it all seem more plausible. Of course this is speculation not accusation - for all I know Mr. Perry really is taking the first opportunity to expose a serious problem - and I'm not involved either way, but generally I would recommend applying some healthy scepticism when faced with this sort of thing rather than getting too concerned straight away. Nothing has been proven yet.

> I am asking that Devs and the community please perform a code audit. I
> know this may sound tedious, but the security of Ubuntu/Debian should
> not be allowed to be compromised by anyone.

I understand that the OpenBSD people are performing a code audit anyway, and they're best-placed to do so to start with; as the alleged point of origin, they have all the history directly to hand and can make use of it. They have a superb reputation for this kind of thing and I don't think there's much point in us trying to duplicate their work independently. If you're a security expert, that's probably the effort you should be joining. If they discover something, that will be a good time to analyse other related codebases to try to work out whether it spread. Before that, we shouldn't allow ourselves to be excessively sidetracked when there may be nothing in it.

http://obfuscurity.com/2010/12/Deconstructing-the-OpenBSD-IPsec-Rumors

In any case, I'd expect that the best organisations to perform such an audit would be the maintainers of the IPsec code in the Linux kernel, related userspace tools, and so on.

Finally, this is the clearest post I've seen on this issue so far:

http://marc.info/?l=freebsd-security&m=129247685124261&w=2

-- 
Colin Watson [[email protected]]

-- 
ubuntu-devel mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
