BSD Coder Denies Adding FBI Backdoor
jfruhlinger writes "Theo de Raadt has made the shocking claim that OpenBSD includes a backdoor that the FBI paid coders to build. Brian Proffitt has tracked down one of the programmers named as being on the FBI payroll (actually, he tracked down two programmers with the same name). Both deny working with the FBI."
It was not Theo that made that claim. It was Theo that released the email he got from the guy making that claim! Big big difference!
The difference is that the original story is posted by kdawson, so no registered users will see it, because we've all blocked him from the front page. This one is posted by Taco, so we'll see it.
I am TheRaven on Soylent News
I mean the idea that this person would still be alive when "the NDA expired..." was odd.
Why would the FBI make any NDA on something as shameful as this that would expire during one's lifetime?
I went to battle M.C. Escher, but drew a blank.
You didn't get that this was a follow-up story, then, huh?
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
Oh please, de Raadt didn't claim shit. Here's the original mail.
Theo seems skeptical himself, he just didn't want to hold back a potential security issue.
Who's this "kdawson" you speak of?
Depending on the situation, they might not legally be able to admit it. If your work was Classified, you might be prohibited by law from admitting to it.
Not saying that is true or even likely in this case, but it is possible. I wouldn't want to run afoul of a government NDA.
Lost at C:>. Found at C.
The normal length for classified material is 50 years. That isn't to say it can't last longer or be declassified earlier, but 50 years is the normal NDA length. Why would this be any different? In particular there was the implication that they'd been heavily pushing it because of the backdoor. Ok but they had to know that the NDA was about to expire and thus the jig would be up and it would be, if anything, harmful.
Makes no sense. I am not buying this in the slightest without some proof. Some guy claiming something in an e-mail isn't proof, that is Internet nuttery as normal.
Theo did no such thing. Perry did.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
There was never any OpenBSD contributor named Scott Lowe. Did anyone actually bother to read the source material or check facts, before claiming as such?
The finger was being pointed at Scott Lowe FOR HIS Virtualization BLOG, which are merely articles that discuss the use of OpenBSD.
The mailing list author was making a totally reckless claim, with no proof shown, that he was advocating OpenBSD for the benefit of the FBI, which is a downright ludicrous attention-whoring attempt on the part of someone reposting that claim without corroboration.
A mailing list posting by one person is not a credible source to be taken at face value. Information needs to be corroborated. Posting some random person's vague accusations as front page news borders on gross negligence.
Someone sent an email to Theo making the claim. Theo put it on the internet. Now it's true.
Because it's too much trouble to quote or reproduce Theo's brief email and people wouldn't know what to make of it anyway.
The raw and cold truth is that contributors to all the open OSs can't really be vetted. Not in a meaningful way. And the number of people who are deep low-level 'hackers' capable of writing the code is relatively small. The numbers able to code audit to a level of examination are even fewer. So yes, the code is open, the code is visible, the code can and could be audited. But here is the thing: being auditable is not the same as being audited. And personally, I would not be shocked if, were a full audit run, something might be found.
That being said, this is one step better than closed source, where some of the above is not possible or viable, and in cases where money crosses palms, may in fact be unwanted.
Further to this though, I personally don't expect government to simply roll over and die. I expect them to take steps to try and stay one step ahead of bad things, and the relaxing of technology limits has benefited people across the world, even if I were to make a case that the cost is that at the point of a pyramid - the govs can hunt down the world culprits and suspects. In some cases - releasing the tech in fact has your enemy using that tech after some time and you get to tap into it.
At least it's an interesting story :)
We're all equal
No.
But that's because they're bound by patient confidentiality, and not a boilerplate 10 year "don't talk about anything you learned at work" NDA.
So the two cases don't really compare. At all.
More like, you KNOW there are backdoors in Windows, Mac OS X, iOS, and all the other products they have. But don't switch to open-source purely because it's open-source and therefore, backdoors can't be hidden in the code. Even very careful audits can still miss cleverly hidden backdoors.
The silly thing about this issue is that no one can confirm or deny it, short of a full-on hardcore code review. The people who did it certainly won't say either way (other than "it might"), the ones who know about it won't acknowledge it. And the backdoor doesn't have to be a shell granting root access. It can be a simple matter of key leakage through subtle means, and the code looks otherwise innocuous.
It's no wonder you smell poop, it's coming straight out of your mouth.
-- Linux user #369862
He simply released the email that was sent to him.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
Warning: People denying the existence of robots may be robots themselves.
> If you made a deal to keep a secret you keep that secret.
If I made a deal to keep a secret for five years I keep it for five years.
Of course not. Such a coder would be easily spotted because they know what they are doing and produce clean code that works... This will stand out BIG TIME at Microsoft.
Do not look at laser with remaining good eye.
Funnily, that's exactly what happened to me - I wondered what people were talking about when they said it was a dupe. This is the only website I've ever had to block a submitter on, and kdawson the ONLY author I've ever had to block on any website because every submission I read from them annoyed me or was blatantly complete bollocks.
I only use OSes I can trust!
You don't realize how it is possible to hide evil code in front of someone's face...
http://underhanded.xcott.com/
Go there and read, look at the winning and runner-up entries... If you are a competent coder you can hide things right in front of someone and they will not spot it. It's scary as hell what some of these guys can do.
This means that a code audit would find this so-called back door, yes?
Nope. OpenBSD is audited, but the auditors are human (well, some aren't, but they can only spot categories of bug that are well documented). The code is not formally, mathematically verified (doing so for nontrivial C code is basically impossible), so there's always the possibility of a bug and, as the OpenBSD team says, the only difference between a bug and a vulnerability is the intelligence of the attacker.
Regular code audits increase the probability that a backdoor would be found, but they don't guarantee it. That's why this is such effective FUD: it's basically impossible to prove that it's not true.
Nonsense. Nobody working for this site has ever been a good enough perl coder to pull that off.
Kdawson is just an internet myth, long ago disproven by snopes.
SJW: Someone who has run out of real oppression, and has to fake it.
The allegation is inclusion of a side-channel in the crypto algorithm for leakage of key bits.
If you know about crypto coding, you'll know instantly why that would be easy to hide and hard to find.
IPSEC is a well-documented standard: you can't just stick 'random numbers' which happen to contain parts of the key in the data stream as you could with some home-grown crypto system. The fact that it is a standard which has to interoperate with other implementations of the standard eliminates most of the usual methods of deliberately leaking keys.
Certainly there could be deliberate timing effects, etc, but everyone these days should be using crypto implementations which protect against such things.
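The timing point in the post above, as an added example that is not part of the original thread: an instrumented naive byte comparison beside a constant-time one, counting secret-dependent loop steps as a deterministic stand-in for the wall-clock time a timing side channel observes. SECRET is a constructed sample tag and the function names are my own; the stdlib mitigation is hmac.compare_digest.

```python
# Added example, not from the original thread. Counts secret-dependent
# steps instead of measuring noisy wall-clock time; the step count is what
# a remote timing measurement ultimately reveals.
import hmac
from typing import Callable, List, Tuple

def naive_compare(expected: bytes, received: bytes) -> Tuple[bool, int]:
    """Early-exit compare: returns (equal, steps). Steps depend on the data."""
    steps = 0
    if len(expected) != len(received):
        return False, steps
    for a, b in zip(expected, received):
        steps += 1
        if a != b:
            return False, steps  # stops at the first mismatching byte
    return True, steps

def constant_time_compare(expected: bytes, received: bytes) -> Tuple[bool, int]:
    """Accumulate differences with OR; always walks the full length."""
    steps = 0
    if len(expected) != len(received):
        return False, steps
    diff = 0
    for a, b in zip(expected, received):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps

SECRET = bytes.fromhex("deadbeefcafef00d")  # constructed sample MAC tag

def step_profile(compare: Callable, secret: bytes, probes: List[bytes]) -> List[int]:
    """Step count for each probe; a flat profile means no position leak."""
    return [compare(secret, p)[1] for p in probes]

def leaks_position(compare: Callable, secret: bytes = SECRET) -> bool:
    """True if the step count varies with where the probe first differs."""
    probes = []
    for i in range(len(secret)):
        probe = bytearray(secret)
        probe[i] ^= 0xFF  # flip one byte at position i, rest still correct
        probes.append(bytes(probe))
    return len(set(step_profile(compare, secret, probes))) > 1

if __name__ == "__main__":
    print("naive compare leaks mismatch position:", leaks_position(naive_compare))
    print("constant-time compare leaks:", leaks_position(constant_time_compare))
    print("stdlib compare_digest agrees:", hmac.compare_digest(SECRET, SECRET))
```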
I've been following slashdot for over 10 years and I finally registered an account just a few weeks ago. Why? Because I got so sick of kdawson's inflammatory Fox-news-esque junk articles that I finally decided to register just for the sole purpose of kill-filing him.
How do you know they're planted by the DOD, rather than simply programming mistakes that no one caught?
Hard-coded secondary keys are pretty big programming mistakes. Maybe for debugging, or an old recovery mechanism that was disabled?
Support my political activism on Patreon.
Can't say I have. The last joke I made about bestial dwarf porn got modded up pretty quickly.
Blank until