

BSD Coder Denies Adding FBI Backdoor

jfruhlinger writes "Theo de Raadt has made the shocking claim that OpenBSD includes a backdoor that the FBI paid coders to build. Brian Proffitt has tracked down one of the programmers named as being on the FBI payroll (actually, he tracked down two programmers with the same name). Both deny working with the FBI."

13 of 239 comments

  1. Please correct. by santax · · Score: 5, Informative

    It was not Theo that made that claim. It was Theo that released the email he got from the guy making that claim! Big big difference!

    1. Re:Please correct. by santax · · Score: 5, Informative

      You haven't read that mail if you are saying that. Just read the damn mail! http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

    2. Re:Please correct. by jfruhlinger · · Score: 5, Informative

      I'm the one who submitted it to Slashdot, and it's totally my fault, not a mistake in TFA. Apologies.

    3. Re:Please correct. by John Hasler · · Score: 5, Insightful

      It isn't totally your fault. It is also the fault of the Slashdot editor who didn't bother to read the article.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    4. Re:Please correct. by tenchikaibyaku · · Score: 4, Insightful

      Even if there's no truth whatsoever behind the initial claim, I suspect we'll be seeing this pop up in various more and less accurate forms for several years to come.

  2. Re:Oh come on by TheRaven64 · · Score: 4, Insightful

    The difference is that the original story is posted by kdawson, so no registered users will see it, because we've all blocked him from the front page. This one is posted by Taco, so we'll see it.

    --
    I am TheRaven on Soylent News
  3. The whole story seemed a bit off by Fibe-Piper · · Score: 4, Interesting

    I mean the idea that this person would still be alive when "the NDA expired..." was odd.

    Why would the FBI make any NDA on something as shameful as this that would expire during one's lifetime?

    --
    I went to battle M.C. Escher, but drew a blank.
  4. Well it might by Sycraft-fu · · Score: 4, Insightful

    The normal length for classified material is 50 years. That isn't to say it can't last longer or be declassified earlier, but 50 years is the normal NDA length. Why would this be any different? In particular there was the implication that they'd been heavily pushing it because of the backdoor. OK, but they had to know that the NDA was about to expire and thus the jig would be up and it would be, if anything, harmful.

    Makes no sense. I am not buying this in the slightest without some proof. Some guy claiming something in an e-mail isn't proof, that is Internet nuttery as normal.

  5. What the hell? by mysidia · · Score: 5, Insightful

    There was never any OpenBSD contributor named Scott Lowe. Did anyone actually bother to read the source material or check facts, before claiming as such?

    The finger was being pointed at Scott Lowe FOR HIS Virtualization BLOG, which is merely a set of articles that discuss the use of OpenBSD.

    The mailing list author was making a totally reckless claim, with no proof shown, that he was advocating OpenBSD for the benefit of the FBI, which is a downright ludicrous attention-whoring attempt on the part of someone reposting that claim without corroboration.

    A mailing list posting by one person is not a credible source to be taken at face value. Information needs to be corroborated. Posting some random person's vague accusations as front page news borders on gross negligence.

  6. Theo didn't make the claim by 7x7 · · Score: 4, Insightful

    Someone sent an email to Theo making the claim. Theo put it on the internet. Now it's true.

  7. Bump by AdmV0rl0n · · Score: 5, Interesting

    The raw and cold truth is that contributors to all the open OSs can't really be vetted. Not in a meaningful way. And the number of people who are deep low-level 'hackers' capable of writing the code is relatively small. The number able to code audit to a level of examination is even fewer. So yes, the code is open, the code is visible, the code can and could be audited. But here is the thing: being auditable is not the same as being audited. And personally, I would not be shocked if a full audit were run and something were found.

    That being said, this is one step better than closed source, where some of the above is not possible or viable, and in cases where money crosses palms, may in fact be unwanted.

    Further to this though, I personally don't expect government to simply roll over and die. I expect them to take steps to try and stay one step ahead of bad things, and the relaxing of technology limits has benefited people across the world, even if I were to make a case that the cost is that at the point of a pyramid - the govs can hunt down the world culprits and suspects. In some cases - releasing the tech in fact has your enemy using that tech after some time and you get to tap into it.

    At least its an interesting story :)

    --
    We're all equal .. Just some of us are less equal than others.
  8. Re:No BBlobs? by Lumpy · · Score: 5, Interesting

    You don't realize how it is possible to hide evil code in front of someone's face.

    http://underhanded.xcott.com/

    Go there and read, look at the winning and runner-up entries... If you are a competent coder you can hide things right in front of someone and they will not spot it. It's scary as hell what some of these guys can do.

    --
    Do not look at laser with remaining good eye.
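The kind of hide-in-plain-sight flaw the Underhanded C Contest linked above rewards, as an added C example that is not from this thread, the contest, or OpenBSD: a constructed token check whose only defect is which string's length bounds the comparison, placed beside a hardened version. The secret value, the probe strings, and the function names are all made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not real project code. In review this reads as
 * "compare the bytes the caller supplied", but the third argument to
 * strncmp is the length of the attacker-controlled string, so any prefix
 * of the secret, including the empty string, is accepted. */
int check_token_subtle(const char *expected, const char *supplied)
{
    return strncmp(expected, supplied, strlen(supplied)) == 0;
}

/* Hardened version: the lengths must match exactly, then every byte is
 * compared with no early exit, so the result does not depend on where the
 * first mismatch sits. Rejecting on a length mismatch reveals only the
 * secret's length, which is acceptable for fixed-size tokens. */
int check_token_hardened(const char *expected, const char *supplied)
{
    size_t n = strlen(expected);
    if (strlen(supplied) != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)expected[i] ^ (unsigned char)supplied[i];
    return diff == 0;
}

/* Feed a fixed set of constructed attacker inputs to a checker and return
 * how many it accepts. Only the exact secret should pass. */
int count_accepted(int (*check)(const char *, const char *), const char *secret)
{
    static const char *const probes[] = {
        "",               /* empty: strncmp with length 0 compares nothing */
        "s",              /* one-byte prefix of the secret */
        "s3cr",           /* longer prefix */
        "s3cret-token",   /* the real value */
        "wrong",          /* unrelated string */
        "s3cret-tokenX",  /* secret plus a trailing byte */
    };
    int accepted = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        accepted += check(secret, probes[i]);
    return accepted;
}

int main(void)
{
    const char *secret = "s3cret-token";   /* constructed secret */
    printf("subtle   check accepts %d of 6 probes\n",
           count_accepted(check_token_subtle, secret));
    printf("hardened check accepts %d of 6 probes\n",
           count_accepted(check_token_hardened, secret));
    return 0;
}
```

The subtle version accepts four of the six probes (the empty string, two prefixes, and the real value); the hardened one accepts only the real value. Nothing about the flawed line looks wrong in isolation, which is the point: a reviewer has to ask whose length is bounding every comparison, not merely whether a bound is present.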
  9. Re:Smells like FUD to me by TheRaven64 · · Score: 5, Insightful

    This means that a code audit would find this so-called back door, yes?

    Nope. OpenBSD is audited, but the auditors are human (well, some aren't, but they can only spot categories of bug that are well documented). The code is not formally, mathematically verified (doing so for nontrivial C code is basically impossible), so there's always the possibility of a bug and, as the OpenBSD team says, the only difference between a bug and a vulnerability is the intelligence of the attacker.

    Regular code audits increase the probability that a backdoor would be found, but they don't guarantee it. That's why this is such effective FUD: it's basically impossible to prove that it's not true.

    --
    I am TheRaven on Soylent News