Slashdot Mirror


De Raadt Doubts Alleged Backdoors Made It Into OpenBSD

itwbennett writes "In follow-up to last week's controversy over allegations that the FBI installed a number of back doors into the encryption software used by the OpenBSD operating system, OpenBSD lead developer Theo de Raadt said on a discussion list Tuesday that he believes that a government contracting firm that contributed code to his project 'was probably contracted to write backdoors,' which would grant secret access to encrypted communications, but that he doesn't think that any of this software made it into the OpenBSD code base."

6 of 136 comments

  1. Re:Audit necessary by CAPSLOCK2000 · · Score: 5, Informative

    Even with a thorough audit you will never be sure. That's the beauty of these kinds of accusations: no matter what you do, you can never be 100% sure.
    OpenBSD is among the best audited code in the world. People have been looking for this backdoor specifically for an entire week and nothing fishy has been found yet.

  2. Link to the ACTUAL FREAKING POST by brunes69 · · Score: 4, Informative

    Since the useless summary did not include one

    http://marc.info/?l=openbsd-tech&m=129296046123471&w=2

  3. Link directly to Theo's post by martyros · · Score: 4, Informative

    A link to Theo's post on the subject is much more informative.

    Highlights:

    • Two of the guys named in the original allegation did work on the security stack, but
    • Almost certainly didn't check in any malicious code, and
    • "wrote much code in many areas that we all rely on. Daily. Outside the ipsec stack."

    Also:

    I believe that NETSEC was probably contracted to write backdoors as alleged. If those were written, I don't believe they made it into our tree. They might have been deployed as their own product.

    --

    TCP: Why the Internet is full of SYN.

  4. Re:Audit necessary by milonssecretsn · · Score: 5, Informative

    OpenBSD does have an ongoing code audit

    Perhaps not as thorough as you were suggesting. However, I think for others who are not familiar with OpenBSD's ongoing code audit, the above link will be essential for fully understanding these stories.

    --
    Hey, I was only kidding. You don't have to MOD me "Troll" . . . again . . . .

  5. Re:Sorry, but how..? by 0123456 · · Score: 3, Informative

    Read this for an idea, someone hacked in some well crafted code that appeared innocent, had the machine not been hacked it probably would have stayed

    That code is neither innocent nor well-crafted. Setting uid to zero is not 'innocent' and using '&& (x = 0)' is not well-crafted since it will always evaluate to false. I don't know whether the compiler will generate a warning in that case, but it should, and while a brief look through the code might miss that it's using = instead of ==, any kind of code review worthy of the name would spot it and flame the developer who wrote it.
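    The '=' versus '==' slip that this comment describes, as an added example that is not code from the thread or from any project: a small C review check that scans if/while conditions for an assignment operator and flags the line even when the assignment is wrapped in its own parentheses. That wrapping matters for the "will the compiler warn" question above: GCC's -Wparentheses warning about an assignment used as a truth value is suppressed precisely when the assignment is put in extra parentheses, so a source-level check that ignores the parentheses is a useful complement. The sample lines, and names such as WANT_CLONE and READY, are constructed for the demonstration and do not come from any real code base.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* True if c can be part of a C identifier. */
static int ident_char(char c) { return isalnum((unsigned char)c) || c == '_'; }

/* True if s[0..n) contains a lone assignment operator: a '=' that is not part of
 * ==, !=, <=, >=. Compound assignments such as |= inside a condition are reported too. */
static int has_lone_assign(const char *s, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (s[i] != '=') continue;
        char prev = i > 0 ? s[i - 1] : '\0';
        char next = i + 1 < n ? s[i + 1] : '\0';
        if (next == '=') { i++; continue; }                      /* '==' comparison */
        if (prev == '!' || prev == '<' || prev == '>') continue; /* !=, <=, >=      */
        return 1;
    }
    return 0;
}

/* Locate the balanced parenthesised condition after an 'if' or 'while' keyword on
 * one line. On success stores the span between the outer parentheses, returns 1. */
static int find_condition(const char *line, const char **start, size_t *len) {
    static const char *kws[] = { "if", "while" };
    for (const char *p = line; *p; p++) {
        if (p != line && ident_char(p[-1])) continue;   /* keyword must begin a word */
        for (size_t k = 0; k < 2; k++) {
            size_t kl = strlen(kws[k]);
            if (strncmp(p, kws[k], kl) != 0 || ident_char(p[kl])) continue;
            const char *q = p + kl;
            while (*q == ' ' || *q == '\t') q++;
            if (*q != '(') continue;
            int depth = 0;
            for (const char *r = q; *r; r++) {
                if (*r == '(') depth++;
                else if (*r == ')' && --depth == 0) {
                    *start = q + 1;
                    *len = (size_t)(r - q - 1);
                    return 1;
                }
            }
            return 0;   /* parentheses not balanced on this line: nothing to check */
        }
    }
    return 0;
}

/* Review check for one source line: 1 if an if/while condition contains an assignment. */
int flag_assignment_in_condition(const char *line) {
    const char *cond;
    size_t n;
    return find_condition(line, &cond, &n) && has_lone_assign(cond, n);
}

/* Run the check over a newline-separated buffer; prints each hit with its line
 * number and returns the number of flagged lines. */
int count_flagged(const char *src) {
    int flagged = 0, lineno = 0;
    char buf[256];
    while (*src) {
        size_t n = strcspn(src, "\n");
        size_t copy = n < sizeof buf ? n : sizeof buf - 1;
        memcpy(buf, src, copy);
        buf[copy] = '\0';
        lineno++;
        if (flag_assignment_in_condition(buf)) {
            printf("line %d: assignment inside condition: %s\n", lineno, buf);
            flagged++;
        }
        src += n;
        if (*src == '\n') src++;
    }
    return flagged;
}

/* Constructed sample, not real kernel source. Lines 2 and 3 carry the slip:
 * line 2 compares on the left but assigns on the right, line 3 uses |= in a loop test. */
const char *SAMPLE =
    "if ((opts == WANT_CLONE) && (uid == 0))\n"
    "if ((opts == WANT_CLONE) && (uid = 0))\n"
    "while (count != 0 && (flags |= READY))\n"
    "if (x <= 3 || y >= 4)\n"
    "int retval = 0; /* plain assignment outside a condition is fine */\n";

int main(void) {
    int n = count_flagged(SAMPLE);
    printf("%d flagged line(s)\n", n);   /* 2 */
    return 0;
}
```

    The check is deliberately line-local and syntax-light, so it is a reviewer's aid rather than a parser: it will miss a condition split over several lines and it does not look inside string literals. Its value is that, unlike the compiler warning, it is not silenced by the extra parentheses, which is exactly the form a hard-to-spot `(x = 0)` takes.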

  6. Yes, you are right... by PaulBu · · Score: 4, Informative

    "Reflections on trusting trust", by Ken Thompson:

    http://cm.bell-labs.com/who/ken/trust.html

    Paul B.