Slashdot Mirror


De Raadt Doubts Alleged Backdoors Made It Into OpenBSD

itwbennett writes "In follow-up to last week's controversy over allegations that the FBI installed a number of back doors into the encryption software used by the OpenBSD operating system, OpenBSD lead developer Theo de Raadt said on a discussion list Tuesday that he believes that a government contracting firm that contributed code to his project 'was probably contracted to write backdoors,' which would grant secret access to encrypted communications, but that he doesn't think that any of this software made it into the OpenBSD code base."

7 of 136 comments

  1. Audit necessary by dewarrn1 · Score: 5, Insightful

    I hope that he's right, but without a thorough audit, who can say?

    1. Re:Audit necessary by CAPSLOCK2000 · Score: 5, Informative

      Even with a thorough audit you will never be sure. That's the beauty of these kinds of accusations: no matter what you do, you can never be 100% sure.
      OpenBSD is among the best audited code in the world. People have been looking for this backdoor specifically for an entire week and nothing fishy has been found yet.

    2. Re:Audit necessary by Anonymous Coward · Score: 5, Interesting

      Well, great way to halt the actual development, right?

      Remember how Microsoft accused ReactOS of copying NT code?

      They spent LOTS of time auditing.

    3. Re:Audit necessary by Anonymous Coward · Score: 5, Funny

      I hope that he's right, but without a thorough audit, who can say?

      It is physically impossible that a backdoor makes it past De Raadt's ego into the kernel.

    4. Re:Audit necessary by milonssecretsn · Score: 5, Informative

      OpenBSD does have an ongoing code audit

      Perhaps not as thorough as you were suggesting. However, I think for others who are not familiar with OpenBSD's ongoing code audit, the above link will be essential for fully understanding these stories.

      --
      Hey, I was only kidding. You don't have to MOD me "Troll" . . . again . . . .

    5. Re:Audit necessary by mysidia · Score: 5, Insightful

      I hope that he's right, but without a thorough audit, who can say?

      The whole scare behind crypto backdoors is that they can include side-channel leakage, and they can include subtle leakage through the underlying drivers, which can amount to elaborate timing vulnerabilities and other types of vulnerabilities intentionally introduced that are poorly understood by developers in general.

      Remember... even though the crypto in the SSH protocol was perfectly sound, as you were typing a password in SSH, a timing attack could be used to assist an attacker in guessing the password typed. For example, the minute timing between keystrokes can identify some passwords that are much more likely to have been typed than others, reducing the attack required to something much easier than brute force.

      You can have a backdoor without even revealing the key material or having an obvious vulnerability; all the 3 letter agencies need is a mechanism of reducing the work to crack the key to something much less than brute force. If the operation of the cryptosystem in any way makes the key easier to get than brute force, then the attacker's work is massively reduced.

      In other words, it's so subtle that even a thorough audit cannot say, and a complete rewrite of the code would be required to guarantee no intentional backdoors by the original authors (though it won't guarantee no backdoors by the new authors, and it definitely won't guarantee no subtle vulnerabilities).

      It's possible that there can be no visible error for an audit to discover, and yet the way the code is structured could cause information to still be vulnerable through essentially a form of compromising virtual emissions.
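The kind of leak mysidia describes, where the code is functionally correct but its running time depends on secret data, is easiest to see on a tag comparison. The following is an added example written for this page, not code from the thread or from OpenBSD: it puts an early-exit comparison next to a constant-time one in the style of OpenBSD's timingsafe_bcmp(3), and counts how many bytes each routine examines for guesses that match a constructed secret tag in a growing prefix. The secret tag, the `bytes_examined` helper and the 8-byte tag length are assumptions made for the demonstration. The defensive point is the one an auditor checks for: a comparison whose work tracks the matching prefix leaks one byte at a time, while the constant-time version does the same work for every input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison of two n-byte tags. It returns at the first
 * mismatching byte, so the number of bytes visited (and the running time)
 * grows with the length of the matching prefix. *steps reports that count. */
int naive_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    size_t i;
    *steps = 0;
    for (i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison in the style of OpenBSD's timingsafe_bcmp(3):
 * every byte is visited whatever the inputs, and differences are
 * accumulated with OR instead of a data-dependent early return. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t diff = 0;
    size_t i;
    *steps = 0;
    for (i = 0; i < n; i++) {
        (*steps)++;
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}

#define TAG_LEN 8

/* Constructed sample secret tag for the demonstration; not real key material. */
static const uint8_t SECRET[TAG_LEN] = {0x9a, 0x3f, 0x00, 0x71, 0xc2, 0x5e, 0x18, 0xb4};

/* Hypothetical helper: build a guess that matches SECRET in its first
 * `prefix` bytes and differs everywhere after, compare it with the chosen
 * routine, and return how many bytes that routine examined. A count that
 * tracks `prefix` is exactly the leak; a flat count is the mitigation. */
size_t bytes_examined(size_t prefix, int constant_time)
{
    uint8_t guess[TAG_LEN];
    size_t j, steps;

    if (prefix > TAG_LEN)
        prefix = TAG_LEN;
    memcpy(guess, SECRET, prefix);
    for (j = prefix; j < TAG_LEN; j++)
        guess[j] = SECRET[j] ^ 0xff;   /* guaranteed mismatch after the prefix */

    if (constant_time)
        ct_compare(SECRET, guess, TAG_LEN, &steps);
    else
        naive_compare(SECRET, guess, TAG_LEN, &steps);
    return steps;
}

int main(void)
{
    size_t k;
    for (k = 0; k <= TAG_LEN; k++)
        printf("matching prefix %zu: early-exit examines %zu bytes, constant-time examines %zu\n",
               k, bytes_examined(k, 0), bytes_examined(k, 1));
    return 0;
}
```

Compiled and run as is, the early-exit column climbs from 1 to 8 as the matching prefix grows, while the constant-time column stays at 8 throughout; the only data-dependent operation left in `ct_compare` is the final `diff == 0`, which reveals nothing about where the bytes differed. The same review question, whether any branch, loop bound or memory index depends on secret bytes, applies to a driver or a key schedule just as it does to this comparison.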

  2. The Spine Defense by Giant+Ape+Skeleton · Score: 5, Funny

    I think you must really have no spine if you accept money from the FBI to backdoor crypto software.

    "I needed the money to pay for my prosthetic spine!"

    --
    The difference between stupidity and genius is that genius has its limits.