On Thu, 4 Mar 2021 15:05:29 +0000
Joe <j...@jretrading.com> wrote:

> On Thu, 4 Mar 2021 08:10:45 -0500
> Celejar <cele...@gmail.com> wrote:
>
> > On Thu, 4 Mar 2021 09:41:13 +0000
> > Joe <j...@jretrading.com> wrote:

...

> > > Indeed. The new heartbeat/data return function in OpenSSL, itself
> > > the core of much Open Source security, was suggested by the
> > > programmer himself, and the resulting code was audited by *one*
> > > other person before approval and distribution. What could possibly
> > > go wrong?
> >
> > The problem I have with your claim is that AFAIK none of the
> > ostensible compromises you assume exist have ever been discovered. I
> > know there's speculation that this was a backdoor:
> >
> > https://www.debian.org/security/2008/dsa-1571
> > https://freedom-to-tinker.com/2013/09/20/software-transparency-debian-openssl-bug/
> >
> > but that's never been established, and my understanding is that it's
> > considered unlikely.
>
> It was certainly a backdoor for those who knew about it, whether it was
> accidental or deliberate is not known, as with Heartbleed.
>
> In both cases as I understand it, the error was clear in the source
> code, and does not require the existence of a compromised toolchain.
> But I don't believe that someone building, say, Linux From Scratch will
> end up with a guaranteed backdoor-free system.

Well, yes, if you redefine "backdoor" to mean "a vulnerability that
enables outsiders to access a system," then I agree that realistically,
there will never be any "guaranteed backdoor-free system," at least not
with current technology.

> > Human beings being what they are, is it really plausible that no one
> > involved has ever let the cat out of the bag? Are the TLAs really that
> > good at what they do? I mean, we have Snowden ...
> >
>
> There was a maximum of two people involved in Heartbleed, apart from
> any hypothetical intelligence paymasters. It really would be possible
> for a bit of clandestine computer code to be known only to one or two
> people in exactly the right position in an organisation. The VW
> emissions fix would have been known to only a couple of people, and was
> discovered empirically, not reported by a whistleblower.

A fair point. But I still don't find it that plausible that this kind of
thing would be widespread with barely any hint of it ever coming to
light.

Celejar