On Wed, Dec 15, 2010 at 12:00:56PM -0500, Stefan Fouant wrote:
> > -----Original Message-----
> > From: mikea [mailto:mi...@mikea.ath.cx]
> > Sent: Wednesday, December 15, 2010 8:28 AM
> > To: nanog@nanog.org
> > Subject: Re: Alleged backdoor in OpenBSD's IPSEC implementation.
> >
> > > Someone is confusing FBI with NSA, methinks. And yes, if this is
> > > the kind of thing not talked about, "NDA"s expire when you do. But
> > > seriously ... this would seem to be the kind of code that Smart People
> > > should be doing security audits on Just Because.
> > >
> > > So rustle up a couple of PostDocs, and give them an idea for a Thesis,
> > > and yer set.
> >
> > More to the point, I think it wouldn't be an NDA, but a security
> > classification on the knowledge of the backdoors, and probably one not
> > subject to automatic downgrading.
>
> Please pardon my ignorance on the matter as I am not involved in any way
> with Open Source development, but it stands to reason that anything of this
> sort would have been scrutinized by the many developers involved with
> OpenBSD and surely would have been discovered at some point. And to further
> that point, is this not something that can be verified now if this code is
> still in the public domain? Or is writing a crypto stack such an esoteric
> task that only a relegated few can possibly decipher the inner workings?
>
> Not that I don't love a good government conspiracy theory, and yes I do
> believe there are a fair amount of backdoors in most code (including that of
> many private and publicly held corporations)... but open source? Just seems
> unlikely to me based on my limited understanding...
In sober honesty, I doubt that there are any backdoors in any *BSD crypto
stack that is really open source -- modulo the issues set out in "On trusting
trust". But while I doubt it, that doesn't mean that I'm certain there are
none.

At this point, a real Conspiracy Theorist (TM) would ramble on about how all
the *BSD crypto stack folks either were co-opted by the NSA or were under
threat of death or worse if they talked.

-- 
Mike Andrews, W5EGO
mi...@mikea.ath.cx
Tired old sysadmin