On 18 Dec 2015, at 11:52, Steven M. Bellovin wrote:
> On 18 Dec 2015, at 7:28, Dave Taht wrote: > >> I think "unauthorized code" is still plausible newspeak for "bug". >> >> Why blame finger foo when you can blame terrorists? > > It looks like two different holes, one a back door for unauthorized > console login and one to somehow leak VPN encryption keys. There are > hints that that latter involved tinkering with certain constants in > the crypto (https://twitter.com/matthew_d_green/status/677871004354371584); > that would squarely point the finger at some government's intelligence > agency. > > I don't know who did it, but neither 'bug' nor 'developer debugging > code' sounds plausible here. https://twitter.com/sweis/status/677896363070259200
