On Fri, Dec 18, 2015 at 8:03 AM, Steven M. Bellovin <s...@cs.columbia.edu> wrote:
> On 18 Dec 2015, at 11:52, Steven M. Bellovin wrote:
>
>> On 18 Dec 2015, at 7:28, Dave Taht wrote:
>>
>>> I think "unauthorized code" is still plausible newspeak for "bug".
>>>
>>> Why blame finger foo when you can blame terrorists?
>>
>> It looks like two different holes, one a back door for unauthorized
>> console login and one to somehow leak VPN encryption keys. There are
>> hints that that latter involved tinkering with certain constants in
>> the crypto (https://twitter.com/matthew_d_green/status/677871004354371584);
>> that would squarely point the finger at some government's intelligence
>> agency.
>>
>> I don't know who did it, but neither 'bug' nor 'developer debugging
>> code' sounds plausible here.
>
> https://twitter.com/sweis/status/677896363070259200

That tweet got deleted, apparently to redraft/correct; is this the equivalent?

https://twitter.com/sweis/status/677897914643976193

https://gist.github.com/hdm/107614ea292e856faa81#file-ssg500-6-3-0r12-0-diff-L16

Royce