Linked by Thom Holwerda on Tue 14th Dec 2010 23:55 UTC, submitted by Oliver
Okay, this is potentially very big news that really needs all the exposure it can get. OpenBSD's Theo de Raadt has received an email in which it was revealed to him that ten years ago, the FBI paid several open source developers to implement hidden backdoors in OpenBSD's IPSEC stack. De Raadt decided to publish the email for all to see, so that the code in question can be reviewed. Insane stuff.
james_parker
Member since: 2005-06-29

If you are scared or concerned about this article and what may be in Open Source software, you must read this, and think about its ramifications:

http://cm.bell-labs.com/who/ken/trust.html

This technique, which was actually implemented in early Unix systems (which were distributed with all the source code), allows for back doors to be included in source-based projects, while being invisible in the source code itself!

That means, for example, that your gcc compiler may have this embedded in it; you can thoroughly review every line of that source code and find nothing, but if you recompile it from source (to make sure that nothing is hidden in the binary), the back door is re-inserted into the new executable.

BTW, the original Unix hack was finally discovered by a student who was using dbx (which wasn't part of the original Unix system -- it was "brand new code") to debug the login command, and discovered an odd "jump" in the program counter.

This technique may be made more complicated (and harder to find) by incorporating the same form of "hiding hack" in the available debuggers and assemblers as well.

Given today's revelation, I would not be surprised to find this has already been done in common Open Source software.

Score: 9
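The self-reinserting compiler back door described in the comment above, as an added toy model that is not part of the original post and not code from any real compiler: it shows that rebuilding from reviewed source keeps the hidden logic, and that a diverse double-compile (a check the comment does not mention) exposes it. Assumptions: all names and strings are hypothetical, "binaries" are plain strings, and both compilers are deterministic.

```python
import hashlib

# Constructed stand-ins: every name and string here is hypothetical.
COMPILER_SRC = "cc: translate source to binary"   # fully reviewed, no back door
LOGIN_SRC = "login: accept only the correct password"

def honest_compile(src):
    """Clean compiler logic: the output depends only on the source."""
    return "BIN[" + src + "]"

def trojaned_compile(src):
    """Logic living only in a compiler *binary*, never in COMPILER_SRC."""
    out = honest_compile(src)
    if src.startswith("login:"):
        out += "+BACKDOOR"   # the target program gets the back door
    if src.startswith("cc:"):
        out += "+TROJAN"     # a rebuilt compiler inherits the hidden logic
    return out

def independent_compile(src):
    """A second, unrelated compiler: same semantics, different output bytes."""
    return "ALT[" + src + "]"

def rebuild(compiler_binary, src):
    """Run a compiler binary on src; only +TROJAN binaries misbehave."""
    run = trojaned_compile if compiler_binary.endswith("+TROJAN") else honest_compile
    return run(src)

def digest(binary):
    return hashlib.sha256(binary.encode()).hexdigest()

def ddc_matches(suspect_binary, compiler_src, trusted_compile):
    """Diverse double-compiling: regenerate the compiler via an independent
    toolchain and compare it bit for bit with the binary under suspicion."""
    stage1 = trusted_compile(compiler_src)   # built by the independent compiler
    stage2 = rebuild(stage1, compiler_src)   # clean compiler compiles itself
    return digest(stage2) == digest(suspect_binary)

def demo():
    shipped = trojaned_compile(COMPILER_SRC)     # the distributed binary
    rebuilt = rebuild(shipped, COMPILER_SRC)     # "recompile from clean source"
    return {
        "rebuild_still_trojaned": rebuilt == shipped,
        "login_backdoored": rebuild(rebuilt, LOGIN_SRC).endswith("+BACKDOOR"),
        "ddc_flags_shipped": not ddc_matches(shipped, COMPILER_SRC, independent_compile),
        "ddc_passes_clean": ddc_matches(honest_compile(COMPILER_SRC), COMPILER_SRC, independent_compile),
    }
```

The check only means something if the independent compiler does not share the same hidden logic, which is why it has to come from an unrelated toolchain.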