Linked by Thom Holwerda on Tue 14th Dec 2010 23:55 UTC, submitted by Oliver
OpenBSD Okay, this is potentially very big news that really needs all the exposure it can get. OpenBSD's Theo de Raadt has received an email in which it was revealed to him that ten years ago, the FBI paid several open source developers to implement hidden backdoors in OpenBSD's IPSEC stack. De Raadt decided to publish the email for all to see, so that the code in question can be reviewed. Insane stuff.
james_parker
Member since:
2005-06-29

It is easy to prove that gcc does not have the Thompson hack. (Technically, the proof shows either that gcc doesn't have the hack or else all C compilers have the identical hack).


Actually, the proof is not nearly that strong. Rather than requiring all C compilers to have it, only the set of C compilers on which this test was tried and passed must have it. Now, if a new C compiler, with a clean-room design and tests, were written and the test passed, this would dramatically increase the confidence (it would be imperfect, since there may be some structural indication that this is a C compiler that an infected "booting" compiler would detect and use to propagate the hack). Also, libraries, assemblers, parser generators, etc., must also be checked.

Given sufficient resources it could be increasingly difficult to detect; however, the US Federal Government (FBI, CIA, NSA) would be one of the very few -- if not the only -- entities with the resources to do it; further, the cost of doing so would be far higher than that needed to detect it.

Edited 2010-12-15 01:26 UTC

Reply Parent Score: 2
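To make the point above concrete, here is an added toy model (not from this thread or from any project it mentions) of the check being debated, read here as diverse double-compiling: rebuild the suspect compiler from its source with an independent compiler, then compare against the suspect rebuilding itself. The marker string, the source text and the compiler names are constructed for the example; a "binary" is modelled as a digest of its source plus a flag for a riding payload.

```python
"""Toy model of diverse double-compiling against a Thompson-style compiler trojan."""
from dataclasses import dataclass
import hashlib

def _h(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()[:16]

@dataclass(frozen=True)
class Binary:
    """A compiled compiler: what its source says it does, plus any riding trojan."""
    code: str       # digest standing in for the honestly compiled program text
    trojan: bool    # True if a self-propagating Thompson payload is present

def run(compiler: Binary, source: str) -> Binary:
    """Run a compiler binary on a source file and return the produced binary.

    An honest compiler emits exactly what the source says.  A trojaned compiler
    does too, except that when it recognises compiler source (here a constructed
    marker string, the 'structural indication' the comment mentions) it
    re-inserts its payload so the hack survives recompilation from clean source.
    """
    out = Binary(code=_h(source), trojan=False)
    if compiler.trojan and "this_is_a_c_compiler" in source:
        out = Binary(code=out.code, trojan=True)
    return out

def ddc_check(suspect: Binary, suspect_source: str, trusted: Binary) -> bool:
    """Diverse double-compiling: True means no divergence was detected."""
    stage1 = run(trusted, suspect_source)       # trusted compiler builds suspect source
    stage2 = run(stage1, suspect_source)        # that result rebuilds the same source
    regenerated = run(suspect, suspect_source)  # suspect compiler rebuilds itself
    return stage2 == regenerated

# Constructed sample inputs: same source, one clean build and one carrying the hack.
GCC_SOURCE = "/* constructed sample */ this_is_a_c_compiler: parse -> codegen"
CLEAN_GCC  = Binary(code=_h(GCC_SOURCE), trojan=False)
TROJAN_GCC = Binary(code=_h(GCC_SOURCE), trojan=True)  # source is identical; payload rides in the binary
CLEAN_ROOM = Binary(code=_h("independent clean-room compiler"), trojan=False)
SAME_HACK  = Binary(code=_h("independent compiler"), trojan=True)  # different code base, identical hack

if __name__ == "__main__":
    print("clean gcc, honest reference  :", ddc_check(CLEAN_GCC, GCC_SOURCE, CLEAN_ROOM))
    print("trojan gcc, honest reference :", ddc_check(TROJAN_GCC, GCC_SOURCE, CLEAN_ROOM))
    print("trojan gcc, same-hack reference:", ddc_check(TROJAN_GCC, GCC_SOURCE, SAME_HACK))
```

The third case is the comment's caveat in miniature: a reference compiler that carries the identical hack reproduces the payload through both stages, so the comparison passes and proves nothing about that pair.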