Linked by Thom Holwerda on Tue 14th Dec 2010 23:55 UTC, submitted by Oliver
Okay, this is potentially very big news that really needs all the exposure it can get. OpenBSD's Theo de Raadt has received an email in which it was revealed to him that ten years ago, the FBI paid several open source developers to implement hidden backdoors in OpenBSD's IPSEC stack. De Raadt decided to publish the email for all to see, so that the code in question can be reviewed. Insane stuff.
It was a glib response to a glib answer, that's it. My point (which I still stand by) is that it is much easier to find something that does something completely different than its intent, than something that does what's intended, but where the author didn't think of one of the cases that ends up happening to real world people. If the person who originally wrote it didn't manage to think of it, it usually means you could read it and not catch it either.

On the other hand, when you read a method that says that it is (for example) reading a file, and instead uploads your passwd file to a remote website, it is hard to miss what it is doing. There are ways you can obfuscate it, but mostly that just makes things unreadable. Blobs of unreadable code should be targets for refactoring, which would expose the issue.

The only way that they would even be comparable is if the back door wasn't written as a back door, but more as a vulnerability (i.e. an intentional bug). In that case, I wouldn't say it was easier or harder to find; it would be the same.

I think that is common sense, and anyone who knows enough to be able to understand the difference between a bug and a feature would be able to see how that is obvious. I don't think that it means that it disproves the whole "many eyes make for shallow bugs" thing, but I do think the assertion that bugs are easier to find than code that says it does one thing but actually does another is, to be frank, downright moronic.

So, I thought I was banging out a quick, sort of funny response to a dumb comment. If you want to talk about this, I'm totally fine with that, since you don't seem to be an idiot (which is why I am taking the time to write this out). I wasn't really trying to troll, but at the same time I wasn't seriously trying to debate a point either.

Reply Parent Score: 2