Linked by Thom Holwerda on Tue 14th Dec 2010 23:55 UTC, submitted by Oliver
Okay, this is potentially very big news that really needs all the exposure it can get. OpenBSD's Theo de Raadt has received an email in which it was revealed to him that ten years ago, the FBI paid several open source developers to implement hidden backdoors in OpenBSD's IPSEC stack. De Raadt decided to publish the email for all to see, so that the code in question can be reviewed. Insane stuff.
7 years, but only high level application languages (ruby/perl/lisp/a bit of smalltalk/c#/java), never done systems stuff.

I can sort of muddle through C++ (never really had interest or job opportunities), but something like "if(x > rx * 3 && x <= (rx + rwidth) * 3 && y > ry && y < ry + rheight)" I wouldn't consider to be that great in any language, and a prime candidate for refactoring. You may not catch it in a security audit, but you will if you are trying to maintain quality in your code base.

In any case, I will concede that a deliberate obfuscation like what you linked to is of equal difficulty to find as a bug in similarly gnarly code. What I don't buy is that it is significantly harder to find, which was the implication of the person I was responding to.

wrt the whole incompetence remark, we're talking about skimming an article and banging something out while drinking my coffee getting ready to start the day. I probably would have said the same thing as the previous paragraph in a great deal less condescending way if I had fully read the article and thought through what it probably was referring to. I would call that "introducing a vulnerability"; a back door to me sounds more like I am expecting something in a specific format, but if I get it in another format just return true. That sort of misunderstanding would definitely be incompetence if I were in the security industry, but that is very very far from what I do.
