Linked by Thom Holwerda on Tue 14th Dec 2010 23:55 UTC, submitted by Oliver
OpenBSD Okay, this is potentially very big news that really needs all the exposure it can get. OpenBSD's Theo de Raadt has received an email in which it was revealed to him that ten years ago, the FBI paid several open source developers to implement hidden backdoors in OpenBSD's IPSEC stack. De Raadt decided to publish the email for all to see, so that the code in question can be reviewed. Insane stuff.
Thread beginning with comment 453594
Comment by porcel
by porcel on Wed 15th Dec 2010 00:44 UTC
porcel
Member since:
2006-01-28

The level of real code review within OpenBSD can never match that of bigger and better supported projects, which is why this went undetected for as long as it did.

The more people and nations that have a lot riding on the security of an operating system, the less likely that it can be tampered with without detection.

One last thing, it is time that everyone moves to git and to signed commits as done in the linux kernel so that there is complete traceability of any and all changes.

If you think this might be an issue with open source code, just stop and really think what it probably is like in most closed source software and operating systems.

Reply Score: 2
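The suggestion above (git plus signed commits, as the Linux kernel uses them) is easy to demonstrate. The script below is an added example for this thread, not code from the commenter, from OpenBSD or from the kernel project: it creates a throwaway GPG key in a temporary GNUPGHOME, makes one signed commit and one commit with signing switched off, then audits the history with `git log --format='%G?'`, which is the check a maintainer would script to catch changes that nobody accountable signed. It assumes `git` and `gpg` are installed and prints "skipped" otherwise; the identity, e-mail address and file name are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the OSNews thread, OpenBSD or Linux): what signed
# commits buy you in git. Assumes git and gpg are installed; everything
# happens in a temporary directory and is removed afterwards.
# "Reviewer", reviewer@example.invalid and ipsec.c are invented for the demo.

# Prints the number of commits in a fresh test repo whose signature does not
# verify, or "skipped" when git or gpg is not available.
count_unverified_commits() {
  command -v git >/dev/null 2>&1 || { echo skipped; return 0; }
  command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }

  work=$(mktemp -d)
  GNUPGHOME="$work/gnupg"; export GNUPGHOME
  mkdir -m 700 "$GNUPGHOME"

  # Throwaway signing key with no passphrase, so nothing prompts.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Reviewer <reviewer@example.invalid>' default default 0 \
      >/dev/null 2>&1
  fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')

  repo="$work/repo"
  git init -q "$repo"
  git -C "$repo" config user.name Reviewer
  git -C "$repo" config user.email reviewer@example.invalid
  git -C "$repo" config user.signingkey "$fpr"
  git -C "$repo" config commit.gpgsign true   # sign every commit by default

  # A change signed by the developer's key ...
  echo 'return encrypt(pkt);' > "$repo/ipsec.c"
  git -C "$repo" add ipsec.c
  git -C "$repo" commit -q -m 'ipsec: encrypt outgoing packets' >/dev/null 2>&1

  # ... and a change slipped in with signing disabled, which is all someone
  # without a trusted developer's key can produce.
  echo 'return send_plain(pkt);' > "$repo/ipsec.c"
  git -C "$repo" add ipsec.c
  git -C "$repo" -c commit.gpgsign=false commit -q -m 'ipsec: small cleanup' >/dev/null 2>&1

  # Audit the history. %G? is G (good), U (good but untrusted key),
  # N (no signature), B (bad), E (cannot be checked), X/Y/R (expired/revoked).
  bad=0
  for line in $(git -C "$repo" log --format='%h:%G?'); do
    status=${line#*:}
    case "$status" in
      G|U) ;;                  # signature verified
      *) bad=$((bad + 1)) ;;   # unsigned or unverifiable: flag it
    esac
  done

  gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$work"
  echo "$bad"
}

# Usage: count_unverified_commits   (the unsigned "cleanup" commit is flagged)
```

Signing only helps if reviewers actually run the check: a `%G?` of `N` or `E` on a commit touching something like an IPsec stack is exactly the change that deserves a second look, and `git verify-commit <hash>` gives the full gpg output for a single commit.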

RE: Comment by porcel
by Lennie on Wed 15th Dec 2010 01:17 in reply to "Comment by porcel"
Lennie Member since:
2007-09-22

I would not state that, I think the OpenBSD hackers are a lot more likely to find these kinds of things than any other open source project.

They really do take these things seriously. They look at correctness first (in the broadest sense of the word), most others are focused first on features.

Have you seen their code ?

Reply Parent Score: 5

RE: Comment by porcel
by Delgarde on Wed 15th Dec 2010 04:29 in reply to "Comment by porcel"
Delgarde Member since:
2008-08-19

The level of real code review within OpenBSD can never match that of bigger and better supported projects, which is why this went undetected for as long as it did.

Could be. Or it could be it went undetected because there's nothing there to detect - remember, it's still an unsubstantiated claim at this stage.

Reply Parent Score: 6

RE: Comment by porcel
by Soulbender on Sat 18th Dec 2010 22:27 in reply to "Comment by porcel"
Soulbender Member since:
2005-08-18

The level of real code review within OpenBSD can never match that of bigger and better supported projects, which is why this went undetected for as long as it did.

Or maybe it's just not true but just some lame attempt at attention.

Reply Parent Score: 2