Linked by Thom Holwerda on Tue 14th Dec 2010 23:55 UTC, submitted by Oliver
Okay, this is potentially very big news that really needs all the exposure it can get. OpenBSD's Theo de Raadt has received an email in which it was revealed to him that ten years ago, the FBI paid several open source developers to implement hidden backdoors in OpenBSD's IPSEC stack. De Raadt decided to publish the email for all to see, so that the code in question can be reviewed. Insane stuff.
Thread beginning with comment 453624
So much for the mythical "one thousand eyes"
by MollyC on Wed 15th Dec 2010 04:17 UTC
MollyC
Member since:
2006-07-04

("makes all bugs shallow"), if a few paid-off OSS devs can put backdoors into an OSS OS and they're there for years with nobody noticing.

Reply Score: 3

TheGZeus Member since:
2010-05-19

Well, it actually seems to hold true.
This isn't a bug, it's a _well-designed door_, not just your average hole that results from a bug.
It was probably carefully correct code, but what said code was doing was... evil.

Even then, generally when a closed project is opened, a _huge_ number of bugs are discovered and fixed.

Even though it will never be none, less is still less.

There are more security bugs reported for Linux than Windows/OS X, but they're generally minor, and are generally fixed more quickly.

Reply Parent Score: 3

google_ninja Member since:
2006-02-05

A bug is when someone makes a mistake in code. A "well-designed door" is a full feature. If you can't catch the get_pwnd_by_fbi() function, then you sure as hell aren't going to catch a bug.

Reply Parent Score: 1

lucas_maximus Member since:
2009-08-18

Well, it actually seems to hold true.
This isn't a bug, it's a _well-designed door_, not just your average hole that results from a bug.
It was probably carefully correct code, but what said code was doing was... evil.
A software defect (bug) is surely any behaviour the software does that is not in the specification. So a backdoor is a bug.

Edited 2010-12-17 13:32 UTC

Reply Parent Score: 1

AdamW Member since:
2005-07-06

Key word: 'if'. None of this is actually proven. It's an allegation.

Reply Parent Score: 2

Valhalla Member since:
2006-01-24

("makes all bugs shallow"), if a few paid-off OSS devs can put backdoors into an OSS OS and they're there for years with nobody noticing.

Well, with open source you CAN audit, if you don't then obviously it's no safer than closed source. With closed source you don't have that option at all.

Reply Parent Score: 4

google_ninja Member since:
2006-02-05

To argue the other side: with closed source, a company has a financial incentive to audit its code, since it can be sued if something goes wrong. In open source, nobody has that incentive.

Reply Parent Score: 3

dylansmrjones Member since:
2005-10-02

Nothing mythical about that. It's been proven repeatedly - in software projects as in many other projects. The strength of openness has proved itself repeatedly. Of course, you of all could not be expected to react less emotionally than you do right now. Given your professional background you had to jump on this one.

Anyway, all bugs are shallow, but when the eyes looking are working for companies creating proprietary solutions, and these companies turn out to be FBI-controlled, the "bugs" will not be found but rather introduced. It only goes to prove that one should embrace the openness even further and be less happy about capitalist meddling with open source.
EDIT: Actually this case proves the point of "many eyeballs making bugs shallow". We will never hear anything detailed about the backdoors we know are in Windows. OTOH they were there 10 years ago when we (in Europe) talked a lot about the backdoors introduced by USA and they are here today. Guaranteed.

Edited 2010-12-15 19:30 UTC

Reply Parent Score: 2