Linked by Thom Holwerda on Tue 14th Dec 2010 23:55 UTC, submitted by Oliver
Okay, this is potentially very big news that really needs all the exposure it can get. OpenBSD's Theo de Raadt has received an email in which it was revealed to him that ten years ago, the FBI paid several open source developers to implement hidden backdoors in OpenBSD's IPSEC stack. De Raadt decided to publish the email for all to see, so that the code in question can be reviewed. Insane stuff.
Thread beginning with comment 453769
google_ninja Member since:
2006-02-05

7 years, but only high level application languages (ruby/perl/lisp/a bit of smalltalk/c#/java), never done systems stuff.

I can sort of muddle through C++ (never really had interest or job opportunities), but something like "if(x > rx * 3 && x <= (rx + rwidth) * 3 && y > ry && y < ry + rheight)" I wouldn't consider to be that great in any language, and a prime candidate for refactoring. You may not catch it in a security audit, but you will if you are trying to maintain quality in your code base.

In any case, I will concede that a deliberate obfuscation like what you linked to is of equal difficulty to find than a bug in similarly gnarly code. What I don't buy is that it is significantly harder to find, which was the implication of the person I was responding to.

Wrt the whole incompetence remark, we're talking about skimming an article and banging something out while drinking my coffee getting ready to start the day. I probably would have said the same thing as the previous paragraph in a great deal less of a condescending way if I had fully read the article and thought through what it probably was referring to. I would call that "introducing a vulnerability", a back door to me sounds more like I am expecting something in a specific format, but if I get it in another format just return true. That sort of misunderstanding would definitely be incompetence if I were in the security industry, but that is very very far from what I do.

Reply Parent Score: 2

TheGZeus Member since:
2010-05-19

Time does not equal competence.

Also, I don't believe you.

Reply Parent Score: 2

Valhalla Member since:
2006-01-24

In any case, I will concede that a deliberate obfuscation like what you linked to is of equal difficulty to find than a bug in similarly gnarly code. What I don't buy is that it is significantly harder to find, which was the implication of the person I was responding to.

I disagree, a bug is not intentionally hard to find although it certainly still can be extremely hard to find. A back door on the other hand is intentionally and specifically crafted so that it is hard to find, it can come in many guises but obviously it will create a vulnerability which can be exploited, but unlike 'innocent' bugs this has been hidden to the best of the programmer's ability.

And if you know the code in question very well, and it is sufficiently advanced (crypto certainly fits that bill) then it's kind of obvious that except in extreme cases, a deliberately hidden vulnerability will be harder to find than a non-deliberately hidden bug causing a vulnerability, since the programmer would know how to make it as hard as possible to discover.

I would call that "introducing a vulnerability", a back door to me sounds more like I am expecting something in a specific format, but if I get it in another format just return true. That sort of misunderstanding would definitely be incompetence if I were in the security industry, but that is very very far from what I do.

Heh, well that explains a bit of your comment. Sadly backdoors are a far wider concept than a login/pass and a 'Greetings professor Falken, how about a game of chess?'.

I'd wager that historically the most common 'backdoors' would be buffer overflows resulting in execution of malicious code.

Reply Parent Score: 2

TheGZeus Member since:
2010-05-19

Yes.
Obvious.

Obvious even to someone with _nothing but theory and application scripting_ experience.

Yes, I have a 433-line init.el (and a few other custom *.el files), 182-line .stumpwmrc, and 208-line .conkerorrc, but I'm no hacker.

This guy's just a... 'hack', to use stage vernacular.

Reply Parent Score: 2