Announcement

Collapse
No announcement yet.

The FBI Paid OpenBSD Developers For Backdoors?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • #46
    Originally posted by deanjo View Post
    Well there goes another opensource myth. So much for "more eyes lead to more secure code" argument.
    Ahh so if something open source has been compromised then it somehow PROVES that it's not more secure than closed source? How
    did you reach that generalised conclusion (apart from either being stupid or just trolling) ?

    With open source you CAN audit, with closed source you CAN'T audit and thus you are totally at the mercy of your provider when it comes to security.

    Comment


    • #47
      Originally posted by yogi_berra View Post
      No, no, it's sex by surprise.
      Hmm they could also plant child porn on his comp using another persons backdoor code
      Those who would give up Essential Liberty to purchase a little Temporary Safety,deserve neither Liberty nor Safety.
      Ben Franklin 1755

      Comment


      • #48
        Originally posted by deanjo View Post
        Well there goes another opensource myth. So much for "more eyes lead to more secure code" argument.
        The funny part is that no-one has actually demonstrated any proof of an actual back door. There's just an email saying 'someone paid someone to put a back door in the code', and suddenly everyone is running around shouting 'OH MY GOD! BSD SUCKS! OPEN SOURCE SUCKS!'

        And there's precisely zero actual evidence so far of an real, actual back door in the code.

        Wake me up when there's something more than a random email from a random person making random claims.

        OH MY GOD! I FORGOT! I worked on a contract for Microsoft a decade ago and somoene told me that their brother's aunt's first cousin's boyfriend was paid by Richard Nixon to put a backdoor in Windows!

        Would anyone take that at all seriously even though Microsoft source is closed and no-one outside the company can even check to see whether such a back door exists? Yet people are ranting about the horrible security of an operating system where anyone who cares can trivially check the real, actual source code.

        Comment


        • #49
          One can only hope the following is true.

          "OpenBSD/FBI allegations denied by named participants"
          http://www.itworld.com/open-source/1...ed-participant

          Comment


          • #50
            Originally posted by BlackStar View Post
            The main issue is that the open-source model is based on trust (or the illusion of trust).
            Open-source is based on "public eyes" model.
            Closed source is based on trust(how that chip "secure" was called again?).
            Trust is a weakness.

            Still, the situation is not so bad as in Syndicate Wars...

            I guess *BSD has once more confirmed they are useless.

            Comment


            • #51
              Originally posted by movieman View Post
              OH MY GOD! I FORGOT! I worked on a contract for Microsoft a decade ago and somoene told me that their brother's aunt's first cousin's boyfriend was paid by Richard Nixon to put a backdoor in Windows!

              Would anyone take that at all seriously even though Microsoft source is closed and no-one outside the company can even check to see whether such a back door exists? Yet people are ranting about the horrible security of an operating system where anyone who cares can trivially check the real, actual source code.
              You'd be surprised what people will take seriously. Some people actually bought the brooklyn bridge: http://www.nytimes.com/2005/11/27/ny...brid.html?_r=1

              Some people believe the September 11, 2001 Al Qaeda attacks were perpetrated by the U.S. Government: http://en.wikipedia.org/wiki/9/11_conspiracy_theories

              Some people believe the moon landings were faked: http://en.wikipedia.org/wiki/Moon_la...iracy_theories

              Some people actually believe that their email has won that lottery or that the counterfeit check cashing/money laundering scheme is legitimate.

              btw - http://scienceblogs.com/goodmath/200..._ritchie_a.php

              "Many eyes" is just a marketing line, it is not a security tool.

              Comment


              • #52
                Originally posted by crazycheese View Post
                Open-source is based on "public eyes" model.
                Yeah. And that's called trust.

                Closed source is based on trust(how that chip "secure" was called again?).
                No, closed-source is based on liability:
                - If a closed-source company releases code that steals user data, the user will sue that company.
                - If an unknown open-source developer contributes a patch that's found to be broken 2 years later (Debian anyone?), how exactly will you track him down? (You've never seen him, you have no name, no street address, no phone number, no nothing but an IP address - if that).

                Trust is a weakness.
                Absolutely.

                Comment


                • #53
                  Originally posted by BlackStar View Post
                  The only difference is that you (the evil attacker) cannot submit a patch directly to Microsoft unless you work there already.
                  That's a different thing BlackStar. But anyway you understand what I mean, coz in later posts we agree with that...

                  Comment


                  • #54
                    Originally posted by deanjo View Post
                    Well there goes another opensource myth. So much for "more eyes lead to more secure code" argument.
                    It goes nowhere. If with so many eyes you have so many problems, imagine what holes in purpose dance under closed source projects.
                    This incident proves that we must only accept opensource models BUT without stopping check them again and again.

                    Comment


                    • #55
                      Originally posted by XorEaxEax View Post
                      Ahh so if something open source has been compromised then it somehow PROVES that it's not more secure than closed source? How
                      did you reach that generalised conclusion (apart from either being stupid or just trolling) ?

                      With open source you CAN audit, with closed source you CAN'T audit and thus you are totally at the mercy of your provider when it comes to security.
                      +1
                      And if you think that I prefer the Linux forums because I thought that the obvious things wouldn't need to be repeated again and again.

                      Comment


                      • #56
                        Originally posted by BlackStar View Post
                        No, closed-source is based on liability:
                        - If a closed-source company releases code that steals user data, the user will sue that company.
                        When was the last time a user successfully sued a closed source software company over a security hole?

                        Have you ever actually read a EULA? Hint: every one I've ever read denies any responsiblity for absolutely any harm their softwre might cause up to and including making the entire universe explode.

                        If users could sue software companies for security holes, Microsoft would have been out of business years ago.

                        Comment


                        • #57
                          Originally posted by pingufunkybeat View Post
                          Just for the record, nobody has even shown that there is a backdoor in the OpenBSD code today, even if there was one successfully planted 10 years ago.
                          This is probably the most significant point anyone has brought up so far.

                          Show us the code where the hole actually exists.

                          Comment


                          • #58
                            Here's(are) the thing(s):
                            1) Just don't do anything stupid on the internet;
                            2) The people creating the backdoors are not making your PC part of a massive botnet (they only create holes in case of person x does y); remember that only the people who know the holes can exploit them, so public holes are always closed;
                            3) Don't upset the government by means of an internet connected PC.

                            Everything is crackable; the rest of planet earth already knew that ages ago...

                            Comment


                            • #59
                              Originally posted by BlackStar View Post
                              No, closed-source is based on liability:
                              - If a closed-source company releases code that steals user data, the user will sue that company.
                              Really, and how would anyone prove that this was malicious behaviour and not a bug? There would be no obvious 'theft' of data, only the security of that data would be compromised. This would easily be explained as a 'bug'.

                              Ever seen a company be held accountable for a bug that compromised their clients data? How many exploits have Windows had which compromised their customers data? Have they been sued for this?

                              Comment


                              • #60
                                Originally posted by BlackStar View Post
                                Yeah. And that's called trust.
                                No this is called "many eyes, full access" principle.
                                This is called "control".

                                Originally posted by BlackStar View Post
                                No, closed-source is based on liability:
                                - If a closed-source company releases code that steals user data, the user will sue that company.
                                - If an unknown open-source developer contributes a patch that's found to be broken 2 years later (Debian anyone?), how exactly will you track him down? (You've never seen him, you have no name, no street address, no phone number, no nothing but an IP address - if that).
                                Again, I disagree. This IS called (blind) trust. A trust is something that you HAVE to do, because you have NO choice. In foss you HAVE the choice.

                                If the company releases binary code that steals user data, they put it into EULA and make it legal under various reasons. Datamining. This is the least possible danger and nearly every company does it.

                                If it was not made official (tiny little text in 300 page EULA is enough for official statement) it is nearly possible to detect the behavior by any AV. Heuristics are 50% not detecting, 50% false positives. Malware/vuln. writers have been using sites like virustotal and OWN commercial solutions to make sure their stuff is undetected for ages.

                                In slight case the binary is suspicious and is submittled to AV, they may produce a signature after heavy manual disasm. For only one version - viruses have been mutating for ages incl via mutation engines.

                                The situation is heavily worsened by DRM. In fact DRM and viruses have very low in difference. A lot of official binary code is obfuscated and protected using similar cryptography as viruses do.

                                If the official binary DOES intend to produce virus-like behavior the most thing that user can do is to suspect and trust his AV or his disasm/watch tools if he has enough skills. Then, there is sweet option of white listing and money agreement. You know, google does not do anything bad, because gods are holy(see blood, dos).

                                For example, Federal Reserve Bank is private company and government depend on it. Who are you going to sue? Government, what government? David vs Goliath?

                                Given best situation, where user has skills and tools to reveal the data stealing, he is going against a company anyway. He will always loose. There is huge array of tools to hinder him, money being most primitive.

                                Lets take nvidia binary driver for linux vs amd opensource driver for example.
                                Do you trust it? I can hire an expert to trace all amd opensource source code for suspicious things. I do not have to ask amd. I can publish the result and it can be evaluated by anyone as a fact.

                                On nvidia I cannot hire anyone but extremely qualified person. I have no access to source, so the only method is via footprints and binary disasm. Additionally, he will need to use the tools - but if they are too closed source, who gonna check the checker?? Even if he finds something after 10 years, the result will be so spread around and so hard to present in human form thanks to obfuscation, and it will be so late in time that I have zero chance to proof. Then I end up with me and huge company against and very technical and huge in size(but vague, inconsistent) proof base.

                                "Oh, that periodic interrupt call? No that was not used for reading the keyboard strokes, it was used to synchronize part of GPU logic to USB speed to prevent choking of keypresses in game."

                                And yes, every release binary driver binary end-result is mutated(I assume). So, additionally my proof is only based on only one specific driver version and cannot be traced in time. And what happens if nvidia does not have that exact code anymore? I have talked to Tom Hall(yes, THAT Tom) about code for Commander Keen for porting reasons. He mentioned its gone. How exactly are you going to sue someone which code is not available anymore?

                                Compare that to proof if I would have open source, human-readable code. And add chance of detection by other programmers, not only machines.

                                Security by obscurity does not work.
                                Security by trust(proprietary) does not work.
                                Security by theories does not work.
                                Best security is in absolutely transparent society without limits. In glass world, where everyones mind can be read by another without slightest possibility to cover it by ANYone.

                                Today we have zillion of malware for win32/64 and only periodical "flashes" of vulnerabilities for linux which get dynamically patched - which improving in essence is.


                                Originally posted by BlackStar View Post
                                - If an unknown open-source developer contributes a patch that's found to be broken 2 years later (Debian anyone?), how exactly will you track him down? (You've never seen him, you have no name, no street address, no phone number, no nothing but an IP address - if that).
                                First, I don't see microsoft firing anyone for writing software with vulnerabilities. Take opentype vulnerability on ms for example - nearly 10 years. And tracking him down is also nearly impossible unless they keep 10 year old comments and unmodified code revisions.

                                Second, tracking down is unimportant. We are talking about writing software, not doing bank robbery. The only thing that plays a role is how secure and verifiable the code is and stays.

                                And the last thing is that proprietary code is NOT your code.
                                You may take it as it is, or leave it.
                                You dont buy it, you license the right to use it under specific conditions.
                                There is no guarantees, no source, no promises.
                                "But we do gladly accept money."

                                Comment

                                Working...
                                X