The FBI Paid OpenBSD Developers For Backdoors?


  • BlackStar replied
    Originally posted by Apopas:
    Every model is based on trust. The same thing can become/be in proprietary/closed code as well, though then you have no hope to ever learn it.
    No, not really.

    though then you have no hope to ever learn it
    This means you can't trust it, period.


  • BlackStar replied
    Edit: someone should really file for a patent on backdoors. Steps:

    1. file for a nice, vague patent, e.g. "a secure software system or module for enabling and managing system communication" (sounds good, doesn't it?)
    2. set up a troll company
    3. sue FBI, CIA, M5, Microsoft, Crypto AG and everyone else you can think of
    4. deny rape allegations
    5. profit!


  • Apopas replied
    Originally posted by BlackStar:
    The main issue is that the open-source model is based on trust (or the illusion of trust). Take that away and it doesn't work nearly as well.
    Every model is based on trust. The same thing can become/be in proprietary/closed code as well, though then you have no hope to ever learn it.


  • BlackStar replied
    Originally posted by curaga:
    If we can't trust OpenBSD to be secure...

    Also, anyone know how this affects Linux? Is the same code used somewhere?
    This affects all open-source projects by implication, even if they do not use the same source code. The main issue is that the open-source model is based on trust (or the illusion of trust). Take that away and it doesn't work nearly as well.

    The Linux kernel weighs in at 13,500,000 lines of code developed by hundreds (if not thousands) of individuals, so even with peer-reviewed patches and dedicated committers, attackers have a good chance of hiding compromising code somewhere in there. (It doesn't help that C is insecure and unverifiable by default, either.)

    I'm not sure what can be done about this. It might be interesting to have a few high-profile contributors inject "evil" code to test the peer-review system and then use the results to tighten security - but this also involves a loss of trust in the process.


  • curaga replied
    If we can't trust OpenBSD to be secure...

    Also, anyone know how this affects Linux? Is the same code used somewhere?


  • Nevertime replied
    Originally posted by jakubo:
    wtf! When will US actions have any consequences? When will countries and people start to protest (successfully) against the so-called protectors of US democracy...
    Sorry... maybe I just watched "Enemy of the State" yesterday. But still, there are plans to murder Julian Assange but a Nobel prize for his Chinese counterpart. Funny, isn't it?
    I assumed the prize was given to the Chinese guy due to the relevance of the current issues with WikiLeaks and Assange. Perhaps a more pragmatic move than giving it to Assange directly. At the very least the organizers wanted to make a display of their high regard for people standing up for press freedom.


  • yotambien replied
    Bad news. We'll see what comes out of it.

    http://pohl.ececs.uc.edu/opendoku/doku.php?id=start


  • mat69 replied
    Originally posted by yoshi314:
    Well, so much for OpenBSD's security claims.

    But seriously, they agreed to cripple their own software? And nobody caught that?

    This might cause quite a stir. I'd expect that now many more people will point their eyes towards similar open crypto solutions, looking for backdoors.
    Certainly not enough though.
    There is a reason for libraries: they make life a lot easier.

    But who in their right mind has looked at GnuPG more closely, or at any of the libs it uses? It would take ages and you would have coded nothing in between.

    There are millions of lines of security-related code for which you often have to dig through hundreds of pages of RFCs, ISO specs etc. to know what _should_ be implemented, and then you have to understand the code, for which you often have to understand the "bowels" of the operating systems the code should work on.

    What I wonder is for how much (or rather "little") money these people were bought.


  • yoshi314 replied
    That might also mean that many open security projects will drastically lower their level of trust towards their own developers.

    This already smells bad.


  • mat69 replied
    Bah, 1 minute sucks ass.
    The Red Hat remark has in fact nothing to do with this article, just to avoid misunderstandings.
