The FBI Paid OpenBSD Developers For Backdoors?

  • mat69
    replied
    Originally posted by deanjo View Post
    Well there goes another opensource myth. So much for "more eyes lead to more secure code" argument.
    That is not a myth per se.
    Actually it is true.
    If more (knowledgeable) people look at your code it will turn out more secure, at least if not all of them have bad intentions.

    Now the only problem is to get more eyes.



  • drelyn86
    replied
    I wonder how much of this happens in closed-source development...



  • pingufunkybeat
    replied
    Just for the record, nobody has even shown that there is a backdoor in the OpenBSD code today, even if there was one successfully planted 10 years ago.



  • deanjo
    replied
    Originally posted by pingufunkybeat View Post
    Really? Have you shown that closed source software is more secure / has zero backdoors?

    One backdoor which went unnoticed only shows that more eyes do not lead to perfect code without any backdoors. It doesn't show that open code has as many backdoors as closed code.
    You're missing the point. Far too many people have this illusion that open-source code, because it is freely viewable, is secure. What is really disturbing is that OpenBSD has this backdoor and FreeBSD doesn't, and a simple diff would have shown the code.



  • pingufunkybeat
    replied
    Originally posted by deanjo View Post
    Well there goes another opensource myth. So much for "more eyes lead to more secure code" argument.
    Really? Have you shown that closed source software is more secure / has zero backdoors?

    One backdoor which went unnoticed only shows that more eyes do not lead to perfect code without any backdoors. It doesn't show that open code has as many backdoors as closed code.



  • oibaf
    replied
    Originally posted by Smorg View Post
    How has this been in there for a decade without anyone noticing? Where's the code they're talking about? Was this only in some proprietary fork of BSD? This whole story sounds unlikely.
    Also, the Debian SSL vulnerable keys went unnoticed for 2 years: http://wiki.debian.org/SSLkeys

    Originally posted by deanjo View Post
    Well there goes another opensource myth. So much for "more eyes lead to more secure code" argument.
    It still applies. With OpenBSD we can audit its code and prove or discard this claim. When such claims were made about Windows, no one could verify whether they were true or not.



  • sreyan
    replied
    Originally posted by cl333r View Post
    You do know that Microsoft can (and will) give them the stripped version of code without the security back-doors, don't you?
    This is certainly true.

    Most firms, however, will audit the code provided by Microsoft and also audit a decompiled version using the Hex-Rays Decompiler or some other in-house tool. No serious audit can be done without looking at disassembled machine code. Hex-Rays does produce almost readable pseudo-C code. Obviously, for bytecode languages like .NET or Java, the decompiled output can be much more readable.



  • deanjo
    replied
    Well there goes another opensource myth. So much for "more eyes lead to more secure code" argument.



  • Wyatt
    replied
    Originally posted by linux5850 View Post
    "Linux 2.6.31 perf_counter x86/x64 Local Root Exploit with SELinux user_u defeat and disabling"
    http://www.youtube.com/watch?v=KvREwhfQmbc

    and here is the guy's YouTube channel. Phoronix should interview him.

    http://www.youtube.com/user/spendergrsec
    Brad is pretty well known for digging at/digging holes in SELinux at this point. It's amusing, despite the security implications.



  • XorEaxEax
    replied
    Originally posted by BlackStar View Post
    You do know that Microsoft customers can request access to the Windows source code for security audits, don't you? This is kind of a necessity, given that Windows is occasionally used in security-critical places.
    What point is there in auditing parts of the Windows source code when you still get a binary shipped which could have been compiled from an 'edited' source code?

    As for the BSD stuff, it seems that the letter was legit:

    http://blogs.csoonline.com/1296/an_f...oor_in_openbsd

    but of course that doesn't necessarily mean that Gregory Perry is telling the truth. Time will tell.
