Thread: The FBI Paid OpenBSD Developers For Backdoors?

  1. #21
    Join Date
    Feb 2008
    Location
    Linuxland
    Posts
    5,108

    If we can't trust OpenBSD to be secure...

    Also, anyone know how this affects Linux? Is the same code used somewhere?

  2. #22
    Join Date
    Oct 2007
    Location
    Under the bridge
    Posts
    2,144

    Quote Originally Posted by curaga:
    If we can't trust OpenBSD to be secure...

    Also, anyone know how this affects Linux? Is the same code used somewhere?
    This affects all open-source projects by implication, even if they do not use the same source code. The main issue is that the open-source model is based on trust (or the illusion of trust). Take that away and it doesn't work nearly as well.

    The Linux kernel weighs in at 13,500,000 lines of code developed by hundreds (if not thousands) of individuals, so even with peer-reviewed patches and dedicated committers, attackers have a good chance of hiding compromising code somewhere in there. (It doesn't help that C is insecure and unverifiable by default, either.)

    I'm not sure what can be done about this. It might be interesting to have a few high-profile contributors inject "evil" code to test the peer-review system and then use the results to tighten security - but this also involves a loss of trust in the process.

  3. #23
    Join Date
    Mar 2009
    Location
    Hellas
    Posts
    1,056

    Quote Originally Posted by BlackStar:
    The main issue is that the open-source model is based on trust (or the illusion of trust). Take that away and it doesn't work nearly as well.
    Every model is based on trust. The same thing can become/be in proprietary/closed code as well, though then you have no hope to ever learn it.

  4. #24
    Join Date
    Oct 2007
    Location
    Under the bridge
    Posts
    2,144

    Edit: someone should really file for a patent on backdoors. Steps:

    1. file for a nice, vague patent, e.g. "a secure software system or module for enabling and managing system communication" (sounds good, doesn't it?)
    2. set up a troll company
    3. sue FBI, CIA, M5, Microsoft, Crypto AG and everyone else you can think of
    4. deny rape allegations
    5. profit!

  5. #25
    Join Date
    Oct 2007
    Location
    Under the bridge
    Posts
    2,144

    Quote Originally Posted by Apopas:
    Every model is based on trust. The same thing can become/be in proprietary/closed code as well, though then you have no hope to ever learn it.
    No, not really.

    though then you have no hope to ever learn it
    This means you can't trust it, period.

  6. #26
    Join Date
    Sep 2009
    Posts
    33

    Wow the kind of story that matters. Thanks for reporting this.

  7. #27
    Join Date
    Feb 2008
    Location
    Linuxland
    Posts
    5,108

    It's been said that OpenSwan and FreeSwan do not contain this code.

    @Blackstar:

    Sex by surprise charges, not rape

  8. #28
    Join Date
    Mar 2009
    Location
    Hellas
    Posts
    1,056

    Quote Originally Posted by BlackStar:
    No, not really.
    Why not? Who can stop me from adding backdoors in my proprietary code?

    This means you can't trust it, period.
    Exactly. That's what we get from that. If such things happen in open code, we cannot, never ever, trust code we can't see. That's why it is the most stupid thing ever that the Greek army (and a lot of others) uses Windows as its main platform.

  9. #29
    Join Date
    Oct 2007
    Location
    Under the bridge
    Posts
    2,144

    Quote Originally Posted by Apopas:
    Why not? Who can stop me from adding backdoors in my proprietary code?
    The only difference is that you (the evil attacker) cannot submit a patch directly to Microsoft unless you work there already.

    The fact is that users with high security requirements cannot reasonably trust either open-source or closed-source code without a security audit. This is generally simpler to perform on open-source software and you benefit from the fact that multiple eyes have looked at the source code before (security through transparency, all crypto is based on this).

    Exactly. That's what we get from that. If such things happen in open code, we cannot, never ever, trust code we can't see. That's why it is the most stupid thing ever that the Greek army (and a lot of others) uses Windows as its main platform.
    I'd say that the OS is the least of the problems with this army but yeah, building all government infrastructure on closed-source code controlled by another country is probably not the brightest idea.

  10. #30
    Join Date
    Aug 2010
    Posts
    59

    One thing everyone should do is learn how useless SELinux is.

    Here is one video:

    "Linux 2.6.31 perf_counter x86/x64 Local Root Exploit with SELinux user_u defeat and disabling"
    http://www.youtube.com/watch?v=KvREwhfQmbc

    and here is the guy's YouTube channel. Phoronix should interview him.

    http://www.youtube.com/user/spendergrsec
