
Thread: The FBI Paid OpenBSD Developers For Backdoors?

  1. #31 (Join Date: Nov 2007, Posts: 317)

    Wasn't someone paid to not disclose a Samba bug quite a while ago?

  2. #32 (Join Date: Oct 2009, Posts: 353)

    Also remember that Google is working with the CIA (more likely with other organizations too), Microsoft with the NSA (likely with other orgs too), and OpenBSD is and has been compromised for a decade too. All of this is virtually impossible to fix because it's either closed source or those who injected bad code certainly made sure it's not easily discoverable, and IMHO Linux is compromised too because it accounts for like 50% of all servers, and common sense implies that the USA government couldn't possibly leave Linux alone since it's the 500-pound gorilla in the server market.
    In short, de facto, no matter how bad it sounds, the current state of security is a joke, and btw I'm sure Window$ has even more (much more!) CIA/NSA/FBI back-door spying crap.

  3. #33 (Join Date: Oct 2009, Posts: 353)

    Since in Windows the code doesn't have to hide (since Window$ is closed source), such code might even have a dedicated API, i.e. the "Windows Spying API", just kidding..

  4. #34 (Join Date: Oct 2007, Location: Under the bridge, Posts: 2,149)

    Quote Originally Posted by cl333r View Post
    Since in Windows the code doesn't have to hide (since Window$ is closed source), such code might even have a dedicated API, i.e. the "Windows Spying API", just kidding..
    You do know that Microsoft customers can request access to the Windows source code for security audits, don't you? This is kind of a necessity, given that Windows is occasionally used in security-critical places.

    Not saying that deliberate backdoors aren't there, but they are probably well hidden in non-apparent places (like the header and random padding of encrypted packets). This kind of stuff is almost impossible to detect without foreknowledge.

  5. #35 (Join Date: Oct 2009, Posts: 353)

    You do know that Microsoft can (and will) give them a stripped version of the code without the security back-doors, don't you?

  6. #36 (Join Date: Oct 2009, Posts: 845)

    Quote Originally Posted by BlackStar View Post
    You do know that Microsoft customers can request access to the Windows source code for security audits, don't you? This is kind of a necessity, given that Windows is occasionally used in security-critical places.
    What point is there in auditing parts of the Windows source code when you still get shipped a binary which could have been compiled from 'edited' source code?

    As for the BSD stuff, it seems that the letter was legit:

    http://blogs.csoonline.com/1296/an_f...oor_in_openbsd

    but of course that doesn't necessarily mean that Gregory Perry is telling the truth. Time will tell.

  7. #37 (Join Date: Jan 2009, Location: Columbus, OH, USA, Posts: 323)

    Quote Originally Posted by linux5850 View Post
    "Linux 2.6.31 perf_counter x86/x64 Local Root Exploit with SELinux user_u defeat and disabling"
    http://www.youtube.com/watch?v=KvREwhfQmbc

    and here is the guy's YouTube channel. Phoronix should interview him.

    http://www.youtube.com/user/spendergrsec
    Brad is pretty well known for digging at/digging holes in SELinux at this point. It's amusing, despite the security implications.

  8. #38 (Join Date: May 2007, Location: Third Rock from the Sun, Posts: 6,587)

    Well, there goes another open-source myth. So much for the "more eyes lead to more secure code" argument.

  9. #39 (Join Date: Apr 2007, Posts: 121)

    Quote Originally Posted by cl333r View Post
    You do know that Microsoft can (and will) give them a stripped version of the code without the security back-doors, don't you?
    This is certainly true.

    Most firms, however, will audit the code provided by Microsoft and also audit a decompiled version using the Hex-Rays Decompiler or some other in-house tool. No serious audit can be done without looking at the disassembled machine code. Hex-Rays does produce almost readable pseudo-C code. Obviously, for bytecode languages like .NET or Java, decompiled output can be much more readable.

  10. #40

    Quote Originally Posted by Smorg View Post
    How has this been in there for a decade without anyone noticing? Where's the code they're talking about? Was this only in some proprietary fork of BSD? This whole story sounds unlikely.
    Also Debian SSL vulnerable keys went unnoticed for 2 years: http://wiki.debian.org/SSLkeys

    Quote Originally Posted by deanjo View Post
    Well, there goes another open-source myth. So much for the "more eyes lead to more secure code" argument.
    It still applies. With OpenBSD we can audit its code and prove/discard this claim. When such claims were made about Windows, no one could verify whether they were true or not.
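
The Debian SSL key incident referenced in the post above (http://wiki.debian.org/SSLkeys) is worth a concrete illustration: the patched OpenSSL PRNG was effectively seeded only by the process ID, so every key a given architecture could generate came from a space of at most 32768 seeds, and the whole space could be precomputed into a blacklist (which is what the openssl-blacklist package did). The following is an added, constructed model of that failure mode, not Debian's or OpenSSL's code: `weak_keygen` stands in for a key generator whose only entropy is the PID, `build_blacklist` enumerates every key it can ever emit, and `recover_pid` shows that an attacker can do the same enumeration offline to match a captured public key to its seed. The HMAC "key derivation" and the constant `PID_MAX` are illustrative assumptions.

```python
"""Constructed model of an entropy-collapsed key generator (added example).

Real RSA/DSA keygen is replaced by an HMAC over the seed so the example runs
instantly; the point is the size of the seed space, not the key algorithm.
"""
import hashlib
import hmac
import math
import os

# Assumption for the model: default Linux pid_max of the era. The PID was the
# only input the broken PRNG still mixed in, so this is the entire key space.
PID_MAX = 32768


def weak_keygen(pid: int) -> bytes:
    """Stand-in for a keygen whose PRNG is seeded by nothing but the PID.

    Deterministic on purpose: the same PID always yields the same 'key'.
    """
    seed = pid.to_bytes(4, "big")
    return hmac.new(b"constructed-prng-state", seed, hashlib.sha256).digest()


def strong_keygen() -> bytes:
    """Stand-in for a keygen that actually consumes OS entropy."""
    return os.urandom(32)


def seed_space_bits(pid_max: int = PID_MAX) -> float:
    """Effective entropy of the weak generator in bits (log2 of seed count)."""
    return math.log2(pid_max - 1)


def build_blacklist(keygen=weak_keygen, pid_max: int = PID_MAX) -> dict:
    """Precompute every key the weak generator can produce.

    This mirrors what openssl-blacklist shipped: a list of all reachable key
    fingerprints so deployed keys could be checked against it.
    """
    return {keygen(pid): pid for pid in range(1, pid_max)}


def is_blacklisted(key: bytes, blacklist: dict) -> bool:
    """Check a key the way openssl-vulnkey checked a fingerprint."""
    return key in blacklist


def recover_pid(target_key: bytes, keygen=weak_keygen, pid_max: int = PID_MAX):
    """Attacker's view: brute-force the seed from a captured public key.

    Returns the PID that reproduces the key, or None if the key is not in
    the weak generator's reachable set.
    """
    for pid in range(1, pid_max):
        if hmac.compare_digest(keygen(pid), target_key):
            return pid
    return None


if __name__ == "__main__":
    blacklist = build_blacklist()
    victim_key = weak_keygen(4321)  # a "server" that happened to run as PID 4321
    print(f"effective entropy: {seed_space_bits():.1f} bits")
    print(f"reachable keys: {len(blacklist)}")
    print(f"victim key blacklisted: {is_blacklisted(victim_key, blacklist)}")
    print(f"recovered seed: {recover_pid(victim_key)}")
    print(f"fresh key blacklisted: {is_blacklisted(strong_keygen(), blacklist)}")
```

The blacklist approach only works because the reachable set is tiny; a 256-bit key drawn from real entropy cannot be enumerated, which is why `strong_keygen` output never matches. It also shows why the flaw stayed invisible for two years: each individual key looked perfectly random, and only comparing many keys (or knowing the seed was the PID) exposed the collapse.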
