| |||||||||||||
OpenBSD IPSEC backdoored?OpenBSD IPSEC backdoored?Posted Dec 15, 2010 13:17 UTC (Wed) by clugstj (subscriber, #4020)Parent article: OpenBSD IPSEC backdoored?
It would be truly astounding if someone could put such a subtle back door in the code that hadn't been discovered in 10 years - and ported to other platforms.
Is anyone so paranoid (except Theo) that they believe this is really a problem?
(Log in to post comments)
OpenBSD IPSEC backdoored? Posted Dec 15, 2010 14:15 UTC (Wed) by foom (subscriber, #14868) [Link]
I dunno, I find it feasible. Software has bugs. Even 10-year-old bugs. If you can deliberately insert the right kind of bug in the right place...
OpenBSD IPSEC backdoored? Posted Dec 15, 2010 16:58 UTC (Wed) by whitemice (guest, #3748) [Link]
Sure there are bugs ... and then there is a significant *feature* [which is what this would technically be] of a protocol stack. You aren't going to mistake something like this for a typo.
OpenBSD IPSEC backdoored? Posted Dec 15, 2010 18:02 UTC (Wed) by marcH (subscriber, #57642) [Link]
A large number of honest, unintentional bugs in C end up being security risks. For sure a good and dedicated team of engineers can come up with security risks that look like bugs.
OpenBSD IPSEC backdoored? Posted Dec 15, 2010 21:57 UTC (Wed) by njs (guest, #40338) [Link]
Have you seen the Underhanded C contest? Some of the entries are pretty amazing.
OpenBSD IPSEC backdoored? Posted Dec 15, 2010 14:27 UTC (Wed) by tialaramex (subscriber, #21167) [Link]
It's pretty obvious that Theo is skeptical, that's exactly why he has posted this. If he discards it, and it's later found (astoundingly) to be true, he looks guilty. If he had instantly thought "this must be true" he'd have presumably ordered a quiet audit of IPSEC to try to find the issue before making headlines.
The story sounds very strange, but to be fair lots of true stories are stranger. Named developers and a specific period are given, if these clues aren't enough for us to find any evidence, then I agree that there was probably none to find. The supposed target (and the fact that people involved who didn't need to know claim they were told it) is a weird choice too, but it's not as though the US Attorneys (basically people who prosecute federal crimes) are above suspicion themselves.
OpenBSD IPSEC backdoored? Posted Dec 15, 2010 15:25 UTC (Wed) by nix (subscriber, #2304) [Link]
Quite. I mean, it's a bug in IPSEC. Even if IPSEC turns out to be broken completely from top to bottom, it's used so little that it's not going to rock anyone's boat at all.
OpenBSD IPSEC backdoored? Posted Dec 15, 2010 16:56 UTC (Wed) by whitemice (guest, #3748) [Link]
+1 It isn't feasible at all. Something as complex as an IPSec backdoor [and IPSec itself is *complicated*] would be obvious as heck; I strongly doubt the potential for a "subtle" back door.
OpenBSD IPSEC backdoored? Posted Dec 15, 2010 17:32 UTC (Wed) by iabervon (subscriber, #722) [Link]
It's entirely possible for a backdoor to look like a regular bug of no particular consequence. For example, having the second and third arguments to memset backwards is a common mistake that doesn't usually cause crashes or corruption but may leak data, and usually isn't particularly security-critical either (because the leaked data doesn't end up going anywhere anyway). So there are a lot of memset bugs that have been made and fixed over the past ten years, and people fixing them ordinarily don't consider whether they might have been intentionally introduced to leak key material to observers. So, even if no backdoors were found, and even if reviewers would find any flaw in the code in that period, it doesn't mean that there weren't backdoors.
Obviously, people frequently find security flaws that were accidental, had been there for a while, and could be exploited with detailed knowledge. Among these, one that was intentional but of a common form wouldn't stand out.
|
|||||||||||||