--On December 16, 2010 7:47:36 PM -0500 Larry Seltzer <la...@larryseltzer.com> wrote:
> Instead of an overt back-door, is it possible that Theo's old friend (;)) > is referring to exploitable vulnerabilities. These vulnerabilities may or > may not have been found in the interim and fixed, but not recognized as > backdoors. > > As you said, it's impossible to prove a negative (prove to me that you > haven't read Moby Dick), but the scenario above sounds kind of reasonable > to me. > If you work in security (I mean professionally - dealing day to day with the problems that arise - not the wannabes who post to lists and act like know-it-alls), you quickly learn to cast a jaundiced eye on unsubstantiated claims made on the internet. You begin to ask, what is the poster's motive? What's the goal of publicizing this? What is he not saying? In the case of Mr. Perry, he has made claims that have proven to be untrue (or at least been categorically denied by the persons supposedly involved), and he has thrown out some big names as if those substantiate his claims. (Shades of the common trait of internet myths.) The one thing Mr. Perry has not done, and which, if his claims have any merit at all, he could easily do, since he claims he's no longer under NDA, is post the code that proves that there is a backdoor. After all, he supposedly wrote it, along with others. He must know precisely what and where it is. At a minimum he could say that Theo needs to closely audit netif.h or crypto.c or des_setkey.c or something similar. So why hasn't he posted the code? I can think of some plausible reasons. (There may be others.) Perhaps he wants to create FUD around OpenBSD for some reason. (Note to musnt live: I don't use OpenBSD. If you had a clue how to read mail headers you would know that or if you had the simple skills to do a Google search, you would know that I'm a port maintainer for FreeBSD. Oh, I've installed and run OpenBSD in the past. But I haven't used it in years. And I don't give a hoot about it or about Theo, one way or the other. And the thought of smelling his crotch has never once crossed my mind - but it did yours - which leads to some interesting questions about your proclivities.) Perhaps he wants to gain some notoriety. He's certainly done that. Perhaps he really doesn't know anything at all about a backdoor and is simply blowing smoke. Perhaps he is aware of rumors about a backdoor but has no proof and is hoping Theo will do the hard work of auditing the code for him. Perhaps he thinks there's a backdoor but he hasn't the coding skills to confirm it or even to audit the code. Only Mr. Perry knows the truth. But one thing is certain. He could easily end the controversy if he wanted to but he hasn't. And that says a great deal more about him and his motives than it does about the integrity of the OpenBSD code or the possibility of a backdoor existing in it. The fact that I have to write all this irritates me. It's a waste of my time. But that's the price you pay for being on the internet, which abounds with idiots who will swallow every wild and unsubstantiated claim without question and who live in a world of paranoia where Big Brother is always right around the corner. -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. ******************************************* "It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson "There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/