On Wed, Dec 15, 2010 at 12:36 PM, Damien Miller <d...@mindrot.org> wrote:
> On Wed, 15 Dec 2010, patrick keshishian wrote:
>
>> It is easy to shoot one's mouth off like that about bounty offered,
>> given the ridiculously constrained "conditions" the bounty is offered
>> under. He might as well have offered a million USD. No one will be able to
>> prove this under these restrictions.
>
> His conditions aren't "ridiculously constrained", they seem to be pretty
> much appropriate for the allegations.
seriously?

# - that the OpenBSD Crypto Framework contains vulnerabilities
# which can be exploited by an eavesdropper to recover plaintext
# from an IPSec stream,

There is a big assumption about the alleged backdoor or leak; i.e., that
it is used to directly extract "plaintext" out of an IPSEC stream. OK.
Maybe reasonable.

# - that these vulnerabilities can be traced directly to code
# submitted by Jason Wright and / or other developers linked
# to Perry, and

Do they really have to be linked back to Perry? Is that really the
important factor in the alleged backdoor's existence?

# - that the nature of these vulnerabilities is such that there
# is reason to suspect, independently of Perry's allegations,
# that they were inserted intentionally - for instance, if the
# surrounding code is unnecessarily awkward or obfuscated and
# the obvious and straightforward alternative would either not
# be vulnerable or be immediately recognizable as vulnerable

Oh, so the alleged backdoor, if present, _must_ be in the form of
obfuscated code. Oooookay...

# - Finally, I pledge USD 100 to the first person to present
# convincing evidence showing that a government agency
# successfully planted a backdoor in a security-critical
# portion of the Linux kernel.

So not only does one have to find the alleged backdoor, but one also has
to link its author to a "government agency" .. via how, I wonder: payroll
stub, signed contract, confession? OK, maybe not too unreasonable, but it
still gives the blogger a nice loophole to recant on his bounty.

# - In all three cases, the vulnerability must still be present
# and exploitable when the evidence is assembled and presented
# to the affected parties. Allowances will be made for the
# responsible disclosure process.

Must still exist? So proving that at some point the alleged backdoor
existed and was placed in there by an FBI/NSA pawn isn't good enough; the
alleged backdoor must still exist. Nice...

# - Exploitability must be demonstrated, not theorized.

Ahh... must be demonstrated. So not only do you need to show there is an
alleged leak, but you must also know the means by which the NSA or FBI
intended to use the alleged leak. But OK.

--patrick