The item I find interesting in all this is one I have not seen
commented on:
"the FBI implemented a number of backdoors and
side channel key leaking mechanisms into the OCF,
for the express purpose of monitoring the site to
site VPN encryption system implemented by EOUSA"
Two things come immediately to mind:
1. If I legitimately need access to monitor traffic over
a VPN I either have access to an endpoint, or I have
the keys. Or a warrant.
2. OpenBSD was (is) by this report used by at least one US
agency. There are lots of other little reports and
snippets over time that suggest use by many other
US government agencies.
Therefore, over and above any technical security issues, we have
the allegation that:
1. An agency is (possibly illegitimately) trying to sniff the
traffic of another agency.
2. To do so, that agency deliberately weakened a tool used
by other US government agencies, thereby compromising
their security.
I call fantasy. (On the other hand: prove a backdoor, create a
political tempest where OpenBSD's involvement is almost incidental.)
Carson
--
Carson Harding - harding (at) motd (dot) ca
