FUD on OpenBSD?
-
Can anyone make sense of this?
So the FBI was paying the people the OpenBSD Projetc people to plant backdoors in their IPSEC implementation, then DARPA cut their funding because of that. I find it ludicrous, but still, WTF?
-
It's a weird story.
If I'm the FBI and I'm interested in compromising security, would I choose OpenBSD? (I'd choose windows) Would I choose VPN? Not really. Also, you need a very good programmer to first create the vulnerability and then hide it all those years (and preferably make it look like a bug if he ever gets found out), not just any old hacker. He even mentions "several developers", so you also need to make sure the guys never talk. Minor point: I don't know enough about the FBI but would they really be interested? (isn't this more a typical CIA thing?) The more you think about the whole scenario, the less likely it sounds.
The other possibilty is that mr Perry wants to somehow screw the developer he mentions. This scenario seems a bit more likely. If so however, this may have been a very dumb thing to do - this is going to backfire big time.
-
@b-redeker said:
If I'm the FBI and I'm interested in compromising security, would I choose OpenBSD? (I'd choose windows)
Well, if you're the FBI and stupid, you might choose BSD with the assumption that Microsoft was still using BSD code in their network stack. (They weren't; they did take the initial implementation from BSD, but they never synched it up afterwards, instead maintaining their own copy. And of course, now all that's rewritten from scratch anyway.)
@b-redeker said:
Also, you need a very good programmer to first create the vulnerability and then hide it all those years (and preferably make it look like a bug if he ever gets found out), not just any old hacker.
Yeah, that strikes me as the most unlikely bit. There's no way this code could stay hidden for a decade. I mean... never say never... but it seems pretty fucking unlikely.
(Of course, that doesn't necessarily mean the original story is false! Maybe the developer took the money but never added the code. Or was offered the money but never took it.)
@b-redeker said:
The other possibilty is that mr Perry wants to somehow screw the developer he mentions. This scenario seems a bit more likely. If so however, this may have been a very dumb thing to do - this is going to backfire big time.
Pretty elaborate for that, don't you think? Although I do believe Theo de Raadt should have censored the guy's name in the email forward.
I'm guessing what happened is some law enforcement official approached them asking about the feasibility of doing it. They had a conversation and mistakenly walked away believing that the FBI was willing to pay to have a back door inserted into the code. Gregory Perry never heard back from them, but believes (for some reason) that his colleague accepted an offer. Ten years later, the NDA on the (original) conversation with the FBI expires, and Gregory writes this email.
Edit: Forgot to add, the loss of DARPA funding and a current FBI official recommending cloud computing are just coincidence. The email doesn't provide any good evidence that either of those events was related to his conversation with the FBI.
That explanation sounds much more reasonable to me, and doesn't necessarily make anybody "eeevil".
Despite this sounding really dumb, the pure amount of "paranoid" in the open source world (especially about the US Government) means this is going to explode. Whee.
-
Just saw this in my RSS: http://www.itworld.com/open-source/130820/openbsdfbi-allegations-denied-named-participant
Scott Lowe (both of them) deny ever working with the FBI or any other government agency. The one in Missouri has never even used BSD.
That part of the story, at least, is probably crap.
-
I clicked the link, saw this "theo de raadt" and more or less stoped taking it seriously. Really if you think linus is a bit strong worded, and RMS is a bit estranged, you haven't seen nothing yet.
-
-
@blakeyrat said:
@stratos said:
and RMS is a bit estranged
I don't know what word you intended here...?
RMS=Richard Matthew Stallman I think. Certainly fits.
-
@BC_Programmer said:
RMS=Richard Matthew Stallman I think. Certainly fits.
I know who RMS is. The word "estranged" is what I'm trying to narrow down... it doesn't make any sense in context.
-
He's estranged from sanity and/or the real world.
-
