[cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)
marsh at extendedsubset.com
Wed Dec 15 02:14:46 EST 2010

On 12/14/2010 09:11 PM, Rayservers wrote:
> Moral: never depend on only one network security layer, and write and verify
> your own crypto. Recall Debian and OpenSSL.

I think it's too early to draw conclusions from this.

I spent a good bit of time going through a bunch of the OpenBSD CVS
history for the IPsec code and the developers implicated. I didn't see
any smoking guns right away, though there are a few possible leads. I
don't know enough about that codebase or have a timeslice view of it

But if you look at the dates on the emails, Theo spent a few days on it
before he forwarded it. Perhaps he would have prepared a patch before
disclosing it if he'd found anything.

Something about this doesn't add up and I don't think we're seeing the
real story emerge yet. The USG seems to be completely off its rocker
right now reacting to Wikileaks and I wonder if that has something to do
with the timing of this.