[cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

Marsh Ray marsh at extendedsubset.com
Wed Dec 15 02:14:46 EST 2010


On 12/14/2010 09:11 PM, Rayservers wrote:
>
> Moral: never depend on only one network security layer, and write and verify
> your own crypto. Recall Debian and OpenSSL.

I think it's too early to draw conclusions from this.

I spent a good bit of time going through a bunch of the OpenBSD CVS 
history for the IPsec code and the developers implicated. I didn't see 
any smoking guns right away, though there are a few possible leads. I 
don't know enough about that codebase or have a timeslice view of it 
handy either.

But if you look at the dates on the emails, Theo spent a few days on it 
before he forwarded it. Perhaps he would have prepared a patch before 
disclosing it if he'd found anything.

Something about this doesn't add up and I don't think we're seeing the 
real story emerge yet. The USG seems to be completely off its rocker 
right now reacting to Wikileaks and I wonder if that has something to do 
with the timing of this.

- Marsh



More information about the cryptography mailing list