[cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

Marsh Ray marsh at extendedsubset.com
Wed Dec 15 04:13:10 EST 2010


On 12/15/2010 01:38 AM, Peter Gutmann wrote:
>
> This is one of those things where those who know the truth won't be able to
> talk about it, and those who can openly talk about it don't know the truth.
> Having pointed out that distinction, I'll now talk about it :-).  It violates
> the principle of least surprise, why on earth would the FBI show their hand in
> violating the integrity of an OSS product,

Note that everyone official, if it's even real, has maintained plausible 
deniability here.

But at least some of the details check out - I mean, the stormy 
affair between OpenBSD and DARPA isn't exactly a secret.

> especially something of such
> relatively low value when, even in 2000/2001, the real crypto action was in
> OpenSSH?

That was my first thought too: OpenBSD IPsec?! They sure know how to 
pick 'em!

But the guy did implicate the general crypto framework. Searching around 
for various identifiers, it looks like pieces of that code have ended up 
_everywhere_.
E.g.:
 
https://dev.openwrt.org/browser/trunk/target/linux/generic/files/crypto/ocf/cryptodev.c

Connecting unsubstantiated rumor with unrelated speculation, this post 
is dated the day before the Perry email. Basically it suggests there was 
some connection between Wikileaks and BSD, but it's hard to tell the 
degree to which the author is serious.
http://blather.michaelwlucas.com/?p=443

> My guess is that this arose from one of two things:
>
> 1. Someone seriously got their wires crossed (knotted, more like it).

I have no idea if this is relevant:
http://www.bop.gov/iloc2/InmateFinderServlet?Transaction=IDSearch&needingMoreList=false&IDType=IRN&IDNumber=61547-065&x=98&y=17

No mention of Mr. Perry being CTO here about the time this was alleged 
to have occurred:
http://web.archive.org/web/20000816024434/www.netsec.net/management.html

> 2. Someone has it in for OpenBSD (or Theo), and a spooky backdoor conspiracy
> would be an ideal vehicle for it.

You mean he might have made somebody angry?! :-O

> I'm going for (1).

Or even (3) somebody was bored over the holidays and got carried away 
with exaggerated memories of past grandeur.

Still, with the accusations he's throwing around, I imagine a few people 
who have professional reputations to uphold may be considering a call to 
their lawyers.

- Marsh


