[cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

Paul Hoffman paul.hoffman at vpnc.org
Thu Dec 16 20:41:59 EST 2010


At 7:06 PM -0600 12/16/10, Marsh Ray wrote:
>On 12/16/2010 04:46 PM, Steven Bellovin wrote:
>>
>>I've known Angelos Keromytis since about 1997; he's now a colleague
>>of mine on the faculty at Columbia.  I've known John Ioannidis -- the
>>other name attached to that code -- for considerably longer.  I've
>>written papers with both of them.  To anyone who knows them, the
>>thought that either would insert a bug at the FBI's behest is, shall
>>we say, preposterous.
>
>For the record, though I don't know him, I agree with that sentiment.

If you don't know them, then your agreement or disagreement is kind of irrelevant. (I knew them both in that timeframe, and knew Steve pretty well, and agree with his assessment.)

>There were some wild accusations made and widely repeated, I'm trying my best to stick to facts and not direct accusations about anyone.

You failed (miserably, in my opinion). In specific, you said:

At 4:09 PM -0600 12/16/10, Marsh Ray wrote:
>How's this:
>
>OpenBSD shipped with a bug which prevented effective IPsec ESP authentication for a few releases overlapping the time period in question:
>
>>http://code.bsd64.org/cvsweb/openbsd/src/sys/netinet/ip_esp.c.diff?r1=1.74;r2=1.75;f=h
>
>No advisory was made.
>
>The developer who added it, and the developer who later reverted it, were said to be funded by NETSEC
>
>>http://monkey.org/openbsd/archive/misc/0004/msg00583.html
>
>I think there's more. I'm out of time to describe it right now, BBIAB.

Which part of that even has a hint of "not direct accusations about anyone"?

>There was a need for facts, so I went diving into CVS logs and mailing list archives. This is some of the stuff I found that might fit the claims. I would be very reluctant to draw any conclusions for a long time.

I see nothing in the message quoted above that indicates that reluctance.

>Possibly the thing which gets proven here is that even high-quality clean C code is very difficult to make provable statements about, even with the benefit of hindsight.

No one here is asking for provable statements, just ones that are germane to the topic. "I found a code change in the CVS log that might be relevant, here's the URL, does anyone agree" is quite different than what you said in your message.



More information about the cryptography mailing list