On Dec 15, 2010, at 10:32 AM, Paul Schmehl wrote:
--On December 14, 2010 8:40:14 PM -0500 bugs () fbi dhs org wrote:
http://www.downspout.org/?q=node/3
Seems IPSEC might have a back door written into it by the FBI?
So for 10 years IPSEC has had a backdoor in it and not one person
examining the code has noticed it? <snip>
Read The Cathedral and The Bazaar.
--
Paul Schmehl, Senior Infosec Analyst
I call bullshit on all the people claiming this couldn't possibly have
existed because "anyone can read the source." How many of you understand
crypto. OK, now how many of you _actually_ understand crypto? And of
those, how many look at *BSD?
There have been plenty of recent examples of Open Source projects that
have had undetected security flaws for multiple years. It's not
difficult to believe a relatively uncommon OS could have a subtle
weakness in a difficult-to-understand part of the code.
In this particular case, it looks to be total FUD by some lunatic with an
axe to grind, but we shouldn't be so arrogant to assume that such a flaw
_could not_ exist.
BTW I actually use OpenBSD on many of my systems and I happen to think
it's a very simple and practical OS, but I'm not blind to potential
problems.
