Full Disclosure: Re: OpenBSD has Open Backdoored Software Distribution

Nmap Security Scanner
- Intro
- Ref Guide
- Install Guide
- Download
- Changelog
- Book
- Docs
Security Lists
- Nmap Hackers
- Nmap Dev
- Bugtraq
- Full Disclosure
- Pen Test
- Basics
- More
Security Tools
Site News
Advertising
About/Contact
Sponsors:

Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo

From: Carlos Alberto Lopez Perez <clopez () igalia com>
Date: Thu, 23 Dec 2010 01:53:38 +0100

On 12/23/2010 01:36 AM, mrx wrote:

On 23/12/2010 00:00, Dan Kaminsky wrote:

On Wed, Dec 22, 2010 at 3:47 PM, Dave Nett <dave.nett () yahoo com> wrote:

http://marc.info/?l=openbsd-tech&m=129296046123471&w=2

Long mail which just admit has backdoor, poor Theo.

    (g) I believe that NETSEC was probably contracted to write backdoors
        as alleged.
    (h) If those were written, I don't believe they made it into our
        tree.  They might have been deployed as their own product.

You had only one more sentence to read!  Just one!





"> where would you start auditing the code? It's just too much.

Actually, it is a very small part of the tree..."


I am aware that compilers can be coded to introduce "features" into binaries that are not in the actual source code 
itself.
So with all due respect and possibly much ignorance on my part, what is a code audit going to achieve if one uses the 
shipped compiler to
compile the source? Unless one codes ones own compiler can any binary be trusted?

I am also aware that processors can have hidden "features" that make them
execute a sightly different program that the one you expect to be executed.
So, can we trust processors unless you make your own processor?

For example think about the new Intel processors that are shipped with the
AES-NI [1] instruction set. How difficult would be to governments and
powerful people/companies to hide a trojan horse in this processors? And
would you ever notice the existence of this hidden "feature"?

[1] http://en.wikipedia.org/wiki/AES_instruction_set

Would not reversing the compiled code lead to a proper insight? Are the compiled binaries that handle these crypto 
functions so complex that
they cannot be reversed by a skilled assembly coder? I guess that such a coder would have to be an expert 
cryptographer too, or at least
collaborate with one.

My curiosity is genuine, I am trying to educate myself about such things.

regards
Dave


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

OpenBSD has Open Backdoored Software Distribution - admitted by Theo Dave Nett (Dec 22)
- Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo Dan Kaminsky (Dec 23)
  - Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo mrx (Dec 23)
    - Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo Valdis . Kletnieks (Dec 23)
    - Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo Paul Schmehl (Dec 23)
    - Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo The Sp3ctacle (Dec 23)
    - Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo Graham Gower (Dec 23)
    - Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo Carlos Alberto Lopez Perez (Dec 23)
- Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo Paul Schmehl (Dec 23)