De Raadt Doubts Alleged Backdoors Made It Into OpenBSD

itwbennett writes "In follow-up to last week's controversy over allegations that the FBI installed a number of back doors into the encryption software used by the OpenBSD operating system, OpenBSD lead developer Theo de Raadt said on a discussion list Tuesday, that he believes that a government contracting firm that contributed code to his project 'was probably contracted to write backdoors,' which would grant secret access to encrypted communications. But that he doesn't think that any of this software made it into the OpenBSD code base."

Re:Audit necessary

[CAPSLOCK2000]

Even with a thorough audit you will never be sure. That's the beauty of these kinds of accusations, no matter what you do, you can never 100% sure.
OpenBSD is among the best audited code in the world. People have been looking for this backdoor specifically for an entire week and nothing fishy has been found yet.

Link to the ACTUAL FREAKING POST

[brunes69]

Since the useless summary did not include one

http://marc.info/?l=openbsd-tech&m=129296046123471&w=2 [marc.info]

Link directly to Theo's post

[martyros]

A link to Theo's post [marc.info] on the subject is much more informative.

Highlights:

• Two of the guys named in the original allegation did work on the security stack, but
• Almost certainly didn't check in any malicious code, and
• "wrote much code in many areas that we all rely on. Daily. Outside the ipsec stack."

Also:

I believe that NETSEC was probably contracted to write backdoors as alleged. If those were written, I don't believe they made it into our tree. They might have been deployed as their own product.

Re:Audit necessary

[milonssecretsn]

OpenBSD does have an ongoing code audit [openbsd.org]

Perhaps not as thorough as you were suggesting. However, I think for others who are not familiar with OpenBSD's ongoing code audit, the above link will be essential for fully understanding these stories.

Re:Sorry, but how..?

[0123456]

Read this for an idea, someone hacked in some well crafted code that appeared innocent, had the machine not been hacked it probably would have stayed

That code is neither innocent nor well-crafted. Setting uid to zero is not 'innocent' and using '&& (x = 0)' is not well-crafted since it will always evaluate to false. I don't know whether the compiler will generate a warning in that case, but it should, and while a brief look through the code might miss that it's using = instead of ==, any kind of code review worthy of the name would spot it and flame the developer who wrote it.

Yes, you are right...

[PaulBu]

"Reflections on trusting trust", by Ken Thompson:

http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com]

Paul B.