Wednesday, December 15, 2010

OpenBSD allegedly backdoored

I posted less before I started reading TechMeme (and Hacker News, for that matter). TechMeme linked into the middle of this thread on the openbsd-tech mailing list whose subject is "Allegations regarding OpenBSD IPSEC." The heart of the controversy is the accusation that the FBI contributed source code to OpenBSD that functioned as a back door "for the express purpose of monitoring the site to site VPN encryption system."

IPSEC provides, among other things, data encryption. The code that turns unencrypted data, or plaintext, into encrypted data would obviously be a desirable place for law enforcement to tap into communications.

That's if the accusation is true. It's going to be difficult to prove, even having access to the source code itself. The code would have been added ten years ago and subject to modification since then. More than one developer noted that any code which contributed to a back door could easily have been perceived as an innocuous bug, and fixed on that basis without anyone realizing it had been added deliberately.

If, again, the accusation has any merit at all.

The very existence of the thread and of the two explicit denials the accusations have sparked so far illustrates yet again how easy it is to start a firestorm that engulfs people's reputations. (One of those denials is part of the thread, while the other was posted in a blog.)

Gregory Perry, who started this particular firestorm, had better have more than the ominous-sounding but vague accusations he made in his original email. Otherwise he can kiss his own reputation in the developer community goodbye.