FBI Backdoored OpenBSD? - Page 2

xilman · 2010-12-17, 00:44

Quote:

Originally Posted by Wacky

I, too, think that this is a bunch of "conspiracy" BS.

Any true hidden backdoors are imbedded in things that are not "under public scrutiny". If Intel or some BIOS manufacturer has been "paid off" to intentionally place a "backdoor" in their hardware or boot_firmware, it might be difficult to detect.

In a similar vein, compromising a particular compiler (for example, gcc) to insert "backdoor" code, independent of the source code submitted, is hard to imagine and sustain.

Even if some trojan were introduced, it is questionable that it could lie totally hidden, without any "sleeper cell" tripping some alarm on un-compromised networks.
...
.

I also have serious doubts.

Note, however, that some backdoors are much more subtle than others and may be very difficult indeed to spot. Something which leaks a single bit of keymat once every few network transactions would be most unlikely to be spotted in a blackbox investigation. Properly done, it would be very difficult to discover even with full access to source code. The leaking code would quite probably look like a subtle bug of the sort which people make through carelessness all the time.

An ex-colleague of mine, now also ex-MSR Cambridge, yesterday posted the following statement to a security mailing list to which we both subscribe:

Any sufficiently advanced malice is indistinguishable from incompetence.

I can provide illustrations of the similar statement

Any sufficiently advanced incompetence is indistinguishable from malice.

and did so on the same mailing list.

Paul

CRGreathouse · 2010-12-17, 02:03

I read a paper perhaps a year ago on this subject, and it seemed to support Paul's statement. (I don't imagine anyone knows the paper?)

Mr. P-1 · 2010-12-17, 02:33

Quote:

Originally Posted by xilman

Any sufficiently advanced incompetence is indistinguishable from malice.

George Bush

retina · 2010-12-17, 06:36

Quote:

Originally Posted by Mr. P-1

By "hackers" do you mean "people interested in breaking into computers"? or "extremely talented programmers"?

I agree that the latter, particularly those who develop NetBSD, would probably have found them by now.

Hacking to break stuff versus programming to make stuff, while they do overlap a small amount, are still mostly different skill sets. Usually programmers concentrate strongly on getting the damn thing working. While hackers are concentrating on getting a working thing to work in different ways than it was intended. So the developers are probably not the best people to be finding the faults. It needs a fresh eye without the preconceptions about what the code is designed to do.

cheesehead · 2010-12-18, 05:52

Quote:

Originally Posted by retina

So the developers are probably not the best people to be finding the faults. It needs a fresh eye without the preconceptions about what the code is designed to do.

When I was programming, my biggest mistakes and embarrassments were related to my unjustified assumptions. When I was testing someone else's code, it was all-too-easy to find such flaws.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
mprime on OpenBSD 4.1	robo_mojo	PrimeNet	5	2008-05-04 12:49
Running the client under OpenBSD 3.3	_ArJaN_	NFSNET Discussion	8	2004-05-05 13:42

2010-12-17, 02:03	#13
CRGreathouse Aug 2006 5,987 Posts	I read a paper perhaps a year ago on this subject, and it seemed to support Paul's statement. (I don't imagine anyone knows the paper?)