The accusation came at a really strange time. I'm inclined to think more people jumped on the government conspiracy bandwagon because of the recent release of the diplomatic cables via wikileaks.
3dFlatLander | 15 years ago
Incidentally, I thought I had seen Mr. Perry someplace on TV, and then I remembered he was on an episode of Penn and Teller's "Bullsh*t" a while back. Link for the interested: http://www.youtube.com/watch?v=DT2YET6sg5I
Many of the commenters in the last thread admitted to this, which made it all the more irrational. There was even a debate about whether, in general, 'conspiracy theories' were more or less common than the public perception. As if that had any bearing on these specific allegations.
mikedouglas | 15 years ago
With the strange claims made in the email (outsourcing, expired NDAs, DARPA knew), I wish Theo would've thought twice before publicizing this guy's name. At least the extra eyes on IPSEC might catch something else.
I think Theo de Raadt is right to make the accusation open, because it is quite a serious thing.
febeling | 15 years ago
On the other hand, I know that such an accusation can have a devastating effect on the life of the accused developer. So the principle of _in dubio pro reo_ should be applied faithfully.
This should be the instinctive reaction of a democratic society. It does seem to be quite hard to have this collective routine work reliably nowadays, which is sad.
Jason L. Wright is known by many as "Wookiee" for reasons that may be obvious to many of you. Now I realize that it's been done before, but would it be too much to ask that we consider the term Wookieeleaks when referring to this matter? ;-)
Chewie was a female and being pregnant most of the time from her incessant whoring resulting in the hairy toe head always putting pressure on her bladder ... did cause a leak or two.
Not sure what to believe here but we do know that the NSA and authorities do need to have access to data for security. If there are systems that aren't apt to putting in backdoors or trapdoors then they treat you like Phil Zimmerman in the 90's by dropping the DOJ on you: http://www.philzimmermann.com/EN/faq/index.html + http://en.wikipedia.org/wiki/Phil_Zimmermann or at least that was the MO at that time.
drawkbox | 15 years ago
But the DOJ and US Customs dropped the case against Zimmerman in '96. Obviously they would need to go with a new plan of attack after that method failed for intercepting messages in algorithms and software that is closed or running new algorithms like PGP. Backdoors and trapdoors in software that wraps crypto algorithms are one prong in that attack. The NSA neither confirms nor denies trapdoors, backdoors, etc. but DOES employ some of the top cryptographers in the world.
In 2000, the U.S. government lifted the export controls on strong crypto, so (pure speculation) other methods to intercept communications were/are needed. The alleged event here happened in 2000/2001, which might fit with a new MO.
Fortunately there's a way to resolve whether this is whistle blowing or mud slinging. Someone with some expertise in that area should audit the code to check whether the allegations have any basis. The original email makes some fairly specific claims, at least some of which are probably verifiable.
The code has probably already been audited, but of course, more audits might reveal more problems. However, there might be non-obvious ways to make the code vulnerable to side-channel/timing attacks, and if you don't know what you're looking for, the only thing you can really do is to take as many precautions as you can.
gnaffle | 15 years ago
For how many years did the NSA know about timing attacks before they became public knowledge and fixes were incorporated into code? Impossible to know. Code audits certainly didn't spot timing attack problems before people knew to look for them.
It's also impossible to know what other unknown attacks are available to NSA and the likes.
Of course, this is completely irrelevant to 99% of us, since anyone with knowledge of these unknown attacks would use them very sparingly in order to keep them secret.
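The two comments above make a point that is easy to state and hard to see in a review: a routine can be functionally correct, pass every test, and still leak secrets through how long it runs. The block below is an added illustration, not code from this thread or from OpenBSD's crypto framework. It compares a constructed 16-byte MAC tag against candidate tags using an early-exit loop and a constant-time loop, and counts how many bytes each one inspects (a stand-in for elapsed time, which is what an attacker would actually measure). The tag value, the `probe_*` helpers and the byte counter are all invented for the demo; the constant-time loop has the same shape as the `timingsafe_bcmp(3)` routine OpenBSD later added to libc.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16

/* Constructed sample MAC tag for the demo (not a real key or tag). */
static const uint8_t REAL_TAG[TAG_LEN] = {
    0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87,
    0x98, 0xa9, 0xba, 0xcb, 0xdc, 0xed, 0xfe, 0x0f
};

/* Instrumentation only: how many byte positions the last compare looked at.
 * Real code has no such counter; the observable quantity is running time. */
static size_t bytes_inspected;

/* Early-exit comparison. It returns the right answer, so a functional
 * audit finds nothing wrong, but the work done (and the time taken)
 * grows with the length of the matching prefix. */
int tag_equal_early_exit(const uint8_t *a, const uint8_t *b, size_t n)
{
    bytes_inspected = 0;
    for (size_t i = 0; i < n; i++) {
        bytes_inspected++;
        if (a[i] != b[i])
            return 0;              /* data-dependent early return */
    }
    return 1;
}

/* Constant-time comparison: touches every byte, accumulates differences
 * with OR, and never branches on the secret. */
int tag_equal_constant_time(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    bytes_inspected = 0;
    for (size_t i = 0; i < n; i++) {
        bytes_inspected++;
        diff |= a[i] ^ b[i];       /* no branch, no early exit */
    }
    return diff == 0;
}

/* Build a candidate that differs from REAL_TAG only at byte mismatch_at
 * (an exact match when mismatch_at >= TAG_LEN) and run the chosen compare.
 * Returns the compare's verdict; bytes_inspected holds the work count. */
static int run_probe(int constant_time, size_t mismatch_at)
{
    uint8_t cand[TAG_LEN];
    memcpy(cand, REAL_TAG, TAG_LEN);
    if (mismatch_at < TAG_LEN)
        cand[mismatch_at] ^= 0xff;
    return constant_time
        ? tag_equal_constant_time(REAL_TAG, cand, TAG_LEN)
        : tag_equal_early_exit(REAL_TAG, cand, TAG_LEN);
}

/* Verdict (1 = tags equal) for a candidate differing at mismatch_at. */
int probe_result(int constant_time, size_t mismatch_at)
{
    return run_probe(constant_time, mismatch_at);
}

/* Number of bytes the compare inspected for that same candidate. */
size_t probe_inspected(int constant_time, size_t mismatch_at)
{
    run_probe(constant_time, mismatch_at);
    return bytes_inspected;
}

int main(void)
{
    /* Both routines agree on every verdict; only the work count differs,
     * and for the early-exit version it reveals where the first bad byte is. */
    for (size_t i = 0; i < TAG_LEN; i += 5)
        printf("first wrong byte at %2zu: early-exit inspects %2zu, constant-time inspects %2zu\n",
               i, probe_inspected(0, i), probe_inspected(1, i));
    printf("exact match:            early-exit inspects %2zu, constant-time inspects %2zu\n",
           probe_inspected(0, TAG_LEN), probe_inspected(1, TAG_LEN));
    return 0;
}
```

The early-exit version inspects one byte when the first byte is wrong and all sixteen when only the last byte is wrong, so a remote party who can time responses can recover the tag one byte at a time. The constant-time version inspects all sixteen bytes whatever the input. A reviewer reading only for correctness would accept both, which is the sense in which "if you don't know what you're looking for" applies.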
I submitted this a little while ago, but it's scrolled off the new submissions page while this story seems to be hanging on, so reposting here. Sorry for the submission pimping.
The reason OpenBSD was thought of as so secure is because they audited the entire code at one time and continuously audit code for new holes. The reason they audited the code in the first place was because way back in the day the main OpenBSD server was compromised and backdoors were placed in the code. They do not like people to know this.
It's really funny how there is so much indignation about this. What difference does it make whether it's true or false? There should be an audit of the code.
grandalf | 15 years ago
It's this sort of emotional, knee-jerk response that leads to irrational behavior.
It's a big allegation. This email didn't strike me as an overly emotional response. It was a very firm refutation from a respected member of the community about a hefty accusation.
If you're the one being accused, you have to worry about the accusation coloring other people's judgement of you. Most people really aren't logical creatures. People tend to not remember the source or veracity of things they know. So even if you're innocent, others may automatically assume you're a jerk.
slim | 15 years ago
We're talking about code, guys. It's not an accusation of rape or a broken condom.
tedunangst | 15 years ago
http://news.ycombinator.com/item?id=2010606
http://marc.info/?l=openbsd-cvs&m=129245633605693&w=...
Flemlord | 15 years ago
> I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF).