Schneier's take on the alleged backdoor in OpenBSD

41 points| cosgroveb | 15 years ago |schneier.com | reply

36 comments

[+] jdp23|15 years ago|reply
I'm where he is. Interesting discussion, though -- and it really highlights the limits of "with many eyes all bugs are shallow".
[+] davidj|15 years ago|reply
He didn't add anything new to the discussion but his opinion. Crypto scholars are excellent at cryptography and security theory, but when it comes to actually implementing secure systems (exception being crypto algorithms) and securing systems, crypto scholars are horrible. For example, he mentions that it would be better to just find an existing vulnerability instead of planting an FBI backdoor in the OpenBSD code: good luck Schneier, obviously you don't know that much about OpenBSD security culture and history. Plus the NSA has a history of putting backdoors into solutions. This is just my opinion from experience.
[+] frisco|15 years ago|reply
Bruce Schneier isn't some random academic. He's extremely highly respected, and is the Chief Security Technology Officer of BT Communications. He has tons of experience with securing systems in the real world, and to say he "obviously [doesn't] know that much about OpenBSD security culture and history" is crazy.
[+] glhaynes|15 years ago|reply
Plus the NSA has a history of putting backdoors into solutions.

Have there been proven (or at least credibly shown probable) to be NSA backdoors into shipping products?

[+] 16s|15 years ago|reply
He's just pointing out that a big project will have bugs and he's right. That's not a matter of opinion. Not much fuzz testing has been done on OpenBSD since the early 2000s. When Theo did fuzz test back then, he found bugs. He claims to have found two just now while doing the audit in the crypto code. Code has bugs. Large projects have many bugs.
[+] wazoox|15 years ago|reply
Given the past feats from Theo de Raadt, my guess is on a nice stunt to get a free thorough code check :)
[+] JoachimSchipper|15 years ago|reply
Too many stupid people are saying too many bad things about the OpenBSD project for this to be a net positive for him.

After all, he doesn't really profit from a free audit, and all the auditing I've seen so far has been done by the OpenBSD team itself.

[+] bl4k|15 years ago|reply
Easy way to prove it isn't true:

Has there ever been a criminal case prosecuted in the USA where the FBI entered or revealed intercepted VPN data as evidence?

[+] piotrSikora|15 years ago|reply
This is false logic. This way you can only prove that the backdoor exists, not that it doesn't.
[+] _pra|15 years ago|reply
Ah, but perhaps this is why it's so important that Gitmo detainees, et al., are not granted a trial?