Openbsd Ipsec Backdoor

[digip]

I don't doubt the possibility of this, but if it is true, its a disturbing reality to think that there is no protection from Big Brother if you don't know Big Brother is in at all.

http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

excerpt:

My NDA with the FBI has recently expired, and I wanted to make you

aware of the fact that the FBI implemented a number of backdoors and

side channel key leaking mechanisms into the OCF, for the express

purpose of monitoring the site to site VPN encryption system

implemented by EOUSA, the parent organization to the FBI.

Visit the site for the entire story.

[mux]

I don't doubt the possibility of this, but if it is true, its a disturbing reality to think that there is no protection from Big Brother if you don't know Big Brother is in at all.

http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

excerpt:

Visit the site for the entire story.

Whoa, talk about stirring the hornets nest. Either way this story pans out, it is not going to be good for OpenBSD.

[Infiltrator]

This is not good at all, I won't even use it, in fear of being monitored by the FBI.

[digip]

We have to realize though, that within every product, unless completely open source and free(although in this case didn't hold true) could have backdoors, if not mandated by the governing coutnry in question. I don't doubt there are backdoors in things like Apple OSX, or Microsoft Windows, but I doubt that most people are even on the radar to be monitored. Still, things like a VPN, where communication is meant to be encrypted and trusted, vs just your own communication to the internet at large, that to me strikes a difference. On one hand, you expect everything you do online to not be considered completely private, just for the face that you connected to an open network, the internet. But using tunnels, such as SSH, IPSEC or a VPN, that is when, even the government for that matter, expects some level of private communication. The fact that they even attempted to buy off developers is not so much the problem, but the fact that they may have succeeded is what is disturbing because the level of trust for a specific feature meant to give us privacy just went out the window.

Also, was reading on twitter, someone claiming to be an ex-FBI agent,

says that yes they attempted to do this, but apparently failed. I'm not sure I can believe that without someone who specializes in combing through the source code can tell us exactly whether or not one exists. Even then, there is always the "what if" factor, because I don't know any of these people personally, and it then turns into this more philosophical issue of, can we trust one another. Can people trust anyone, and that makes it an even sadder thing to think about. Humanity at large, in the shitter.

I take privacy seriously, so it always strikes a nerve when I hear about things like this. On the other hand, I fully support the dissemination of information for the greater good of all when it is at stake, ie: wikileaks showing true transparency of what goes on behind closed doors of governments, not just our own here in the USA. I think too many people have focused on the US Cables, and not enough on ALL the work Assange has done for many years, to bring out the information on a lot of issues around the world (granted the method by which this information is acquired is somewhat questionable, him releasing it is no more damaging than any newspaper reporting it or eye witness accounts tweeting it as it happens in real time).

If anything, most of what wikileaks posted is known to the people in the public who witnessed it firsthand only their stories never make it to mainstream media, such as the Chopper incident where they killed the Reuters reporter. Yet it takes a whistle-blower to bring that story to the mainstream instead of the people on the ground who were there, or even the soldiers who were on the ground and saw what happened, being a clear mistake on our part.

http://xkcd.com/834/

[Infiltrator]

We have to realize though, that within every product, unless completely open source and free(although in this case didn't hold true) could have backdoors, if not mandated by the governing coutnry in question. I don't doubt there are backdoors in things like Apple OSX, or Microsoft Windows, but I doubt that most people are even on the radar to be monitored. Still, things like a VPN, where communication is meant to be encrypted and trusted, vs just your own communication to the internet at large, that to me strikes a difference. On one hand, you expect everything you do online to not be considered completely private, just for the face that you connected to an open network, the internet. But using tunnels, such as SSH, IPSEC or a VPN, that is when, even the government for that matter, expects some level of private communication. The fact that they even attempted to buy off developers is not so much the problem, but the fact that they may have succeeded is what is disturbing because the level of trust for a specific feature meant to give us privacy just went out the window.

We are now living in a technology era, where everything is possible. Whether we are being monitored or a software has a backdoor, we should always remain skeptical. I take my privacy matters very seriously too, and now with all this cyber attacks happening around the internet, its really something to think about and be proactive, before its too late.

[HALEN666]

If the FBI was able to do something like that, I don;t want to imagine what CIA and NSA have done. They will do everything they can to spy on Linux users as well. I am pretty sure they are do it one way or the other. The have money, power, and knowledge, so what makes you think they can't do it. If I were them I would focus more on Linux users than WIndows Users because most computers savvies that can participate in cybercrime love Linux. Do you really think those agencies will avoid Linux just because it is open source. They will cheat, pay or do anything they can to have control on it as well. This is not a conspiracy theory it is just reality.

Lets be honest, just because it is open does not mean you can just go and read the code much less understand it. Even people who have the skills to do it would not check millions and millions of lines of code. It would take a huge amount of time and effort to do something like that. A lot of people say that the bigger the code the more bugs are likely to appear in a piece of software, but it is also easier for somebody to put something in there that can be used as a backdoor. Very old bugs have been found even in the Linux kernel that can give total access to the system, that proves it is not as easy as it seems to detect bugs that can be used as backdoors. Who knows maybe they were put there, but somebody screw them up.

Lets just accept it and stop saying open source is the way to go because all it does is to give a false sense of security to people that can't prove it. I agree it is better, but lets just admit it is not bullet proof. Facts not words are what counts.

Edited December 16, 2010 by HALEN666

[digip]

Nothing is bullet proof, no one ever said that. The difference with open source code though, you can use program scanners to read through the source code to check for the backdoors, malware, etc, as where in closed source software or even hardware for that matter(ie: the latest HP flub), you can only test the product through reverse engineering, fuzzing and brute force.

[justapeon]

"Anyone or anything can be touched." an old sicilian saying.

Having the source code does not mean much unless you compile it yourself. Drm is allegedly now in ubuntu, which is just as bad.

Edited December 16, 2010 by inventoman

[Infiltrator]

OMG, this fucking idiot is everywhere.