Welcome to European Tribune. It's gone a bit quiet around here these days, but it's still going.
melo:
what's to stop any gvt privately insisting that any encryption co. wants to survive as a legal business has to provide a back door to lawnforcement? seems such an obvious way to harvest the eebuldoers, after trapping their naive asses conveniently into a few traps.

Nothing, which is why you should not put your faith in proprietary code delivered by a company. Even if you do not code yourself, or even read code, it is safer to use free software (or open source) where the source code is available for anyone to tinker with. This way the odds are high that if there is a backdoor some programmer will discover it and holler about it and/or create a similar program without the backdoor.

The Freenet Project - /whatis

Freenet is free software

The Freenet Project - /developer

Source Code

We are using git as our source code management system, hosted on github. We have many different git repositories for the website, freenet itself (fred), official plugins, the two installers, libraries and so on; for the list, see our page on github.

We strongly recommend that you use the official command-line git client, or the Windows port. If you want to use the Eclipse git integration, see the tutorial here.

And free software is often developed without a company behind it, so the only line of pressure is on individuals.

Of course, there have been attempts to shoot down free software as such. Early drafts of IPRED2 included criminalising patent infringements, including jail terms. And since everything is covered by a patent, that would mean being able to throw free-coders in jail. But there are companies around free software, some government agencies prefer software without backdoors and so on, so thus far free software is alive.

Sweden's finest (and perhaps only) collaborative, leftist e-newspaper Synapze.se

by A swedish kind of death on Mon Dec 20th, 2010 at 04:23:26 AM EST
it is safer to use free software (or open source) where the source code is available for anyone to tinker with.

And make sure you compile it yourself and trust the compiler. See Ken Thompson's Turing Award lecture for why.

by gk (gk (gk quattro due due sette @gmail.com)) on Mon Dec 20th, 2010 at 04:30:07 AM EST
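The "trust the compiler" remark above refers to Ken Thompson's "Reflections on Trusting Trust": a compiler binary can behave differently from its own source, and recompiling the compiler from clean source with that same binary does not remove the difference. The standard countermeasure is David A. Wheeler's diverse double-compiling (DDC): build the compiler's source with an independent, trusted compiler, rebuild with the result, and compare that against what the untrusted binary produces when it builds its own source. The following is an added example, not code from this thread or from any project named in it; the toy compiler, its `MAGIC=` source format, the `trusted_compiler`, `honest_build` and `tampered_build` functions and the `\x00EXTRA` marker are all constructed for illustration.

```python
"""Diverse double-compiling (DDC), modelled on a toy compiler.

Constructed illustration of the "compile it yourself and trust the compiler"
point. Thompson's attack is a compiler binary that behaves differently from
its own source; David A. Wheeler's DDC catches that by rebuilding the compiler
through an independent, trusted compiler T and comparing the results:

    stage1 = T(S_A)             build A's source S_A with the trusted compiler
    stage2 = stage1(S_A)        rebuild S_A with the stage-1 result
    compare stage2 with A(S_A)  the untrusted binary building its own source

A faithful A reproduces stage2 bit for bit; a compiler that smuggles extra
bytes into its output cannot, because the trusted chain never emits them.
The toy "compiler", its source format and the tampered build below are all
made up for this example; no real toolchain is modelled.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable

Compiler = Callable[[str], bytes]  # a compiler maps source text to a binary

# Toy compiler source: the single directive "MAGIC=<tag>". A compiler built
# from it emits "<tag>:" as a header followed by the program text verbatim.
COMPILER_SOURCE = "MAGIC=toycc1"


def run_binary(binary: bytes) -> Compiler:
    """'Execute' a compiler binary: its behaviour comes from the program text
    embedded in it, not from whichever compiler produced it (as in reality)."""
    _header, _, program = binary.partition(b":")
    text = program.decode()
    if not text.startswith("MAGIC="):
        raise ValueError("binary is not a toy compiler")
    tag = text[len("MAGIC="):].strip().encode()

    def compiled_compiler(src: str) -> bytes:
        return tag + b":" + src.encode()

    return compiled_compiler


def trusted_compiler(src: str) -> bytes:
    """T: an independent compiler of different lineage (here: a distinct
    header). It need not emit the same bytes as A, only a correct build."""
    return b"T:" + src.encode()


def honest_build(src: str) -> bytes:
    """An untrusted A that is a faithful build of COMPILER_SOURCE."""
    return b"toycc1:" + src.encode()


def tampered_build(src: str) -> bytes:
    """An untrusted A whose output carries bytes its source never mentions
    (constructed marker standing in for any source-invisible payload)."""
    return b"toycc1:" + src.encode() + b"\x00EXTRA"


def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class DdcResult:
    matches: bool
    stage2_sha256: str
    candidate_sha256: str


def ddc_check(trusted: Compiler, untrusted: Compiler, compiler_source: str) -> DdcResult:
    """Run the three DDC steps; the verdict is a bit-for-bit comparison,
    the hashes are there for logging and for comparing across machines."""
    stage1 = run_binary(trusted(compiler_source))  # trusted compiler builds S_A
    stage2 = stage1(compiler_source)               # stage-1 result rebuilds S_A
    candidate = untrusted(compiler_source)         # the binary we want to vet
    return DdcResult(
        matches=stage2 == candidate,
        stage2_sha256=sha256hex(stage2),
        candidate_sha256=sha256hex(candidate),
    )


if __name__ == "__main__":
    for name, build in (("honest", honest_build), ("tampered", tampered_build)):
        r = ddc_check(trusted_compiler, build, COMPILER_SOURCE)
        verdict = "OK" if r.matches else "MISMATCH"
        print(f"{name:8s} {verdict}  stage2={r.stage2_sha256[:16]}"
              f" candidate={r.candidate_sha256[:16]}")
```

Two caveats carry over to real toolchains: the check only works if builds are deterministic (embedded timestamps or paths will produce a mismatch that has nothing to do with tampering), and the trusted compiler must genuinely be of independent lineage; if T and A both descend from the same binary, their agreement proves nothing.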
by njh on Tue Dec 21st, 2010 at 12:04:50 AM EST
Well, yes, malicious code can be planted in open source too (though as some commentators on that list have stated, it would be as easy to just pose as a developer and try to hide backdoors when submitting new code). But open source is better at handling it.

May Contain Traces of Bolts: OpenBSD IPSec backdoor allegations: triple $100 bounty

In case you hadn't heard: Gregory Perry alleges that the FBI paid OpenBSD contributors to insert backdoors into OpenBSD's IPSec stack, with his (Perry's) knowledge and collaboration.

If that were true, it would also be a concern for FreeBSD, since some of our IPSec code comes from OpenBSD.

I'm having a hard time swallowing this story, though. In fact, I think it's preposterous. Rather than go into further detail, I'll refer you to Jason Dixon's summary, which links to other opinions, and add only one additional objection: if this were true, there would be no "recently expired NDA"; it would be a matter of national security.

I'll put my money where my mouth is, and post a triple bounty:

  1. I pledge USD 100 to the first person to present convincing evidence showing:

    • that the OpenBSD Crypto Framework contains vulnerabilities which can be exploited by an eavesdropper to recover plaintext from an IPSec stream,
    • that these vulnerabilities can be traced directly to code submitted by Jason Wright and / or other developers linked to Perry, and
    • that the nature of these vulnerabilities is such that there is reason to suspect, independently of Perry's allegations, that they were inserted intentionally--for instance, if the surrounding code is unnecessarily awkward or obfuscated and the obvious and straightforward alternative would either not be vulnerable or be immediately recognizable as vulnerable.
  2. I pledge an additional USD 100 to the first person to present convincing evidence showing that the same vulnerability exists in FreeBSD.

  3. Finally, I pledge USD 100 to the first person to present convincing evidence showing that a government agency successfully planted a backdoor in a security-critical portion of the Linux kernel.

Checking the comments there, there are some organisations and persons matching the bounty. So the programmer that finds such a backdoor (if it exists) gets some money and more importantly fame.

The reaction when actual backdoors are found in commercial code is often to scream bloody murder in the press, accuse the one who found it of hacking their safe system, and so on.

Sweden's finest (and perhaps only) collaborative, leftist e-newspaper Synapze.se

by A swedish kind of death on Tue Dec 21st, 2010 at 03:41:42 AM EST
Uh-huh. The guy is able to speak now because his NDA on NSA black ops expired. WTF?
by Colman (colman at eurotrib.com) on Tue Dec 21st, 2010 at 03:54:19 AM EST
My NDA with the FBI has recently expired, and I wanted to make you
aware of the fact that the FBI implemented a number of backdoors and
side channel key leaking mechanisms into the OCF, for the express
purpose of monitoring the site to site VPN encryption system
implemented by EOUSA, the parent organization to the FBI.  Jason
Wright and several other developers were responsible for those
backdoors, and you would be well advised to review any and all code
commits by Wright as well as the other developers he worked with
originating from NETSEC.

Seriously?

by Colman (colman at eurotrib.com) on Tue Dec 21st, 2010 at 03:55:06 AM EST
Uh, I thought they used to give people security clearances, not NDAs...

Some guy at the FBI must have an MBA...

Of all the ways of organizing banking, the worst is the one we have today — Mervyn King, 25 October 2010

by Migeru (migeru at eurotrib dot com) on Tue Dec 21st, 2010 at 03:58:47 AM EST
Jason Wright denies it on the same list (about 10 posts "next"), but lists his contributions to make it easier to check for those thus inclined.

Sweden's finest (and perhaps only) collaborative, leftist e-newspaper Synapze.se
by A swedish kind of death on Tue Dec 21st, 2010 at 04:03:26 AM EST