What can the OpenBSD IPsec backdoor allegations teach us?

Recent allegations that the FBI slipped some backdoors into OpenBSD encryption software raise an important question about government involvement in security.

On 14 December 2010, Theo de Raadt disclosed some worrisome news to the openbsd-tech mailing list:

I have received a mail regarding the early development of the OpenBSD IPSEC stack. It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into our network stack, in particular the IPSEC stack. Around 2000-2001.

The implications of this are shocking. OpenBSD has been widely regarded as one of the most secure operating systems in the world for years, in large part because the stated raison d'être of the project is security. The approach the OpenBSD project takes revolves around a number of identifiable policies, some more official than others, including:

  1. extensive code review to eliminate the biggest source of security problems -- vulnerabilities in software implementations
  2. simplicity of design
  3. skepticism when people try to push security snake oil and theater
  4. distrust of closed source, which can be used to hide security issues, and greater trust for open source software open to verification
  5. secure configuration by default

Practicing this set of policies has proven largely effective over the years, and there is an air of benevolent fanaticism within the OpenBSD project over adherence to principles of good, transparent security. This is why the news OpenBSD project leader Theo de Raadt relayed to the openbsd-tech list is so troubling and surprising. Perhaps further revelations will provide enough detail about the specific problems -- assuming they actually exist -- for us to get a better picture of why they remained undiscovered for so long.

A quick, off-the-cuff assessment suggests these allegations of backdoors in OpenBSD IPsec code are quite possibly truthful. The form of the announcement lends it an air of plausibility, so for the time being it is reasonable to treat the matter as a real vulnerability in OpenBSD security. Former NETSEC CTO Gregory Perry's email to Theo de Raadt says:

My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI. Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC.
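Perry's closing advice, to review every commit by named developers, is a targeted commit audit. As an added illustration (not code from the article, from Perry, or from the OpenBSD project), the following Python script shows how a reviewer would triage such a history: it parses a constructed commit log, keeps the commits by the named authors inside the 2000-2001 window that touch the subsystems of interest, and then lists every other commit that touched the same files. Author names, commit ids and file paths are constructed placeholders, not OpenBSD's actual history.

```python
"""Commit-audit triage for a suspected contributor.

Added illustration, not code from the article or the OpenBSD project.
It takes a commit history in a simple constructed layout (commit id,
author, date, indented subject, then the paths touched) and selects the
commits a reviewer should read first: those by the named authors, inside
a date window, touching the subsystems of interest. It then lists every
other commit that touched the same files, because a change that looks
benign on its own can be completed or obscured by follow-up commits.
Authors, ids and paths below are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample history; not OpenBSD's real log.
SAMPLE_LOG = """\
commit c0000001
author jw.example
date 1999-11-20

    netinet: initial SA table (constructed)

sys/netinet/ipsec_sa_example.c

commit c0000002
author jw.example
date 2000-06-14

    netinet: rework SA lookup (constructed)

sys/netinet/ipsec_sa_example.c
sys/netinet/ipsec_sa_example.h

commit c0000003
author maintainer.example
date 2000-06-15

    man: fix typo (constructed)

share/man/man4/ipsec_example.4

commit c0000004
author jw.example
date 2001-03-02

    crypto: add padding helper (constructed)

sys/crypto/cryptodev_example.c

commit c0000005
author other.example
date 2002-09-09

    netinet: tidy SA lookup (constructed)

sys/netinet/ipsec_sa_example.c
"""


@dataclass
class Commit:
    sha: str
    author: str = ""
    when: date = date.min
    subject: str = ""
    paths: list = field(default_factory=list)


def parse_log(text):
    """Parse the constructed log layout into Commit records, in log order."""
    commits = []
    cur = None
    for line in text.splitlines():
        if line.startswith("commit "):
            cur = Commit(sha=line.split(None, 1)[1])
            commits.append(cur)
        elif line.startswith("author "):
            cur.author = line[len("author "):]
        elif line.startswith("date "):
            cur.when = date.fromisoformat(line[len("date "):])
        elif line.startswith("    "):
            if not cur.subject:          # first indented line is the subject
                cur.subject = line.strip()
        elif line.strip():               # any other non-blank line is a path
            cur.paths.append(line.strip())
    return commits


def audit(commits, suspects, start, end, subsystems):
    """Return (primary, related) as lists of commit ids.

    primary: commits by a suspect author, dated within [start, end], that
             touch a path under one of the subsystem prefixes.
    related: every other commit that touches a file a primary commit touched,
             regardless of author or date, so the reviewer reads the whole
             history of those files rather than one author's slice of it.
    """
    primary = [
        c for c in commits
        if c.author in suspects
        and start <= c.when <= end
        and any(p.startswith(s) for p in c.paths for s in subsystems)
    ]
    primary_ids = {c.sha for c in primary}
    touched = {p for c in primary for p in c.paths}
    related = [
        c for c in commits
        if c.sha not in primary_ids and touched.intersection(c.paths)
    ]
    return [c.sha for c in primary], [c.sha for c in related]


def run_sample():
    """Apply the triage to the constructed history with a 2000-2001 window."""
    return audit(
        parse_log(SAMPLE_LOG),
        suspects={"jw.example"},
        start=date(2000, 1, 1),
        end=date(2001, 12, 31),
        subsystems=("sys/netinet/", "sys/crypto/"),
    )


if __name__ == "__main__":
    primary, related = run_sample()
    print("read first:", primary)
    print("same files, other commits:", related)
```

The second list matters because Perry's claim concerns the developers Wright "worked with" as much as Wright himself: the unit a reviewer has to read is a file's full history, not one author's commits in isolation. On a real repository the same selection can start from `git log --author` output, or from per-file `cvs log` output for a CVS tree such as OpenBSD's, but the selection logic does not change.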

Some will surely use this to make arguments against OpenBSD as a secure OS. Others will surely construct spurious arguments against the security benefits of open source software. The fact of the matter, however, is that this bolsters the argument for the security benefits of open source software, rather than undercutting it -- because the security benefits of open source software are based in large part on transparency, and we now have the benefit of knowing about the problem where a closed source software vendor would more likely have hushed it up, and perhaps even been in on the thing from the beginning. Ultimately, however, this situation should be taken as a source of lessons we can learn about securing our software, regardless of any holy wars over the security benefits of open source models of software development.

  1. Do not trust government involvement in development of secure software. Whether the software is open source or closed, the governmental motivation remains the same: monitoring the activities and secrets of members of the public. Whether you believe their intentions are good (protecting us from terrorists) or corrupt (cracking down on peaceful dissidents), the result is that government is strongly motivated to violate individual privacy -- which means compromising security technologies.
  2. Prefer simple systems over complex systems. The more complex the system, the easier it is to hide problems in plain sight, whether those problems are hidden there by accident or by malicious intent. If these problems exist, the relative complexity of IPsec implementations in general surely contributed to the continuing obscurity of the backdoor code in the system.
  3. Actively seek peer review. While opening the source is necessary to maximizing the long term security of your software, it is not sufficient on its own to doing so. Look for opportunities to entice people to review the system for potential problems, test it extensively, and contribute to a greater understanding of the potential problem areas. The greater your reputation for security and transparency, the more assiduously you should seek peer review. Ironically, it is possible that OpenBSD's reputation for security has actually encouraged relative indolence amongst those who might otherwise have tried to find security issues in its associated software.
  4. Use the simplest solution that will do what you need. This is the kind of policy that results in OpenBSD default installs having as many capabilities turned off as possible. It is also the kind of policy that prompts people to ensure that any GUI software is deactivated or entirely absent from server systems. What many people do not take into consideration along these lines is that sometimes they should just use simpler software. If all you need is an SSH proxy to protect your TechRepublic logins while using your laptop in a coffee shop, use an SSH proxy, and not an IPsec VPN.
  5. While there are definite security benefits to open source software development, the Unix operating system architecture, and the OpenBSD project's approach to ensuring software security, taking any of this as a practical guarantee is foolish. Software security is no place for blind faith, and there is no "most secure" OS for all purposes.

It would be a bad idea to leap to the conclusion that this means OpenBSD cannot be trusted more than many other OSes for a lot of deployments. It is still the first choice for building a firewall, for many security experts, using OpenBSD's PF. It is certainly a good idea to stop using the default IPsec stack in OpenBSD systems for the moment, though.

At least one positive outcome of this event is likely: in the future, OpenBSD attention to security reviews of source code will probably be even more rigorous than before.

On a more personal note, Perry's email to Theo de Raadt implicates a technology writer in the conspiratorial FBI activities he alleges:

This is also why several inside FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments, for example Scott Lowe is a well respected author in virtualization circles who also happens to be on the FBI payroll, and who has also recently published several tutorials for the use of OpenBSD VMs in enterprise VMware vSphere deployments.

The specific "Scott Lowe" to which he refers is uncertain. There are at least two such individuals -- both of whom deny such claims -- who might write about virtualization, among other topics. I have met TechRepublic's own Scott Lowe, and am inclined to believe he has not engaged in the activities Perry alleges, though of course I do not know him well enough to vouch for him personally. The fact that his writing focuses on Microsoft technologies, and to my knowledge, he has never written in favor of OpenBSD as the platform for VPN infrastructure, certainly suggests that he should not be regarded as part of the problem in this case.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

81 comments
saghaulor

What Chad is trying to point out is that one breach in the FLOSS security model does not constitute all-out failure of the FLOSS security model. One instance of insecurity doesn't necessitate that the entire code base is riddled with security holes. It is a possibility, but it is not guaranteed. It may be the case that these backdoors were pushed through, and unnoticed. And it's perfectly plausible to have them go undiscovered for such a long period. If the code was signed off as good, then why revisit old code? If the review process was also compromised, and no-one had any idea, it may very well be the case that no-one had the inclination to review it because they assumed it was satisfactory. Chad was merely making a logical point, that the logic of your statements was faulty. However, it may be the case that your conclusion nonetheless is true. The jury is still out on the truth of your conclusion, namely, that the FLOSS security model is entirely flawed, and consequently FLOSS code cannot be trusted. I'm sure the BSD community will coordinate their efforts and review the entire code base. And please everyone, I know you feel strongly about these things, but let's keep our heads on and not sling insults like children.

ivank2139

Has anyone questioned MS along the same lines? I was led to believe the Chinese have the source to Windows for exactly this same reason, to install backdoors and to investigate any existing backdoors. Does anyone suspect Windows source to include anything similar? What other OS's might be subject to the same security issues?

Bobarino

audited the code in the last 9 years. And it's a safe bet they're auditing the entire stack now. It will be interesting to see what they turn up. The subsequent discussion on that OpenBSD list was a great read. I'll definitely be checking that list again.

ScarF

But now, I am not certain of anything. Using OpenBSD's PF instead of IPSec? Who can guarantee that there aren't backdoors, too? And, what makes us believe that only the governments can slip some backdoors into the OSS code? Why not criminal organizations? There are some extremely skilled guys paid by them - see the botnets as an example. And, btw, how the heck did these backdoors go unnoticed by everyone checking the code, for almost TEN years? This story either is a big BS and a new hit targeting the OSS community - there are many groups of interest for this - or it is so troublesome that I no longer see a difference between the OSS and closed source regarding the security. Again, should this story be true, any argument that OSS is secure fails. The reason? How many of us did actually check the codes? How many of us have the ability to actually understand what the actions of the code are? How many people on the planet can do this? How many of them are trustworthy enough for checking everything for us? What is their level of corruptibility? Probably, in the end, this is a proof that Zuckerberg is right with his lack of interest for privacy and security. In the human society - governed by paranoid and corrupted idiots - there isn't any such thing.

santeewelding

With secrets in the first place. The rest, to use an expression of yours, is hand-waving. Exercise and teach what you will.

dina04

I know--MS is constantly trying to plug its holes. But this is different. More simplicity--not less--can add transparency. Beware the technospies trying to get your trade secrets...they can be coming from anywhere. Of course our gov can access everything--who doesn't believe that after 911? But are the rogues in cahoots???

ScarF

What I was merely saying is that this issue should raise a signal to the entire OSS community that unwanted code may be inserted. For disabling this, there may be a need for revisiting the FLOSS model. I am not the one to decide this. Extrapolating this to the max and concluding that it is my belief that the entire OSS is insecure or flawed, is just an undeserved exaggeration. I am an OSS user, I had my own contributions to the OSS, and definitely I don't consider myself an adversary of the OSS. But, I am an atheist. I just raised a concern regarding the FLOSS security model. It is my belief that things can always be improved, and I dislike the self-sufficiency. However, regarding this issue I still give more than 70% chances for the entire story to be just another attack against the OSS. I regret the flame, as much as I regret that some persons felt attacked by my comments. I also regret putting myself in such a position. I will think twice before posting anything else in Techrepublic forums. Otherwise, anyone can interpret words however he likes trying to find hidden meanings. But, I stop here. This is my last comment on this matter.

apotheon

That was clear and balanced, and presented what I have said half a dozen different ways with yet another clear presentation. I suspect it will fall on deaf ears. Without revisiting what I have said in detail, I don't think I've slung any insults at ScarF unless you think calling him a troll was insulting -- and that is certainly a valid interpretation of the statement. I can't quite bring myself to feel sorry for saying so, though.

robo_dev

Two points: 1) The EOUSA is not in charge of the FBI. 2) An NDA with the FBI would not 'expire'. First of all he states that the EOUSA is the parent organization of the FBI...but it is not. This makes me believe that this whole email is a hoax, or the author is having some mental issues. The strength or weakness of encryption puts life in danger. The assertion that the NDA with the FBI 'expired' is pure fantasy. If you have an agreement with a Federal agency regarding something vital to national security, it's not going to expire. Hello Walter Mitty, your therapist is here.... "for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI." The EOUSA is the group of US prosecutors...similar to state Attorneys General, that's part of the DOJ. If you want to do the mundane task of monitoring someone's VPN, does it really make sense to re-create the whole protocol so you can do easier key breaking? That's like infiltrating a lock maker to change the design to make locks easier to pick, just so you can break into one target more easily...total nonsense. They're the FBI...they send a guy with some lockpicks and they've got the keys in ten minutes. Or they swap in a compromised VPN concentrator which captures all the data BEFORE it gets encrypted...much simpler. Getting physical access to the device is much simpler and cheaper than five weeks of brute-force computing time spent cracking DES keys. Plus, even if you hacked the site-to-site encryption keys, what can you do with that? VPN devices are port-to-port devices...there is no exposed host. Even if you start pulling traffic off in some basement room at the local phone POP office, it's illogical and impractical to capture, store, process, and decrypt terabytes of data...all for what purpose? These US Attorneys work for the same organization. Since the FBI is part of the DOJ, they could simply ASK for the keys or discover them internally if they had a valid reason to need them.

valduboisvert

..since MS-DOS they always added "hidden" features in their code. I am not saying that Windows 7 has backdoors now. But judging by MS history they seem very likely to implement one or other similar "hidden" features. With or without the whole OpenBSD IPsec backdoor allegation, when security is a concern we are all much better off with OpenBSD than any other OS out there.

dayen

Windows is said to have a backdoor requested by the NSA. Hackers claim to be running a copy of XP with the backdoor removed.

SgtPappy

all OS's have security flaws at one time or another.

apotheon

> Again, should this story be true, any argument that OSS is secure fails.

I take it you only read half the article.

interpoI

"only the governments can slip some backdoors into the OSS code? Why not criminal organizations?" ^ ^ ^ ^ ^ ^ ^ They are one and the same my friend.

mira_pl

...how is it possible that so many users seem to have missed the existence of that backdoor? I can understand it's possible if you only use the system but what about sysadmins? Was it so well hidden?

apotheon

> Extrapolating this to the max and concluding that it is my belief that the entire OSS is insecure or flawed, is just an undeserved exaggeration.

It's what you said. That's no exaggeration. When I (repeatedly) tried to point out that a statement to that effect is not actually reasonable, you even argued in favor of it! Now, you pretend it's not what you said. What nonsense.

> I will think twice before posting anything else in Techrepublic forums.

Try thinking twice before posting anything categorical here without first checking to see whether it's at all reasonable. There's a big difference between, on one hand, equating 98% with 0%, and on the other hand, asking questions about whether it's actually 98%. Reasonable questions will generally be treated as reasonable questions; categorical statements that are patently ridiculous, on the other hand, are more likely to be treated as if they are ridiculous.

AnsuGisalas

"Make your contribution such as it is required, at the stage at which it occurs, by the accepted purpose or direction of the talk exchange in which you are engaged." That was Grice. Grice has things to make you a better soldier for your cause. Specifically, you must get over your fixation with the bare words. We all use metatext. We all rely on the kindness of strangers - or rather, the effort of our audience to understand what we mean.

dina04

unless they examine all the data. Called "FISHING." Hence they have to get it. Physical access too time-consuming and risky. You are assuming they have someone in their sights. This is normally not the case. They have to process tons of information from innocents to find one guilty--like the needle in the haystack. You tell me--How would YOU find him if you don't know where he is??? And, of course, this must be done without chance of discovery, without risking exposure (publicity might be created) and everything getting shut down. And since we are here on forum this venue may be used to steer everyone in the wrong direction. Just to let you know...

SkyNET32

*sigh*. Ok, if you want to laugh. I decided after some careful research, to see what everyone was talking about with the BSD flavors of OS's that I thought, let me try it, and when I heard that folks thought OpenBSD was very secure, I wanted to try it. It took me a bit of reading, but just the other day I decided to give it a go and try to install it, for the first time, and I didn't even think it would work, or I must've done something wrong (I have NO unix skills, and very limited knowledge of DOS, or CLI commands) but I was able to get an old machine to install OpenBSD. Now what...... :D I have no idea what to do next. Heh, My wife saw it and said "What the hell is that crap?" , "where's the browser?" LOL And then the story about the FBI and OpenBSD came out and I was like "oh, bother". A friend of mine more versed in unix/linux os's told me that OpenBSD is a hard system to learn, there's practically no gui for it, and it's mostly for servers, not for desktop use per se, but I wanted to see if I could use it darn it! :D I've used Ubuntu a lot (feeling proud that 'oh look at me I'm secure!') but now after reading Mr. Perrin's older article that its default install config is NOT the best security practice, never mind me trying to figure out what was it, OpenVMS? Jeez, I think I should take a class. :(

ScarF

I read it in its whole entirety. But, I really like how some jump accusing others that they haven't read the entire article. Chad's argument that there will be guys - like me, maybe - bashing the OSS security, and all the subsequent discourse, don't hold water if this story is true. My argument - 9 years of code audit without anyone seeing these exploits - is quite simple and straightforward. But, I doubt that the story is true as much as I doubt that the above mentioned argument is valid. I honestly disbelieve the whole story and I consider it to be just another FUD targeting OSS. Plus, I trust the security paranoid community around OpenBSD. But, for more information this is the original thread http://marc.info/?l=openbsd-security-announce&m=129237531405260&w=2 Please, read all the posts (they are 55 now). It is very instructive. The rest is just mass-media hype. The only problem I have is with Greg Perry. What the heck made him send that message to Theo, first of all? Or, as Seneca said through Medea's mouth: 'Cui prodest scelus, is fecit.' and I don't see Greg's benefit in doing this. But, again, read the entire thread linked above - should you not have done so already.

dayen

Why should criminals work on it when the government will sell them the info or program? Never trust government; they are evil by default and must be watched. Did they do it? I don't know. I guess I should have been looking. I found backdoor code at GM years ago and they didn't listen, and they went broke. I hope someone is listening now.

ScarF

And, Julian Assange's recent problems tell the story better than anything else.

Ed.Pilling

When you check the history of some government agencies and how they treated people they didn't like. Yes our entire lives have to be an open book to them but they operate in a cloud of secrecy with no accountability.

AnsuGisalas

if it's true. But sysadmins aren't by default going through the sourcecode, now are they? A backdoor is not "findable" in the function of the program, unless it's buggy. It's not an easter-egg type, where you can click somewhere on the GUI to bypass a password...

seanferd

I take the intent to be, "Here is a Scott Lowe who talks about OpenBSD & VMWare." I suppose you could take this as evidence that one such person fitting some of these criteria exists.

apotheon

My thought on the matter is that you should use whatever OS simultaneously:

  1. makes you comfortable and lets you achieve what you want
  2. encourages you to learn and to improve your computing environment in new and interesting ways

If OpenBSD is a bit much for you, try something else. If you find you're excited to learn new things and not put off too much by how differences in the system from what is more familiar to you introduce challenges into your entire computing experience, then I think you're on the right track. When choosing a new OS and using security concerns as part of your set of criteria, make sure you have some understanding why that switch in OS is supposed to improve security. If the explanation makes sense to you, you're more likely to make a good choice and use the system effectively than if you just heard something is supposed to be secure and used it based on what someone else said without any understanding.

SkyNET32

Yayz! All for me! But do you guys think it's robust/secure enough? Probably not up there with OpenBSD but still. Should be fun for me to play with. :D Happy Holidays!!

dayen

Thank you for the link. Guess I am going to have to read code again. I'm getting old, but I've got to know. I'll let you know if I find anything. Let's hope I still got it.

apotheon

santeewelding: If you don't understand my words, all I can think to say is "get a dictionary".

ScarF:

> You consider your little article the ultimate commentary on this problem

No, I don't. That's absurd.

> you refuse to make the minimal effort to understand others' points of view.

Once I am done understanding your words, there's nothing more to try to understand -- because your words are all you have given me. I'm not telepathic. If you have something to say that has not been said with your words, it's time to say it with words.

> I stand my opinion

I know -- and that complete failing of simple logic is what boggles my mind in what you have said over and over again. If I were to take the same approach to "understanding" things, and found out you had wet your bed when you were two years old, I would then have to assume that any claims you might make that you don't wet your bed as an adult are "nullified" (to use your word). Since most people wet their beds at some point during the early potty training process, it's probably safe to assume you wet your bed at least once in your young life -- so I'll just declare that you're a bed-wetter, because having wet the bed once means that any arguments that you've been better potty-trained than that are "nullified". . . . or maybe I could actually apply a little logic to my analysis of the matter, and recognize that the above argument about bed-wetting is BS, just like yours about open source software development.

> As we speak, I have five OpenBSD routers connecting my company's branches. I am a security paranoid and I selected OpenBSD for this exact reason - they are also security paranoids.

Based on your arguments against OpenBSD security now, I suspect your reasons for selecting OpenBSD then were based more on facile acceptance of something someone once said to you than on any actual understanding of security. That being the case, it's just pure blind luck that you ended up with an OS that, overall, is probably one of the most secure in the world. By the same token, it looks like it will be pure accident that will lead you to abandon it in favor of something less secure in the long run. Good luck with that.

> If I cannot trust OpenBSD anymore, then I cannot trust any other OS -

You should be employing a well-reasoned risk analysis, not blind faith, to motivate your technology selections. Your use of the word "trust" indicates that blind faith is your choice, though -- and now that you're losing faith, you are inclined to disbelieve everything (not just show some healthy skepticism, but actively disbelieve), which is just as bad as trusting blindly.

> Without any relation to the presented problem, you implied earlier that Microsoft includes backdoors in its code, at the request of third party organizations.

No, I didn't. I stated that it was more likely MS Windows had such backdoors than major open source OSes. There's a big difference between talking about probability and actuality, but then, you've already demonstrated that you do not understand that difference.

> You also let people believe that these backdoors are not a specific development for a specific customer, but for enabling one organization to access other organizations' systems.

What are you talking about?

> I will forward this thread to Microsoft to find their opinion about these allegations.

Good luck with that. I'm sure they'll laugh at:

  1. you, for so terribly misunderstanding everything
  2. the open source community, for having to deal with people like you, self-proclaimed advocates who are willing to turn on their blind faith with viciousness based on evidence that proves something completely different from what they believe it proves

ScarF

You consider your little article the ultimate commentary on this problem, and you refuse to make the minimal effort to understand others' points of view. Too bad for you, and too bad for Techrepublic's quality. I stand my opinion: If Greg Perry's allegations are real, then anyone is able to insert backdoors into the OSS code without being detected - 10 years in the case of OpenBSD. This nullifies all the claims for security and reliability of the OSS based on the code transparency. This actually means that there is no one checking the code, or able to understand every action of the code, or with enough time to do this. This may be even more dangerous since organizations like NSA don't even need to pressure a SW company to do this. They simply can hire some good programmers to contribute code to the OSS. As we speak, I have five OpenBSD routers connecting my company's branches. I am a security paranoid and I selected OpenBSD for this exact reason - they are also security paranoids. If I cannot trust OpenBSD anymore, then I cannot trust any other OS - OSS or non-OSS (and, btw, as Canadian I am extremely proud of OpenBSD as well as any other Canadian SW or HW product). The rest of your bumbling about the superiority of the OSS doesn't interest me at all. I continue my waiting for OpenBSD's conclusions. I am still thankful to you for publishing this news which I wasn't aware of. And, a final thought coming from the frustration you provoked with your style of communication. Without any relation to the presented problem, you implied earlier that Microsoft includes backdoors in its code, at the request of third party organizations. You also let people believe that these backdoors are not a specific development for a specific customer, but for enabling one organization to access other organizations' systems. Please, detail this with proofs. I will forward this thread to Microsoft to find their opinion about these allegations. What I know for now, is the following: http://www.computerworld.com/s/article/9141182/Microsoft_denies_it_built_backdoor_in_Windows_7

santeewelding

What the hell does "universal" do modifying "systemic"? You are caught up in your keyboard.

santeewelding

Check it out: my keyboard is heavier in caliber than yours is light. Let's get into what the hell you mean by, "really". I don't think you have any idea of what you broach. Correction: you don't. You are a mouse gun.

apotheon

I had no idea you were so dumb, santeewelding. How could you have missed the logical void at the center of ScarF's statement that a single instance proves a universal systemic failure?

santeewelding

If anything, it was your last that reeks of herring.

apotheon

> Now I understand your hysteria.

Now I understand that you're more of a troll than an honest contributor to discussion. The rest of your commentary here is (ironically) hysterical conspiracy theory without a shred of evidence, logical fallacy, and wildly slung insults. I'm not going to entertain it any further.

ScarF

Now I understand your hysteria. First, I don't see this a single mistake. I see it as the disclosed mistake, result of the paid effort by one subversive(?) organization to implement mechanisms in an OSS OS for rendering its security useless. The following questions raise - just to clarify, I am concerned about OSS security only since I have no doubts that closed code has many-many-many backdoors:

- how many such efforts are not yet known?
- how many OSS projects are affected by these kind of backdoors?
- if these allegations are true, why did the code being open fail to allow others to discover the backdoor in such a critical segment of the code all these years (Greg Perry quit NETSEC in 2000)?

Finally, are you really willing to discuss all the implications, or you only prefer to hear yourself talking (which reminds me of another exponent of the OSS priesthood inside Techrepublic's team). Now, back to the context of allegations being real: What I am saying - while you don't understand - is that the system failed to protect itself. The OSS projects have the sources public for everyone to see them, and no one found the backdoors. Why? This has to be addressed and corrected if the OSS community plans to continue its claims regarding the security and reliability. At a personal level I am highly concerned about this entire story around OpenBSD since I have a number of OpenBSD routers in my organization, for which I am personally responsible. Sorry, I have to leave now. We may continue tomorrow.

apotheon

Weird, how you say you read my whole article (I'm Chad) without noticing that it points out that a single mistake is not proof of a systematic failure of the model. I guess maybe that's too abstract for you to grasp, though.

AnsuGisalas

I was just musing on directional camouflage, and how to foil it. Thinking of, how to look at something differently to have the unexpected stand out. I guess the first option you mentioned would be the closest, of course, I have no idea if it'd make finding bad things easier... Maybe what's needed is simply a "code insert detection 101" course... after all, seeing lots of examples of real back doors would let a code inquisitor construct an intuition for them.

apotheon

Pretty much the best you could do, at this point, is one of three things:

  1. something like rdoc, which gives you an organized listing of methods and modules, and provides auto-formatting of documentation from comments
  2. something that produces a very verbose, point-by-point explanation of what every token in your source code does, providing a word-count that's probably two orders of magnitude greater than the token-count of your code, and doesn't really help anyone better understand what the code is doing
  3. learn to read source code

What you describe is, in fact, basically what source code is: a higher-level, succinct, understandable representation of the less human-readable machine language.

AnsuGisalas

no way to reorganize instructions into a more obvious format? Like the stealth of an F-117 Nighthawk works best if the radar receiver is close to the radar emitter, a reorganization of the instructions might help?

Sterling chip Camden

If the IPs to which the data was sent were owned by fbi.gov or nsa.gov. Those boys usually know how to cover their tracks pretty well.

AnsuGisalas

It would be like an interpreter of sorts, reads instructions (code or binaries) and writes a documentation-style description of what it does. It'd have to follow the threads of instructions, so that instructions that connect are described together... Would it be possible to make such a program so that it could conceivably help check what a program does? It would be immensely useful for checking small apps for all sorts of platforms, so that could be used to fund its development from being useful on a small scale (phone apps) to a very large scale (kernels)...

AnsuGisalas

that the Feds were using the BD frequently and for long spans of time. Having a tool like that, you don't use it for casual eavesdropping. You use it when it lets you achieve something very specific. The odds of finding it by way of its activity are proportional to the amount of activity. Even if everything goes to logs, finding evidence in the logs is tough, with the volume of traffic to consider.

apotheon

Are you asking whether someone would have noticed "strange" network traffic, analyzed it, and discovered that it is somehow related to the IPsec VPN? It's possible that someone might have noticed it that way; it is also possible that nobody would have noticed it that way. Hard to say. There are too many variables involved.
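The question running through this sub-thread is whether a backdoor that leaked keys or data over the network would have been visible in traffic at all. As an added example, not code from any of the commenters or from OpenBSD, here is a Python check of the kind a sysadmin could run over a gateway's flow records. A site-to-site IPsec gateway has a short list of legitimate peers (its configured tunnel endpoints and the management network), so any flow the gateway itself originates toward another address is unexpected, and a series of small, evenly spaced flows to one unknown address is the pattern worth escalating first. The flow lines, addresses and allow list are constructed.

```python
"""Egress check for a site-to-site VPN gateway.

Added illustration, not code from the comment thread or from OpenBSD.
A gateway whose only job is to terminate an IPsec tunnel has a small,
known set of peers, so any flow it originates toward an address outside
that set deserves a look, and a run of small flows to the same unknown
address at a regular interval deserves an immediate one. The flow lines,
addresses and peer list below are constructed.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# The gateway's own address, its configured tunnel peer and the management
# network (all constructed). An IPsec configuration already names every
# peer the gateway should talk to, which is what makes an allow list viable.
GATEWAY = ipaddress.ip_address("192.0.2.1")
ALLOWED = [
    ipaddress.ip_network("198.51.100.7/32"),   # configured tunnel peer
    ipaddress.ip_network("10.0.0.0/8"),        # management / syslog network
]

# Constructed flow records: time src dst proto dport bytes
FLOWS = """\
2010-12-15T10:00:00 192.0.2.1 198.51.100.7 udp 500 1200
2010-12-15T10:00:01 192.0.2.1 198.51.100.7 esp 0 48000
2010-12-15T10:00:05 192.0.2.1 10.0.0.25 udp 514 300
2010-12-15T10:01:00 192.0.2.1 203.0.113.9 udp 53 96
2010-12-15T10:02:00 192.0.2.1 203.0.113.9 udp 53 96
2010-12-15T10:03:00 192.0.2.1 203.0.113.9 udp 53 96
2010-12-15T10:04:00 192.0.2.1 203.0.113.9 udp 53 96
2010-12-15T10:05:30 10.0.0.25 192.0.2.1 tcp 22 4000
"""


def parse_flows(text):
    """Parse the constructed whitespace-separated flow layout."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def is_allowed(addr):
    return any(addr in net for net in ALLOWED)


def unexpected_egress(flows):
    """Flows the gateway itself originated toward a destination outside ALLOWED."""
    return [f for f in flows if f["src"] == GATEWAY and not is_allowed(f["dst"])]


def beacon_candidates(flagged, min_count=3, max_bytes=256, jitter=0.2):
    """Destinations among the flagged flows that were contacted at least
    min_count times with small payloads and near-constant spacing."""
    by_dst = defaultdict(list)
    for f in flagged:
        if f["bytes"] <= max_bytes:
            by_dst[f["dst"]].append(f["ts"])
    hits = []
    for dst, times in by_dst.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        # Regular spacing: every gap within +/- jitter of the mean gap.
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            hits.append(str(dst))
    return sorted(hits)


def run_sample():
    """Run both checks over the constructed flows."""
    flagged = unexpected_egress(parse_flows(FLOWS))
    return [str(f["dst"]) for f in flagged], beacon_candidates(flagged)


if __name__ == "__main__":
    flagged, beacons = run_sample()
    print("unexpected egress to:", flagged)
    print("regular small flows (look first):", beacons)
```

The check is deliberately an allow list rather than a block list: the gateway's own IPsec configuration already names every peer it should talk to, so the check needs no prior knowledge of what the hostile traffic would look like or where it would go, which is the only workable assumption when, as the comments above note, the far end could be anywhere. Whether anyone would have run such a check is a separate question from whether the traffic was observable, which is the distinction this sub-thread turns on.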

mira_pl

Thanks for explaining. However I thought someone might have spotted it (not necessarily a sysadmin) when configuring or trying to improve performance maybe...

apotheon

It was FreeBSD. I wrote an article about it for TR: China chooses FreeBSD as basis for secure OS

JCitizen

just a silly way to bring attention to alois.cohard web-links? I like your avatar! Wonder why! ;) P.S. (edited) - wasn't OpenBSD that OSS the Chinese government adopted as its sanctioned public operating system? Seems to me this could just be FUD generated by our side, to throw them off guard. Not that it would be particularly funny, because I don't trust my government much more than theirs; unfortunately.