[LACNIC/Seguridad] [OT?] Fwd: Allegations regarding OpenBSD IPSEC

Arturo Servin aservin en lacnic.net
Thu Dec 16 09:29:08 BRST 2010


Yes, there has been quite a bit of debate about whether it is true or not, whether it is possible or not, and about the informant's intentions.

Regards,
as

On 16 Dec 2010, at 07:51, Fernando Gont wrote:

> FYI.
> 
> The rest of the thread (including the accused's reply) can be read
> at http://www.kerneltrap.org/mailarchive/openbsd-tech/2010/12/14/6887148
> 
> P.S.: I am sending this mail so that you are informed... not because
> I necessarily believe the accusations are true, or anything like that.
> 
> Regards,
> Fernando
> 
> 
> 
> 
> -------- Original Message --------
> Subject: Allegations regarding OpenBSD IPSEC
> Date: Tue, 14 Dec 2010 15:24:39 -0700
> From: Theo de Raadt <deraadt en cvs.openbsd.org>
> To: tech en cvs.openbsd.org
> 
> I have received a mail regarding the early development of the OpenBSD
> IPSEC stack.  It is alleged that some ex-developers (and the company
> they worked for) accepted US government money to put backdoors into
> our network stack, in particular the IPSEC stack.  Around 2000-2001.
> 
> Since we had the first IPSEC stack available for free, large parts of
> the code are now found in many other projects/products.  Over 10
> years, the IPSEC code has gone through many changes and fixes, so it
> is unclear what the true impact of these allegations is.
> 
> The mail came in privately from a person I have not talked to for
> nearly 10 years.  I refuse to become part of such a conspiracy, and
> will not be talking to Gregory Perry about this.  Therefore I am
> making it public so that
>    (a) those who use the code can audit it for these problems,
>    (b) those that are angry at the story can take other actions,
>    (c) if it is not true, those who are being accused can defend
> themselves.
> 
> Of course I don't like it when my private mail is forwarded.  However
> the "little ethic" of a private mail being forwarded is much smaller
> than the "big ethic" of government paying companies to pay open source
> developers (a member of a community-of-friends) to insert
> privacy-invading holes in software.
> 
> ----
> 
> From: Gregory Perry <Gregory.Perry en GoVirtual.tv>
> To: "deraadt en openbsd.org" <deraadt en openbsd.org>
> Subject: OpenBSD Crypto Framework
> Thread-Topic: OpenBSD Crypto Framework
> Thread-Index: AcuZjuF6cT4gcSmqQv+Fo3/+2m80eg==
> Date: Sat, 11 Dec 2010 23:55:25 +0000
> Message-ID:
> <8D3222F9EB68474DA381831A120B1023019AC034 en mbx021-e2-nj-5.exch021.domain.local>
> Accept-Language: en-US
> Content-Language: en-US
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
> MIME-Version: 1.0
> Status: RO
> 
> Hello Theo,
> 
> Long time no talk.  If you will recall, a while back I was the CTO at
> NETSEC and arranged funding and donations for the OpenBSD Crypto
> Framework.  At that same time I also did some consulting for the FBI,
> for their GSA Technical Support Center, which was a cryptologic
> reverse engineering project aimed at backdooring and implementing key
> escrow mechanisms for smart card and other hardware-based computing
> technologies.
> 
> My NDA with the FBI has recently expired, and I wanted to make you
> aware of the fact that the FBI implemented a number of backdoors and
> side channel key leaking mechanisms into the OCF, for the express
> purpose of monitoring the site to site VPN encryption system
> implemented by EOUSA, the parent organization to the FBI.  Jason
> Wright and several other developers were responsible for those
> backdoors, and you would be well advised to review any and all code
> commits by Wright as well as the other developers he worked with
> originating from NETSEC.
> 
> This is also probably the reason why you lost your DARPA funding, they
> more than likely caught wind of the fact that those backdoors were
> present and didn't want to create any derivative products based upon
> the same.
> 
> This is also why several inside FBI folks have been recently
> advocating the use of OpenBSD for VPN and firewalling implementations
> in virtualized environments, for example Scott Lowe is a well
> respected author in virtualization circles who also happens to be on
> the FBI payroll, and who has also recently published several tutorials
> for the use of OpenBSD VMs in enterprise VMware vSphere deployments.
> 
> Merry Christmas...
> 
> Gregory Perry
> Chief Executive Officer
> GoVirtual Education
> 
> "VMware Training Products & Services"
> 
> 540-645-6955 x111 (local)
> 866-354-7369 x111 (toll free)
> 540-931-9099 (mobile)
> 877-648-0555 (fax)
> 
> http://www.facebook.com/GregoryVPerry
> http://www.facebook.com/GoVirtual
> 
> 