> But Theo is missing the point. We're not simply interested in whether OpenBSD is vulnerable today. We want to know if there's any evidence that the IPSEC stack was ever tampered with, and particularly around the time frame that Greg Perry suggested that it was. Worse still, OpenBSD had what appeared to be†† a very serious security flaw, and they fixed it without telling users. OpenBSD users do have a right to ask the question, "hey, what gives?".
> †† We don't know if any particular configuration of OpenBSD with or without hardware accelerators in any particular release of OpenBSD had this problem exploitably, although it sure looks like they did.
Thomas, please try to look at it from a different perspective; You
want to know if there's any evidence of tampering, and you are free to
answer your own question. OpenBSD users and even developers do not have
a "right" to an answer, or better said, a "right" to someone else's
time, instead, they have a responsibility to find the answer on their
own.
If you do not care enough to do the work to prove or disprove your
allegations, then there's really no point in making or reiterating
allegations of tampering or exploitable releases. Unlike most people,
I believe you have the skill and experience necessary to do it, but
without doing the work, you're doing more harm than good.
If you were falsely accused of tampering, you'd be pretty upset with me
if I kept on yammering about it without providing a shred of evidence.
And rightfully so.
I think there is zero chance OpenBSD was backdoored.
I think it's extraordinarily unlikely NETSEC even built a private version of that code with a backdoor of any sort in it, even though to have done so would be no more controversial than writing "ssldump".
I've been saying that for over a week now. Could I possibly be clearer about the fact that I don't think OpenBSD was backdoored? If so, I'm sorry.
What I see now is Theo refusing to put this to bed.
I think Theo should have told Greg Perry where to shove this story, then wrote a message saying that someone with zero credibility made a claim and they were going to look at the code "just in case".
The specifics everyone should understand are as follows...
1.) All of bugs found so far look like unintentional mistakes. Of
course, there's always some wise-ass that will say that a perfect
backdoor should look like an unintentional mistake, so proving intent
is impossible.
2.) No one has done the work necessary to prove the bugs found so far
are actually exploitable. Publicly speculating and debating whether or
not a bug is exploitable is harmful and disingenuous.
3.) Due to complexity, completely proving the code is perfect and free
of all exploitable bugs is intractable. The very best anyone can ever
say is, "I personally didn't find any bugs during my audit."
Given the above, ANY accusation of intentionally putting a backdoor
into code is indefensible, and hence, it is nothing more than vicious
rhetorical defamation. Even if such an accusation is true, it is still
fallacious and must be discarded.
I hope you don't mind if I pilfer a wonderfully descriptive phrase from
you, but I feel accusations of Gregory Perry qualifies him as a
"mendacious kook." I'm not omniscient, so I would never say there's
"zero chance" of a backdoor being placed in anything. None the less, in
this situation, we basically agree. I believe it is exceedingly unlikely
a backdoor ever made it into the tree.
The real problem is Perry made some very serious and damaging
allegations. If Theo had just ignored this kook, he would have been
taken to task for not divulging and addressing them.
Theo did exactly what you suggested in his initial Dec 14th message to
the security-announce@openbsd list:
> The mail came in privately from a person I have not talked to for nearly 10 years. I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public so that (a) those who use the code can audit it for these problems, (b) those that are angry at the story can take other actions, (c) if it is not true, those who are being accused can defend themselves.
I think the initial message to security-announce@ was more than enough.
The underlying cause of your complaint about "refusing to put this to
bed" by stating his opinions in subsequent emails can be found in your
own actions; people demanding they have an imaginary "right" to be told
more.
Essentially, you asked for it to continue. The same is true for many
others, so you are certainly not alone. And yes, even my discussing this
with you publicly on HN means I'm also at fault for the continuation.
The accusations made against Jason Wright and Angelos Keromytis are
indefensible, so I cannot defend them. You cannot defend them. Theo
cannot defend them. No one can defend them, and they cannot defend
themselves. The one thing all of us should clearly and loudly say is,
"The accusations are indefensible, fallacious, and should be discarded,
but we should still look at the code again to see if there are any
undiscovered bugs."
OpenBSD being trolled by some kook is not newsworthy. It happens all the
time. All the articles on HN and elsewhere are just whoring a
fallacious and most likely falsified controversy, and by doing so,
defaming two people who gave their time and effort to develop open
source code.
I am angry. After making great contributions to open source, two great
hackers, Jason Wright and Angelos Keromytis, are being defamed and I am
unable to prove they are innocent because no one can prove they are
innocent of indefensible accusations. It's frustrating.
Out of respect for Jason and Angelos, I'm done talking about it.
The tough question is, why does it take an overly verbose village idiot
like me to clearly state the obvious?
Your heart is clearly in the right place. I feel for you. You and I agree about way, way more than we disagree about. But your summary ignores the plain words of Theo's email. The people talking about this on HN are not "whoring" the controversy. Someone else is, and you know who I think that is.
If you do not care enough to do the work to prove or disprove your allegations, then there's really no point in making or reiterating allegations of tampering or exploitable releases. Unlike most people, I believe you have the skill and experience necessary to do it, but without doing the work, you're doing more harm than good.
If you were falsely accused of tampering, you'd be pretty upset with me if I kept on yammering about it without providing a shred of evidence. And rightfully so.