From owner-freebsd-security@FreeBSD.ORG Thu Dec 16 05:20:22 2010
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CEFA21065672; Thu, 16 Dec 2010 05:20:22 +0000 (UTC) (envelope-from rfarmer@predatorlabs.net)
Received: from mail-qw0-f54.google.com (mail-qw0-f54.google.com [209.85.216.54]) by mx1.freebsd.org (Postfix) with ESMTP id 8F3CA8FC15; Thu, 16 Dec 2010 05:20:22 +0000 (UTC)
Received: by qwj9 with SMTP id 9so2820874qwj.13; Wed, 15 Dec 2010 21:20:21 -0800 (PST)
Received: by 10.224.67.136 with SMTP id r8mr7399779qai.63.1292476821789; Wed, 15 Dec 2010 21:20:21 -0800 (PST)
Received: by 10.220.59.69 with HTTP; Wed, 15 Dec 2010 21:20:21 -0800 (PST)
MIME-Version: 1.0
X-Originating-IP: [128.95.133.99]
References: <4d08a854.w8rPywliRhHs/MXH%akosela@andykosela.com> <20101215193315.GA41513@mud.stack.nl>
Date: Wed, 15 Dec 2010 21:20:21 -0800
From: Rob Farmer
To: Andy Kosela
Cc: Johan van Selst, freebsd-security@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: Allegations regarding OpenBSD IPSEC
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Thu, 16 Dec 2010 05:20:22 -0000

On Wed, Dec 15, 2010 at 14:09, Andy Kosela wrote:
> Would you publicly say: "yes, I was on the FBI payroll and planted
> those backdoors". Let's be honest here.

Yes, let's. What is your motive for bringing up this issue? Are you on an intelligence agency's payroll, which has inserted backdoors into another OS (say Linux), and are trying to get people to switch from BSD? Can you prove this isn't true?

The problem with this, and other conspiracy theories, is they are characterized by vague accusations that are hard to verify, one way or another. Governments (and virtually all large organizations) have done unethical things in the past and will do so in the future. As I see it, either this type of thing is widespread, in which case all OSes (open and proprietary) are probably affected, or it is BS. Security experts may audit the code, but since they could be in on it, their results can't be trusted. And if you can't trust the reputation of the developers, then what? Audit the entire thing yourself? How many people have the time and skills to do so?

There's nothing average people can do with these allegations, other than accept (without evidence) that those named are sleazes, which is unfair, to say the least - how does one prove they aren't involved in such a thing? And why should they have to? What happened to "innocent until proven guilty"?

> We need to witness what Greg
> Perry has more to say about this. If he claims this is true I guess
> he still got the code for that -- let him publish it or at least point
> us in the right direction in the OpenBSD source code.

That should have been done at the start.

-- 
Rob Farmer