Schneier's take on the alleged backdoor in OpenBSD - cosgroveb
http://www.schneier.com/blog/archives/2010/12/did_the_fbi_pla.html

======
jdp23
I'm where he is. Interesting discussion, though -- and it really highlights
the limits of "with many eyes all bugs are shallow".

------
davidj
He didn't add anything new to the discussion but his opinion. Crypto scholars
are excellent at cryptography and security theory, but when it comes to
actually implementing secure systems (exception being crypto algorithms), and
securing systems, crypto scholars are horrible. For example, he mentions that
it would be better to just find an existing vulnerability instead of planting
an FBI backdoor in the OpenBSD code: good luck Schneier, obviously you don't
know that much about OpenBSD security culture and history. Plus the NSA has a
history of putting backdoors into solutions. This is just my opinion from
experience.

~~~
frisco
Bruce Schneier isn't some random academic. He's extremely highly respected,
and is the Chief Security Technology Officer of BT Communications. He has
_tons_ of experience with securing systems in the real world, and to say he
"obviously [doesn't] know that much about OpenBSD security culture and
history" is crazy.

~~~
davidj
Sorry, I didn't mean to appear to disrespect Bruce Schneier. I've met him, gone
to his book signings, own all his books, I even buy his books as gifts for my
friends. I'm a huge fan of his work. We need people like him who have done
highly advanced studies in the security field; he is the best and an amazingly
lucid writer. I never said he was a random academic or that his overall
research should be disregarded. I really don't think you understand my
original comment. Theory is not practice; they are two separate things. I
guess I should have just said that. Do you see my point now?

~~~
tptacek
I am not so much a Schneier fan, so if you feel like you need cover for
leveling any kind of criticism against anything he says, don't worry too much.
Are you _sure_ you believe Schneier would know anything about the code quality
of a specific IPSEC implementation --- or really, about the _code quality_ of
any IPSEC implementation?

~~~
bl4k
Alright, I will bite. What are your reasons for not liking Bruce?

(I can't wait for this)

~~~
tptacek
I don't so much "not like him". But, compare cite records:

[http://scholar.google.com/scholar?q=Serge+Vaudenay&hl=en...](http://scholar.google.com/scholar?q=Serge+Vaudenay&hl=en&btnG=Search&as_sdt=400001&as_sdtp=on)

[http://scholar.google.com/scholar?q=hans+dobberton&hl=en...](http://scholar.google.com/scholar?q=hans+dobberton&hl=en&btnG=Search&as_sdt=400001&as_sdtp=on)

[http://scholar.google.com/scholar?hl=en&q=eli+biham&...](http://scholar.google.com/scholar?hl=en&q=eli+biham&btnG=Search&as_sdt=400000&as_ylo=&as_vis=0)

[http://scholar.google.com/scholar?hl=en&q=bruce+schneier...](http://scholar.google.com/scholar?hl=en&q=bruce+schneier&btnG=Search&as_sdt=400000&as_ylo=&as_vis=0)

~~~
bl4k
Oh, is that all. An entire generation was taught cryptography on the back of
AC, so he is definitely the widest-read crypto dev.

~~~
tptacek
He is definitely the widest-read crypto dev. There can be no question of that.

~~~
marchdown
Out of curiosity, who else is out there writing essay-length on crypto and
security in general?

~~~
bl4k
One of the better recent sites has been RSnake's:

<http://ha.ckers.org/>

But he just retired from blogging about netsec and is done with the industry,
I think (a lot of ppl get sick of it, I left the sec industry 10+ years ago
and never looked back)

~~~
tptacek
RSnake doesn't do any crypto work. Like, at all. A fine guy to go to for XSS
or SQLI.

------
wazoox
Given the past feats from Theo de Raadt, my guess is on a nice stunt to get a
free thorough code check :)

~~~
JoachimSchipper
Too many stupid people are saying too many bad things about the OpenBSD
project for this to be a net positive for him.

After all, he doesn't really profit from a free audit, and all the auditing
I've seen so far has been done by the OpenBSD team itself.

------
bl4k
Easy way to prove it isn't true:

Has there ever been a criminal case prosecuted in the USA where the FBI
entered or revealed intercepted VPN data as evidence?

~~~
piotrSikora
This is false logic. This way you can only prove that the backdoor exists, not
that it doesn't.

~~~
bl4k
What I meant to say was that it's a reason why it may not be true. I started
typing the response with one thing in mind and ended with another.

Point still applies though. No cases where prosecution has cited intercepted
VPN traffic.

