Allegations of FBI crypto backdoors in OpenBSD IPSEC

[dfranke]

That depends. Do we just have to find a vuln somewhere in one of NETSEC's check-ins, or do we have to prove it was put there deliberately?

[tptacek]

Vulns are disqualified if a similar vuln was check in to an analogous crypto product within a 5 year window.

[pbhjpbhj]

Wouldn't that be a great way to hide it though, insert a vulnerability that you've seen elsewhere and know how to exploit rather than inserting something completely unfamiliar. Indeed if it's been in some other app and not discovered then it's unlikely to get noticed quickly.