Incidentally, I thought I had seen Mr. Perry someplace on TV, and then I remembered he was on an episode of Penn and Teller's "Bullsh*t" a while back. Link for the interested: http://www.youtube.com/watch?v=DT2YET6sg5I
With the strange claims made in the email (outsourcing, expired NDAs, DARPA knew), I wish Theo would've thought twice before publicizing this guy's name. At least the extra eyes on IPSEC might catch something else.
Second question: "Is it credible?" Option 1: "Yes" => panic ensues. Option 2: "No" => "Liar!" Option 3: There is no option 3, you must pick 1 or 2.
"I am looking into the matter; more details will be forthcoming."
You have to release all the details sometime, but the longer you wait, the more people suspect they aren't getting all the details (even if they are) and the larger the drama whirlpool becomes. Did "Kaminsky found a DNS bug, details will be forthcoming" accomplish anything? No, it was a giant clusterfuck.
As a side note, I think it's weird that in a "post-wikileaks" era people are arguing that an open source project named OpenBSD be less transparent.
You'll have a hard time gathering a small circle of people willing to state, for the record, "We reviewed the code and the invisible bug doesn't exist." Personally, I would want no part in an audit like that.
For a concrete threat, yeah, you fix it first. But the thing about scandals is that delay only incubates a bigger scandal.
On the other hand, I know that such an accusation can have a devastating effect on the life of the accused developer. So the principle of _in dubio pro reo_ should be applied faithfully.
This should be the instinctive reaction of a democratic society. It does seem to be quite hard to have this collective routine work reliably nowadays, which is sad.
But I do think it's worthwhile to take measure of how important a particular piece of software is to our collective security and privacy. It's not necessarily a bad thing for interested parties to not completely trust their systems. Risk mitigation is all about quantifying probable events relative to their damage.
I think a lot of people will take a look at the IPSEC code and that can't be a bad thing.
I'm not saying it's true but only that I don't see any more evidence that it isn't true than that it is - yet.
But the DOJ and US Customs dropped the case against Zimmermann in '96. Obviously they would need to go with a new plan of attack after that method failed for intercepting messages in algorithms and software that is closed or running new algorithms like PGP. Backdoors and trapdoors in software that wraps crypto algorithms are one prong in that attack. The NSA neither confirms nor denies trapdoors, backdoors, etc. but DOES employ some of the top cryptographers in the world.
In 2000, the U.S. government lifted the export controls on strong crypto, so (pure speculation) other methods to intercept communications were/are needed. The alleged event here happened in 2000/2001 which might fit with a new MO.
For how many years did the NSA know about timing attacks before they became public knowledge and fixes were incorporated into code? Impossible to know. Code audits certainly didn't spot timing attack problems before people knew to look for them.
It's also impossible to know what other unknown attacks are available to the NSA and the like.
Of course, this is completely irrelevant to 99% of us, since anyone with knowledge of these unknown attacks would use them very sparingly in order to keep them secret.
We're talking about code, guys. It's not an accusation of rape or a broken condom.
1) Main OpenBSD server wasn't compromised, main FTP server ("ftp.openbsd.org") was.
2) Source code (the one in CVS) wasn't compromised, only .tar.gz packages placed on the FTP server were.
3) They did want people to know about this, that's why they released a security advisory.
On top of that, at the time "ftp.openbsd.org" wasn't even running OpenBSD; the FTP server was part of SunSITE powered by Solaris.
> I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF).
It's this sort of emotional, knee-jerk response that leads to irrational behavior.
Someone who hadn't written a back door would simply say: "That is crazy, I had nothing to do with a back door and none exists to my knowledge. I welcome a thorough audit of the code".
That's pretty much exactly what he said, in more verbose form.
But, let's be fair here: A well-respected developer involved in security projects has been declared untrustworthy. He has a right to be angry, and a right to defend himself. Just because the federal government does nasty things doesn't mean we should just accept unbacked accusations about the integrity of someone, particularly when it seems the guy actually didn't have much to do with the code in question.
Consider an FBI informant who has penetrated a terrorist cell. Suppose one of the actual terrorists suspects him and accuses him of being a traitor in front of the rest. What will he do to save his skin? He'll be indignant, he'll try to tug on any personal ties he has with the other members, he'll cite his reputation, he'll potentially attack the accuser.
Why? Because he feels that in order to be perceived as telling the truth he has to "leak" raw human emotion. He has to communicate that his rational mind is not in control b/c he feels that others will doubt him if they don't see that human emotion.
If he's innocent on the other hand, he'd laugh and say f* you and assume nobody would take it all that seriously, since he would not assume that anybody would listen to such a ludicrous allegation, and if he started to actually worry that the accusation was believable to others, he'd think quite rationally and demand that his accuser produce more evidence, since he has the information advantage about his own actions and could easily refute false charges.
Honestly, your explanation of why he sounds guilty to you reminds me of the paranoid ramblings of, well, paranoid people. Again, it's entirely possible the FBI (though this isn't their jurisdiction really) could be trying to subtly shape free software to their bidding, but this is a baseless, and pretty shaky, claim by someone that allegedly has a commercial incentive in stirring up this shitstorm. I think the accused has every right to be mad as hell about the accusation, especially if he did no such thing.
In any case, I have no clue whether he had anything to do with any backdoor, just trying to make the point that his response is not what I'd expect from someone who had nothing to do with it -- possible exceptions: If he's an unusually egotistical person or if he has significant financial interests which the perception that he was involved could disrupt.
Or, if he is passionate about the software he is involved in building...which Open Source developers generally are. Reputation is the only currency that matters in the Open Source world, and someone has attempted to destroy this guy's reputation. (Or any number of other reasons why someone might be bothered by such an accusation. Your assertion that there are only two "possible exceptions" is just ridiculous. Speaking in such certainties about the human brain and human emotions is simply nonsensical.)
Frankly, I think you're talking out of your ass here, with very little understanding of the people you're talking about, or the psychology you seem to believe you know so much about. Do you have no exposure at all to the Open Source community? That's the only way I can imagine you would consider reputation to be something a normal person doesn't have every right to care about and defend from accusations.
Honestly, this developer responded far more politely than I would have in similar circumstances.