[Tfug] OpenBSD possibly vulnerable in IPSEC?
Angus Scott-Fleming
angussf at geoapps.com
Thu Dec 16 01:00:01 MST 2010
On 15 Dec 2010 at 2:42, Jude Nelson wrote:
> Hey everyone,
>
> Recently came across this on the OpenBSD mailing list. I wonder how
> accurate it is: http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
I'm going to watch this with interest.
Anyone else here old enough to remember this classic from 1990 (which was 20
years after I got my first computer login)? This was back when all Unix was
open source and yet there was apparently a backdoor in the 'login' command
almost from Day 1 ...
ACM Classic: Reflections on Trusting Trust
http://cm.bell-labs.com/who/ken/trust.html
... The moral is obvious. You can't trust code that you did not
totally create yourself. (Especially code from companies that employ
people like me.) No amount of source-level verification or scrutiny
will protect you from using untrusted code. In demonstrating the
possibility of this kind of attack, I picked on the C compiler. I
could have picked on any program-handling program such as an
assembler, a loader, or even hardware microcode. As the level of
program gets lower, these bugs will be harder and harder to detect. A
well installed microcode bug will be almost impossible to detect.
--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/