D&C GLug - Home Page

[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] BSD / Back doors / etc (was CentOS joining the RedHat mothership)


On 09/01/14 06:54, Tremayne, Steve wrote:
> Wow.
> I have just been reading about Theo and the BSD history from this
> point of view: 
> http://www.trollaxor.com/2012/12/a-brief-history-of-berkeley-software.html
>  Very interesting - and an aspect of history which I was not aware
> of!
> It's interesting - just from the link above - that OpenBSD was found
> to have US gov funded backdoors
> (http://www.trollaxor.com/2011/10/why-i-uninstalled-openbsd.html) and
> that the same author / leader has created OpenSSH
> (http://www.theos.com/deraadt/)
> So... that leads me to conclude (this is my own conclusion, not based
> on any fact - until advised otherwise) that OpenSSH is exactly that -
> wide open and has a Prism funded backdoor too.
> Again - this is just my brief findings from an hour's searching /
> reading, so I'd be quite happy for someone to advise that I've got
> this wrong.

Yeah, as Simon replied, that's just a troll revisionist history and has
only a passing relation with the truth. The domain name is a bit of a

There was a lot of fuss a while back about a supposed backdoor in
OpenBSD, but it was alleged that there was a FBI-sponsored vulnerability
in ipsec, not OpenSSH: either way, it was demonstrated to be factually
untrue. De Raadt may be a lot of things, but he takes the security and
transparency of his operating system very seriously and promptly
published the originally private letter claiming this on the mailing
list before starting an immediate and full audit of all the codebase in
question. Needless to say, they didn't find anything.

OpenBSD remains the most secure functional OS available, with only two
remote holes in the default install since inception. The only operating
system I know of with a better record than that is Burroughs MCP, a
mainframe OS that runs on Unisys Clearpath/MCP machines that has had 0
remote holes in 53 years. I know of only one DoS style vulnerability
ever listed for it publicly, which wasn't exploitable.



The Mailing List for the Devon & Cornwall LUG
FAQ: http://www.dcglug.org.uk/listfaq