D&C GLug - Home Page


Re: [LUG] BSD / Back doors / etc (was CentOS joining the RedHat mothership)

 

On 09/01/14 06:54, Tremayne, Steve wrote:
> Wow.
> 
> I have just been reading about Theo and the BSD history from this
> point of view: 
> http://www.trollaxor.com/2012/12/a-brief-history-of-berkeley-software.html
>
>  Very interesting - and an aspect of history which I was not aware
> of!
> 
> 
> It's interesting - just from the link above - that OpenBSD was found
> to have US gov funded backdoors
> (http://www.trollaxor.com/2011/10/why-i-uninstalled-openbsd.html) and
> that the same author / leader has created OpenSSH
> (http://www.theos.com/deraadt/)
> 
> So... that leads me to conclude (this is my own conclusion, not based
> on any fact - until advised otherwise) that OpenSSH is exactly that -
> wide open and has a Prism funded backdoor too.
> 
> Again - this is just my brief findings from an hour's searching /
> reading, so I'd be quite happy for someone to advise that I've got
> this wrong.


Yeah, as Simon replied, that's just a troll revisionist history and has
only a passing relation with the truth. The domain name is a bit of a
giveaway...

There was a lot of fuss a while back about a supposed backdoor in
OpenBSD, but it was alleged that there was an FBI-sponsored vulnerability
in ipsec, not OpenSSH: either way, it was demonstrated to be factually
untrue. De Raadt may be a lot of things, but he takes the security and
transparency of his operating system very seriously and promptly
published the originally private letter claiming this on the mailing
list before starting an immediate and full audit of all the codebase in
question. Needless to say, they didn't find anything.

OpenBSD remains the most secure functional OS available, with only two
remote holes in the default install since inception. The only operating
system I know of with a better record than that is Burroughs MCP, a
mainframe OS that runs on Unisys Clearpath/MCP machines that has had 0
remote holes in 53 years. I know of only one DoS style vulnerability
ever listed for it publicly, which wasn't exploitable.

Regards


https://www.schneier.com/blog/archives/2010/12/did_the_fbi_pla.html
http://www.cvedetails.com/vulnerability-list/vendor_id-1499/product_id-2588/year-2002/Unisys-Clearpath-Mcp.html

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq