Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 9 Jun 2020 01:38:56 -0300
From:      Anatoli <me@anatoli.ws>
To:        Valeri Galtsev <galtsev@kicp.uchicago.edu>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: freebsd vs. netbsd
Message-ID:  <00225a04-237d-9051-9aea-12c192106a20@anatoli.ws>
In-Reply-To: <f667e8f9-b279-a3ce-3fc4-224ba17f4bbb@kicp.uchicago.edu>
References:  <171506d5-19aa-359e-c21d-f07257c52ebd@freenetMail.de> <62d10000-e068-922e-23bd-f7a61e7a4e89@anatoli.ws> <ACE27C81-9437-41D6-BBD4-FA7A7B791428@kicp.uchicago.edu> <6a4f6a15-ec43-03f6-1a41-a109e445f026@anatoli.ws> <f667e8f9-b279-a3ce-3fc4-224ba17f4bbb@kicp.uchicago.edu>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
If you're talking about the allegations that Jason Wright planted
backdoors into OpenBSD for FBI, then you invented about 90% of the
story.

The story is about Gregory Perry's (a former technical consultant for
the FBI) allegations that Jason Wright (an ex-dev) and NETSEC (the
company he and some others worked for) accepted US government money to
put backdoors into OpenBSD's network stack, in particular the IPSEC
stack, around 2000-2001.

This information is public, was discussed multiple times and nothing
extraordinary resulted from it.

After the allegations went public, extensive audits were conducted
internally and externally and nothing serious or of intentional nature
was found by anyone.

For those interested, here are some links:
 1. A TL;DR version about the story by ArsTechnica: [1];
 2. Theo De Raadt (founder of OpenBSD) mail disclosing the allegations
    made privately to him: [2];
 3. His follow-up email: [3];
 4. A follow-up email from Gregory Perry (the one making allegations)
    after his initial email was made public by Theo [4]
 5. Damien Miller (OpenSSH/OpenBSD) comments about feasibility of such
    implantation, very insightful for those interested in technical
    details (as the entire thread) [5];
 6. All allegations denied by named participants: [6];
 7. A follow-up to the story from the past year (2019), a FOIA request
    to the FBI to disclose any involvement with OpenBSD: [7].

If you're talking about this story, nothing new or interesting. If
you're talking about something else, then the burden of proof is on the
one making the claim. So don't say "check that on your own". You're
making a public claim, provide the proof or be considered just a
FUD-spreader.


On the other hand, no software project, public or private, is immune to
governments trying to insert backdoors, though Bruce Schneier believes
this would be just plain stupid: [8].

> I too was considering OpenBSD the most secure operating system out
> there. Till the moment I've learned ..."

So even *if* we suppose that there were any backdoors planted in OpenBSD
(which was never demonstrated by anyone publicly), do you have any
better alternative than OpenBSD? Some OS guaranteed to be free from
government backdoors? Any OS better suited for entire system audits due
to its simplicity and a small, clean code base? Any OS with a better
secure development and peer review process?

If not, what's your point then?

[1]: https://arstechnica.com/information-technology/2010/12/openbsd-code-audit-uncovers-bugs-but-no-evidence-of-backdoor/
[2]: https://marc.info/?l=openbsd-tech&m=129236621626462&w=2
[3]: https://marc.info/?l=openbsd-tech&m=129296046123471
[4]: https://www.csoonline.com/article/2136901/an-fbi-backdoor-in-openbsd-.html
[5]: https://marc.info/?l=openbsd-tech&m=129237675106730&w=2
[6]: https://www.itworld.com/article/2744922/openbsd-fbi-allegations-denied-by-named-participants.html
[7]: https://news.ycombinator.com/item?id=20489904
[8]: https://www.schneier.com/blog/archives/2010/12/did_the_fbi_pla.html


On 8/6/20 12:44, Valeri Galtsev wrote:
> 
> 
> On 2020-06-08 09:25, Anatoli wrote:
>>> The most secure… if you dismiss the fact that one of the developer (who wrote network stack if my memory serves me) was simultaneously receiving payments from one of three letter agencies for several years.
>>
>> Rumors + FUD or do you have any proof?
>>
> 
> When I heard that I checked, and receipt of payments was confirmed by developer himself. That is my recollection, I am merely human whose memory can not be perfect, check that on your own. This even if confirmed as a fact, does not mean he left back doors or weak spots in code.
> 
> The rest is for everyone: to do one's own home work:
> 
> 1. who don't care just dismiss what is said
> 
> 2. Who do care to verify if receipt of payments is the fact, just verify on your own (I never think of myself to be considered the source of absolute truth. Merely as a help to point into direction where who is interested may find something helpful)
> 
> If one verifies the fact of payment(s), the decide for yourself:
> 
> A. Audit the code (I for one realize I will not be able to find fishy spots in that sophisticated code, so this can not be my choice)
> 
> B. Accept that it is likely that good enough programmers did audit code, hence there are no weak (or worse) spots in it
> 
> C. Accept that what top programmer wrote is not that easy to audit, and just shy away from what may (just merely may) be not quite kosher. If you care, of course.
> 
> 
> And again, do your own thinking, this may, just merely may help someone.
> 
> 
> Valeri
> 
>> On 8/6/20 10:26, Valeri Galtsev wrote:
>>>
>>>
>>>> On Jun 7, 2020, at 11:26 PM, Anatoli <me@anatoli.ws> wrote:
>>>>
>>>> IMO
>>>>
>>>> * FreeBSD: servers (performance, stability, relative security, zfs),
>>>>   competes directly with Linux
>>>>
>>>> * OpenBSD: routers/firewalls, desktops (the most secure OS
>>>
>>> The most secure… if you dismiss the fact that one of the developer (who wrote network stack if my memory serves me) was simultaneously receiving payments from one of three letter agencies for several years.
>>>
>>> Valeri
>>>
>>>> and a really
>>>>   good desktop, but its absence of server-class performance is its
>>>>   weakest side + no zfs (just ffs2) and limited virtualization (no SMP)
>>>>   so not suitable for any serious server load where absolute security is
>>>>   not a must). The king in its niche (paranoid security)
>>>>
>>>> * NetBSD: toasters & freezers (runs on anything, otherwise not sure
>>>>   what's the point :), competes with FreeBSD and Linux (and Linux now
>>>>   supports more archs/platforms than Net). IMO no clear vision and thus
>>>>   attracts too little resources both human and economic. IMO midterm not
>>>>   much hope for survival, same as DFly and smaller BSDs.
>>>>
>>>> I believe that OS development is an economy of scale (doing things more
>>>> efficiently or having other advantaged with increasing size) with a
>>>> tendency for a monopoly in the same niche.
>>>>
>>>> There are some features that the larger players establish as a
>>>> commodity, but that are very time-intensive and complex to develop (e.g.
>>>> virtualization, wifi ac and now ax). So what Linux implemented more than
>>>> a decade ago, the BSDs are just catching up now.
>>>>
>>>> Linux world had 2 "obstacles" to its almost flawless growth recently
>>>> (systemd and a ZFS alternative). Now that the things have almost settled
>>>> up, if they don't commit any more serious errors I don't see how the
>>>> BSDs (except OpenBSD as it's not a direct competitor) could compete with
>>>> it in the long term.
>>>>
>>>> Now with ZoL/OpenZFS the long-term future even for FreeBSD is not that
>>>> clear (and the recent iX decisions [1] [2] are a clear sign).
>>>>
>>>> [1] https://arstechnica.com/gadgets/2020/06/truenas-isnt-abandoning-bsd-but-it-is-adopting-linux/
>>>> [2] https://www.truenas.com/TrueOS-Discontinuation/
>>>>
>>>>
>>>> On 7/6/20 22:35, Wesley wrote:
>>>>> greetings,
>>>>>
>>>>> There were freebsd and netbsd (maybe others?) in BSD world.
>>>>> What points did they focus by design?
>>>>> what are their use scenes then?
>>>>>
>>>>> Thank you.
>>>>> _______________________________________________
>>>>> freebsd-questions@freebsd.org mailing list
>>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>> _______________________________________________
>>>> freebsd-questions@freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>
> 



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?00225a04-237d-9051-9aea-12c192106a20>