Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

FBI added secret backdoors to openBSD IPSEC

Comments

  • Closed Accounts Posts: 1,627 ✭✭✭uprising2


    OpenBSD is an open source operating system, not too many uesrs, relatively small.
    This revelation comes as no surprise to me, I've long suspected such practices, as have many others.

    It's the bigboys microsoft and apple that I'm certain also have such backdoors, and most probably/possibly even more elaborate "extra's".

    The 2 named OS developers mentioned above have always been viewed with suspicion in certain circles and these circles would look for alternative operating systems, hence the feds interest in such operating systems and users of.

    I use windows and occasionally linux/unix, but I've never doubted that should somebody somewhere want to access absolutely anything on my computer, or control webcam/mic they could really easily, they already can with permission and remote desktop, teenage hackers can do it, why not multi billion dollar intelligence agencies.

    Computer security is a myth, virus software is a scam, all encryption is decryptable.

    Don't get me wrong, I use virus software to block the usual crap, but it's easily bypassed by somebody with even a basic knowhow.


  • Registered Users, Registered Users 2 Posts: 8,405 ✭✭✭gizmo


    Pretty serious allegations alright, should be interesting to see what the code review comes up with. On the other hand...
    uprising2 wrote: »
    Computer security is a myth, virus software is a scam, all encryption is decryptable.
    This is just wrong. :o


  • Registered Users, Registered Users 2 Posts: 7,182 ✭✭✭Genghiz Cohen


    Does anyone else see the issue with trying to secretly add ANYTHING to a project that by its very nature is publicy viewable?


  • Registered Users, Registered Users 2 Posts: 634 ✭✭✭loldog


    uprising2 wrote: »
    OpenBSD is an open source operating system, not too many uesrs, relatively small.

    BSD is used a lot on internet servers. Boards.ie uses it:

    http://toolbar.netcraft.com/site_report?url=http://boards.ie

    .


  • Closed Accounts Posts: 90 ✭✭robbyvibes


    i think it's funny if found out to be true because this will affect 100's if not 1000's of other products which used ipsec code from openbsd.

    after 10 years of the project being open source and from what i understand regarded as the most secure operating system out there..it's hard to believe but demonstrates noone is secure.

    all the argument of open source being more secure looks pointless.

    the issue here is that nobody is willing to audit code in their free time so even though some backdoors were found in proftpd and linux kernel, these were only found i believe by chance.

    i'm sure the race is on to find out the backdoors (if they exist) and look to exploit them in devices using openbsd code...which are many no doubt.


  • Advertisement
  • Closed Accounts Posts: 1,324 ✭✭✭RGDATA!


    gizmo wrote: »
    Pretty serious allegations alright, should be interesting to see what the code review comes up with. On the other hand...


    This is just wrong. :o

    what do you think about backdoors in operating systems?
    how much can be understood about operating systems from decompiling them?
    how difficult is it in theory to put something in code and disguise what it is doing to someone who is breaking apart your program to see how it works?


  • Closed Accounts Posts: 1,627 ✭✭✭uprising2


    gizmo wrote: »
    Pretty serious allegations alright, should be interesting to see what the code review comes up with. On the other hand...


    This is just wrong. :o

    Erm, I'd like to differ with your assumption, without going into specifics, I can tell you it is correct, you are just wrong, maybe look into it a little and form your opinion with a little more knowledge, you won't need to feel so embarressed next time.

    Google Backtrack 4, thats a collection of linux tools, powerful stuff, but intelligence agencies I assume would have much more powerful tools at their disposal.

    Edit:
    Can you show me how wrong it's is, then I will show you how wrong you are, I can access my other laptop on my network wthout permission, I can view and copy files, plant keyloggers somewhere in the C:windows folder, with notepad I can create an executable .BAT file, disguise it as anything I want and implant it, bypassing your antivirus and it's not very difficult really.
    I can sniff encrypted traffic and save a .cap file, then decrypt it later.


  • Registered Users, Registered Users 2 Posts: 7,182 ✭✭✭Genghiz Cohen


    uprising2 wrote: »
    Erm, I'd like to differ with your assumption, without going into specifics, I can tell you it is correct, you are just wrong, maybe look into it a little and form your opinion with a little more knowledge, you won't need to feel so embarressed next time.

    Google Backtrack 4, thats a collection of linux tools, powerful stuff, but intelligence agencies I assume would have much more powerful tools at their disposal.

    Edit:
    Can you show me how wrong it's is, then I will show you how wrong you are, I can access my other laptop on my network wthout permission, I can view and copy files, plant keyloggers somewhere in the C:windows folder, with notepad I can create an executable .BAT file, disguise it as anything I want and implant it, bypassing your antivirus and it's not very difficult really.
    I can sniff encrypted traffic and save a .cap file, then decrypt it later.

    Everything is decryptable in theory but given that the FBI couldn't crack a 50-Char password on a suspects harddrive, there are obvious limitations.

    There are people out there who create programs to harm you or your computer. Do you think there aren't?


  • Registered Users, Registered Users 2 Posts: 5,473 ✭✭✭robtri


    uprising2 wrote: »
    Edit:
    Can you show me how wrong it's is, then I will show you how wrong you are, I can access my other laptop on my network wthout permission, I can view and copy files, plant keyloggers somewhere in the C:windows folder, with notepad I can create an executable .BAT file, disguise it as anything I want and implant it, bypassing your antivirus and it's not very difficult really.
    I can sniff encrypted traffic and save a .cap file, then decrypt it later.

    actually all that shows is that you have poor security on the laptop that you are hacking.

    I agree with the cryption piece, with enough time and resources, yes anything is possible, it just a matter of trying every possible combination till you get it right... but a lot of the time, time is the problem with some of the longer encryption matrixs


  • Registered Users, Registered Users 2 Posts: 2,858 ✭✭✭Undergod


    I remember reading that with a long enough key (somewhere in the region of 4000 characters I think) then you could assemble all of matter in the universe into a conventional computer and it would take billions of years to crack. It was in a novel, I'll see if I can track it down.

    So I doubt that it's true to say "all encryption is decrpytable", but I would imagine most computers can be accessed pretty easily by agencies and those who know the backdoors.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 8,405 ✭✭✭gizmo


    uprising2 wrote: »
    Erm, I'd like to differ with your assumption, without going into specifics, I can tell you it is correct, you are just wrong, maybe look into it a little and form your opinion with a little more knowledge, you won't need to feel so embarressed next time.

    Google Backtrack 4, thats a collection of linux tools, powerful stuff, but intelligence agencies I assume would have much more powerful tools at their disposal.

    Edit:
    Can you show me how wrong it's is, then I will show you how wrong you are, I can access my other laptop on my network wthout permission, I can view and copy files, plant keyloggers somewhere in the C:windows folder, with notepad I can create an executable .BAT file, disguise it as anything I want and implant it, bypassing your antivirus and it's not very difficult really.
    I can sniff encrypted traffic and save a .cap file, then decrypt it later.
    And I can encrypt something with a random one-time pad which you wouldn't be able to decrypt. Therefore you supposition that "all encryption is decryptable" is simply false.

    robtri is also right, all that proves is that your laptop is woefully insecure.


  • Registered Users, Registered Users 2 Posts: 7,182 ✭✭✭Genghiz Cohen


    gizmo wrote: »
    And I can encrypt something with a random one-time pad which you wouldn't be able to decrypt. Therefore you supposition that "all encryption is decryptable" is simply false.

    robtri is also right, all that proves is that your laptop is woefully insecure.

    I'm pretty sure, given enough iterations, any encryption is breakable.


  • Registered Users, Registered Users 2 Posts: 8,405 ✭✭✭gizmo


    I'm pretty sure, given enough iterations, any encryption is breakable.
    Not if the pad generated is truly random. The only time the one-time pad system has been broken has been when this is not the case. Do look it up though, it's an extremely interesting topic, especially if you're into maths. The system is also known as the Vernam cipher by the way, if your search hits aren't coming back with enough material. :)


  • Closed Accounts Posts: 1,627 ✭✭✭uprising2


    Lads I'm not saying "I can do it", but it can be done by people with so many billion per year budget. If your computer is connected to a network there's not much your expensive, complicated security features can do about it.


  • Closed Accounts Posts: 4,584 ✭✭✭digme


    uprising2 wrote: »
    Lads I'm not saying "I can do it", but it can be done by people with so many billion per year budget. If your computer is connected to a network there's not much your expensive, complicated security features can do about it.
    You say it like that's a matter of fact, when it's not.


  • Closed Accounts Posts: 1,627 ✭✭✭uprising2


    gizmo wrote: »
    And I can encrypt something with a random one-time pad which you wouldn't be able to decrypt. Therefore you supposition that "all encryption is decryptable" is simply false.

    robtri is also right, all that proves is that your laptop is woefully insecure.

    Your quite right "I wouldn't be able to decrypt"

    My laptop isn't very secure, I was leaning basics and using my other lap as a victim to demonstate to myself how easily it is done by somebody with no formal training in the field.

    All encryption is decryptable though, ask the US military and some genius hackers, time is a factor of course as well as know how.

    One time pad is open source, like openBSD
    "OpenBSD is thought of by many security professionals as the most secure UNIX-like operating system, as the result of a never-ending comprehensive source code security audit"

    Take a look at these:

    http://www.cimt.plymouth.ac.uk/resources/codes/codes_u12_text.pdf

    http://www.red-bean.com/onetime/

    I stand by everything I have said.


  • Closed Accounts Posts: 1,627 ✭✭✭uprising2


    digme wrote: »
    You say it like that's a matter of fact, when it's not.

    Explain, and keep in mind this thread is about backdoors.


  • Moderators, Science, Health & Environment Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 60,110 Mod ✭✭✭✭Tar.Aldarion


    I'm pretty sure, given enough iterations, any encryption is breakable.

    In a billion trillion years you might crack a code, so that does not really matter. you can make it practically unbreakable

    I also thought some were proven impossible to crack as said above, one time pad?


  • Closed Accounts Posts: 1,627 ✭✭✭uprising2


    In a billion trillion years you might crack a code, so that does not really matter. you can make it practically unbreakable

    I also thought some were proven impossible to crack as said above, one time pad?

    one-time pad is touted as unbreakable....
    Note that the one-time pad method depends completely on the quality of the pad data; if the pad is not truly random, the security of your messages cannot be guaranteed.


    Unbreakable codes
    Certain types of encryption, by their mathematical properties, cannot be defeated by brute force. An example of this is one-time pad cryptography, where every cleartext bit has a corresponding key bit. One-time pads rely on the ability to generate a truly random sequence of key bits. A brute force attack would eventually reveal the correct decoding, but also every other possible combination of bits, and would have no way of distinguishing one from the other. A small, 100-byte, one-time-pad–encoded string subjected to a brute force attack would eventually reveal every 100-byte string possible, including the correct answer, but mostly nonsense. Of all the answers given, there is no way of knowing which is the correct one. Nevertheless, the system can be defeated if not implemented correctly, for example if one-time pads are re-used or intercepted.
    Problems
    Despite Shannon's proof of its security, the one-time pad has serious drawbacks in practice:

    it requires perfectly random one-time pads
    secure generation and exchange of the one-time pad material, which must be at least as long as the message. (The security of the one-time pad is only as secure as the security of the one-time pad key-exchange).careful treatment to make sure that it continues to remain secret from any adversary, and is disposed of correctly preventing any reuse in whole or part — hence "one time". See data remanence for a discussion of difficulties in completely erasing computer media.
    The theoretical perfect security of the one-time-pad applies only in a theoretically perfect setting; no real-world implementation of any cryptosystem can provide perfect security because practical considerations introduce potential vulnerabilities. These practical considerations of security and convenience have meant that the one-time-pad is, in practice, little-used. .
    Implementation difficulties have led to one-time pad systems being broken, and are so serious that they have prevented the one-time pad from being adopted as a widespread tool in information security


  • Moderators, Science, Health & Environment Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 60,110 Mod ✭✭✭✭Tar.Aldarion


    I'm just saying its possible. :p the length of time take to crack some codes means it may as well be infinity


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 8,405 ✭✭✭gizmo


    uprising2 wrote: »
    one-time pad is touted as unbreakable....

    Implementation difficulties have led to one-time pad systems being broken, and are so serious that they have prevented the one-time pad from being adopted as a widespread tool in information security
    It is unbreakable when, as I pointed out above, a truly random pad is used. There are difficulties in producing this of course and when it is done incorrectly it leaves the encrypted material open to decryption, that does not mean the method is not unbreakable when implemented correctly however.

    As I said to another poster, read into the method, understand the logic behind it and you'll understand why it's unbreakable when implemented correctly.


  • Registered Users, Registered Users 2 Posts: 7,182 ✭✭✭Genghiz Cohen


    I'm just saying its possible. :p the length of time take to crack some codes means it may as well be infinity

    And that's why Quantum Computing is raising serious questions about security.

    Time is not an issue to a QC.

    I still don't get how the one time pads are unbreakable.
    If you can get a list of possible one time pads, can't you apply them to the encrypted file and see with one gives back readable text?

    (All my posts so far have ignored the time factor in cracking a cypher, the statement was "It's impossible" with no mention of time restraints)


  • Registered Users, Registered Users 2 Posts: 8,405 ✭✭✭gizmo


    And that's why Quantum Computing is raising serious questions about security.

    Time is not an issue to a QC.

    I still don't get how the one time pads are unbreakable.
    If you can get a list of possible one time pads, can't you apply them to the encrypted file and see with one gives back readable text?

    (All my posts so far have ignored the time factor in cracking a cypher, the statement was "It's impossible" with no mention of time restraints)
    There is no "list" of possible pads though. Look at the conditions below and imagine how they could be applied to brute forcing an encrypted message.
    If the key is truly random, as large as or greater than the plaintext, never reused in whole or part, and kept secret, the ciphertext will be impossible to decrypt or break without knowing the key


  • Registered Users, Registered Users 2 Posts: 7,182 ✭✭✭Genghiz Cohen


    gizmo wrote: »
    There is no "list" of possible pads though. Look at the conditions below and imagine how they could be applied to brute forcing an encrypted message.

    Uprisings quote
    A brute force attack would eventually reveal the correct decoding, but also every other possible combination of bits, and would have no way of distinguishing one from the other. A small, 100-byte, one-time-pad–encoded string subjected to a brute force attack would eventually reveal every 100-byte string possible, including the correct answer, but mostly nonsense. Of all the answers given, there is no way of knowing which is the correct one.

    So now you have a list of pads, one of them correct.
    Why can't you just (as if it were a simple matter) use each one in turn to try and decode the text?

    Am I misunderstanding the entire process?


  • Closed Accounts Posts: 4,584 ✭✭✭digme


    uprising2 wrote: »
    Explain, and keep in mind this thread is about backdoors.
    What do you want me to explian?
    I was calling you on your comment where you said if it's connected to a network they can get into your computer.I said that's not true.You make it sound so clean cut and simple.


  • Registered Users, Registered Users 2 Posts: 8,405 ✭✭✭gizmo


    Uprisings quote

    So now you have a list of pads, one of them correct.
    Why can't you just (as if it were a simple matter) use each one in turn to try and decode the text?

    Am I misunderstanding the entire process?
    Well the part you quoted actually answers your question. :)

    Let's take a simpler example, take a 5-digit piece of cipher text "GHSPW". Now, using the brute force attack mentioned above, the output would be every single possible five letter permutation, or "word" if you will. Unfortunately you have no idea which one is correct and because the key values are non-repeating, they cannot be used for subsequent words so for every word you'd have to start from scratch.

    So in practice, that piece of cipher text could mean either "bombs" or "paper" and you won't know if it's right, ever. Unless of course you're decrypting something which doesn't use a random key or you happen to intercept the pad being used. :)


  • Closed Accounts Posts: 1,627 ✭✭✭uprising2


    digme wrote: »
    What do you want me to explian?
    I was calling you on your comment where you said if it's connected to a network they can get into your computer.I said that's not true.You make it sound so clean cut and simple.

    Digme, I'm not 100% up on computer security, I'm not a total novice either, I never said any oul joe can do it, but while your connected to the net you have an IP, with the right tools,resources and know how ($ billion budget, the mossad, cia, etc), that IP can be subjected to attacks and have little undetectable scripts, trojans, etc planted somewhere deep within your operating system, we'll probably learn how effective they were in about in 10 years time or so, please dont ask for proof.

    Backdoors etc in operating system would allow intelligence agencies with your IP address to use that as a gateway into your system and should they want retrieve anything they may want from your system.

    I dont know what it is you do, if you work in IT security or whatever, but whatever you learn is not the same as what hackers in these agencies learn, also whatever they know they will keep secret, they wont announce "ohh look what we've discovered".

    Remember man made computers and security for them, nothing is secure on the net, I never said it was simple or not time consuming, just possible and easier than we'll ever be let know.

    Rainbow tables v's bruteforce (a simple example for reference,not really relevant here), RTables (with large GB files) can do in sec's/mins what bruteforce can do in hours for instance, (I know!!! salt etc), so why would a multi billion dollar agency not have much more advanced techniques and trade secrets.

    Remote desktop for instance, I can allow you to practically control my computer from wherever you are, with my permission of course.

    Ettercap,wireshark, etc are joe public tools, much more sophisticated tools would be available to the suits and gifted hackers on their payroll.

    So again I say, nothing is secure, its a myth, theoretically you can have your front door made from 5" thick steel and somebody can climb on your roof, remove a few tiles and in they get.


  • Registered Users, Registered Users 2 Posts: 7,182 ✭✭✭Genghiz Cohen


    gizmo wrote: »
    Well the part you quoted actually answers your question. :)

    Let's take a simpler example, take a 5-digit piece of cipher text "GHSPW". Now, using the brute force attack mentioned above, the output would be every single possible five letter permutation, or "word" if you will. Unfortunately you have no idea which one is correct and because the key values are non-repeating, they cannot be used for subsequent words so for every word you'd have to start from scratch.

    So in practice, that piece of cipher text could mean either "bombs" or "paper" and you won't know if it's right, ever. Unless of course you're decrypting something which doesn't use a random key or you happen to intercept the pad being used. :)

    Ahhhh, gotcha! Nice example too :D


  • Registered Users, Registered Users 2 Posts: 5,473 ✭✭✭robtri


    on the one time use pad....
    how does the reciever of the encrypted message ... read it??? where does the proper recipient get the key????


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 8,405 ✭✭✭gizmo


    robtri wrote: »
    on the one time use pad....
    how does the reciever of the encrypted message ... read it??? where does the proper recipient get the key????
    This example is nice and easy to follow.

    As you can see, the receiver will have a copy of the key which they will use to decrypt the message.


  • Closed Accounts Posts: 1,627 ✭✭✭uprising2


    gizmo wrote: »
    This example is nice and easy to follow.

    As you can see, the receiver will have a copy of the key which they will use to decrypt the message.



    Key point: A stream cipher is essentially a chained block cipher with a block size of 1 (either 1-bit or 1-byte). It generates a keystream against which it XORs the plaintext, operating much like a one-time pad, though less secure in theory but more secure in practice.
    http://www.linuxsecurity.com/resource_files/documentation/hacking-dict.html

    EDIT:
    I fully appreciate the very high standards of OTP, but computers are constantly evolving, more powerful,faster, etc, I'm sure we all had a clugger that took 2 hours to simply start up, but things have changed, suppose having something much more advanced than rainbow tables, 10,000 of the fastest processors currently available connected and working in unity, 1,000,000GB's or so RAM, a possible combination file of 1,000's of TB's, (I said imagine!), how long would you expect it to crack One Time Pad?
    Hacking – Brute Force & Rainbow Table explained
    Memory Space Trade Off
    It is a situation in which time taken for processing can be reduced at the cost of space and vice versa. To make it very clear, lets see this again with the help of an example. In the previous example, we can process the different combination before hand and then store them in a file. And when you need to break a password, combinations are retrieved from that file and this lessens the load on the processor. The only time consumption in this case is the retrieval of data from that file. This file is what is known as a Rainbow Table. It can break passwords in a few minutes and in even a few seconds depending how strong is the password. It can be obtained from the World Wide Web but beware of its size. Its size is in GBs.
    http://blog.ashfame.com/2007/12/hacking-brute-force-rainbow-table-explained/


  • Registered Users, Registered Users 2 Posts: 8,405 ✭✭✭gizmo


    uprising2 wrote: »
    Key point: A stream cipher is essentially a chained block cipher with a block size of 1 (either 1-bit or 1-byte). It generates a keystream against which it XORs the plaintext, operating much like a one-time pad, though less secure in theory but more secure in practice.
    http://www.linuxsecurity.com/resource_files/documentation/hacking-dict.html

    EDIT:
    I fully appreciate the very high standards of OTP, but computers are constantly evolving, more powerful,faster, etc, I'm sure we all had a clugger that took 2 hours to simply start up, but things have changed, suppose having something much more advanced than rainbow tables, 10,000 of the fastest processors currently available connected and working in unity, 1,000,000GB's or so RAM, a possible combination file of 1,000's of TB's, (I said imagine!), how long would you expect it to crack One Time Pad?
    Never, because despite your constant protestations the encryption has been mathematically proven to be undecryptable when implemented correctly. I have already shown in the example above that finding a solution isn't really hard, the problem is, you'll never know if it's the right one regardless of how fast computers become.


Advertisement