I met a software engineer that insisted technologies like OpenSSH with an open source licence might have back doors known by the government.

Does that have any chance to be true?

That software engineer is a windows shill so he is trying to deter you from freedom.

No. There's 0%. 0%. Heh, heh, heh. 0%, goy.

He was actually a hard core FreeBSD user if I recall correctly.

He's right, it MIGHT have.
In the meantime, proprietary technologies like Windows are KNOWN to have backdoors.
en.wikipedia.org/wiki/NSAKEY
gnu.org/proprietary/malware-microsoft.en.html

There has been speculation that some crypto algorithms in OpenSSL, like AES and ECDSA, have mathematical weaknesses that make them easier to crack, especially with special-purpose hardware. The NSA was involved in the development of these algorithms and made some questionable design decisions.

There is no smoking gun, and such flaws wouldn't make it trivial to crack the encryption. They would reduce the time necessary by orders of magnitude but it would still be expensive enough that it could only be used to crack communications or files already regarded as suspicious. There is not enough computing power to decrypt all the traffic flowing through an ISP with this technique.

Another algorithm in OpenSSL, ed25519, is widely regarded as immune to these attacks.

They have, I've seen 'em.

Well, not seen seen but I've smelled 'em so close.

For a bit more context, there is one (ECDSA) where the government provided "recommended" parameters for strength. It is strongly believed that these parameters are actually backdoored (there's a mathematical explanation for how they could backdoor the parameters).

This kind of encryption is, of course, recommended by the gov't, so many companies opt for the recommended keys. So there are many connections that are insecure by default.

Most of open source is gov-funded, in big part from the defense budget.
If you're not paying, you're the product.

Might is better than definitely like with windows 10.

That's a naive view. The best place to hide is in plain sight. After the recent fiasco, Windows will be extremely hard pressed to NOT have backdoors because every script kiddie is looking into it for their moment of fame.

Therefore it's very likely that Windows, under a regime of disabled information services (which is very transparent how to do it), is more secure than the autistic behavior "oh it's linux, it's NEVER insecure".

tl;dr: prepare your anus linuxcuck

there are 3 main ways crypto software can get fucked:

> weak algorithms - e.g., Dual_EC_DRBG, possibly NIST ECC curves
> flawed protocols - overly complicated designs inherently leak information or are just easy to fuck up implementations
> implementation bug/"bugs" - e.g., Heartbleed

the simpler the system, the fewer opportunities that exist for mistakes and backdoors.
in reality, it's just easier for bad actors to get server keys for RSA-style handshakes.
for signed diffie-hellman handshakes (ephemeral/perfect-forward-secrecy or otherwise), compromised RNG in either client/server end is also sufficient, which is scary to think about.

Sure, but it is far less likely. Take a look at The Underhanded C contest.

Look up the whole MODULUS mess.

Hard coded numbers in lots of open source crypto that were attacked for BIG BIG MONEY by the nsa. Never use a default modulus.
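
An added example, not part of the thread: for OpenSSH, the hard-coded Diffie-Hellman groups mentioned above live in the moduli file (typically `/etc/ssh/moduli`, format per moduli(5)), and this sketch reports which group sizes a file offers and filters out the small ones. The 3071-bit threshold, the function names and the sample file (with shortened placeholder moduli) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an OpenSSH moduli file. Fields per moduli(5):
#   timestamp type tests trials size generator modulus
# Field 5 is the prime size in bits as recorded by ssh-keygen (e.g. 2047, 3071).

# Print "<size> <count>" for every group size offered in the file.
moduli_sizes() {
    awk '!/^#/ && NF == 7 { n[$5]++ } END { for (s in n) print s, n[s] }' "$1" | sort -n
}

# Print only entries whose size is at least $2 bits; comment lines are kept.
moduli_filter() {
    awk -v min="$2" '/^#/ { print; next } NF == 7 && $5 + 0 >= min + 0' "$1"
}

# Count entries below $2 bits; non-zero means small groups can still be offered.
moduli_weak_count() {
    awk -v min="$2" '!/^#/ && NF == 7 && $5 + 0 < min + 0 { c++ } END { print c + 0 }' "$1"
}

# Constructed sample: the hex moduli are shortened placeholders, not real primes.
make_sample() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20240101000000 2 6 100 1535 2 F1A2B3C4D5E6F7
20240101000001 2 6 100 2047 2 A1B2C3D4E5F607
20240101000002 2 6 100 2047 5 B1C2D3E4F5A617
20240101000003 2 6 100 3071 2 C1D2E3F4A5B627
20240101000004 2 6 100 4095 2 D1E2F3A4B5C637
EOF
}

# Demo run. MIN_BITS=3071 is an assumed policy threshold, not from the thread.
MIN_BITS=3071
sample=$(mktemp)
make_sample "$sample"
echo "sizes offered:"; moduli_sizes "$sample"
echo "entries below $MIN_BITS bits: $(moduli_weak_count "$sample" "$MIN_BITS")"
echo "filtered file:"; moduli_filter "$sample" "$MIN_BITS"
rm -f "$sample"
```

Filtering only drops the small shipped groups; to stop using the shipped primes altogether, recent OpenSSH releases can generate and screen fresh ones with `ssh-keygen -M generate` and `ssh-keygen -M screen`.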

>inb4 RDRAND

Came here to post this

Let's put it this way: the same team who develops OpenBSD develops OpenSSH. OpenBSD is an entire OS, used due to its security around the world (banks, routers, etc. Very common for top notch security.) OpenBSD has only had 2 remote vulns since it was made in the 90's, so I'd argue it's more secure. It's also included by default in OpenBSD.

Be skeptical, people.
Open sourced does not mean secure and private in any way.
People do malicious stuff under excuse "you can read the code" knowing nobody will do so.

Open source is a necessary condition for software to be considered secure. You're right, however, that it is not a sufficient condition.

...

>That's a naive view.
I disagree. It's a semi-trolling statement that has motivated many a bug hunter into action. More bugs have been found in Linux lately largely due to our smug attitudes and the notoriety that comes from finding them. Patches usually get released almost immediately, so I would say this is a winning situation for Linux. Back when nobody used Linux it WAS safe to assume you'd never have anything to fear, because nobody could be bothered with targeting a few thousand neckbeards who probably really knew their shit and would catch on to anything suspicious. These days, Linux is enjoying a larger, less skilled audience, and this is making it a more profitable target. In short, you have to make some noise to attract the attention of security experts if you want to get the bugs fixed. Especially if you have a small share of the market.

Rewording it.
Open source is a mandatory premise for software to be considered secure. A mandatory condition for software to be considered secure would be constant and accessible audits.

Being closed (thus failing premise) = not secure
Passing premise = potential
Passing premise & condition = secure

>The best place to hide is in plain sight
This is only true, assuming you are up against a human adversary.

Look at how much money Microsoft and Google are dumping into machine learning. It's pretty reasonable to assume that they have reliable ways to find a needle in a haystack.

>disabled information services
How do you really know that they are disabled, though?
Let's assume the worst case scenario: backdoors are built into windows at the kernel level, and there are some "services" which the operating system doesn't expose to userland.

>inb4 traffic analysis
Programs like wireshark ask the OS to provide information about network traffic, and then the program displays it to you. There is nothing stopping a diabolical operating system (not necessarily suggesting that Windows has reached this point) from lying about that information. My point is that if you can't trust your OS, there is no reason to even think about disabling info services.

Yes, we can't trust linux in the same sense, because none of us have a solid grasp of the source code, but it's much easier to trust something made by thousands of individual contributors and a few corporations working together out in the open, than a monolith made by one company behind a veil.

It's far more risky to be malicious and open source your software than to be malicious and proprietary. While I'm not going to read every line of the source code in every open source software I use, I'm not going to be able to do that in proprietary software too and hopefully an independent audit will fix the open source security issue.

yes he's the shitposter that posts in every BSD related thread

merely mentioning it is enough to get him to come in here and whine about shills and cuck licenses

posts like these are how I know there are no real computer scientists here anymore. go back to Sup Forums you windows obsessed manchild

Sup Forums is just Sup Forums-gaymen computers mostly now. 4+4 /tech/ has more technology related threads