Re: GOST key gen?

"George Orwell" <nobody@xxxxxxxxxxxx> wrote in message news:089c5450f06212a06ac0e344687b4004@xxxxxxxxxxxxxxx
On Thu, 21 May 2009 21:59:01 -0700, "Joseph Ashwood" <ashwood@xxxxxxx>
Actually, open versus closed source has nothing to do with security; it is a
common misconception that it is otherwise.

A backdoor can be integrated into open source just as easily. SSH's history speaks very well on this: one of the early implementations accidentally used the all-zero key 255/256 times, an accidental, but still highly effective, backdoor, all the way to the most recent critical vulnerability, again an accidental, but critical, backdoor. I also remember an Obfuscated C Code style competition to implement such a backdoor in the most hidden manner.

Closed-source does make backdoors generally easier, but with modern decompilers everything is quickly becoming open source; one look at the dissections of Skype shows just how ineffective even extreme attempts at guarding the code are.

