RE: A Combination of IPSEC, Multiple Wan's and 802.3ad Link Aggregation for Top Secure TCP transmission
Aware of it. (20 years old thing)
That old fact is based on the strategy that most of the OpenBSD code came as reverse engineering / ports of BSD itself. For a long time, BSD and RedHat were a channel for implementing exploits through code ports.
In the case of Gregory Perry, it's not the first nor the last time he tried to gain some publicity for his "ethical doings"... However, if he was ethical, he would not have signed an NDA for such a project in the first place, rather than waiting 10 years to "deal ethically". An NDA does not apply to criminal activity and law breaches, so the whole story of the guy is a bit of cheap talk, since that NDA was illegal itself and can't stand in any court - nor would the FBI ever push that to trial at the cost of raising public concerns. Moreover, an NDA could not be signed for a period of more than 5 years from the end of employment (court practice).
That, however, does not go against the fact that BSD and RedHat were a primary channel for "infecting" other open source projects at the time, as most vulnerabilities got ported along with the code, and were sneaky enough to simply get missed in the process. That way, vulnerabilities were introduced by people who were totally unaware of what they were doing, while in fact you can't attack gov. agencies for exploits in commercial products when accepting these terms within the user agreements. Just take a look at the RedHat user agreement. It's not the gov to blame that someone ported the code from RedHat or BSD, directly breaching the license, and pulled the vulnerability in with the port.
Luckily, today distro maintainers pay much more attention, due to the fact you presented.
All he needs to do is admit that his company induced the vulnerability by porting the code without even looking at what they were porting, rather than presenting himself as an "ethical guy"...
The distros his company created for internal FBI use are a whole other story. But again, it's used to present himself as a nice guy after losing much of his credibility in both the public and gov sector.
Yeah from what I read this guy just wanted to make a quick buck.
I like the direction where OpenBSD is going now with all the weird experimental security features they are trying in the kernel etc. I hope this kind of thing won't ever happen again :) Thanks for the thorough comment. I assume you have been to Defcon and are probably a big BSD fan :)
I like how it's heading too, but actually I'm not a fan of Defcon or BSD at all :)
As stated, BSD has been used for a while as a method to put in sneaky vulnerabilities that indirectly end up in open source projects through ports, making it close to impossible to accuse gov. agencies of them, since porting is not fully legal. It was a sneaky way to infect other distros. Even Apple dropped their line of products such as Time Capsule / AirPort Express (BSD based) over many flaws they were unable to control. I would say it will take time to get my confidence back. Personally, I prefer Gentoo for mission critical systems, or Debian for less sensitive work.
Def Con, again, is too much gov. sponsored. It's close to impossible to present something that really affects millions of users. Such as: https://hal.archives-ouvertes.fr/hal-01759199/document :)
When I demonstrated the ability to forward any mobile number through SS7 flaws at GSMA / MWC back in 2013 in front of a security audience, the unofficial talks with Def Con reps were something like "It's far better to push MNOs to fix the issues, rather than cause pandemic attacks by making it further publicly visible". - Right :) If I found some flaws in ZTE or Huawei, that would probably get into the headlines. Millions of affected users - who cares :) It was not the flaw, it was the design.
But not much into it lately. Assuming you were poking about being a fan of BSD and def-con :)
This pic from the NSA, "I hunt sysadmins", sums up my view of Defcon; also there are lots of NSA and FBI there. (GCHQ is also probably there and they can die in a fire)
I volunteer at a security con in my area every year, but it's mostly organized by like-minded people. I also started a security meetup, but I'm hardly involved anymore.
I actually trust the BSDs more than Linux. I hear what you are saying about BSD, but remember Linux is not immune to security issues being purposefully inserted into the distro in whatever way. Did you forget about this one: https://www.schneier.com/blog/archives/2008/05/random_number_b.html? :)
I am no longer a Gentoo person, sorry to say. I was involved in anapnea.net back in the day, just as a lurker mostly. So I've had my fair dose of Gentoo. I like Grsecurity; this is probably the most real Linux security related project and they are definitely doing something right, otherwise they wouldn't be getting such harsh reactions from the rest of the world.