On Wed, Dec 15, 2010 at 7:28 AM, mikea <mikea@mikea.ath.cx> wrote:
More to the point, I think it wouldn't be an NDA, but a security classification on the knowledge of the backdoors, and probably one not subject to automatic downgrading.
Someone working on a classified project or having access to classified info would be signing a lot more than an NDA. Which leads me to the conclusion Perry probably did not have access to classified info; a gov't backdoor planted in OpenBSD would probably be classified, so Perry was more likely than not either in error or exaggerating. If Perry really is risking making authorities frustrated for revealing that they have a backdoor, then it does not help the community much for him to withhold the minimal amount of info required to verify the claims. For now it smells of FUD, because the claims are too vague, unsupported, and the extent of what Perry claims to have witnessed has not been explained.

An example of Perry being in error would be if the company was paid to merely develop a backdoor or side channel, but not actually to plant it in their contributed code. The FBI might have wanted proofs of concept, or backdoored versions of code as a "drop-in piece" to use for other projects, for example insider penetration testing, or surreptitious monitoring by planting the backdoored version on specific targeted systems. Proof-of-concept code might have gone nowhere. In that case, it would be impossible to find the backdoor by analyzing the OpenBSD source code. Or a backdoor or coding error made by someone else entirely might be discovered instead. Rewriting instead of merely auditing, of course, presents a risk that new backdoors could be introduced by whoever rewrites.

Even if a backdoor were developed, Perry posted very little info about exactly what he knows and how he knows it, or what his role in the project was, such as the question: 'Did he personally check the contributed code and see the backdoor present?'

-- 
-JH