We should probably assume all the major and important companies in our everyday technologies have been asked to do it. Microsoft was asked to put one at least in Bitlocker, too:
It doesn't necessarily mean that they all agreed, but we should assume the closed source ones did it (since we can't verify now anyway), while the open source ones should be audited much more carefully from now on.
I'm at Microsoft and I had lunch with Niels Ferguson the other day. He's still in the Windows division, overseeing the crypto implementation in Windows. His opinion expressed here http://blogs.msdn.com/b/si_team/archive/2006/03/02/542590.as... hasn't changed.
EDIT: For some reason I can't reply to cperceiva directly at tis time. Perhaps I've commented too much in the last few hours? Anyway...
It's a fair question. I don't actually know all of the checks which are in place around the security critical parts of the code, but I have been by the care, ability, and professionalism of the people I've met who work on it.
It always seems to come down to having people we can trust cooperating in an environment of trust-and-verify, i.e., audit and review. My gut feeling is that the core crypto libraries, including the code securing Bitlocker encryption, are probably one of the worst places for a rogue insider to try to hide a bugdoor.
How much do you trust the least trustworthy person who has write access to your code?
My biggest concern isn't that Microsoft or Apple or Red Hat might agree to include a back door in their software; but rather that individual developers might be bribed to "accidentally" introduce exploitable bugs.
> Torvalds responded 'no' while shaking his head 'yes'
This is a bit of a pet peeve. For those who can't tell the difference between nod and shake:
A nod of the head is a gesture in which the head is tilted in alternating up and down arcs along the sagittal plane. In many cultures, it is most commonly, but not universally, used to indicate agreement, acceptance, or acknowledgment. [Source: http://en.wikipedia.org/wiki/Nod_(gesture)]
The Head Shake is a gesture in which the head is turned left and right along the transverse plane repeatedly in quick succession. In many cultures, it is most commonly, but not universally, used to indicate disagreement, denial, or rejection. [Source: http://en.wikipedia.org/wiki/Head_shake]
It's probably worth mentioning that OpenBSD similarly had some controversy a little while back. Allegedly, someone working in the IPSEC portion of the code may have been asked to do the same according to an email received by Theo :
10 comments
[ 2.3 ms ] story [ 33.7 ms ] threadThis was taken out of context after he made a joke spawning from a question posed via the audience.
(Source: I was there)
http://mashable.com/2013/09/11/fbi-microsoft-bitlocker-backd...
It doesn't necessarily mean that they all agreed, but we should assume the closed source ones did it (since we can't verify now anyway), while the open source ones should be audited much more carefully from now on.
EDIT: For some reason I can't reply to cperceiva directly at tis time. Perhaps I've commented too much in the last few hours? Anyway...
It's a fair question. I don't actually know all of the checks which are in place around the security critical parts of the code, but I have been by the care, ability, and professionalism of the people I've met who work on it.
It always seems to come down to having people we can trust cooperating in an environment of trust-and-verify, i.e., audit and review. My gut feeling is that the core crypto libraries, including the code securing Bitlocker encryption, are probably one of the worst places for a rogue insider to try to hide a bugdoor.
My biggest concern isn't that Microsoft or Apple or Red Hat might agree to include a back door in their software; but rather that individual developers might be bribed to "accidentally" introduce exploitable bugs.
Take a look at some of the Underhanded C Contest entrants, some of them are so perfectly evil, and plausibly deniable to boot.
http://underhanded.xcott.com/?page_id=22
A nod of the head is a gesture in which the head is tilted in alternating up and down arcs along the sagittal plane. In many cultures, it is most commonly, but not universally, used to indicate agreement, acceptance, or acknowledgment. [Source: http://en.wikipedia.org/wiki/Nod_(gesture)]
The Head Shake is a gesture in which the head is turned left and right along the transverse plane repeatedly in quick succession. In many cultures, it is most commonly, but not universally, used to indicate disagreement, denial, or rejection. [Source: http://en.wikipedia.org/wiki/Head_shake]
No he didn't. He said yes and no at the same time to comic effect.
He never admits or indeed denies anything.
http://marc.info/?l=openbsd-tech&m=129236621626462