Re: [bitfolk] NSA and SSL

On Wed, 11 Sep 2013, Andrew Griffiths wrote:
> Snowden hasn't said anything about sudo as far as I know. I just got
> thinking after I heard the news about SSL. If a backdoor could be
> planted in OpenBSD and SSL without anyone noticing for all these years
> then why not with sudo too? I heard some people weren't happy with its
> introduction when it was first released - a bit before my time though!

I think there are two reasons why I think this is unlikely.

Firstly, 'normal' bugs in software - epsecially in often used packages
like sudo - are a lot easier to spot than cryptographic backdoors, which
usually rely on certain mathematical properties making the crypto a lot
less weaker than it seems.

Secondly, sudo escalates privileges on a machine. There are many privilege
escalation vulnerabilities* in all operating systems, so they wouldn't
need to backdoor sudo for that.

* these are subsequently patched. But we can be sure there are ones that
we don't know about, and some of these the NSA does know about.

Martijn.