Re: Allegations regarding OpenBSD IPSEC

From: patrick keshishian
Date: Wednesday, December 15, 2010 - 2:01 pm

On Wed, Dec 15, 2010 at 12:36 PM, Damien Miller <djm@mindrot.org> wrote:

seriously?

# - that the OpenBSD Crypto Framework contains vulnerabilities
#   which can be exploited by an eavesdropper to recover plaintext
#   from an IPSec stream,

There is a big assumption about the alleged backdoor or
leak; i.e., that it is used to directly extract "plaintext"
out of an IPSEC stream. OK. Maybe reasonable.

# - that these vulnerabilities can be traced directly to code
#   submitted by Jason Wright and / or other developers linked
#   to Perry, and

Do they really have to be linked back to Perry? Is that
really the important factor in the alleged backdoor's
existence?

# - that the nature of these vulnerabilities is such that there
#   is reason to suspect, independently of Perry's allegations,
#   that they were inserted intentionally -- for instance, if the
#   surrounding code is unnecessarily awkward or obfuscated and
#   the obvious and straightforward alternative would either not
#   be vulnerable or be immediately recognizable as vulnerable

Oh, so the alleged backdoor if present _must_ be in
the form of obfuscated code. Oooookay...


# - Finally, I pledge USD 100 to the first person to present
#   convincing evidence showing that a government agency
#   successfully planted a backdoor in a security-critical
#   portion of the Linux kernel.

So not only does one have to find the alleged backdoor, but
also link its author to a "government agency" .. via
how I wonder, payroll stub, signed contract, confession?
OK, maybe not too unreasonable, but it still gives a nice
loophole for the blogger to recant on his bounty.

# - In all three cases, the vulnerability must still be present
#   and exploitable when the evidence is assembled and presented
#   to the affected parties. Allowances will be made for the
#   responsible disclosure process.

Must still exist? So proving that at some point the
alleged backdoor existed and was placed in there by
an FBI/NSA pawn isn't good enough, but the alleged
backdoor must still exist. Nice...

# - Exploitability must be demonstrated, not theorized.

Ahh... must be demonstrated. So not only do you need
to show there is an alleged leak but you must also
know the means by which the NSA or FBI intended to
use the alleged leak.

But OK.
--patrick