OpenBSD IPSec backdoor allegations: triple $100 bounty

In case you hadn't heard: Gregory Perry alleges that the FBI paid OpenBSD contributors to insert backdoors into OpenBSD's IPSec stack, with his (Perry's) knowledge and collaboration.

If that were true, it would also be a concern for FreeBSD, since some of our IPSec code comes from OpenBSD.

I'm having a hard time swallowing this story, though. In fact, I think it's preposterous. Rather than go into further detail, I'll refer you to Jason Dixon's summary, which links to other opinions, and add only one additional objection: if this were true, there would be no “recently expired NDA”; it would be a matter of national security.

I'll put my money where my mouth is, and post a triple bounty:

1. I pledge USD 100 to the first person to present convincing evidence showing:

   • that the OpenBSD Crypto Framework contains vulnerabilities which can be exploited by an eavesdropper to recover plaintext from an IPSec stream,
   • that these vulnerabilities can be traced directly to code submitted by Jason Wright and / or other developers linked to Perry, and
   • that the nature of these vulnerabilities is such that there is reason to suspect, independently of Perry's allegations, that they were inserted intentionally—for instance, if the surrounding code is unnecessarily awkward or obfuscated and the obvious and straightforward alternative would either not be vulnerable or be immediately recognizable as vulnerable.

2. I pledge an additional USD 100 to the first person to present convincing evidence showing that the same vulnerability exists in FreeBSD.

3. Finally, I pledge USD 100 to the first person to present convincing evidence showing that a government agency successfully planted a backdoor in a security-critical portion of the Linux kernel.

Additional conditions:

• In all three cases, the vulnerability must still be present and exploitable when the evidence is assembled and presented to the affected parties. Allowances will be made for the responsible disclosure process.
• Exploitability must be demonstrated, not theorized.
• I will not evaluate the evidence myself, but rely on the consensus of the OpenBSD, FreeBSD, Linux and / or infosec communities.
• Primacy will be determined in a similar manner.
• The evidence must be presented, and the bounty claimed, no later than 2012-12-31 23:59:59 UTC—a little more than two years from today.
• The bounty will, at the claimant's discretion, either be transferred to the claimant by PayPal—no cash, checks, direct deposits or wire transfers—or donated directly to a non-profit of his or her choice.

[2010-12-16 fixed link]

Tidenes mest overvurderte skiløper

Nå er jeg faen meg drit lei av å høre om Petter Northug.

Hovedsaken i Norgesnyhetene på Radio Norge i ettermiddag var Northugs «fantastiske comeback». Han kom nemlig på 13. plass i 15 km i verdenscupen i dag. Marit Bjørgens gullmedalje i 10 km ble nevnt i en bisetning. At det er hennes sjette seier så langt i verdenscupen, eller at hun leder sammenlagt med nesten 40% flere poeng enn nummer to, fikk vi ikke høre noe om.

Jeg skulle tro de fleste ville være enige i at seks førsteplasser og 540 poeng er hakket mer imponerende enn én trettendeplass og 20 poeng.

Vi fikk heller ikke høre noe om at de norske kvinnene har mer enn dobbelt så mange poeng som mennene og at Norge leder cupen (med knapp margin foran Sverige) ene og alene takket være kvinnenes innsats.

Avisene er ikke spesielt bedre: Northug havner i full bredde på toppen av nettsidene, mens Marit Bjørgen og Tora Berger (som reddet skiskytterstafetten, riktignok godt hjulpet av at Frankrikes Marie Laure Brunet skjøt seg bort på siste stående) får mindre saker langt nede. Aftenposten vier Tora Berger tre avsnitt med ren avskrift fra NTB.

NRK-sporten begynner på sin side kveldssendingen med en sak om at skiskyttermennene ønsker seg mer av oppmerksomhet. Marit Bjørgens sjette verdenscupgull får andreplass, før de går videre til gulvvask curling og engelsk seriefoppall. Skiskytterkvinnene nevnes ikke med ett ord.

Nei, mediene vil heller snakke om en bortskjemt trønder med divanykker som han overhodet ikke har gjort seg fortjent til, og som er totalt blottet for sportsånd og respekt for lagkamerater, motstandere, presse og publikum. En skiløper som sjelden leverer når det gjelder, men som vi blir fortalt er blitt bedt om å holde igjen på trening for ikke å demoralisere lagkameratene. Et par uker senere er han på alle avisforsider – fordi han har tatt gull? Nei, fordi han visstnok er overtrent og muligens må stå over flere løp. Det gir ham i hvertfall en god unnskyldning for å gjøre det dårlig i 2010-2011-sesongen.

Jeg husker så altfor godt 30 km skibytte fra Vancouver tidligere i år, der Northug kom på 11. plass. NRKs kommentatorer brukte stort sett hele løpet på å fortelle seerne at Northug gikk taktisk, at han sparte på kreftene for å sette inn støtet mot slutten og ta gull... mens resten av verden hadde skjønt allerede halvveis i klassisken at han rett og slett ikke hadde en sjanse. Jeg har sjelden opplevd noe så pinlig.

Vær så snill, folkens: la oss få høre mer om de som faktisk presterer, og mindre om de som bare poserer. La oss få høre mer om Marit Bjørgen og resten av kvinnelandslaget! La oss få høre mer om kvinnehåndball, om Katrine Lunde Haraldsens fantastiske prestasjon i Lillehammer denne uken! Og vær så snill, la oss få slippe å høre mer om Northug. I hvertfall til han kommer seg opp på pallen igjen.

[2010-12-15 rettet en stavefeil]

I'm so indie, only I can understand my art

I have to stop buying those indie games that get rave reviews from “New Games Journalism” sites and are promoted on the front page of Steam and included in “mid-week madness” packages. I mean, I like indie games, and I like the idea of a cottage industry of game designers who risk everything on a crazy idea that no major studio (except Valve) would touch with a ten-foot pole simply because they have nothing to lose anyway, but seriously, you may think of yourself as the next Peter Molyneux or John Romero or Gabe Newell or David Cage, but you see, Molyneux, Romero, Newell and Cage know something you still haven't learned: it doesn't matter how innovative your game is, it still has to be playable.

Random list of “innovative” indie games that are actually complete crap:

• Can't-remember-the-title that was heralded as the indie game that would revolutionize the game industry: tried the demo. I got a scrolling blue screen that was supposed to evoke the idea of sinking further and further into the deep blue sea and a thingy in the middle of it that I could move around with the mouse. The thingy sank further and further into the deep blue sea. Nothing happened. I failed to suspend my disbelief in the sanity of gaming journalists. Last I heard, it was slated to be reworked into a full-blown PlayStation game.
• Brainpipe: huh? It only qualifies as innovative if you've never played any of a zillion games, including early 1980s arcade games, that are exactly the same except the thingy you move around with your mouse is a spaceship instead of an iris. I got to level 5 (out of 10) on my first and only try, even though the screen went black for most of level 3 and I was too busy trying to apparate the task manager to even move the mouse.
• ProtoGalaxy: pretty graphics, annoying physics and crappy controls. So bad that I played it for only ten minutes including the tutorial before uninstalling it. Basically a botched clone of PixelJunk Shooter, which itself is a fantastic remake of Fort Apocalypse). If you want PixelJunk Shooter, you know where to find it.
• Galcon Fusion: OK, doesn't actually pretend to be cutting edge, just a new and extended take on an old theme. Reasonably good-looking with simple mechanics that are easy to learn. The trouble is that I played for less than an hour (57 minutes, to be exact), and in that time, I figured out how to beat two of the game modes in less than half a minute per round, nine times out of ten, at “Grand Admiral” level (maximum difficulty). I got to “Admiral” in a third mode and “Commander” in a fourth before I decided that I had better things to do with my time. Still, not bad if your only other options are Freecell, Minesweeper and watching paint dry. Actually, this is the only game on the list that ranks higher than watching paint dry. Except maybe Brainpipe.

Just so you won't think I hate all indie games, here are a couple that I do enjoy:

• Oasis: the first indie game I ever bought. A bit like minesweeper except with more varied gameplay, an actual story, progression and an element of strategy. All in all a great casual game. Not quite sure it qualifies as independent, though.
• Mole Control: childish—in a good way—but not as simple as it appears at first glance, especially if you're gunning for perfect on every level. It's basically minesweeper, except you can only uncover tiles that are adjacent to already-uncovered tiles, and you have a few extra tricks up your sleeve.
• Chime: need I say more? If you don't have it already, buy it. Now. A tip, though: Chime is not Tetris. Chime is Chime. It'll confuse the hell out of you until you stop trying to play Tetris.

Yes, all three are casual games—but most indie games are either casual or arcade games, with a few notable exceptions such as Darwinia. With a little talent, imagination and perseverance, two guys and a dog can write a game engine, but it takes a lot of resources to create assets (script, levels, graphics, music, sound effects etc.) for a decent adventure, RPG or RTS game.

I'd also like to list some non-indie games which were nonetheless marketed as indie and which, despite (I assume) multi-million-dollar development budgets and rave reviews were, in my humble opinion, fundamentally crap:

• Psychonauts: the graphics and mechanics hurt my brain. The story was so far out it could have been written by Neil Gaiman if Neil Gaiman wrote for the love of money and not for the love of a good story and he was on crack. The characters were either wet rags or total assholes. The gameplay was a mish-mash of various been-there-done-thats. I gave up after two levels because I simply couldn't suspend my disbelief or identify with any of the characters. Strangely, Psychonauts was the brainchild of Tim Schafer, author or co-author of such classics as the Monkey Island series, Day of the Tentacle, Full Throttle and, more recently, Brütal Legend.
• Lucidity: ummm... it's a platformer... except the controls are crap and so are the physics. Yeah, the story is cute and the graphics are pretty. So what? It's still unplayable.

One indie-except-not-really game (or, to be precise, game series) that most definitely does not suck is the Sam & Max series. By the way, how did they manage to make a third series after Sam & Max basically destroyed the world in the final episode of the second series? Oh, and I guess I should also mention the Penny Arcade games.

¹ I use the term “indie” in the sense of a small game developer, possibly even just one or two people, who design, develop, publish and market their games with little or no assistance. By some definitions, studios like Funcom (300+ employees) are also independent developers, but I call bullshit on that; they are independent simply because they have the resources to do for themselves what publishers do for other developers. Besides, Funcom made plenty of games for big-name publishers such as Sony, Sega and Disney in their infancy, including the infamous Pocahontas.