I don't buy into conspiracy theories often, but I really can't see how you can fail to follow your own RFC. If he had a check in there to make sure the payload_length wasn't too large, I would say "hey, he forgot to make sure it wasn't too small, and he never even mentioned checking if it was too small in the RFC"... but he actually never checked for anything... so maybe it is just a mistake. He definitely failed to follow his own RFC, which never mentioned making sure the length was correct, just that it wasn't too big, and that's something he never did. I don't get how the reviewer can miss it too, like it's code for an RFC the reviewer is COMPLETELY new to... so at first the code looks a bit mad until you read the RFC, then you realize right away that he's missing shit. Seems silly; I don't think the reviewer ever read the RFC.

On Sat, 2014-04-12 at 02:48 +0200, tpb-crypto@laposte.net wrote:
Message of 11/04/14 20:33 From: "Cypher"
I agree that there is no proof that this bug was introduced on purpose and it might be a simple oversight (no matter what it looks like or could be). We have to keep in mind that one of the things spies do is sow suspicion and doubt - it's a powerful weapon! All these vulnerabilities we're finding in critical software /might just be/ mistakes and oversights. Or they might be deliberate attacks by the NSA/GCHQ. Part of the power these agencies wield is that /we'll likely never know/ and so we suspect...everyone. Everything.
Too many bugs, in too many convenient places. One or two may be a coincidence; several of them, as appears to be the case, are not. We know who did it, and now, even if it is a coincidence, the NSA will be pointed at as the culprit.
The timing of the code's inclusion in the tree cannot be a coincidence. There's one more thing we have to look at. When nobody is paying attention, someone is trying to sneak in bad code.
The NSA's mandate was to protect the people, not to make them vulnerable. Disbanding such a rogue organization would be the right thing to do.
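The length check the thread is arguing about, as an added illustration that is not code from the thread, from OpenSSL, or from the RFC itself. It models the RFC 6520 HeartbeatMessage layout (type, two-byte payload_length, payload, at least 16 bytes of padding) over a constructed in-process bytearray standing in for a heap buffer, and places a responder that trusts payload_length beside one that applies the RFC's rule to discard any message whose claimed payload does not fit in the record it arrived in. The function names, the constructed record, and the stand-in "secret" bytes after it are all assumptions made for the example.

```python
"""Simulated heartbeat responder: unchecked vs. RFC 6520 length-checked.

Assumed message layout (per RFC 6520):
  type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
This is an added example, not the thread's or OpenSSL's code; the "memory"
bytearray is a constructed stand-in for a record sitting in a larger heap buffer.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 1 + 2  # type byte + two-byte payload_length


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Build a HeartbeatRequest; claimed_length lets a test mis-state the length."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + padding


def respond_unchecked(memory: bytearray, record_start: int) -> bytes:
    """Pre-fix behaviour (simulated): trusts payload_length and copies that many
    bytes from where the payload starts, even past the end of the record."""
    _, payload_length = struct.unpack_from("!BH", memory, record_start)
    payload_start = record_start + HEADER_LEN
    echoed = bytes(memory[payload_start:payload_start + payload_length])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def respond_checked(memory: bytearray, record_start: int, record_len: int) -> Optional[bytes]:
    """Fixed behaviour: apply the RFC 6520 check before touching the payload.
    Returns None when the message must be silently discarded."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None  # no room for even header plus minimum padding
    hb_type, payload_length = struct.unpack_from("!BH", memory, record_start)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > record_len:
        return None  # claimed payload does not fit in the record: discard
    payload_start = record_start + HEADER_LEN
    echoed = bytes(memory[payload_start:payload_start + payload_length])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def demo():
    """Constructed scenario: a 2-byte payload that claims to be 40 bytes, followed
    in the same buffer by unrelated data the responder should never echo."""
    record = build_heartbeat(b"hi", claimed_length=40)
    adjacent = b"-----BEGIN PRIVATE KEY-----"  # constructed stand-in for neighbouring heap data
    memory = bytearray(record + adjacent)
    return respond_unchecked(memory, 0), respond_checked(memory, 0, len(record))


if __name__ == "__main__":
    unchecked, checked = demo()
    print("unchecked response echoes adjacent bytes:", b"PRIVATE KEY" in unchecked)
    print("checked response:", checked)
```

The check is one comparison against the record length that the receiver already knows; the unchecked path is what the thread means by "never checked for anything". Both versions are deliberately kept identical apart from that comparison so the diff between them is the whole fix.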