Home opinion-and-analysis Open Sauce OpenBSD backdoor claims: bugs found during code audit

Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.

Have your say and comment below.

The OpenBSD project has found two bugs during an audit of the cryptographic code in which, it has been alleged, the FBI, through former developers, was able to plant backdoors.


OpenBSD project head Theo de Raadt told iTWire: "We've been auditing since the mail came in! We have already found two bugs in our cryptographic code. We are assessing the impact. We are also assessing the 'archeological' aspects of this.."

The mail he was referring to was sent to him on December 11 by Gregory Perry, a former developer with the project, and claimed that the US Federal Bureau of Investigation had, through some other ex-developers, implemented a number of backdoors in the open cryptographic framework used in OpenBSD.

De Raadt decided to go public with the mail, posting it to the openbsd-tech mailing list, along with his own comments.

In that post, among other statements, he said: "The mail came in privately from a person I have not talked to for nearly 10 years.  I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public so that (a) those who use the code can audit it for these problems, (b) those that are angry at the story can take other actions, (c) if it is not true, those who are being accused can defend themselves."

It must be mentioned here that de Raadt has often copped flak from others in the free software and open source software community for his frankness and openness in dealing with technical and other issues that concern the OpenBSD project. Some years ago, when DARPA suddenly cut funding to the project, after de Raadt had made some pointed comments about the Us invasion of Iraq, he was upfront about it.

"When I received the mail I was in Barbados, and tried to not ruin my wife's vacation by dealing with it then," de Raadt told iTWire. "Upon getting home (to Canada) I decided that was the best approach, since private discussions with two other developers didn't show us other avenues to discuss. We were certain that if we talked to these people who are listed we would not get honesty."

Perry had mentioned two names - Scott Lowe and Jason Wright - and also mentioned "several other developers originating from NETSEC (sic)" in connection with his naming of Wright. The company NetSec was acquired by Verizon in 2006.

Both Lowe and Wright have denied being in any way involved in planting backdoors in the code; Lowe was tracked down by Brian Profitt, a tech writer for ITWorld and a former editor of LinuxToday, who, in the course of his bid to find the man discovered two people with the same name in the same field. Both denied involvement.

Wright denied his involvement in a detailed post in the same thread which de Raadt had started.

"Until 2 days ago I had no idea that both Jason and Angelos (Keromytis) in the past did work for a company that does that business," De Raadt said. "And it is true, wow, that company really was in that business! Now they (the company) belong to Verizon.

"We found out that Angelos (our ipsec developer) also did a period of contract work for that company. The mail did say it wasn't just Jason."

OpenBSD was started by de Raadt in 1996 as a breakaway from NetBSD; it has a reputation for being highly secure. If the claims made by Perry are found to be in any way true, then the project's reputation would take a big hit.

 

FREE REPORT - IT MONITORING TOOLS COMPARISON

Are you looking to find the most efficient IT Monitoring tool available?

IT Monitoring is an essential part of the operations of any organisation with a significant network architecture.

Multiple IT monitoring platforms are available on the market today, supporting the various needs of small, medium-sized, and large enterprises, as well as managed service providers (MSPs).

This new report studies and compares eight different IT monitoring products in terms of functionality, operations, and usability on the same server platform with 100 end devices.

Which product is easiest to deploy, has the best maintenance mode capabilities, the best mobile access and custom reporting, dynamic thresholds setting, and enhanced discovery capabilities?

Download your free report to find out.

DOWNLOAD!

Sam Varghese

website statistics

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.

Connect