Home opinion-and-analysis Open Sauce OpenBSD backdoor claims: bugs found during code audit

Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.

Have your say and comment below.

Subscribe now and get the news that matters to your industry.

* Your Email Address:
* First Name:
* Last Name:
Industry:
Job Function:
Australian State:
Country:
Email marketing by Interspire
weebly statistics

The OpenBSD project has found two bugs during an audit of the cryptographic code in which, it has been alleged, the FBI, through former developers, was able to plant backdoors.


OpenBSD project head Theo de Raadt told iTWire: "We've been auditing since the mail came in! We have already found two bugs in our cryptographic code. We are assessing the impact. We are also assessing the 'archeological' aspects of this.."

The mail he was referring to was sent to him on December 11 by Gregory Perry, a former developer with the project, and claimed that the US Federal Bureau of Investigation had, through some other ex-developers, implemented a number of backdoors in the open cryptographic framework used in OpenBSD.

De Raadt decided to go public with the mail, posting it to the openbsd-tech mailing list, along with his own comments.

In that post, among other statements, he said: "The mail came in privately from a person I have not talked to for nearly 10 years.  I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public so that (a) those who use the code can audit it for these problems, (b) those that are angry at the story can take other actions, (c) if it is not true, those who are being accused can defend themselves."

It must be mentioned here that de Raadt has often copped flak from others in the free software and open source software community for his frankness and openness in dealing with technical and other issues that concern the OpenBSD project. Some years ago, when DARPA suddenly cut funding to the project, after de Raadt had made some pointed comments about the Us invasion of Iraq, he was upfront about it.

"When I received the mail I was in Barbados, and tried to not ruin my wife's vacation by dealing with it then," de Raadt told iTWire. "Upon getting home (to Canada) I decided that was the best approach, since private discussions with two other developers didn't show us other avenues to discuss. We were certain that if we talked to these people who are listed we would not get honesty."

Perry had mentioned two names - Scott Lowe and Jason Wright - and also mentioned "several other developers originating from NETSEC (sic)" in connection with his naming of Wright. The company NetSec was acquired by Verizon in 2006.

Both Lowe and Wright have denied being in any way involved in planting backdoors in the code; Lowe was tracked down by Brian Profitt, a tech writer for ITWorld and a former editor of LinuxToday, who, in the course of his bid to find the man discovered two people with the same name in the same field. Both denied involvement.

Wright denied his involvement in a detailed post in the same thread which de Raadt had started.

"Until 2 days ago I had no idea that both Jason and Angelos (Keromytis) in the past did work for a company that does that business," De Raadt said. "And it is true, wow, that company really was in that business! Now they (the company) belong to Verizon.

"We found out that Angelos (our ipsec developer) also did a period of contract work for that company. The mail did say it wasn't just Jason."

OpenBSD was started by de Raadt in 1996 as a breakaway from NetBSD; it has a reputation for being highly secure. If the claims made by Perry are found to be in any way true, then the project's reputation would take a big hit.

 

PROTECT YOURSELF AGAINST BANDWIDTH BANDITS!

Don't let traffic bottlenecks slow your network or business-critical apps to a grinding halt. With SolarWinds Bandwidth Analyzer Pack (BAP) you can gain unified network availability, performance, bandwidth, and traffic monitoring together in a single pane of glass.

With SolarWinds BAP, you'll be able to:

• Detect, diagnose, and resolve network performance issues

• Track response time, availability, and uptime of routers, switches, and other SNMP-enabled devices

• Monitor and analyze network bandwidth performance and traffic patterns.

• Identify bandwidth hogs and see which applications are using the most bandwidth

• Graphically display performance metrics in real time via dynamic interactive maps

Download FREE 30 Day Trial!

CLICK TO DOWNLOAD!

ITWIRE SERIES - IS YOUR BACKUP STRATEGY COSTING YOU CLIENTS?

Where are your clients backing up to right now?

Is your DR strategy as advanced as the rest of your service portfolio?

What areas of your business could be improved if you outsourced your backups to a trusted source?

Read the industry whitepaper and discover where to turn to for managed backup

FIND OUT MORE!

Sam Varghese

website statistics

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.

Connect