Home opinion-and-analysis The Linux Distillery Open Sauce OpenBSD backdoor claims: bugs found during code audit

Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.

Have your say and comment below.

The OpenBSD project has found two bugs during an audit of the cryptographic code in which, it has been alleged, the FBI, through former developers, was able to plant backdoors.


OpenBSD project head Theo de Raadt told iTWire: "We've been auditing since the mail came in! We have already found two bugs in our cryptographic code. We are assessing the impact. We are also assessing the 'archeological' aspects of this.."

The mail he was referring to was sent to him on December 11 by Gregory Perry, a former developer with the project, and claimed that the US Federal Bureau of Investigation had, through some other ex-developers, implemented a number of backdoors in the open cryptographic framework used in OpenBSD.

De Raadt decided to go public with the mail, posting it to the openbsd-tech mailing list, along with his own comments.

In that post, among other statements, he said: "The mail came in privately from a person I have not talked to for nearly 10 years.  I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public so that (a) those who use the code can audit it for these problems, (b) those that are angry at the story can take other actions, (c) if it is not true, those who are being accused can defend themselves."

It must be mentioned here that de Raadt has often copped flak from others in the free software and open source software community for his frankness and openness in dealing with technical and other issues that concern the OpenBSD project. Some years ago, when DARPA suddenly cut funding to the project, after de Raadt had made some pointed comments about the Us invasion of Iraq, he was upfront about it.

"When I received the mail I was in Barbados, and tried to not ruin my wife's vacation by dealing with it then," de Raadt told iTWire. "Upon getting home (to Canada) I decided that was the best approach, since private discussions with two other developers didn't show us other avenues to discuss. We were certain that if we talked to these people who are listed we would not get honesty."

Perry had mentioned two names - Scott Lowe and Jason Wright - and also mentioned "several other developers originating from NETSEC (sic)" in connection with his naming of Wright. The company NetSec was acquired by Verizon in 2006.

Both Lowe and Wright have denied being in any way involved in planting backdoors in the code; Lowe was tracked down by Brian Profitt, a tech writer for ITWorld and a former editor of LinuxToday, who, in the course of his bid to find the man discovered two people with the same name in the same field. Both denied involvement.

Wright denied his involvement in a detailed post in the same thread which de Raadt had started.

"Until 2 days ago I had no idea that both Jason and Angelos (Keromytis) in the past did work for a company that does that business," De Raadt said. "And it is true, wow, that company really was in that business! Now they (the company) belong to Verizon.

"We found out that Angelos (our ipsec developer) also did a period of contract work for that company. The mail did say it wasn't just Jason."

OpenBSD was started by de Raadt in 1996 as a breakaway from NetBSD; it has a reputation for being highly secure. If the claims made by Perry are found to be in any way true, then the project's reputation would take a big hit.

 

FREE CLOUD BACKUPS MANAGEMENT WEBINAR

Are your technicians spending too much time just managing your clients cloud backups?

Backups are an important part of any IT business but they should not consume more than their fair share of time and money.

Discover how to reduce the amount of time & money spent managing your Cloud Backups during this Free Webinar.

REGISTER FOR FREE WEBINAR!

FREE NETWORKING SERVICES CASE STUDY

As one of the world’s largest social networking services, Facebook handles a lot of user information, and requires input from an astounding range of stakeholders 24 hours a day, 7 days a week — from both inside and outside the business.

Discover how Facebook was helped to connect remote employees, vendors, consultants, and partners to applications and web services quickly and reliably - without risking sensitive data.

GET CASE STUDY!

GET THE IT BUDGET YOU WANT

Explore your Network Treasure Trove to get the IT Budget you want

With Australian businesses projected to spend over $78.7 Billion why does it feel like you can never get the budget you need?.

In most cases your budget will get approved because the proposals are not only technically correct, but also provide good, credible evidence on how the spend aligns with key business objectives.

Did you know that your Network Monitoring tool can help you build a comprehensive business case without an MBA?

HERE ARE 8 TIPS TO GET THE IT BUDGET YOU WANT.

CLICK HERE!

Sam Varghese

website statistics

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.

Connect

 

 

 

 

Join the iTWire Community and be part of the latest news, invites to exclusive events, whitepapers and educational materials and oppertunities.
Why do I want to receive this daily update?
  • The latest features from iTWire
  • Free whitepaper downloads
  • Industry opportunities