Home opinion-and-analysis The Linux Distillery Open Sauce OpenBSD backdoor claims: bugs found during code audit

Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.

Have your say and comment below.

Get all your tech news delivered to your mail box five days a week
iTWire UPDATE - it's FREE!


The OpenBSD project has found two bugs during an audit of the cryptographic code in which, it has been alleged, the FBI, through former developers, was able to plant backdoors.


OpenBSD project head Theo de Raadt told iTWire: "We've been auditing since the mail came in! We have already found two bugs in our cryptographic code. We are assessing the impact. We are also assessing the 'archeological' aspects of this.."

The mail he was referring to was sent to him on December 11 by Gregory Perry, a former developer with the project, and claimed that the US Federal Bureau of Investigation had, through some other ex-developers, implemented a number of backdoors in the open cryptographic framework used in OpenBSD.

De Raadt decided to go public with the mail, posting it to the openbsd-tech mailing list, along with his own comments.

In that post, among other statements, he said: "The mail came in privately from a person I have not talked to for nearly 10 years.  I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public so that (a) those who use the code can audit it for these problems, (b) those that are angry at the story can take other actions, (c) if it is not true, those who are being accused can defend themselves."

It must be mentioned here that de Raadt has often copped flak from others in the free software and open source software community for his frankness and openness in dealing with technical and other issues that concern the OpenBSD project. Some years ago, when DARPA suddenly cut funding to the project, after de Raadt had made some pointed comments about the Us invasion of Iraq, he was upfront about it.

"When I received the mail I was in Barbados, and tried to not ruin my wife's vacation by dealing with it then," de Raadt told iTWire. "Upon getting home (to Canada) I decided that was the best approach, since private discussions with two other developers didn't show us other avenues to discuss. We were certain that if we talked to these people who are listed we would not get honesty."

Perry had mentioned two names - Scott Lowe and Jason Wright - and also mentioned "several other developers originating from NETSEC (sic)" in connection with his naming of Wright. The company NetSec was acquired by Verizon in 2006.

Both Lowe and Wright have denied being in any way involved in planting backdoors in the code; Lowe was tracked down by Brian Profitt, a tech writer for ITWorld and a former editor of LinuxToday, who, in the course of his bid to find the man discovered two people with the same name in the same field. Both denied involvement.

Wright denied his involvement in a detailed post in the same thread which de Raadt had started.

"Until 2 days ago I had no idea that both Jason and Angelos (Keromytis) in the past did work for a company that does that business," De Raadt said. "And it is true, wow, that company really was in that business! Now they (the company) belong to Verizon.

"We found out that Angelos (our ipsec developer) also did a period of contract work for that company. The mail did say it wasn't just Jason."

OpenBSD was started by de Raadt in 1996 as a breakaway from NetBSD; it has a reputation for being highly secure. If the claims made by Perry are found to be in any way true, then the project's reputation would take a big hit.

 

ITWIRE SERIES - REVENUE-CRITICAL APPS UNDERPERFORMING?

Avoid War Room Scenarios and improve handling of critical application problems:

• Track all transactions, end-to-end, all the time and know what your users experience 24/7

• View code level details with context and repair problems quickly

• Fix problems in minutes before they wreak havoc

• Optimize your most important applications, Java, .NET, PHP, C/C++ and many more

Start your free trial today!

CLICK FOR FREE TRIAL!

ITWIRE SERIES - IS YOUR BACKUP STRATEGY COSTING YOU CLIENTS?

Where are your clients backing up to right now?

Is your DR strategy as advanced as the rest of your service portfolio?

What areas of your business could be improved if you outsourced your backups to a trusted source?

Read the industry whitepaper and discover where to turn to for managed backup

FIND OUT MORE!

Sam Varghese

website statistics

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.

Connect