Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.

Have your say and comment below.

Friday, 17 December 2010 10:31

OpenBSD backdoor claims: bugs found during code audit

By

The OpenBSD project has found two bugs during an audit of the cryptographic code in which, it has been alleged, the FBI, through former developers, was able to plant backdoors.


OpenBSD project head Theo de Raadt told iTWire: "We've been auditing since the mail came in! We have already found two bugs in our cryptographic code. We are assessing the impact. We are also assessing the 'archeological' aspects of this.."

The mail he was referring to was sent to him on December 11 by Gregory Perry, a former developer with the project, and claimed that the US Federal Bureau of Investigation had, through some other ex-developers, implemented a number of backdoors in the open cryptographic framework used in OpenBSD.

De Raadt decided to go public with the mail, posting it to the openbsd-tech mailing list, along with his own comments.

In that post, among other statements, he said: "The mail came in privately from a person I have not talked to for nearly 10 years.  I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public so that (a) those who use the code can audit it for these problems, (b) those that are angry at the story can take other actions, (c) if it is not true, those who are being accused can defend themselves."

It must be mentioned here that de Raadt has often copped flak from others in the free software and open source software community for his frankness and openness in dealing with technical and other issues that concern the OpenBSD project. Some years ago, when DARPA suddenly cut funding to the project, after de Raadt had made some pointed comments about the Us invasion of Iraq, he was upfront about it.

"When I received the mail I was in Barbados, and tried to not ruin my wife's vacation by dealing with it then," de Raadt told iTWire. "Upon getting home (to Canada) I decided that was the best approach, since private discussions with two other developers didn't show us other avenues to discuss. We were certain that if we talked to these people who are listed we would not get honesty."

Perry had mentioned two names - Scott Lowe and Jason Wright - and also mentioned "several other developers originating from NETSEC (sic)" in connection with his naming of Wright. The company NetSec was acquired by Verizon in 2006.

Both Lowe and Wright have denied being in any way involved in planting backdoors in the code; Lowe was tracked down by Brian Profitt, a tech writer for ITWorld and a former editor of LinuxToday, who, in the course of his bid to find the man discovered two people with the same name in the same field. Both denied involvement.

Wright denied his involvement in a detailed post in the same thread which de Raadt had started.

"Until 2 days ago I had no idea that both Jason and Angelos (Keromytis) in the past did work for a company that does that business," De Raadt said. "And it is true, wow, that company really was in that business! Now they (the company) belong to Verizon.

"We found out that Angelos (our ipsec developer) also did a period of contract work for that company. The mail did say it wasn't just Jason."

OpenBSD was started by de Raadt in 1996 as a breakaway from NetBSD; it has a reputation for being highly secure. If the claims made by Perry are found to be in any way true, then the project's reputation would take a big hit.

 


Subscribe to ITWIRE UPDATE Newsletter here

GRAND OPENING OF THE ITWIRE SHOP

The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.

ENTER THE SHOP NOW!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments