OpenBSD Code Audit Denies FBI Backdoor Allegations

12 days ago former NETSEC CTO Gregory Perry (nicknamed The Prez!) sent an email to BSD project leader Theo de Raadt. In the email Perry alleged that the FBI had backdoors inserted in the cryptographic framework of OpenBSD, and that DARPA dropped funding of OpenBSD for that reason. Perry wrote:
My NDA with the FBI has recently expired, and I wanted to make you
aware of the fact that the FBI implemented a number of backdoors and
side channel key leaking mechanisms into the OCF, for the express
purpose of monitoring the site to site VPN encryption system
implemented by EOUSA, the parent organization to the FBI. Jason
Wright and several other developers were responsible for those
backdoors, and you would be well advised to review any and all code
commits by Wright as well as the other developers he worked with
originating from NETSEC.

This is also probably the reason why you lost your DARPA funding, they
more than likely caught wind of the fact that those backdoors were
present and didn't want to create any derivative products based upon
the same.
Perry's claims generated legitimate concerns in the OpenBSD community, and sparked a full scale audit of OpenBSD code.

After code audits de Raadt has come forward to deny that any such backdoors exist, although he did disclose that there was a serious bug in the Encapsulating Security Payload code that was not brought to the public's attention in 2002. Vulnerability to cypher-block chaining oracle attacks were discovered in some drivers, and fixes have been devised for those bugs. Theo de Raadt believes those vulnerabilities were accidents, albeit serious ones, rather than intentionally inserted bugs.

Some in the IT community immediately had questions regarding the scope of such a maneuver, specifically whether or not Linux may have been targeted by like endeavors. The issue seems not to affect Linux, as the IPSec stack for Linux appears to be entirely original. There were also legitimate concerns with regard to Apple Computers, which has used BSD code in their computers (freeBSD to be exact, but the BSD's have done a lot of code sharing). There has also been a vocal concern involving how fast OpenBSD responded and the apparent speed of the code review. If admitting a problem would cost your company millions of dollars, then would you admit it or come forward with an official denial?

This story will likely die. There are too few people with serious concerns and way too many people who question the validity of Perry's claims. Besides that, though, shouldn't everyone assume that the FBI and the NSA have done everything in their power to make backdoors possible and work from that assumption? It boggles the mind that there are people who might think such claims are outrageous, when in reality it would be outrageous to think that the intelligence community had done no such thing. It's their job to make such things possible, regardless of public opinion.
 
Subscribe by Email. . . RSS. . .
Creative Commons License
Symbols of Decay is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License..
Related written works at Angelfire, Sex Symbols, Cymbals of Silence.Repent or Die