OpenBSD Founder Says No FBI 'Backdoor' Found

A secret FBI backdoor was not found in a review of OpenBSD code, says founder Theo de Raadt. But de Raadt did resolve two bugs that could have security implications. Network Security Technology ex-CTO Gregory Perry had said the FBI paid for an OpenBSD backdoor to monitor VPN links. OpenBSD is known as a secure operating system.

Bugs -- yes. Backdoor -- no. That's the conclusion of OpenBSD founder and project leader Theo de Raadt, who reviewed code following a claim earlier this month that the FBI had planted a secret backdoor in the OpenBSD IPsec stack.

Gregory Perry, ex-CTO of Network Security Technology (NetSec), had said his company was paid by the FBI about 10 years ago to provide the backdoor. De Raadt published an e-mail earlier this week with his assessment of the in-progress code audit. De Raadt said two bugs have been found that could have security Relevant Products/Services implications, but they have been resolved and don't appear to have been deliberate attempts to create secret access.
Expired NDA

Earlier this month, De Raadt sent an e-mail to the OpenBSD list revealing that he had received an e-mail from Perry about the alleged plot.

He reprinted the e-mail, in which Perry said his non-disclosure agreement "with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side-channel key leaking mechanisms," designed "for the express purpose of monitoring the site-to-site VPN encryption Relevant Products/Services system." He cited one developer by name, Jason Wright, as well as other unnamed developers.

Wright has denied any knowledge of a FBI-initiated backdoor project, as have others. However, Wright and another developer mentioned by De Raadt who worked on the OpenBSD project, Angelos Keromytis, have both been reported to have worked for NetSec at various times.

Perry said this effort "was probably the reason why you lost your DARPA funding," since that U.S. defense organization "more than likely caught wind of the fact that those backdoors are present and didn't want to create any derivative products based upon the same."

NetSec 'Probably Contracted'

In addition, Perry said, the backdoor implementation is "also why several FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments."

In his e-mail, De Raadt wrote that he believes "NetSec was probably contracted to write backdoors as alleged," but "if those were written, I don't believe they made it into our tree." Instead, he said, "they might have been deployed as their own product."

NetSec, he wrote, was "in that peculiar near-D.C. business of accepting contracts to do security and anti-security work from parts of the government." He added that, if such NetSec projects existed, he didn't believe the developers involved knew or participated in them.

OpenBSD is an open-source Unix-like operating system descended from Berkeley Software Distribution (BSD). De Raadt began the project in 1995, and OpenBSD is known for security features and processes that the project believes are not present in other OSes. In fact, an OpenBSD 101 "Tutorial for Beginners" on the web calls it "arguably the most secure operating system in the world." Read Full Article


Joe Shabadoo said...

Does the Archos 101 XS Android Tablet with Magnetic Keyboard Cover Deserve all the Hype or is it Mediocre at Best. Here We Review the Android Archos Tablet and All of the Archos 101 Features and Specs

In our Review of the Archos Tablet, We Compare the Archos 101 XS $399 16GB to the iPad 2 also $399 16 GB

Joe Shabadoo said...

I like your blog let me know if you want to link to each other's blogs on this subject... go to my blog and you can send me a personal message

Post a Comment