Theo de Raadt, who leads the OpenBSD project, has disclosed an email message sent to him by a former contractor, Gregory Perry, who alleges that the U.S. Federal Bureau of Investigation paid developers to put a number of back doors into the IPSEC stack, the network encryption code used by the OpenBSD operating system. The report has not been substantiated. If the allegations are true, the FBI has been working secretly for years to develop ways to read encrypted network traffic, and has hidden those methods in source code submitted to the open source OpenBSD operating system. And if the FBI has in fact planted back doors in OpenBSD, there is no telling what other open source projects it may have worked to infiltrate.
Gregory Perry, the former contractor making the allegations, is currently the CEO of GoVirtual, a VMware virtual services firm. He says his non-disclosure agreement with the FBI has now expired, which is why he contacted de Raadt with the information only now.
“The mail came in privately from a person I have not talked to for nearly 10 years,” de Raadt wrote in a posting to an OpenBSD discussion list. “I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public.”
Perry names specific contractors and others who, he says, implemented the back doors, and urges de Raadt and the OpenBSD community to review the code those developers committed to the project. Perry also asserts that the back doors are one reason the FBI has been advocating the use of OpenBSD for virtual private networks in virtualized environments: traffic through a system the FBI can already decrypt is all the easier for it to monitor.
Theo de Raadt notes that since the time Perry worked with the OpenBSD project, the IPSEC stack has been made freely available, and substantial parts of the code are now used in a wide variety of open source projects. However, the code has also been through a number of substantial changes in the last decade, so a reviewer cannot simply inspect the current tree; assessing the potential impact of Perry’s allegations, if they are true, means tracing the named developers’ commits through the project’s history and into every project that imported the code. Making the unsubstantiated claims public, de Raadt says, gives users a chance to audit the code, and gives anyone accused a chance to defend themselves.
At least one person named by Perry has categorically denied ever working for the FBI.
So far, the Internet security community is largely greeting Perry’s claims with skepticism, but security experts have noted that, after a decade, it might be very difficult to “walk back the cat” and determine which portions of OpenBSD networking could be affected.