A former contractor says the FBI paid developers to implement back doors into communication encryption software used by the OpenBSD operating system.

The lead developer on the OpenBSD project, Theo de Raadt, has disclosed an email message sent to him by a former contractor, Gregory Perry, who has alleged the U.S. Federal Bureau of Investigation paid developers to put a number of back doors into the communication encryption software used by the OpenBSD operating system. Although the report has not been substantiated, if the allegations are true it means the FBI has been working secretly for years to develop ways to look at encrypted network traffic, and has hidden those methods in source code submitted to the open source OpenBSD operating system. And, of course, if the FBI has, in fact, put back doors into OpenBSD, who knows what other open source projects it may have worked to clandestinely infiltrate.

The former contractor making the allegations, Gregory Perry, is currently the CEO of GoVirtual, a VMware virtual services firm, and claims his non-disclosure agreement with the FBI has now expired, which is why he only contacted de Raadt with the information now.

“The mail came in privately from a person I have not talked to for nearly 10 years,” de Raadt wrote in a posting to an OpenBSD discussion list. “I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public.”

Perry names specific contractors and others who implemented back doors, and urges de Raadt and the OpenBSD community to review code committed to the project by those developers. Perry also asserts the back doors are one reason the FBI has been advocating the use of OpenBSD for virtual private networks in virtualized environments: all the easier for them to monitor.

Theo de Raadt notes that since the time when Perry worked on the OpenBSD project, the IPSEC stack has been made available for free and substantial parts of the code are now used in a wide variety of open source projects. However, the code has also been through a number of substantial changes in the last decade, making it difficult to assess the potential impact of Perry’s allegations, if they’re true. Making the unsubstantiated claims public, de Raadt says, gives users a chance to audit their code, and a chance for anyone accused to defend themselves.

At least one person named by Perry has categorically denied ever working for the FBI.

So far, the Internet security community is largely greeting Perry’s claims with skepticism, but security experts have noted that, after a decade, it might be very difficult to “walk back the cat” to determine what portions of OpenBSD networking could potentially be impacted.

Showing 4 comments

  1. Snarky1 at 1:03am 1st January 2011 Well people, it was only a matter of time before "big brother" that was rumoured many years ago took place. Your cards (debit, credit etc.) & cameras all over, there is no doubt in my mind you are being watched. Just going online if someone wants to know what you're up to law or criminals know how to monitor you. GM cars with onstar are easily tracked. Get used to it! Some are dumb enough to post their activities on blogs or Facebook. Your privacy as you used to know it is gone.
  2. loki3 at 2:19pm 16th December 2010 On OSnews.com someone pointed out: "In the original e-mail, Mr. Perry said: "My NDA with the FBI has recently expired" The fact that he calls it an NDA tells me that he does not even know that the FBI grants you a security clearance. A security clearance from a government agency is much different than an NDA from a private company. In the government, your security clearance expiring means that you no longer have access to classified information, but it does not mean you can now tell classified information. Doing so will get you in a lot of legal trouble; whether your "NDA" is valid or not. Now let's say that he did have a security clearance, and merely just told De Raadt it was an NDA to avoid confusion. Information like this would certainly be classified. If his story does check out, he will get into a LOT of legal trouble with the US government for leaking classified information. Considering that this has not been a quiet incident and I have yet to see a response from the US government; I very much doubt the validity of this story." Furthermore Perry has said (in an email to Robert McMillan on CSO blogs): "The OCF was a target for side channel key leaking mechanisms, as well as pf (the stateful inspection packet filter),...." This was supposed to have happened prior to the time Perry left NetSec in 2000. Funny he seems to be unaware that pf didn't happen until mid-2001. Liars need perfect memory..... And Jason Wright's commits show no work by him on the crypto in IPSEC.
  3. Brent at 11:50am 15th December 2010 Nothing our government (USA) does will ever surprise me again. I just wish we had a government of the people, by the people and most importantly FOR the people.
    1. Jason at 11:35pm 15th December 2010 Totally agree. I also think many think the same.