OpenBSD development lead Theo de Raadt says that he believes a government contracting firm was hired to write back doors into communications and encryption technology, but that those back doors, if written, did not make it into the OpenBSD code base. However, he is still encouraging contributors and users of the open source project to audit the code to look for any problems—and a few other issues have been uncovered.
The controversy erupted last week when Gregory Perry, the former CEO of a government contractor called Netsec, sent de Raadt a private message indicating there could be back doors in OpenBSD’s secure communications technology inserted a decade ago at the behest of the federal government. Rather than sit on the claim, de Raadt went public with the message, disclosing its complete contents and noting he refused “to become part of such a conspiracy.”
In a follow-up posting to an OpenBSD discussion list, de Raadt outlined what he believes the current state of affairs. de Raadt confirms Netsec did work as a contractor on government computer security projects, Gregory Perry did work there, and two contractors who made contributions to OpenBSD did work on OpenBSD’s IPSEC layer—and one of them was the architect and primary developer of the IPSEC stack who worked on the project for four years. However, while those implementations had cryptography issues, de Raadt is, for the moment, satisfied they are historical artifacts of federal regulations governing use of cryptography, rather than any intentional malice.
de Raadt says he does believe Netsec was contracted to write back doors; however, if those were written, he doesn’t believe they made their way into OpenBSD, although they may will have “deployed as their own product.”
Since de Raadt went public with Perry’s allegations, two new bugs have been uncovered in OpenBSD’s cryptography technology: one propagates a fix for an old, well-known security vulnerability from the cryptography later to drivers, and the other is essentially a bit of housekeeping. de Raadt says he’s also looking at cleaning up an “extremely ugly” function and found a small bug in another aspect of random number-generating code.
Meanwhile, de Raadt indicates he is pleased so many developers are examining the OpenBSD code base for possible problems, saying this “is the best process we can hope for.”
So far, no one has stepped forward to back up Perry’s claims that the federal government paid to have back doors inserted into OpenBSD, and two people named in Perry’s allegations have specifically refuted Perry’s claims. Numerous industry watchers have questioned the utility of inserting backdoors into open source projects—particularly projects used in government work—since, if the vulnerabilities are uncovered, they’d immediately be in the hands of criminals. But maybe that’s just what the Feds want people to think.