Much touted as totally secure, the OpenBSD operating system has backdoors that were installed in its early days by the FBI.
Gregory Perry, who is now Chief Executive Officer, GoVirtual Education was involved in the OpenBSD project in the early days. He has written to the founder of the Open BSD project Theo de Raadt to warn him that he was hired by the Untouchables to install backdoors in the software.
De Raadt has published the email here In it Perry said that now his NDA with the Feds is over he can finally talk about his involvement with the project.
Perry said that he worked at the GSA Technical Support Center, which was a cryptologic reverse engineering project aimed at backdooring and implementing key escrow mechanisms for smart card and other hardware-based computing technologies.
He said the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organisation of the FBI.
Perry claimed that the actual code was written by Jason Wright and several other developers were responsible for those backdoors.
He warned de Raadt to look closely at all code commits by Wright as well as the other developers he worked with originating from NETSEC.
Perry speculates that the backdoors are the reason why OpenBSD lost DARPA funding,as they didn’t want to create any derivative products based upon it. At the time the pulling of funding was thought to be because de Raadt publicly attacked the US invasion of Iraq.
It might also be be the reason that FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualised environments.
Perry names Scott Lowe as a well respected author in virtualisation circles who also happens top be on the FBI payroll, and who has also recently published several tutorials for the use of OpenBSD VMs in enterprise VMware vSphere deployments.
If this is true, then it would have happened in 2000 and 2001. De Raadt said that large parts of the code are now found in many other projects/products.
However, he said that over a decade the IPSEC code has gone through many changes and fixes, so the true impact of these allegations are unclear.
De Raadt said that he was not going to be come part of any conspiracy, and will not be talking to Gregory Perry about this.
He said if Perry’s claims were true he had to make them public so that those who use the code can audit it for these problems,
If the claims were untrue then those who are being accused can defend themselves.
” I don’t like it when my private mail is forwarded. However the “little ethic” of a private mail being forwarded is much smaller than the “big ethic” of government paying companies to pay open source developers (a member of a community-of-friends) to insert privacy-invading holes in software,” De Raadt wrote.