Yesterday (Dec. 14th, 2010), Theo de Raadt, leader of the OpenBSD project, published a message with the interesting title “Allegations regarding OpenBSD IPSEC“. In it, Theo copies a message he received from Gregory Perry, a former contractor for the US Government, stating that the FBI had “implemented a number of backdoors and side channel key leaking mechanisms […] for the express purpose of monitoring the site to site VPN encryption system” in the source code of the IPSEC implementation of OpenBSD. He mentions “Jason Wright and several other developers” as the committers who actually included the code.

The message was that interesting for at least two reasons:

  • OpenBSD has always been considered “the” secure free software operating system (see for example Take a closer look at OpenBSD). Its motto is “free, functional and secure”, and its website proudly states “Only two remote holes in the default install, in a heck of a long time!”. The message implies that this system could have been intentionally compromised by some OpenBSD developers, paid by the FBI, ten years ago.
  • Theo decided to discuss the matter in the open, following the full disclosure policy of the project. This is really rare, since the usual answer in the industry to a situation like this would have been to study it in secret before (maybe) disclosing it.

Since then, we’re seeing a very instructive example of what happens when a free software project discusses problems (in this case, security problems, maybe the worst problems of all) in the open:

It is difficult to know what’s going to happen in the next days, but for now, we have a pretty much open disclosure process, and some code that anyone with knowledge and time could inspect…

