Bugs — yes. Backdoor — no. That’s the conclusion of OpenBSD founder and project leader Theo de Raadt, who reviewed code following a claim earlier this month that the FBI had planted a secret backdoor in the OpenBSD IPsec stack.
Gregory Perry, ex-CTO of Network Security Technology (NetSec), had said his company was paid by the FBI about 10 years ago to provide the backdoor. De Raadt published an e-mail earlier this week with his assessment of the in-progress code audit. De Raadt said two bugs have been found that could have security implications, but they have been resolved and don’t appear to have been deliberate attempts to create secret access.
Earlier this month, De Raadt sent an e-mail to the OpenBSD list revealing that he had received an e-mail from Perry about the alleged plot.
He reprinted the e-mail, in which Perry said his non-disclosure agreement “with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side-channel key leaking mechanisms,” designed “for the express purpose of monitoring the site-to-site VPN encryption system.” He cited one developer by name, Jason Wright, as well as other unnamed developers.
Wright has denied any knowledge of a FBI-initiated backdoor project, as have others. However, Wright and another developer mentioned by De Raadt who worked on the OpenBSD project, Angelos Keromytis, have both been reported to have worked for NetSec at various times.
Perry said this effort “was probably the reason why you lost your DARPA funding,” since that U.S. defense organization “more than likely caught wind of the fact that those backdoors are present and didn’t want to create any derivative products based upon the same.”
NetSec ‘Probably Contracted’
In addition, Perry said, the backdoor implementation is “also why several FBI…