Do you use Unix? Do you think your computing is secure due to the powerful encryption built into this platform by OpenBSD cryptographic framework? Well think again. It appears that the FBI is alleged to have paid some open-source developers to create exploitable holes in that cryptographic framework that have been there for upwards of 10 years.
In an e-mail sent to BSD project leader Theo de Raadt, former NETSEC CTO Gregory Perry has claimed that NETSEC developers helped the FBI plant “a number of backdoors” in the OpenBSD cryptographic framework approximately a decade ago.
Perry says that his nondisclosure agreement with the FBI has expired, allowing him to finally bring the issue to the attention of OpenBSD developers. Perry also suggests that knowledge of the FBI’s backdoors played a role in DARPA’s decision to withdraw millions of dollars of grant funding from OpenBSD in 2003.
“I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI,” wrote Perry. “This is also probably the reason why you lost your DARPA funding, they more than likely caught wind of the fact that those backdoors were present and didn’t want to create any derivative products based upon the same.”
The e-mail became public when de Raadt forwarded it to the OpenBSD mailing list on Tuesday, with the intention of encouraging concerned parties to conduct code audits. To avoid entanglement in the alleged conspiracy, de Raadt says that he won’t be pursuing the matter himself. Several developers have begun the process of auditing the OpenBSD IPSEC stack in order to determine if Perry’s claims are true.
“It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into our network stack,” de Raadt wrote. “Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products. Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are.”
If this last statement is true the security holes will not only apply to Unix but every other OS that uses IPSEC such as Windows and Mac. I am curious to see what the OpenBSD community uncovers in the code as this could have far reaching ramification for bring into question whether this action constitutes warrantless surveillance.