Allegations of FBI Backdoors in OpenBSD
December 15th, 2010
Via: IT World:
Amidst startling accusations revealed by OpenBSD founder and lead developer Theo de Raadt today that 10 years ago the US Federal Bureau of Investigation paid developers to insert security holes into OpenBSD code, some confusion about the accusations has already emerged, with one named party strongly denying any involvement.
According to a post by de Raadt on the [openbsd-tech] mailing list, he received an email from Gregory Perry, CEO of GoVirtual Education, a Florida-based VMWare training firm, in which Perry told de Raadt he was “aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA [an acronym for the US Dept. of Justice], the parent organization to the FBI.”
In his message to de Raadt, Perry stated that while Perry was the CTO at NETSEC, “Jason Wright and several other developers were responsible for those backdoors.” Perry said that he was now able to share this information with de Raadt because his non-disclosure agreement with the FBI had “recently expired.”
If true, this type of government involvement would erode the already tenuous perception many open source developers have about the lack of respect the US government has for the privacy of its citizens.
But there are already challenges about the accuracy of Perry’s statements.
For instance, at the close of his message to de Raadt, Perry stated that the presence of these backdoors was why “several inside FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments.”
“For example,” Perry concluded, “Scott Lowe is a well respected author in virtualization circles who also happens top [sic] be on the FBI payroll, and who has also recently published several tutorials for the use of OpenBSD VMs in enterprise VMWare vSphere deployments.”
I contacted Scott Lowe, VMWare-Cisco Solutions Principal at EMC, this evening to ask if he had a comment about Perry’s statement to de Raadt. Lowe quickly responded by e-mail with his denial:
“Mr. Perry is mistaken. I am not, nor have I ever been, affiliated with or employed by the FBI or any other government agency. Likewise, I have not ever contributed a single line of code to OpenBSD; my advocacy is strictly due to appreciation of the project and nothing more,” Lowe replied.
When I followed up with the question of why Perry might want to implicate Lowe for assisting the FBI in promoting OpenBSD, Lowe replied, “I do not know why Mr. Perry mentioned my name. I do know that there is another Scott Lowe, who also writes about virtualization, to whom Mr. Perry might be referring; I don’t have any information as to whether that individual is or is not involved.”
Mr. Lowe from North Carolina has been confused with the other Scott Lowe, Director of IT at Westminster College in Missouri, before.
Whether Mr. Lowe of Missouri was involved is still unknown: he has yet to return my requests for comment, though they were sent after normal work hours in Missouri, which could certainly explain the delay.
Research Credit: dilinger, rmf
One of the myths of open source software is that all of its security vulnerabilities will eventually be identified and fixed, including, presumably, those deliberately planted for nefarious purposes. But one can imagine vulnerabilities so subtle that only a handful of specialists would be able to spot them, and those people are usually occupied with other things. The allegation here is of exactly that kind: not a crash or an obvious logic error, but a “side channel key leaking mechanism,” code that encrypts and decrypts correctly in every test while quietly exposing key material to whoever knows where to look.
From the Wikipedia page on OpenBSD:
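To make the point concrete, here is an added toy example, written for this page and not taken from OpenBSD, the OCF, or any real implementation, of what a “subtle” key-leaking mechanism could look like. A hypothetical IV generator derives a per-packet IV from a public counter, never repeats, and produces bytes that pass the uniqueness and entropy checks a reviewer might run; but one byte of each IV is a key byte masked with a PRF keyed by a fixed escrow secret, so a passive observer who holds that secret recovers the whole key from a handful of packets. The escrow constant, the IV layout and the counter-based leak schedule are all invented for illustration.

```python
"""Toy 'side-channel key leaking' IV generator (hypothetical, constructed here).

Not OpenBSD or OCF code and not a description of any real backdoor. It shows
how a generator that looks reasonable in review can hand the session key to
whoever holds a fixed escrow secret, while passing naive randomness checks.
"""
import hashlib
import hmac
import math
import os
from collections import Counter

IV_LEN = 16

# Escrow secret baked into the 'backdoored' build (constructed value for the toy).
_ESCROW = bytes.fromhex("4f70656e4253442d4f43462d746f792d")


def honest_iv(_key: bytes, _counter: int) -> bytes:
    """Correct approach: a fresh random IV that is independent of the key."""
    return os.urandom(IV_LEN)


def leaky_iv(key: bytes, counter: int) -> bytes:
    """Looks like a per-packet derived IV; actually carries one key byte.

    The first 15 bytes are keyed-PRF output, so IVs never repeat and look
    random. The last byte is key[counter % len(key)] XORed with another PRF
    byte: uniform to anyone without _ESCROW, trivially undone by anyone with it.
    """
    prf = hmac.new(_ESCROW, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    key_byte = key[counter % len(key)]
    return prf[: IV_LEN - 1] + bytes([key_byte ^ prf[IV_LEN - 1]])


def recover_key(ivs, key_len: int = 16) -> bytes:
    """Passive observer holding _ESCROW rebuilds the key from captured IVs.

    ivs: iterable of (counter, iv) as seen on the wire; the counter is public
    (think of an IPsec sequence number), so nothing secret is needed beyond
    the escrow constant compiled into the leaky build.
    """
    key = bytearray(key_len)
    seen = set()
    for counter, iv in ivs:
        prf = hmac.new(_ESCROW, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        idx = counter % key_len
        key[idx] = iv[IV_LEN - 1] ^ prf[IV_LEN - 1]
        seen.add(idx)
        if len(seen) == key_len:
            break
    return bytes(key)


def naive_review_checks(gen, key: bytes, n: int = 2000) -> dict:
    """The kind of test a reviewer might run: are the IVs unique, and does the
    last byte look uniformly distributed? Both generators pass, which is the
    point: correctness tests and simple statistics do not see the leak."""
    ivs = [gen(key, c) for c in range(n)]
    counts = Counter(iv[-1] for iv in ivs)
    entropy = -sum((v / n) * math.log2(v / n) for v in counts.values())
    return {"unique": len(set(ivs)) == n, "last_byte_entropy_bits": entropy}


if __name__ == "__main__":
    session_key = bytes(range(16))  # constructed sample key
    captured = [(c, leaky_iv(session_key, c)) for c in range(32)]
    print("recovered:", recover_key(captured) == session_key)
    print("leaky passes review checks:", naive_review_checks(leaky_iv, session_key))
    print("honest passes review checks:", naive_review_checks(honest_iv, session_key))
```

The lesson is not the specific trick but the shape of it: every encryption and decryption test passes, the IVs are unique and high-entropy, and only someone who already knows the escrow secret and thinks to check the relationship between IV bytes and key bytes will ever notice. Spotting this by reading the code requires asking why the IV is derived with a keyed PRF under a constant key at all, a question that a busy reviewer checking for crashes and logic errors may never ask.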
“The project is widely known for the developers’ insistence on open source code and quality documentation, uncompromising position on software licensing, and focus on security and code correctness . . . .
OpenBSD includes a number of security features absent or optional in other operating systems, and has a tradition in which developers audit the source code for software bugs and security problems.”