OpenBSD chief believes contractor tried to write backdoors

Discussing allegations, Theo de Raadt says that government contractor Netsec 'was probably contracted to write backdoors.'

The lead developer of the OpenBSD operating system says that he believes that a government contracting firm that contributed code to his project "was probably contracted to write backdoors," which would grant secret access to encrypted communications.

Posting to an OpenBSD discussion list Tuesday, Theo de Raadt said that while he now believes that a company called Netsec may have been involved in backdoors, he doesn't think that any of this software made it into the OpenBSD code base.

The controversy was kicked off last week, after former Netsec CEO Gregory Perry e-mailed de Raadt privately, to warn him that there might be 10-year-old bugs in the software that OpenBSD uses for secure Internet communications. Perry said that the back door code was developed as a way for the U.S. Federal Bureau of Investigation to monitor encrypted communications within the U.S. Department of Justice.

OpenBSD's de Raadt went public with the e-mail, saying he'd rather the whole matter be hashed out in public, and while no one has come forward to back up Perry's allegations (quite the opposite -- two people named in his e-mail have said the claims are false), parts of what Perry claimed do check out.

For example, there really was a government security contractor called Netsec. And as Perry claimed, a Netsec developer named Jason Wright did make contributions to OpenBSD. "I believe that Netsec was probably contracted to write backdoors as alleged," de Raadt said in his posting. "If those were written," he added, "I don't believe they made it into our tree. They might have been deployed as their own product."

According to de Raadt, Wright worked primarily on drivers for OpenBSD. Another Netsec developer, Angelos Keromytis, wrote security code that used these drivers, de Raadt said.

If there is a 10-year-old back door in OpenBSD, it would be hard to identify, as it would probably look just like any other security vulnerability. But it would give anyone who knew about it a way to eavesdrop on supposedly secure Internet communications -- VPN traffic, for example -- that used the buggy software.

Last week, the general reaction to Perry was extremely skeptical. Former FBI agent and computer crime investigator E.J. Hilbert said last week that "the deployment of an open source software with backdoors in it is completely idiotic, because it's open source." He called Perry "a nut." If the FBI created back doors in OpenBSD it would be tantamount to giving criminals a way to break into OpenBSD systems, Hilbert said. "Everybody in the world is going to be looking at it and finding them."

Since Perry's allegations were made public, developers have found two new bugs in OpenBSD, but de Raadt said Tuesday that he thinks that neither of them is a back door.

In fact, de Raadt seems to think that the whole incident has helped OpenBSD. "I am happy that people are taking the opportunity to audit an important part of the tree which many had assumed -- for far too long -- to be safe as it is," he said.

Except for an e-mail note adding some more detail to his allegations, Perry has not commented further on the matter. Reached Tuesday, an FBI spokesman had no comment on the issue. De Raadt did not respond to messages seeking comment for this story.

Perry is CEO with GoVirtual, a VMware services company. When the backdoor code was allegedly added to OpenBSD's IPsec stack, however, he was CEO of Netsec, which did contract work for the FBI. He has said that he came forward because his FBI nondisclosure agreement has expired.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com
