OpenBSD chief believes contractor tried to write backdoors

Discussing allegations, Theo de Raadt says that government contractor Netsec 'was probably contracted to write backdoors.'

The lead developer of the OpenBSD operating system says that he believes that a government contracting firm that contributed code to his project "was probably contracted to write backdoors," which would grant secret access to encrypted communications.

Posting to an OpenBSD discussion list Tuesday, Theo de Raadt said that while he now believes that a company called Netsec may have been involved in backdoors, he doesn't think that any of this software made it into the OpenBSD code base.

The controversy was kicked off last week, after former Netsec CEO Gregory Perry e-mailed de Raadt privately, to warn him that there might be 10-year-old bugs in the software that OpenBSD uses for secure Internet communications. Perry said that the back door code was developed as a way for the U.S. Federal Bureau of Investigation to monitor encrypted communications within the U.S. Department of Justice.

OpenBSD's de Raadt went public with the e-mail, saying he'd rather the whole matter be hashed out in public, and while no one has come forward to back up Perry's allegations (quite the opposite -- two people named in his e-mail have said the claims are false), parts of what Perry claimed do check out.

For example, there really was a government security contractor called Netsec. And as Perry claimed, a Netsec developer named Jason Wright did make contributions to OpenBSD. "I believe that Netsec was probably contracted to write backdoors as alleged," de Raadt said in his posting. "If those were written," he added, "I don't believe they made it into our tree. They might have been deployed as their own product."

According to de Raadt, Wright worked primarily on drivers for OpenBSD. Another Netsec developer, Angelos Keromytis, wrote security code that used these drivers, de Raadt said.

If there is a 10-year-old back door in OpenBSD, it would be hard to identify, as it would probably look just like any other security vulnerability. But it would give anyone who knew about it a way to eavesdrop on supposedly secure Internet communications -- VPN traffic, for example -- that used the buggy software.

Last week, the general reaction to Perry was extremely skeptical. According to former FBI agent and computer crime investigator E.J. Hilbert, "the deployment of an open source software with backdoors in it is completely idiotic, because it's open source," he said last week. He called Perry "a nut." If the FBI created back doors in OpenBSD it would be tantamount to giving criminals a way to breaking into OpenBSD systems, Hibbert said. "Everybody in the world is going to be looking at it and finding them."

Since Perry's allegations were made public, developers have found two new bugs in OpenBSD, but de Raadt said Tuesday that he thinks that neither of them is a back door.

In fact, de Raadt seems to think that the whole incident has helped OpenBSD. "I am happy that people are taking the opportunity to audit an important part of the tree which many had assumed -- for far too long -- to be safe as it is," he said.

Except for an e-mail note adding some more detail to his allegations, Perry has not commented further on the matter. Reached Tuesday, an FBI spokesman had no comment on the issue. De Raadt did not respond to messages seeking comment for this story.

Perry is CEO with GoVirtual, a VMware services company. When the backdoor code was allegedly added to OpenBSD's IPsec stack, however, he was CEO of Netsec, which did contract work for the FBI. He has said that he came forward because his FBI nondisclosure agreement has expired.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags governmentsecurityoperating systemssoftwareU.S. Department of JusticeGovernment use of ITU.S. Federal Bureau of InvestigationNetsec

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?