The lead developer of the OpenBSD operating system says that he believes that a government contracting firm that contributed code to his project "was probably contracted to write backdoors," which would grant secret access to encrypted communications.
Posting to an OpenBSD discussion list Tuesday, Theo de Raadt said that while he now believes that a company called Netsec may have been involved in backdoors, he doesn't think that any of this software made it into the OpenBSD code base.
The controversy was kicked off last week, after former Netsec CEO Gregory Perry e-mailed de Raadt privately, to warn him that there might be 10-year-old bugs in the software that OpenBSD uses for secure Internet communications. Perry said that the back door code was developed as a way for the U.S. Federal Bureau of Investigation to monitor encrypted communications within the U.S. Department of Justice.
OpenBSD's de Raadt went public with the e-mail, saying he'd rather the whole matter be hashed out in public, and while no one has come forward to back up Perry's allegations (quite the opposite -- two people named in his e-mail have said the claims are false), parts of what Perry claimed do check out.
For example, there really was a government security contractor called Netsec. And as Perry claimed, a Netsec developer named Jason Wright did make contributions to OpenBSD. "I believe that Netsec was probably contracted to write backdoors as alleged," de Raadt said in his posting. "If those were written," he added, "I don't believe they made it into our tree. They might have been deployed as their own product."
According to de Raadt, Wright worked primarily on drivers for OpenBSD. Another Netsec developer, Angelos Keromytis, wrote security code that used these drivers, de Raadt said.
If there is a 10-year-old back door in OpenBSD, it would be hard to identify, as it would probably look just like any other security vulnerability. But it would give anyone who knew about it a way to eavesdrop on supposedly secure Internet communications -- VPN traffic, for example -- that used the buggy software.
Last week, the general reaction to Perry was extremely skeptical. According to former FBI agent and computer crime investigator E.J. Hilbert, "the deployment of an open source software with backdoors in it is completely idiotic, because it's open source," he said last week. He called Perry "a nut." If the FBI created back doors in OpenBSD it would be tantamount to giving criminals a way to breaking into OpenBSD systems, Hibbert said. "Everybody in the world is going to be looking at it and finding them."
Since Perry's allegations were made public, developers have found two new bugs in OpenBSD, but de Raadt said Tuesday that he thinks that neither of them is a back door.
In fact, de Raadt seems to think that the whole incident has helped OpenBSD. "I am happy that people are taking the opportunity to audit an important part of the tree which many had assumed -- for far too long -- to be safe as it is," he said.
Except for an e-mail note adding some more detail to his allegations, Perry has not commented further on the matter. Reached Tuesday, an FBI spokesman had no comment on the issue. De Raadt did not respond to messages seeking comment for this story.
Perry is CEO with GoVirtual, a VMware services company. When the backdoor code was allegedly added to OpenBSD's IPsec stack, however, he was CEO of Netsec, which did contract work for the FBI. He has said that he came forward because his FBI nondisclosure agreement has expired.
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com