Former contractor alleges OpenBSD has FBI backdoors

A former US Government contractor has claimed the FBI placed a number of backdoors into the OpenBSD operating system.

In an email made public on Tuesday, Gregory Perry, former chief technologist at the now-defunct Network Security Technology (NETSEC), claimed a 10-year non-disclosure agreement (NDA) with the FBI had recently expired and he felt it was time to speak out. During his time at NETSEC, Mr Perry was reportedly a consultant for the FBI's GSA Technical Support Center.

''I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF [OpenBSD Crypto Framework], for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI,'' he said.

The e-mail was sent to OpenBSD founder Theo de Raadt, who posted it publicly and washed his hands of what he believed to be a ''conspiracy''.

''The mail came in privately from a person I have not talked to for nearly 10 years. I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public so that
    (a) those who use the code can audit it for these problems,
    (b) those that are angry at the story can take other actions,
    (c) if it is not true, those who are being accused can defend themselves,'' he said.

It is unclear if Mr Perry's claims have any merit - Mr de Raadt noted that the code in question has gone through many revisions in the decade since it was allegedly tampered with and the supposed backdoors may no longer exist.

On its website, OpenBSD is claimed to be a ''Multiplatform Ultra-Secure Operating System''.

Mr Perry named developer Jason Wright as one of several individuals responsible for implementing the backdoors.

''You would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC,'' he said.

Mr Wright yesterday angrily denied any involvement and categorically denied adding any backdoors to OpenBSD or the OpenBSD Crypto Framework.

''I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF),'' he said.

''I demand an apology from Greg Perry (cc'd) for this accusation.  Do not use my name to add credibility to your cloak and dagger fairy tales.''

In a tweet, former FBI agent E.J. Hilbert claimed the OpenBSD ''experiment'' occurred, but was unsuccessful.


I thought this was common knowledge for a while now and was surprised this was even considered news.

The only thing that is odd is the method and 'story' regarding the backdoor, as it is not a 'backdoor' that directly exists in code, as that would have been fairly obvious and possibly found by now. Also it was not the FBI that initially had this access information.

The NSA has access to an encryption key that will validate, even though the key is normally randomly generated. It works in a reverse key mechanism if I remember correctly, so that they can generate a duplicated valid key at any time.

This news originally was 'known' at the time Microsoft was introducing Bitlocker during the development of Vista and was demonstrating Bitlocker to the FBI for internal use that would be secure for laptops in the field. This did raise conversations with Microsoft, the FBI and the NSA at the time; however, no compromise was made because the NSA already was capable of brute force cracking any level of encryption.

So this is kind of news, but not really news as it was talked about years ago, and it became widely known at a time when it also became known how good the NSA was at just powering through virtually all encryption.

So even Bitlocker or NTFS encryption or whatever encryption or crypto technology or framework you might use is 'virtually' safe from most of the world, but if it is important enough, the NSA can pop it if needed. And it doesn't matter if they do it with a key crack like in OpenBSD or if they invest the time and CPU cycles to just brute force break it.

So, maybe news to some, but not something that really matters when you consider what the NSA is capable of anyway.

could be true, sure the source code is open and free, but don't build their own version, don't you just download a CD like Ubuntu and install it, so one could say that when they build the version for CDs then they add in the backdoors? (I could be wrong)

lflashl said,
could be true, sure the source code is open and free, but don't build their own version, don't you just download a CD like Ubuntu and install it, so one could say that when they build the version for CDs then they add in the backdoors? (I could be wrong)

The article discusses backdoors deliberately left in the source code.
Some could be added before distribution (like Google adding spy modules during Chromium->Chrome conversion), but it's rather rare.