Professional Soldiers ® > Technical FAQ Forum > Technology News and Reviews

Old 12-14-2010, 18:00   #1
perdurabo
Guerrilla
 
Join Date: Nov 2008
Location: Pacific Northwest
Posts: 356
Allegations regarding OpenBSD IPSec

http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

Summary: Former OpenBSD engineer claims the FBI paid some engineers to backdoor their IPSec implementation.

It could be some crazy ramblings, or it may have some truth to it.

IPSec is used to secure network links across IP-based networks. It's my understanding that OpenBSD's implementation is widely used in other products, similar to OpenSSH.

http://en.wikipedia.org/wiki/Openbsd
http://en.wikipedia.org/wiki/Ipsec
Old 12-15-2010, 09:36   #2
Slantwire
Quiet Professional
 
Join Date: Mar 2006
Posts: 407
Quote:
Originally Posted by perdurabo View Post
Summary: Former OpenBSD engineer claims the FBI paid some engineers to backdoor their IPSec implementation.

It could be some crazy ramblings, or it may have some truth to it.
First impression I'm going with is "crazy ramblings."

OpenBSD is "Open" because it's "open source." As in, anyone can (and is encouraged to) download the raw source code and read it. Spot flaws and report them, even submit code fixes. But submitted changes are audited heavily before being accepted. That's partly to prevent "cure is worse than the disease" situations with badly-written fixes, and also to prevent someone trying to sabotage the code. It's possible someone slipped something in, but a security-minded open source project seems like the most difficult target to do so.

Secondly, the guy who supposedly started this states that his "NDA with the FBI recently expired." I can't speak for others, but I've never signed an NDA that had an expiration date.

The alleged original email has Perry specifically complaining about Bureau types pushing OpenBSD for virtual machine use.... and his signature references VMware, which is probably the biggest seller of virtual machine software. So there are potentially some business competition motives as well.

Also.... the FBI supposedly implemented this secret flaw, leaked it to DARPA, and it still stayed secret until now? Call me skeptical.

I'd say either Perry, de Raadt, or an impostor is making things up.
__________________
..-. .. -. .- .-.. .-.. -.-- | .- -. | . -.-. .... --- | .-.-.

Last edited by Slantwire; 12-15-2010 at 09:46.
Old 12-15-2010, 13:10   #3
perdurabo
Guerrilla
 
Join Date: Nov 2008
Location: Pacific Northwest
Posts: 356
Quote:
Originally Posted by Slantwire View Post (post #2 above, quoted in full)
Great points, and it should be verifiable in short order by examining the diffs from the committer logs for the people in question.

I'm not buying it.
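As an added example (not from this thread and not OpenBSD project code), here is one way to do what the last post suggests using a git mirror of the OpenBSD source tree: pull up every commit by a named committer that touched the IPsec code within a date window, then read the diffs one at a time. The demo repository, its authors and its dates are constructed for the example; the default path list points at the real locations of the kernel IPsec code (sys/netinet) and the IKE daemon (sbin/isakmpd), but pass your own paths if your checkout is laid out differently. In 2010 the project used CVS rather than git, so on a CVS checkout the equivalent starting point is `cvs log`.

```shell
#!/bin/sh
# Added example: audit commits by author against the IPsec code in a git
# checkout of the OpenBSD src tree (e.g. a clone of the GitHub mirror
# openbsd/src). Nothing here is OpenBSD project tooling.

# ipsec_commits REPO AUTHOR SINCE UNTIL [PATH...]
# Prints one commit hash per line, oldest first, for commits whose author
# matches AUTHOR (git treats this as a regex) between SINCE and UNTIL that
# touched any of the given paths (default: kernel IPsec code and isakmpd).
ipsec_commits() {
    repo=$1; author=$2; since=$3; until=$4; shift 4
    if [ $# -eq 0 ]; then
        set -- sys/netinet sbin/isakmpd
    fi
    git -C "$repo" log --reverse --format=%H \
        --author="$author" --since="$since" --until="$until" \
        -- "$@"
}

# count_ipsec_commits: same arguments, but only the number of matching commits
# (useful for a quick triage table of who touched what, and when).
count_ipsec_commits() {
    ipsec_commits "$@" | wc -l | tr -d ' '
}

# review_ipsec_commits: same arguments; shows each matching diff with its
# file stats so a reviewer can read the actual change rather than the log line.
review_ipsec_commits() {
    repo=$1
    ipsec_commits "$@" | while read -r h; do
        git -C "$repo" show --stat -p "$h"
    done
}

# demo_commit DIR AUTHOR DATE FILE MSG: append a line to FILE and commit it
# under a given author name and date (constructed data for the demo only).
demo_commit() {
    dir=$1; author=$2; date=$3; file=$4; msg=$5
    printf '%s\n' "$msg" >> "$dir/$file"
    git -C "$dir" add -A
    GIT_AUTHOR_NAME=$author GIT_AUTHOR_EMAIL="$author@example.invalid" \
    GIT_AUTHOR_DATE=$date GIT_COMMITTER_DATE=$date \
        git -C "$dir" commit -q -m "$msg"
}

# make_demo_repo DIR: build a throwaway repository so the functions can be
# exercised offline. Authors "alice" and "bob", the dates and the messages are
# invented; only the directory names mirror the real tree.
make_demo_repo() {
    dir=$1
    git init -q "$dir"
    git -C "$dir" config user.email demo@example.invalid
    git -C "$dir" config user.name demo
    mkdir -p "$dir/sys/netinet" "$dir/sbin/isakmpd" "$dir/usr.bin/ssh"
    demo_commit "$dir" alice 2000-01-10T12:00:00 sys/netinet/ip_esp.c "esp: initial"
    demo_commit "$dir" bob   2000-02-01T12:00:00 sys/netinet/ip_ah.c  "ah: tweak"
    demo_commit "$dir" alice 2000-03-05T12:00:00 sbin/isakmpd/ike.c   "isakmpd: cookie"
    demo_commit "$dir" alice 2000-04-01T12:00:00 usr.bin/ssh/sshd.c   "sshd: unrelated"
    demo_commit "$dir" alice 2001-06-01T12:00:00 sys/netinet/ip_esp.c "esp: out of window"
}

# Usage against a real checkout, e.g.:
#   ipsec_commits ~/src/openbsd 'Some Committer' 2000-01-01 2001-12-31
#   review_ipsec_commits ~/src/openbsd 'Some Committer' 2000-01-01 2001-12-31 sys/netinet
```

Two caveats a reviewer would keep in mind: a search by author name only finds changes recorded under that name, so a commit made on someone's behalf, or a flaw introduced by a committer nobody suspected, is invisible to it, which is why reading the IPsec code itself rather than just the filtered log is the part that actually settles the question; and `--author` is a substring regex, so quote it and check that it is not matching more people than intended.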
Copyright 2004-2022 by Professional Soldiers ®