Developer Says FBI Fiddled With OpenBSD
December 16, 2010
A former contributor to the code in the OpenBSD operating system that handles encryption of data has alleged that the FBI paid developers working on the code to write in backdoor mechanisms to circumvent authentication and give law enforcement unfettered access to data.
If it’s true, it could have widespread implications for the security of systems built on open-source code. If not true, it could just be an attempt to undermine the OpenBSD community and spread fear, uncertainty, and doubt among those using secure communications based on open-source. Either way, it’s bound to cast a shadow on OpenBSD and on a variety of other systems that have leveraged the OpenBSD Crypto Framework (OCF). OCF has been ported to Linux and is integrated into a large number of derivative systems.
In an email to Theo de Raadt, one of the founders of the OpenBSD and OpenSSH projects, Gregory Perry, CEO of VMware training solutions provider GoVirtual Education, alleged that he had a non-disclosure agreement with the FBI that had recently expired. He said that this NDA had covered knowledge of work the FBI sponsored to implement "a number of backdoors and side channel key leaking mechanisms into the [OpenBSD Crypto Framework], for the express purpose of monitoring the site-to-site VPN encryption system implemented by EOUSA [the Executive Office for United States Attorneys]," a coordinating office within the US Department of Justice.
Perry named a specific developer involved in the FBI’s efforts — Jason L. Wright, who works for the Department of Energy’s Idaho National Laboratory, and is a contributor to the OpenBSD project and one of the developers of the OpenBSD Crypto Framework. He and "several other developers were responsible for those backdoors," Perry contended. He advised de Raadt that all the code Wright had contributed should be checked over.
From the description Perry gives — that the work was done under NDA, and not under some level of government classification — it sounds as if the FBI wasn’t looking to wiretap servers, but was hoping to gain key-recovery capability for the Department of Justice’s own servers. If there was any work done, it might have been limited to developing a version of OCF for internal use by DOJ and the FBI and not rolled into the wider OpenBSD distribution.
There’s another issue with the charge: The code for OCF is widely published and open to constant review. So any backdoors put into the code would have had to have been subtle and obfuscated to escape the eyes of coders studying the source.
And there’s evidence that suggests this may all be a smear campaign. There are parts of the story that don’t hold up well to scrutiny — or at least that are being denied by people Perry named. Scott Lowe, who Perry said was on the FBI payroll and had been advocating the use of OpenBSD for VPNs and firewalls, has denied any involvement with the FBI and says he doesn’t advocate the use of OpenBSD.
As of press time, an FBI spokesperson had issued no response to a request for comment from Internet Evolution.
If any agency were trying to insert backdoors into OpenBSD, you’d think it would be the National Security Agency (NSA). That is the agency that has been responsible for much of the work on "secure" versions of Linux and on cryptographic standards, and it has a history of pushing forward commercial encryption systems that have backdoors. But why would a government agency pay to have backdoors put into software it uses that are then widely distributed — and if discovered, potentially used against them?
There certainly is room for concern over backdoors. Ever since the passing of the Patriot Act, Internet traffic entering and leaving the US is subject to potential surveillance. In a conversation I recently had with a hospital CIO in Toronto, he said that he was prohibited from using cloud-based healthcare software from companies in the US because of the potential disclosure of patient information due to US government surveillance.
Many within the OpenBSD community question his motives. But the charges certainly will give people who operate VPNs based on OCF reason for pause until the source code has been combed over again.