FBI Poked Spy Hole in OpenBSD, Says Former Contractor
Dec 15, 2010 12:26 PM PT
Allegations surfaced Tuesday that the FBI put backdoors into the network stack of OpenBSD.
They were made by a Gregory Perry, who claimed to be chief technology officer of NETSEC, a government contractor.
The allegations were emailed to Theo de Raadt, founder of OpenBSD.
de Raadt sent it on to the OpenBSD community, stating he wouldn't speak to Perry about the issue and suggesting the community can take whatever action it sees fit.
Perry alleged that while he was the chief technology officer at NETSEC about a decade ago, he did some consulting for the FBI's GSA Technical Support Center.
The FBI implemented some backdoors and side channel key leaking mechanisms into the OpenBSD Crypto Framework, Perry claimed. This was to monitor the site-to-site virtual private network (VPN) encryption system implemented by the Executive Office for United States Attorneys, Perry said. Now that his non-disclosure agreement has expired, he claimed, he's free to share the secret.
Perry claimed several developers were responsible for those backdoors and urged de Raadt to review code written by Wright and other developers. He also alleged that "inside FBI folks" are advocating the use of OpenBSD for implementing VPNs and firewalls.
Neither Perry nor the FBI responded to requests for comment by press time.
The Mystery of the Perry
Perry's something of an enigma -- GoVirtual Education, the company he now claims to be CEO of, could not be immediately spotted using a direct Google search for the name.
The website of NETSEC, the company of which he claimed to have been CTO 10 years ago, has been archived, and attempts to contact it through the site failed.
NETSEC claims to have been a professional services firm dealing with security architecture and engineering, among other things. It also claimed to have provided a 24/7 computer emergency response team capability to the Executive Office of the United States Attorneys for three years.
The Perry Cloud of Uncertainty
Perry's allegations may be unfounded, Chris Wysopal, cofounder and CTO of Veracode, told TechNewsWorld.
"There's a few things that don't make sense," Wysopal pointed out. "One is that, if the government had a contract with an organization to put in a backdoor, that would be a government secret that wouldn't expire after a certain amount of time. So I can't see how an NDA about this would expire."
On the other hand, if backdoors had been inserted into the crypto framework, they'd be difficult to detect.
"You need to do an in-depth analysis line by line of the code and look for different side effects that the code might have," Wysopal explained. "If you're not a crypto expert, I don't think you'd find the backdoor by just eyeballing the code," he added.
However, there's a chance that Perry's allegations might have some truth to them.
"There have been rumors since the early '80s that the National Security Agency had a backdoor into the DES encryption algorithm," Bill Roth, executive vice president at LogLogic, told TechNewsWorld. "So it's not surprising that the U.S. government or indeed any government would do this. What's surprising is that we hadn't head about it sooner."
Perhaps developers were blinded by their specialist expertise so they couldn't see the backdoor code, Charles King, principal at Pund-IT, suggested.
"Few developers examine protocols beyond their bailiwicks," King explained.
What About the Open Source Community?
Perry's comments have led many developers to begin auditing the OpenBSD IPSEC stack, King told TechNewsWorld. However, no one has confirmed the existence of any backdoors so far, he added.
"Coming in the midst of the controversy surrounding WikiLeaks, I expect this issue to spark vigorous dialog and debate, but it would be a mistake to paint it in simplistic black and white terms," King warned.
On the other hand, OpenBSD is one of the smaller OS distributions. "Other operating environments, including Linux, Windows, FreeBSD and OS X offer similar functionality," King pointed out.
Indeed, some open source software vendors said they don't even use the OpenBSD Crypto Framework.
"We don't use that library at all, so it has no impact on us directly," Meghan Gill, a spokesperson for 10gen, which offers the MongoDB open source non-relational database, told TechNewsWorld.
"Mozilla does not use OpenBSD or their crypto stack," Mozilla Foundation spokesperson Melissa Shapiro told TechNewsWorld.
The OpenBSD Foundation stepped away from the issue of backdoors when contacted for comment.
"The OpenBSD Foundation does not and cannot speak for or on behalf of the OpenBSD project, related projects, or the individuals in the communities of the projects in any way," foundation spokesperson Kenneth Westerback told TechNewsWorld.
The foundation did not exist at the time the backdoor project was allegedly launched, Westerback added.
"Berkeley Systems Distribution is a version of Unix that's been out since the late '70s," LogLogic's Roth pointed out. There could have been many changes made to the source code in that time, he said.