FBI accused of installing backdoor in OpenBSD operating system
Former contractor says agency was eavesdropping on VPNs used by U.S. attorneys
- By William Jackson
- Dec 15, 2010
Editor's note: This story was updated at 9 a.m. Dec. 16 to add comments from Jason Wright.
A former FBI consultant claims the FBI had backdoors installed in the supposedly secure OpenBSD operating system to allow the agency to eavesdrop on virtual private networks used by U.S. attorneys nearly a decade ago.
Gregory Perry, now CEO of GoVirtual Education, made the allegation Dec. 11 in a personal e-mail to OpenBSD founder Theo de Raadt, who published it three days later on the OpenBSD Tech mailing list.
“That message sent to Theo was not intended for public consumption but rather as a call to audit the OpenBSD codebase, which has been used to create derivative products in the thousands,” Perry told GCN.
Jason Wright, a developer named by Perry as one of those who inserted backdoor software and who now is an engineer at the Energy Department’s Idaho National Laboratory, denied the allegation in his own posting, calling it a “cloak and dagger fairy tale.”
“I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework,” he wrote. “I welcome an audit of everything I committed to OpenBSD’s tree.”
Wright demanded an apology from Perry and chastised de Raadt for publishing the accusation with no warning to him.
De Raadt in his posting agreed that publishing a personal message was troublesome. “However, the ‘little ethic’ of a private mail being forwarded is much smaller than the ‘big ethic’ of government paying companies to pay open-source developers to insert privacy-invading holes in software.”
The backdoor was supposedly included in the IPSEC stack that provides cryptography for VPNs. Access to cryptographic keys could allow an eavesdropper to decipher VPN traffic.
“Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are,” de Raadt wrote in his post.
De Raadt said he was publishing the accusation so that the software’s code could be checked for problems. “We are auditing code at the moment trying to find non-obvious mistakes and at the same time waiting to see if any other facts come up,” he told GCN.
So far there have been no reports that backdoor code has been found in the software. The FBI did not immediately return requests for comment.
OpenBSD is a Unix-based operating system developed from the Berkeley Software Distribution. De Raadt established the project in Canada in 1995 after leaving the NetBSD project, and the first version was released in 1996. There have been new releases about every six months. The current version, 4.8, was released in November.
Hardware platforms supported by OpenBSD are:
Digital Alpha-based systems.
ARM-based appliances (by Thecus, IO-DATA, and others).
Hewlett-Packard HP 9000 series 300 and 400 workstations.
Hewlett-Packard Precision Architecture (PA-RISC) systems.
Standard PC and clones based on the Intel i386 architecture and compatible processors.
IO-DATA Landisk systems (such as USL-5P) based on the SH4 CPU.
Loongson 2E- and 2F-based systems, such as the Lemote Fuloong and Yeeloong, Gdium Liberty, etc.
Apple New World PowerPC-based machines, from the iMac onward.
Motorola 680x0-based VME systems.
Motorola 881x0-based VME systems.
SGI MIPS-based workstations.
Freescale PowerPC SoC-based machines.
Sun sun4, sun4c, sun4e and sun4m class SPARC systems.
Sun UltraSPARC and Fujitsu SPARC64 systems.
Digital VAX-based systems.
Sharp Zaurus C3x00 PDAs.
Perry said he was working as a consultant for the FBI with the GSA Technical Support Center, which he described as “a cryptographic reverse-engineering project aimed at back-dooring and implementing key escrow mechanisms for smart card and other hardware-based computing technologies.” He said the backdoors were explicitly to monitor VPN traffic of the Executive Office for U.S. Attorneys, a DOJ office that acts as a liaison between the department and the 93 U.S. attorneys across the country.
“This is not new to the FBI, they have been creating these types of alliances for quite some time now, with InfraGard being the best example of how the FBI interfaces with the commercial sector to accomplish their goals,” Perry told GCN.
He said that by the late 1990s there was official uneasiness about the FBI assuming any role in cryptographic export controls and that the agency’s efforts were redirected toward projects such as the GSA Technical Support Center and partnerships with communications providers.