IPSec Backdoor?
If you haven’t already seen the news on Slashdot, Reddit, Ars Technica, OS News, or other sites: Theo de Raadt, the OpenBSD project leader, has made public a letter sent to him by one of the original contributors to the OpenBSD IPSec network stack, which was developed about 10 years ago. The letter states that the FBI had inserted backdoors into the code while working for NETSEC. As Theo mentions in his response, it’s uncertain to what extent this affects OpenBSD or any other project that has borrowed code from it.
I think it’s important to take these allegations with a very large grain of salt. Being an open source project, OpenBSD has its code scrutinized by many eyes, and it undergoes the rounds of security audits that the Unix-like operating system is so well known for. Why this is only now being brought forward is anyone’s guess. Gregory Perry, who sent the email to Theo, claims that it’s because his NDA has expired. Also interesting to note: Scott Lowe, who is mentioned in the email as having some sort of ultimatum for his recent OpenBSD advocacy, has refuted the claims, stating that he has never been affiliated with the FBI.
In any event, I am certain that OpenBSD developers will exercise due diligence by auditing the code to see if there is any warrant to the claims made by Perry. I don’t think this is anything to become paranoid about.
Here is an excerpt from Theo’s response:
The mail came in privately from a person I have not talked to for nearly 10 years. I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public so that
(a) those who use the code can audit it for these problems,
(b) those that are angry at the story can take other actions,
(c) if it is not true, those who are being accused can defend themselves.