Allegations of OpenBSD Backdoors May be True, Updated
It was just last week that Theo de Raadt, OpenBSD founder and developer, posted an email that claimed the Federal Bureau of Investigations paid OpenBSD developers to leave backdoors in its IPSEC network security stack. Since then early audits have found some questionable code, contributors denied any wrongdoing, and the original source reaffirmed his allegations.
When the original post hit the mailing list December 14, journalists attempted to contact those named in the allegation. Brian Proffitt, FOSS journalist at ITWorld, contacted two individuals by the name given in the original email as participating in the deception and received denials from both. Another named in the email, Jason Wright, answered the posting from de Raadt saying,
Every urban lengend is made more real by the inclusion of real names, dates, and times. I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF). The code I touched during that work relates mostly to device drivers to support the framework. I don't believe I ever touched isakmpd or photurisd (userland key management programs), and I rarely touched the ipsec internals (cryptodev and cryptosoft, yes). However, I welcome an audit of everything I committed to OpenBSD's tree. I demand an apology.
Gregory Perry, original source of de Raadt's information, suggested a review of all the code committed by "Jason Wright and several other developers he worked with originating from NETSEC." de Raadt told iTWire's Sam Varghese that "Until 2 days ago I had no idea that both Jason and Angelos (Keromytis) in the past did work for a company that does that business. And it is true, wow, that company really was in that business! Now they (the company) belong to Verizon."
Varghese spoke with Perry who defended his claims saying, "I have absolutely, positively nothing to gain from making those statements to Theo, and only did so to encourage a source code audit of the OpenBSD Project based upon the expiry of my NDA with the FBI. Being in any limelight is not my bag at all. If I had this to do over again, I would have sent an anonymous postcard to WikiLeaks."
It'll take time to go through all the code but de Raadt said "two bugs in our cryptographic code" have already been found. "We are assessing the impact. We are also assessing the 'archeological' aspects of this," he added.
No further information on the nature or significance of these bugs was given, but the scope of the allegations have far reaching implications for OpenBSD and Open Source in general. OpenBSD is used in many commercial solutions based on its reputation of being very secure. If security risks of this magnitude are found it could undermine this long earned reputation and call into question the very concept of "many eyes." de Raadt said that the many eyes concept is very real, but the Open Source working relationship is greatly based on trust and not every commit is reviewed. The wide sweeping effects of any deliberate security holes found in OpenBSD could very well be less trust and more review within Open Source projects across the board.
UPDATE: In further developments, de Raadt said yesterday that Angelos had worked on the cypto stack in question for four years when accepting a contract at NETSEC. Angelos "wrote the crypto layer that permits our ipsec stack to hand-off requests to the drivers that Jason worked on. That crypto layer ontained the half-assed insecure idea of half-IV that the US govt was pushing at that time. Soon after his contract was over this was ripped out."
de Raadt further said, "I believe that NETSEC was probably contracted to write backdoors as alleged.
If those were written, I don't believe they made it into our tree. They might have been deployed as their own product.
If such NETSEC projects exists, I don't know if Jason, Angelos or others knew or participated in such NETSEC projects."
So, it appears the original allegations that developers working on OpenBSD networking code could have worked on backdoors but there is no proof and had opportunity to add them to OpenBSD but they probably didn't. And if they did, it was probably pulled out long ago anyway. The bugs previously mentioned were not found to backdoor code.
Audits and overall basic cleanup of code continues.
Susan Linton is a Linux writer and the owner of tuxmachines.org.
Practical Task Scheduling Deployment
July 20, 2016 12:00 pm CDT
One of the best things about the UNIX environment (aside from being stable and efficient) is the vast array of software tools available to help you do your job. Traditionally, a UNIX tool does only one thing, but does that one thing very well. For example, grep is very easy to use and can search vast amounts of data quickly. The find tool can find a particular file or files based on all kinds of criteria. It's pretty easy to string these tools together to build even more powerful tools, such as a tool that finds all of the .log files in the /home directory and searches each one for a particular entry. This erector-set mentality allows UNIX system administrators to seem to always have the right tool for the job.
Cron traditionally has been considered another such a tool for job scheduling, but is it enough? This webinar considers that very question. The first part builds on a previous Geek Guide, Beyond Cron, and briefly describes how to know when it might be time to consider upgrading your job scheduling infrastructure. The second part presents an actual planning and implementation framework.
Join Linux Journal's Mike Diehl and Pat Cameron of Help Systems.
Free to Linux Journal readers.Register Now!
- Murat Yener and Onur Dundar's Expert Android Studio (Wrox)
- SUSE LLC's SUSE Manager
- My +1 Sword of Productivity
- Managing Linux Using Puppet
- Non-Linux FOSS: Caffeine!
- Tech Tip: Really Simple HTTP Server with Python
- SuperTuxKart 0.9.2 Released
- Parsing an RSS News Feed with a Bash Script
- Doing for User Space What We Did for Kernel Space
- Google's SwiftShader Released
With all the industry talk about the benefits of Linux on Power and all the performance advantages offered by its open architecture, you may be considering a move in that direction. If you are thinking about analytics, big data and cloud computing, you would be right to evaluate Power. The idea of using commodity x86 hardware and replacing it every three years is an outdated cost model. It doesn’t consider the total cost of ownership, and it doesn’t consider the advantage of real processing power, high-availability and multithreading like a demon.
This ebook takes a look at some of the practical applications of the Linux on Power platform and ways you might bring all the performance power of this open architecture to bear for your organization. There are no smoke and mirrors here—just hard, cold, empirical evidence provided by independent sources. I also consider some innovative ways Linux on Power will be used in the future.Get the Guide