Allegations of OpenBSD Backdoors May be True, Updated


It was just last week that Theo de Raadt, OpenBSD founder and developer, posted an email that claimed the Federal Bureau of Investigation paid OpenBSD developers to leave backdoors in its IPSEC network security stack. Since then, early audits have found some questionable code, contributors have denied any wrongdoing, and the original source has reaffirmed his allegations.

When the original post hit the mailing list on December 14, journalists attempted to contact those named in the allegation. Brian Proffitt, FOSS journalist at ITWorld, contacted two individuals who share a name the original email gave as a participant in the deception and received denials from both. Another person named in the email, Jason Wright, answered de Raadt's posting, saying,

Every urban legend is made more real by the inclusion of real names, dates, and times. I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF). The code I touched during that work relates mostly to device drivers to support the framework. I don't believe I ever touched isakmpd or photurisd (userland key management programs), and I rarely touched the ipsec internals (cryptodev and cryptosoft, yes). However, I welcome an audit of everything I committed to OpenBSD's tree. I demand an apology.

Gregory Perry, original source of de Raadt's information, suggested a review of all the code committed by "Jason Wright and several other developers he worked with originating from NETSEC." de Raadt told iTWire's Sam Varghese that "Until 2 days ago I had no idea that both Jason and Angelos (Keromytis) in the past did work for a company that does that business. And it is true, wow, that company really was in that business! Now they (the company) belong to Verizon."

Varghese spoke with Perry who defended his claims saying, "I have absolutely, positively nothing to gain from making those statements to Theo, and only did so to encourage a source code audit of the OpenBSD Project based upon the expiry of my NDA with the FBI. Being in any limelight is not my bag at all. If I had this to do over again, I would have sent an anonymous postcard to WikiLeaks."

It'll take time to go through all the code but de Raadt said "two bugs in our cryptographic code" have already been found. "We are assessing the impact. We are also assessing the 'archeological' aspects of this," he added.

No further information on the nature or significance of these bugs was given, but the scope of the allegations have far reaching implications for OpenBSD and Open Source in general. OpenBSD is used in many commercial solutions based on its reputation of being very secure. If security risks of this magnitude are found it could undermine this long earned reputation and call into question the very concept of "many eyes." de Raadt said that the many eyes concept is very real, but the Open Source working relationship is greatly based on trust and not every commit is reviewed. The wide sweeping effects of any deliberate security holes found in OpenBSD could very well be less trust and more review within Open Source projects across the board.

UPDATE: In further developments, de Raadt said yesterday that Angelos had worked on the crypto stack in question for four years when he accepted a contract at NETSEC. Angelos "wrote the crypto layer that permits our ipsec stack to hand-off requests to the drivers that Jason worked on. That crypto layer contained the half-assed insecure idea of half-IV that the US govt was pushing at that time. Soon after his contract was over this was ripped out."

de Raadt further said, "I believe that NETSEC was probably contracted to write backdoors as alleged.

If those were written, I don't believe they made it into our tree. They might have been deployed as their own product.

If such NETSEC projects exists, I don't know if Jason, Angelos or others knew or participated in such NETSEC projects."

So, it appears that the developers working on OpenBSD networking code named in the original allegations could have worked on backdoors, though there is no proof of it, and that they had the opportunity to add them to OpenBSD but probably didn't. And if they did, the code was probably pulled out long ago anyway. The bugs previously mentioned were not found to be backdoor code.

Audits and overall basic cleanup of code continues.

______________________

Susan Linton is a Linux writer and the owner of tuxmachines.org.

Comments


Its open. Wide open.

Posted by astinsan

I think it is funny that this happens to openbsd of all *nix like systems out there... openbsd. They used to be very particular about what goes into their system. Sounds like they degraded to the good ol' boys club.

The sad part is, regardless of what anyone says over at openbsd, there is no fixing this. The only fix will be breaking it up into another distro and restructuring the chain of custody to keep it from happening again.

Jay

Open Source

Posted by seslipanel

Soryy man , Their not even remotely similar ? Thanks


The Reality of ODD!

Posted by Anonymous

The first paragraph was about how odd the ways security is bought and sold by the public & security providers both criminal or not.

The second paragraph was about the insecurity regardless of whatever efforts, but of course open source doesn't mean open the door.

Hope that clears it up. I like open source; I think it's a better secure front, in fact, because if there is bad open code it is more likely to be reported faster publicly than closed code. If you report [reveal] bad closed code you could still face litigation problems and you could end up prosecuted for a seemingly good deed. If I'm wrong, who do you report to? How sure can you be that whoever you report to will bring valued results on closed code? Can you trust a software company that reports on itself while its code is closed to the public? And last, how come the reporting resources [if any] are not common erk... open?

Self Modifying Security?

Posted by Anonymous

With this era of paranoiac terror, there are many assuming themselves a higher authority over others where security concerns are considered. Under that constructed logic, to whomever thinks that way, murder mystery novels at the local library are really how-to books for the idiots. Smart would be ripping out the last pages and opting for a fee to receive a copy of the ending? Of course that would place all readers not buying in to resolving the conclusion as potential suspects.

Self-modifying code can be put anywhere, anytime, and under a clock-set trigger to modify; then the backdoors appear, and they can also be made to close and revert things back to normal. In fact I found out that just following the basic need for security, or more for self comfort, is ALL anyone can do. Some of my files have been vanishing from my system frequently, and sometimes with my quick eye and feelings I note others are lurking in my computer. The only secure thing left in this world is your private thoughts in your mind.

Guilt and security capitalized on at the same time like the library idea above, the social perversion unnaturally continues.

Uh?

Posted by Anonymous

Dude, what are you trying to say?

Very important topic, a big

Posted by voyance

Very important topic, a big thanks to you

Please have some common decency

Posted by Sam Varghese

What a ripoff! Lady, if you're quoting from my piece, kindly have the common decency to link to it. Else, do your own homework. http://www.itwire.com/opinion-and-analysis/open-sauce/43995-openbsd-back...

How on earth do you believe

Posted by Anonymous

How on earth do you believe this article is a steal of yours ? Their not even remotely similar.

How on earth do you believe

Posted by Anonymous

How on earth do you believe this article is a steal of yours ? Their not even remotely similar.

Ironic that you would defend someone else's writing with poor grammar and spelling. Please look up the dictionary definition of "their" and then look up "they're".

You're (as in YOU ARE, not your) confusing 2 homophones. If you are an adult, it means you waddled through school never understanding why your teachers would always put red-ink squiggles on your school reports.

You would do better in these conversations if you listened more than spoke.

Now Hear This!!!

Posted by Anonymous

It is people like you who get beat up at traffic lights (only beat up if their fortunate) school cafeterias and locker rooms for being condescending nerds. Roll that up in your college degree and smoke it.

Do you really expect such a snotty lecture on grammar and spelling will motivate anyone to practice the lost art of writing with any more care than they currently demonstrate?

If proper spelling and grammar would find me as a peer to the likes of you I say !@$% it. Cal me stoopid!

HOPE I didn't misspell any of that!

Oh, and on the off chance that I did not express myself with sufficient clarity... PISS OFF!

just because...

Posted by Dulwithe

just because his grammar is bad doesn't mean his point is off base. And it seems like a typo due to quick writing. How many times have you made typos in quickly written correspondence, or should I assume that you never have made mistakes with your homophones?? Or perhaps you are homophonophobic??

And it seems like a typo due

Posted by Anonymous

And it seems like a typo due to quick writing.

That's not applicable here. A typo is replacing a real word with a mutant word by transposing, adding, or removing a letter (for example, "teh best").

When someone uses "their" (possessive) in place of "they're" (they-are), it's an offense against everyone around them. Unlikely is the case they have never been corrected; they do it for the same reasons the will-not-capitalize first word or will-not-use-punctuation crowd do it: to get back at those who corrected them in school. While the Internet has been great for communication, it has had the negative impact of democratizing anti-intellectualism. It's now considered acceptable to turn in papers which desecrate the English language.

PS - It is good to see Susan acknowledge her quotation/citation error. Both Sam and Susan are excellent writers. :-)

Can't see the forest for the trees...

Posted by Dulwithe

While I could go into a diatribe on the definition of typo, the fact that you have responded in this way shows that:

1) You focus too much on the slight grammatical/typing mishap. (That is normally considered a "typo".)
2) You avoided addressing the point that just because a person's grammar and/or spelling is bad does not mean that his/her point is any less valid.

Grammar Nazi alert...

Posted by Anonymous

Grammar Nazi alert...

Grammar

Posted by Anonymous

Can't take you seriously with your poor grammar.

That's not what Sam claimed

Posted by Ryan Rix

That's not what Sam claimed at all, just that if you're going to cite another story, it's common courtesy to actually, you know, link to it. Seems fair in my book.

It's not just citing my stories either

Posted by Sam Varghese

Look at the three paragraphs below:

---------
Gregory Perry, original source of de Raadt's information, suggested a review of all the code committed by "Jason Wright and several other developers he worked with originating from NETSEC." de Raadt told iTWire's Sam Varghese that "Until 2 days ago I had no idea that both Jason and Angelos (Keromytis) in the past did work for a company that does that business. And it is true, wow, that company really was in that business! Now they (the company) belong to Verizon."

Sam Varghese spoke with Perry who defended his claims saying, "I have absolutely, positively nothing to gain from making those statements to Theo, and only did so to encourage a source code audit of the OpenBSD Project based upon the expiry of my NDA with the FBI. Being in any limelight is not my bag at all. If I had this to do over again, I would have sent an anonymous postcard to WikiLeaks."

It'll take time to go through all the code but de Raadt said "two bugs in our cryptographic code" have already been found. "We are assessing the impact. We are also assessing the 'archeological' aspects of this," he added.

---------------
Most of it is direct quotes from my stories. Ms Linton has linked to the mailing lists from which much less material is used. You would think that in the interests of fairness and ethics, one would link to my stories as well.

re: citing

Posted by Susan Linton

Dear Mr. Varghese,

You're right and I apologize. It was an unprofessional oversight that I have corrected now. I assure you and all that I will not let it happen again.

You could have written me directly and got reparations lots faster than chiding and insulting me in public.

But again, I'm sorry for neglecting to link to some of the most important sources for my article. I wish you and yours a very Merry Christmas.

Sincerely,
Susan Linton


You insulted yourself

Posted by Sam Varghese

You indulge in unethical practices and when I point it out, you are the victim? Wow, that's rich, even from someone who writes for Linux Journal.

I merely pointed out some salient facts - that without wholesale quoting from my articles, you wouldn't have had anything to write about. Your original post had seven paragraphs and none of them shows any original work. And I am insulting you?

Get real.

easy there big fella

Posted by akane

First- you used the word "ripoff" in a way that applies either to the author or her work. That's insulting.
Nothing in her reply indicates that she's a victim. She said only that you would have got satisfaction more quickly by communicating directly rather than posting comments and insulting her. That statement may or may not be true, but it doesn't make her a "victim".

Yes, she acted wrongly. You got an apology. What more do you want?

Having received an apology, you can't even accept it gracefully but have to then insult the entire Linux Journal. Very classy.

Btw, before you get uptight about the things I've written here, keep in mind I've "merely pointed out some salient facts."

Unbelievable

Posted by Anonymous

It is unbelievable how childish you Linux people are. If you stole someone's work, have the courtesy of linking to it without playing the victim. Frakkin' do-gooder Linux wacktoids anyway, cant even keep Linux safe and secure from the frikkin' FBI. What is this, amateur hour? Shame, linux wacktoids , shame.

its about OpenBSD, not GNU/Linux

Posted by Anonymous

The piece was about issues with OpenBSD, not GNU/Linux (yes, it is GNU/Linux). There is a difference between the two. Some "frikkin" accuracy would be nice, wacktoid.

Let's count identified malware for a start

Posted by Jose_X

Raise your hands if you have a clue about what goes on behind your back when you use Windows or any other proprietary platform.

Exactly.

Oh, and Swiss Cheese is a back door. Malware left and right demonstrate how outsiders, never mind those with inside access, can overcome all the defenses of Windows without you realizing it. Malice or incompetence is but a detail.

Wake-up call for all Open Source distros

Posted by Anonymous

This should be a wake-up call for all Open Source OS distros. It means it is time to go back and start the review. OpenBSD isn't that big and the number of people involved is fairly small, so if they are able to sneak something into OpenBSD then you can bet the bigger distros with lots of contributors should be in question. This should immediately send people from all projects scrambling to figure out how far-reaching this is. Funny how if you or I were to open a back door into someone else's machine to see what they are doing we would be arrested. The government does it and it is accepted... Unbelievable!

it does not matter.....

Posted by Anonymous

It doesn't matter... if you wanted to place backdoors in Linux/BSD systems, the easiest way I could think of is to do like the Chinese did a few years ago when they DNS-spoofed all of the .gov sites and directed traffic to their servers... then have your own Ubuntu (or other distro-specific) repository set up with "updates" that have rootkits embedded in them.

it doesn't work like that.

Posted by starsilk

it doesn't work like that. distributions' software packages are *already* mirrored all over the place, onto different servers. it's perfectly safe, because every single package (and the lists of available packages) is cryptographically signed before release - your package manager checks the signature before accepting the package.

if you try to install a package with a bad signature (ie: hacked), your package manager will throw a fit and refuse to install it.

so, hacking the DNS doesn't let you hack the software. the worst you can do is prevent people getting updates for a while.

> then have your own ubuntu

Posted by Anonymous

> then have your own ubuntu (or other distro specific) repository setup with "updates" that have rootkits embedded in them.

The Ubuntu packages are signed with a distribution key. The fake updates in your scenario would soon be uncovered as such. That is not to say that perhaps thousands of users wouldn't ignore the security warning and install the "updates" anyway...
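The two comments above describe the mechanism that makes a spoofed mirror ineffective: the client pins the distribution's public key, the release listing of package digests is signed with the matching private key, and a package is installed only if the listing verifies and the package matches its listed digest. The following is an added example, not code from the page or from any real package manager; it is a simplified model of that design using Go's standard-library Ed25519 and SHA-256, with constructed package names, payloads and keys. It walks the three cases raised in the thread: an honest mirror, a rogue mirror that swaps the payload but replays the genuine listing, and a rogue mirror that re-signs its own listing with a key the client never trusted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Package is a constructed stand-in for a distribution package: the name and
// version the client asked for, and the bytes some mirror actually served.
type Package struct {
	Name    string
	Version string
	Data    []byte
}

// ReleaseSet models the signed list of available packages: one SHA-256 per
// package plus an Ed25519 signature over the canonical listing, made with
// the distribution's private key when the release was cut.
type ReleaseSet struct {
	Digests   map[string]string // "name@version" -> hex SHA-256 of Data
	Signature []byte
}

var (
	ErrBadReleaseSignature = errors.New("release listing does not verify against the pinned distribution key")
	ErrUnknownPackage      = errors.New("package is not in the signed release listing")
	ErrDigestMismatch      = errors.New("package contents do not match the signed digest")
)

func pkgKey(p Package) string { return p.Name + "@" + p.Version }

// canonical renders the listing deterministically (sorted, one entry per
// line) so that signer and verifier hash exactly the same bytes.
func canonical(d map[string]string) []byte {
	keys := make([]string, 0, len(d))
	for k := range d {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b bytes.Buffer
	for _, k := range keys {
		fmt.Fprintf(&b, "%s %s\n", k, d[k])
	}
	return b.Bytes()
}

// SignRelease is the distribution's side: done once, with the private key
// that never leaves the release infrastructure (and never reaches mirrors).
func SignRelease(priv ed25519.PrivateKey, pkgs []Package) ReleaseSet {
	rs := ReleaseSet{Digests: make(map[string]string)}
	for _, p := range pkgs {
		sum := sha256.Sum256(p.Data)
		rs.Digests[pkgKey(p)] = hex.EncodeToString(sum[:])
	}
	rs.Signature = ed25519.Sign(priv, canonical(rs.Digests))
	return rs
}

// VerifyPackage is the client's side. Because the public key is pinned
// (shipped with the installer), where the bytes came from (DNS answer, mirror
// choice) does not matter: either the listing carries a valid signature and
// the package matches its digest, or the install is refused.
func VerifyPackage(pinned ed25519.PublicKey, rs ReleaseSet, p Package) error {
	if !ed25519.Verify(pinned, canonical(rs.Digests), rs.Signature) {
		return ErrBadReleaseSignature
	}
	want, ok := rs.Digests[pkgKey(p)]
	if !ok {
		return ErrUnknownPackage
	}
	sum := sha256.Sum256(p.Data)
	if hex.EncodeToString(sum[:]) != want {
		return ErrDigestMismatch
	}
	return nil
}

// Scenario runs the three cases from the discussion. Keys and payloads are
// constructed here purely for the demonstration.
func Scenario() (genuineErr, tamperedErr, forgedErr error) {
	distPub, distPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := Package{Name: "example-pkg", Version: "1.0-1", Data: []byte("constructed genuine payload")}
	rs := SignRelease(distPriv, []Package{genuine})

	// 1. Honest mirror: genuine listing, genuine bytes.
	genuineErr = VerifyPackage(distPub, rs, genuine)

	// 2. Rogue mirror replays the genuine signed listing but swaps the payload.
	tampered := genuine
	tampered.Data = []byte("constructed payload with extra contents")
	tamperedErr = VerifyPackage(distPub, rs, tampered)

	// 3. Rogue mirror re-signs a listing for the swapped payload with its own key.
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	forged := SignRelease(roguePriv, []Package{tampered})
	forgedErr = VerifyPackage(distPub, forged, tampered)
	return genuineErr, tamperedErr, forgedErr
}

func main() {
	g, t, f := Scenario()
	fmt.Println("honest mirror:     ", g)
	fmt.Println("swapped payload:   ", t)
	fmt.Println("re-signed listing: ", f)
}
```

The point the second comment makes still holds: the check only protects users whose package manager refuses on error rather than prompting them to continue, so a client that turns `ErrBadReleaseSignature` into a warning the user can click through gives up most of the benefit.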

... This affirms that Closed Source Has Backdoors ...

Posted by Anonymous

Is this why India, China and the United Arab Emirates are so desperate to force RIM to expose their servers' secure communications, and are not putting the same pressure on Microsoft and Mac etc.? Have they already exposed those servers to their surveillance so they don't have to pressure them?

>>> quoting >>>
"What this tells me that if the FBI is paying someone to put backdoors in open source, then they are most certainly paying someone to put backdoors in closed source. The only difference is that it will be much harder to find the back doors in closed source."

Open Source vs Closed Source

Posted by Anonymous

A lot of commenters are saying that it is better that it is open so that it can be reviewed, but this has been there for 10 years! It doesn't matter if it is open so it can be audited if it is not being audited!

Much harder to find the back doors in closed source?

It has been *10 years*!

Right

Posted by GregH

Which, if well founded (and that in itself is a big if) would indicate the OpenBSD project is not doing enough peer review. It's *still* not a bad thing for Open Source. It would just mean OpenBSD was poorly managed. But, like I say, nothing here has been conclusively confirmed in either direction yet.

"What this tells me that if

Posted by Anonymous

"What this tells me that if the FBI is paying someone to put backdoors in open source..." No one has established that this has in fact happened or is even likely to have happened in the OpenBSD IPSEC case.

"Which is a good thing... I'm using Arch Linux and the security model there is ... nonexistent, as far as I can understand." Not sure what aspect of security you're referring to here. It does seem as though the protection of the security repository is looser than that of, say Gentoo; see http://en.wikipedia.org/wiki/Arch_Linux#Repository_security.

Statements like "The wide sweeping effects of any deliberate security holes found in OpenBSD could very well be less trust and more review within Open Source projects across the board" are Fox-Newsian "concern-trolling." I'm all for more review and care in Open Source projects, but there is no cause for panic. Witness the recent quick discovery and amelioration of an exploit laid into the source code of proftpd by someone who had exploited an unpatched vulnerability in proftpd itself on the distribution server for proftpd. The hack was found and corrected after only four days and the vulnerability that allowed the intrusion in the first place was corrected.

be careful

Posted by korbé

Today, what do we have?

- An e-mail that says "I have put backdoors in" with many inconsistencies in the dates and the people involved. Jason, cited in the mail, didn't touch algorithms in IPSEC, and 10 years ago, when Jason joined NETSEC, Gregory Perry had already been "evicted" from this company.
- Two bugs found, but we don't know whether they're security holes or not, intentional or not, or when they were created....

OK, for now, there is no evidence of these backdoors.

Please, read this mail of Theo: http://marc.info/?l=openbsd-tech&m=129296046123471&w=2

Far reaching implications?

Posted by GregH

Why would "the scope of the allegations have far reaching implications for OpenBSD and Open Source in general"?

Firstly, the very fact OpenBSD *is* open source and can be reviewed should bring comfort to IT professionals. How many closed-source products have FBI-requested back doors? And you will *never* know about them.

Secondly, how on earth would these allegations against a few OpenBSD developers have any implications for other open source projects?

To my mind this is a classic example of why open source products are good, not why they are bad.

A model for open source

Posted by Anonymous

I'm an OpenBSD and Linux user myself. I distrust the backdoor allegations as being entirely accurate 10 years later but I think that in spite of this, it's only going to help the OpenBSD project and open source projects in general further down the road. There has to be more scrutiny in commits. This just goes to show that even the most heavily audited projects can't be too careful.

This affirms that Closed Source Has Backdoors

Posted by Anonymous

What this tells me that if the FBI is paying someone to put backdoors in open source, then they are most certainly paying someone to put backdoors in closed source. The only difference is that it will be much harder to find the back doors in closed source.

"The wide sweeping effects of

Posted by Anonymous

"The wide sweeping effects of any deliberate security holes found in OpenBSD could very well be less trust and more review within Open Source projects across the board."

Which is a good thing... I'm using Arch Linux and the security model there is ... nonexistent, as far as I can understand.

You don't like it? Ask for a

Posted by Anonymous

You don't like it? Ask for a refund.

Arch is bare-bones. A kernel, a package manager, a lot of good documentation, and not much else. No custom menus, desktop environment, nothing. The code they provide you (which isn't much) is their responsibility. The rest is yours. If you want someone to hold your hand and pick your software for you, go to Ubuntu.

I think he's referring to the

Posted by Anonymous

I think he's referring to the lack of integrity checking in the package manager.
