Deconstructing the OpenBSD IPsec Rumors

2010-12-14 21:58:01 by jdixon

Theo de Raadt posted an email to the openbsd-tech mailing list Tuesday evening which contained details of alleged backdoors added to the OpenBSD IPsec code by government contractors some ten years ago. Subsequent posts from Bob Beck and Damien Miller add further commentary, but neither confirms nor denies the allegations. Damien goes so far as to propose a number of possible avenues as the most likely places to begin a new audit.

One of the purported conspirators is Jason Wright, a cryptology expert at the Idaho National Laboratory, who committed a significant amount of crypto and sparc64 code to the OpenBSD project. Although I haven't seen Jason in years, I consider "Wookie" a good friend and hope these accusations are false. If Damien's hypothesis is correct, it seems highly unlikely that Jason (or any US developers) introduced backdoors directly into the crypto code. A more likely scenario would be the malicious reuse of mbufs in the network stack.

As Brian T. Merritt suggests, it seems even more likely that Linux would be similarly "exploited". Lest we forget, while these claims against OpenBSD revolve around FBI involvement, Linux has had significant portions of its security code infiltrated by the NSA. Between these two code bases you're talking about an enormous portion of the networking infrastructure that powers the Internet.

As a former OpenBSD committer, this saddens me. Not just because of the possibility that this might be true, but that regardless of whether or not this could be true, it means that developer and community resources will be swallowed into the rumor vacuum for untold weeks and possibly months. This results in less innovation, fewer bugfixes, and worst of all, a growing distrust among everyone involved.

This story has all the characteristics of being newsworthy for a long while. It has already made major headlines across Twitter, Slashdot, Reddit and OSNews. Most articles and tweets imply that the claims are fact, without any investigation of the source claim or the actual code in question. I hope that all parties involved are cleared of any wrongdoing. Either way, the cat is out of the proverbial bag. These claims will undermine a significant portion of goodwill and trust among all Free Software / Open Source projects. In the end, nobody wins.

Comments

at 2010-12-15 06:45:53, Marc Espie wrote in to say...

I fail to see this as such a bad thing. It won't be the first time we will be auditing code. Heck, it's what we do most of the time. Even old code. That's where the bugs lie (I fixed an important 10-year-old race condition in ldconfig three days ago).

As far as Jason's involvement goes, no comment. We don't have any proof. A little audit and a bit more security, that's all that matters.

at 2010-12-15 08:18:18, Franc wrote in to say...

Hi,

Just wondering how many people are able to judge this. I know I can't. I can read most code but lack the math to judge encryption etc.

at 2010-12-15 12:47:43, Ex Netsecer wrote in to say...

I know Jason myself, but I call him 'code-wookie'. :) I can't claim whether Greg's allegations are true or false, however I can claim that most "1st generation" folks at NetSec get carpet bombed with legal threats from Mr. Perry on what seems to be a regular 4-5 year cycle. This has happened like clockwork since his fabulously dramatic resignation from the company. Needless to say I usually take anything he says with double fistfuls of salt.
