Updates on the OpenBSD IPsec Gossip

2010-12-15 15:22:57 by jdixon

As expected, news of a possible ten-year-old collusion to introduce backdoors into the OpenBSD IPsec stack has spread like wildfire. ArsTechnica, The Register, CNET, and Forbes are among a long list of mainstream news outlets to chime in on these allegations.

Dag-Erling Smørgrav adds one point to my original commentary: the act of introducing backdoor code into OpenBSD on behalf of the FBI would not fall under a "recently expired NDA", as Greg Perry claims. I think Dag is probably correct here. Even if Greg's claims are eventually proven true, something like this would more likely fall under a TOP SECRET (or even as high as TS/SCI) classification, which is typically declassified only after a 25-year period. Releasing this information prematurely would land Greg in a steaming lake of hot water.

At least two of the named parties have already stepped forward to refute Greg's story. Scott Lowe posted to the openbsd-tech mailing list, stating that he does not have, and never has had, any affiliation or employment with the FBI or the OpenBSD project. Jason Wright followed up a short while later, demanding an apology from Greg Perry and detailing which parts of the code base he worked on during the affected period.

"I will point out that Greg did not even work at NETSEC while the OCF development was going on. Before January of 2000 Greg had left NETSEC. The timeline for my involvement with IPSec can be clearly demonstrated by looking at the revision history of:
    src/sys/dev/pci/hifn7751.c (Dec 15, 1999)
    src/sys/crypto/cryptosoft.c (March 2000)
The real work on OCF did not begin in earnest until February 2000."

I'm personally relieved to see the accused parties step up and assert their innocence. Unfortunately, the story won't end here. The mere possibility of impropriety by these developers or the FBI means the OpenBSD project will have to work long and hard to regain its tarnished reputation. A thorough code audit is the only sure-fire way (and even then, is not guaranteed) to clear these charges.

If you'd like to help with the audit, please consider matching Dag-Erling Smørgrav's triple bounty, or better yet, donating directly to the OpenBSD project.

Comments

at 2010-12-17 00:27:06, Richard Johnson wrote in to say...

Enh, there's no tarnishment of OpenBSD's reputation from this. Actually, it's the opposite. So, nothing to recover.

Still, it'll be interesting to see if any useful bug fixes come out of enhanced scrutiny.
