Wednesday, December 15, 2010

I love a good conspiracy theory

Ok...so here's a good one.

It seems that slightly over 10 years ago, the FBI may have arranged for some "backdoor" code to facilitate eavesdropping on VPNs (Virtual Private Networks -- things that people use as secure communication lines between computers to prevent eavesdropping) in the OpenBSD operating system, specifically in the implementation of IPSEC. That's right. The FBI apparently wants to be able to eavesdrop on secure communications. And they're willing to sneak the code to do it into widely-used software (think something like Windows).

The allegations come from what ought to be a fairly reliable source: Gregory Perry, the former CTO of NETSEC, a company responsible for some of the OpenBSD development. You would think that such an individual would not make claims like this frivolously. And what makes the situation even more interesting is that the "open" in "OpenBSD" is for open source: the source code (i.e. the computer programs that make up the operating system) is available for scrutiny by essentially anyone in the world. This means that (1) it's in use by a number of organizations because it's free (so there may be a lot of vulnerabilities out there) and (2) lots of folks can be pawing through this code to see if the alleged backdoor code does, indeed, exist.

It is hard to imagine that a backdoor would not have been noticed long before now, given that the code has been freely available for 10 years. This calls into question the validity of the allegations. It is possible, however, that the backdoor was, indeed, discovered some time back, and the offending code removed from earlier versions, attributed to coding errors rather than FBI interference. All of this will be fleshed out as people look through the current version of OpenBSD as well as earlier versions and other operating systems that evolved from OpenBSD.

It is tempting to chalk this up to the Bush-era penchant for secret eavesdropping (aka warrantless wiretaps), but if it turns out to be true, I'm afraid we'll have to lay this one to the credit of another backdoor bad boy. Yes, I'm talking about Bill "Clipper Chip" Clinton.

A good summary of the story is to be found here.

The original email and the announcement to the OpenBSD community can be found here.

And further information provided by Gregory Perry can be found here.

It will be very interesting to see whether Perry's allegations are confirmed over the coming weeks. I don't think it will take long, if they are true.

Edited to add: Declan McCullagh has some good context information here.

Edited to add (12/22): A report indicating that the head of OpenBSD acknowledges that Netsec may have been paid to create backdoors, but believes that these were never actually released (except possibly in Netsec variants).

Edited to add (12/23): Another report with what I believe is a misleading title and text, but with some interesting technical details at the end.
