Some serious allegations were raised yesterday when Theo de Raadt, founder and leader of the OpenBSD and OpenSSH projects, made public a private e-mail he received from Gregory Perry, former CTO of NETSEC and current CEO of GoVirtual Education.
According to Perry – who arranged funding and donations for the OpenBSD Crypto Framework – the FBI “implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI.”
In short, he is saying that ten years ago, the US Government paid some developers working on the OpenBSD IPSEC stack to put backdoors in it. He names one developer – Jason Wright – and advises de Raadt to review the code Wright and other developers originating from NETSEC have contributed to the project.
He also speculates that this is the reason the project lost DARPA funding, and claims that it is why “several inside FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments.”
Not wishing to “become part of such a conspiracy” – and considering the fact that the first IPSEC stack was offered for free and that part of its code has consequently been implemented in a variety of other projects and products – de Raadt chose to make Perry’s e-mail and his allegations public.
This way, “those who use the code can audit it for these problems, those that are angry at the story can take other actions, and if it is not true, those who are being accused can defend themselves.”