Linked by Thom Holwerda on Tue 14th Dec 2010 23:55 UTC, submitted by Oliver
OpenBSD Okay, this is potentially very big news that really needs all the exposure it can get. OpenBSD's Theo de Raadt has received an email in which it was revealed to him that ten years ago, the FBI paid several open source developers to implement hidden backdoors in OpenBSD's IPSEC stack. De Raadt decided to publish the email for all to see, so that the code in question can be reviewed. Insane stuff.
Thread beginning with comment 453587
Member since:

It's real bad when a United States government agency can secretly bribe developers of an OS whose developers seemed to take pride in the fact that their code didn't have certain restrictions (i.e., regarding cryptography) that it would be forced to contain if it was released in the US. So much for the "it came from Canada, the US can't touch it" claim--apparently it's just a completely false sense of security.

It's not just sad, but disturbing that this happened--to OpenBSD, of all the OSes. And even more so that this was planted in the OS ten f***ing years ago. Come on, really, the *other* developers never noticed this until an e-mail was sent to Theo just now? Now, I'm not slamming open source, so don't take it that way--but isn't open code supposed to prevent this kind of stuff? And such a security- and code-correctness-focused OS like OpenBSD didn't catch it?

This is extremely disturbing. I'm a US citizen, and let me be the first to say f*** you Government. And all ten of the OpenBSD developers that decided to take the bribe money and secretly give the government extra power in a security-focused (or hell, ANY) OS.

And who knows what other OSes are affected, as the link says--considering it's open source and possibly shared with other operating systems. Or *if* they are really affected--hopefully it's just a bunch of bullshit.

Edited 2010-12-15 00:21 UTC

Reply Score: 2

sertsa Member since:

EASY there, nothing is known. Let the code auditing begin.

Edited 2010-12-15 00:27 UTC

Reply Parent Score: 15

_txf_ Member since:

True that is scary.

But the other side of the coin is the NSA developing SELinux.

Reply Parent Score: 3

broken_symlink Member since:

And who's to say there aren't any backdoors in that?

Reply Parent Score: 3

phreck Member since:

isn't open code supposed to prevent this kind of stuff?

The good thing: Even if it is vulnerable now, everybody who is competent has the freedom to review and patch the code, or to pay someone competent she/he trusts enough.

With closed sources, you neither ever know whether there are backdoors (except with reverse engineering, which is a criminal act in some jurisdictions; gladly not in Germany), nor are you able to patch it (except for cracking, not legal everywhere, too).

Edited 2010-12-15 08:48 UTC

Reply Parent Score: 1

dsmogor Member since:

The problem is that if this story is true, it has pretty much voided these assumptions.
Esp. OpenBSD is not just some random hack but a project run by a dedicated, respectable team around the cult of security.
The OSS image ramifications could potentially be disastrous.

Reply Parent Score: 2

jabbotts Member since:

Uz.. did your FOIA request come back with documented evidence of the backdoor already? Perhaps you have completed a code audit and can point to where in the OpenBSD source tree the vuln has been created?

Maybe we should treat this as rumor until something more substantial than an email from some random persons supports it?

Reply Parent Score: 2

Soulbender Member since:

It's even more sad that there are people who believe this nonsense.

Reply Parent Score: 2