reported on accusations that FBI contractors had planted backdoors in the open source operating system OpenBSD. OpenBSD developers have been auditing code since the accusations surfaced last Tuesday. Some bugs have been found and patched, but no evidence of backdoors has been discovered. OpenBSD founder Theo de Raadt believes believes that if said backdoors were ever authored they never made it into OpenBSD.Last week we
Gregory Perry, a former employee of the now defunct security firm NETSEC, sent de Raadt an e-mail last week accusing Jason Wright of planting backdoors in OpenBSD on behalf of the FBI. Wright has firmly denied the charge.
de Raadt sent a lengthy e-mail to the OpenBSD mailing list this week summarizing his thoughts on the ordeal. He notes that Wright mostly worked on device drivers and praised Wright's work in that area.
While auditing OpenBSD code, Marsh Ray discovered one serious bug that was fixed in 2002 without disclosure. However, as Ray wrote on his blog, this bug does not "meet the criteria for a malicious backdoor." The bug was found in code created by Angelos Keromytis, a major contributor to OpenBSD who never worked at NETSEC.
Ray suggests that the bug was the result of rushed coding due to restrictive U.S. policy at the time:
At the time, the US government was pursuing a policy of restricting "export" of crypto by classifying it as a "munition". Aside from the question of whether or not this was a sensible policy, it certainly made the software development process more colorful. The bulk of the IPsec and OCF source code was checked-in with notes such as "This software was developed in Greece" in order to avoid the permanent stain of US development. OpenBSD developers are regularly emigrating to Canada for a weekend or a week in order to compress as much untained development as possible into round-the-clock coding sessions called "hackathons".
Because of the need to document the non-US origin of this code, the code produced from the hackathons needed be committed to the OpenBSD source control system (CVS) before the developers returned to the US, whether it was fully-baked or not. As OpenBSD consistently adhered to a calendar-based release schedule (every six months), this effectively set the clock ticking to get it in release shape.
"Any credence which might have been given to Perry's claims as a result of this bug should be reverted to zero (or less)," Ray wrote. However, he also notes that "OpenBSD did not live up to their stated principle of full disclosure. They should have issued an advisory for this."
The code audit improved the overall security of OpenBSD and proved that it is indeed one of the most secure operating systems available.