Update: OpenBSD Backdoor Seems Unlikely

Last week we reported on accusations that FBI contractors had planted backdoors in the open source operating system OpenBSD. OpenBSD developers have been auditing code since the accusations surfaced last Tuesday. Some bugs have been found and patched, but no evidence of backdoors has been discovered. OpenBSD founder Theo de Raadt believes that if said backdoors were ever authored, they never made it into OpenBSD.

Gregory Perry, a former employee of the now defunct security firm NETSEC, sent de Raadt an e-mail last week accusing Jason Wright of planting backdoors in OpenBSD on behalf of the FBI. Wright has firmly denied the charge.

de Raadt sent a lengthy e-mail to the OpenBSD mailing list this week summarizing his thoughts on the ordeal. He notes that Wright mostly worked on device drivers and praises Wright’s work in that area.

While auditing OpenBSD code, Marsh Ray discovered one serious bug that was fixed in 2002 without disclosure. However, as Ray wrote on his blog, this bug does not “meet the criteria for a malicious backdoor.” The bug was found in code created by Angelos Keromytis, a major contributor to OpenBSD who never worked at NETSEC.

Ray suggests that the bug was the result of rushed coding due to restrictive U.S. policy at the time:

At the time, the US government was pursuing a policy of restricting “export” of crypto by classifying it as a “munition”. Aside from the question of whether or not this was a sensible policy, it certainly made the software development process more colorful. The bulk of the IPsec and OCF source code was checked-in with notes such as “This software was developed in Greece” in order to avoid the permanent stain of US development. OpenBSD developers are regularly emigrating to Canada for a weekend or a week in order to compress as much untainted development as possible into round-the-clock coding sessions called “hackathons”.

Because of the need to document the non-US origin of this code, the code produced from the hackathons needed to be committed to the OpenBSD source control system (CVS) before the developers returned to the US, whether it was fully-baked or not. As OpenBSD consistently adhered to a calendar-based release schedule (every six months), this effectively set the clock ticking to get it in release shape.

“Any credence which might have been given to Perry’s claims as a result of this bug should be reverted to zero (or less),” Ray wrote. However, he also notes that “OpenBSD did not live up to their stated principle of full disclosure. They should have issued an advisory for this.”

The code audit improved the overall security of OpenBSD and proved that it is indeed one of the most secure operating systems available.
