Allegations that the FBI was behind the creation of a 'back-door' into OpenBSD are creating a storm in the hacker community.
The claims surfaced after Theo de Raadt, founder of OpenBSD, forwarded an email to an Open BSD mailing list. The email was from Gregory Perry, currently at a virtualisation training company, but who claimed to have been a security consultant for the FBI.
In his mail to de Raadt, he goes on to say that, under FBI instructions, security holes were included within OpenBSD – which is widely used in many different guises these days, but particularly in security environments. The FBI has not commented.
He writes: "I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI."
The problem with assessing such claims is that Perry is describing events more than a decade ago and the OpenBSD code has gone through many iterations since then. Going back to check for backdoors will be a time-consuming task.
Perry did not stop there however. He then went on to make another claim; that virtualisation author Scott Lowe was also employed by the FBI and has been keen to promote the use of OpenBSD.
He also recently published several tutorials for the use of OpenBSD VMs in enterprise VMware vSphere deployments, wrote Perry. This has been vehemently denied by Lowe in his own blog and he pointed out that there is another tech author called Scott Lowe. This Lowe, who works for a college in Missouri, is keeping his own counsel for the moment.
Glyn Moody's Open Enterprise Blog: Can Open Source Be Trusted?