OpenBSD is thought of by many security professionals as the most secure UNIX-like operating system, and the project itself even claims “to be NUMBER ONE in the industry for security (if we are not already there)” on its website.
But it is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into the OpenBSD IPsec network stack around 2000-2001. If this turns out to be true, and if the early IPsec code base that was later reused in other operating systems is affected, a new wave of attacks will hit our networks in the near future. But it would also confirm something many of us have long believed was there without being able to prove it so far: that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI.
[STORY UPDATE #1]
The answer is NO, according to Theo de Raadt’s own conclusion:
“Well, the allegations came without any facts pointing at specific code.”
Full conclusion available here: http://article.gmane.org/gmane.os.openbsd.tech/22727
[STORY UPDATE #2]
The Stuxnet connection
A little more on OpenBSD’s IPsec.
Theo confirms that Gregory Perry did work at NETSEC and that Jason Wright and Angelos Keromytis were funded by NETSEC as well. Theo says he wasn’t aware at the time that NETSEC was involved in backdoor or wiretapping projects.
Mickey, an OpenBSD developer from that time period, has published a rambling memoir entitled “how I stopped worrying and loved the backdoor” (a reference to the film Dr. Strangelove) in which he confirms that both Jason and Angelos were funded by NETSEC. He also makes the point that this served to fund OpenBSD and Theo indirectly as well. Many of his claims are verifiable by looking at the OpenBSD CVS commit history, and honestly, I’d noticed some of it myself and thought it was odd. He describes encounters with agents of various TLAs.
Probably the most straightforward interpretation of Mickey’s story simply confirms what we already knew: funny stuff was going on in the source tree at that time, and people crossing international borders sometimes receive some heavy arm-twisting from the US government, even if they are American citizens such as Jacob Appelbaum and Moxie Marlinspike. It’s not hard to imagine that pressure being applied to someone seeking to continue working or studying in the US.
I was planning to let this particular dog lie (well, at least until I had a working exploit :-), but suddenly a New York Times article drops a clue which adds another unbelievable twist to the plot. They report that it was a joint US-Israeli hacking effort which developed the Stuxnet attack on Iran’s uranium enrichment centrifuges. (For all the hyperbole surrounding Stuxnet, everyone agrees it is the most effective and sophisticated targeted attack on a nation’s specific industrial process.) For its part, it was the US’s Idaho National Laboratory which provided significant background research into the security properties of Siemens industrial control “SCADA” systems like the ones which run Iran’s centrifuges. The INL slide deck really says it all, with diagrams and photos of US government security researchers testing out attack models against racks of Siemens gear of the same sort used in Iran.
But I’d remembered seeing Idaho National Laboratory once before – in Jason Wright’s CV. He’d written a paper for the U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program entitled “Recommended Practice for Securing Control System Modems”. This was in January 2008, about the time the Stuxnet project is believed to have gotten going. In 2009, he published “Time Synchronization in Hierarchical TESLA Wireless Sensor Networks” (pdf) at a conference on Resilient Control Systems.
His speaker bio for SecTor, a data security conference in Canada, describes him as:
Jason Wright is a cyber security researcher at the Idaho National Laboratory working with SCADA and Process Control system vendors to secure critical infrastructure assets. He is also a semi-retired OpenBSD developer (also known as a “slacker”) responsible for many device drivers and layer 2 pieces of kernel code.
So we know Jason Wright was hacking on OpenBSD IPsec crypto code at the time the backdoor was alleged to have been added, and that he was pentesting Siemens SCADA systems at the time Stuxnet was being constructed and at the very same national nuclear research lab identified by the New York Times.
This guy sure seems to have a talent for coincidences.