That is what is being charged by the lead developer in the OpenBSD project, long known for its lagging behind the FreeBSD distribution, but also known for its sturdiness and security.
In the world of BSD distributions, OpenBSD is known as being rock solid, and without equal in security.
This accusation, by Theo de Raadt, is going to bring a huge amount of scrutiny on the distribution, and upon the practices observed in the development process.
The story in PCWorld has the links to the e-mail sent by one of the developers to de Raadt, that openly admits the link to the FBI and a few reasons why suspicion should be the watchword of the day.
The lead developer has made the e-mail public in hopes of finding the answers to the questions posed by it – whether there are in fact backdoors that can be used by the FBI, and why they were put there in the first place.
The allegations were made public Tuesday by Theo de Raadt, the lead developer in the OpenBSD project. DeRaadt posted an e-mail sent by the former contractor, Gregory Perry, so that the matter could be publicly scrutinized.
“The mail came in privately from a person I have not talked to for nearly 10 years,” he wrote in his a posting to an OpenBSD discussion list. “I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public.”
The original e-mail states that the reason for the news, should you wonder, is because a non-disclosure agreement he had with the FBI had now expired, and so an apparent attack of conscience had hit, making the revelations necessary.
Perry certainly has the pedigree necessary to make the entire story plausible, as he worked at companies involved with the FBI and during the time frame that the code in question, the IPSEC stack, was developed for OpenBSD. The other developments he worked on were encryption cracking methods requested by the FBI – that has always been known it seems.
The method, known as side channel attacks, allowed the FBI to recover information from the Department of Justice at various sites at home and abroad through backdoors built in. This was part of a virtual private network system.
So much for the private part.
The status of the entire matter is completely up in the air right now, with one of the people that worked with Perry stating that he never worked for the FBI, as was alleged by Perry, so that will certainly generate its own level of investigation.
The FBI was contacted by PCWorld and was unable to comment on the matter in any way.
The story certainly will now have a life of its own, because the code that is in question was also used in other operating systems. I can remember reading accusations in newsgroups long ago about the backdoors built into Windows NT, but there was no offer of proof. At least none that came through the newsgroup.
It was widely known that the IP stack for Windows NT was lifted from FreeBSD. If the FreeBSD stack was based completely on, or perhaps the entire same product as, the OpenBSD implementation, that would confirm the knowledge of some of this long ago.
If the stack is as widely used, in untouched form, as many believe, it will certainly change many things, among them the ultimate credibility of the OpenBSD distribution and its developers.
It also calls into question the code review process of OpenBSD, as well as much of open source in total, as the idea is to get as many eyes on the source as possible, to eliminate bugs in the code, but also so that things like this would never be possible. There would be too many mouths having seen the code to shut them all.