Following the allegation that the FBI surreptitiously planted a backdoor in the IPSEC stack of OpenBSD (some ten years ago), followers of the controversy have generally split into two factions - those who believe the allegations and those who refute it. Very few, however, seem to be taking a neutral view of the allegations, and the true impact of a potential backdoor in IPSEC is both being over and underestimated.
The allegations are that, 10 years ago, the FBI paid a private company to discretely insert a backdoor into the IPSEC stack of OpenBSD. At the time, this stack was the only freely available IPSEC implementation available. Unsurprisingly, the stack was therefore ported to a number of other Operating Systems including Linux.
The allegations were made by Gregory Perry in an e-mail to the notorious Theo De Raadt. Mr De Raadt believes strongly in openness and so published the correspondence so that others could follow the situation and perform code audits where they believed necessary. Mr Perry asserts that an contributor named Jason Wright also helped the FBI to insert backdoors into the OpenBSD network stack.
The delay of 10 years, Mr Perry asserts, is due to a 10 year Non-Disclosure Agreement that the FBI required him to sign.
- As some have pointed out, such activity would usually be protected by a perpetual Non-Disclosure-Agreement and not a 10 year one.
- Given the open nature of the code, and the security focus of the projects, any backdoor should have been detected. Especially as the OpenBSD project is one of the few to review each and every commit made to their repository.
- Jason Wright has publicly refuted the accusation, although some of the 'evidence' he provided has been publicly discounted as irrelevant to the matter in hand.
- It's plausible that the FBI believed that their backdoor would have been detected within 10 years, and so did not feel the need for a perpetual NDA. Although plausible, it would be unusual.
- The OpenBSD project lost funding from DARPA shortly after the alleged backdoor was inserted, some argue that this may be as a result of DARPA not wanting to distribute code that they knew to be compromised.
- As I discuss in my most recent whitepaper, the US Government have ensured backdoors/trapdoors are available (in proprietary software) in the past.
As others have surmised, there are a number of other plausible explanations;
- Mr Perry could be trying to elicit publicity for himself and his business - something which he seems to have succeeded in
- Mr Perry could be spreading Fear, Uncertainty and Doubt (FUD).
The latter is especially important because proprietary vendors could benefit greatly from any allegations that Open Source Software (OSS) is not as secure as some may assume. It would not be the first time that companies such as Microsoft have employed such tactics, and such allegations often carry a concern that this may be a renewed attempt at discrediting competing operating systems.
One thing that those observing the debate need, is a good dose of level-headedness. It's very easy to get caught up in the excitement, and to develop a knee-jerk reaction. There will doubtless be those who believe the allegations and are considering abandoning FreeBSD in favour of another OS. To do so, however, would be an exercise in futility. Substantial proportions of the OpenBSD IPSEC stack have been used in other operating systems, so the problem (if one exists) could be widespread.
Conversely, given that the IPSEC stack has been updated for well over a decade, any exploit contained within may have been inadvertently disabled and pose no risk to anyone anywhere. Users concerned about the allegations would be using their time better if they were to either assist in the code audit, or to donate to the FreeBSD project to assist in the audit.
It's also worth noting that proprietary software has also suffered from allegations of backdoors in the past. Lotus Notes was released internationally with a 'trapdoor' that would allow the NSA to decrypt encrypted emails in seconds.
Those thinking of migrating to Mac OS X would be well advised to remember that the system is based on BSD and so may also have been affected.
It'll be quite some time until the controversy settles, if at all. In the meantime, we can expect to see minor bugs and faults being displayed as 'proof' of a FBI backdoor. Whilst the renewed effort the allegations have caused will only help the project in the long run, observers can expect to see months of debate over whether or not the backdoor truly exists or not.
Although the debate will probably rage for months, there's very little that the average user can do. Those with the expertise could search the relevant code for a backdoor, but everyone else will have no choice but to sit and wait for the outcome. Changing Operating Systems at this early date would surely be an exercise in jumping out of the kettle into the fire.