OpenBSD project chief Theo de Raadt has said that he accepts contracting firm NETSEC “was probably contracted to write backdoors” into the open-source platform, but believes none of the exploit code made it into the eventual tree. The comments come as early investigations are made into OpenBSD code following allegations by an ex-NETSEC programmer that the FBI paid to have backdoor access installed into the OS.
One of the coders named in the original allegations has since denied any involvement in working on covert exploits – which, it was suggested, were inserted to allow the FBI to monitor VPN traffic in systems running OpenBSD – though de Raadt does piece together a timeline which could at least partially involve his code. That involves a subsequent coder, Angelos Keromytis, putting together a crypto layer using government-backed security policies, later removed; de Raadt has said that he does “not believe that either of two problems, or other problems not yet spotted, are a result of clear malice.”
While the code audit is underway, it has yet to gather any sort of directional momentum; instead, de Raadt is advocating that each coder look at different sections of the tree and work to flush out any bugs or inaccuracies they discover along the way. “We’ve proven that if we start nibbling at a source tree looking for small bugs or unclear things which need improvement,” he suggests, “the results always eventually pay off.”