Allegations that the FBI paid open-source developers to install back-door access in the open cryptographic framework used in OpenBSD have emerged, with a former developer claiming he was among a team responsible for the covert modifications. Coder Gregory Perry claims that his non-disclosure agreement (NDA) with the FBI “has recently expired” and, in an email to OpenBSD project chief Theo de Raadt, names developers he says submitted security-compromised code. Perry also suggests that OpenBSD’s DARPA funding was cut back in 2003 after the organization “caught wind of the fact that these backdoors were present.”
“My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI.” Gregory Perry, CEO of GoVirtual Education
The backdoor access, Perry alleges, is the primary reason why the FBI, and those he suggests are on the bureau’s payroll, advocate adoption of OpenBSD for VPN and firewalling in virtualized environments.
For his part, de Raadt refuses “to become part of such a conspiracy” and claims he will not be investigating Perry’s allegations. Instead, he suggests anybody using the code should handle their own security audit: “large parts of the code are now found in many other projects/products” Perry says, “so it is unclear what the true impact of these allegations are.”