Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] FBI Backdoor in BSD's network stack?

Pranesh Prakash pranesh at cis-india.org
Wed Dec 15 09:47:09 PST 2010


There are reports of supposed "backdoors and side channel key leaking
mechanisms" paid for by the FBI ten years ago in BSD's implementation of
IPSec "for the express purpose of monitoring the site to site VPN
encryption system implemented by EOUSA, the parent organization to the FBI."

So far code audit hasn't turned up anything.  And many believe this to
be a false claim.

Original announcement on the OpenBSD-Tech list by Theo de Raadt:
http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

[snip]
> I have received a mail regarding the early development of the OpenBSD
> IPSEC stack.  It is alleged that some ex-developers (and the company
> they worked for) accepted US government money to put backdoors into
> our network stack, in particular the IPSEC stack.  Around 2000-2001.
> 
> Since we had the first IPSEC stack available for free, large parts of
> the code are now found in many other projects/products.  Over 10
> years, the IPSEC code has gone through many changes and fixes, so it
> is unclear what the true impact of these allegations are.
> 
> The mail came in privately from a person I have not talked to for
> nearly 10 years.  I refuse to become part of such a conspiracy, and
> will not be talking to Gregory Perry about this.  Therefore I am
> making it public so that
>     (a) those who use the code can audit it for these problems,
>     (b) those that are angry at the story can take other actions,
>     (c) if it is not true, those who are being accused can defend themselves.
> 
> Of course I don't like it when my private mail is forwarded.  However
> the "little ethic" of a private mail being forwarded is much smaller
> than the "big ethic" of government paying companies to pay open source
> developers (a member of a community-of-friends) to insert
> privacy-invading holes in software.
[/snip]

Discussions:
http://marc.info/?t=129236639300001&r=1&w=2
http://bsd.slashdot.org/comments.pl?sid=1910704
http://news.ycombinator.com/item?id=2006128

A useful comment about the code audit under way:
http://bsd.slashdot.org/comments.pl?sid=1910704&cid=34559172


-- 
Pranesh Prakash
Programme Manager
Centre for Internet and Society
W: http://cis-india.org | T: +91 80 40926283

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20101215/b27563b5/attachment.asc>


More information about the liberationtech mailing list