By Mathew J. Schwartz, InformationWeek
Special to Dark Reading
Dec 22, 2010

The OpenBSD project has found two bugs in how OpenBSD, a Unix-like open
source operating system, implements Internet Protocol Security (IPsec).
The bugs are of interest given the recent allegation made by Gregory
Perry, former CTO of now-defunct Federal Bureau of Investigation
contractor Network Security Technology (NetSec), that the FBI created a
backdoor in the OpenBSD code base, specifically in how it implements
IPsec. He also alleged that multiple developers involved in contributing
code to OpenBSD were on the payroll of NetSec, and that the FBI had
hired it to create the backdoors.

Are the bugs a smoking gun? According to Theo de Raadt, the founder and
leader of the OpenBSD project, one IPsec bug in OpenBSD relates to a
"CBC oracle problem," and was fixed in the software crypto stack by
Angelos Keromytis, the architect and primary developer for its IPsec,
but ignored in device drivers, overseen by device driver author Jason
Wright. Interestingly, both men had worked for NetSec, at different

"Neither Jason nor Angelos were working for NetSec at that time, so I
think this was just an accident," said de Raadt. "Pretty serious