Dec 15, 2010 17:42 GMT

As unlikely as it might sound, the FBI is being accused of paying open source developers to implement a backdoor in the OpenBSD Cryptographic Framework (OCF), when it was being developed ten years ago.

The allegation was made recently in an email to OpenBSD founder Theo de Raadt by Gregory Perry, who used to work as Chief Technology Officer at NETSEC, a former FBI and NSA contractor which at that time donated equipment and engineers to the OpenBSD project.

"My NDA [non-disclosure] agreement with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI," wrote Perry, who is now the CEO of a company called GoVirtual Education.

"Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC," he warned.

Perry went on to say that the backdoors are probably the reason why the Defense Advanced Research Projects Agency (DARPA) mysteriously stopped funding OpenBSD in 2003.

He also claims that virtualization expert and recent OpenBSD advocate Scott Lowe is on the FBI's payroll, something Lowe denies in a post on his blog.

While the backdoor rumor has taken the information security community by storm, many people doubt that Perry's claims are true.

"Gregory Perry's credibility seems to get worse the further I dig, I am calling this a troll and moving on," commented renowned security researcher HD Moore, who is also the chief architect of the Metasploit penetration testing framework.

"I was one of the few FBI cyber agents when the coding supposedly happened. Experiment yes. Success No," wrote E.J. Hilbert, a former FBI special agent, on Twitter.

He later clarified that the "OpenBSD backdoor 'experiment' [was] for internal pre-use review not public deploy" and pointed out that an FBI NDA lasts 70 years, not the 10 that Perry claimed.

Theo de Raadt said that he would not take part in this conspiracy theory and made Perry's email public so that people can audit the code and determine whether the allegations are true.