By now you’ve probably heard of the allegations Theo forwarded to the OpenBSD-tech mailing list about the FBI introducing back doors in early versions of the OpenBSD IPSec code. I’d like to offer my opinion, in the spirit of the Christmas season:
It’s possible, but unlikely. Like me winning the lottery is unlikely. I’d need to buy a ticket, and that isn’t going to happen any time soon.
The OpenBSD group examines every line of code that goes into their tree. Any obvious back door would be caught. Any subtle back door would be fragile — so subtle that it probably wouldn’t survive the intervening ten years of code churn and IPSec improvements. Maybe someone has an appliance based on, say, OpenBSD 2.8 or 3.2, which could have contained the back door. If true, we need to know about it. But those users need to upgrade anyway.
And the FBI? Nope, don’t believe it. Ten years ago, the FBI was having lots of trouble understanding the Internet. The NSA, maybe.
Bugs? Sure, there’s probably bugs. I expect we’ll find some, now that many eyes have turned to the code. Exploitable bugs? Maybe. But that’s not the same as a back door.
OpenBSD has claimed to be the best for many years. That claim motivates people to take them down. The claims have hopefully inspired many people to examine the current and historical IPSec stack. Theo and company have done nothing to discourage such audits: they’ve even offered pointers on where to look. If you’re a programmer looking to make a splash, you could do worse than to join in on auditing the code. Finding the alleged back door would make your reputation. And we can always use more IPSec hackers.
The real impact might be, as Jason Dixon points out, the cost in OpenBSD developer time. You know that some of their committers are examining the IPSec code today, trying to find potential back doors.Stalk me on social media