Every developer knows the importance of issuing security patches. Unexpected bugs that lead to software vulnerabilities are virtually unavoidable; the key is to acknowledge them when they're discovered and issue fixes before they can be widely exploited. But what do you do when you believe vulnerabilities may have been introduced into your code base intentionally?
That's the issue facing the maintainers of OpenBSD, in light of allegations made in December by a former government contractor named Gregory Perry, who claims knowledge of an FBI plan to insert back doors into the open source operating system. If they exist, the back doors would provide the FBI a means to monitor encrypted communications sent from OpenBSD systems.
[ The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. InfoWorld's expert contributors show you how to secure your Web browsers in this "Web Browser Security Deep Dive" PDF guide. ]
Theo de Raadt, lead developer of the OpenBSD project, initially responded to Perry's claims with skepticism, as did many others in the OpenBSD community. Some of those Perry mentioned by name have flatly denied his accusations. But de Raadt has since admitted that he believes there was in fact a concerted effort to introduce back doors into OpenBSD code at one time, even if no compromising code actually made it into the official code base.
What should happen next in this case is up to the OpenBSD maintainers. More important for the broader software development community are the actions de Raadt took as soon as the allegations surfaced. Few developers will ever confront a problem of this nature. But if they do, de Raadt's method presents a valuable case study for how to respond in such a delicate -- if unlikely -- scenario.
Netsec: The FBI's Trojan horse?
OpenBSD is a particular target for security exploit attempts, owing to its pedigree. An open source derivative of Berkeley Unix, the OpenBSD project was conceived from the start to have a special focus on security. Because of this, it has become a favorite among companies and government agencies for whom data security is a particular concern. Naturally, these organizations' systems number among the choicest targets for data thieves and spies, so planting a back door in OpenBSD would be quite a coup. Worse, many other software packages have incorporated encryption code borrowed from OpenBSD, so the true scope of such a vulnerability -- if it did exist -- would be difficult to measure.
According to Perry, in the late 1990s he was CTO of a company called Netsec, which arranged funding for development of OpenBSD cryptography frameworks. At the same time, he says, he was a consultant to the FBI's GSA Technical Support Center, the goal of which was to plant back doors into a variety of hardware-based security systems. As part of that project, he says, a Netsec developer named Jason Wright, along with "several others," intentionally introduced back door code into OpenBSD.