Perry initially contacted de Raadt with his claims by email in early December. He stated that he was only coming forward now because the nondisclosure agreement he signed with the FBI had recently expired, leaving him free to talk about whatever he wished. He advised de Raadt to review any code contributed by Jason Wright or other Netsec developers, then closed his note with "Merry Christmas."
What de Raadt would do next, however, Perry did not anticipate. De Raadt did not attempt to discuss the matter with Perry, nor contact him directly in any way. Instead, he posted Perry's email to a public OpenBSD mailing list, in its entirety, for all the world to see.
Coding cloak and dagger
De Raadt's stated reasons for his decision were several. First, he said, if he had kept quiet about an alleged conspiracy to plant back doors in OpenBSD code, he would in effect have become part of such a conspiracy, which he refused to do. Second, by publicizing the claims, he made it possible for those who used the affected code to review it for evidence of an exploit; for those who are angry about the nature of the story to take whatever actions they feel necessary; and for those accused of wrongdoing to defend themselves.
At least one of the accused wasted little time in doing just that. Within days of de Raadt's disclosure, Scott Lowe, a virtualization expert at EMC, categorically denied that he had ever been employed by the FBI or any other government organization.
Cynics will argue that even if Lowe had been contracted by the FBI, he would still deny it. Indeed, an FBI spokesman contacted by IDG News Service declined to comment on the matter, but former FBI agent E.J. Hilbert told IDG's Robert McMillan that planting a back door in OpenBSD would be "idiotic" and described Perry as "a nut." Because OpenBSD is open source and anyone can read the code, Hilbert said, inserting a back door intentionally would be tantamount to giving criminals free run of OpenBSD systems, which would hardly serve the FBI's broader goals.
Still, it would be foolhardy to assume that intelligence agencies are not actively involved in cyber espionage. The Stuxnet worm, which recently caused serious damage to Iran's uranium enrichment program, was stealthy and highly sophisticated. It is widely suspected to have been created by the Israeli intelligence agency.
Security out in the open
Debate over the veracity of Perry's claims continues. While the general feeling among the OpenBSD community seems to be that Perry is not credible, this issue is far too important to take lightly. Review of the affected sections of the code is underway, and two previously unknown bugs have already been identified (although neither is thought to be a back door).
What developers should take away from this episode, however, is that openness and honesty are essential to software security. Open source offers one form of openness: because the code is available for anyone to review, the combined efforts of users around the world ensure that vulnerabilities can be quickly identified and addressed.
But just because the code is available doesn't mean anyone is actively reviewing it. For open source to really work, it has to be accompanied by open dialog. When issues are discovered, they should be aired in a forum that allows all affected parties to participate in crafting solutions. If developers are afraid to reveal the presence of flaws in their code, they effectively stifle this dialog and undermine the security of their products.
Theo de Raadt has demonstrated time and again that he has no such qualms about the OpenBSD code tree. On the contrary, as he told IDG's McMillan, "I am happy that people are taking the opportunity to audit an important part of the tree which many had assumed -- for far too long -- to be safe as it is."
I wonder: Does your organization's software development group handle its own security issues as honestly and openly? And if not, are you sure you know what security issues you have?