FBI OpenBSD IPSEC Backdoors / The FBI paid to create security flaws in OpenBSD IPSEC
Date: Sat, 11 Dec 2010 23:55:25 +0000 [...] My [Gregory Perry, CEO, GoVirtual Education, "VMware Training Products & Services"] NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI. Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC. [...] This is also why several inside FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments; for example, Scott Lowe is a well respected author in virtualization circles who also happens to be on the FBI payroll, and who has also recently published several tutorials for the use of OpenBSD VMs in enterprise VMware vSphere deployments.
20 December 2010. Gregory Perry responds:
[...] Almost every operating system on the planet uses the OpenSSH server suite, which Theo and his team created with almost zero remuneration from the many operating systems and commercial products that use it without credit to the OpenBSD Project. Given the many thousands of lines of code that the IPSEC stack, OCF, and OpenSSL libraries consist of, it will be several months before the dust settles and the true impact of any vulnerabilities can be accurately determined; it's only been about 96 hours since their source code audit commenced and your recent article points to at least two vulnerabilities discovered so far. [...]