A developing story reported by Phoronix alleges that the FBI paid OpenBSD developers to insert backdoors into the IPsec stack. According to the report, OpenBSD’s Theo de Raadt recently received an email from former NetSec CTO Gregory Perry informing de Raadt about the FBI’s effort 10 years ago to monitor the site-to-site VPN traffic via IPsec backdoors.
“My NDA with the FBI has recently expired,” Perry, now the CEO of GoVirtual Education said, “and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI. Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC.”
De Raadt said he didn’t want to get involved in a conspiracy, but he thought it was important to let everyone know that there could possibly be suspicious code still in IPsec, so he published the email from Perry in its entirety.
“Over 10 years,” de Raadt said, “the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are.”