IDG News Service - A former government contractor says that the FBI installed a number of back doors into the encryption software used by the OpenBSD operating system.
The allegations were made public Tuesday by Theo de Raadt, the lead developer in the OpenBSD project. DeRaadt posted an e-mail sent by the former contractor, Gregory Perry, so that the matter could be publicly scrutinized.
No one has come forward to corroborate Perry's story, but the allegations are remarkable. If they're true -- and at present they're being greeted with skepticism by the security community -- they mean that the FBI may have developed secret ways to snoop on encrypted traffic and then hidden them in source code submissions accepted by OpenBSD.
Perry is now CEO with a VMware services company called GoVirtual, but 10 years ago -- when the backdoor code was allegedly added to OpenBSD's IPsec stack -- he was a government contractor working for the FBI, he said.
In an e-mail interview, Perry said that the back door code was developed to give the FBI a way to monitor encrypted communications within the U.S. Department of Justice. Perry says he worked with the FBI while he was chief technology officer at a company called Netsec, and was a contractor at the FBI's Technical Support Center, which was set up in the late 1990s to help law enforcement circumvent encryption techniques used by criminals.
There, Perry helped develop encryption cracking techniques, including what are known as side channel attacks -- these are ways of finding secret information by looking in unexpected places -- figuring out passwords by looking at the amount of time it takes the computer to process different characters, for example.
One project Perry worked on, a virtual private network (VPN) system used by the U.S. Department of Justice
An FBI spokesman was unable to comment on the matter.
Perry said he sent the e-mail to de Raadt because his non-disclosure agreement with the FBI had expired.
Perhaps the most remarkable thing about the whole matter is that de Raadt decided to go public with claims that could undermine the credibility of his software. OpenBSD is open source software and its components are widely used in other Unix-based operating systems.
"I don't know many people or many companies who would have done this," said Dan Kaminsky, a well-known security consultant, who has worked with the OpenBSD project on security issues.
In his e-mail, de Raadt said that by going open with the allegations, he's giving users a chance to audit their code, and the people accused of writing the back doors a chance to defend themselves.
One person quickly came forward Tuesday to say he never worked for the FBI, as alleged by Perry.
It's possible that Perry's claims of an FBI backdoor are true, Kaminsky said, but he's skeptical.
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is email@example.com