"FBI Alleged To Have Backdoored OpenBSD's IPSEC Stack"

http://bsd.slashdot.org/story/10/12/15/004235/FBI-Alleged-To-Have-Backdoored-OpenBSDs-IPSEC-Stack (bsd.slashdot.org)

Aggrajag and Mortimer.CA, among others, wrote to inform us that Theo de Raadt has made public an email sent to him by Gregory Perry, who worked on the OpenBSD crypto framework a decade ago. The claim is that the FBI paid contractors to insert backdoors (marc.info) into OpenBSD's IPSEC stack. Mr. Perry is coming forward now that his NDA with the FBI has expired. The code was originally added ten years ago, and over that time has changed quite a bit, "so it is unclear what the true impact of these allegations are" says Mr. de Raadt. He added: "Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products." (Freeswan and Openswan are not based on this code (twitter.com).)

---

This is a little crazy. These are simply allegations, and have yet to be verified, but the mere accusation is devastating.

IPSEC is a way to secure communications on internal organizational networks, as well as to provide remote access to an internal network over secure IPSEC connections.

This means that the FBI has potentially had access (via hidden backdoors) to all IPSEC traffic for the last 10 years on systems that run the OpenBSD operating system. OpenBSD is one of a number of open source systems that are used in large deployment networks, specifically in VPN appliances that support IPSEC.

This means that companies who relied on IPSEC as a secure means of communicating on their internal network can no longer be certain that their internal network is invulnerable to potential traffic sniffing. It also puts the spotlight on all open source software that may have borrowed source code from the OpenBSD IPSEC software libraries.

#1451, posted at 2010-12-14 20:12:27 in Indiscernible from Magic