The nature of open-source software makes it possible for many developers to contribute to it. Some contribute in their free time and some do it professionally; the majority belong to the former group. The fact that anyone can read the source code means that malicious code can be spotted by anyone – many eyes are always better than one. This has always been considered one of the best features of open-source software.
However, a new development is threatening this very belief. According to Gregory Perry, the former CTO of NETSEC, the FBI has implemented numerous backdoors in OpenBSD's IPsec stack, allegedly by paying the developers working on it. Perry revealed this to Theo de Raadt, founder and leader of OpenBSD, in an email:
I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI. Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC.
According to Perry, the backdoors were implemented around a decade ago. Because of a non-disclosure agreement with the FBI, he could not speak out earlier.
The code is now being audited, and we will know whether Gregory Perry's allegations are true only once that audit is finished.
If his allegations prove true, the consequences will be far-reaching. For years we have been using open-source software in the belief that it is secure. We have always believed, as I have mentioned before, that with so many eyeballs looking at the code, someone will spot any attempt to insert malicious code. It would call into question the code base of every major open-source project, including Linux, no doubt. More damaging than that, however, could be the loss of confidence in Linus' Law, which is one of the main principles open-source software relies on to stay secure.
Paradoxically, this also highlights one of the strongest points of open-source software. If you believe that a piece of open-source software has been compromised, everything is available to you – you can investigate it yourself. With closed-source software, say Windows, there is simply no way you can do that.