Explosive allegations from a claimed former Federal Bureau of Investigation agent that United States government spy agencies had planted backdoors in the supposedly secure OpenBSD platform are overblown, according to Australian industry boffins.
The claims have nonetheless rocked the open-source community. Private communications between the alleged former agent and former NETSEC CTO Gregory Perry, as well as BSD project leader Theo de Raadt, were published on a public website yesterday at some time around 2pm AEDST.
The OpenBSD community soon began trawling through code to locate the rumoured backdoors. If they exist, government agencies or criminals with knowledge of the holes could access computers and sensitive data through any of the many applications touted as secure but built on the compromised software.
Australian pundits, however, have thrown cold water on the forum flamers, saying that even if such a backdoor survived the many critical code reviews by the open-source community, it would likely be of little threat to businesses and individuals.
FreeBSD veteran developer Greg Lehey said it is unlikely the backdoor exploit exists, given allegations by the FBI agent that the project's "extremely short" 10-year non-disclosure agreement had ended.
"The general feeling that I get from the whole issue, and what the others tend to agree, is that it's some kind of publicity stunt or an attempt to generate FUD. I think it might also have been intended as a way to annoy Theo personally," Lehey said.
"There's a question: why bother? There are easier ways to compromise security. Apart from direct personal contact [social engineering], there's the issue of pre-compiled binary objects. Code that is available in source form is the most difficult way to go.
"If this work was done under NDA, why did it expire after 10 years? I've done work in the past that I'm never allowed to divulge, and it had nothing like this level of impact. But if it's under NDA, the FBI would have known that it would come out. This, in particular, doesn't ring true."
Lehey disagreed with one security critic who claimed the truth could be reasonably and definitively discovered within a month of hard code review.
"You almost must possess a clairvoyant view of the code … to connect links. Anyone [who] thinks [a backdoor's] absence can be determined is kidding themselves."
Australian Linux Foundation president John Ferlito was unfazed about a possible backdoor.
"If it survived code review by the OpenBSD community — and these guys are smart and very focused on security — it would surely be too complex for black hackers to notice or they would have exploited [it] already," Ferlito said.
"While Australia is one of the biggest users of [Open]BSD, [IPSEC] tunnels are usually a corporate thing … those using IPSEC tunnels and [Open]BSD might be worried, but it doesn't mean there is sensitive data travelling those tunnels."
Well-known Internode network engineer Mark Newton said the effect on businesses would be minimal, if anything.
While the internet provider does not use OpenBSD, it does use FreeBSD, Solaris and flavours of Linux, which he and many others acknowledged could also contain the backdoor code, should its existence prove true.
"There is a lot of cross-pollination of open-source code bases so little snippets of code go from one form to another fairly freely," he said.
Newton believed it would be a long time until the community really knew whether the backdoor was there. "Or maybe, Wikileaks will tell us," he said.