The founder of the security-centric UNIX-inspired OpenBSD operating system Theo De Raadt has said that there may have been efforts made to plant backdoors in the open-source operating system. Suggesting that OpenBSD may have been compromised by a former "government contractor," the operating system is normally held in high regard by developers who themselves typically audit the source code and perform necessary debugging steps as a matter of course.
In a letter that De Raadt has made public here Gregory Perry, who is now CEO of GoVirtual Education, wrote: "My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI. Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC."
De Raadt has subsequently been quoted here as saying that, “I believe that NETSEC was probably contracted to write backdoors as alleged. If those [backdoors] were written, I don’t believe they made it into our tree. They might have been deployed as their own product." The OpenBSD founder also said the developers associated with NETSEC worked on drivers for the operating system and wrote security code that used these drivers.
Taking the opportunity to detail his own direct response, De Raadt said, "The mail came in privately from a person I have not talked to for nearly 10 years. I refuse to become part of such a conspiracy and will not be talking to Gregory Perry about this. Therefore I am making it public so that: (a) those who use the code can audit it for these problems; (b) those that are angry at the story can take other actions; (c) if it is not true, those who are being accused can defend themselves."
To close the lid on this story, OpenBSD is undertaking a comprehensive audit of the crypto code and its developers have discovered and repaired several bugs saying that there were in fact no signs of backdoor code.