Former contractor says FBI put back door in OpenBSD

IPsec code was developed 10 years ago, says Gregory Perry

A former government contractor says that the U.S. Federal Bureau of Investigation installed a number of back doors into the encryption software used by the OpenBSD operating system.

The allegations were made public Tuesday by Theo de Raadt, the lead developer in the OpenBSD project. DeRaadt posted an e-mail sent by the former contractor, Gregory Perry, so that the matter could be publicly scrutinized.

"The mail came in privately from a person I have not talked to for nearly 10 years," he wrote in his a posting to an OpenBSD discussion list. "I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public."

No one has come forward to corroborate Perry's story, but the allegations are remarkable. If they're true -- and at present they're being greeted with skepticism by the security community -- they mean that the FBI may have developed secret ways to snoop on encrypted traffic and then hidden them in source code submissions accepted by OpenBSD.

Perry is now CEO with a VMware services company called GoVirtual, but 10 years ago -- when the backdoor code was allegedly added to OpenBSD's IPsec stack -- he was a government contractor working for the FBI, he said.

In an e-mail interview, Perry said that the back door code was developed to give the FBI a way to monitor encrypted communications within the U.S. Department of Justice. Perry says he worked with the FBI while he was chief technology officer at a company called Netsec, and was a contractor at the FBI's Technical Support Center, which was set up in the late 1990s to help law enforcement circumvent encryption techniques used by criminals.

There, Perry helped develop encryption cracking techniques, including what are known as side channel attacks -- these are ways of finding secret information by looking in unexpected places -- figuring out passwords by looking at the amount of time it takes the computer to process different characters, for example.

One project Perry worked on, a virtual private network (VPN) system used by the U.S. Department of Justice "later proved to have been backdoored by the FBI so that they could recover (potentially) grand jury information from various US Attorney sites across the United States and abroad," Perry said.

An FBI spokesman was unable to comment on the matter.

Perry said he sent the e-mail to de Raadt because his non-disclosure agreement with the FBI had expired.

Perhaps the most remarkable thing about the whole matter is that de Raadt decided to go public with claims that could undermine the credibility of his software. OpenBSD is open source software and its components are widely used in other Unix-based operating systems.

"I don't know many people or many companies who would have done this," said Dan Kaminsky, a well-known security consultant, who has worked with the OpenBSD project on security issues.

In his e-mail, de Raadt said that by going open with the allegations, he's giving users a chance to audit their code, and the people accused of writing the back doors a chance to defend themselves.

One person quickly came forward Tuesday to say he never worked for the FBI, as alleged by Perry. "I don't know where the person who started this rumor got his information, but he is sadly mistaken regarding my involvement," wrote Scott Lowe, a virtualization expert at EMC.

It's possible that Perry's claims of an FBI backdoor are true, Kaminsky said, but he's skeptical. "There's no way of really knowing. I guess the big question I have is is this guy going to be speaking publicly about his accusations?" he said. "Can anyone even trace back that he would conceivably have been under this NDA."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags unixopenbsdsecurityFederal Bureau of Investigationsoftwaregovernmentoperating systems

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert McMillan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts