FreeBSD Security Officer
2010-Dec-16 08:26 UTC
Claims of FBI backdoors in OpenBSD cryptographic code
Hi all,

We are aware of the email forwarded by Theo de Raadt to the openbsd-tech mailing list concerning alleged backdoor(s) in OpenBSD's IPSec stack and/or other cryptographic code.

The FreeBSD operating system contains code derived from OpenBSD, including the crypto(4) driver, the IPSec stack, OpenSSH, and the pf firewall. As we do with all such derived code, we keep an eye on the upstream projects so that we can respond promptly to any vulnerabilities which are found. It is worth noting, however, that vulnerabilities are found in upstream codebases on a regular basis, and even if some are found in the alleged areas it does not necessarily imply that they were deliberately inserted.

One of the great advantages of open source software is that it is possible for many people to audit it; the "many eyes" theory, however, depends on having many people who actually _do_ look at the code, not merely having many people who _can_ look at the code, and to that end we always encourage more independent auditing of code in FreeBSD. In the case of code which came to FreeBSD via other projects, this is no less important: for a variety of reasons, the code in FreeBSD is almost never identical to the code in upstream projects, and in bringing code to FreeBSD it is entirely possible for bugs to be added or removed.

As always, anyone who believes that they have found a vulnerability affecting FreeBSD is requested to contact secteam@freebsd.org.

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid