Ten years ago, the FBI planted "a number of backdoors" in OpenBSD's IPSEC (Internet Protocol Security) stack, a secure communication protocol that is used at sites all around the world. That's what the person who was paid to do it says:

"I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF (OpenBSD/FreeBSD Cryptographic Framework), for the express purpose of monitoring the site to site VPN (Virtual Private Network) encryption system implemented by EOUSA (Executive Office for United States Attorneys), the parent organization to the FBI. This is also probably the reason why you lost your DARPA funding, they more than likely caught wind of the fact that those backdoors were present and didn't want to create any derivative products based upon the same."


If these allegations—made by NETSEC's former Chief Technology Officer Gregory Perry—are true, everyone using this communication protocol could have been exposed to the FBI's electronic spies without being aware of it.

In an email sent to the OpenBSD project leader Theo de Raadt, Perry claims that they were paid by the FBI to do this dirty—or patriotic, depending on who you ask—job. After ten years, Perry says that his non-disclosure agreement with the FBI is over, and that's why he wanted everyone to know.


Theo de Raadt sent the mail to the OpenBSD community, which has already started the hunt for the FBI backdoors allegedly placed by Perry's NETSEC developers:

"It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into our network stack. Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products. Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations is."

The problem, however, may be a lot bigger than that. If this has happened once, how many more of these backdoors exist in other allegedly secure protocols and internet tools? That's what I want to know. [Ars Technica]