Has anyone else heard of this?

http://lwn.net/Articles/419865/

"I have received a mail regarding the early development of the OpenBSD
IPSEC stack. It is alleged that some ex-developers (and the company
they worked for) accepted US government money to put backdoors into
our network stack, in particular the IPSEC stack. Around 2000-2001."

No I haven't but the discussion here seems interesting wrt different POVs: http://marc.info/?l=openbsd-security...7531405260&w=2

Interesting, quite a bit of it beyond me I'm afraid. :-)

Indeed the task of having to audit the IPSEC stack doesn't look appealing. Can't we just pay Bruce?

It seems to me that paying a former openbsd person to claim to have knowledge of the governments interest in and placing of back-doors in a meticulously audited OSs would be an easy, and cheap, way to discredit the OS (or at least make people think "well even OpenBSD has security problems"). It would, if not an easily discredited claim (ie not a hoax: if this guy was the guy who did work on the OpenBSD project) have a very high impact/cost ratio,especially if they are frustrated with the crypto capabilities of OpenBSD.

If it turns out that this email came from someone other than the claimed sender, then clearly its not a govt interest thing: too easily discredited. However if this guy did send the email, then I would bet its just a discred campaign. But who knows. Praise to the OpenBSD people for being transparent.

Note: I wonder how likely it is that his NDA would have really expired so soon? Perhaps another thing pointing to a hoax?

some update material:
http://www.itworld.com/open-source/1...ed-participant

..then again if I had to trust anything or anyone I'd rather place trust in Bruce Schneier than whatever IDG or its affiliates spit out onto the 'net. They're not exactly renowned for their reporter and "author" "quality" or capabilities to do "research" let alone have any "news" that wasn't posted elsewhere. I mean, do you really expect anyone to honestly confirm having been on a FBI or affiliate payroll? And tell IDG? Yeah right.

Indeed for it to be DOD I would expect a more robust plan than simply attributing a letter to someone, from whom it did not come.

Well and NDAs for such things don't usually expire when the information is still important, unless expected it to be irrelevant at the expiration time, or if it becomes irrelivant for example if they can now crack.....DUM DUM DAAAAAA..... tin foil hats....won't even finish that thought

Yup seems a hoax though at some link on the chain of this story.

I'm confused.

Was there really a backdoor, or is the accusation false?

The point is that we don't know. There is a claim but no actual evidence, at least in the 'will stand up in court' sense of evidence. Now you might think '...well, all anyone has to do is to audit it...after all, the code is open and many eyes make all bugs shallow (yadda, yadda)...' but this is not exactly a trivial thing to do.

(My guess is that anyone who thinks 'well, I'll just do it then, how hard can it be...' is on a sharp-ish learning curve, but if you do do it, and you make a thorough job, your results would be welcomed.)

At this point, my bet would be on hoax/misunderstanding, but then I'm not in a position in which it directly affects me, so I can afford to be a bit more casual than someone who is directly affected.

There have been stories/updates on-line that include reference to 'two bugs found' in the code, and that they are being inspected for how they might have played out over time.

The following quote seems to be the one most spread around. This is found in the itwire story linked below.

I can neither vouch for the authenticity of the stories, nor the reliability of the authors or websites and take no responsibility for the content therin, but here are a few that reference it

edit: to be clear I am not pushing a particular point of view, just letting those here know what I have read.

Thank you salasi, it is appreciated. I was having trouble getting a short, concise, to-the-point assessment of the situation.