Can Open Source Be Trusted?
Published 09:23, 15 December 10
Theo de Raadt is one of the key hackers outside the mainstream GNU/Linux world. Here's his self-penned bio:
I am the founder of OpenBSD -- a freely redistributable 4.4BSD-based operating system with an emphasis on security. Donations allow me to put my efforts into OpenBSD and related projects. In 1999, I created OpenSSH with other members of OpenBSD. It is now incorporated into all Unix systems plus hundreds of other network-enabled products. It is now the most "vendor re-used" piece of open source software, with more than 90% of the SSH market.
Unfortunately, de Raadt raises the disturbing possibility that there is a big problem with part of OpenBSD - and one that undermines that “emphasis on security” in a deeply troubling way:
I have received a mail regarding the early development of the OpenBSD IPSEC stack. It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into our network stack, in particular the IPSEC stack. Around 2000-2001.
Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products. Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations is.
This is serious stuff - not just because it would mean that open source code has been unwittingly complicit in who knows how many acts of surveillance, but because it calls into question the basic development model of open source, which places a high value on trust. If it is confirmed that hackers put a backdoor into open source code for money - and some doubts have already been expressed - then that will cast doubt on that principle.
Moreover, if such backdoors are eventually found, it will raise questions about the whole “given enough eyeballs, all bugs are shallow” philosophy. It's true that backdoors aren't exactly bugs, but there is still the issue of how something this serious - if confirmed - could lie undetected for a decade in widely reused, security-critical code.
The first priority will be to go through the relevant code extremely carefully to ascertain whether or not there really are backdoors there. Depending on what is found, the open source community may then need to consider carefully some of its most cherished beliefs about trust and security. Even in the best case that nothing is found - as we must all hope - a little thought about both would be advisable so as to minimise, if not avoid, such problems in the future.
Update: see this recent post for an interesting, detailed discussion of a vulnerability that has been found, and why.