The claim that the FBI inserted backdoors into OpenBSD's IPsec code originated from an email sent by Gregory Perry, former CTO of NETSEC, to OpenBSD project leader Theo de Raadt in December 2010. Perry alleged that the FBI paid developers to implement backdoors and side-channel key-leaking mechanisms into the OpenBSD cryptographic framework for monitoring site-to-site VPN systems. This claim has not been confirmed, and the OpenBSD project conducted an investigation into the allegations, working to clean up the code. Security expert Bruce Schneier has expressed skepticism, calling the claim likely FUD (Fear, Uncertainty, and Doubt), noting that OpenBSD has one of the most thorough code auditing communities in open source, making undetected backdoors highly improbable.
Regarding FreeBSD, there is no direct evidence or credible claim in the provided sources that the FBI inserted backdoors into FreeBSD itself. However, since FreeBSD's IPsec stack was partly derived from OpenBSD code, there is a theoretical possibility that vulnerabilities or backdoors present in the shared code could have affected FreeBSD. The sources do not confirm that such backdoors were present in FreeBSD or that the FBI targeted FreeBSD specifically. The focus of the allegations remains on OpenBSD, and the broader implications for other systems like FreeBSD, macOS (which uses a FreeBSD-derived kernel), or other BSD variants are speculative and unverified.
In summary, while the OpenBSD backdoor allegations are a matter of public discussion and investigation, there is no substantiated evidence that FreeBSD has FBI backdoors like those claimed for OpenBSD. The potential risk to FreeBSD stems only from shared code, not from direct evidence of FBI involvement.
In Open Source software, being vigilant about security is priority One.
These articles cover a lot of ground (and are welcome here) as they ask the hard questions and they raise critical observations.
However, they also rely on numerous logical fallacies.
The allegations must be taken seriously.
But, salt must be thrown into the mix. What is decidedly lacking is any real evidence presented. And... Evidence is more compelling than gossip.
I think the first hard question most readers will ask, in reading some of this is:
If this stuff is Open Source... And can be independently audited...
How come no one really knows if the claims are true?
Open source code is just that. It does not come with a cover letter explaining what it does. It's just code and an auditor must really know the code in order to spot something malicious.
Keep in mind, the event was claimed to be at the turn of the 2000s, with the actual statement made in 2010. It did lead to independent auditing.
Nothing has surfaced to provide any evidence, in the fifteen years since the article @Bourne references was first published. There is a stark absence of any sign of malicious backdoor coding.
I think Bourne's post, if you read it all (the link), clearly states no evidence was found in relation to OpenBSD. In regard to SELinux, the author of that article states it would take years to audit every line of code in respect of SELinux. We (Debian, Ubuntu) have AppArmor, which does its job.
Just stumbled on this excellent video, a well-rounded calm explanation of what led up to the .xz vulnerability and how it was created and how it was prevented from bringing the internet down - nice closing comment by the RHEL guy about Lasse, the maintainer of .xz not being given thanks or support from the wider community:
An interesting article on The Register about Iran's cyberattacks:
What is concerning is that they used multiple exit nodes of commercial VPNs such as Mullvad, ProtonVPN, Surfshark, and NordVPN.
I can now envisage a new law that will prevent ordinary users from using VPNs and, if they do, being classed as terrorists, and covertly referred to Online Safety precautions!
I was in town today after dropping off vehicle for a service and repair. I picked up a copy of Linux Magazine to see what DVD was present - I put it down after I found it was EndeavourOS and Rocky Linux minimal, but not before reading latest headlines:
There has been a fresh attack on IRC channels which uses Command and Conquer (C2) and can take over a machine very rapidly.
I stopped using IRC many years ago after such threats became apparent.
The level of zero-days that Mythos found is alarming because similar technology in the hands of bad actors could "break the internet." If I could, I'd just hop off the internet for the next several months while people work this stuff out.
I can't believe that he stated that Defender is a good AV. I can remember the headline where Defender was infecting itself or something similar a few years back!
It seems that Windows Defender has improved. It might not be the best you can get, but from what I've read it is no longer as bad as it was in the past.
As we know, a perfect operating system doesn't exist on earth. Probably we exist on the deeper harder security because AI helped hackers and attackers. I know different hats exist on earth.
Well, there was an American Tech journalist on mid-day news talking about A.I. and Mythos. The Tech journalist said that nobody knows how the inner machinations of A.I. work, and the news presenter mentioned the incident where the lead developer of Mythos had an email sent to him by Mythos using his account while he was eating a sandwich in the park during his lunch break!
I disagree. The whole concept of A.I. is for it to learn stuff then, based on what it has learned, to think for itself - it's what we do to kids in school. What they do with that knowledge can be good or evil. As machines don't have a moral code, they will decide what they think provides the best outcome based on probabilities (or whatever they decide to use as their moral benchmark).
I watched a programme on TV years ago where an A.I. fledgling was force-fed gobbledygook words, no sentences, just words. Several days later, in a human-sounding voice, it said "Good morning Grandma. How are you today?" It had probably been fed Little Red Riding Hood!