by daghamm 671 days ago
Even further back, someone claimed that a three-letter agency had paid some developer to introduce a backdoor to OpenBSD (or possibly OpenSSH).

Theo did not believe this and publicly disputed these claims and even revealed the name of the whistle-blower. But I have always felt the story rang true and Theo should not have been so dismissive.

Can't find the story, but it should be on the mailing lists somewhere.

2 comments

It was talk about a backdoor in OpenBSD's IPsec stack. The software was audited and nothing was found. The person who stepped forward (after being named) claimed on Twitter to have been formerly involved with the FBI and a supposed project of theirs looking into the feasibility of infiltrating the OpenBSD developer sphere in order to plant a backdoor, but that the project never reached planning.

Edit: the discussions and auditing of the IPsec stack happened around 2011 if memory serves me right. The supposed backdoor "happened" a decade earlier. The "agent" was named Greg Perry.

I remember this, it was the FBI. OpenBSD people did a huge audit and nothing was found. That was also like 20 years ago.

Also, other articles stated that never happened.

Plus, the "backdoor" in OpenSSH was a Linux-only thing possibly related to systemd. It never affected OpenBSD. That is because of Linux people patching OpenSSH with "dependency hell". I believe systemd people are doing something about these dependency chains.

The "thing to do" about the dependencies is not to have them in the first place. Distributions were patching OpenSSH to add a libsystemd dependency instead of adding 15 lines of code.

So you’re saying more than 1 person was paid to put the back door in.
And at least one of them was intentionally whistleblown to create an OpenBSD witch hunt, wasting both OpenBSD developers' time and distracting all the other *BSD and Linux security/devs, while the _real_ target slid under the radar...