> My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI. Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC.
Basically, he is saying the DOJ planted a back door so that it could spy on its own internal network.
What’s the real story here?
I remember this causing a huge stink at the time, with various petty reasons as the alleged cause (like Theo's less-than-friendly communication style).
> I actually am fairly uncomfortable about it, even if our firm stipulation was that they cannot tell us what to do. We are simply doing what we do anyways — securing software — and they have no say in the matter. I try to convince myself that our grant means a half of a cruise missile doesn't get built.
I don't have a date at hand but it was around the time of the war in Iraq.
A while after the quote was made (IIRC in a newspaper) the DARPA funding was cut.
a) there is nothing there to be found
b) being open source is not enough to find security-related bugs and backdoors
If you remember, the OpenSSH Challenge-Response vulnerability was found by ISS in 2002. OpenBSD's advisory can be found here
This was the first remote vulnerability found in OpenBSD's default installation (which they used to advertise with). Back then, it was very normal to have all kinds of bloated daemons enabled by default, and vulnerabilities were found in C code and were easily exploited (no ASLR, on x86-32 for example).
Of particular interest is "section 6. Release Process" because it has details about how the OpenBSD team dealt with the situation at that time. Also, the patches are from 26 June 2002.
Now, if you look at  (source of FOIA documents), you can notice the date is 14 August 2002. This indicates the FBI's document was made after the vulnerability was known to the public.
What are the indications that the FBI knew about this beforehand? Is that the part listed on the bottom where they say contact X has administrative control over the internet host cvs.openbsd.org and Y has administrative control over the internet host ftp.openbsd.org? We don't know who these people were, or who they worked for.
I remember there being some kind of feud between OpenBSD team and Grsecurity/PaX team (Brad Spengler aka Spender and a Hungarian I suppose by the nickname pipops). I always wondered about the relation of these, and the blackhat community. Who were these people with the gobble gobble memes, and the "Theo why is syslog running on port 514 I want to see SSH and nothing else"?
I also recall cvs.openbsd.org being owned but I no longer remember how that happened. There's a high chance it was made possible thanks to a remote CVS exploit that was making rounds in some hacker circles. FWIW, cvs.openbsd.org is mentioned under "memorable places I've been" in the Phrack #65 prophile of the UNIX terrorist.
2002 was a particularly bad year for OpenSSH and OpenBSD. In March 2002, it was found that OpenSSH 2.x/3.0.1/3.0.2 had an exploitable (post-auth IIRC) integer overflow in its channels handling. In June 2002, that preauth Challenge-Response vulnerability was made public and shortly afterwards GOBBLES Security made public an exploit (sshutuptheo) for the vulnerability that among other things targeted OpenBSD 3.1 default installations. In early August 2002, it was discovered that several OpenSSH packages had been backdoored on ftp.openbsd.org on June 30th, 2002 (google: "openssh 3.4p1 trojan").
Incidentally, the sshutuptheo exploit was written by the Australia division of GOBBLES Security. Later postings on public mailing lists suggest that this division fell off the earth shortly afterwards (can't link).
Some of these things had ties to the community around #phrack and the autonomous Phrack High Council "movement". PHC had nothing to do with the official Phrack magazine and instead was similar (in actions) to the Global Hell (gH) movement that happened earlier (around 2000, I think). PHC kind of spun out of the anti-sec movement that existed at the time, but really it was just a setup to trick kids into thinking they have a common purpose and do damage for the lulz; think early "anonymous" or lulzsec and you'll get the idea.
I know FBI had at least one informant in the #phrack and PHC circles at the time: soupnazi a.k.a segvec a.k.a . So perhaps those contacts mentioned in a child post aren't OpenBSD developers but.. other people?
The nickname of the Hungarian wasn't pipops but I'll leave it out since you got the reference right the first time: "PaX Team" ;) Regarding the feud, you can find some pointers in this poster defacement attributed to the Micke Mouse Hacking Squadron. The picture is from the OpenBSD tent at the Chaos Communication Camp in Berlin, Germany in August of 2003. MMHS was one of several GOBBLES Security copycats. They generally lacked the effort but MMHS was the only one that, like GOBBLES, produced a few (arguably funny) comic strips.
Grsecurity/PaX team did a hell of a job identifying vulnerabilities and working around them or hardening code long before anyone else. It's not surprising that they would've mingled with others interested in that sort of thing, possibly sharing hints of vulnerable code paths or having discussions around the vulnerabilities and/or workarounds.
The government does have plenty of tools for writing correct code. OpenSSH was written with available tools; if available tools to write correct code weren't used, there'd be very little burden for anyone to make an accusation.
>Currently, most Commercial Off-the-Shelf (COTS) software contains about one to five bugs per thousand lines of code.
>DARPA created the Crowd Sourced Formal Verification (CSFV) program to overcome these challenges.
(The above was a project that led to formal verifications that weren't open sourced.)
Of course, if that sort of thing is what you're looking for, there's always SELinux.