December 14, 2010, 10:32 PM —
Update: This story was updated at 0920 on Dec. 15 to include comments from the second Scott Lowe, and expand on additional questions now sent to Gregory Perry.
Amidst startling accusations revealed by OpenBSD founder and lead developer Theo de Raadt today that 10 years ago the US Federal Bureau of Investigations paid developers to insert security holes into OpenBSD code, some confusion about the accusations has already emerged, with one named party strongly denying any involvement.
According to a post by de Raadt on the [openbsd-tech] mailing list, he received an email from Gregory Perry, CEO of GoVirtual Education, a Florida-based VMWare training firm, in which Perry told de Raadt he was "aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA [an acronym for the US Dept. of Justice], the parent organization to the FBI."
In his message to de Raadt, Perry stated that while Perry was the CTO at NETSEC, "Jason Wright and several other developers were responsible for those backdoors." Perry said that he was now able to share this information with de Raadt because his non-disclosure agreement with the FBI had "recently expired."
If true, this type of government involvement would enhance the already present concerns free and open source developers tend to have about government policies concerning privacy.
But there are already challenges about the accuracy of Perry's statements.
For instance, at the close of his message to de Raadt, Perry stated that the presence of these backdoors were why "several inside FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments."
"For example," Perry concluded, "Scott Lowe is a well respected author in virtualization circles who also happens top [sic] be on the FBI payroll, and who has also recently published several tutorials for the use of OpenBSD VMs in enterprise VMWare vSphere deployments."
I contacted Scott Lowe, VMWare-Cisco Solutions Principal at EMC this evening to ask if he had a comment about Perry's statement to de Raadt. Lowe quickly responded via e-mail his denial:
"Mr. Perry is mistaken. I am not, nor have I ever been, affiliated with or employed by the FBI or any other government agency. Likewise, I have not ever contributed a single line of code to OpenBSD; my advocacy is strictly due to appreciation of the project and nothing more," Lowe replied.
When I followed up with the question of why Perry might want to implicate Lowe for assisting the FBI in promoting OpenBSD, Lowe replied, "I do not know why Mr. Perry mentioned my name. I do know that there is another Scott Lowe, who also writes about virtualization, to whom Mr. Perry might be referring; I don't have any information as to whether that individual is or is not involved."
Update:Mr. Lowe of Missouri was contacted for comment late last night, and did reply to my questions via e-mail early this morning.
"I am not, nor have I ever been, on the FBI's payroll, nor do I use or advocate the use of OpenBSD either personally or in my writing," Lowe of Missouri replied.
Perry may have gotten his Scott Lowes confused; stranger things have happened. Earlier in my own career, I was often confused with Brian Proffit, a prolific and excellent writer about OS/2 who is also a Baptist minister (trust me, I'm the evil twin).
The North Carolina Lowe has published articles and books on VMWare, while the Missouri Lowe has published his work primarily on TechRepublic, with more of a focus on Microsoft technologies, rather than VMware.
With the response of both Lowes on record, the question of mistaken identity becomes moot. It now becomes Perry's word against two Scott Lowes' that one of these gentlemen was promoting of OpenBSD happening on behalf of the FBI. It makes me wonder if Perry was speculating about Lowe's alleged involvement with the FBI.
I have reached out to Perry for comment; specifically to elaborate the evidence he has regarding the involvement of a Scott Lowe, and to identify the Scott Lowe to which he was referring. As of 0920 EST on December 15, no reply from Perry has been received.