

Claims of a possible FBI backdoor in OpenBSD's IPSec implementation

Theo de Raadt published an email sent to him claiming that some developers involved in the development of this first open-source IPSec implementation were on the payroll of the FBI and inserted a backdoor in the code. OpenBSD's primary focus is on security and it has a very good track record in this domain (I personally am a huge fan and user of it). The news of a vulnerability in OpenBSD is high-profile ("if it can happen to them, the ultra-security-focused, then..."). The dust on the claim still needs to settle and we don't know much yet, but at first glance it seems to be more of a troll / slander attempt. The author still stands by his statements; the engineers involved deny it.

All kinds of aspects of this email sound unrealistic. I'll focus on the NDA and classification part here, as the technical and personal sides will doubtless be researched by others in the coming time.

Leaking Top Secret compartmentalized information??

The claim "My NDA with the FBI has recently expired," in combination with the statement that "the FBI implemented a number of backdoors and side channel key leaking mechanisms", sounds highly dubious. The technical capabilities to eavesdrop and decrypt are always classified as Top Secret and further compartmentalized (compartmentalization adds further restrictions on who gets to see the information; here one would expect only the people involved plus some overseers to have that need to know). Arguably these kinds of secrets are the highest secrets such an organization can hold, and they are very strongly protected. See the secrecy surrounding the Enigma for an excellent example. Top Secret classification generally holds for 30 years and is independent of any NDA (it is the law on state secrets).

So if we assume this sender is indeed involved and right about this, he just exposed a very valuable Top Secret compartmentalized secret. We are not talking about somewhat embarrassing gossip of diplomats like the current WikiLeaks hype; no, these are really valuable in the eyes of these organizations. On top of that, this is politically sensitive as well: interfering with product development to insert weaknesses will by many be interpreted as an offensive activity. In short, this is a serious loss of face for the organization that did this, and they are not going to take that.

If this is a true warning from a real whistleblower, he is now in deep trouble. I would also seriously doubt his ethical mindset in either direction:

  • If he is in the "information should be free" camp, why did he wait 10+ years to expose this? After all, all those years the users would have been in danger.
  • If he is in the "secrets stay secret (at least until their expiry date)" camp, he released this 20 years or so too early, and he should know that. And why did he participate if he was so opposed to it?
Regardless of the situation, I personally would not trust him with my secrets anymore...

(If it isn't obvious from my background, I used to work in these environments and still do occasional jobs for them. For me secrets stay secret. If you do not agree with the activities, do not participate. You can always walk away. I've done this. It is often not easy to do, but always possible.)
