Richard Stallman Speaks About Back Doors After NSA Documents Leak
An anonymous reader writes "Companies such as Microsoft, Facebook, Apple, and Google are scrambling to restore trust amid fresh litigation over the PRISM surveillance program. Richard Stallman, the founder of the Free Software Foundation and a newly-inducted member of the 2013 Internet Hall of Fame, speaks about not only abandoning the cloud, which he warned about 5 years ago, but also escaping software with back doors. 'I don't think the US government should use operating systems made in China,' he says in this new interview, 'for the same reason that most governments shouldn't use operating systems made in the US and in fact we just got proof since Microsoft is now known to be telling the NSA about bugs in Windows before it fixes them.'"
Abandoning the cloud ? (Score:4, Insightful)
Re:Abandoning the cloud ? (Score:4, Funny)
Duh ;-)
Re:Abandoning the cloud ? (Score:5, Interesting)
Disclaimer: I am an IT Security professional.
It all depends on your threat scenario. Most of the smaller side projects I work on are of no interest to any entity able to intercept the data transfers, so I don't mind storing stuff in, say, Evernote or Dropbox where it is more convenient to do so.
For the stuff that the survival of my small company depends on, running my own servers is worth the effort. For my holiday pictures, iCloud is perfectly acceptable.
Re:Abandoning the cloud ? (Score:5, Interesting)
Disclaimer: I am an IT Security professional.
It all depends on your threat scenario. Most of the smaller side projects I work on are of no interest to any entity able to intercept the data transfers, so I don't mind storing stuff in, say, Evernote or Dropbox where it is more convenient to do so.
For the stuff that the survival of my small company depends on, running my own servers is worth the effort. For my holiday pictures, iCloud is perfectly acceptable.
I might go along with that except for the fact that the US Government is heavily involved with metadata. Metadata is still data and there are things that can be done with that data or they wouldn't be collecting it. You may not like some of the things they do with that data.
And, for your sake, I hope that your holidays were all spent in good solid loyal patriotic places in the USA so that there's nothing treasonous that they can infer from the pictures once they use the metadata to get a FISA warrant to look at the actual data.
In an era when almost everyone either deals with offshore companies or has immigrant friends or neighbours, the assurance that "only foreign communications are examined" doesn't give much comfort.
Re:Abandoning the cloud ? (Score:5, Insightful)
In an era where the NSA lied about the existence of the program, lied about the level of oversight, lied about the effectiveness of the program, and lied about what data was collected, ANY assurance from the executive branch doesn't give much comfort.
Re:Abandoning the cloud ? (Score:5, Insightful)
I would like to point out that the assertion that the NSA collects metadata is a strawman. A fictitious scenario that was constructed by relabeling plain data as "metadata", because it is perceived to be not as awful as pilfering through personally identifiable information. In fact, phone numbers, identifying numbers, account numbers, names, times, and dates are all just data. An example of metadata would be something describing the format of a displayed phone number, but the number itself is just pure data. I only bring it up because I see even people here on Slashdot, who are normally smarter on these issues than the mainstream, are starting to take these falsehoods at face value.
Re:Abandoning the cloud ? (Score:5, Insightful)
With all due deference to a slashdotter with a 3 digit UID, I'd like to point out the danger of your last statement.
Primarily, the risk is that your smaller side projects may indeed pan out to be your primary revenue stream in the business environment of the future. But the consolidation effect is at least as dangerous. The conclusions that can be drawn by a talented analyst from the sum total of your small, seemingly insignificant data leaks can be staggeringly powerful. And if you think that your company is not worth the time of a talented analyst, then you may not have been paying attention to the cultural make-up of our current competitors in the world today. -- They take the time to analyze everything they can.
Now, I don't want to go off on a rant... but I did want to throw that out.
That said... Sure. Holiday pics fit nicely into a cloud.
Re: (Score:3)
Sure. Holiday pics fit nicely into a cloud.
Actually even pictures can be a security risk depending on who sees them. If they are recent holiday pics in the snow, while your house is in a location with no snow, it may tell people you are not home and they may decide to rob you.
If there are no telltale signs of your location in the picture, are you sure you cleaned the metadata? Even a Mythbuster can be caught leaving GPS information [nytimes.com] in their pictures.
Even discounting the "Please Rob Me" mentality for a minute... What if you play hooky from work? Is
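The comment above turns on a concrete check: does a picture still carry a GPS fix in its Exif block, and has it actually been removed before sharing? The following is an added example, not code from the original post or from any of the commenters. It uses only the Python standard library to walk a JPEG's marker segments, locate the Exif/TIFF block, follow the GPSInfo IFD pointer (tag 0x8825) and decode the latitude/longitude rationals, and it also shows the mitigation: dropping the APP1 segment so the GPS block is gone. The sample JPEG is constructed inline (it has no image data, only an SOI, an Exif segment and an EOI) and the coordinates in it are made up; a real workflow would use a full Exif tool, since this reader deliberately handles nothing but the GPS IFD.

```python
import struct

# Added example: a stdlib-only reader for the GPS block of a JPEG's Exif metadata,
# plus a stripper that removes the APP1 (Exif) segment before a picture is shared.
# The sample JPEG built below is constructed for the demo; it is not a real photo.

STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))   # markers with no length field
GPS_IFD_TAG = 0x8825
ASCII, RATIONAL = 2, 5

def _segments(jpeg):
    """Yield (marker, start, end) for each JPEG segment up to start-of-scan."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        if marker == 0xDA:               # image data follows: no more metadata segments
            break
        seg_len = struct.unpack_from(">H", jpeg, pos + 2)[0]
        yield marker, pos, pos + 2 + seg_len
        pos += 2 + seg_len

def find_tiff(jpeg):
    """Return the TIFF block inside the APP1/Exif segment, or None if there is none."""
    for marker, start, end in _segments(jpeg):
        body = jpeg[start + 4:end]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
    return None

def _read_ifd(tiff, e, off):
    """Parse one IFD into {tag: (type, count, raw 4-byte value field)}."""
    n = struct.unpack_from(e + "H", tiff, off)[0]
    return {tag: (typ, cnt, raw) for tag, typ, cnt, raw in
            (struct.unpack_from(e + "HHI4s", tiff, off + 2 + 12 * i) for i in range(n))}

def _dms(tiff, e, off):
    """Read three RATIONALs (degrees, minutes, seconds) at `off`; return decimal degrees."""
    d, m, s = ((num / den if den else 0.0) for num, den in
               (struct.unpack_from(e + "II", tiff, off + 8 * i) for i in range(3)))
    return d + m / 60 + s / 3600

def gps_coordinates(jpeg):
    """Return (lat, lon) in decimal degrees if the Exif GPS IFD carries a fix, else None."""
    tiff = find_tiff(jpeg)
    if tiff is None:
        return None
    e = {b"II": "<", b"MM": ">"}[tiff[:2]]          # TIFF byte order
    ifd0 = _read_ifd(tiff, e, struct.unpack_from(e + "I", tiff, 4)[0])
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = _read_ifd(tiff, e, struct.unpack_from(e + "I", ifd0[GPS_IFD_TAG][2])[0])
    if not all(tag in gps for tag in (1, 2, 3, 4)):   # LatRef, Lat, LonRef, Lon
        return None
    lat = _dms(tiff, e, struct.unpack_from(e + "I", gps[2][2])[0])
    lon = _dms(tiff, e, struct.unpack_from(e + "I", gps[4][2])[0])
    if gps[1][2][:1] == b"S":
        lat = -lat
    if gps[3][2][:1] == b"W":
        lon = -lon
    return lat, lon

def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 segment (Exif, hence GPS) removed."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1:
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]                    # scan data and trailer are copied untouched
    return bytes(out)

def build_sample_jpeg(lat_dms=(37, 46, 30), lat_ref=b"N", lon_dms=(122, 25, 12), lon_ref=b"W"):
    """Construct a minimal big-endian Exif JPEG whose only metadata is a GPS IFD (constructed input)."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4       # IFD0: one entry plus next-IFD pointer -> 26
    lat_off = gps_off + 2 + 4 * 12 + 4    # GPS IFD: four entries plus pointer -> 80
    lon_off = lat_off + 24                # three RATIONALs of 8 bytes each -> 104
    rat = lambda dms: b"".join(struct.pack(">II", v, 1) for v in dms)
    ifd0 = struct.pack(">HHHIII", 1, GPS_IFD_TAG, 4, 1, gps_off, 0)
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI4s", 1, ASCII, 2, lat_ref + b"\x00")
    gps += struct.pack(">HHII", 2, RATIONAL, 3, lat_off)
    gps += struct.pack(">HHI4s", 3, ASCII, 2, lon_ref + b"\x00")
    gps += struct.pack(">HHII", 4, RATIONAL, 3, lon_off)
    gps += struct.pack(">I", 0)
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off) + ifd0 + gps + rat(lat_dms) + rat(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("before strip:", gps_coordinates(photo))
    print("after strip: ", gps_coordinates(strip_exif(photo)))
```

Running the script prints the constructed fix, roughly (37.775, -122.42), and then `None` for the stripped copy. The point of `strip_exif` is that it removes the whole APP1 segment rather than zeroing the GPS tags in place: the former leaves nothing for a reader to find, the latter depends on every reader honouring the edited values.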
Re: (Score:3)
Disclaimer: I am an IT Security professional.
It all depends on your threat scenario. Most of the smaller side projects I work on are of no interest to any entity able to intercept the data transfers, so I don't mind storing stuff in, say, Evernote or Dropbox where it is more convenient to do so.
For the stuff that the survival of my small company depends on, running my own servers is worth the effort. For my holiday pictures, iCloud is perfectly acceptable.
I don't have any data under my personal control that I care if the government intercepts. My email is boring as hell. The most interesting thing in my email is when Blizzard locks my Battle.net account because I tried to log in from work and they think my IP changed. My Dropbox is full of junk I want to transfer between computers and nightly binaries that I want to share with our Ukrainian QA team. Really exciting stuff. Hack away, people, hack away. I care not. The pieces of data that I wouldn't wan
Re:Abandoning the cloud ? (Score:4, Informative)
If you include embedded devices, quite a lot of it uses an OS from China. Anything from Huawei for a start - that alone has some people in Congress and the military concerned.
Don't be so sure (Score:3)
I don't have any data under my personal control that I care if the government intercepts.
Really? Are you certain of that? Here's the thing. Information you have can look circumstantially damning for reasons beyond your control. Sometimes people's identity is mistaken or they are in the wrong place at the wrong time. Messages that are entirely innocent can at times be used against you in a court of law. Maybe you have communicated with someone you don't know
Is it likely that the government will come after you? Of course not. Like you say your information probably is completely uninterest
Re:Abandoning the cloud ? (Score:5, Interesting)
Disclaimer: I am an IT Security professional.
It all depends on your threat scenario. Most of the smaller side projects I work on are of no interest to any entity able to intercept the data transfers, so I don't mind storing stuff in, say, Evernote or Dropbox where it is more convenient to do so.
For the stuff that the survival of my small company depends on, running my own servers is worth the effort. For my holiday pictures, iCloud is perfectly acceptable.
I am also a security professional, and I mirrored your attitude until just a few weeks ago. Silly me, I figured that nobody cared to which political party I belonged, nor what religious group, nor that I am military and actually believe in the constitution. Unfortunately, it turns out that in our government, you may indeed be targeted based upon any of the above.
And now, there are indications (I can't find the article), that you will be targeted if you attempt to maintain your privacy from the government on these things by using encryption, etc. (And I'll probably go up on several watch-lists due to this post. *sigh*.)
To be honest, I'm not really sure what to do. You're damned if you do, and damned if you don't.
Re: (Score:3)
Even if one has an insecure, but reliable service, that can come in handy, factoring in a threat model:
1: Before sending files to a cloud provider with an archival service, I use an archiving program, split the files up into segments (100-200 megs), then encrypt the segments with GPG and a decent passphrase. Not 100%, but it would force someone who manages to get access to have to try to compromise my endpoint or me (not hard, but it is a lot tougher than just passively guzzling out goodies).
2: TrueCrypt
Re: (Score:2)
Re:Abandoning the cloud ? (Score:4, Interesting)
Re: (Score:3)
Well, I do not "hate" the hype, I just find it funny. Along the same way as the GP has said, and one poster above disclaiming he was an "IT Security professional":
If you are planning doomsday scenarios, then don't have your computers connected to anything. I have been running my systems for 20 years without any intrusion that I am aware of. This doesn't mean I am not owned. So yes, you could put some stuff on the cloud. From an "IT Security professional" point of view: you categorize the levels of security
Re:Abandoning the cloud ? (Score:5, Informative)
Re: (Score:3)
It just makes it a tad harder to categorize your levels of security. Since brains to do that properly are rather seldom, it may end up costing you more money to put stuff on the cloud if you want to do it properly.
Re:Abandoning the cloud ? (Score:5, Insightful)
it may end up costing you more money to put stuff on the cloud if you want to do it properly.
If your data is sensitive, there is absolutely no way to process it in the cloud properly. The data has to be decrypted to a usable form before it can be processed. Cloud storage? OK, but why would you do that without actually doing your processing in the cloud, too? There are other solutions for backups which would cost less and leave you less confused about where your data is located.
Re:Abandoning the cloud ? (Score:4, Informative)
there is absolutely no way to process it in the cloud properly
Sure there is. It's called homomorphic encryption.
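The reply above names the technique but not what it buys you. Homomorphic encryption lets an untrusted machine compute on ciphertexts and return a ciphertext of the result, so the data is never "decrypted to a usable form" on the server. What follows is an added example, not code from the original thread: an additively homomorphic (Paillier) scheme in plain Python, which covers the sums-and-scaling case (fully homomorphic schemes that allow arbitrary computation exist, at a much higher cost). Everything here is assumed for the demo: the key size is a toy 64-bit-per-prime setting chosen so that key generation finishes instantly, the Miller-Rabin prime generator is good enough for a demonstration and no more, and the "salaries" are constructed sample data. The cloud-side functions take only the public key, which is the whole point.

```python
import math
import secrets

# Added example: additively homomorphic (Paillier) encryption, the textbook instance of
# "processing data without decrypting it". The untrusted server sees only ciphertexts
# and the public key; it can add encrypted values (and scale them by a public constant)
# but cannot read them. 64-bit primes are toy-size and chosen so the demo runs instantly;
# a real deployment uses far larger ones.

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test; adequate for a demo, not a hardened prime generator."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # fixed length, odd
        if _is_probable_prime(cand):
            return cand

def keygen(bits=64):
    """Return (public, private) Paillier keys: public = (n, g), private = (lam, mu)."""
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        n = p * q
        if p != q and math.gcd(n, (p - 1) * (q - 1)) == 1:
            break
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    g = n + 1
    # mu = (L(g^lam mod n^2))^-1 mod n, where L(u) = (u - 1) // n
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)

def encrypt(pub, m):
    """Randomized: two encryptions of the same m are different ciphertexts."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2

def decrypt(priv, pub, c):
    n, _ = pub
    lam, mu = priv
    return ((pow(c, lam, n * n) - 1) // n * mu) % n

# Operations the cloud side can perform with the public key only.
def cloud_add(pub, c1, c2):
    """E(a) * E(b) mod n^2 == E(a + b)."""
    n, _ = pub
    return (c1 * c2) % (n * n)

def cloud_scale(pub, c, k):
    """E(a)^k mod n^2 == E(k * a) for a public integer k."""
    n, _ = pub
    return pow(c, k, n * n)

def cloud_sum(pub, ciphertexts):
    """Sum a whole batch of encrypted values without decrypting any of them."""
    acc = encrypt(pub, 0)                 # E(0): the running total starts at zero
    for c in ciphertexts:
        acc = cloud_add(pub, acc, c)
    return acc

if __name__ == "__main__":
    pub, priv = keygen()
    salaries = [1500, 2300, 700]          # constructed sample data held by the client
    enc = [encrypt(pub, s) for s in salaries]
    total_ct = cloud_sum(pub, enc)        # server side: it never sees the total
    print(decrypt(priv, pub, total_ct))   # the client decrypts and gets 4500
```

The caveat the thread's "absolutely no way" reply is really about still holds for anything beyond this: Paillier gives you sums and public-constant products, nothing else, and the server learns the number of records and when they change. What it does remove is the need to hand the provider a usable plaintext to get an aggregate back.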
Re: (Score:2)
Anyone that has a secure network does just that.
It's not fear, it's trust. And no, I do not TRUST the cloud with things that, if they are lost, I lose money. Only a complete fool would trust another company with their critical data and a TOS that says, "we are not liable".
Re:Abandoning the cloud ? (Score:5, Interesting)
Are you kidding? The cloud is just a rebranding of networked systems. If you fear the cloud you might as well disconnect your networks.
No it isn't. Cloud servers - excepting the in-house clouds - are owned and operated by third parties. Who can be silently descended on by grim suit-wearing individuals with badges and pried open without your permission. Or your knowledge, since many of these programs make it a criminal offense to even mention the prying.
You don't even have to be the primary target, since you are sharing the resources with who knows what other questionable characters. More than one innocent business has been bitten because it turned out the next rack over leased space to Arab charities or hosted some sort of downloading service.
Skype NSA surveillance from Microsoft (Score:5, Insightful)
I remember Microsoft's denials about intercepting Skype, yet the PRISM leak shows they can fully intercept everything:
http://gizmodo.com/what-is-prism-511875267
There are two worlds here, companies that cooperated with NSA illegal spying and those that didn't. They chose their sides, they chose the side against the constitution. That's not my side, I need to secure my data against NSA and its corporate allies.
Skype leak shows they can intercept voice communications, the files you sent, the text messages, the video of your conversations, the lot, and it's a live intercept, so it's a live connection too. I bet they can even turn on the camera and mic remotely on Skype.
Then we find out Stuxnet is confirmed as NSA. So no doubt where all those zero day exploits came from, Microsoft themselves:
http://www.guardian.co.uk/world/2013/jun/28/general-cartwright-investigated-stuxnet-leak
So all the scary hackers out there making Stuxnet? They're the NSA itself.
I don't trust this Windows box in front of me currently, my server is being moved out of the USA, this Windows box is next.
Skype Link Spying Germany (Score:3, Informative)
Remember this?
http://yro.slashdot.org/story/13/05/14/1516247/microsoft-reads-your-skype-chat-messages?utm_source=commentcnt&utm_medium=feed#comments
A German user noticed that if he passed a link in a Skype message, the link was accessed by Skype servers.
Microsoft claimed it was to protect from malware. But now we know they're in the NSA's pocket, and the NSA is data mining all communications and storing them in the big database, the obvious conclusion to come to, is that this is part of NSA's data minin
Re: (Score:2)
Want secure skype?
SIP software, point-to-point VPN. Good luck, NSA, decoding that encrypted tunnel.
Re:Skype NSA surveillance from Microsoft (Score:5, Interesting)
SIP software, point-to-point VPN.
Heh, I set my parents up with Jitsi a few months ago and configured their gateway to OpenVPN to mine - at the time purely for reliable addressing and networking ports, but it turns out to be pretty secure as well.
Now then, the traffic consists almost entirely of my kids telling their grandmother about a new bike or that girl at school who is sooooooo mean, but that's none of the NSA's damn business either. I don't want some creep analyst in Hawaii watching my daughter any more than I do some creep on a park bench.
Oh, the point - Jitsi is perfectly usable for an AOL grandmother. We actually started on this path when the Microsoft version of Skype became unstable on their Mac (the pre-MS version was pretty decent).
Re: (Score:3)
Actually, the cloud is perfect for any open development.
As usual. Stallman was right all along. (Score:5, Insightful)
His record for being correct is rather unusual.
Re:As usual. Stallman was right all along. (Score:5, Insightful)
No, his record for being correct is not unusual.
It's pathetic.
And by that I mean that it is pathetic that you need to be a pessimist and paranoiac to even get halfway to predicting government and industry trends.
We need to work towards a world where Stallman is wrong more often.
Re: (Score:2)
What you are suggesting is a global waking up. Be careful, posting as anon ain't that safe ;-)
Re:As usual. Stallman was right all along. (Score:5, Interesting)
The thing being missed in the current privacy fuss is that right now everyone is only worrying about the US government. That leaves out two other classes of players...
1 - I know that the US government is far from perfect, but compared to some other governments out there they're downright benign. That's not to excuse their behavior in any way, that's just to point out that there are bigger threats to be aware of.
2 - Don't forget corporations, particularly multinational corporations. At some theoretical level, the US government has the best interests of US citizens as its motivation. (I'll agree that it may be "theoretical" and one may have to say "SOME US citizens", but there is still that element there.) Corporations have their own profit and revenue as their primary motivation; the good of their customers is secondary, important as a continuing source of profit and revenue. As for non-customers, their importance is as a future source of profit and revenue. Nothing there about people's best interests if they don't align with the companies'.
While the boogeyman of the US government is certainly present, one should not forget that they are probably not the worst boogeyman, there are probably much worse out there. In other words, it's worse than you think.
On backdoors, don't forget this one:
http://scienceblogs.com/goodmath/2007/04/15/strange-loops-dennis-ritchie-a/ [scienceblogs.com]
Re:As usual. Stallman was right all along. (Score:4)
Your post displays a naiveté so stunning that I would think you have never been around people.
For you to even say aloud that your stasi government is less of a threat than xyz really shows how ignorant you are of the fact that information is power and a monitored human is not a Free human.
Not to mention how you have no fucking concept that your economic Freedom is worse than a peasant in the 1300's.
A percentage of the harvest went to the lord of the manor (the land's lord, or landlord); the amount varied, but it was between 10% and 25%, and an additional 10% went to the local church as a tithe. Compare that 20-35% tax rate to the combined 50-80% tax rate many in the developed world pay (the ones that don't suck on the government's tits).
How you doin' Eloi? is the food good? are you happy and eating well? Hey what do you care if we take some people away every now and again, it's not you!
Just keep grazing on your grass like a fat happy cow all the way to the slaughter, telling other people around you how it's not so bad after all, it could be worse.
Re:As usual. Stallman was right all along. (Score:5, Informative)
> Multi-national companies don't have the power to imprison me, make things I'm doing illegal in order to harass me or silence my speech by unequal protection of the law as in the IRS abuses scandal.
Sure they do. They can use their vast resources to influence national governments, distort laws, and influence local prosecutors.
Some companies are larger than some nations and have the resources and influence to match.
This is not unprecedented. One of the things that the US was rebelling against was one such company.
Re:As usual. Stallman was right all along. (Score:5, Insightful)
What I respect about Stallman is his persistence. He just keeps hammering home the same message, over and over again, decade after decade. As opposed to politicians or talking-heads, he doesn't budge nor compromise. And then, ten or twenty years later, people realise he was right all along. And what does he do? He keeps hammering on the same message still, because people still didn't act, even when they know exactly what they ought to do. I think that is what makes him unusual.
How to get the public on board? (Score:4, Interesting)
He keeps hammering on the same message still, because people still didn't act, even when they know exactly what they ought to do.
Next time you're out and about, go ask some random person who is Richard Stallman.
Now ask yourself, if they never heard of him, what makes you think they're getting the message?
WE have heard of him and his message, but the general public hasn't. AND his warnings and claims come across as paranoia. I mean, before the NSA leaks, no one would ever believe our government would do such a thing - even here on Slashdot. How many times have folks said that the government is watching us only to have someone "point out" that it's "impossible" - here on Slashdot - supposedly the home of the most knowledgeable people on the Internet.
How can we expect John Q. Public to act when WE don't even believe half of it?
I'm telling you, next we will find out that the NSA/FBI has the ability to create instantaneous dossiers on people by just hitting the Medical Information Bureau, credit bureaus, Google (I don't give a shit wtf they say in public!), ChoicePoint, state DMVs, IRS, state tax departments, and I bet quite a few internal databases, too. All through those backdoors.
FUCK! Any one of us could code that!
Re: (Score:3, Funny)
No surprises (Score:5, Interesting)
Stallman's position isn't a surprise. I expect him to advocate open source software over any proprietary software. He has for thirty plus years. Why would he change now? There is one thing he overlooks when he says:
'I don't think the US government should use operating systems made in China,' ... 'for the same reason that most governments shouldn't use operating systems made in the US
Stallman overlooks the fact that various foreign governments already have access to the Windows source.
Microsoft to Share Source Code With Governments [washingtonpost.com]
Microsoft Corp. announced this week it is making the programming code for its Office 2003 software suite available to government agencies around the globe, a move partly aimed at allowing them to inspect the product for flaws and security problems.
Though Microsoft usually guards such software coding tightly, the step is an extension of an initiative the company began in January 2003 giving about 60 governments access to the inner workings of the Windows operating system. This is the first time the software giant has shared the source code for Office, which includes the Word text processing, Excel spreadsheet, and PowerPoint presentation programs.
Microsoft Grants Governments Access to Windows [techhive.com]
Re: (Score:2, Interesting)
If current state-of-the-art software engineering methodologies are not sufficient for producing bug free code, what makes you think a government can spot "bugs" that were planted there as backdoors?
So how do you know the binary matches the source? (Score:4, Insightful)
You're not allowed to build your own version of the software from the source. This is why one of the FSF rights is the ability to compile the program for use.
Seems in pointing out what Stallman "forgot", you forgot something yourself.
Re:So how do you know the binary matches the sourc (Score:4, Informative)
I'm afraid you've got it wrong. At least Australia can build from source. I doubt they got a special deal.
Australia to see Windows source code [cnet.com]
The ability to build from source would seem to be a key aspect of verifying the code. I'm not sure why you think they wouldn't be able to do it. What they probably can't do is distribute the binaries for free - they still have to pay Microsoft for the distribution of software.
Also, it seems likely that by providing their code to foreign governments, Microsoft is picking up what to them is free services of what are no doubt some of the best software engineers in government looking over their code, and probably sending in the occasional bug report. What's that saying? Many eyes make for shallow bugs? Or maybe not.
Re: (Score:2)
do they have access to the source code for the entire toolchain?
Re:So how do you know the binary matches the sourc (Score:4)
do they have access to the source code for the entire toolchain?
For the benefit of those who don't know why this is important, this [bell-labs.com] is a good explanation.
Re: (Score:2)
They love MS, MS giving them code to look over at after generational buy in is just a trinket.
What was Australia going to do if it finds a project-related hole? File it with MS and hope it's fixed in weeks? Months? Many months?
Australia was just feeling bad over its lack of sufficient software source code and IP to allow its airforce to understand some aircraft systems.
Source code became a political and defence issue with huge political efforts to try and get the US
Re:No surprises (Score:5, Insightful)
Your point about source code is interesting enough on the surface, but how many organizations compile Windows from source code?
I'm not convinced that what's in the [quasi-public] source code matters a lot when pretty much everyone runs the distributed binaries. Those are the things that need to be analyzed from a security perspective, along with the rest of the functional system that ends up in place. C'mon, you don't test food for poison by obtaining the recipe.
Re: (Score:2)
It looks like at least Australia can build the source. I doubt they got a special deal. Also, the governments receiving the source code didn't get the "recipe," they got the ingredients - that's what source code is.
Australia to see Windows source code [cnet.com]
The agreement will enable Australian government officials to view the source code for Windows 2000, XP, Server 2003 and CE. They can also use the code to build those versions of Windows, see Microsoft security documentation the company doesn't otherwise share, speak with Microsoft developers and perform their own tests on the code.
Yes, but (Score:5, Informative)
While it is true that Microsoft is agreeing in certain cases to give access to the source code to Windows, it appears actually getting your hands on the code is sometimes harder than expected.
Case in point: Éric Filiol, a former French intelligence officer from the DGSE (the Directorate-General for External Security), recently explained that
"The French State can't obtain certain pieces of technical information on the Windows kernel. A country that has nuclear fire and is a member of the UN's Security Council can't make Microsoft reveal necessary information on a system that is absolutely everywhere."
("L’État français n’arrive pas à obtenir certaines informations techniques précises sur le noyau Windows. Un pays doté de l’arme nucléaire et membre du conseil de sécurité des Nations-Unies ne peut pas contraindre Microsoft de lui donner des informations nécessaire sur un système qui est absolument partout".)
Source:
http://www.numerama.com/magazine/26360-la-france-n-arrive-pas-a-avoir-des-informations-sur-le-noyau-windows.html
So there seems to be a difference between what is announced and what happens.
Self-referencing C compiler (Score:2)
To build Windows, you have to use the Windows compiler, I guess. Well, that's that then:
Self-referencing C Compiler [scienceblogs.com]
Re: (Score:3)
While it is true that Microsoft is agreeing in certain cases to give access to the source code to Windows, it appears actually getting your hands on the code is sometimes harder than expected.
"The French State can't obtain certain pieces of technical information on the Windows kernel."
Is that referring to getting the source code? I interpreted it to mean getting some additional technical information, or perhaps a clarification, on the functioning of the kernel.
Re: (Score:2, Insightful)
Having access to source code is not enough. You need access to ALL the source code and data AND the build tools for converting it to the final binary the computer will run. And the source for the tools too. Then you have to actually BUILD that source code and VERIFY that the binaries match (or use only what you build).
With Linux or BSD this is routine. There are thousands (millions?) of people that build their OS from scratch (Arch and Gentoo are two popular Linux distributions that work like this). With Wi
Re: (Score:2)
Linux has such an uneven and scattershot userland that I doubt it's regularly built all the way up from source as a unified system in that many instances. BSD, on the other hand (or, at least NetBSD, which I am most familiar with) can be built, the whole kernel and core userland, from a single CVS tag checkout.
Re:No surprises (Score:4, Informative)
So what? Those governments don't have the right to compile the code.
However, government users will not be allowed to make modifications to the code or compile the source code into Windows programs themselves, Simon Conant, a Microsoft security specialist based in Munich, said.
"Governments under the GSP are allowed to view the code in a debugger, but not compile, redistribute, or actually modify the code," Conant, said. A debugger is a tool used to evaluate software code.
If you can't compile the code, there is no guarantee that you'll be auditing the right code base. If you dig down deep enough, the debugger will start taking you to the wrong lines (as happens with most software projects, even open source ones), but Microsoft will just explain away those discrepancies by saying that they had to remove some of their testing code and some of their logging statements (an explanation which is sensible enough, but one that you can't work around, because you're not allowed to compile the code yourself, nor have you been provided the exact compiling recipe/code snapshot they've used for their official release).
So whatever audit you do of the code base, Microsoft or the NSA can then modify the code before it gets compiled for your own citizens, and the chain of custody will have been broken, thereby completely circumventing your audit in the first place.
Re: (Score:2)
Apparently the Australians are allowed to compile the code. Maybe there is more than one set of terms.
Re: (Score:3)
Do you have a citation for that?
Australia, the UK, the US, and Canada are all senior partners in the NSA ECHELON [nsawatch.org] program, so the fact that any of those countries are allowed to compile the code (but other countries are not) wouldn't inspire much confidence in me in either case.
USA has form (Score:2)
Re:USA has form (Score:4, Interesting)
"...the result of having the secret key inside your Windows operating system 'is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system'. The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards"
Nah it was PROMIS and INSLAW (Score:3)
Maybe the NSA has infiltrated Microsoft . . . ? (Score:2)
You know, like, sending NSA agents to get cover jobs in Microsoft, and purposely plant obscure security bugs that can only be exploited by the NSA . . . ? I know that they are not supposed to do that, but the new description of work for the NSA seems to be something like:
Question: "What does the NSA do?"
Answer: "Things that it is not supposed to do."
Re: (Score:2)
anything that works fits the bill.
He's right about one thing. (Score:5, Insightful)
RMS's comments about OS back-doors are rather dated, since M$ made Win2K source available to governments many years ago. It gave a whole new meaning to the Windows joke, "That's not a bug, that's a feature!"
He is, however, spot on about "the cloud". No engineer or admin in his right mind would entrust his/her organization's data to a medium riddled with security, privacy, and reliability flaws.
Bean counters are all for the cost savings of "the cloud" until you clearly spell out the risks involved. Accountants and executives hate taking big risks for only a tiny commensurate potential for gain.
His backdoor remark is VERY CURRENT (Score:3, Informative)
This wasn't about the win2k NSA key, it is about Microsoft passing info about zero day exploits to the NSA instead of fixing them, so the NSA can use them to break into people's computers and spy on them. This came out in the news in just the past few days (not sure if revealed by Snowden or someone else). It would seem to explain why Microsoft is so damn slow about fixing bugs.
US government should use OSes made in China (Score:3)
CPUs on the other hand (Loongson) are kosher!
Re: (Score:2)
good one!
Irrelevant (Score:2)
The fear of backdoors into your OS is out of date in today's society. Why would they need to wait for you to be online and then risk detection by using a backdoor when they can just make a call to Facebook, your ISP or your mobile phone network and probably get far more valuable information?
It's also very naive to think that intelligence organisations don't have a catalogue of un
Re: (Score:3)
Why would they need to wait for you to be online and then risk detection by using a backdoor when they can just make a call to Facebook, your ISP or your mobile phone network and probably get far more valuable information?
Neither Facebook nor your ISP has any information about your network that you didn't volunteer. Unless you're not smart enough to put a hardware firewall between your modem and router (as well as other measures) they're not going to easily get your private data. Data you give your ISP, facebook,
That explains the slow fixes (Score:5, Interesting)
Some Microsoft bugs take a ridiculous amount of time to get fixed and all the reports seem to fall on deaf ears. We bash Microsoft for this behaviour but doesn't having a reporting relationship with the NSA help it all to make sense? Taking a long time to fix? Well, they may not be done exploiting it yet. Falls on deaf ears? Well maybe it's not a "bug" but a back door that no one was supposed to know about and Microsoft cannot comment on it without NSA approval.
dudes, don't you know about.. the NSAKey? (Score:3, Informative)
Microsoft has been installing the NSAKey in Windows since Windows 98; a special root key that grants them access to Windows cryptography services, the ability to generate their own keys, decrypt things, and maybe install rootkits, bypassing the user. Some people think it's a Trojan that even gives them stealth remote control capabilities. Microsoft has always been working with the NSA, and in turn, the NSA has always been getting into whatever they could possibly get their hands into. Welcome to the ultimate rootkit in society, next to Remote Neural Monitoring and Electronic Brain Link.
http://www.washingtonsblog.com/2013/06/microsoft-programmed-in-nsa-backdoor-in-windows-by-1999.html [washingtonsblog.com]
and nsa.pdf @ http://www.oregonstatehospital.net/ [oregonstatehospital.net]
Re:dudes, don't you know about.. the NSAKey? (Score:5, Interesting)
There are also those famous secret debug modes in AMD and Intel's chips, which grant above-operating-system-level control and unlock hidden CPU resources. This has got to be the underworkings of a secret NSA toolkit for full hardware and software control. I give you the AMD CPU password, which was exposed and documented in 2010:
http://hardware.slashdot.org/story/10/11/12/047243/hidden-debug-mode-found-in-amd-processors [slashdot.org]
Don't you think this was all put in there for a reason? The NSA gets what they want and they want it all; they want to know everything going on inside everyone's home, in every square inch of America. This was all done by design. No one is doing anything to challenge or stop them. Look at how none of these companies bothered to complain until, years later, something about the program they were running, which they now claim to have been against, was exposed. It's crazy, and we're not even getting to the half of it. Most of this was done without warrants or any involvement from any court...
The Cloud is good for Free Software (Score:5, Insightful)
One thing people keep neglecting to mention is that for the stuff we WANT to be public (e.g. source code), the cloud is a GREAT place to put it (but certainly not the only place we should put it).
BTW, "the cloud" is far too nebulous a term for this discussion.
Turn About (Score:3, Interesting)
Since Microsoft and other companies are telling the NSA about bugs before they fix them, then Microsoft and those other companies will no longer need a grace period when Anonymous or other hackers find vulnerabilities. They should be published right away for all to see.
Made in China? (Score:5, Insightful)
Given recent developments I have no reason to trust "made in USA" either...
Re: (Score:3, Informative)
No, it's not. There are distros based in all parts of the world. Also, the difference here is that the source code is freely available for all to see.
Re: (Score:3)
Not to mention the original linux kernel was written in Finland.
Many other free software projects are likewise non-American. Hell, OpenBSD is developed by a South African living in Canada.
Re: (Score:3, Informative)
Linux was made in Finland.
Yet another Yank taking credit for others' achievements.
Re: GNU/Linux is made in the USA (Score:5, Informative)
The kernel work started in Finland, but most of the work and most of the GNU system originated in other countries and most prominently the USA.
Re: (Score:2)
Should be called Finux.
Re: (Score:2)
Luke, concentrate on the force instead.
Re: (Score:3)
GNU/Linux is made by a community of developers from about every single developed country in the world, and possibly has had patches done by people who were at the time in less developed places. So there isn't one single government telling the contributors what to do. It either has no backdoors (because it's open source and supposedly someone has reviewed the patches), or it has backdoors from all over the world.
I may not like GNU much, or Stallman, but that's a fact regardless.
Re: (Score:3)
Bullshit. GNU/Linux is an international effort with contributors from many different countries. It is constantly peer reviewed by all kind of people, e.g. security researchers all over the world, and the source is open so you can check it yourself.
Re: (Score:2)
But to compile and compare the binaries you have to use at some point a compiled binary from some source, which you can't trust.
Re:GNU/Linux is made in the USA (Score:5, Insightful)
GNU/Linux is open source, so you can (in theory) verify for yourself that there aren't any back doors. And if there are, you can fix them.
That's true, but not if you're among the 99+% that installs a binary distribution.
The point is not that everyone needs to verify the code, but that anyone can do so, and that someone is likely to have done so.
Re:GNU/Linux is made in the USA (Score:4, Interesting)
... [A]nyone can [ verify the code], and ... someone is likely to have done so.
Yes. The NSA guy who wrote the patch, and three of his astroturfing friends.
The "Many Eyes" fallacy is important here. Unless you can verify the authenticity of the code yourself, you need to verify the authenticity of the person verifying the code. Do you know all of the kernel devs personally? How about the X / Mir / $module devs? How many people actually write code for kernelspace? How many modify it for their particular distribution of choice? Do you trust those people?
Open source not immune to backdoors (Score:4, Interesting)
The point is not that everyone needs to verify the code, but that anyone can do so, and that someone is likely to have done so.
Anyone can do so in theory but not in practice. I'm an engineer but software isn't my specialty. I have absolutely no way to evaluate personally if there is a backdoor in any of the software I'm using. I simply don't have the skillset and for various reasons am not going to develop it either. Even if I was a really plugged in software engineer like Mr. Torvalds, I simply wouldn't have the time to review every single line of code before compiling it all myself. Don't forget to check the compiler and the firmware.
Additionally while you are correct that someone is likely to have done so, the question is who? Is it someone we trust or is it someone we don't or both? I have absolutely no way to know. I simply have to trust. Don't get me wrong, I think open source is fantastic but pretending that the code is somehow immune from backdoors is pretty naive.
Re: GNU/Linux is made in the USA (Score:5, Informative)
But who compiled the compiler?
http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
And who knows what they put in your water... (Score:4, Funny)
And how do you know that mind control isn't perfected by the government?
How do you know that you are actually alive and not just dreaming?
Diverse Double-Compiling as a countermeasure (Score:3)
Actually, that, too, has been thought of and worked out. The trusting-trust attack can be fully countered [dwheeler.com] through Diverse Double-Compiling. It's all over my head but the material is there at several levels of detail for those who would read it.
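The "who compiled the compiler?" question above, the earlier point that you can only compile and compare binaries with some binary you already trust, and the Diverse Double-Compiling answer can all be seen in a few dozen lines. The following is an added, deliberately toy simulation written for this page; it is not code from Thompson's paper, from Wheeler's DDC work, or from any real compiler. The "language" being compiled is Python text itself, so a faithful compiler is the identity on text and binaries can be compared byte for byte, which is exactly the comparison DDC (and reproducible-build checks of a binary distribution) relies on. The login program, the marker strings and the `'backdoor'` password are invented for the demonstration.

```python
"""Toy simulation of Thompson's "trusting trust" compiler backdoor and of
Wheeler's Diverse Double-Compiling (DDC) check that detects it.

A "binary" here is just the text that gets exec()'d, so a faithful toy
compiler is the identity on text.  All programs and strings are constructed
for this example only.
"""

# The compiler's *claimed* source.  Reviewing it finds nothing suspicious.
CLEAN_COMPILER_SRC = '''\
def compile(src):
    # Faithful toy compiler: the binary is the source text itself.
    return src
'''

# The program the attacker wants to subvert (constructed sample).
LOGIN_SRC = '''\
def login(user, password, secret="hunter2"):
    return password == secret
'''

# Self-propagating payload.  It is a format template containing one "%r",
# so P % P reproduces the payload with a copy of itself embedded (quine
# trick).  It (1) weakens any login program it compiles and (2) re-inserts
# itself whenever it compiles the compiler from clean source.
PAYLOAD = '''\
    P = %r
    if "def login(" in src:
        src = src.replace("password == secret",
                          "password == secret or password == 'backdoor'")
    if "def compile(" in src and "P = " not in src:
        src = src.replace("    return src", (P %% P) + "    return src")
'''

# The subverted compiler binary actually shipped: clean source plus payload.
EVIL_COMPILER_BIN = CLEAN_COMPILER_SRC.replace(
    "    return src", (PAYLOAD % PAYLOAD) + "    return src")

# An independently written compiler for the same toy language.  Different
# text, same specification (identity), used as the DDC trusted compiler.
TRUSTED_COMPILER_BIN = '''\
def compile(src):
    # Second, independently implemented toy compiler.
    return "".join(line for line in src.splitlines(keepends=True))
'''


def load(binary_text, name):
    """'Run' a binary: exec the text and return the named function."""
    ns = {}
    exec(binary_text, ns)
    return ns[name]


def build_login(compiler_bin):
    """Compile the login program with the given compiler binary and load it."""
    compiler = load(compiler_bin, "compile")
    return load(compiler(LOGIN_SRC), "login")


def backdoor_survives_rebuild(compiler_bin):
    """Rebuild the compiler from its clean source with compiler_bin.
    For the subverted binary the rebuilt compiler is byte-identical to it,
    which is why auditing the source alone does not help."""
    compiler = load(compiler_bin, "compile")
    return compiler(CLEAN_COMPILER_SRC) == compiler_bin


def ddc_check(suspect_bin, suspect_src, trusted_bin):
    """Diverse Double-Compiling.
    Stage 1: compile the suspect's claimed source with an independent,
             trusted compiler.
    Stage 2: compile the same source again with the stage-1 output.
    If suspect_bin really came from suspect_src via a correct, deterministic
    compiler, stage 2 must equal suspect_bin bit for bit."""
    trusted = load(trusted_bin, "compile")
    stage1 = trusted(suspect_src)
    stage2 = load(stage1, "compile")(suspect_src)
    return stage2 == suspect_bin


if __name__ == "__main__":
    for name, cbin in (("clean", CLEAN_COMPILER_SRC),
                       ("subverted", EVIL_COMPILER_BIN)):
        login = build_login(cbin)
        print(f"{name}: real password ok={login('alice', 'hunter2')}, "
              f"'backdoor' accepted={login('alice', 'backdoor')}")
        print(f"{name}: rebuilt-from-clean-source == binary: "
              f"{backdoor_survives_rebuild(cbin)}")
        print(f"{name}: passes DDC: "
              f"{ddc_check(cbin, CLEAN_COMPILER_SRC, TRUSTED_COMPILER_BIN)}")
    print("'backdoor' appears in the audited source:",
          "backdoor" in CLEAN_COMPILER_SRC)
```

The subverted binary reproduces itself from perfectly clean source, so "read the source and recompile" never exposes it; only building the claimed source with a second, independent compiler and finding that the result does not match the shipped binary does. That is also the weak point of the check: its strength is exactly the independence of the trusted compiler, so a trusted compiler that shares a toolchain, a bootstrap binary or a maintainer with the suspect buys much less than the name suggests.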
Re: (Score:3)
Really?
Re:GNU/Linux is made in the USA (Score:5, Insightful)
But equally there are thousands of really talented programmers who examine the source code very thoroughly, many of whom contribute back. If there were back doors then there is a high chance that they would have been detected. Plus anyone really paranoid about it CAN go and check the source code to make sure for themselves.
With proprietary operating systems you do not have that luxury.
Re: (Score:2)
Plus anyone really paranoid about it CAN go and check the source code to make sure for themselves. With proprietary operating systems you do not have that luxury.
On a personal level, no. But many governments can, as well as some corporations.
Microsoft to Share Source Code With Governments [washingtonpost.com]
Re:GNU/Linux is made in the USA (Score:5, Insightful)
But equally there are thousands of really talented programmers who examine the source code very thoroughly, many of whom contribute back.
Not really. Most of the thousands of projects have at most a few core developers and extraneous people who occasionally submit patches to fix specific itches. There is no "A team" scouring all open source for vulnerabilities, from the simple fact that such vulnerabilities most certainly do exist as innocent bugs and have not been reported by such teams.
To illustrate this point, the Linux kernel is developed by armies of smart people, yet an automated tool found a laundry list of shit that had been around for years that nobody noticed.
http://www.coverity.com/library/pdf/linux_report.pdf [coverity.com]
If there were back doors then there is a high chance that they would have been detected.
There is no difference between a backdoor and a vulnerability. The logic that deliberate backdoors would be detectable in source code when we know from experience innocent bugs having the same effect as a backdoor have a proven track record of not being detectable is simply wishful thinking and wrong.
Plus anyone really paranoid about it CAN go and check the source code to make sure for themselves.
I suppose anyone can drain the earth's oceans with an eye dropper as well.
Re: (Score:2)
Binary distributions should be a little more risky, but there is nothing like a back door hiding in plain sight, there for anyone to see in the source code but not getting detected in most source code audits.
Re: (Score:3)
> They call it BSD and Open, because it's always free and open...
Until someone decides to turn it into a commercial product and deny you any rights whatsoever.
Re: (Score:2)
True. I used to download and install gnu-tar on AIX...
Re: (Score:2)
Right, the perfect way to gain the opposite results.