Richard Stallman Speaks About Back Doors After NSA Documents Leak
An anonymous reader writes "Companies such as Microsoft, Facebook, Apple, and Google are scrambling to restore trust amid fresh litigation over the PRISM surveillance program. Richard Stallman, the founder of the Free Software Foundation and a newly-inducted member of the 2013 Internet Hall of Fame, speaks about not only abandoning the cloud, which he warned about 5 years ago, but also escaping software with back doors. 'I don't think the US government should use operating systems made in China,' he says in this new interview, 'for the same reason that most governments shouldn't use operating systems made in the US and in fact we just got proof since Microsoft is now known to be telling the NSA about bugs in Windows before it fixes them.'"
Abandoning the cloud? (Score:4, Insightful)
As usual. Stallman was right all along. (Score:5, Insightful)
His record for being correct is rather unusual.
So how do you know the binary matches the source? (Score:4, Insightful)
You're not allowed to build your own version of the software from the source. This is why one of the FSF rights is the ability to compile the program for use.
Seems in pointing out what Stallman "forgot", you forgot something yourself.
Re:GNU/Linux is made in the USA (Score:5, Insightful)
GNU/Linux is open source, so you can (in theory) verify for yourself that there aren't any back doors. And if there are, you can fix them
That's true, but not if you're among the 99+% that installs a binary distribution.
The point is not that everyone needs to verify the code, but that anyone can do so, and that someone is likely to have done so.
Re:No surprises (Score:5, Insightful)
Your point about source code is interesting enough on the surface, but how many organizations compile Windows from source code?
I'm not convinced that what's in the [quasi-public] source code matters a lot when pretty much everyone runs the distributed binaries. Those are the things that need to be analyzed from a security perspective, along with the rest of the functional system that ends up in place. C'mon, you don't test food for poison by obtaining the recipe.
Re:GNU/Linux is made in the USA (Score:5, Insightful)
But equally there are thousands of really talented programmers who examine the source code very thoroughly, many of whom contribute back. If there were back doors then there is a high chance that they would have been detected. Plus anyone really paranoid about it CAN go and check the source code to make sure for themselves.
With proprietary operating systems you do not have that luxury.
He's right about one thing. (Score:5, Insightful)
RMS's comments about OS back-doors are rather dated, since M$ made Win2K source available to governments many years ago. It gave a whole new meaning to the Windows joke, "That's not a bug, that's a feature!"
He is, however, spot on about "the cloud". No engineer or admin in his right mind would entrust his/her organization's data to a medium riddled with security, privacy, and reliability flaws.
Bean counters are all for the cost savings of "the cloud" until you clearly spell out the risks involved. Accountants and executives hate taking big risks for only a tiny commensurate potential for gain.
Re:No surprises (Score:2, Insightful)
Having access to source code is not enough. You need access to ALL the source code and data AND the build tools for converting it to the final binary the computer will run. And the source for the tools too. Then you have to actually BUILD that source code and VERIFY that the binaries match (or use only what you build).
With Linux or BSD this is routine. There are thousands (millions?) of people that build their OS from scratch (Arch and Gentoo are two popular Linux distributions that work like this). With Windows? I seriously doubt it's even possible.
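As an added illustration (not code from this thread or any project mentioned in it) of the verification the parent describes: build the audited source independently, confirm that independent builds agree, and compare the result against the artifact that was actually distributed. Python bytecode compilation stands in for a native toolchain, so the interpreter here plays the role of the compiler whose own trustworthiness the parent also raises. `SAMPLE_SOURCE`, `ALTERED_SOURCE` and the helper names are constructed for this example.

```python
"""Reproducible-build check: does the artifact a vendor ships match what the
published source actually builds to? Added example, not from the thread.
Python bytecode stands in for a native binary; the interpreter is therefore
part of the trusted base, just like a C compiler would be."""
import hashlib
import os
import py_compile
import tempfile

# Constructed sample: the source a reviewer audited and the vendor published.
SAMPLE_SOURCE = "def greet(name):\n    return 'hello ' + name\n"
# Constructed sample: a variant that differs from the published source.
ALTERED_SOURCE = "def greet(name):\n    return 'hello ' + name + '!'\n"


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build(source_text, workdir):
    """Deterministic build step. dfile pins the filename embedded in the output
    so the build directory does not leak into it; CHECKED_HASH embeds a hash of
    the source instead of an mtime. Both are needed for byte-identical rebuilds."""
    os.makedirs(workdir, exist_ok=True)
    src = os.path.join(workdir, "mod.py")
    out = os.path.join(workdir, "mod.pyc")
    with open(src, "w") as f:
        f.write(source_text)
    py_compile.compile(src, cfile=out, dfile="mod.py", doraise=True,
                       invalidation_mode=py_compile.PycInvalidationMode.CHECKED_HASH)
    return out


def verify_distribution(source_text, artifact_path, rebuilds=2):
    """Rebuild the audited source `rebuilds` times in fresh directories. All
    rebuilds must agree (otherwise the build is not reproducible and comparing
    hashes proves nothing) and must match the distributed artifact's hash."""
    hashes = []
    for i in range(rebuilds):
        with tempfile.TemporaryDirectory() as d:
            # hash inside the with-block, before the directory is removed
            hashes.append(sha256_of(build(source_text, os.path.join(d, f"b{i}"))))
    if len(set(hashes)) != 1:
        return False, "build not reproducible: independent rebuilds disagree"
    if sha256_of(artifact_path) != hashes[0]:
        return False, "distributed artifact does not match a build of the published source"
    return True, hashes[0]


def demo():
    """Returns (honest_ok, altered_ok): True for an artifact built from the
    published source, False for one built from source that was never published."""
    with tempfile.TemporaryDirectory() as honest, tempfile.TemporaryDirectory() as altered:
        honest_ok, _ = verify_distribution(SAMPLE_SOURCE, build(SAMPLE_SOURCE, honest))
        altered_ok, _ = verify_distribution(SAMPLE_SOURCE, build(ALTERED_SOURCE, altered))
        return honest_ok, altered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The two knobs in `build` (a fixed embedded filename and content-hash invalidation instead of timestamps) are the bytecode analogue of what reproducible-build efforts do for native binaries: strip build paths and timestamps so that two honest builders produce identical bytes, which is the only condition under which "the distributed file hashes differently" is evidence of anything.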
Skype NSA surveillance from Microsoft (Score:5, Insightful)
I remember Microsoft's denials about intercepting Skype, yet the PRISM leak shows they can fully intercept everything:
http://gizmodo.com/what-is-prism-511875267
There are two worlds here, companies that cooperated with NSA illegal spying and those that didn't. They chose their sides, they chose the side against the constitution. That's not my side, I need to secure my data against NSA and its corporate allies.
Skype leak shows they can intercept voice communications, the files you sent, the text messages, the video of your conversations, the lot, and it's a live intercept, so it's a live connection too. I bet they can even turn on the camera and mic remotely on Skype.
Then we find out Stuxnet is confirmed as NSA. So no doubt where all those zero day exploits came from, Microsoft themselves:
http://www.guardian.co.uk/world/2013/jun/28/general-cartwright-investigated-stuxnet-leak
So all the scary hackers out there making Stuxnet? They're the NSA itself.
I don't trust this Windows box in front of me currently, my server is being moved out of the USA, this Windows box is next.
Re:As usual. Stallman was right all along. (Score:5, Insightful)
No, his record for being correct is not unusual.
It's pathetic.
And by that I mean that it is pathetic that you need to be a pessimist and paranoiac to even get halfway to predicting government and industry trends.
We need to work towards a world where Stallman is wrong more often.
Re:As usual. Stallman was right all along. (Score:5, Insightful)
What I respect about Stallman is his persistence. He just keeps hammering home the same message, over and over again, decade after decade. As opposed to politicians or talking-heads, he doesn't budge nor compromise. And then, ten or twenty years later, people realise he was right all along. And what does he do? He keeps hammering on the same message still, because people still didn't act, even when they know exactly what they ought to do. I think that is what makes him unusual.
Re:Abandoning the cloud? (Score:5, Insightful)
It may end up costing you more money to put stuff on the cloud if you want to do it properly.
If your data is sensitive, there is absolutely no way to process it in the cloud properly. The data has to be decrypted to a usable form before it can be processed. Cloud storage? OK, but why would you do that without actually doing your processing in the cloud, too? There are other solutions for backups which would cost less and leave you less confused about where your data is located.
Re:Abandoning the cloud? (Score:5, Insightful)
With all due deference to a slashdotter with a 3 digit UID, I'd like to point out the danger of your last statement.
Primarily, the risk is that your smaller side-projects may indeed pan out to be your primary revenue stream in the business environment of the future. But the consolidation effect is at least as dangerous. The conclusions that can be drawn by a talented analyst from the sum total of your small, seemingly insignificant data leaks can be staggeringly powerful. And if you think that your company is not worth the time of a talented analyst, then you may not have been paying attention to the cultural make-up of our current competitors in the world today. They take the time to analyze everything they can.
Now, I don't want to go off on a rant... but I did want to throw that out.
That said... Sure. Holiday pics fit nicely into a cloud.
The Cloud is good for Free Software (Score:5, Insightful)
One thing people keep neglecting to mention is that for the stuff we WANT to be public (e.g. source code), the cloud is a GREAT place to put it (but certainly not the only place we should put it).
BTW, "the cloud" is far too nebulous of a term for this discussion.
Re:Abandoning the cloud? (Score:5, Insightful)
In an era where the NSA lied about the existence of the program, lied about the level of oversight, lied about the effectiveness of the program, and lied about what data was collected, ANY assurance from the executive branch doesn't give much comfort.
Re:GNU/Linux is made in the USA (Score:5, Insightful)
But equally there are thousands of really talented programmers who examine the source code very thoroughly, many of whom contribute back.
Not really. Most of the thousands of projects have at most a few core developers and extraneous people who occasionally submit patches to fix specific itches. There is no "A team" scouring all open source for vulnerabilities, from the simple fact that such vulnerabilities most certainly do exist as innocent bugs and have not been reported by such teams.
To illustrate this point, the Linux kernel is developed by armies of smart people, yet an automated tool found a laundry list of shit that had been around for years and nobody noticed.
http://www.coverity.com/library/pdf/linux_report.pdf
If there were back doors then there is a high chance that they would have been detected.
There is no difference between a backdoor and a vulnerability. The logic that deliberate backdoors would be detectable in source code when we know from experience innocent bugs having the same effect as a backdoor have a proven track record of not being detectable is simply wishful thinking and wrong.
Plus anyone really paranoid about it CAN go and check the source code to make sure for themselves.
I suppose anyone can drain the Earth's oceans with an eye dropper as well.
Made in China? (Score:5, Insightful)
Given recent developments I have no reason to trust made in USA either...
Re:Abandoning the cloud? (Score:5, Insightful)
I would like to point out that the assertion that the NSA collects metadata is a strawman: a fictitious scenario that was constructed by relabeling plain data as "metadata", because it is perceived to be not as awful as pilfering through personally identifiable information. In fact, phone numbers, identifying numbers, account numbers, names, times, and dates are all just data. An example of metadata would be something describing the format of a displayed phone number, but the number itself is just pure data. I only bring it up because I see even people here on Slashdot, who are normally smarter on these issues than the mainstream, are starting to take these falsehoods at face value.