Richard Stallman Speaks About Back Doors After NSA Documents Leak
An anonymous reader writes "Companies such as Microsoft, Facebook, Apple, and Google are scrambling to restore trust amid fresh litigation over the PRISM surveillance program. Richard Stallman, the founder of the Free Software Foundation and a newly-inducted member of the 2013 Internet Hall of Fame, speaks about not only abandoning the cloud, which he warned about 5 years ago, but also escaping software with back doors. 'I don't think the US government should use operating systems made in China,' he says in this new interview, 'for the same reason that most governments shouldn't use operating systems made in the US and in fact we just got proof since Microsoft is now known to be telling the NSA about bugs in Windows before it fixes them.'"
No surprises (Score:5, Interesting)
Stallman's position isn't a surprise. I expect him to advocate open source software over any proprietary software. He has for thirty plus years. Why would he change now? There is one thing he overlooks when he says:
'I don't think the US government should use operating systems made in China,' ... 'for the same reason that most governments shouldn't use operating systems made in the US
Stallman overlooks the fact that various foreign governments already have access to the Windows source.
Microsoft to Share Source Code With Governments [washingtonpost.com]
Microsoft Corp. announced this week it is making the programming code for its Office 2003 software suite available to government agencies around the globe, a move partly aimed at allowing them to inspect the product for flaws and security problems.
Though Microsoft usually guards such software coding tightly, the step is an extension of an initiative the company began in January 2003 giving about 60 governments access to the inner workings of the Windows operating system. This is the first time the software giant has shared the source code for Office, which includes the Word text processing, Excel spreadsheet, and PowerPoint presentation programs.
Microsoft Grants Governments Access to Windows [techhive.com]
Re:No surprises (Score:2, Interesting)
If current state-of-the-art software engineering methodologies are not sufficient for producing bug free code, what makes you think a government can spot "bugs" that were planted there as backdoors?
Re:USA has form (Score:4, Interesting)
"...the result of having the secret key inside your Windows operating system 'is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system'. The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards"
That explains the slow fixes (Score:5, Interesting)
Some Microsoft bugs take a ridiculous amount of time to get fixed and all the reports seem to fall on deaf ears. We bash Microsoft for this behaviour but doesn't having a reporting relationship with the NSA help it all to make sense? Taking a long time to fix? Well, they may not be done exploiting it yet. Falls on deaf ears? Well maybe it's not a "bug" but a back door that no one was supposed to know about and Microsoft cannot comment on it without NSA approval.
Re:Abandoning the cloud ? (Score:5, Interesting)
Disclaimer: I am an IT Security professional.
It all depends on your threat scenario. Most of the smaller side-projects I work on are of no interest to any entity able to intercept the data transfers, so I don't mind storing stuff in, say, Evernote or Dropbox where it is more convenient to do so.
For the stuff that the survival of my small company depends on, running my own servers is worth the effort. For my holiday pictures, iCloud is perfectly acceptable.
Re:GNU/Linux is made in the USA (Score:4, Interesting)
... [A]nyone can [verify the code], and ... someone is likely to have done so.
Yes. The NSA guy who wrote the patch, and three of his astroturfing friends.
The "Many Eyes" fallacy is important here. Unless you can verify the authenticity of the code yourself, you need to verify the authenticity of the person verifying the code. Do you know all of the kernel devs personally? How about the X / Mir / $module devs? How many people actually write code for kernelspace? How many modify it for their particular distribution of choice? Do you trust those people?
Open source not immune to backdoors (Score:4, Interesting)
The point is not that everyone needs to verify the code, but that anyone can do so, and that someone is likely to have done so.
Anyone can do so in theory but not in practice. I'm an engineer but software isn't my specialty. I have absolutely no way to evaluate personally if there is a backdoor in any of the software I'm using. I simply don't have the skillset and for various reasons am not going to develop it either. Even if I was a really plugged in software engineer like Mr. Torvalds, I simply wouldn't have the time to review every single line of code before compiling it all myself. Don't forget to check the compiler and the firmware.
Additionally while you are correct that someone is likely to have done so, the question is who? Is it someone we trust or is it someone we don't or both? I have absolutely no way to know. I simply have to trust. Don't get me wrong, I think open source is fantastic but pretending that the code is somehow immune from backdoors is pretty naive.
Re:dudes, don't you know about.. the NSAKey? (Score:5, Interesting)
There are also those famous secret debug modes in AMD's and Intel's chips, which grant above-operating-system-level control and unlock hidden CPU resources. This has got to be the underworkings of a secret NSA toolkit for full hardware and software control. I give you the AMD CPU password, which was exposed and documented in 2010:
http://hardware.slashdot.org/story/10/11/12/047243/hidden-debug-mode-found-in-amd-processors [slashdot.org]
Don't you think this was all put in there for a reason? The NSA gets what they want, and they want it all: they want to know everything going on inside everyone's home, in every square inch of America. This was all done by design. No one is doing anything to challenge or stop them. Look at how none of these companies bothers to complain until, years later, something about the program they're running, which they now claim to have been against, is exposed. It's crazy, and we're not even getting to the half of it. Most of this was done without warrants or any involvement from any court...
How to get the public on board? (Score:4, Interesting)
He keeps hammering on the same message still, because people still didn't act, even when they know exactly what they ought to do.
Next time you're out and about, go ask some random person who is Richard Stallman.
Now ask yourself, if they never heard of him, what makes you think they're getting the message?
WE have heard of him and his message, but the general public hasn't. AND his warnings and claims come across as paranoia. I mean, before the NSA leaks, no one would ever believe our government would do such a thing - even here on Slashdot. How many times have folks said that the government is watching us only to have someone "point out" that it's "impossible" - here on Slashdot - supposedly the home of the most knowledgeable people on the Internet.
How can we expect John Q. Public to act when WE don't even believe half of it?
I'm telling you, next we will find out that the NSA/FBI has the ability to create instantaneous dossiers on people by just hitting the Medical Information Bureau, credit bureaus, Google (I don't give a shit wtf they say in public!), ChoicePoint, state DMVs, IRS, state tax departments, and I bet quite a few internal databases, too. All through those backdoors.
FUCK! Any one of us could code that!
Re:Abandoning the cloud ? (Score:5, Interesting)
Disclaimer: I am an IT Security professional.
It all depends on your threat scenario. Most of the smaller side-projects I work on are of no interest to any entity able to intercept the data transfers, so I don't mind storing stuff in, say, Evernote or Dropbox where it is more convenient to do so.
For the stuff that the survival of my small company depends on, running my own servers is worth the effort. For my holiday pictures, iCloud is perfectly acceptable.
I might go along with that except for the fact that the US Government is heavily involved with metadata. Metadata is still data, and there are things that can be done with that data or they wouldn't be collecting it. You may not like some of the things they do with that data.
And, for your sake, I hope that your holidays were all spent in good solid loyal patriotic places in the USA so that there's nothing treasonous that they can infer from the pictures once they use the metadata to get a FISA warrant to look at the actual data.
In an era when almost everyone either deals with offshore companies or has immigrant friends or neighbours, the assurance that "only foreign communications are examined" doesn't give much comfort.
Re:Abandoning the cloud ? (Score:5, Interesting)
Are you kidding? The cloud is just a rebranding of networked systems. If you fear the cloud you might as well disconnect your networks.
No it isn't. Cloud servers, excepting the in-house clouds, are owned and operated by third parties, who can be silently descended on by grim suit-wearing individuals with badges and pried open without your permission. Or your knowledge, since many of these programs make it a criminal offense to even mention the prying.
You don't even have to be the primary target, since you are sharing the resources with who knows what other questionable characters. More than one innocent business has been bitten because it turned out the next rack over leased space to Arab charities or hosted some sort of downloading service.
Re:Abandoning the cloud ? (Score:5, Interesting)
Disclaimer: I am an IT Security professional.
It all depends on your threat scenario. Most of the smaller side-projects I work on are of no interest to any entity able to intercept the data transfers, so I don't mind storing stuff in, say, Evernote or Dropbox where it is more convenient to do so.
For the stuff that the survival of my small company depends on, running my own servers is worth the effort. For my holiday pictures, iCloud is perfectly acceptable.
I am also a security professional, and I mirrored your attitude until just a few weeks ago. Silly me, I figured that nobody cared to which political party I belonged, nor what religious group, nor that I am military and actually believe in the constitution. Unfortunately, it turns out that in our government, you may indeed be targeted based upon any of the above.
And now, there are indications (I can't find the article), that you will be targeted if you attempt to maintain your privacy from the government on these things by using encryption, etc. (And I'll probably go up on several watch-lists due to this post. *sigh*.)
To be honest, I'm not really sure what to do. You're damned if you do, and damned if you don't.
Turn About (Score:3, Interesting)
Since Microsoft and other companies are telling the NSA about bugs before they fix them, then Microsoft and those other companies will no longer need a grace period when Anonymous or other hackers find vulnerabilities. They should be published right away for all to see.
Re:As usual. Stallman was right all along. (Score:5, Interesting)
The thing being missed in the current privacy fuss is that right now everyone is only worrying about the US government. That leaves out two other classes of players...
1 - I know that the US government is far from perfect, but compared to some other governments out there they're downright benign. That's not to excuse their behavior in any way, that's just to point out that there are bigger threats to be aware of.
2 - Don't forget corporations, particularly multinational corporations. At some theoretical level, the US government has the best interests of US citizens as its motivation. (I'll agree that it may be "theoretical" and one may have to say "SOME US citizens", but there is still that element there.) Corporations have their own profit and revenue as their primary motivation; the good of their customers is secondary, important as a continuing source of profit and revenue. As for non-customers, their importance is as a future source of profit and revenue. Nothing there about people's best interests if they don't align with the companies'.
While the boogeyman of the US government is certainly present, one should not forget that they are probably not the worst boogeyman, there are probably much worse out there. In other words, it's worse than you think.
On backdoors, don't forget this one:
http://scienceblogs.com/goodmath/2007/04/15/strange-loops-dennis-ritchie-a/ [scienceblogs.com]
Re:Skype NSA surveillance from Microsoft (Score:5, Interesting)
SIP software, point to point VPN.
Heh, I set my parents up with Jitsi a few months ago and configured their gateway to OpenVPN to mine. At the time it was purely for reliable addressing and networking ports, but it turns out to be pretty secure as well.
Now then, the traffic consists almost entirely of my kids telling their grandmother about a new bike or that girl at school who is sooooooo mean, but that's none of the NSA's damn business either. I don't want some creep analyst in Hawaii watching my daughter any more than I do some creep on a park bench.
Oh, the point - Jitsi is perfectly usable for an AOL grandmother. We actually started on this path when the Microsoft version of Skype became unstable on their Mac (the pre-MS version was pretty decent).