European Police Plan to Remote-Search Hard Drives 260
Smivs points out a blandly-worded story from the BBC with scary implications, excerpting "Remote searches of suspect computers will form part of an EU plan to tackle hi-tech crime. The five-year action plan will take steps to combat the growth in cyber theft and the machines used to spread spam and other malicious programs. It will also encourage better sharing of data among European police forces to track down and prosecute criminals. Europol will co-ordinate the investigative work and also issue alerts about cyber crime sprees."
lol (Score:5, Funny)
Wow, good thing I have a firewall, built right into my router.
Re:lol (Score:5, Insightful)
That's funny. I tend to keep my highly illegal terrorism-and-kiddie-porn related files on disconnected usb drives.
Re: (Score:2)
What are you? A terror... hmmm, you just said that...
Summary is confused as usual (Score:5, Informative)
The summary takes the decision somewhat out of context.
They're not planning to remotely connect to any old joes computer they can and search it, they're planning to connect to zombie computers that have been hijacked by criminals to try and trace back where the criminals are coming from.
Apparently, there will be strict rules on what they can do on said machine too, that is, they're not allowed to start rummaging through people's personal data. Don't think I'm naive by saying that- I'm just repeating what I read on the issue, I don't believe for a minute those rules will be enforceable and I truly think as soon as they have access to these machines and their boss aint looking they're going to start rummaging like crazy.
I'm not sure how I feel about the general idea, if a machine has a backdoor and they can manage to connect to it also then in a way I feel they should just temporarily patch it for the user and inform the user at absolute worse although I'm not sure this is ideal- what if they patch some security researcher's honey pot for instance!
It certainly concerned me a bit when I read it but it's certainly not a plan to just use 0-day exploits to connect to everyone and anyone's PC or anything.
Re: (Score:3, Insightful)
I don't believe for a minute those rules will be enforceable and I truly think as soon as they have access to these machines and their boss aint looking they're going to start rummaging like crazy.
Right. Because police tracking down criminal networks are more than willing to risk their careers to sneak a peak at some random person's emails to their grandmother, pictures of their friends, and last year's Christmas wish list.
I'm not saying that nobody will ever overstep their snooping mandate, but I think we can all loosen the tinfoil hats just a bit. If your computer is one of these zombies, I'd be more concerned about the snooping that may have been done by the people who zombified it in the first pl
Re:Summary is confused as usual (Score:5, Interesting)
You are wrong. First, because yes, people will risk their careers to snoop on the privacy of total strangers, just because they can. Since they work in secrecy, it's even debatable if they feel their careers at at risk for doing so: http://abcnews.go.com/print?id=5987804 [go.com]
Second, because as alarming as the linked story is, privacy is ultimately not about the police reading your shopping list. It's always about money - the money someone is willing to pay to access personal data on a political opponent (to discredit her or him), a dissident group (to penetrate and spy on them), or a competing business (obvious).
Therefore, it's also about human rights.
Once the technology is available, it *will* be abused, and we know this, because such abuses have always happened. I don't know of a government (or a business) that had a technology available and decided not to use it because doing so would be unethical or even illegal. How many times must the same stories repeat before we learn?
Re:Summary is confused as usual (Score:5, Insightful)
Once the technology is available, it *will* be abused, and we know this, because such abuses have always happened. I don't know of a government (or a business) that had a technology available and decided not to use it because doing so would be unethical or even illegal. How many times must the same stories repeat before we learn?
An old saying puts it best: "What the government wants to do, and has the means to do, it will do -- logic, ethics, and common sense notwithstanding."
Re: (Score:3, Informative)
Sadly, this is not quite correct.
Here in Germany, they plan (and already have) to simply control you. Are you an eeeeeevil terrarist? Do you think of possibly considering, at some time in the far future, if you might want to do something which might bother some state bureaucrats? Do you Obey The RIAA?
It's not about spam, and zombie computers, and stuff like that. It's about control.
And, by the way, they are allowed to secretly enter your home, install some crap on your PC, and leave again. The might need a
Re:Summary is confused as usual (Score:5, Insightful)
Someone in the arts or business is permitted to think 'The chances of that happening are remote, therefore it is unlikely, therefore I will ignore it. If it should arise, I'll see it and deal with it then.'
People in a technical disciple are obligated to think 'The possibility of that happening is there, therefore it is inevitable that it will happen, therefore the whole thing is wrong until I address it.'
Bogus statistical claims. (Score:5, Insightful)
In a statement outlining the strategy the EU claimed "half of all internet crime involves the production, distribution and sale of child pornography".
And the other half is copyright infringement?
Re:Bogus statistical claims. (Score:4, Funny)
I get MY statistics from /dev/random
Oh look, IE usage has dropped to less than 1% and the US is no longer in debt.
Re: (Score:2)
Well, if you want to get pendantic then maybe they don't count criminal copyright infringement. While a civil suit can cost you a lot of money and can be very serious in itself, it doesn't leave you a criminal record. Or maybe they counted reported crime figures, you can be fairly sure kiddie porn is reported but you could report thepiratebay.org torrents all day long and noone would care. In other words, there's a million ways to cheat with statistics without making things up. There's a reason they say whi
Re: (Score:3, Insightful)
Here's a dumb but not entirely theoretical question: how do you count copyright infringement of kiddie porn images??
After all, doesn't the porn industry claim it's the most infringed of all copyrighted material??
Re: (Score:3, Insightful)
That might actually be a viable solution... no shit, do you see these kids signing any waivers? No?? Then they're owed royalties.
Re: (Score:3, Insightful)
Leaving the 419 scams, eBay fraud, phishing for financial details, and violating the MySpace TOS all lost in the noise.
Re: (Score:3, Funny)
HAHAHAHAHAHAHA (Score:3, Funny)
Can you repeat after me?
When this is implemented, it will be....
duh du duhnnn
Wait for it.....
"The year of Linux on the desktop"!
propaganda and hysteria works both ways (Score:2, Insightful)
you frequently here discussions on slashdot about grey hat activities: going to computers hosting worms, and shutting down the worm remotely, for example. and you hear many people here supporting that
now in europe, this is exactly what they are going to do: shut down zombies, shut down spam relays, and everyone on slashdot babbles incoherently about teh ev1l gubmint invading our computers. when such european effort sprobably sprang directly from the kind of strategizing peopl ehere on slashdot frequnetly en
Re: (Score:2)
I want the same rights the police have. I want to be remote searching their hard drives, and the hard drives of corporate executives, and of politicians. I have no more reason to trust them than they have to trust me, and neither do any of you. We should all have the right to know what is going on. If we don't, corruption is a systemic inevitability. Which should be abundantly obvious to anyone who has been paying attention to the events of the last few years.
Re: (Score:2)
I also want access to every tool that the police and other gov't agencies have access to, from weapons to forensics.
Without this parity, We The People are at their mercy.
Re: (Score:2)
If we don't, corruption is a systemic inevitability. Which should be abundantly obvious to anyone who has been paying attention to the events of humanity.
Fixed that for you.
Re:propaganda and hysteria works both ways (Score:5, Funny)
now in europe, this is exactly what they are going to do: shut down zombies, shut down spam relays, and everyone on slashdot babbles incoherently about teh ev1l gubmint invading our computers.
You've got the eighth comment! And judging by the length of your comment you probably didn't even see half of the previous ones before you posted.
if you instead spastically flail out everytime someone words an article in a propagandistic manner
Oh hi.
Re: (Score:2)
do you care about rights and freedoms?
you do?
then react to REAL and GENUINE threats to them
if you instead spastically flail out everytime someone words an article in a propagandistic manner, you are no defender of rights and freedoms, you are merely a manipulated hysterical fool. and, in fact, someone useful for the suppression of our rights, by proving to those who wish to restrict our rights that people don't even understand what their rights are
defend your rights and freedoms
against genuine threats
The government is the only entity that can actually take your rights away. The reason this is so is because they are the only entity that can legitimately use force on you.
Well technically, nobody can *take* a right because nobody can *grants* a right, rights are unalienable, and they can never be legitimate to infringe upon someones rights no matter if they are the government or not. However if you try to say "No" to the government, you will find yourself in a jail cell. If you continue to try say "No" to
Re:yeah (Score:5, Insightful)
Indeed...one need only look at the last eight years in the U.S. for the proof of this statement.
Oh, wait...
Re: (Score:3, Informative)
I find it interesting that you are complaining about the last eight years in the US, yet the article is about Europe...
IMO, it shows the anti-US sentiment, apparently because of the US's more or less high position in the world, as opposed to many European countries that are trying to rival it with the EU, etc., but failing.
And yet, The UK and Europe have far worse "wire-tapping" sorts of things than the US. But it's not in vogue to complain about it anywhere but in the US, it seems.
Re: (Score:2)
I'm referencing the U.S. because I'm a resident of the U.S., and have more knowledge of the U.S. government's various malfeasances than I do of the U.K.'s.
And no one was "complaining". I was merely pointing out that the OP's claim that a government is somehow more trustworthy than a "grey hat" is patently absurd.
Re: (Score:2)
because with the government there is accountablity, responsilibty, a paper trail, transparency
You have obviously never been fucked over by government. This means you are a) not rich and/or b) have never been in the wrong place at the wrong time.
The government's JOB is to screw you. How else do you think they make money?
Re:yeah (Score:4, Interesting)
A grey hat in his basement can give me a trojan, perhaps fuck up my computer. The government can send hordes of armed men round to my house and lock me up for the rest of my life. Although I do probably trust the government more than some random, I know which one I am more scared of.
This can't be right (Score:5, Insightful)
how how how? (Score:2, Insightful)
how would this work? since to access my hard drive to search it, they would need.
1. me to be on the internet at the time they want to search my drive.
2. my to give them access to my machine via a remote desktop style connection, which would involve me giving them a username and password to my machine.
or
1. me to be on the internet at some point
2. mandating that EVERYONE in the EU runs an application that indexes the entire of all the hard drives connected to a machine, and transmits the index to a central lo
Re:how how how? (Score:4, Interesting)
Please see my earlier post [slashdot.org] regarding this...apparently, they plan to infect your system with a remote access Trojan.
But don't worry...it's for your own good.
Re: (Score:2, Funny)
...apparently, they plan to infect your system with a remote access Trojan. But don't worry...it's for your own good.
Oh! That feels so much better with a Trojan. Should we all oil our hard drives beforehand to increase the pleasure?
or... (Score:3, Insightful)
or
1. search your computer through backdoor built into closed-source operating system.
Re: (Score:2)
or
1. search your computer through backdoor built into closed-source operating system.
or
1. search your computer through a backdoor injected in one of your repository package upgrades built into the conveniently open-source operating system.
I'm a Linux user and fan myself but in this case it would be even easier for governments to secretly slip someone a manipulated file.
Re: (Score:2)
MD5 does not provide security.
All MD5 is good for is checking that the package is complete and wasn't corrupted in transit. For actual security you need GPG signatures, made by a safely kept, trusted key.
First, you need to know that you really have the official Gentoo key, and not something else. This is not that easy. How do you know your ISP isn't spoofing DNS for gentoo.org, and that you got the right key when you downloaded the install .iso? If you downloaded over HTTPS (doubtful), are you sure the Secr
Re: (Score:2)
Not only that, but if no one *sufficiently expert* =happens= to review the source, how do you know what's really in that obfuscated code? Remember, it's not like all the source code is queued up for a panel of experts to ensure that no unreviewed code ever reaches the public!
Hence I suspect there is a LOT of opensource code that no one (other than the original author) has ever inspected, or that has only been inspected by people not sufficiently expert to find backdoors and such. Does someone vet every triv
Re: (Score:2)
Not only that, but if no one *sufficiently expert* =happens= to review the source, how do you know what's really in that obfuscated code? Remember, it's not like all the source code is queued up for a panel of experts to ensure that no unreviewed code ever reaches the public!
Hence I suspect there is a LOT of opensource code that no one (other than the original author) has ever inspected, or that has only been inspected by people not sufficiently expert to find backdoors and such. Does someone vet every trivial plugin offered for $CommonApp ??
And backdoors need neither large nor obvious... I'm reminded of a trojan SMTP server of some years back that was a mere 3000 BYTES.
Depends on the project. For something large and important like, say, the Linux kernel, that's being reviewed all the time. For something small and less important like, say, SpeedCrunch, it's probably not reviewed very often.
But that's the thing, BECAUSE it's open source it CAN be reviewed. And not just by one or two people who might miss it but by anyone who wants to.
With closed-source this isn't even possible. We just have to take the vendor's word for it which I trust vastly less given that they
Re: (Score:2)
Don't the md5s come from he same place as the packages? I'm sure the black hats would never think of spoofing the hash in addition to the source.
If it's not signed, it's not signed.
Wow! (Score:5, Insightful)
You know, it's awfully hard to not be yet again reminded of Orwell here. Constant surveillance and no privacy from the government so they can monitor everything you do.
But, of course, if your machine is behind a firewall, they'll just outlaw having firewall because it impedes their ability to investigate you for crimes. At which point if you need to be insecure enough to ensure that law enforcement can get in and do this, your machine will be hosed within the hour as the actual bad people break through as well.
This will either fall apart as un-doable, or spark some absurd laws to enforce it.
Cheers
Re: (Score:2)
This would apply to pretty much any other security mechanism out there as well. AV scanners that ignore s
Re: (Score:2)
Translation, a government mandated backdoor to all forms of security that they promise will only be accessible by them.
The reality would be that we'd set computer security back by a decade or more, and we'd leave a hole big enough to drive a truck
Re: (Score:2)
No, no, no... you have it all wrong. The police simply have to co-opt the Evil bit [wikipedia.org] to differentiate their traffic from the "bad guys," n00b!
Re: (Score:2)
Load up your computer with files named "LondonBombingPlans05May2009.doc" or "HOT13YOPUSSY!!!!.JPG" and have them be copies of George Orwell's books.
Then leave your computer "vulnerable" on the Internet, er, I mean, leave it running Microsoft Windows without a hardware firewall, and leak it somewhere that your computer may be up to no good.
Come to think of it, if I put some "questionable" files on the computer at work will they start listening on those too? At some point the argument will be "But terrorists secretly work from their R&D department, of course we'll have to check their data".
Re: (Score:3, Funny)
With mild encryption so it gives them some time to kill.
Could be fun, could also backfire, I mean if they are allowed to do this they'll eventually be allowed to arrest you for wasting their time by doing something like that.
Blah.
I'm moving to Russia.
Re: (Score:2)
>Load up your computer with files named "LondonBombingPlans05May2009.doc" or "HOT13YOPUSSY!!!!.JPG" and have them be copies of George Orwell's books.
The drawback to this plan being that jackbooted Thought Police kick your door in at 3:00 am, haul your ass off, and throw you into a dank, unlit hole full of rats where you are buggered with cattle prods until you provide the decryption key to Chapter 14 of 1984.
Re: (Score:2)
Why? The analysis you link to is a joke.
219a.1.b essentially outlaws phreaking. It says you can't use an unlawful telecom access device to avoid your line & data charges. A firewall doesn't try to avoid those. No problem.
540c.1.c says you can't tap into the telecom network without the provider's permission. You pay them a fee, they give you access, now you have the actual consent to use the line in the ways their contract allows for. Of course, if their AUP prohibits running a web server but you
Re:Wow! (Score:4, Informative)
If you don't care for that analysis, here's another [securityfocus.com].
More Information? (Score:5, Informative)
Unfortunately, the article cited is maddeningly vague as to how this initiative will be implemented. A little digging turns up this Register article [theregister.co.uk] on the subject, which contains slightly more info.
From the Register article:
So, in short, here's just one more compelling argument for ditching Windows for Linux...
Re:More Information? (Score:4, Informative)
thank german minister for the interior for that shit. he introduced the law, the law was modded down by young social democrats, he was pretty pissed and so he tries to push the law through this way.
Re: (Score:2)
So, in short, here's just one more compelling argument for ditching Windows for Linux...
Thinking of the manifold ways repositories can mess up your system and will bring the unexperienced users to tears I would doubt that statement. Read up on the Automatixx hoax a while back and you will know what I mean.
Re: (Score:2)
Granted....I'm just making the suggestion based upon the available information that says a Trojan will be involved, which will almost certainly be only written in the M$ flavor...90% of market share and all...
However, as interest in Linux increases, it's only a matter of time before The Powers That Be take notice, and mucking with a repository would be a great way to snare an unsuspecting Linux user. All the more reason to support the growing Paranoid Linux [paranoidlinux.org] movement...I don't know exactly how effective thi
Re: (Score:2)
Police in Germany are most enthusiastic about pushing this tactic, the sort of approach even Vic Mackey from The Shield might baulk at...
Off-topic and all, but didn't Vic Mackey routinely murder people? I somehow doubt that this would bother him...
Linux is vulnerable too (sort of) (Score:3, Interesting)
So, in short, here's just one more compelling argument for ditching Windows for Linux...
With more and more Linux users running proprietary binary blobs for convenience reasons or just out of pure laziness (video drivers, flash players and what not), it would be rather easy for $GOVERNMENT to remotely substitute one of those blobs with a "policeware"-augmented one with a classic man-in-the-middle attack. How could you check the code of those binary blobs to be sure that $THEY aren't already listening in wh
Worried? (Score:4, Funny)
I would be worried that this would be badly worded and over-broad.
But, being a citizen of the UK, I know that even if legislation were made like this, then Her Majesty's Government would never abuse its powers and apply it to situations which were not originally intended.
Just like the anti-terrorism legislation.
Oh, hang on...
Re: (Score:2)
Her Brittanic [Don't you mean Germanic - Ed] Majesty's government probably think they wouldn't need to search your machine to get your data.
Because if their experience is anything to go by, everyone just leaves it lying around in taxis, trains, pub car parks and so on for anyone to find.
Re: (Score:2)
just like the dont shoot people who dont remotely not look like terrorists between they eyes on public transport
oh wait
Go ahead (Score:5, Insightful)
as I sit here in a cafe, my laptop connected to some unsecured AP far awqay with a biquad wifi antenna, I say go right ahead, search my hard-drive, but don't forget to bring a good map and a gonio antenna to find me in case you realize I'm not the poor guy whose house you're about to raid.
This will never work, there are way too many anonymous internet connections around for this 1984 scheme to work, and people who have something to hide usually don't leave stuff hanging around unencrypted on their hard disks.
What's next, mandated backdoors? (Score:2)
I have a great idea for new security software... "Guaranteed to keep out those nosy government agents!"
Searching and FPS (Score:2)
Data Protection Laws (Score:2)
The EU said controls were in place to ensure that data protection laws were not breached as this information was gathered and shared.
I'll go out on a limb here and say the controls aren't going to ensure this.
EU data protection laws [europa.eu]
What do they mean "remote searches" ? (Score:2)
Re: (Score:2)
...as usual this will only affect the people least likely to be the people they are looking for, and the ones they could easily catch with old fashioned methods, the people they want to catch will simply block and bypass it easily ....
They will however inadvertently catch other criminals they were not intentionally trying to find and this will be hailed as a success and function creep will ensue ...
Re: (Score:2)
And eventually, it will become mandated software, giving you the option of becoming either a criminal, or a specimen under glass.
Meanwhile, the real criminals hire expert programmers to create circumvention and false-data-stream tools. (And don't think there aren't enough programmers willing to do that ... even if not for their own protection, who do you think writes the many for-profit trojans right now??)
Disconcerting possibility: (Score:5, Insightful)
In the short term, that means some flavor of spyware. The disconcerting bit, though, is that said spyware would look and act like normal spyware; but be part of a police investigation. Generally, interfering with those is a crime. Will removing that spyware be considered obstruction of justice? Will blocking its operations or reporting be considered obstruction of justice? "Your honor, the defendant did maliciously configure his router to drop outbound justice on port 315..." In order to be effective, spyware has to be covert and subtle, so it will be damn difficult to distinguish fedware from ordinary spyware.
Worse, of course, is the medium to long term: if "remote search" is the law of the land, it will soon enough seem like a good idea to mandate a few features from hardware and software manufacturers to make it easier. Make an antivirus program? Well, you'd better be sure that it ignores the activities of any app signed by $AUTHORITY, if you want to stay out of jail. OSes could easily do similar things with process listings, priviledge escalations and the like. Even hardware could get in on the act. In principle, you could build obedience to cryptographically signed orders into all sorts of devices. This would be bad in all the ways that DRM usually is, only worse.
Unfortunately, this sort of turn doesn't seem entirely unlikely. Digital surveillance is all the rage these days, and unlikely to get any less popular, and there are few jurisdictions that have any terribly encouraging history of resisting it. Specifically, the EU has comparatively strong privacy legislation; but it is written from the basic philosophy that privacy is having the state control other's access to the data it collects, rather than privacy being having those data never collected. The US is stronger on that score(at least in theory, and as long as drugs, kiddie porn, and terrorism aren't involved); but the state of private sector privacy is absolutely miserable and there is nothing stopping the state from simply buying surveillance from said private sector(which it indeed does, on a fairly massive scale).
Re: (Score:2)
And what happens when the remote search itself is compromised, and whatever some 3rd party wants is inserted into the data stream??
Re: (Score:3, Insightful)
That's why.(among other reasons)
so what? (Score:2)
yeah. it might hit botnets, spam, copy-right infringement (guess who will fund it) and other nefarious stuff - but the public will never allow it off the ground.
Right to be informed (Score:2)
The person whose data are processed - the data subject - enjoys a number of enforceable rights. This includes, for instance, the right to be informed about the processing and the right to correct data.
Now how do you apply that to remote searches? Will they inform people they mistakenly "search" due to incorrect information?
Trust (Score:2)
Isn't this a way to claim to the brainless masses that they should dump all their computers and buy ones with the "trusted computing" platform? THEN the sh*t really would begin. Digitally signed and trusted trojans you can't to anything about.
Can't they just solve real crimes instead? (Score:2)
I mean like, come on?
Copied information vs stolen property, personal assault, rape, murder, ?
Re: (Score:2)
It's not in the government's best interest to solve violent crime. They WANT you to be afraid and lock your doors at night. It makes you nice and docile and grateful that the government is there to "protect" you - not that they will. So governments around the world make token efforts at catching real criminals, and usually give them a slap on the wrist before letting them go again - unless they are REALLY bad.
Besides, it's much easier to do data mining to find "child pornographers"
Re: (Score:3, Insightful)
Not stealing imaginary property, smoking in a bar, drinking outside a bar, making juvenile jokes on an airplane...
If firewalls are outlawed... (Score:2)
However, because the press usually get wrong any story on a subject that I know something about, I have a feeling they've got this wrong too. I wonder what is *really* being p
Prosecution over Investigation (Score:2)
I think we need to look at this from a lawyer's perspective. IANAL, but I think it might be easier to get a conviction on something like kiddie porn than on something like trafficking in stolen goods or illegally downloading 1000 songs.
Think Al Capone. Murder? Smuggling? Racketeering? Naw, just get him on income tax evasion.
NO (Score:3, Funny)
Re: (Score:2)
Free Internet Access + EULA (Score:3, Insightful)
It's real easy for them to do.
Step 1 : Hand out free or discounted internet access. This may include higher than average datarates or fiber access making it really attractive to the end user. The caviout is that you must also run a software package on the machine or the connection is revoked. Said software includes the drive scanner and identification credentials.
Step 2 : Pass regulation that makes traditional anonymous internet access prohibitivly expensive for the individual user.
Ta da! The net is no longer anonymous and big brother is watching.
HALF of all net crime is child porn??? (Score:4, Insightful)
From TFA: "In a statement outlining the strategy the EU claimed "half of all internet crime involves the production, distribution and sale of child pornography"
What? Half of all internet crime??
Hmmm. Bullshit detector's gone off the scale on this one. I think this is the work of industry lobbyists playing the child porn card to sell snakeoil to clueless, greedy politicians.
Re: (Score:2, Insightful)
...to roll-your-own OS. Or use one that's been built by and for the community with all the source code visible for all to see. Proprietary binaries? You don't know what's squirrelled away in there...
You don't know what's squirreled away in the Linux kernel, or any other open-source product you didn't entirely write yourself.
It's very easy to hide something nefarious in just a few lines of C (see the obfesicated C contesr for examples). If the NSA or a group of smart enough criminals wanted to hide something in a major open-source project, they almost definately could.
Re:All the more reason... (Score:4, Insightful)
Re:All the more reason... (Score:4, Insightful)
Oh, the irony of this is hilarious. Linux is now more cumbersome to work with than the operating system which caused Linus to write the Linux kernel in the first place. I'm sure Tanenbaum will be proud that he's come full circle. :-P
Besides, all of the stuff one layer up from the microkernel would still need to be checked for security, so I don't really think it buys you anything. The operating system is more than just the kernel.
Cheers
You just moved the problem (Score:3, Interesting)
Because the minix kernel doesn't do squat useful. So you need an application to do that. And the application will need to be bigger, more monolothic and easier to pwn like this because you haven't got the capability in the kernel.
Nice job.
Re: (Score:3, Interesting)
The problem is, there's still a nonzero number of people who are most likely not on the NSA's payroll, who are reviewing every line that comes in, and who may help reject a given patch if it can't be understood.
So yes, it's possible, but it's considerably harder -- you not only have to ensure that it's obfuscated, you have to ensure that it looks like it's not, that it appears to do something benign instead.
And you can't simply do that by adding complexity -- after all, the more complex it is, the more scru
Re:All the more reason... (Score:5, Insightful)
Even visible source code isn't entirely safe:
http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com]
Always a fun read.
Re: (Score:2)
5. Compare the resulting binaries. They should be identical.
No they shouldn't. That's the whole point of paying good money for the Intel compiler: it's supposed to create faster binaries that are of course different from gcc's output.
In general, there are myriad ways to create functionally equivalent code with different machine code sequences. The odds of two unrelated compilers producing identical output are essentially nil.
Re: (Score:3, Informative)
Actually, he's right. The intel-compiled gcc might be faster than the gcc-compiled gcc, but their (the 2nd generation compiler's) outputs should be identical.
Re: (Score:3, Interesting)
They're not two unrelated compilers.
Reread the GP.
Compare the output of GCC compiled with GCC to the output of GCC compiled with ICC.
The compiler doing the final output is the same - GCC. The compiler doing the intermediate compile is different, but it's compiling the same GCC source code for the compiler for the last step. Which means, functionally - but not binary - icc_gcc_gcc and gcc_gcc_gcc should be identical. It would then follow that they'd produce identical output from the same source code.
Now,
Re: (Score:2)
No, because GCC is what is doing the final compile, so the result should be identical. The version of GCC compiled with ICC may be better optimized, but the program itself should run the same. In fact you answer this point in your own post: there are myriad ways to create functionally equivalent code with different machine code sequences. gcc_gcc_gcc and icc_gcc_gcc are functionally equivalent in this example.
So assuming no tampering gcc_gcc_gcc and icc_gcc_gcc are functionally equivalent. Now assuming
Re: (Score:3, Insightful)
That is an arms race which doesn't end, though -- how do you know you can trust icc, either? How did you obtain it in the first place -- did you download it and compile it with your own gcc?
Suppose you downloaded a trusted binary -- alright, how do you know you aren't rootkitted, with something which checks a predefined list of compilers, and thus modifies icc again?
Granted, it becomes unlikely. It is, however, impossible to ever truly know. Your method could prove that you are compromised, but it cannot pr
Re:All the more reason... (Score:4, Funny)
(I have designed my own processor, and frankly, getting it to run 8 instructions was more than enough for me, lol)
Re: (Score:2)
Certainly. [slashdot.org]
Re: (Score:2)
Re:Go right ahead.... (Score:5, Funny)
If they search your /dev/random long enough they'll eventually find kiddie-porn so the joke's on you.
Enjoy prison
Re: (Score:2)
Re: (Score:3, Funny)
Dude, I am so spending tonight checking /dev/random to see if Half Life 7 has been releasd yet :)
Re: (Score:2)
Naw, you just need to do it from a Xen hypervisor.
OK, OK, I'll shut up now.
Re: (Score:2)
!@$@^#!!1!
@#%#ing thing won't compile, AGAIN!!!!
Re: (Score:2)
Yeah, but all that mouse-twiddling and artificial network activity might be considered tampering with evidence.
In your scenario, imagine a room full of black-suit-and-tie-wearing drones doing nothing but furiously shaking mice, mashing the keyboard, and refreshing the google home page...forensically, of course.
Re: (Score:2)
Have you built your Slackware packages from source? Have you inspected the compiler output to be sure it's not adding anything illicit? Have you inspected the source itself and followed all the logic trees, code paths, etc? Do you trust Patrick Volkerding ultimately with your security?
If you answered no to ANY of those questions, you have no more security vs backdoor access than you would with Windows.
Re: (Score:2)
I think some politicians have seen too many episodes of CSI or NCIS where you have one person who "just hacks" into everything in minutes
Not to mention the bandwidth involved in searching several thousand megabytes multiplied by several million people, all at the same time. And they say "Bittorrent" is the cause of all bandwidth problems?