al Qaeda Hacks XP?

acaird writes "According to this article at Newbytes, members of al Qaeda may have worked for Microsoft and planted "trojans, trapdoors, and bugs in Windows XP"." This stuff screams of hoax to me, but it is showing up on the Washington Post.

not as easy as you might think

[psyklopz]

Speaking as a programmer who works for a big software company, it's unlikely that anything like that would be able to get through.

Code generally goes through peer reviews and quality assurance before it is accepted into the main stream. Say waht you want about MS, but I'm sure they do these things (they can afford it!)

To bypass these failsafes would require a lot of people along the line allowing it to slip through.

Re:not as easy as you might think

Yeah, right. All code gets peer reviewed, and it's also verified that the version that's peer reviewed is exactly what's under source control, and QA reads code? That's a fucking joke.

QA generally does not read any code at all, they take the specs for how a routine works, and maybe write some regression tests to make sure it does what it's supposed to, and breaks properly. There's no digging around in the code itself.

As for peer review, when it happens (which it doesn't for every line of code by a long shot) they don't make sure that nobody ever updates that code again without more peer review.

While I don't believe the allegation for a second, it's definitely extremely possible.

Re:not as easy as you might think

[Ami+Ganguli]

This thing is clearly a hoax, but..

I don't think this would be all that difficult. It's not like the hack has to be obvious. You wouldn't put something like:

if( strcmp( username, "osama" ) ) { uid=0; }

That would be too obvious.

But something more subtle in the logic could easily get through, given the number of such bugs that have made it through without deliberate sabotage.

Re:not as easy as you might think

[benedict]

People who are willing to eat flaming death aren't
likely to be daunted by the Microsoft interview process.

Re:not as easy as you might think

[Ratbert42]

I worked for a software company and put a time bomb into one of their products, just to show it could be done. Even when they knew it was in there and what it did, they couldn't find it for hours. I pointed to the exact code and they still didn't understand what it did, but someone said "oh yeah, I saw that last week and thought it looked odd." I doubt he did (such a bullshitter), but even if he had, he wouldn't have figured it out. He would have given up and ignored it. Not anymore. And that's with a team of under 5 people touching that product. Imagine a team the size of the WinXP one.

Re:not as easy as you might think

[morcego]

After some obtuse comments on my post, I stopped to think what I would do if I was a terrorist and decided to do this kind of stuff (sabotage WinXP).
That lead me to some considerations:

1- The sabotage would have to be enough so it's usage (or saying I would use it) would cause terror
2- The sabotage would have to be small enough it would pass quality assurance without arousing a flag
3- The sabotage would have to be generic enough so nobody would spot it at a first glance
4- The exploit would have to be complicated enough so nobody else would be able to exploit it before I do
5- This sabotage would have to take a form, or permit some kind of use, that would let me claim responsability for the terrorist act
6- If I could do something misleading, so that when I first attacked, the the original sabotage
would not be found, even after the attack, the better

So, considering all this point, I want to reduce my rating from "Very Probable" to simply "Technicaly Factible".

Unless they are very stupid. Which maybe they are, just like me posting this kind of thing with the FBI sensors and such monitoring everything.

If they arest me for this post, please, let the slashdotters know about it.

Or could it be I'm simply violating the DMCA ?

Re:not as easy as you might think

[hawk]

>Speaking as a programmer who works for a big
>software company, it's unlikely that anything
> like that would be able to get through.

Speaking as a director of the Federal Aviation Authority, it's unlikely that four planes could be simultaneuously hijacked and . . .

hawk, not really an FAA official

Right idea, wrong perps.

[ka9dgx]

Ok, the clue is right in the idea... backdoors into the operating systems, but the perpetrators are more likely to owe allegence to the Mossad, NSA, CIA, Jesuits, or some other representative of authority.

I'm starting to believe the FBI are actually the good guys these days... YIKES!

--Mike--

*sigh*

[szcx]

It screams of a hoax, so let's put it on the front page. Way to be part of the problem, Taco.

Not as easy as you might think

[Transient0]

Not to mention that the whole story is hanging on very tentative ground.

In the first place, I notice that man is a "suspected" Al Qaeda member. From what I've been seeing lately, anyone who has the wrong kind of accent or a copy of the Koran is a suspected Al Qaeda Member.

Secondly, if this man really is a member of the organization, it should be noted that bravado and misinformation are prime terrorist tactics. It's a lot easier to spread rumours about having planted bombs, or for that matter created software bugs, than it is to actually do it. And you still get the result of people being afraid to fly or afraid to use Windows.

Thirdly, as you said, even if some programmers with less than noble intentions did manage to get employed at Microsoft, the chance that they would be able to intentionally slip in a trojan horse without it being caught in testing are pretty low.

On the other hand, i suppose they couls just sabotage the american way of life by writing bad code, but then Microsoft pays people to do that anyway.

What's next? You guessed it...

[wrinkledshirt]

Hacking will become synonymous with terrorism (MS was already hoping it would be), and before long will be prosecuted as such.

It's a good thing Skylarov got out of the country when he did. With Bin Laden nowhere to be found in Tora Bora, the hawks have GOT to be hungry for whatever scapegoats they can get their hands on.

Re:Where the hell is Microsoft's PR agency?

[Black+Parrot]

> Well the way I figure it, they are paranoid enough that someone at MS will try to find out if this is ture or not

> And they will find that there is no way to tell...

Yes, but at least they will qualify for 3 or 4 billion dollars of disaster relief funding, and a play for sympathy may get them a reduced wrist slap from the DoJ.

Re:Doesn't work this way

[Melantha_Bacchae]

WildBeast wrote:

> Al Qaeda members aren't supposed to know what the other members
> are doing. Their own mission is revealed to them at the last moment.

That is exactly right. Bin Laden himself said that none of the 9/11 groups (except the leader) knew the others existed or what they were doing. They didn't know what they themselves were doing until they were getting on the plane.

> This guy is probably not even a member of Al Qaeda, he's just a crazy
> guy who's probably too dumb to even be a terrorist.

Oh, he's a terrorist alright, and if Walker is saying what he has been reported to say (attack yesterday), then he is one too. When one of these people have been captured and can do nothing else to support their cause, they use their mouths in one last terrorist attack: spreading wild (but at least remotely believable) rumors to terrify their enemies. After all, the real business of terrorists is not high body counts, but *TERROR*.

Afroze's claims are false, but Microsoft's all consuming greed was leading them to engage in terror marketing (those "buy more or be audited" postcards) prior to 9/11. Greed, terror, and cruelty are all three heads of one terrible monster.

Wisdom overcomes greed.
Courage sends terror running.
Compassion, the greatest power, conquers cruelty.

Mothra, you were right! Heart can reach!

Al Qaeda Tactic?

[istartedi]

Perhaps these guys have been instructed that if they feel the need to "spill the beans" they should spill 3 or 4 phony beans along with the real ones. That way, our security has to track multiple potential threats. I'm sure nothing would please them more than to see us spend the time and money required to audit all of the Windows code.

Perhaps there is a rational way to tell which threats are real; some kind of "threat profiling".

Re:Two counterpoints take two

[spudnic]

So what are the QA procedures for Solitaire? I'm sure that gets almost as much runtime on most office machines as the networking stack.

I don't think they would have had to put a backdoor into the kernel for them to cause problems.
.

Re:*barf*

[szcx]

Let's just whine about it instead of moving on. Way to fill the page up with trash.

Yeah, be sure and keep that advice in mind the next time you see FUD coming from Microsoft. The only way to stop problem behavior is by pointing it out. You think the antitrust case would have been filed if people just "moved on"? Are the Slashdot editors immune from scrutiny simply because they're anti-Microsoft?

Hypocracy, see above.

Don't believe this!!

[snake_dad]

It's al just FUD to cover up the Magic Lantern introduction. Really.

Bugs?! ...

[degauss]

Could this just posibly be Microsoft's latest ploy to disguise all the bugs and problems that already exist in their programs?