Red Flag Linux Forced On Chinese Internet Cafes
iamhigh writes "Reports are popping up that Chinese Internet Cafes are being required to switch to Red Flag Linux. Red Flag is China's biggest Linux distro and recently received headlines for their Olympic Edition release. The regulations, effective Nov. 5th, are aimed at combating piracy and require only that cafes install either a legal version of Windows or Red Flag. However, Radio Free Asia says that cafes are being forced to install Red Flag even if they have legal versions of Windows. Obviously questions about spying and surveillance have arisen, with no comment from the Chinese Government."
Obviously questions about spying and surveillance have arisen ...
Um, it uses RPM as a package manager so as long as the government isn't forcing Cafes to use a certain package repository or use certain packages, where does the danger of surveillance lie? I mean, I wouldn't trust the Chinese government either but I am confused why a mandate of Red Flag Linux upsets people in this case ... and a recommendation from the DoD is probably heralded?
Yeah, they're running an industry's tech core, yeah they're stating exactly what OSS to use but where is the danger?
My work here is dung.
The year of Linux on the desktop, right?
Linux for YOU!
Seven Days with Ubuntu Unity
You know Microsoft has been pushing for the Chinese government to do something about the rampant piracy in China... They no doubt expected reduced piracy to lead to more legal installations of Windows but it has backfired on them hugely with this move to allow Internet Cafés to use Red Flag Linux.
Also the spying claims are meh. We already know the Chinese Gov. watches the pipes closely; there really is no advantage in further monitoring within Internet Cafés.
A red flag should go up when you are forced to use an operating system designated by the government.
If you don't think Red Flag is meant to be a Windows replacement, take a look at Wikipedia's screen shot of Version 6 (presumably out of the box).
...
Isn't this the part where Gates shits his gourd and asks to meet with Hu Jintao? Then baits the large part of greater China with free software that he writes off as a goodwill donation? I mean, we are talking a serious part of the world's population
My work here is dung.
Perhaps Microsoft will complain less about piracy if governments force people to replace pirated versions of Windows with Linux instead of forcing them to buy Windows licenses.
In this case, though, I suspect that there are some other motives at work besides curbing piracy--namely supporting a local software developer/distributor over a foreign one and possibly the ability to better control/monitor internet access in the future.
So what's with the FUD?
Seriously, this is about the Chinese government wanting to break MS dominance over the computer OS in China. If anyone was worried about "surveillance" they could install packages compiled from source so they knew what was in there.
Windows market share suddenly drops below 50%
Some drink at the fountain of knowledge. Others just gargle.
Who do you think controls the RPM repository that Red Flag uses? A company in league with the PRC government.
In China, because a large number of the players do not own the computer they use to play games (e.g. Internet cafes), the CD keys required to create an account can be purchased independently of the software package. In order to play the game, players must also purchase prepaid game cards that can be played for 66 hours and 40 minutes.[43] A monthly fee model is not available to players of this region. The Chinese government and The9, the licensee for World of Warcraft in China, have imposed a modification on Chinese versions of the game which places flesh on bare-boned skeletons and transforms dead character corpses into tidy graves. These changes were imposed by the Chinese government in an attempt to "promote a healthy and harmonious online game environment" in World of Warcraft.
My work here is dung.
Maybe it is so the cafes are limited to software that runs on Linux? Does Red Flag Linux have/support WINE or an equivalent?
V for Vendetta: People should not be afraid of their governments. Governments should be afraid of their people.
... looks like Red Flag Linux ("RFL"), acts like RFL, but ... well, it isn't RFL. Aren't forks wonderful things!
In communist China, Opensource codes you.
They have put all sorts of backdoors into products sold in the rest of the world. So, they are making sure that they are safe from MS doing the same to them. My guess is that they are about to call it quit with buying goods from USA even though it is already low.
If I were some non-american government then I would prefer people to use Linux. Not because of any backdoors that I could put in it, but because I could be reasonably sure that there were no backdoors put in it by the US government.
I've been into some of China's small town Internet Cafes and almost everyone was under 20 and gaming. I sure hope those games have been ported with proper language support or the cafes will be hurting.
Why not look at the source for govt backdoors, rootkits, or whatever?
Grandpa: My Homer is not a communist. He may be a liar, a pig, an idiot, a communist, but he is not a porn star.
More Linux adoption is always a good thing.
As long as I can compile it myself, I don't see the problem.
The internet cafes in China are not going to run Linux anytime soon.
Why?
Because the cafe users are gamers, mostly. They use the *cheap* internet connection to play one of tons of different Windows-only MMORPGs (and that includes World of Warcraft) or online shooters (used to be Counter-Strike).
To ask those internet cafes to run Linux is to ask them to get rid of their source of profits.
...raise any red flags for anyone?
2009 - Year of Linux. One of the things that set Linux behind is lack of promotion, if Linux and commie China becomes connected somehow, it won't be a good thing.
It has to be a hoax, or there is a lack of information in the article.
Why the fee? Is this governmental fee compatible with the GPL? It sounds strange.
I know that "Linux is free" doesn't mean that you don't have to pay anything, but... you don't have to pay anything for a copy if the other person gives it to you for free
Danger depends on your perspective.
It's not like the DoD and MS don't get along very well....
http://www.microsoft.com/presspass/press/1999/feb99/cohenpr.mspx
Any sane govt with unlimited resources will want to keep the OS at home.
Besides they might have developed some anxiety from past reports.
http://edition.cnn.com/TECH/computing/9909/03/windows.nsa.02/
Funny how this thing just won't die.
http://news.bbc.co.uk/2/hi/science/nature/437967.stm
I'm guessing that Bill shot the goose that could have laid a billion golden eggs back in '99.
It just took a while to die.
So, how much MS stock do you have in your wallet???
Good.
Now, dear Chinese, please increase your contributions to Linux. We need bugfixing and polishing (badly).
I guess though that English-oriented programming languages are a trouble for Chinese to start hacking.
Anyone can download (or otherwise acquire) the source RPMs from other sites and set up their own silo that still other people can point to instead of the official government silos.
Does this mean we will get a Linux client for World of Warcraft?
Red Flag Linux opensources YOU!
I have had the occasion to visit MII in China. They can already get a screenshot of what any iCafe user is doing in real time. I saw it with my own eyes. Combine that with their requirement that iCafe users need to show their ID card when they rent a computer and there is effectively zero privacy. These were Windows PCs so I'm not sure why the hurry to switch to Linux. It probably has less to do with the actual operating system and more to do with the vendor who is supporting the switchover backhanding some government lackey a Benz or three. Welcome to China.
From the link,
Whose $700 fee? Can anybody in Nanchang or China fill us in on detail here? (Or is able to read relevant forum threads for us?)
Sounds like the anti-piracy legislation has been 'shanghaied' into being a cash-cow for local government. Which is business as usual in modern China, but still a presumption. We need more detail.
...play well together. Surprised?
Why don't *you* switch over to Red Flag Linux.....then you'll be sure there are no possible backdoors put in by the Satanic US Government. Of course the Chinese might have put a few in.
Let us know how it works out for you.
That's going to be a lot of new Linux users.
Imagine Linux on the desktop taking off due to support from a totalitarian regime!
Btw. does anyone know if Red Flag contributes any code back to the community? It would be interesting if they've submitted any of their changes to KDE, Gnome, or OpenSSH...
I stole this Sig
I just got it for shits and giggles. This is a rather old version (from 2002 or so) and I see from a screenshot that it comes with KDE.
Strangely enough, it seems to come with a CD key, and a longish one, at that.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
you support an authoritarian government imposing its prescription for surveillance on ITS PEOPLE
why? because the us govt might spy on that authoritarian government
i am sorry, but i am not a diplomatic person: you are a fucking retard
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
They would sure like to have an OS in which they have a say rather than having to trust American corporations; it is probably about control, not of the population but of their tech infrastructure. They are probably also looking in advance at the sorts of issues TPM is going to cause them if they stay in MS' domain, not to mention all the annoying anti-piracy harassment they have to deal with. If they want to stop piracy and still have an actual tech infrastructure, they will have to move off Windows and any sort of American-controlled software, and they know that with cybercafes they have something that is easy to enforce and effective for introducing their brand new Chinese OS to people so they can prepare further migrations later. Worst-case scenario, some gamers will be unable to play WoW anymore... something that the Chinese gov. would be happy to see, since they basically hate WoW... They chose Linux as a base, mostly because they can.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Personally I'm eagerly awaiting ObamaLinux.
up comments is confusing.
that which was started to circumvent corporate control, is used as a tool for authoritarian control
this is not in any way good for linux
it cuts to the very core of the rationale we all use for saying linux and open source software is a superior approach
if the software is coopted and subverted by an authoritarian regime, where is the inherent freedom that makes open software ideologically superior?
a corporate controlled software can make deals with an authoritarian regime, and withhold support for certain functionality. not that they do, but that they can. but with open source, the devil doesn't need to make deals with you, he just ignores you completely, and uses the software for dominance and control as the authoritarian regime sees fit
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
The new rules that went into effect Nov. 5 are aimed at cracking down on the use of pirated software, said Hu Shenghua, a spokesman for the Culture Bureau in the city of Nanchang.
Welcome to China!
Whoa.. wait.. i'm seeing little red flags going up everywhere...
I guess we screwed up guys. Apparently having a solid security model also allows the government to put in monitors and back doors at superuser level that a normal user cannot bypass.
Free as in...speech?
Isn't that a GPL violation? A requirement to use only Red Flag Linux is an additional requirement, which the GPL prohibits. China is presumably signed up to the Berne convention, so bound by the copyright law which governs the GPL.
how the US sabotaged a Russian oil pump station
Well, technically Soviet Russia pretty well knew that the software they were getting was sabotaged (the situation isn't unique at all. Several companies had pulled such tricks in the hope of earning money by subsequently selling support for fixing the sabotage).
Lots of programmers were employed to reverse engineer and fix similar "bugs" slipped into various US software. My mother was one of them.
The oil network incident was much more probably due to negligence and careless ignorance of proper safety procedure.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I wonder how long before the Lenovo laptop series come with Red Flag Linux as default OS?
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
FINALLY, 2009 will be the year of Linux on the desktop. If Linux goes on every desktop in China then how long until Windows is the #2 OS in the world? There are a lot of people in China.
Slightly off-topic, but how in hell could you hope to succeed in secretly doing surveillance in OPEN SOURCE software? (GPL, in this case)
- As the source is accessible, surveillance functionality hidden in the source code would soon be discovered and published about. (Just as exploitable bugs are regularly cleaned)
- People would be free as per GPL to make surveillance-free forks of the code and publish "clean" versions of RFL (even easier if these fixes are done under non-Chinese jurisdictions)
Even if *indeed* there was surveillance in RFL, at least something could be done against it, thanks to the GPL. The Chinese would only be vulnerable if:
- either they are too lazy
- or the government explicitly states that the surveillance modules are mandatory (in which case it won't be a secret anymore).
Whereas, with proprietary Windows, the US could pretty much be already spying on the Chinese and nothing could be done against it to either prevent it or even detect it. The Chinese would be completely vulnerable to some foreign developers.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Wait... how is this Linux version combating piracy? It's combating the use of stolen software, yes (assuming they don't put Windows back on), but the act of pirating the software took place already. And besides, I guarantee there is more than one CD copy of Windows hidden somewhere in those cafes. I would be curious if the distro has been modified for easier...*ahm* monitoring. Course, it doesn't stop getting on Red Flag and pirating Windows from a cafe. Or an mp3, or whatever else.
The GPL only applies in the USA.
Do you really think you can get a clean copy of Debian off the Chinese internet? The view from the average citizen's perspective remains grim.
As long as they are using FOSS software, the integrity should be quite easy to verify.
"When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
It's Linux, right?
Build Red Flag from source and compare the binaries.
I doubt the source code for any spyware is actually released in the src.rpm files they provide to satisfy the GPL, but that's easy enough to check.
There are enough paranoid geeks with time on their hands to do this and catching China at something nefarious (and violating the GPL!) would be a hoot. That's what it would be.
"Cake or Death!"
"Uh, Cake please."
"Very well. Give him cake!"
This is NOT what I expected the year of desktop linux to be like...
But look at the bright side, that's lots of user testing!!
But... the future refused to change.
That move is against "free" in the spirit of open source movement.
Everyone should be against it.
Really. Unless you've been asleep for the last 10 years, can there be any question?
Commie bastards: http://news.slashdot.org/article.pl?sid=06/05/19/1238255
Anyone care to read the referred articles? This is only a move of an insignificant local government and is already criticized in many Chinese forums and online media sites. As a big country, things much weirder than this happen all the time. It is surprising why it gets singled out here. Yes, the Chinese government heavily filters Internet connections and suppresses any sites that it sees as inappropriate, but it does NOT have to force Linux on Internet cafes simply to spy on citizens. Believe me, it is much easier and inexpensive to spy on Windows machines. My suggestion: next time before you bring up something about a monarchy/communist/evil China, do some research.
Non-sequitur. The fact that the integrity is easy to verify does not change the fact that they cannot get a clean copy. Knowing your copy isn't clean does you no good if there are no clean copies.
it's an AUTHORITARIAN GOVERNMENT
do any of you understand the fucking concept?
"oh, we trust an authoritarian government to never FORK the source of an open source project! they might jail you for political dissent, but heavens forbid they fork an open source project!"
seriously, what the hell is wrong with you morons?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
For anyone who is really concerned, the Chinese government can provide a compiler and they can build their own copy directly from source.
[Insert pithy quote here]
While it's good for Linux adoption, what's the point here?
One of the main reasons for using an open source OS is for its owners to inspect its source code and be confident enough that no backdoor is being hidden in there. But why would a visitor of a cyber cafe want to inspect the machine he'll be using there? After all, such machines are by definition unsecure public terminals par excellence, in free and non-free countries alike, no matter what OS they are running. Stuff like OPIE et al. has been invented for exactly this purpose.
And as to fears from the Chinese government of US government spying on them: I could understand they'd forbid the use of Windows on their own military, or civil installations, and even enact a policy to encourage their private companies to avoid it, but internet cafes? Seriously, what kind of secrets are hidden on those machines besides credit card numbers of unsuspecting visitors and the whole enchilada of malware, keyloggers, viruses, trojans and worms?
cpghost at Cordula's Web.
But... knowing is half the battle! GI Joooooe!
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
but since we're talking about CHINA, what's the fucking point exactly?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
If you know it's not clean and it's FOSS you can pretty much remove the parts you don't want and it's clean again. Unless I'm missing something here and you somehow aren't getting access to the source code...
would rather be Chinese than a nation of unethical dick-shooters.
Not only do they live under a dictatorship, they're now forced to use a KDE-based distro! =(
Circumcision is child abuse.
thank god the average chinese citizen has their freedoms fully protected. all they have to do is HACK THE OPERATING SYSTEM. they're protected, no problem
there are some seriously stupid people around here
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I suppose he could play Chromium or Armagetron.
Better still, he could actually pretend he has a life and leave the basement once in a while.
There are always, ALWAYS alternatives.
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
This is true, but I'm also not completely sure what need the Chinese government would have for installing a rootkit in all Chinese Internet cafes. After all, the Chinese government already has an authoritarian control over what ISPs can and can't do. There's also an ingrained culture of censorship which is an accepted part of daily life, as well as a substantial amount of loyalty (perhaps misguided) to the government from much of the Chinese population. Even many Chinese people who've moved overseas still hold much loyalty to the state, either because they just do or perhaps because it's those with closer connections and cooperation with the Chinese Communist Party who are more likely to be able to afford to travel, or whatever.
I'm not an insider and would be interested to hear from anyone with more experience, but I get the impression that if the Chinese government required that all internet cafes must install some specific kind of monitoring software and report the logs back to a government monitoring department, 99% of them would simply do it without question. It doesn't affect their core business, and it's an accepted part of the way of life and of doing business in China. The other 1% would be forcibly shut down without recourse.
Yes, there can and should be questions.
The first one to ask is "who would want this rumour, true or not, to be spread?"
The second one to ask is "do those who might benefit have a history of disinformation?"
The third one to ask is "if country X monitors hundreds of millions of PCs, where are all the millions of people doing the monitoring?"
China is a new capitalist society with roots in communism, and has quite a bit of baggage to deal with. Among them a propensity to overregulate everything, and likewise for the citizens to ignore all the regulations as long as no-one is watching.
I don't doubt for a second that the Chinese government can and will spy on some of its citizens, just like CIA, FBI, NSA and SS will over here. But they quite frankly don't have the infrastructure to do full scale computer surveillance, nor any need to -- if they want someone arrested, they simply arrest him or her. They don't need to collect evidence and convince a judge first.
And just like here, if they want to monitor internet traffic, doing it at the ISP or confiscating equipment is far easier than backdooring individual systems. For one thing, you don't need highly skilled agents capable of accessing back doors with the required finesse and understanding.
This whole article smells of FUD and agitprop. Sure, China is designated the new Big Evil, and the US needs another Enemy to believe in right now. But seeing Chinese government conspiracies in everything doesn't make it true, any more than seeing communist conspiracies in the 50s and 60s made that propaganda true.
My guess: A canton or city government decided to go linux, and chose Red Flag as their distro. Some zealous and cerebrally challenged bureaucrats (I know, a tautology) then interpreted that as an order. And a newspaper picked up the blunder, and wrote a note about it, which was then picked up and massaged to fit the desired perception by their western colleagues who like to post propaganda against the enemy du jour, because it sells ads. Our local Ministry of Truth won't interfere, as long as the bashing is against this year's designated foe.
ICBW, but it seems like a much simpler explanation.
And personally, I think China is on the road towards freedom, even if they stumble every now and then. But we need to keep in mind that it's going to be a long march.
"They cannot get a clean copy" is simply an invention. Have you been to China?
"When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
Do you really think you can get a clean copy of Debian off the Chinese internet? The view from the average citizen's perspective remains grim.
I don't know but it can't be that hard to find out
1) get debian ssh certs
2) go to china
3) apt-get update
or
1) hack a us box
2) compare ssh certs
or
1) phone a friend in another country and get them to read the cert to you
I mean I'm all for paranoia and tin foilhattery but seriously you're just blindly speculating
IranAir Flight 655 never forget!
Really? What if they choose to send an infected compiler, that will enter a predefined exploit as binary into any binary you try to compile...
(btw: an adaptation of gcc that does just that exists)
What are you going to do then? Compile by hand?
A CITY IN CHINA has required Internet café operators to replace pirated software with legitimate versions - the officials primarily pushing Linux.
Nanchang, the capital of China's Jiangxi province has around 600 Internet cafés which will be affected by the order - yet some are moaning about the cost of legal software.
Cafes which don't adhere to this order however, will lose their licence to operate.
"We recommend the use of Red Flag Linux server operating system or Microsoft Windows Server operating system," said the directive issued by Nanchang's Cultural Department.
Although Windows will be an option for the cafes, Linux seems to be the preferred OS as officials seem to have struck a deal with a local Red Flag Linux distributor to install licensed software and provide two years of support.
Ren Xiaojie, general manager of a software distribution company said, "We're using domestically produced Red Flag software, and have set a standard one-time fee of 5,000 yuan (about £150) for each Internet cafe, which includes a lifetime license, and we will provide all Internet cafe owners two years of maintenance support for free."
The Business Software Alliance, established to fight software piracy, estimated that the rate of software piracy in China was more than 80 percent last year which highlights the intensity of the problem.
for saying open source is superior to closed corporate source?
it is: if you have complete control over the source code, there are no "secrets" about the code that a corporation retains control of
this makes it very different when the chinese use access: there is still an outside hand in what china does. with open source, an authoritarian regime doesn't have to listen to you or consult you at all
it completely inverts the supposed ideological superiority of open source
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Bait:
Parents' concern for their kids is a major issue.
Hook:
A policy that came out a few years back requires all internet cafes to obtain a license, and no new licenses would be issued; also, underage people are not allowed to enter internet cafes during weekdays unless accompanied by a parent; all users are required to register with their ID before using an internet cafe.
So "Think Of The Children" works in China too?
You sure it couldn't have anything to do with monitoring and controlling access to the internet?
A goose-step march, you mean.
and bush did 9/11.... Get serious or get the fuck out.
http://cm.bell-labs.com/who/ken/trust.html
http://en.wikipedia.org/wiki/Thompson_hack#Reflections_on_Trusting_Trust
it is very hard to analyze the security of a system even with open source, but it at least becomes possible.
This very situation is what the Stallmanistas have been dreaming their entire lives: forcing people, en masse, to convert to FOSS... or be thrown in prison.
Stallman always dreamed of forcing everyone to use FOSS, and using the GPL to dictate what software people are and are not allowed to install. But in China... that pipedream is a reality!
Worst of all, and sadly enough for the Stallmanistas, is they have absolutely zero say in the process. It must be like watching someone you don't like go out and buy the car you always wanted, then start dating the girl you always loved but never had a chance with.
It would be funny... except for all the people having their ability to choose their own OS and software taken away.
No, I think I meant a Long March, just like I said.
As in the communists retreating from Kuomintang in a slow and painful process, just like the last time.
If this means nothing to you, your history teacher should be fired.
First let me say that whoever modded the parent post offtopic is a moron. Let the meta-moderation begin....
Of course it's an invasion of the rights of the owners of internet cafes to MAKE them install any particular software, but this is China, and that is small potatoes.
I wonder, though, if Red Flag becomes ubiquitous in China, how soon spamware/spyware/botnet creators will start to target that platform, and Linux in general. The Linux home user who may not be as up-to-date on patches or careful security wise as they would be using Windows ( That's part of the appeal of Linux at home ) may have to clean up their acts soon.
Sigh... Then again, I think there is less incentive for OSS to leave open holes at the behest of the ( nonexistent in the case of OSS ) marketing department.
...
95% of users will be prevented from modifying and recompiling the source files, because you'll have to know how to tunnel through a proxy to one of the banned repositories to get clean source code.
Still, it takes only 1 single person to compare the "officially accessible" binaries from the only repository to actual "original binaries" from outside the Great Wall or even to binaries that the single person produced from the source (SRPM), and see if they are 1:1 identical, or not.
If they are not 1:1 identical, the Government is violating the GPL anyway (they didn't publish the modification of the source together with the modified binaries), and everyone will know that something fishy is going on.
This simple comparison is as fucking trivial as comparing MD5SUMs of the file available inside and outside the Great Firewall.
And the person that does the comparison doesn't even have to live under Chinese jurisdiction.
You just CAN'T HIDE ANYTHING in GPL software. That's it. End of story.
No way to put a *secret* spyware in Linux.
Now, please, try doing exactly the same thing with Windows. You just can't prove that the NSA/CIA/FBI/whatever hasn't put back-doors inside Windows Vista. Because the source isn't public, so you can't at least track one single guaranteed version.
Even if you don't live in a totalitarian state, you can't prove anything concerning a proprietary binary junk.
Finding a secret spyware in Windows would require advanced reverse engineering.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Someone linked to the trusting trust speech earlier, but here it is again:
No, sorry, the situation isn't the same:
The speech tells how some evil people inside the GNU team could design a hacked GCC compiler that automatically injects evil code inside its output (and as the compiler is a C program itself...)
When the first step in a chain is itself a result of the chain, you can't trust it 100%.
Whereas in the current situation we are speaking about one country playing tricks on its population, while outside there still exists a set of good software.
Even if the Chinese GCC is hacked, you could still compare it to stock non-Chinese GCC.
You have a set of tools that you can trust.
Also, they could just distribute modified libraries and not tell anyone they don't match the source. Granted, some people might slip through, but who really builds their entire OS from source repeatedly?
It takes one single person to compare the MD5sums of binaries available inside China, to sums of binaries coming from outside and/or compiled from source.
One single test and the whole planet (well, at least those reading the news from outside the Great FireWall) knows that something fishy has been done to the binaries.
Given how some paranoid geeks suspect China, you know that this *will* happen.
Plus, that is a clear violation of the GPL. Which would bring bad publicity to China. Something that they won't appreciate much.
This won't magically protect the population, but it could make a government that wants to look as perfect as possible think twice.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
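The comparison described in the comment above, as an added example that is not part of the original thread: it hashes every file in two copies of a distribution and reports files that differ, are missing, or were added. It uses SHA-256 in place of the MD5 named in the comment, the trees and file names are constructed sample data, and matching against binaries you compiled from source additionally assumes the build is reproducible.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256", chunk=1 << 16):
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Map each regular file's path (relative to root) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            manifest[os.path.relpath(full, root)] = file_digest(full, algo)
    return manifest


def compare_manifests(reference, suspect):
    """Return files that differ, are missing from, or were added to the suspect tree."""
    return {
        "modified": sorted(p for p in reference if p in suspect and reference[p] != suspect[p]),
        "missing": sorted(p for p in reference if p not in suspect),
        "extra": sorted(p for p in suspect if p not in reference),
    }


def demo():
    """Constructed sample: two small trees standing in for the two downloads."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as sus:
        samples = {"bin/login": b"login-v1", "lib/libc.so": b"libc-v1", "bin/ls": b"ls-v1"}
        for rel, data in samples.items():
            for root in (ref, sus):
                os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
                with open(os.path.join(root, rel), "wb") as f:
                    f.write(data)
        # Constructed differences in the second tree.
        with open(os.path.join(sus, "bin/login"), "ab") as f:
            f.write(b"-patched")
        os.remove(os.path.join(sus, "bin/ls"))
        with open(os.path.join(sus, "lib/extra.so"), "wb") as f:
            f.write(b"unlisted")
        return compare_manifests(build_manifest(ref), build_manifest(sus))
```

The result is only as trustworthy as the machine and tools doing the hashing, so the reference manifest should be produced on a system obtained independently of the copy being checked.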
Get serious? Seriously?
The compiler he's talking about was written ... something like 20 years ago. If it was compiling /bin/login, it added a back door. It was more of a proof of concept than a real cracker tool, but in the twenty or so years since, crackers have gotten much more clever than that.
How many millions of code went into Red Flag Linux? Do you have the time and skill to audit every one for back doors? And even if you do and you do, but you get the binary version, what's to ensure that the binary version was compiled from the same source that you audited?
By mandating a specific distribution, the Chinese government is acting very strangely. It could just be a national pride thing, use what was made in China, but there are other possible reasons.
As Berners-Lee pointed out when he wrote that version of gcc, your only real solution is to write your own disassembler that will not be recognized by the tainted compiler so you can test it to try and catch it in the act of inserting the exploit into the binary. Time to brush up on your assembly language.
If the compiler is compromised there is no other solution because any tool you might try can be compromised by the compiler in compiling it. It's a vastly more sophisticated version of a trojan that disables your anti-virus. All you can do is write everything in binary yourself.
Now you've got me all paranoid.
I didn't say for a fact that they couldn't, I said IF they couldn't.
My point was simply that the ability to spot the problem is not itself a solution.
Correction: I did say they couldn't, I meant to say IF they couldn't.
Ok then :)
"When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
Show me the code in GCC which adds exploits or shut the fuck up. I'm sick of reading you people's paranoid delusions about compiler exploits.
If it complies with the GPL, it means that the source code for whatever they changed there must be available. Therefore anyone will be able to take a look at it and remove the offending parts.
If they won't offer the source code, how will they be forced to reveal it? In other words, if China violates the GPL, what will be done?
The saddest poem
The code is (I assume) not a part of the proper gcc (or other compiler) distribution. It was a proof of concept, written and then immediately pointed to and then the author said `see?!?!?!' It was never added to any released software (that I'm aware of.)
But you wanted a citation? Here ya go, read the `27.1.2 Trusting Trust' section. Looks like I was wrong about the date -- it wasn't 20 years ago, it was at least 24 years ago.
OeLeWaPpErKe may have gotten the compiler wrong (since gcc came out in 1987, and this hacked compiler was written about in 1984, it couldn't have been gcc.) But I'd say that the odds are approximately 100% that somebody has made a similar alteration to gcc, which would make what OeLeWaPpErKe said correct. Now, hopefully that change (or anything similar) never made it into the gcc or egcs distributions, but it's possible, and if done skillfully (or with the collaboration of the other people in a position to detect it) it could be difficult to detect.
In any event, read the entire page I cited, and the next few pages in the book. It might help you explain why people are suspicious of the Chinese government's motives here. Or if you want to read the original 1984 paper, here ya go.