Richard Stallman Speaks About Back Doors After NSA Documents Leak
An anonymous reader writes "Companies such as Microsoft, Facebook, Apple, and Google are scrambling to restore trust amid fresh litigation over the PRISM surveillance program. Richard Stallman, the founder of the Free Software Foundation and a newly-inducted member of the 2013 Internet Hall of Fame, speaks about not only abandoning the cloud, which he warned about 5 years ago, but also escaping software with back doors. 'I don't think the US government should use operating systems made in China,' he says in this new interview, 'for the same reason that most governments shouldn't use operating systems made in the US and in fact we just got proof since Microsoft is now known to be telling the NSA about bugs in Windows before it fixes them.'"
Stallman is right, insofar as any sensible engineer should never have had his works, artefacts, algorithms and data "in" the cloud. Period.
Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace.
His record for being correct is rather unusual.
Stallman's position isn't a surprise. I expect him to advocate open source software over any proprietary software. He has for thirty plus years. Why would he change now? There is one thing he overlooks when he says:
'I don't think the US government should use operating systems made in China,' ... 'for the same reason that most governments shouldn't use operating systems made in the US
Stallman overlooks the fact that various foreign governments already have access to the Windows source.
Microsoft to Share Source Code With Governments
Microsoft Corp. announced this week it is making the programming code for its Office 2003 software suite available to government agencies around the globe, a move partly aimed at allowing them to inspect the product for flaws and security problems.
Though Microsoft usually guards such software coding tightly, the step is an extension of an initiative the company began in January 2003 giving about 60 governments access to the inner workings of the Windows operating system. This is the first time the software giant has shared the source code for Office, which includes the Word text processing, Excel spreadsheet, and PowerPoint presentation programs.
Microsoft Grants Governments Access to Windows
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
No, it's not. There are distros based in all parts of the world. Also, the difference here is that the source code is freely available for all to see.
That's different. GNU/Linux is open source, so you can (in theory) verify for yourself that there aren't any back doors. And if there are, you can fix them.
They call it BSD and Open, because it's always free and open...
For historical reasons OpenBSD is based in Canada...
And on the Final day, St IGNUcious declared Gentoo be the system by which all operates. His will be done, on Earth as it is on silicon.
Linux was made in Finland.
Yet another Yank taking claim for others' achievements.
it is far better that RMS talk about backdoors than pick his on stage and pop whatever he pulls out of it into his mouth to chew.
here's one https://tails.boum.org/
I recall reading about a hushed up brouhaha ages ago concerning backdoored USA compiled software run on Australian government systems in the 80's or early 90's. Google seems to disavow all knowledge damnit.
You're not allowed to build your own version of the software from the source. This is why one of the FSF rights is the ability to compile the program for use.
Seems in pointing out what Stallman "forgot", you forgot something yourself.
That's true, but not if you're among the 99+ % that installs a binary distribution.
Is there a GNU/OpenBSD available?
GNU/Linux is made by a community of developers from about every single developed country in the world, and possibly has had patches done by people who were at the time in less developed places. So there isn't one single government telling the contributors what to do. It either has no backdoors (because it's open source and supposedly someone has reviewed the patches), or it has backdoors from all over the world.
I may not like GNU much, or Stallman, but that's a fact regardless.
GNU/Linux is open source, so you can (in theory) verify for yourself that there aren't any back doors. And if there are, you can fix them
That's true, but not if you're among the 99+ % that installs a binary distribution.
The point is not that everyone needs to verify the code, but that anyone can do so, and that someone is likely to have done so.
In Murphy We Turst
But equally there are thousands of really talented programmers who examine the source code very thoroughly, many of whom contribute back. If there were back doors then there is a high chance that they would have been detected. Plus anyone really paranoid about it CAN go and check the source code to make sure for themselves.
With proprietary operating systems you do not have that luxury.
While it is true that Microsoft is agreeing in certain cases to give access to the source code to Windows, it appears actually getting your hands on the code is sometimes harder than expected.
Case in point: Éric Filiol, an ex French intelligence officer from DGSE (the Directorate-General for External Security), recently explained that
“The French state can't obtain certain specific pieces of technical information on the Windows kernel. A country that has nuclear weapons and is a member of the UN Security Council can't compel Microsoft to give it the necessary information on a system that is absolutely everywhere.” (quoted in the original French in the post)
Source:
http://www.numerama.com/magazine/26360-la-france-n-arrive-pas-a-avoir-des-informations-sur-le-noyau-windows.html
So there seems to be a difference between what is announced and what happens.
Well, most of the (most active) kernel developers do live in the USA (including Linus), and also many (if not most) of the GNU developers live in the USA (including Stallman), so you could say GNU/Linux is developed in the USA currently.
BTW, I'm not from the USA.
But that still just verifies the source. As long as you get a binary from someone you have to trust that other person. Verifying the source does not verify the binary.
Bullshit. GNU/Linux is an international effort with contributors from many different countries. It is constantly peer reviewed by all kind of people, e.g. security researchers all over the world, and the source is open so you can check it yourself.
The kernel work started in Finland, but most of the work and most of the GNU system originated in other countries and most prominently the USA.
Yes but you can't trust binaries which may include modifications not available in the original source code.
Access to source compiled binary currently in use.
Do you trust that whatever you compile from the source code they send will result in an equal file to those currently in use? I seriously doubt that most entities bother to check.
My bleary memory now recalls it was probably about PROMIS and INSLAW. Read about this: http://en.wikipedia.org/wiki/Danny_Casolaro
It does when you compile, compare md5 hash, and verify that they're bit-for-bit identical. Jeez, it's like someone already thought of this.
No. As BSD is a Unix branch, and the GNU/* only applies to the Linux branch.
This is incorrect. Again. For the same reasons given to you above, you can compare compiled binaries to the source and verify that they're identical via hashing.
To build Windows, you have to use the Windows compiler, I guess. Well, that's that then:
Self-referencing C Compiler
While this is correct, it requires the exact same compiler settings, and the exact same compiler version.
You know, like, sending NSA agents to get cover jobs in Microsoft, and purposely plant in obscure security bugs, that can only be exploited by the NSA . . . ? I know that they are not supposed to do that, but the new description of work for the NSA seems to be something like:
Question: "What does the NSA do?"
Answer: "Things that it is not supposed to do."
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
RMS's comments about OS back-doors are rather dated, since M$ made Win2K source available to governments many years ago. It gave a whole new meaning to the Windows joke, "That's not a bug, that's a feature!"
He is, however, spot on about "the cloud". No engineer or admin in his right mind would entrust his/her organization's data to a medium riddled with security, privacy, and reliability flaws.
Bean counters are all for the cost savings of "the cloud" until you clearly spell out the risks involved. Accountants and executives hate taking big risks for only a tiny commensurate potential for gain.
Scruting the inscrutable for over 50 years.
But who compiled the compiler?
http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
CPUs on the other hand (Loongson) are kosher!
Who logs in to gdm? Not I, said the duck.
Closed source, open source, it doesn't matter when you can just give them access to a database, an admin account or access to logs.
The fear of backdoors into your OS is out of date in today's society. Why would they need wait for you to be online then risk detection by using a backdoor when they can just make a call to facebook, your ISP or your mobile phone network and probably get far more valuable information?
It's also very naive to think that intelligence organisations don't have a catalogue of undisclosed exploits and security holes that they keep secret in case they need to attack someone, whether it's Linux, Windows or whatever.
Some Microsoft bugs take a ridiculous amount of time to get fixed and all the reports seem to fall on deaf ears. We bash Microsoft for this behaviour but doesn't having a reporting relationship with the NSA help it all to make sense? Taking a long time to fix? Well, they may not be done exploiting it yet. Falls on deaf ears? Well maybe it's not a "bug" but a back door that no one was supposed to know about and Microsoft cannot comment on it without NSA approval.
You can do that with cmp or diff. Why do you mention hashing?
But to compile and compare the binaries you have to use at some point a compiled binary from some source, which you can't trust.
Not as far as I know, but Debian do actually do GNU/FreeBSD and GNU/NetBSD distros in addition to their usual GNU/Linux.
Incorrect. GNU userland utilities can theoretically be made to work with any Unix-like kernel. It's just that Linux is what it's most commonly paired with.
Wrong.
GNU is the userland (libc, gcc, bash), while Linux is the kernel.
There is also a GNU kernel, called Hurd. GNU userland + Hurd kernel is called GNU/Hurd, just like GNU userland + Linux kernel is called GNU/Linux.
GNU is pretty cross platform, and it should be possible to combine GNU userland with the OpenBSD kernel, giving you GNU/OpenBSD, but I think he's going to need to do it himself if he wants it. Debian has done so with FreeBSD, calling the result Debian GNU/kFreeBSD - the "k" indicating FreeBSD kernel, rather than all of FreeBSD.
The opposite should also be possible, though I don't know of anyone having done so. BSD userland on Linux, giving you BSD/Linux (now will people understand why that "GNU/" in front of Linux matters?). I don't know how portable BSD userland is, some of it may not be - at least that was the impression I got when I was looking at replacing udev with devd when udev was absorbed by systemd.
Because I am most familiar with using md5 for this purpose. I am sure that "I'm doing it wrong", and there are more inspired/better ways to do this. I only speak from what I've done.
Ehm, what are you blathering about? There's a project known as the Hurd, maybe you've not heard of? With the GNU software coupled with the Hurd kernel you get something called the GNU/Hurd. Nothing stops you from compiling GNU software on BSD systems. So what was that about GNU being only Linux?
Should be called Finux.
http://michaelsmith.id.au
I remember Microsoft's denials about intercepting Skype, yet the PRISM leak shows they can fully intercept everything:
http://gizmodo.com/what-is-prism-511875267
There are two worlds here, companies that cooperated with NSA illegal spying and those that didn't. They chose their sides, they chose the side against the constitution. That's not my side, I need to secure my data against NSA and its corporate allies.
The Skype leak shows they can intercept voice communications, the files you sent, the text messages, the video of your conversations, the lot, and it's a live intercept, so it's a live connection too. I bet they can even turn on the camera and mic remotely on Skype.
Then we find out Stuxnet is confirmed as NSA. So no doubt where all those zero day exploits came from, Microsoft themselves:
http://www.guardian.co.uk/world/2013/jun/28/general-cartwright-investigated-stuxnet-leak
So all the scary hackers out there making Stuxnet? They're the NSA itself.
I don't trust this Windows box in front of me currently, my server is being moved out of the USA, this Windows box is next.
And despite it being a smaller group, there are thousands of developers around the world with access to closed source systems like Windows who also verify them. There are thousands more who reverse engineer the binaries themselves constantly looking for vulnerabilities. While I prefer open source, it is a complete myth that closed source OS's aren't also under considerable talented scrutiny.
You are doing correctly. It's just that the step of hashing is unnecessary. You can just compile the stuff and compare it, instead of compiling the stuff, hashing both stuffs and compare the hashes.
This wasn't about the win2k NSA key, it is about Microsoft passing info about zero day exploits to the NSA instead of fixing them, so the NSA can use them to break into people's computers and spy on them. This came out in the news in just the past few days (not sure if revealed by Snowden or someone else). It would seem to explain why Microsoft is so damn slow about fixing bugs.
I'm afraid you've got it wrong. At least Australia can build from source. I doubt they got a special deal.
Australia to see Windows source code
The ability to build from source would seem to be a key aspect of verifying the code. I'm not sure why you think they wouldn't be able to do it. What they probably can't do is distribute the binaries for free - they still have to pay Microsoft for the distribution of software.
Also, it seems likely that by providing their code to foreign governments, Microsoft is picking up what to them is free services of what are no doubt some of the best software engineers in government looking over their code, and probably sending in the occasional bug report. What's that saying? Many eyes makes for shallow bugs? Or maybe not.
Binary distributions should be a little more risky, but there is nothing like a back door hiding in plain sight, there for anyone to see in the source code but not getting detected in most source code audits.
Everything I write is lies, read between the lines.
Remember this?
http://yro.slashdot.org/story/13/05/14/1516247/microsoft-reads-your-skype-chat-messages?utm_source=commentcnt&utm_medium=feed#comments
A German user noticed that if he passed a link in a Skype message, the link was accessed by Skype servers?
Microsoft claimed it was to protect from malware. But now we know they're in the NSA's pocket, and the NSA is data mining all communications and storing them in the big database, the obvious conclusion to come to, is that this is part of NSA's data mining effort.
If you look at the 'Boundless Informant' leak, Germany is very heavily spied on by the NSA, and so German Skype chatter is likely a major target for interception. Germany is a big commercial competitor to the USA.
Also notice the fake 'RC Plane bomb plot in Germany' from yesterday... part of the marketing to try to quieten down German anger.
True. I used to download and install gnu-tar on AIX...
Luke, concentrate on the force instead.
The difference is that the scrutinisers of closed-source software are most often motivated *not* to disclose their findings to the public.
Right, the perfect way to gain the opposite results.
... [A]nyone can [ verify the code], and ... someone is likely to have done so.
Yes. The NSA guy who wrote the patch, and three of his astroturfing friends.
The "Many Eyes" fallacy is important here. Unless you can verify the authenticity of the code yourself, you need to verify the authenticity of the person verifying the code. Do you know all of the kernel devs personally? How about the X / Mir / $module devs? How many people actually write code for kernelspace? How many modify it for their particular distribution of choice? Do you trust those people?
Finally had enough. Come see us over at https://soylentnews.org/
do they have access to the source code for the entire toolchain?
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
You are aware that probably the most important current kernel developer, a certain Linus Torvalds, is a naturalized citizen of the U.S.A.?
Plus anyone really paranoid about it CAN go and check the source code to make sure for themselves. With proprietary operating systems you do not have that luxury.
On a personal level, no. But many governments can, as well as some corporations.
Microsoft to Share Source Code With Governments
No, if you find the exploit they can tell and you mysteriously disappear; don't look for it.
And how do you know that mind control isn't perfected by the government?
How do you know that you are actually alive and not just dreaming?
Then you know that the compiler has no known backdoors in it and won't put any in your code.
The C standard is available.
Yes, but still a Finnish citizen also, AND the idea and foundation grounding for the kernal was written in Finland; it would not exist if it wasn't written there, as the real GNU kernel was not even finished yet, and Linux was just there at the right time, kinda like MS-DOS.
Just because you can read a book doesn't mean you're allowed to write it out and use that copy you created to read.
The agreement given does not include that. The report is in error, that wasn't made available, though there was the intent to do so *by the Australian government*. Microsoft didn't give them that right.
Sounds pretty hard since that information is not provided with the binary or source.
Change is certain; progress is not obligatory.
You misspelled "kernel".
However, that isn't true.
Are the computers Chinese or Taiwanese because most of the manufacturing by weight is done by them? No? why not?
Not to mention the original linux kernel was written in Finland.
Many other free software projects are likewise non-American. Hell OpenBSD is developed by a South African living in Canada.
Unicode killed the ASCII-art *
Cold you have to understand Australia. ... or accessing their own information stored in other countries’’...
They love MS, MS giving them code to look over at after generational buy in is just a trinket.
What was Australia going to do if it finds a project related hole? File it with MS and hope it's fixed in weeks? Months? Many months?
Australia was just feeling bad over its lack of sufficient software source code and IP to allow its airforce to understand some aircraft systems.
Source code became a political and defence issue with huge political efforts to try and get the US gov to be nice over the issue.
So for the US and MS to be seen to be offering Australia something was cute, but with today's insights, MS at a VOIP, server, cloud, code, consumer or filesystem level seems a tame tool of US gov interests.
http://www.smh.com.au/national/public-service/trade-war-up-in-the-clouds-20120529-1zhpg.html
Comments like this from the US:
‘‘...governments should not prevent service suppliers of other countries, or customers of those suppliers, from electronically transferring information internally or across borders
seem a bit of a LOL given the other line about 'a careful set of constraints to protect individual privacy"
Domestic spying is now "Benign Information Gathering"
I don't use threads -- I use multiple asynchronous processes, you insensitive clod!
This, right here, is the single best case for open source that has ever come along. The fact that neither government nor large corporations can be trusted has never been more clear.
The point is not that everyone needs to verify the code, but that anyone can do so, and that someone is likely to have done so.
Anyone can do so in theory but not in practice. I'm an engineer but software isn't my specialty. I have absolutely no way to evaluate personally if there is a backdoor in any of the software I'm using. I simply don't have the skillset and for various reasons am not going to develop it either. Even if I was a really plugged in software engineer like Mr. Torvalds, I simply wouldn't have the time to review every single line of code before compiling it all myself. Don't forget to check the compiler and the firmware.
Additionally while you are correct that someone is likely to have done so, the question is who? Is it someone we trust or is it someone we don't or both? I have absolutely no way to know. I simply have to trust. Don't get me wrong, I think open source is fantastic but pretending that the code is somehow immune from backdoors is pretty naive.
Android uses the Linux kernel but none of the GNU userland; they forked BSD libc into a project called "Bionic".
The Linux kernel is the only thing in Android licensed under the GPL; everything else is under the Apache license.
Please guys, stop that "my father (country) is stronger than yours" attitude. ;-)
Governments are only allowed to view the source code to make sure their backdoors are properly in place - as per the contract.
Microsoft has been installing the NSAKey in Windows since Windows 98; a special root key that grants them access to Windows cryptography services, the ability to generate their own keys, decrypt things, and maybe install rootkits, bypassing the user. Some people think it's a Trojan that even gives them stealth remote control capabilities. Microsoft has always been working with the NSA, and in turn, the NSA has always been getting into whatever they could possibly get their hands into. Welcome to the ultimate rootkit in society, next to Remote Neural Monitoring and Electronic Brain Link.
http://www.washingtonsblog.com/2013/06/microsoft-programmed-in-nsa-backdoor-in-windows-by-1999.html
and nsa.pdf @ http://www.oregonstatehospital.net/
Wow, you really are out of the loop.
Slashdot, June 20th 2013 - "Are you sure this is the source code?"
Translation: You clearly don't know what you are actually talking about, but rather you just think that you do, because in your world things really are as simple as you think, rather than the real world where things are not.
"His name was James Damore."
There are known ways around this, although they start to get complicated.
http://www.acsa-admin.org/2005/abstracts/47.html
Basically, there's a difference between just talking about this on /. and what the professionals do that have really serious security issues. If you're just thinking 'ah, open source means someone will catch any bugs', then NSA is way out of your league.
He keeps hammering on the same message still, because people still didn't act, even when they know exactly what they ought to do.
Next time you're out and about, go ask some random person who is Richard Stallman.
Now ask yourself, if they never heard of him, what makes you think they're getting the message?
WE have heard of him and his message, but the general public hasn't. AND his warnings and claims come across as paranoia. I mean, before the NSA leaks, no one would ever believe our government would do such a thing - even here on Slashdot. How many times have folks said that the government is watching us only to have someone "point out" that it's "impossible" - here on Slashdot - supposedly the home of the most knowledgeable people on the Internet.
How can we expect John Q. Public to act when WE don't even believe half of it?
I'm telling you next we will find out that the NSA/FBI has the ability to create instantaneous dossiers on people by just hitting the: Medical Information Bureau, Credit Bureaus, Google (I don't a shit wtf they say in public!), ChoicePoint, state DMVs, IRS, state tax departments, and I bet quite a bit of internal databases, too. All through those backdoors.
FUCK! Anyone of us could code that!
Historical CERT advisories. Notice the transition from predominantly Windows-platform vulnerabilities to predominantly Unix-platform vulnerabilities as one goes back in time, to a period where few Windows machines were on the internet.
Being open source didn't prevent source packages like sendmail from being exploited again and again, repeatedly, throughout its history. BSD witnessed vulnerability after vulnerability also.
No?
I guess he's a nobody, then.
Old proverb: "Three people can keep a secret if two of them are dead."
We see that proven time and again by things such as Watergate, WikiLeaks and the Snowden affair among many, many others.
Few people have read every part of the OS source, but quite a few people have read individual parts of various OS components in detail and more have dipped into them superficially, for example when doing in-depth debugging. This makes it extremely difficult for a conspiracy to hold together very long.
And that's not counting the complexity that comes from the heterogeneous mix of apps, processors and peripherals that make up the world-wide set of users. Stuff like that tends to break things that are operating on the sly.
One thing people keep neglecting to mention is that for the stuff we WANT to be public (e.g. source code), the cloud is a GREAT place to put it (but certainly not the only place we should put it).
BTW, "the cloud" is far too nebulous of a term for this discussion.
Makes sense; if you have one of the rare good source code auditors at your disposal then it is obviously easier to find holes, or at least easier to get a hand on the source code when the sources are open. Remember that we are in the context of finding back doors hiding in plain sight, in the source code. Note that it doesn't necessarily mean the back door was planted there on purpose.
You couldn't give a better example than sendmail, or at least none that I can think of.
I know, use all their hardware, all kinds a software made by them and then whine when the enemy hacks you...
yup that rank 31 marth avg and 21 reading skill really is starting to show up aint it...
now imagine if there are loads a smart people in the public then real stupid people must be workin for the gubermint
I'm sure you'll understand if I remain agnostic on the question, Mr. Huxley.
But equally there are thousands of really talented programmers who examine the source code very thoroughly, many of whom contribute back.
Not really, most of each of thousands of projects have at most a few core developers and extraneous people who occasionally submit patches to fix specific itches. There is no "A team" scouring all open source for vulnerabilities from the simple fact such vulnerabilities most certainly do exist as innocent bugs and have not been reported by such teams.
To illustrate this point the linux kernel is developed by armies of smart people yet an automated tool found a laundry list of shit that has been around for years nobody noticed.
http://www.coverity.com/library/pdf/linux_report.pdf
If there were back doors then there is a high chance that they would have been detected.
There is no difference between a backdoor and a vulnerability. The logic that deliberate backdoors would be detectable in source code when we know from experience innocent bugs having the same effect as a backdoor have a proven track record of not being detectable is simply wishful thinking and wrong.
Plus anyone really paranoid about it CAN go and check the source code to make sure for themselves.
I suppose anyone can drain the earth's oceans with an eye dropper as well.
Since Microsoft and other companies are telling the NSA about bugs before they fix them, then Microsoft and those other companies will no longer need a grace period when Anonymous or other hackers find vulnerabilities. They should be published right away for all to see.
Given recent developments I have no reason to trust made in USA either...
Privacy is terrorism.
Yes you can.
There is no such thing as a license to use software in any law book. Software is protected by copyright only, so you can't profit from that, but you can modify it all you like.
So when I installed GNU Emacs on my Windows NT 3.51 system, it should have been called a GNU/NT box?
For example: my girlfriend the other night told me that she is "on the rag".... So... I took a back door!
The NSA is not a big worry; they aren't supposed to be using data for civilian law enforcement because they collect it ILLEGALLY. That is one thing the Patriot Act got horribly wrong. The NSA are not police, and police don't get to spy like the NSA. Because the NSA is chartered and designed to go WHEREVER, WHENEVER they want, they aren't required to ask for warrants because judges aren't placed high enough to know what they can crack. The main problem is that the NSA is a SPY agency. It's not SUPPOSED to be easy for them... They don't get to ask for secret rooms and software backdoors publicly because they're SECRET... They are supposed to TAKE what they want, and NOT GET CAUGHT.
They are supposed to be three steps ahead of the rest of us and the bad guys. That they are resorting to public data collection openly is beneath what they were founded to do.
Yes. Yes it should.
That's GNU/Finux, to you, pal.
The book Unix-Haters Handbook devotes an entire chapter to the notorious sendmail. A link to the book is found at the end of the Wikipedia article, unfortunately in PDF format.
Perhaps its time for an Adobe-Haters Handbook.
do they have access to the source code for the entire toolchain?
For the benefit of those who don't know why this is important, this is a good explanation.
While everyone else focuses on your incorrect statement, I will criticize your signature. You don't get Karma for Funny.
I'm just happy to be corrected / learn something new.
Only on
Thanks for linking. I don't think that stands so strongly against what I've said, but rather supports it. His conclusion is that with minor tweaks to tools we could better achieve matching compiles from source. So, he substantiates what I've said as the goal, and says that we have a few issues - but they can be fixed. Sounds simple enough to me.
Actually, that, too, has been thought of and worked out. The trusting-trust attack can be fully countered through Diverse Double-Compiling. It's all over my head but the material is there at several levels of detail for those who would read it.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Here is a little SSL/TLS based server to protect your text chatting from government snooping and archiving forever:
https://bitbucket.org/hroll/alternative-f-r-unschuldige/src
@Ex-Company Wahabist nut-assets: AFU was made using Schweineschnitzel, so you won't get virgins if you use it !
What's wrong with keeping your FOSS code in the cloud, like on SourceForge or GitHub? The old "If you have nothing to hide" (paraphrased) argument is usually a fallacy, but it seems to apply well here.
I for one laud our friendly neighborhood Chinese hackers.
It keeps windblows/NSA on the tiptoes to introduce ..errr ... fix new vulnerabilities.
In a way, hackers (read: black) contribute to the "many eyes are good(tm)" paradigm.
With the economy going down the drain I wonder how many "researchers" don't feel aligned to the community anymore, but more to the person with the FAT wallet.
And though crime can make you rich, it will never make you as rich as when your business is NOT classified as a crime.
You know what, I could just yell "GO Chinese hackers! do your thing!" but I think it will just unleash some NSA controlled response from compromised windblows computers at some China university : )
lol, captcha: renegade
It's simple to match the compiler version, static library versions, the static libraries' linker version, and each library module's compiler version and options...?
Really?
You are aware that probably the most important current kernel developer, a certain Linus Torvalds, is a naturalized citizen of the U.S.A.?
Look, I'll let you in on a little secret here. The "American dream" in Finland isn't really a house and a summer cottage, if that's what you've been led to believe. Plenty of people have those. The dream is to be able to afford to move somewhere else for most of the year. Perfectly legitimate to stay Finnish and do that. It's like going pillaging.
Hell, our most famous sportsmen ALL live elsewhere. The pay levels are just that much better - and the taxes lower pretty much almost anywhere.
Some militaries use (or have used) customized Windows versions at source level.
A fucking mess if you ask me; imagine running a custom branch of NT 4.0 as the backbone of your network.
The world was created 5 seconds before this post as it is.
It seems like there should be a simple and effective way to prevent the NSA from collecting metadata on you with a properly configured HOSTS file. If there were only some smart cookie that could explain it to us.
The preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff.
True, we should stop this infantile bickering, because it's obvious to everyone that Finland is better than the USA, so there's nothing to fight about. Besides, my UID is twice a prime, so nyah nyah nyah!
Escher was the first MC and Giger invented the HR department.
This is not even an academic question - there was actually a backdoor discovered in some software used by the Australian government provided by a US company. I believe it was in the late '90s, and it was news at the time... and I think it made Slashdot too. I can't seem to find a Google or Slashdot reference to it, so I couldn't fault you if you decided to doubt the veracity of my story. I'm still searching though, so I'll post if I find it.
I don't have any data under my personal control that I care if the government intercepts.
Really? Are you certain of that? Here's the thing. Information you have can look circumstantially damning for reasons beyond your control. Sometimes people's identity is mistaken or they are in the wrong place at the wrong time. Messages that are entirely innocent can at times be used against you in a court of law. Maybe you have communicated with someone you don't know
Is it likely that the government will come after you? Of course not. Like you say your information probably is completely uninteresting. But it's not inconceivable that it might be more interesting than you think.
My email is boring as hell.
Probably true but it doesn't follow that it could not be used against you under the right circumstances.
I suddenly remembered xterm, which used to be pretty good at it since it was setuid root by default on most distros, on top of the holes back then...
I did not read the PDF; it must be mentioned within it.
Everything I write is lies, read between the lines.
> They call it BSD and Open, because it's always free and open...
Until someone decides to turn it into a commercial product and deny you any rights whatsoever.
A Pirate and a Puritan look the same on a balance sheet.
Yeah, because I've read and understood all the millions of lines of Linux code and all the millions of lines of code in all of the 100's of open source packages that I have installed and all the millions of lines of code in all the other software packages I evaluated before choosing the ones I wanted to install. I also read and understand all the source code changes that go into the software that gets updated every day. Then I fixed all those obscure back doors that the cyber warfare experts from every country in the world inserted. While I was at it, I fixed all those security bugs that the open source maintainers didn't know about or hadn't had time to fix. You know that's why open source software is so secure. After all, everyone reads the code. Much more than those pesky 100-line EULAs. I mean, who would bother reading that shit.
What about vPro in all Intel Haswell mobile chips?
Hardware backdoor with RAM access over the cell network and LAN, hardware vlc client, etc. Remotely re-enableable. Runs regardless of OS.
They almost always say that your info is not protected from authorities and that they comply with laws, or even say directly that they will volunteer info if authorities ask (no warrant or whatever required).
Democracy Now! - uncensored, anti-establishment news
omg Finlux 111
Your post is made up of FUD and closed source shill bs.
First, there is no surprise there are uncaught bugs in anything. Bugs do not equal exploits, only some bugs can be exploited and different bugs can only be exploited in certain ways, requiring different access, and achieving different severities from crashing to resource hogging to root access.
Second, whatever Coverity is, it apparently works by analyzing the source code in the first place. If you don't see the irony in using evidence against open source from a source code analyzing program that finds bugs in available open source code, then please kick your own ass out the door.
Why people try so hard to pretend that open source has no security benefits over closed source is beyond me.
Cloud hosting is extremely useful for some things, some of which I'd expect RMS to approve of.
For instance, if you are hosting GPL code then hosting it on a public cloud service makes sense. So what if the NSA can access it, so can everyone else and the license terms explicitly allow that.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Getting to the point of usability is going to be hard (unlikely that 3D printers are going to be able to replicate anything within the ballpark of a chip fab anytime soon, for example) but the more of the stack that's independently reproducible and open to public inspection the better.
I remember sigs. Oh, a simpler time!
Backdoor does not need a space in the middle.
Heh. Haha. BWAHAHAHAHAHAHAH!
First, from the very report that you linked to:
You want a real eye opener? Check out Coverity's current press release:
The real conclusion that you should draw is twofold. First, if you're relying on software that isn't doing static code analysis, you're probably relying upon insecure code.
Second, Every. Single. App. Has. Bugs. The difference is that open source lets anyone do the analysis and fix the bugs. The same can't be said of any closed source package.
So, which is safer? The OSS app where everything is publicly discussed and bug fixes generally get acted upon fast, or the closed source app where the vendor may be handing the known vulnerabilities off to the NSA or its equivalent in the country of your choice? I know which way I choose. :-)
What's wrong with PDF format? (genuinely curious).
To be, or not to be: isn't that quite logical, Slashdot Beta?
Right about what? He is a Left wing conspiracy nut, who makes wild charges about anybody he doesn't like. Check out his website http://stallman.org/ before one mods me down.
For starters, which OS does the US government use that is made in China? Windows? Made in Redmond. Linux? Well, the US government tends to prefer RHEL derivatives, such as Scientific Linux, and even SE Linux features have made it back to the major Linux distros. So made in Raleigh, or Portland or Helsinki. I don't know how much of the government uses Apple, but that too is written in Cupertino, and if one is talking NeXT or Mach, it originated in Redwood Shores or Carnegie Mellon. BSD? OBSD is Canadian based, but thanks to Theo, the US government has blacklisted BSD and doesn't use it in anything. GNU? Okay, how much of it is developed in China?
So which Chinese made OS does the US government use, according to the man who judges a Lemote Yeeloong to be the only acceptably free system he can get his hands on? Does he actually think that the US government uses Red Flag Linux? Reading TFA, the interviewer referred to Huawei, which is a company blacklisted by a number of governments, and they don't write OSs - although they may well have written back doors into that OS. But the solution in that case is what is already happening - blacklist Huawei, and let the US government ban their products from being used.
The flip side of his comments - that other countries shouldn't use OSs made in the US - is laughable. What OSs should they then use? Let's assume for a moment that his accusations against MS are true. Anything else they use would still be largely made in the US, unless a country chose to pick a pretty obscure OS made outside, such as L4, Minix, QNX, Haiku, and so on. If he were to say that governments should only use liberated OSs and not proprietary ones, one can agree with him, since there would be no way of embedding backdoors into such systems. But to say that an OS should not be made in China or the US or anywhere else is just his usual deranged self talking.
You should put your head out of the Windows box some day. Processes are not slow, and there is no reason for IPC to be slower than multi-thread data access (although a few implementations are).
Rethinking email
Memories...
Malvin: I can't believe it, Jim. That girl's standing over there listening and you're telling him about our back doors?
Jim Sting: [yelling] Mister Potato Head! Mister Potato Head! Back doors are not secrets!
Malvin: Yeah, but Jim, you're giving away all our best tricks!
Jim Sting: They're not tricks.
Nowhere in the article is it stated that they can compile the source.
I got an offer to read Windows source code once. That condition was there: I wouldn't have the environment needed to actually compile it. But I work in Brazil; it's possible that Australia got a special deal, there is just no evidence of that.
there is absolutely no way to process it in the cloud properly
Sure there is. It's called homomorphic encryption.
....Aaand now I'm thinking of some new kids' TV show hero figure, the Mighty Morphin Gay Ranger. He's rainbow-colored, naturally, so he has all the powers of all the other Rangers.
Not really what I wanted to be thinking about, but there you go.
"What in the name of Fats Waller is that?"
"A four-foot prune."
No, Stallman has never "advocate[d] open source software over any proprietary software" as he is not now nor has he ever been a part of the open source movement.
Stallman founded the free software movement over 10 years before the open source movement began. Since the open source movement began he has spent time explaining how the open source philosophy and practical outcomes are distinctly different from his older movement (an older version of this essay is also online). Every talk I've heard him give contains a cogent explanation about these differences.
Perhaps if you understood the differences you'd understand why "various foreign governments already hav[ing] access to the Windows source" doesn't respect a user's software freedom (not even for the governments that are allowed to read said source code as merely having and reading source code is insufficient to be considered "free software" or "open source" despite the confusion with the latter) and therefore does not actually address any of the salient issues he's raising. One of his recent talks, "What Makes Digital Inclusion Good or Bad?" from October 19, 2011 covers this ground and related issues quite well.
Digital Citizen
Richard Stallman is the biggest troll on the CSAIL listserv. He's right some of the time, but all other times he trolls endlessly. Guy has "antisocial" written in his DNA.
Why do people take him so seriously? It amazes me. Obviously you haven't read the constant stream of spam he generates on the CSAIL listserv...
Well if you're talking on a countrywide scale, only one group in each country needs to verify that the code is suitable for use by that country and build binaries from it. The cost of hiring a few developers to go through the code is nothing in the budget of most countries.
Although Unix was originally developed with a security model, individual code often wasn't... People who wrote code weren't thinking that buffer overflows or format string bugs could be exploitable, and many things were designed based on being connected to a largely trusted network of academics where there would be very little to gain anyway.
People developed clear text protocols like telnet, operating systems included remotely accessible unpassworded guest accounts by default, and then you have relatively naive protocols like SMTP, which has resulted in many of the spam problems we see today and could have been avoided with better protocol design.
People learned and improved, and then Microsoft came along very late to the party with a lot of code that was designed for an environment where there was simply no security model whatsoever.
The American democracy's secrets feed the idea that if you're not American the web is a web, and just don't try to agitate your goodwill online because dumb American contractors monitor you.
I think that Obama takes very seriously his oath to protect only the American people the best he can. He has just published a picture of himself in Goree, but it is not executive, it is symbolic.
"our Ukrainian QA team"
Finland was made in the USA therefore Linux is made in the USA! :-)
Does it bother anyone else that the NSA wrote code that is in the kernel of most Linux distributions? I don't know what it does, but it has something to do with basic security. I think it is called SELinux. I am not saying it is a backdoor, just that the NSA wrote it, and last time I checked the default kernel settings for compiling an Ubuntu kernel, all the NSA modules had checkboxes next to them.
Can someone assure me that this code is "safe"? Or do all linux kernels have code in them that allows the NSA to do as it likes with my security?
So you think compiling clean Windows code on Visual C++ makes it safe? Security holes aside, a hacked compiler will produce hacked compilers even if all the source everywhere is clean. A clear chain of trust is required. With the time and effort, a breach can be placed at lower levels in the chain and obfuscated at multiple points, ensuring decades of access without needing to be notified of security holes. (You'd think an org bigger than the CIA would have people capable of finding holes on their own, let alone getting them put in.)
A security breach in the 90s in Visual C++ at MS themselves could likely continue to this day - they use their old software to compile their new software.
Yeah, and that trick works only as long as you're limited to one compiler. Once you have two, you can compile your compilers with other compilers (both of them, plus compilers you've compiled yourself with various compilers). They don't have to be trustworthy, as long as they don't have the exact same subterfuges. Use different targets, also, if you've got an ARM box you can use or a PPC.
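The check the two comments above describe (the trusting-trust problem from the "hacked compiler" post, and Diverse Double-Compiling with a second compiler that need not itself be trustworthy so long as it does not carry the same subterfuge), as an added toy model. This is illustrative Python written for this thread, not Wheeler's DDC tooling or any real compiler; the "compilers", the two sources and the TROJAN/BACKDOOR/SIMPLE_TAMPER marker strings are all constructed.

```python
"""Toy model of Diverse Double-Compiling (DDC) against a 'trusting trust'
compiler backdoor.  Constructed illustration: programs and compiler
binaries are tuples of strings, and a compiler 'runs' via run() below."""

# Constructed sources: a tiny self-hosting compiler and a login program.
CC_SRC = ("read source", "emit each statement", "write binary")
LOGIN_SRC = ("read password", "check password", "grant access")


def is_compiler(src):
    """Heuristic a Thompson-style backdoor uses to recognise its own source."""
    return "write binary" in src


def is_login(src):
    return "check password" in src


def run(compiler_bin, src):
    """Execute a compiler binary on a source program and return a binary.
    An honest compiler just lowers each statement (upper-cases it).
    A binary carrying TROJAN reinserts TROJAN whenever it compiles the
    compiler and plants BACKDOOR whenever it compiles the login program,
    so reading the source never reveals it.  SIMPLE_TAMPER marks a
    differently flawed compiler: it tampers with login builds but does
    not propagate itself into compiler builds."""
    out = tuple(stmt.upper() for stmt in src)
    if "TROJAN" in compiler_bin:
        if is_compiler(src):
            out += ("TROJAN",)
        elif is_login(src):
            out += ("BACKDOOR",)
    if "SIMPLE_TAMPER" in compiler_bin and is_login(src):
        out += ("BACKDOOR",)
    return out


def ddc_check(cc_src, suspect_bin, trusted_bin):
    """Diverse Double-Compiling (Wheeler): rebuild the suspect compiler
    through an independent compiler and compare the results.
    Precondition: suspect_bin regenerates itself from cc_src.
    Stage 1: compile cc_src with trusted_bin.
    Stage 2: compile cc_src again with the stage-1 result.
    Stage 2 equals suspect_bin iff suspect_bin faithfully implements
    cc_src (or both compilers share the very same subterfuge)."""
    if run(suspect_bin, cc_src) != suspect_bin:
        raise ValueError("suspect compiler is not self-regenerating")
    stage1 = run(trusted_bin, cc_src)
    stage2 = run(stage1, cc_src)
    return stage2 == suspect_bin


CLEAN_CC = tuple(stmt.upper() for stmt in CC_SRC)  # honest build of CC_SRC
TROJANED_CC = CLEAN_CC + ("TROJAN",)               # subverted, self-perpetuating
OTHER_CC = CLEAN_CC + ("SIMPLE_TAMPER",)           # untrusted, but a different flaw

if __name__ == "__main__":
    print("trojaned login build:", run(TROJANED_CC, LOGIN_SRC))
    print("DDC clean vs other:   ", ddc_check(CC_SRC, CLEAN_CC, OTHER_CC))        # True
    print("DDC trojaned vs other:", ddc_check(CC_SRC, TROJANED_CC, OTHER_CC))     # False
    print("DDC trojaned vs same: ", ddc_check(CC_SRC, TROJANED_CC, TROJANED_CC))  # True
```

The last case is the caveat from the comment above: two compilers carrying the identical subversion reproduce each other and DDC cannot tell them apart, which is why diversity of the second compiler (different origin, different target) matters.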
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Hello Everyone! This is my first time posting to slashdot in all the years I've been reading.
I have to ask a question: why is this article gone now? Why is techrights.org completely unreachable?
I don't mean to panic, but seriously, what is going on?? I'm getting error 503 (server error) when I try to go there.
What's wrong with PDF format? (genuinely curious).
Nothing more than with anything, really. It's all related to categorizing your level of security and acting accordingly. Click on my UID and read if you want to know more about how I feel about this. I do not want to repeat myself.
As a risk reducing measure, you can use alternative pdf viewers depending, again, on the levels of security you are comfortable with.