Richard Stallman Speaks About Back Doors After NSA Documents Leak
An anonymous reader writes "Companies such as Microsoft, Facebook, Apple, and Google are scrambling to restore trust amid fresh litigation over the PRISM surveillance program. Richard Stallman, the founder of the Free Software Foundation and a newly-inducted member of the 2013 Internet Hall of Fame, speaks about not only abandoning the cloud, which he warned about 5 years ago, but also escaping software with back doors. 'I don't think the US government should use operating systems made in China,' he says in this new interview, 'for the same reason that most governments shouldn't use operating systems made in the US and in fact we just got proof since Microsoft is now known to be telling the NSA about bugs in Windows before it fixes them.'"
Stallman is right, insofar as any sensible engineer should never have had his works, artefacts, algorithms and data "in" the cloud. Period.
Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
His record for being correct is rather unusual.
So which operating system should we use?
Stallman's position isn't a surprise. I expect him to advocate open source software over any proprietary software. He has for thirty plus years. Why would he change now? There is one thing he overlooks when he says:
'I don't think the US government should use operating systems made in China,' ... 'for the same reason that most governments shouldn't use operating systems made in the US
Stallman overlooks the fact that various foreign governments already have access to the Windows source.
Microsoft to Share Source Code With Governments
Microsoft Corp. announced this week it is making the programming code for its Office 2003 software suite available to government agencies around the globe, a move partly aimed at allowing them to inspect the product for flaws and security problems.
Though Microsoft usually guards such software coding tightly, the step is an extension of an initiative the company began in January 2003 giving about 60 governments access to the inner workings of the Windows operating system. This is the first time the software giant has shared the source code for Office, which includes the Word text processing, Excel spreadsheet, and PowerPoint presentation programs.
Microsoft Grants Governments Access to Windows
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
And on the Final day, St IGNUcious declared Gentoo be the system by which all operates. His will be done, on Earth as it is on silicon.
it is far better that RMS talk about backdoors than pick his on stage and pop whatever he pulls out of it into his mouth to chew.
I recall reading about a hushed up brouhaha ages ago concerning backdoored USA compiled software run on Australian government systems in the 80's or early 90's. Google seems to disavow all knowledge damnit.
You're not allowed to build your own version of the software from the source. This is why one of the FSF rights is the ability to compile the program for use.
Seems in pointing out what Stallman "forgot", you forgot something yourself.
While it is true that Microsoft is agreeing in certain cases to give access to the source code to Windows, it appears actually getting your hands on the code is sometimes harder than expected.
Case in point: Éric Filiol, an ex-French intelligence officer from DGSE (the Directorate-General for External Security), recently explained that
“The French State can't obtain certain pieces of technical information on the Windows kernel. A country that has nuclear fire and is a member of the UN's Security Council can't make Microsoft reveal necessary information on a system that is absolutely everywhere.”
("L’État français n’arrive pas à obtenir certaines informations techniques précises sur le noyau Windows. Un pays doté de l’arme nucléaire et membre du conseil de sécurité des Nations-Unies ne peut pas contraindre Microsoft de lui donner des informations nécessaire sur un système qui est absolument partout".)
Source:
http://www.numerama.com/magazine/26360-la-france-n-arrive-pas-a-avoir-des-informations-sur-le-noyau-windows.html
So there seems to be a difference between what is announced and what happens.
Access to source compiled binary currently in use.
Do you trust that whatever you compile from the source code they send will result in an equal file to those currently in use? I seriously doubt that most entities bother to check.
My bleary memory now recalls it was probably about PROMIS and INSLAW. Read about this: http://en.wikipedia.org/wiki/Danny_Casolaro
To build Windows, you have to use the Windows compiler, I guess. Well, that's that then:
Self-referencing C Compiler
You know, like, sending NSA agents to get cover jobs in Microsoft, and purposely plant in obscure security bugs, that can only be exploited by the NSA . . . ? I know that they are not supposed to do that, but the new description of work for the NSA seems to be something like:
Question: "What does the NSA do?
Answer: "Things that it is not supposed to do."
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
RMS's comments about OS back-doors are rather dated, since M$ made Win2K source available to governments many years ago. It gave a whole new meaning to the Windows joke, "That's not a bug, that's a feature!"
He is, however, spot on about "the cloud". No engineer or admin in his right mind would entrust his/her organization's data to a medium riddled with security, privacy, and reliability flaws.
Bean counters are all for the cost savings of "the cloud" until you clearly spell out the risks involved. Accountants and executives hate taking big risks for only a tiny commensurate potential for gain.
Scruting the inscrutable for over 50 years.
CPUs on the other hand (Loongson) are kosher!
Who logs in to gdm? Not I, said the duck.
Closed source, open source, it doesn't matter when you can just give them access to a database, an admin account or access to logs.
The fear of backdoors into your OS is out of date in today's society. Why would they need to wait for you to be online and then risk detection by using a backdoor when they can just make a call to Facebook, your ISP or your mobile phone network and probably get far more valuable information?
It's also very naive to think that intelligence organisations don't have a catalogue of undisclosed exploits and security holes that they keep secret in case they need to attack someone, whether it's Linux, Windows or whatever.
Some Microsoft bugs take a ridiculous amount of time to get fixed and all the reports seem to fall on deaf ears. We bash Microsoft for this behaviour but doesn't having a reporting relationship with the NSA help it all to make sense? Taking a long time to fix? Well, they may not be done exploiting it yet. Falls on deaf ears? Well maybe it's not a "bug" but a back door that no one was supposed to know about and Microsoft cannot comment on it without NSA approval.
I remember Microsoft's denials about intercepting Skype, yet the PRISM leak shows they can fully intercept everything:
http://gizmodo.com/what-is-prism-511875267
There are two worlds here, companies that cooperated with NSA illegal spying and those that didn't. They chose their sides, they chose the side against the constitution. That's not my side, I need to secure my data against NSA and its corporate allies.
Skype leak shows they can intercept voice communications, the files you sent, the text messages, the video of your conversations, the lot, and it's a live intercept, so it's a live connection too. I bet they can even turn on the camera and mic remotely on Skype.
Then we find out Stuxnet is confirmed as NSA. So no doubt where all those zero day exploits came from, Microsoft themselves:
http://www.guardian.co.uk/world/2013/jun/28/general-cartwright-investigated-stuxnet-leak
So all the scary hackers out there making Stuxnet? They're the NSA itself.
I don't trust this Windows box in front of me currently, my server is being moved out of the USA, this Windows box is next.
This wasn't about the win2k NSA key, it is about Microsoft passing info about zero day exploits to the NSA instead of fixing them, so the NSA can use them to break into people's computers and spy on them. This came out in the news in just the past few days (not sure if revealed by Snowden or someone else). It would seem to explain why Microsoft is so damn slow about fixing bugs.
I'm afraid you've got it wrong. At least Australia can build from source. I doubt they got a special deal.
Australia to see Windows source code
The ability to build from source would seem to be a key aspect of verifying the code. I'm not sure why you think they wouldn't be able to do it. What they probably can't do is distribute the binaries for free - they still have to pay Microsoft for the distribution of software.
Also, it seems likely that by providing their code to foreign governments, Microsoft is picking up what to them is free services of what are no doubt some of the best software engineers in government looking over their code, and probably sending in the occasional bug report. What's that saying? Many eyes makes for shallow bugs? Or maybe not.
Remember this?
http://yro.slashdot.org/story/13/05/14/1516247/microsoft-reads-your-skype-chat-messages?utm_source=commentcnt&utm_medium=feed#comments
A German user noticed that if he passed a link in a Skype message, the link was accessed by Skype servers?
Microsoft claimed it was to protect from malware. But now we know they're in the NSA's pocket, and the NSA is data mining all communications and storing them in the big database, the obvious conclusion to come to, is that this is part of NSA's data mining effort.
If you look at the 'Boundless Informant' leak, Germany is very heavily spied on by the NSA, and so German Skype chatter is likely a major target for interception. Germany is a big commercial competitor to the USA.
Also notice the fake 'RC Plane bomb plot in Germany' from yesterday... part of the marketing to try to quieten down German anger.
do they have access to the source code for the entire toolchain?
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
And how do you know that mind control isn't perfected by the government?
How do you know that you are actually alive and not just dreaming?
Then you know that the compiler has no known backdoors in it and won't put any in your code.
The C standard is available.
Just because you can read a book doesn't mean you're allowed to write it out and use that copy you created to read.
The agreement given does not include that. The report is in error, that wasn't made available, though there was the intent to do so *by the Australian government*. Microsoft didn't give them that right.
However, that isn't true.
Are the computers Chinese or Taiwanese because most of the manufacturing by weight is done by them? No? why not?
Cold you have to understand Australia. ... or accessing their own information stored in other countries’’...
They love MS; MS giving them code to look over after generational buy-in is just a trinket.
What was Australia going to do if it finds a project-related hole? File it with MS and hope it's fixed in weeks? Months? Many months?
Australia was just feeling bad over its lack of sufficient software source code and IP to allow its air force to understand some aircraft systems.
Source code became a political and defence issue with huge political efforts to try and get the US gov to be nice over the issue.
So for the US and MS to be seen to be offering Australia something was cute, but with today's insights, MS at a VOIP, server, cloud, code, consumer or filesystem level seems a tame tool of US gov interests.
http://www.smh.com.au/national/public-service/trade-war-up-in-the-clouds-20120529-1zhpg.html
Comments like this from the US:
‘‘...governments should not prevent service suppliers of other countries, or customers of those suppliers, from electronically transferring information internally or across borders
seem a bit of a LOL given the other line about 'a careful set of constraints to protect individual privacy'
Domestic spying is now "Benign Information Gathering"
I don't use threads -- I use multiple asynchronous processes, you insensitive clod!
that RMS knows about, it's having his backdoor probed and leaking.
This, right here, is the single best case for open source that has ever come along. The fact that neither government nor large corporations can be trusted has never been more clear.
The point is not that everyone needs to verify the code, but that anyone can do so, and that someone is likely to have done so.
Anyone can do so in theory but not in practice. I'm an engineer but software isn't my specialty. I have absolutely no way to evaluate personally if there is a backdoor in any of the software I'm using. I simply don't have the skillset and for various reasons am not going to develop it either. Even if I was a really plugged in software engineer like Mr. Torvalds, I simply wouldn't have the time to review every single line of code before compiling it all myself. Don't forget to check the compiler and the firmware.
Additionally while you are correct that someone is likely to have done so, the question is who? Is it someone we trust or is it someone we don't or both? I have absolutely no way to know. I simply have to trust. Don't get me wrong, I think open source is fantastic but pretending that the code is somehow immune from backdoors is pretty naive.
Microsoft has been installing the NSAKey in Windows since Windows 98; a special root key that grants them access to Windows cryptography services, ability to generate their own keys, decrypt things, and maybe install rootkits, bypassing the user. Some people think it's Trojan that even gives them stealth remote control capabilities. Microsoft has always been working with the NSA, and in turn, the NSA has always been getting into whatever they could possibly get their hands into. Welcome to the ultimate rootkit in society, next to Remote Neural Monitoring and Electronic Brain Link.
http://www.washingtonsblog.com/2013/06/microsoft-programmed-in-nsa-backdoor-in-windows-by-1999.html
and nsa.pdf @ http://www.oregonstatehospital.net/
He keeps hammering on the same message still, because people still didn't act, even when they know exactly what they ought to do.
Next time you're out and about, go ask some random person who is Richard Stallman.
Now ask yourself, if they never heard of him, what makes you think they're getting the message?
WE have heard of him and his message, but the general public hasn't. AND his warnings and claims come across as paranoia. I mean, before the NSA leaks, no one would ever believe our government would do such a thing - even here on Slashdot. How many times have folks said that the government is watching us only to have someone "point out" that it's "impossible" - here on Slashdot - supposedly the home of the most knowledgeable people on the Internet.
How can we expect John Q. Public to act when WE don't even believe half of it?
I'm telling you, next we will find out that the NSA/FBI has the ability to create instantaneous dossiers on people by just hitting the: Medical Information Bureau, Credit Bureaus, Google (I don't give a shit wtf they say in public!), ChoicePoint, state DMVs, IRS, state tax departments, and I bet quite a bit of internal databases, too. All through those backdoors.
FUCK! Anyone of us could code that!
No?
I guess he's a nobody, then.
One thing people keep neglecting to mention is that for the stuff we WANT to be public (e.g. source code), the cloud is a GREAT place to put it (but certainly not the only place we should put it).
BTW, "the cloud" is far too nebulous of a term for this discussion.
I know, use all their hardware, all kinds of software made by them and then whine when the enemy hacks you...
yup that rank 31 math avg and 21 reading skill really is starting to show up, ain't it...
now imagine if there are loads of smart people in the public then real stupid people must be workin for the gubermint
I'm sure you'll understand if I remain agnostic on the question, Mr. Huxley.
Since Microsoft and other companies are telling the NSA about bugs before they fix them, then Microsoft and those other companies will no longer need a grace period when Anonymous or other hackers find vulnerabilities. They should be published right away for all to see.
Given recent developments I have no reason to trust made in usa either...
Privacy is terrorism.
Yes you can.
There is no such thing as a license to use software in any law book. Software is protected by copyright only, so you can't profit from that, but you can modify it all you like.
For example: my girlfriend the other night told me that she is "on the rag".... So... I took a back door!
As a Linux user (note the non-use of the GNU prefix), I do not want Richard Stallman entering my back door.
The NSA is not a big worry, they aren't supposed to be using data for civilian law enforcement because they collect it ILLEGALLY. That is one thing the Patriot Act got horribly wrong.. The NSA are not police, and police don't get to spy like the NSA. Because the NSA is chartered and designed to go WHEREVER, WHENEVER they want, they aren't required to ask for warrants because judges aren't placed high enough to know what they can crack. The main problem is that the NSA is a SPY agency.. It's not SUPPOSED to be easy for them... They don't get to ask for secret rooms and software backdoors publicly because they're SECRET... They are supposed to TAKE what they want, and NOT GET CAUGHT.
They are supposed to be three steps ahead of the rest of us and the bad guys. That they are resorting to public data collection openly is beneath what they were founded to do.
do they have access to the source code for the entire toolchain?
For the benefit of those who don't know why this is important, this is a good explanation.
Actually, that, too, has been thought of and worked out. The trusting-trust attack can be fully countered through Diverse Double-Compiling. It's all over my head but the material is there at several levels of detail for those who would read it.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Here is a little SSL/TLS based server to protect your text chatting from government snooping and archiving forever:
https://bitbucket.org/hroll/alternative-f-r-unschuldige/src
@Ex-Company Wahabist nut-assets: AFU was made using Schweineschnitzel, so you won't get virgins if you use it !
What's wrong with keeping your FOSS code in the cloud, like on SourceForge or GitHub? The old "If you have nothing to hide" (paraphrased) argument is usually a fallacy, but it seems to apply well here.
i for one laud our friendly neighborhood Chinese hackers. ..errr ... fix new vulnerabilities.
it keeps windblows/NSA on their tiptoes to introduce
in a way, hackers (read:black) contribute to the "many eyes are good(tm)" paradigm.
with the economy going down the drain i wonder how many "researchers" don't feel
aligned to the community anymore, but more to the person with the FAT wallet.
and though crime can make you rich, it will never make you as rich as when
your business is NOT classified as a crime.
you know what, i could just yell "GO chinese hackers! do your thing!" but i think
it will just unleash some NSA controlled response from compromised windblows
computers at some china university : )
lol, captcha: renegade
some militaries use(or have used) customized windows versions at source level.
a fucking mess if you ask me, imagine running a custom branch of NT 4.0 as the backbone of your network.
world was created 5 seconds before this post as it is.
it seems like there should be a simple and effective way to prevent the NSA from collecting metadata on you with a properly configured HOSTS file. If there were only some smart cookie that could explain it to us.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
This is not even an academic question - there was actually a backdoor discovered in some software used by the Australian government provided by a US company. I believe it was in the late '90's, and it was news at the time... and I think it made Slashdot too. I can't seem to find a Google or Slashdot reference to it so I couldn't fault you if you decided to doubt the veracity of my story. I'm still searching though so I'll post if I find it.
I don't have any data under my personal control that I care if the government intercepts.
Really? Are you certain of that? Here's the thing. Information you have can look circumstantially damning for reasons beyond your control. Sometimes people's identity is mistaken or they are in the wrong place at the wrong time. Messages that are entirely innocent can at times be used against you in a court of law. Maybe you have communicated with someone you don't know
Is it likely that the government will come after you? Of course not. Like you say your information probably is completely uninteresting. But it's not inconceivable that it might be more interesting than you think.
My email is boring as hell.
Probably true but it doesn't follow that it could not be used against you under the right circumstances.
What about vPro in all intel haswell mobile chips
Hardware backdoor with ram access over the cell network and lan, hardware vlc client, etc. Remotely reenableable. Runs regardless of OS.
They almost always say that your info is not protected from authorities and that they comply with laws or even say directly they will volunteer info if authorities ask (no warrant or whatever required)
Democracy Now! - uncensored, anti-establishment news
Cloud hosting is extremely useful for some things, some of which I'd expect RMS to approve of.
For instance, if you are hosting GPL code then hosting it on a public cloud service makes sense. So what if the NSA can access it, so can everyone else and the license terms explicitly allow that.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Getting to the point of usability is going to be hard (unlikely that 3D printers are going to be able to replicate anything within the ballpark of a chip fab anytime soon, for example) but the more of the stack that's independently reproducible and open to public inspection the better.
I remember sigs. Oh, a simpler time!
Backdoor does not need a space in the middle.
Right about what? He is a Left wing conspiracy nut, who makes wild charges about anybody he doesn't like. Check out his website http://stallman.org/ before one mods me down.
For starters, which OS does the US government use that is made in China? Windows? Made in Redmond. Linux? Well, the US government tends to prefer RHEL derivatives, such as Scientific Linux, and even SE Linux features have made it back to the major Linux distros. So made in Raleigh, or Portland or Helsinki. I don't know how much of the government uses Apple, but that too is written in Cupertino, and if one is talking NeXT or Mach, it originated in Redwood Shores or Carnegie Mellon. BSD? OBSD is Canadian based, but thanks to Theo, the US government has blacklisted BSD and doesn't use it in anything. GNU? Okay, how much of it is developed in China?
So which Chinese made OS does the US government use, according to the man who judges a Lemote Yeeloong to be the only acceptably free system he can get his hands on? Does he actually think that the US government uses Red Flag Linux? Reading TFA, the interviewer referred to Huawei, which is a company blacklisted by a number of governments, and they don't write OSs - although they may well have written in back doors to that OS. But the solution in that case is what is already happening - blacklist Huawei, and let the US government ban their products from being used.
The flip side of his comments - that other countries shouldn't use OSs made in the US - is laughable. What OSs should they then use? Let's assume for a moment that his accusations against MS are true. Anything else they use would still be largely made in the US, unless any country chose to pick a pretty obscure OS made outside, such as L4, Minix, QNX, Haiku, and so on. If he were to say that governments should only use liberated OSs and not proprietary ones, one can agree w/ him, since there would be no way of embedding backdoors into such systems. But to say that an OS should not be made in China or the US or anywhere else is just his usual deranged self talking.
You should put your head out of the Windows box some day. Processes are not slow, and there is no reason for IPC to be slower than multi-thread data access (although a few implementations are).
Rethinking email
Memories...
Malvin: I can't believe it, Jim. That girl's standing over there listening and you're telling him about our back doors?
Jim Sting: [yelling] Mister Potato Head! Mister Potato Head! Back doors are not secrets!
Malvin: Yeah, but Jim, you're giving away all our best tricks!
Jim Sting: They're not tricks.
Nowhere in the article is it stated that they can compile the source.
I got an offer to read Windows source code once. That condition was there, I wouldn't have the environment needed to actually compile it. But I work in Brazil, it's possible that Australia got a special deal, there is just no evidence of that.
there is absolutely no way to process it in the cloud properly
Sure there is. It's called homomorphic encryption.
....Aaand now I'm thinking of some new kids' TV show hero figure, the Mighty Morphin Gay Ranger. He's rainbow-colored, naturally, so he has all the powers of all the other Rangers.
Not really what I wanted to be thinking about, but there you go.
"What in the name of Fats Waller is that?"
"A four-foot prune."
No, Stallman has never "advocate[d] open source software over any proprietary software" as he is not now nor has he ever been a part of the open source movement.
Stallman founded the free software movement over 10 years before the open source movement began. Since the open source movement began he has spent time explaining how the open source philosophy and practical outcomes are distinctly different from his older movement (an older version of this essay is also online). Every talk I've heard him give contains a cogent explanation about these differences.
Perhaps if you understood the differences you'd understand why "various foreign governments already hav[ing] access to the Windows source" doesn't respect a user's software freedom (not even for the governments that are allowed to read said source code as merely having and reading source code is insufficient to be considered "free software" or "open source" despite the confusion with the latter) and therefore does not actually address any of the salient issues he's raising. One of his recent talks, "What Makes Digital Inclusion Good or Bad?" from October 19, 2011 covers this ground and related issues quite well.
Digital Citizen
richard stallman is the biggest troll on the csail listserv. he's right some of the time, but all other times he trolls endlessly. guy has "antisocial" written in his dna.
why do people take him so seriously? it amazes me. obviously you haven't read the constant stream of spam he generates on the csail listserv...
The american democracy's secrets feed the idea
that if you're not american the web is a web and
just don't try to agitate your goodwill online because
dumb american contractors monitor you.
I think that Obama takes very seriously his oath
to protect only the american people the best he can.
He has just published a picture of himself in Goree
but it is not executive, it is symbolic.
"our Ukrainian QA team"
Does it bother anyone else that the NSA wrote code that is in the kernel of most Linux distributions? I don't know what it does, but it has something to do with basic security. I think it is called SELinux. I am not saying it is a backdoor, just that the NSA wrote it and last time I checked the default kernel settings for compiling a Ubuntu kernel, all the NSA modules had checkboxes next to them.
Can someone assure me that this code is "safe"? Or do all linux kernels have code in them that allows the NSA to do as it likes with my security?
So you think compiling clean windows code on Visual C++ makes it safe? Security holes aside, a hacked compiler will produce hacked compilers even if all the source everywhere is clean. A clear chain of trust is required. With the time and effort, a breach can be placed at lower levels in the chain and obfuscated at multiple points ensuring decades of access without requiring to be notified of security holes. (you'd think an org bigger than the CIA would have people capable of finding holes on their own let alone getting them put in.)
A security breach in the 90s in Visual C++ at MS themselves could likely continue to this day - they use their old software to compile their new software.
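The two comments above (the one on the trusting-trust attack and Diverse Double-Compiling, and the one on a hacked compiler reproducing itself through every later compiler build) describe a check that is easier to see in code. The following Python simulation is an added example, not code from the thread or from any of the projects mentioned: it models a self-hosting compiler as an opaque image, gives one shipped image Thompson's self-propagating trojan, and then runs Wheeler's DDC comparison against an independently built compiler. All compiler sources, the "machine" that executes images, and the backdoor marker are constructed toy stand-ins; in the real technique the images are actual binaries and the comparison is a byte-for-byte diff of the stage-2 build against the compiler under test. It also shows why the earlier question about whether a rebuild from source matches the deployed binary only has a meaningful answer when the build is deterministic.

```python
import hashlib

# --- constructed toy inputs (hypothetical, not from the thread) ---
CC_SRC = "compiler source v1"             # source of the compiler under suspicion
LOGIN_SRC = "int login(user, pw) { ... }"  # a program the trojan wants to subvert
BACKDOOR = b"<backdoor>"                   # stand-in for injected machine code

# The "machine" that executes images: maps opaque image bytes to their hidden
# behaviour (which code generator the image carries, and whether Thompson's
# trojan rides along). A reader of the bytes cannot tell; only running it can.
_MACHINE = {}


def _emit(source, codegen, trojaned):
    """Deterministic toy code generation: the output depends on the source text
    and on which code generator produced it (different compilers emit different
    code for the same source), plus the trojan payload if one is carried."""
    data = f"{codegen}|{source}".encode() + (b"|T" if trojaned else b"")
    return hashlib.sha256(data).digest()[:12]


def compile_with(compiler, source):
    """Run a compiler image on some source and return the produced image.
    A trojaned compiler (a) re-inserts the trojan whenever it recognises the
    compiler's own source, so clean CC_SRC still yields a trojaned compiler,
    and (b) plants BACKDOOR in any program that looks like a login routine."""
    codegen, trojaned = _MACHINE[compiler]
    if source == CC_SRC:
        img = _emit(source, codegen, trojaned)
        _MACHINE[img] = ("cc", trojaned)   # the new image is a cc-lineage compiler
        return img
    out = _emit(source, codegen, False)
    if trojaned and "login" in source:
        out += BACKDOOR
    return out


def vendor_image(trojaned):
    """The compiler binary as shipped: self-built from CC_SRC, source unseen."""
    img = _emit(CC_SRC, "cc", trojaned)
    _MACHINE[img] = ("cc", trojaned)
    return img


def trusted_image():
    """An independent compiler of a different lineage (one you bootstrapped
    yourself, or a second vendor's); it need not be fast or good, only honest."""
    img = _emit("independent compiler", "T", False)
    _MACHINE[img] = ("T", False)
    return img


def diverse_double_compile(suspect, trusted):
    """Wheeler's DDC check.
    stage1 = trusted(CC_SRC): a cc compiler whose code was generated by T.
    stage2 = stage1(CC_SRC): a cc compiler whose code was generated by cc itself.
    If CC_SRC is honest and the build is deterministic, stage2 must be
    byte-identical to the suspect's own self-rebuild; any difference means the
    suspect image does things its source does not say."""
    stage1 = compile_with(trusted, CC_SRC)
    stage2 = compile_with(stage1, CC_SRC)
    self_rebuild = compile_with(suspect, CC_SRC)
    return stage2 == self_rebuild


def has_backdoor(compiler):
    """Behavioural view: does this compiler plant the payload into login code?"""
    return compile_with(compiler, LOGIN_SRC).endswith(BACKDOOR)


if __name__ == "__main__":
    for label, trojaned in (("clean", False), ("trojaned", True)):
        img = vendor_image(trojaned)
        print(f"{label:8s} vendor compiler: DDC passes = "
              f"{diverse_double_compile(img, trusted_image())}, "
              f"backdoors login = {has_backdoor(img)}")
```

Note what the check does and does not need: the trusted compiler is never asked to agree with the suspect one, only to build it; the stage-2 image then stands or falls on its own against the suspect's rebuild. The simulation's `_MACHINE` table is the part that does not exist in reality, which is exactly the point of the original attack: nothing in the bytes of a binary announces that it is trojaned, so the defence has to come from an independent build path and a deterministic comparison rather than from inspection.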
Hello Everyone! This is my first time posting to slashdot in all the years I've been reading.
I have to ask a question: why is this article gone now? Why is techrights.org completely unreachable?
I don't mean to panic, but seriously, what is going on?? I'm getting error 503 (server error) when I try to go there.