Slashdot Mirror
Richard Stallman Speaks About Back Doors After NSA Documents Leak
An anonymous reader writes "Companies such as Microsoft, Facebook, Apple, and Google are scrambling to restore trust amid fresh litigation over the PRISM surveillance program. Richard Stallman, the founder of the Free Software Foundation and a newly-inducted member of the 2013 Internet Hall of Fame, speaks about not only abandoning the cloud, which he warned about 5 years ago, but also escaping software with back doors. 'I don't think the US government should use operating systems made in China,' he says in this new interview, 'for the same reason that most governments shouldn't use operating systems made in the US and in fact we just got proof since Microsoft is now known to be telling the NSA about bugs in Windows before it fixes them.'"
Stallman is right, in sofar that any sensible engineer should never have had his works, artefacts, algorithms and data "in" the cloud. Period.
Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
His record for being correct is rather unusual.
Stallman's position isn't a surprise. I expect him to advocate open source software over any proprietary software. He has for thirty plus years. Why would he change now? There is one thing he overlooks when he says:
'I don't think the US government should use operating systems made in China,' ... 'for the same reason that most governments shouldn't use operating systems made in the US
Stallman overlooks the fact that various foreign governments already have access to the Windows source.
Microsoft to Share Source Code With Governments
Microsoft Corp. announced this week it is making the programming code for its Office 2003 software suite available to government agencies around the globe, a move partly aimed at allowing them to inspect the product for flaws and security problems.
Though Microsoft usually guards such software coding tightly, the step is an extension of an initiative the company began in January 2003 giving about 60 governments access to the inner workings of the Windows operating system. This is the first time the software giant has shared the source code for Office, which includes the Word text processing, Excel spreadsheet, and PowerPoint presentation programs.
Microsoft Grants Governments Access to Windows
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
No its not. There are distros based in all parts of the world. Also the difference here is that the source code is freely available for all to see.
Linux was made in Finland.
Yet another Yank taking claim for other's achievements.
You're not allowed to build your own version of the software from the source. This is why one of the FSF rights is the ability to compile the program for use.
Seems in pointing out what Stallman "forgot", you forgot something yourself.
“...the result of having the secret key inside your Windows operating system “is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system“. The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards”
GNU/Linux is open source, so you can (in theory) verify for yourself that there aren't any back doors. And if there are, you can fix them
That's true, but not if you're among the 99+ % that installs a binary distribution.
The point is not that everyone needs to verify the code, but that anyone can do so, and that someone is likely to have done so.
In Murphy We Turst
But equally there are thousands of really talented programmers who examine the source code very thoroughly, many of whom contribute back. If there were back doors then there is a high chance that they would have been detected. Plus anyone really paranoid about it CAN go and check the source code to make sure for themselves.
With propriety operating systems you do not have that luxury.
While it is true that Microsoft is agreeing in certain cases to give access to the source code to Windows, it appears actually getting your hands on the code is sometimes harder than expected.
Point in case, Éric Filiol, an ex French intelligence officer from DGSE (the Directorate-General for External Security) recently explained that
“The French State can't obtain certain pieces of technical information on the WIndows kernel. A country that has nuclear fire and is a member of the UN's Security Council can't make Microsoft reveal necessary informations on a système that is absolutely everywhere.”
("L’État français n’arrive pas à obtenir certaines informations techniques précises sur le noyau Windows. Un pays doté de l’arme nucléaire et membre du conseil de sécurité des Nations-Unies ne peut pas contraindre Microsoft de lui donner des informations nécessaire sur un système qui est absolument partout".)
Source:
http://www.numerama.com/magazine/26360-la-france-n-arrive-pas-a-avoir-des-informations-sur-le-noyau-windows.html
So there seems to be a difference between what is announced and what happens.
The kernel work started in Finland, but most of the work and most of the GNU system originated in other countries and most prominently the USA.
It does when you compile, compare md5 hash, and verify that they're bit-for-bit identical. Jeez, it's like someone already thought of this.
Only on
RMS's comments about OS back-doors are rather dated, since M$ made Win2K source available to governments many years ago. It gave a whole new meaning to the Windows joke, "That's not a bug, that's a feature!"
He is, however, spot on about "the cloud". No engineer or admin in his right mind would entrust his/her organization's data to a medium riddled with security, privacy, and reliability flaws.
Bean counters are all for the cost savings of "the cloud" until you clearly spell out the risks involved. Accountants and executives hate taking big risks for only a tiny commensurate potential for gain.
Scruting the inscrutable for over 50 years.
But who compiled the compiler?
http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
Some Microsoft bugs take a ridiculous amount of time to get fixed and all the reports seem to fall on deaf ears. We bash Microsoft for this behaviour but doesn't having a reporting relationship with the NSA help it all to make sense? Taking a long time to fix? Well, they may not be done exploiting it yet. Falls on deaf ears? Well maybe it's not a "bug" but a back door that no one was supposed to know about and Microsoft cannot comment on it without NSA approval.
I remember Microsoft's denials about intercepting Skype, yet the PRISM leak shows they can fully intercept everything:
http://gizmodo.com/what-is-prism-511875267
There are two worlds here, companies that cooperated with NSA illegal spying and those that didn't. They chose their sides, they chose the side against the constitution. That's not my side, I need to secure my data against NSA and its corporate allies.
Skype leak shows they can intercept voice communications, the files you sent, the text messages, the video of your conversations, the lot, and it's a live intercept, so its a live connection too. I bet they can even turn on the camera and mic remotely on Skype.
Then we find out Stuxnet is confirmed as NSA. So no doubt where all those zero day exploits came from, Microsoft themselves:
http://www.guardian.co.uk/world/2013/jun/28/general-cartwright-investigated-stuxnet-leak
So all the scary hackers out there making Stuxnet? They're the NSA itself.
I don't trust this Windows box in front of me currently, my server is being moved out of the USA, this Windows box is next.
This wasn't about the win2k NSA key, it is about Microsoft passing info about zero day exploits to the NSA instead of fixing them, so the NSA can use them to break into people's computers and spy on them. This came out in the news in just the past few days (not sure if revealed by Snowden or someone else). It would seem to explain why Microsoft is so damn slow about fixing bugs.
I'm afraid you've got it wrong. At least Australia can build from source. I doubt they got a special deal.
Australia to see Windows source code
The ability to build from source would seem to be a key aspect of verifying the code. I'm not sure why you think they wouldn't be able to do it. What they probably can't do is distribute the binaries for free - they still have to pay Microsoft for the distribution of software.
Also, it seems likely that by providing their code to foreign governments, Microsoft is picking up what to them is free services of what are no doubt some of the best software engineers in government looking over their code, and probably sending in the occasional bug report. What's that saying? Many eyes makes for shallow bugs? Or maybe not.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
Remember this?
http://yro.slashdot.org/story/13/05/14/1516247/microsoft-reads-your-skype-chat-messages?utm_source=commentcnt&utm_medium=feed#comments
A german user noticed that if he passed a link in a skype message, the link was accessed by Skype servers?
Microsoft claimed it was to protect from malware. But now we know they're in the NSA's pocket, and the NSA is data mining all communications and storing them in the big database, the obvious conclusion to come to, is that this is part of NSA's data mining effort.
If you look at 'Boundless Informant' leak, Germany is very heavily spied on by the NSA, and so German Skype chatter is likely a major target for interception. Germany is a big commercial competitors to the USA.
Also notice the fake 'RC Plane bomb plot in Germany' from yesterday... part of the marketing to try to quieten down German anger.
... [A]nyone can [ verify the code], and ... someone is likely to have done so.
Yes. The NSA guy who wrote the patch, and three of his astroturfing friends.
The "Many Eyes" fallacy is important here. Unless you can verify the authenticity of the code yourself, you need to verify the authenticity of the person verifying the code. Do you know all of the kernel devs personally? How about the X / Mir / $module devs? How many people actually write code for kernelspace? How many modify it for their particular distribution of choice? Do you trust those people?
Finally had enough. Come see us over at https://soylentnews.org/
And how do you know that mind control isn't perfected by the government?
How do you know that you are actually alive and not just dreaming?
The point is not that everyone needs to verify the code, but that anyone can do so, and that someone is likely to have done so.
Anyone can do so in theory but not in practice. I'm an engineer but software isn't my specialty. I have absolutely no way to evaluate personally if there is a backdoor in any of the software I'm using. I simply don't have the skillset and for various reasons am not going to develop it either. Even if I was a really plugged in software engineer like Mr. Torvalds, I simply wouldn't have the time to review every single line of code before compiling it all myself. Don't forget to check the compiler and the firmware.
Additionally while you are correct that someone is likely to have done so, the question is who? Is it someone we trust or is it someone we don't or both? I have absolutely no way to know. I simply have to trust. Don't get me wrong, I think open source is fantastic but pretending that the code is somehow immune from backdoors is pretty naive.
Microsoft has been installing the NSAKey in Windows since Windows 98; a special root key that grants them access to Windows cryptography services, ability to generate their own keys, decrypt things, and maybe install rootkits, bypassing the user. Some people think it's Trojan that even gives them stealth remote control capabilities. Microsoft has always been working with the NSA, and in turn, the NSA has always been getting into whatever they could possibly get their hands into. Welcome to the ultimate rootkit in society, next to Remote Neural Monitoring and Electronic Brain Link.
http://www.washingtonsblog.com/2013/06/microsoft-programmed-in-nsa-backdoor-in-windows-by-1999.html
and nsa.pdf @ http://www.oregonstatehospital.net/
He keeps hammering on the same message still, because people still didn't act, even when they know exactly what they ought to do.
Next time you're out and about, go ask some random person who is Richard Stallman.
Now ask yourself, if they never heard of him, what makes you think they're getting the message?
WE have heard of him and his message, but the general public hasn't. AND his warnings and claims come across as paranoia. I mean, before the NSA leaks, no one would ever believe our government would do such a thing - even here on Slashdot. How many times have folks said that the government is watching us only to have someone "point out" that it's "impossible" - here on Slashdot - supposedly the home of the most knowledgeable people on the Internet.
How can we expect John Q. Public to act when WE don't even believe half of it?
I'm telling you next we will find out that the NSA/FBI has the ability to create instantaneous dossiers on people by just hitting the: Medical Information Bureau, Credit Bureaus, Google (I don't a shit wtf they say in public!), ChoicePoint, state DMVs, IRS, state tax departments, and I bet quite a bit of internal databases, too. All through those backdoors.
FUCK! Anyone of us could code that!
One thing people keep neglecting to mention is that for the stuff we WANT to be public (e.g. source code), the cloud is a GREAT place to put it (but certainly not the only place we should put it).
BTW, "the cloud" is far too nebulous of a term for this discussion.
But equally there are thousands of really talented programmers who examine the source code very thoroughly, many of whom contribute back.
Not really, most of each of thousands of projects have at most a few core developers and extraneous people who occasionally submit patches to fix specific itches. There is no "A team" scouring all open source for vulnerabilities from the simple fact such vulnerabilities most certainly do exist as innocent bugs and have not been reported by such teams.
To illustrate this point the linux kernel is developed by armies of smart people yet an automated tool found a laundry list of shit that has been around for years nobody noticed.
http://www.coverity.com/library/pdf/linux_report.pdf
If there were back doors then there is a high chance that they would have been detected.
There is no difference between a backdoor and a vulnerability. The logic that deliberate backdoors would be detectable in source code when we know from experience innocent bugs having the same effect as a backdoor have a proven track record of not being detectable is simply wishful thinking and wrong.
Plus anyone really paranoid about it CAN go and check the source code to make sure for themselves.
I suppose anyone can drain the earths oceans with an eye dropper as well.
Since Microsoft and other companies are telling the NSA about bugs before they fix them, then Microsoft and those other companies will no longer need a grace period when Anonymous or other hackers find vulnerabilities. They should be published right away for all to see.
Given recent developments I have no reason to trust made in usa either...
Privacy is terrorism.
do they have access to the source code for the entire toolchain?
For the benefit of those who don't know why this is important, this is a good explanation.