Slashdot Mirror
Richard Stallman Speaks About Back Doors After NSA Documents Leak
An anonymous reader writes "Companies such as Microsoft, Facebook, Apple, and Google are scrambling to restore trust amid fresh litigation over the PRISM surveillance program. Richard Stallman, the founder of the Free Software Foundation and a newly-inducted member of the 2013 Internet Hall of Fame, speaks about not only abandoning the cloud, which he warned about 5 years ago, but also escaping software with back doors. 'I don't think the US government should use operating systems made in China,' he says in this new interview, 'for the same reason that most governments shouldn't use operating systems made in the US and in fact we just got proof since Microsoft is now known to be telling the NSA about bugs in Windows before it fixes them.'"
His record for being correct is rather unusual.
Stallman's position isn't a surprise. I expect him to advocate open source software over any proprietary software. He has for thirty plus years. Why would he change now? There is one thing he overlooks when he says:
'I don't think the US government should use operating systems made in China,' ... 'for the same reason that most governments shouldn't use operating systems made in the US
Stallman overlooks the fact that various foreign governments already have access to the Windows source.
Microsoft to Share Source Code With Governments
Microsoft Corp. announced this week it is making the programming code for its Office 2003 software suite available to government agencies around the globe, a move partly aimed at allowing them to inspect the product for flaws and security problems.
Though Microsoft usually guards such software coding tightly, the step is an extension of an initiative the company began in January 2003 giving about 60 governments access to the inner workings of the Windows operating system. This is the first time the software giant has shared the source code for Office, which includes the Word text processing, Excel spreadsheet, and PowerPoint presentation programs.
Microsoft Grants Governments Access to Windows
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
You're not allowed to build your own version of the software from the source. This is why one of the FSF rights is the ability to compile the program for use.
Seems in pointing out what Stallman "forgot", you forgot something yourself.
GNU/Linux is open source, so you can (in theory) verify for yourself that there aren't any back doors. And if there are, you can fix them
That's true, but not if you're among the 99+ % that installs a binary distribution.
The point is not that everyone needs to verify the code, but that anyone can do so, and that someone is likely to have done so.
In Murphy We Turst
But equally there are thousands of really talented programmers who examine the source code very thoroughly, many of whom contribute back. If there were back doors then there is a high chance that they would have been detected. Plus anyone really paranoid about it CAN go and check the source code to make sure for themselves.
With propriety operating systems you do not have that luxury.
While it is true that Microsoft is agreeing in certain cases to give access to the source code to Windows, it appears actually getting your hands on the code is sometimes harder than expected.
Point in case, Éric Filiol, an ex French intelligence officer from DGSE (the Directorate-General for External Security) recently explained that
“The French State can't obtain certain pieces of technical information on the WIndows kernel. A country that has nuclear fire and is a member of the UN's Security Council can't make Microsoft reveal necessary informations on a système that is absolutely everywhere.”
("L’État français n’arrive pas à obtenir certaines informations techniques précises sur le noyau Windows. Un pays doté de l’arme nucléaire et membre du conseil de sécurité des Nations-Unies ne peut pas contraindre Microsoft de lui donner des informations nécessaire sur un système qui est absolument partout".)
Source:
http://www.numerama.com/magazine/26360-la-france-n-arrive-pas-a-avoir-des-informations-sur-le-noyau-windows.html
So there seems to be a difference between what is announced and what happens.
The kernel work started in Finland, but most of the work and most of the GNU system originated in other countries and most prominently the USA.
RMS's comments about OS back-doors are rather dated, since M$ made Win2K source available to governments many years ago. It gave a whole new meaning to the Windows joke, "That's not a bug, that's a feature!"
He is, however, spot on about "the cloud". No engineer or admin in his right mind would entrust his/her organization's data to a medium riddled with security, privacy, and reliability flaws.
Bean counters are all for the cost savings of "the cloud" until you clearly spell out the risks involved. Accountants and executives hate taking big risks for only a tiny commensurate potential for gain.
Scruting the inscrutable for over 50 years.
But who compiled the compiler?
http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
Some Microsoft bugs take a ridiculous amount of time to get fixed and all the reports seem to fall on deaf ears. We bash Microsoft for this behaviour but doesn't having a reporting relationship with the NSA help it all to make sense? Taking a long time to fix? Well, they may not be done exploiting it yet. Falls on deaf ears? Well maybe it's not a "bug" but a back door that no one was supposed to know about and Microsoft cannot comment on it without NSA approval.
Duh ;-)
Everything I write is lies, read between the lines.
Disclaimer: I am an IT Security professional.
It all depends on your thread scenario. Most of the smaller side-projects I work on are of no interest to any entity able to intercept the data transfers, so I don't mind storing stuff in, say, Evernote or Dropbox where it is more convenient to do so.
The stuff that the survival of my small company depends on, running my own servers is worth the effort. For my holiday pictures, iCloud is perfectly acceptable.
Assorted stuff I do sometimes: Lemuria.org
I remember Microsoft's denials about intercepting Skype, yet the PRISM leak shows they can fully intercept everything:
http://gizmodo.com/what-is-prism-511875267
There are two worlds here, companies that cooperated with NSA illegal spying and those that didn't. They chose their sides, they chose the side against the constitution. That's not my side, I need to secure my data against NSA and its corporate allies.
Skype leak shows they can intercept voice communications, the files you sent, the text messages, the video of your conversations, the lot, and it's a live intercept, so its a live connection too. I bet they can even turn on the camera and mic remotely on Skype.
Then we find out Stuxnet is confirmed as NSA. So no doubt where all those zero day exploits came from, Microsoft themselves:
http://www.guardian.co.uk/world/2013/jun/28/general-cartwright-investigated-stuxnet-leak
So all the scary hackers out there making Stuxnet? They're the NSA itself.
I don't trust this Windows box in front of me currently, my server is being moved out of the USA, this Windows box is next.
No it's not. A classical networked system belongs to a single company, and there's a clear separation between the inside (which is mostly trusted) and the outside (which is not trusted). A cloud system blurs the distinction, so you never know if the stuff you're accessing is actually being used by untrusted people who are going to steal your secrets, blackmail you, etc.
And how do you know that mind control isn't perfected by the government?
How do you know that you are actually alive and not just dreaming?
there are also those famous secret debug modes in AMD and Intel's chips, that grants above operating system level control, and unlocks hidden CPU resources. this has got to be the under workings of a secret NSA toolkit for full hardware and software control. I give you the AMD CPU password, which was exposed and documented in 2010:
http://hardware.slashdot.org/story/10/11/12/047243/hidden-debug-mode-found-in-amd-processors
don't you think this was all put in there for a reason? The NSA gets what they want and they want it all, they want to know everything going on inside everyone's home, in every square inch of America - this was all done by design. no one is doing anything to challenge or stop them. look at how none of these companies bothers to complain before years later something about the program they're running, which they now claim to have been against, is exposed. it's crazy, and we're not even getting to the half of it. most of this was done without warrants or any involvement from any court...
He keeps hammering on the same message still, because people still didn't act, even when they know exactly what they ought to do.
Next time you're out and about, go ask some random person who is Richard Stallman.
Now ask yourself, if they never heard of him, what makes you think they're getting the message?
WE have heard of him and his message, but the general public hasn't. AND his warnings and claims come across as paranoia. I mean, before the NSA leaks, no one would ever believe our government would do such a thing - even here on Slashdot. How many times have folks said that the government is watching us only to have someone "point out" that it's "impossible" - here on Slashdot - supposedly the home of the most knowledgeable people on the Internet.
How can we expect John Q. Public to act when WE don't even believe half of it?
I'm telling you next we will find out that the NSA/FBI has the ability to create instantaneous dossiers on people by just hitting the: Medical Information Bureau, Credit Bureaus, Google (I don't a shit wtf they say in public!), ChoicePoint, state DMVs, IRS, state tax departments, and I bet quite a bit of internal databases, too. All through those backdoors.
FUCK! Anyone of us could code that!
it may end up up costing you more money to put stuff on the cloud if you want to do it properly.
If your data is sensitive, there is absolutely no way to process it in the cloud properly. The data has to be decrypted to a usable form before it can be processed. Cloud storage? OK, but why would you do that without actually doing your processing in the cloud, too? There's other solutions for backups which would cost less and leave you less confused about where your data is located.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Disclaimer: I am an IT Security professional.
It all depends on your thread scenario. Most of the smaller side-projects I work on are of no interest to any entity able to intercept the data transfers, so I don't mind storing stuff in, say, Evernote or Dropbox where it is more convenient to do so.
The stuff that the survival of my small company depends on, running my own servers is worth the effort. For my holiday pictures, iCloud is perfectly acceptable.
I might go along with that except for the fact that the US Government is heavily involved with metadata. Metadata is still data and there are things that can be done with that data or they wouldn't be be collecting it. You may not like some of the things they do with that data.
And, for your sake, I hope that your holidays were all spent in good solid loyal patriotic places in the USA so that there's nothing treasonous that they can infer from the pictures once they use the metadata to get a FISA warrant to look at the actual data.
In an era when almost everyone either deals with offshore companies or has immigrant friends or neighbours, the assurance that "only foreign communications are examined" doesn't give much comfort.
Are you kidding? The cloud is just a rebranding of networked systems. If you fear the cloud you might as well disconnect your networks.
No it isn't. Cloud servers - excepting the in-house clouds - are owned and operated by third parties. Who can be silently descended on by grim suit-wearing individuals with badges and pried open without your permission. Or your knowledge, since many of these programs make it a criminal offense to even mention the prying.
You don't even have to be the primary target, since you are sharing the resources with who knows what other questionable characters. More than one innocent business has been bitten because it turned out the next rack over leased space to Arab charities or hosted some sort of downloading service.
With all due deference to a slashdotter with a 3 digit UID, I'd like to point out the danger of your last statement.
Primarily, the risk is that your smaller, side-projects may indeed pan out to be your primary revenue stream in the business environment of the future. But the consolidation affect is at least as dangerous. The conclusions that can be drawn by a talented analysts from the sum total of your small, seemingly insignificant data leaks can be staggeringly powerful. And if you think that your company is not worth the time of a talented analyst, then you may not have been paying attention to the cultural make-up of our current competitors in the world today. -- They take the time to analyze everything they can.
Now, I don't want to go off on a rant... but I did want to throw that out.
That said... Sure. Holiday pics fit nicely into a cloud.
___ I don't respond to Anonymous Cowards, and I Never Mod them UP.
One thing people keep neglecting to mention is that for the stuff we WANT to be public (e.g. source code), the cloud is a GREAT place to put it (but certainly not the only place we should put it).
BTW, "the cloud" is far too nebulous of a term for this discussion.
In an era where the NSA lied about the existence of the program, lied about the level of oversight, lied about the effectiveness of the program, and lied about what data was collected, ANY assurance from the executive branch doesn't give much comfort.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
But equally there are thousands of really talented programmers who examine the source code very thoroughly, many of whom contribute back.
Not really, most of each of thousands of projects have at most a few core developers and extraneous people who occasionally submit patches to fix specific itches. There is no "A team" scouring all open source for vulnerabilities from the simple fact such vulnerabilities most certainly do exist as innocent bugs and have not been reported by such teams.
To illustrate this point the linux kernel is developed by armies of smart people yet an automated tool found a laundry list of shit that has been around for years nobody noticed.
http://www.coverity.com/library/pdf/linux_report.pdf
If there were back doors then there is a high chance that they would have been detected.
There is no difference between a backdoor and a vulnerability. The logic that deliberate backdoors would be detectable in source code when we know from experience innocent bugs having the same effect as a backdoor have a proven track record of not being detectable is simply wishful thinking and wrong.
Plus anyone really paranoid about it CAN go and check the source code to make sure for themselves.
I suppose anyone can drain the earths oceans with an eye dropper as well.
Disclaimer: I am an IT Security professional.
It all depends on your thread scenario. Most of the smaller side-projects I work on are of no interest to any entity able to intercept the data transfers, so I don't mind storing stuff in, say, Evernote or Dropbox where it is more convenient to do so.
The stuff that the survival of my small company depends on, running my own servers is worth the effort. For my holiday pictures, iCloud is perfectly acceptable.
I am also a security professional, and I mirrored your attitude until just a few weeks ago. Silly me, I figured that nobody cared to which political party I belonged, nor what religious group, nor that I am military and actually believe in the constitution. Unfortunately, it turns out that in our government, you may indeed be targeted based upon any of the above.
And now, there are indications (I can't find the article), that you will be targeted if you attempt to maintain your privacy from the government on these things by using encryption, etc. (And I'll probably go up on several watch-lists due to this post. *sigh*.)
To be honest, I'm not really sure what to do. You're damned if you do, and damned if you don't.
Given recent developments I have no reason to trust made in usa either...
Privacy is terrorism.
I would like to point out that the assertion that the NSA collects metadata is a strawman. A fictitious scenario that was constructed by relabeling plain data as "metadata", because it is perceived to be not as awful as pilfering through personally identifiable information. In fact, phone numbers, Identifying numbers, account numbers, names, times, and dates are all just data. An example of metadata would be something describing the format of a displayed phone number, but the number itself is just pure data. I only bring it up it up because I see even people here on slashdot, who are normally smarter on these issues than the mainstream, are starting to take these falsehoods at face value.