Slashdot Mirror
Linus Torvalds Admits He's Been Asked To Insert Backdoor Into Linux
darthcamaro writes "At the Linuxcon conference in New Orleans today, Linus Torvalds joined fellow kernel developers in answering a barrage of questions about Linux development. One question he was asked was whether a government agency had ever asked about inserting a back-door into Linux. Torvalds responded 'no' while shaking his head 'yes,' as the audience broke into spontaneous laughter. Torvalds also admitted that while he as a full life outside of Linux he couldn't imagine his life without it. 'I don't see any project coming along being more interesting to me than Linux,' Torvalds said. 'I couldn't imagine filling the void in my life if I didn't have Linux.'"
Code does not have to be fully reviewed for the open source development process to discipline attempts at compromise. There is a nonzero probability that any given piece of code will be reviewed for reasons other than looking for a back door, and if the probability is higher than trivial, it would dissuade parties from attempting to surreptitiously put in a back door. If a back door were found, the contributor would be known and repercussions would follow.
Moreover, I would not be at all surprised if foreign governments who have a national security interest in running uncompromised operating systems have devoted time and resources specifically to code review of the kernel for potential compromises.
-- My choice of computing platform is a symbol of my individuality and belief in personal freedom.
This is so weird to most Europeans and Americans.... A common question by American teachers in my high-school in Bulgaria was, "does it make sense", usually followed by about half the people shaking their heads and half the people nodding, to the obvious (yet silent) horror of the teacher. They got used to it eventually.
What is best however is the never-ending rotational head movement that some people from the Indian subcontinent use.
Most of us don't feel important enough to worry about some government knowing our secrets. Yes, we know this gives a means for those governments to identify the people who have something to hide, and that isn't always a good thing, but it's easier than being paranoid.
Seems we need reminding of this classic by Ken Thompson.
Slip a backdoor into a RHEL 6.x (or any other major Linux distribution) version of GCC and make it do two major things:
1. Slip a backdoor into any Linux kernel it compiles.
2. Replicate itself in any version of GCC it compiles.
Choose some entry point which changes very rarely so the chances of incompatibility with new code is small.
This would probably keep RHEL with any kernel version tainted for generations of releases without very little chance of being spotted, because there are no changes in the distributed source code of either project
According to the recent human brain study, facts do not matter. So no wonder people still believe in things like Windows (or open-source) safety and security...
I can't recall where I saw that stated, and I have no idea how that would work.
It was a potential exploit on Intel's Ivy Bridge RNGs, and it wouldn't work on Linux, as /dev/random etc mix RDRAND with many other sources of entropy.
"I've got more toys than Teruhisa Kitahara."
Then again, the back door would be easier to find by criminals. I don't personally care that much about the NSA snooping through my e-mails. But if some criminal can read them just as easily, it's a different story.
From the description of the study, it seems to me that people who have formed an opinion won't change it just because they see a single piece of potentially falsified or misleading evidence. For example (looking at one of the experiments), if someone has an opinion on joblessness in the US - which might bring in factors of job stability, hours worked or attainment of a living wage - seeing a single graph on number of employed people in recent years does not allow us to conclude that joblessness has been reduced under Obama, unless you have a very primitive interpretation of "joblessness".
The only damning conclusion is that some academics are so arrogant that they assume test subjects must be faulty if they don't immediately believe the academic's interpretation of some data presented to them.
I wonder if anyone actually takes the responsibility to do this check. Maybe there are GCC binaries in the wild which replicate a backdoor.
Even if there were, you need only recompile your gcc source with llvm, icc, visual studio, or basically anything that isn't gcc to get a new compiler that won't replicate the backdoor any more. For extra fun, randomise the order of this compiling that compiling something else so that even backdoor reinsertions that cross the vendor boundary will eventually fail. Or write your own C++ interpreter in Python/Perl/whatever and use it to (very slowly) run gcc on itself - even if it takes a week you'll have a clean binary at the end. Yes, hiding such a backdoor seems scary to the untrained eye. It's also trivial to get rid of if you're paranoid enough to care.
I guess you probably think search warrants are stupid too, I mean what citizen wants the police to jump through hoops to catch criminals? If you have nothing to hide you should have no problem getting rid of police obstacles to ensuring our safety, right?
Read the constitution.
Many people have, and there are constitutional lawyers that have decided that it isn't against the law. Of course, they work for the government, but until someone can prove them wrong, you've got an opinion, they've got an opinion, and they're operating under the power of the people who make the decision about who is right and wrong.
I'm not saying your opinion is worthless, and I'm not saying you're wrong. I AM saying that if you're right, and they're wrong, you're not going to make change by crying about it on slashdot.
Comment removed based on user account deletion
What has been snuck past linus and the other code reviewers. Honestly Linus needs to do a call for people to comb through and look specifically for sneaky things. It's not hard to make something look innocent in C but instead it does evil. http://www.ioccc.org/ for example. or more scary... http://underhanded.xcott.com/
Linux needs a security team that is double checked by a team outside the USA so it can be the ONLY OS that can state, "Not compromised by the NSA"
Do not look at laser with remaining good eye.
As someone who used to work for the U.S. government, I can say that not everyone there is pure evil. I worked in the DoD, and it was more or less a normal workplace. If anything we were more sticklers for obeying the law there then we were anywhere else I've worked. Maybe because the lack of profit pressure removed one possible temptation to break the law.
It isn't just online. The average U.S. citizen breaks (by some estimates) about three federal laws each day, not to mention countless state and local laws. A cop who knows his laws can stop and detain you just about any time he chooses, because he'll be able to cite at least one law that you broke.
My own anecdote: many years back, when I first began working at my current job, I was commuting back and forth from a relative's house while my wife and I were looking for our own place to buy. I would travel about 20 minutes by interstate every morning and evening, and always observed a lot of state troopers pulling people over in the evenings. What I did not realize at the time was that this particular stretch of road was a major drug corridor, and that the troopers were looking for mules hauling large stashes.
One night I had to work late and was driving home after dark. Knowing how active the patrols were, I made certain to set my cruise control at the speed limit, so I wasn't particularly concerned when I saw a state trooper in my rear-view mirror - until the lights started flashing.
At the time I still had my Arizona license plates on my car, and the cops were sure they had a hot one. After a 15-minute stop and search of my car, I was on my way home. But what was the state trooper's excuse for stopping me?
You know those little plastic frames that auto dealers put around your license plate, with the dealer's name on it? Well, as it turns out, where I live it is illegal to obscure any part of your license plate, which means that I was breaking the law by having that plastic frame overlap my plate along the edges and corners. It gave the state trooper probable cause to stop me. At least he didn't give me a ticket.
The moral? Don't assume that this sort of behavior by the authorities is anything new, just because it happens online.
In reality, slipping a backdoor into Linux is much easier: just code it into a proprietary wireless firmware blob which is already a part of the (non-free) kernel distributed at linux.org. The mal-firmware can then spy and report directly from the network card, or use DMA to elevate itself to ring 0 on the main CPU. What makes this scenario most FUN is the sheer likelihood of such a backdoor being in place RIGHT NOW, within the official Linux git repo, since no approval or knowledge by Linus would be required to slip it in.
I never "trusted" windows, apple, google, or really any for-profit company, but I assumed because of their rational self-interest, they would not deliberately fuck me over in egregious ways to a third party, like a government, because the knowledge they had done so would be bad for business. So while I have always preferred free software, I would still use closed software because, meh, why not?
Since the PRISM slides, no. No. I have already or am in the process of eliminating from my life every closed platform I was using.
Except for video games. I have a computer that will boot windows for games and I own an Xbox, but that's it.
We don't have a state-run media we have a media-run state.
No, what that study proved is that people are lied to so often, that once they form an opinion they simply refuse to believe anything new.
Gamingmuseum.com: Give your 3D accelerator a rest.