Slashdot Mirror


Linus Torvalds Admits He's Been Asked To Insert Backdoor Into Linux

darthcamaro writes "At the Linuxcon conference in New Orleans today, Linus Torvalds joined fellow kernel developers in answering a barrage of questions about Linux development. One question he was asked was whether a government agency had ever asked about inserting a back-door into Linux. Torvalds responded 'no' while shaking his head 'yes,' as the audience broke into spontaneous laughter. Torvalds also admitted that while he has a full life outside of Linux he couldn't imagine his life without it. 'I don't see any project coming along being more interesting to me than Linux,' Torvalds said. 'I couldn't imagine filling the void in my life if I didn't have Linux.'"

78 of 576 comments

  1. Would probably be found by MadX · · Score: 5, Funny

    *If* such a mechanism was coded in, the nature of open source would mean it would be found by others. This in turn would compromise the trust of the ENTIRE kernel. That trust can take years to build up - but be destroyed in a heartbeat.

    1. Re:Would probably be found by phantomfive · · Score: 4, Insightful

      That trust can take years to build up - but be destroyed in a heartbeat.

      You'd think so, but somehow people still trust Windows, even though it most certainly has been compromised.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Would probably be found by DerPflanz · · Score: 4, Insightful

      Being compromised isn't the issue. The Linux kernel has been compromised as well.

      The issue here, is that there is a backdoor being built-in deliberately. That could compromise trust.

      --
      -- The Internet is a too slow way of doing things, you'd never do without it.
    3. Re:Would probably be found by Rosco P. Coltrane · · Score: 4, Insightful

      Yes, that's the conventional wisdom with open-source. But tell me: when was the last time you went to inspect the code deep in the kernel? How many open-source code users do you think have the time, desire and ability - and probably paranoia - to go and inspect the code in *any* open-source project of reasonable size, let alone something as complex as the kernel?

      I don't think someone could slip funny code in the main kernel tree - too many specialists reviewing the patches - but I'm convinced that if Canonical, SuSE or RH wanted to distribute a tainted kernel, they could do it undetected for a very long time, if not indefinitely.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    4. Re:Would probably be found by phantomfive · · Score: 5, Insightful

      The issue here, is that there is a backdoor being built-in deliberately. That could compromise trust.

      There is that possibility. Once again, this is a possibility we've known about for a while, and it hasn't caused people to leave Windows in droves. I think it's something most people just must not care about.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Would probably be found by mwvdlee · · Score: 4, Insightful

      If anybody were somehow forced to submit a backdoor, it would be very easy to just tip off a random fellow developer to "discover" it.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    6. Re:Would probably be found by jma05 · · Score: 5, Insightful

      It's unlikely that such a backdoor, should it exist, would be coded so obviously, since the source is published. Instead, it would more likely be in the form of a subtle buffer overflow that results in privilege escalation or such, such that when found, it could simply be labeled as a bug rather than a backdoor... plausible deniability.

    7. Re:Would probably be found by Jeremi · · Score: 5, Insightful

      *If* such a mechanism was coded in, the nature of open source would mean it would be found by others. This in turn would compromise the trust of the ENTIRE kernel. That trust can take years to build up - but be destroyed in a heartbeat.

      If it was obviously a deliberate back door, sure. Which is why the clever hacker/government-agency would be a lot more subtle -- rather than a glaring "if (username == "backdoor") allowRootAccess();", they'd put a very subtle mistake into the code instead. If the mistake was detected, they could then simply say "oops, my bad", and it would be fixed for the next release, but other than that nobody would be any the wiser. Repeat as necessary, and the visible results might not look too different from what we actually have.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    8. Re:Would probably be found by Starky · · Score: 4, Interesting

      Code does not have to be fully reviewed for the open source development process to discipline attempts at compromise. There is a nonzero probability that any given piece of code will be reviewed for reasons other than looking for a back door, and if the probability is higher than trivial, it would dissuade parties from attempting to surreptitiously put in a back door. If a back door were found, the contributor would be known and repercussions would follow.

      Moreover, I would not be at all surprised if foreign governments who have a national security interest in running uncompromised operating systems have devoted time and resources specifically to code review of the kernel for potential compromises.

      --
      -- My choice of computing platform is a symbol of my individuality and belief in personal freedom.
    9. Re:Would probably be found by rioki · · Score: 4, Insightful

      Do you compile your programs from source and check that it is the last valid version from the project, or do you install rpm or deb binary packages? Even if the actual project is vetted, it is near impossible to validate everything that comes through the automatic updates. This is definitely a point of failure, since you only need one person, the person that has access to the signing keys and the update server. So you trust Canonical, Red Hat, SuSE to be fully vetted? Open source is better than closed source vendors, but in the end, if you download binaries you are at the mercy of the person who built them.

    10. Re:Would probably be found by AlphaWoIf_HK · · Score: 5, Insightful

      You don't even need to have something to hide; you just need to anger the wrong people at the wrong time. What the government thinks is 'bad' is not necessarily what you think is 'bad,' so you're always in danger, no matter how unimportant you believe yourself to be.

      --
      Da derp dee derp da teedly derpee derpee dum. Rated PG-13.
    11. Re: Would probably be found by Anonymous Coward · · Score: 3, Informative

      As Thompson explains in his Reflections on Trusting Trust (http://cm.bell-labs.com/who/ken/trust.html), even if you download everything in source form and review it, you are still susceptible to manipulation if you use the compiler binary and haven't reviewed its source.

      Or the source of the compiler compiling that compiler, and so on.

    12. Re:Would probably be found by Mr. Freeman · · Score: 4, Insightful

      You raise a good point, and there's actually a lot of evidence proving you correct. There have been more than a few security vulnerabilities that have persisted in the code for various widely-used pieces of open-source software for years. One was even found and patched but then quickly reverted without anyone noticing.

      What people fail to understand is that proper security reviews are more than "let's just take a look at the code and make sure that it's not sending email to the NSA." You also can't perform a proper review with a bunch of hobbyist coders, you need highly-trained experts. Every single line of code needs to be checked, double checked, and triple checked against every single other line in the code to make sure that there isn't anything that could possibly compromise the security of the system. These failures are always subtle and usually unintentional.

      This is best summed up with an example. Any idiot can look at the code and say "wait a second, this code copies the decryption key and sends an email to the NSA!" Only a very methodical search with a lot of people can say "hey, we've determined that this implementation of this specific part of this specific algorithm probably doesn't have a large amount of randomness over a long period of time. It likely decays such that the complexity is reduced to such and such a number of bits after such and such an amount of time and in these specific situations. This is a problem!"

      --
      -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
    13. Re:Would probably be found by jamesh · · Score: 4, Insightful

      How many open-source code users do you think have the time, desire and ability - and probably paranoia - to go and inspect the code in *any* open-source project of reasonable size, let alone something as complex as the kernel?

      There's a whole industry evolved around finding exploitable holes in Windows, and there's no source available for that at all[1]. You can be sure the bad guys have given it a thorough going over and if there was a generic hole (I doubt you could slip an "if password = NSA then accept" style patch by the gatekeeper so it would need to be subtle and generic) it would be found. Admittedly this is not ideal but as soon as the bad guys use their exploit it will be effectively disclosed and then fixed.

      [1] actually it would be reasonable to assume that at least some source for windows is in the hands of the bad guys...

    14. Re:Would probably be found by vague regret · · Score: 4, Interesting

      According to the recent human brain study, facts do not matter. So no wonder people still believe in things like Windows (or open-source) safety and security...

    15. Re:Would probably be found by dmcq · · Score: 5, Informative

      Have a look at some of the code from the 'Underhanded C Contest' at http://underhanded.xcott.com/ where people write code that looks straightforward and nice and clear but contains deliberate evil bugs. I think that should remove any complacency and the NSA has a lot of money to spend on people posing as developers never mind the ones they stick onto standards bodies.

      --
      thou discernest my thoughts from afar
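The contrast that this comment and Jeremi's comment above draw, written out as an added C illustration (constructed for this page; it is not kernel code, not an entry from the Underhanded C Contest, and not code anyone in the thread posted): a glaring backdoor next to a one-character "mistake" with the same effect, and the invariant a reviewer or a test suite can use to catch both. `struct task`, `FLAG_A`, `FLAG_B`, `FLAG_MAGIC` and the `check_request_*` functions are hypothetical names.

```c
#include <stdio.h>

/* Hypothetical names for this illustration only (not kernel code). */
#define FLAG_A     0x1
#define FLAG_B     0x2
#define FLAG_MAGIC 0x7777

struct task {
    unsigned int uid;   /* 0 means the privileged (root) user */
};

typedef int (*check_fn)(struct task *, int);

/* The obvious form: a magic value hands out root. A reviewer spots this
 * in seconds because the intent is spelled out in plain sight. */
static int check_request_obvious(struct task *t, int flags)
{
    if (flags == FLAG_MAGIC)
        t->uid = 0;              /* glaring: silently grants root */
    return 0;
}

/* The subtle form: the intended test is `t->uid == 0` (reject this flag
 * combination when the caller is root). A single '=' in place of '=='
 * turns the comparison into an assignment that evaluates to 0, so the
 * error branch is never taken and the caller walks away as root. The
 * extra parentheses also silence gcc's -Wparentheses hint, so only a
 * human reader or a test notices that a permission check now modifies
 * the caller's credentials. */
static int check_request_subtle(struct task *t, int flags)
{
    if (flags == (FLAG_A | FLAG_B) && (t->uid = 0))
        return -1;               /* never reached: the assignment yields 0 */
    return 0;
}

/* What the author claims to have meant. */
static int check_request_fixed(struct task *t, int flags)
{
    if (flags == (FLAG_A | FLAG_B) && t->uid == 0)
        return -1;
    return 0;
}

/* Reviewer's invariant: an authorization check must never change the
 * caller's credentials, whatever it returns. Returns 1 if `fn` preserves
 * the uid for every flag value tried, 0 otherwise. */
static int check_preserves_uid(check_fn fn)
{
    const int flags_to_try[] = { 0, FLAG_A, FLAG_B, FLAG_A | FLAG_B, FLAG_MAGIC };
    size_t i;

    for (i = 0; i < sizeof flags_to_try / sizeof flags_to_try[0]; i++) {
        struct task t = { 1000 };          /* constructed unprivileged caller */
        (void)fn(&t, flags_to_try[i]);
        if (t.uid != 1000)
            return 0;                      /* credentials were modified */
    }
    return 1;
}

int main(void)
{
    printf("obvious preserves uid: %d\n", check_preserves_uid(check_request_obvious));
    printf("subtle  preserves uid: %d\n", check_preserves_uid(check_request_subtle));
    printf("fixed   preserves uid: %d\n", check_preserves_uid(check_request_fixed));
    return 0;
}
```

Compile with `gcc -Wall`: the parenthesized assignment produces no warning, which is exactly why a check like this has to be read, or exercised by a credentials-must-not-change test, rather than left to the compiler.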
    16. Re:Would probably be found by ozmanjusri · · Score: 3, Interesting

      I can't recall where I saw that stated, and I have no idea how that would work.

      It was a potential exploit on Intel's Ivy Bridge RNGs, and it wouldn't work on Linux, as /dev/random etc mix RDRAND with many other sources of entropy.

      --
      "I've got more toys than Teruhisa Kitahara."
    17. Re:Would probably be found by Talar · · Score: 5, Insightful

      This, and add to it that whatever is 'bad' doesn't have to be 'bad' today since the data will be kept practically forever for any future government to analyze. If you still don't have anything to hide you must have a confidence in both the current and all future governments that is so unshakeable I'd almost call it stupidity.

    18. Re:Would probably be found by michelcolman · · Score: 5, Interesting

      Then again, the back door would be easier to find by criminals. I don't personally care that much about the NSA snooping through my e-mails. But if some criminal can read them just as easily, it's a different story.

    19. Re:Would probably be found by Anonymous Coward · · Score: 5, Insightful

      You seem to assume that there are no criminals at all part of "the NSA". Considering the number of employees they have with most having fairly complete access it is almost certain that there are criminals with access to a lot of NSA data.

    20. Re:Would probably be found by AlphaWoIf_HK · · Score: 5, Insightful

      It is foolish to assume that the people working for the government are perfect angels who could never mean you any harm; this has never been true and never will be true.

      --
      Da derp dee derp da teedly derpee derpee dum. Rated PG-13.
    21. Re:Would probably be found by ObsessiveMathsFreak · · Score: 4, Insightful

      What a lot of people fail to recognise is that the people in charge of governments and the state tend to have the mentality and vindictiveness of very small children. Unfortunately, they also have an adult's guile. Assuming that small children will behave rationally, reasonably, or for the common good is not a legitimate strategy.

      --
      May the Maths Be with you!
    22. Re:Would probably be found by Joce640k · · Score: 4, Insightful

      What if it was your neighbor reading your mail? Would you still shrug it off?

      --
      No sig today...
    23. Re:Would probably be found by Joining Yet Again · · Score: 5, Interesting

      From the description of the study, it seems to me that people who have formed an opinion won't change it just because they see a single piece of potentially falsified or misleading evidence. For example (looking at one of the experiments), if someone has an opinion on joblessness in the US - which might bring in factors of job stability, hours worked or attainment of a living wage - seeing a single graph on number of employed people in recent years does not allow us to conclude that joblessness has been reduced under Obama, unless you have a very primitive interpretation of "joblessness".

      The only damning conclusion is that some academics are so arrogant that they assume test subjects must be faulty if they don't immediately believe the academic's interpretation of some data presented to them.

    24. Re:Would probably be found by Millennium · · Score: 5, Insightful

      But if the NSA can get in, then it is only a matter of time before someone else figures out how. Whether or not I trust the NSA barely even matters, because I certainly don't trust this next entity.

      This is why I prefer something the NSA can't get into: there's probably nobody else who can either. The NSA's cracking efforts hold considerable value for that reason: they can, and should, be letting us know when our machines are not secure enough. The problem arises when they fail to do this, which seems to have been the case in recent years.

    25. Re:Would probably be found by Anonymous Coward · · Score: 3, Insightful

      Few people are more expert on C and the x86 memory architecture than the Linux kernel devs, and none are more expert on Linux than the kernel devs themselves.

      But I can tell you're one of 'those' people, who can't conceive that people are capable of learning and becoming experts without some certificate granting jerkoff/circlejerk club to sanctify their alleged expertness with a wax stamped piece of paper.

      "hey, we've determined that this implementation of this specific part of this specific algorithm probably doesn't have a large amount of randomness over a long period of time."

      An algorithm doesn't, by definition, have any randomness, so it's clear you yourself don't know what the fuck you're talking about, and are not such an expert. "Random number generator" code doesn't actually generate random numbers; it deterministically mixes numbers from a probabilistic source, which ideally has a normal distribution, but generally doesn't, and thus uses a spreading function (of a specific class: trapdoor function) that is designed to make it computationally expensive and/or information expensive (needs a long run of output) to approximate a normal distribution from its input(s).

      And the Linux and BSD random number "generators" (though filter or conditioner is a more apt name), are two of the most well studied and audited filters. Besides the kernel developers, there are many independent, professional auditors who have reviewed the Linux crypto code, and granted various criteria certifications for specific versions of it.

      And despite both these groups, professional auditors and kernel developers, spending serious time, effort and money on validating the security of Linux and BSD, security defects are still found from time to time, sometimes in very old code. There really are no "highly-trained experts" capable of completely proving the security of these kernels, ignoring the near-impossible task of proving hardware secure (can always make a more sensitive SQUID), and you are certainly not anything like the experts who DO audit them.

    26. Re:Would probably be found by RabidReindeer · · Score: 5, Insightful

      I think the fact that people (myself) actually don't care is that most of us (99.99%) wouldn't have a problem, since we're not doing anything illegal. I know that it is still wrong, but I just don't care.

      No, you only think that you're not doing anything illegal. You have no concept of just how many laws cover every single thing you do. Or, for that matter, don't do. Legal experts know better. So do the people who monitor the street cameras when you step off the curb prematurely.

      THAT is the problem. If someone for whatever reason decides that they don't like you, they can pull that data and metadata and use it as supporting evidence for whatever transgressions they deem suitable to nail you for. At a minimum they can make your life difficult in a thousand ways (no-fly lists, for example). In extreme cases, you could be labelled an "Enemy Combatant" and wake up in Gitmo. Especially if someone "accidentally" tagged the data with aggravating information.

      The problem with "Innocent People Have Nothing To Hide", as I've said before, is that you aren't the one that gets to decide what makes people "innocent".

    27. Re:Would probably be found by Yvanhoe · · Score: 5, Insightful

      Snowden could snoop through emails and is considered a criminal by the US government.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    28. Re: Would probably be found by fuzzyfuzzyfungus · · Score: 3, Insightful

      Hah. Assume they are. What god complexes people have to assume they are worthy of the NSA snooping on them. Be a good person and you have nothing to worry about. Government agencies have snooped on their citizens for decades, remember the analog phone system? Digital cellular still uses the same backbone.

      And, of course, advances in technology have had no effect whatsoever on how cheap, per person, surveillance is over the past few decades. None at all, nope, you still have to be radical enough to get three guys wearing headphones and looking real intense allocated to listening to you. Idiot.

    29. Re: Would probably be found by felix rayman · · Score: 5, Insightful

      Read the constitution.

    30. Re:Would probably be found by felix rayman · · Score: 5, Informative

      You are doing something illegal - everyone is. You may not even know what you are doing that is illegal, but if the NSA knows everything you do, they know what you are doing that is illegal.

      They aren't going to do anything about it until you do some thing that is legal that they don't want you to do.

      If you run for office, they own you.

    31. Re:Would probably be found by buck-yar · · Score: 4, Insightful

      People get very mad when an average person spies on them (check out that surveillance man http://www.youtube.com/watch?v=CONgeNlxVug)

      But govt doing the same thing is ok in most people's book. Look at many cities and the CCTV cameras everywhere, nobody has much issue with those, but if a private citizen points a camera at someone, that's terrifying / criminal to people.

    32. Re:Would probably be found by KiloByte · · Score: 3

      Uhm no, that's merely a flimsy far-fetched excuse. "Because NSA reminded us about something" is not a reason a sane programmer would name that symbol NSAKEY. If you believe that, I have a slightly-used bridge to sell.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    33. Re: Would probably be found by buck-yar · · Score: 4, Interesting

      I guess you probably think search warrants are stupid too, I mean what citizen wants the police to jump through hoops to catch criminals? If you have nothing to hide you should have no problem getting rid of police obstacles to ensuring our safety, right?

    34. Re:Would probably be found by Austerity Empowers · · Score: 3

      test subjects must be faulty if they don't immediately believe the academic's interpretation of some data presented to them.

      Probably the actual discovery in this experiment: There were a lot of faulty test subjects.

    35. Re: Would probably be found by techprophet · · Score: 4, Insightful

      Open source is kind of like democracy: the worst possible distribution method except for all the others.

    36. Re:Would probably be found by bytesex · · Score: 4, Insightful

      Where in the article does it say that he declined?

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    37. Re:Would probably be found by Hatta · · Score: 5, Insightful

      You seem to assume that there are no criminals at all part of "the NSA".

      The NSA itself is comprised of criminals. From the agent who accesses data he has no legitimate right to, to James Clapper who lies about it to Congress. The NSA is a criminal organization.

      --
      Give me Classic Slashdot or give me death!
    38. Re:Would probably be found by DoofusOfDeath · · Score: 4, Funny

      According to the recent human brain study, facts do not matter. So no wonder people still believe in things like Windows (or open-source) safety and security...

      Then why are you presenting a fact?

    39. Re:Would probably be found by DoofusOfDeath · · Score: 4, Interesting

      As someone who used to work for the U.S. government, I can say that not everyone there is pure evil. I worked in the DoD, and it was more or less a normal workplace. If anything we were more sticklers for obeying the law there than we were anywhere else I've worked. Maybe because the lack of profit pressure removed one possible temptation to break the law.

    40. Re:Would probably be found by timholman · · Score: 5, Interesting

      No, you only think that you're not doing anything illegal. You have no concept of just how many laws cover every single thing you do. Or, for that matter, don't do. Legal experts know better. So do the people who monitor the street cameras when you step off the curb prematurely.

      THAT is the problem. If someone for whatever reason decides that they don't like you, they can pull that data and metadata and use it as supporting evidence for whatever transgressions they deem suitable to nail you for.

      It isn't just online. The average U.S. citizen breaks (by some estimates) about three federal laws each day, not to mention countless state and local laws. A cop who knows his laws can stop and detain you just about any time he chooses, because he'll be able to cite at least one law that you broke.

      My own anecdote: many years back, when I first began working at my current job, I was commuting back and forth from a relative's house while my wife and I were looking for our own place to buy. I would travel about 20 minutes by interstate every morning and evening, and always observed a lot of state troopers pulling people over in the evenings. What I did not realize at the time was that this particular stretch of road was a major drug corridor, and that the troopers were looking for mules hauling large stashes.

      One night I had to work late and was driving home after dark. Knowing how active the patrols were, I made certain to set my cruise control at the speed limit, so I wasn't particularly concerned when I saw a state trooper in my rear-view mirror - until the lights started flashing.

      At the time I still had my Arizona license plates on my car, and the cops were sure they had a hot one. After a 15-minute stop and search of my car, I was on my way home. But what was the state trooper's excuse for stopping me?

      You know those little plastic frames that auto dealers put around your license plate, with the dealer's name on it? Well, as it turns out, where I live it is illegal to obscure any part of your license plate, which means that I was breaking the law by having that plastic frame overlap my plate along the edges and corners. It gave the state trooper probable cause to stop me. At least he didn't give me a ticket.

      The moral? Don't assume that this sort of behavior by the authorities is anything new, just because it happens online.

    41. Re:Would probably be found by Anonymous Coward · · Score: 4, Insightful

      The State is nothing more nor less than a bandit gang writ large

        -- Murray Rothbard

    42. Re:Would probably be found by OakDragon · · Score: 4, Funny

      But how can we take the word of a criminal?

    43. Re:Would probably be found by DoofusOfDeath · · Score: 4, Funny

      Touché. Excuse me while I go knock over a liquor store.

    44. Re:Would probably be found by DoofusOfDeath · · Score: 4, Insightful

      The point I was trying to make was that the GP referred to "the government", almost as though it were a monolithic entity.

      When civil servants in the DoD break the law, it usually involves stuff like accepting bribes for contract steering, timecard fraud, etc. And most of the civil servants in the DoD didn't do that stuff. It's annoying, and they definitely deserve some jail time, but it's kind of a normal part of life that's to be expected.

      When civil servants in the NSA or CIA do bad stuff, it can (and has) involved spying on all Americans, kidnapping, and torture. My point is that I think we should treat NSA/CIA criminals as probably more dangerous to our country than most DoD wrongdoing.

    45. Re:Would probably be found by Zero__Kelvin · · Score: 5, Insightful

      Stop spreading ridiculous myths:

      "Yes, that's the conventional wisdom with open-source. But tell me: when was the last time you went to inspect the code deep in the kernel?"

      From the latest Linux Foundation report: Kernel: 2.6.30; Number of developers: 1,150; Number of known companies: 240

      3,300 eyes is a lot of eyes (apologies to any kernel devs who have lost an eye or are blind.) And that is only the count of the actual contributors. There are many more who look at it, and write code for it, that don't submit their code at all, or don't have their code accepted into the kernel proper.

      Before you make such a ridiculous statement, please learn about the Linux Kernel development process. Nothing, and I mean nothing gets into the kernel without highly skilled devs reviewing it first. Sure, they could make a mistake, but saying that it might happen because nobody is really looking is ridiculous.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    46. Re:Would probably be found by meta-monkey · · Score: 3, Interesting

      I never "trusted" windows, apple, google, or really any for-profit company, but I assumed because of their rational self-interest, they would not deliberately fuck me over in egregious ways to a third party, like a government, because the knowledge they had done so would be bad for business. So while I have always preferred free software, I would still use closed software because, meh, why not?

      Since the PRISM slides, no. No. I have already or am in the process of eliminating from my life every closed platform I was using.

      Except for video games. I have a computer that will boot windows for games and I own an Xbox, but that's it.

      --
      We don't have a state-run media we have a media-run state.
    47. Re:Would probably be found by Dcnjoe60 · · Score: 4, Informative

      test subjects must be faulty if they don't immediately believe the academic's interpretation of some data presented to them.

      Probably the actual discovery in this experiment: There were a lot of faulty test subjects.

      Actually the similar studies have been repeated numerous times with the same result, so it is unlikely to be a fault of the subjects or the methodology. What the tests do show is that for information we hold to be technical, we are readily willing to concede that we could be wrong. Information that we hold as a belief or ideological position, we hold on to vehemently. Technical issues respond to logic. Ideological ones are usually emotionally based and processed in a different part of the brain. Most social views, including politics and religion, fall into the ideological camp, which is why it is very difficult to get people to change their position using logic. It's also why things like prejudice and bigotry are so hard to eradicate, because they, too, are ideological positions.

      The old adage used to be to not discuss politics or religion when having company. The tests just confirm what we already knew.

    48. Re:Would probably be found by operagost · · Score: 3, Interesting

      No, what that study proved is that people are lied to so often, that once they form an opinion they simply refuse to believe anything new.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
    49. Re:Would probably be found by Archangel Michael · · Score: 4, Insightful

      Good people allowing bad things to happen because they believe the lies that the bad things are actually good, allowing their consciences to be eased. If you saw one thing that was evil, and did nothing, you are as complicit as the evil people the rest of us believe are running those organizations.

      Liberty takes eternal vigilance. Anything less, walks us slowly down the path of tyranny. We've walked down that path so long that people crying for liberty seem like the loons while those people who are usurping liberty look like our saviors.

      And the tyrants always cloak their deeds in legality.

      People like you, who did nothing, saw nothing, are the ones I hate the most. You allowed evil in the false premise that it was "good". But I understand, you were just following orders.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    50. Re:Would probably be found by Hatta · · Score: 3, Insightful

      "Criminal" means that what is done does not comply with the law and is not sanctioned by a ruling body.

      I agree, but I'd add "legitimate" to the second condition. Congress does not have the authority to authorize generalized surveillance as it is specifically prohibited by the 4th amendment. Since nothing else authorizes the NSA to eavesdrop, they are committing crimes just as surely as if I were to eavesdrop on your email.

      The three branches of government are above the law by definition and necessity.

      Absolutely false.

      The executive branch is tasked with enforcing the law. It can only do so by means of potentially-lethal force, which is otherwise illegal

      That potentially lethal force is legal because it is authorized by the Constitution which has been ratified by the people. Similarly, NSA eavesdropping is not legal because it is specifically prohibited by the very same Constitution.

      There will not be any accountability for the NSA's actions

      Of course not, because there is no longer any rule of law in the US.

      --
      Give me Classic Slashdot or give me death!
  2. Re:Shaking? by Pikewake · · Score: 5, Informative

    Unless you're in Albania, Bulgaria or Macedonia ;)

  3. Re:Shaking? by waitamin · · Score: 5, Interesting

    This is so weird to most Europeans and Americans.... A common question by American teachers in my high-school in Bulgaria was, "does it make sense", usually followed by about half the people shaking their heads and half the people nodding, to the obvious (yet silent) horror of the teacher. They got used to it eventually.

    What is best however is the never-ending rotational head movement that some people from the Indian subcontinent use.

  4. Some people ... by daveime · · Score: 4, Insightful

    ... can't tell the difference between humour and reality.

    Torvalds said no while nodding his head yes is a JOKE people, not a fucking admission. Please, save the tinfoil paranoia for Reddit, and keep the serious tech discussions here.

    1. Re:Some people ... by Anonymous Coward · · Score: 4, Insightful

      ... can't tell the difference between humour and reality.
      Torvalds said no while nodding his head yes is a JOKE people, not a fucking admission. Please, save the tinfoil paranoia for Reddit, and keep the serious tech discussions here.

      I don't know if you've been following the news lately, but when it comes to backdoors a lot of the "tinfoil paranoia" of years past has turned out to actually be true. Statistically speaking it is no longer such a certainty that it's just paranoia anymore. The true tinfoil cynic might say that agencies like the NSA are actually depending on "serious tech people" discounting stuff like this as tinfoil paranoia.

    2. Re:Some people ... by trewornan · · Score: 5, Insightful

      Many a true word is spoken in jest.

  5. No, it might not by bitbucketeer · · Score: 5, Insightful
  6. The Pragmatics of the Truth by Zanadou · · Score: 5, Insightful

    One question he was asked was whether a government agency had ever asked about inserting a back-door into Linux. Torvalds responded 'no' while shaking his head 'yes,'

    That's actually quite a cunning answer: possibly, regardless of his answer to the back-door request (I hope the answer was something like "No, fuck you"), like others in comparable situations have hinted at, maybe he's being held accountable to some kind of on-going government "Non-disclosure clause" concerning such a request/conversation.

    But can body language and gestures be held up to the same legal gagging? I'm sure no legal precedent has been set for that yet, and Linus probably is aware of that.

    A cunning, cunning way of answering the question.

  7. Slip the backdoor into a precompiled GCC instead by GauteL · · Score: 5, Interesting

    Seems we need reminding of this classic by Ken Thompson.

    Slip a backdoor into a RHEL 6.x (or any other major Linux distribution) version of GCC and make it do two major things:
    1. Slip a backdoor into any Linux kernel it compiles.
    2. Replicate itself in any version of GCC it compiles.

    Choose some entry point which changes very rarely so the chances of incompatibility with new code are small.

    This would probably keep RHEL with any kernel version tainted for generations of releases with very little chance of being spotted, because there are no changes in the distributed source code of either project.

  8. Yes by FatLittleMonkey · · Score: 5, Insightful

    The nature of open source means it MAY be found by others. Sure, you have a higher chance and an audit trail, but you're making multiple assumptions here:

    The difference is that with a closed source OS, if the other devs with access to the code find the backdoor, they can be ordered by the company to STFU or lose their jobs. The NSA only needs to compromise (either legally or illegally) the head of the company and that also gets them every single dev with access to the source.

    There's no way for even Linus at his most shouty to completely control what other Linux devs discover. (And, as the previous poster noted, that makes it easy for Linus to tip off another dev on the sly to publicly "discover" and patch the "bug", without exposing Linus to legal issues from not cooperating with the NSA.)

    Given the difference between "effortless to compromise" and "insanely difficult to compromise", which would you pick as the safest?

    --
    Science is all about firing a drunk pig out of a cannon just to see what happens.
  9. if Linux was asked, then MS were asked by Anonymous Coward · · Score: 5, Insightful

    If the Government asked for Linux, then certainly they asked for Windows, and whereas I trust Torvalds, I don't trust Microsoft - not in a nasty way, just in the sense that they're a very large company over whom the Government has a great deal of power and where very large companies typically are not morally motivated. I don't mean that in a nasty sense, I just mean there are so many people that taking a moral stance - e.g. accepting a cost for a benefit you personally do not see - is in practical terms very, very unlikely.

    So I think I have to assume there is a backdoor in Windows. In fact, it's hard to imagine anything anyone could say to reassure me. If the NSA said it was not so, I'd laugh. They twist words with the pure purpose of deception. If MS said so, I'd be thinking they were legally compelled, such that they could not even say that such a request had occurred. The NSA surely now have a problem, in that I absolutely cannot trust their word - and indeed I cannot see how that trust can be re-established. If there was a full disclosure, that would be a start, followed by a credible reform programme. I don't think either even remotely likely; and by that, I rather think the NSA has either sealed its doom, or *our* doom. The NSA has gone too far. Either they will be replaced, in which case the problem is addressed, or, if they are not replaced, then *we* have a problem, because the NSA is too powerful to remove (and violates all privacy and security).

    So, what do you know? Turns out this *will* hurt MS sales, because now I *have* to move to Linux. I've been thinking about it for a while, but the cost of learning a new system to do only exactly what you can do already means where I'm very busy, it hasn't happened; but now there is a *need* for me to do it: privacy.

  10. I couldn't imagine filling the void in my life if by TheGratefulNet · · Score: 3, Funny

    yeah, he's a "char star" alright. yup.

    if you have char-stars you don't care about voids, really.

    --
    "It is now safe to switch off your computer."
  11. Re:Slip the backdoor into a precompiled GCC instea by rhysweatherley · · Score: 4, Interesting

    I wonder if anyone actually takes the responsibility to do this check. Maybe there are GCC binaries in the wild which replicate a backdoor.

    Even if there were, you need only recompile your gcc source with llvm, icc, visual studio, or basically anything that isn't gcc to get a new compiler that won't replicate the backdoor any more. For extra fun, randomise the order of this compiling that compiling something else so that even backdoor reinsertions that cross the vendor boundary will eventually fail. Or write your own C++ interpreter in Python/Perl/whatever and use it to (very slowly) run gcc on itself - even if it takes a week you'll have a clean binary at the end. Yes, hiding such a backdoor seems scary to the untrained eye. It's also trivial to get rid of if you're paranoid enough to care.
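
    Comments 7 and 11 together describe a self-replicating compiler backdoor and the "rebuild the compiler with a compiler from somewhere else" answer to it (diverse double-compiling). The following is an added example, not code from this thread, from GCC or from LLVM: it simulates both as pure string transformations so the check runs offline; `translate`, `run_compiler`, `ddc_check`, the source strings and the `+trojan` marker are all constructed stand-ins.

```python
"""Diverse double-compiling (DDC), simulated in pure Python.

Added example, not code from the thread, from GCC or from LLVM. Compiler
'binaries' are strings, so the Thompson backdoor of comment 7 and the
rebuild-with-another-compiler defence of comment 11 both run offline."""
import hashlib

# Constructed stand-ins for the distributed (unchanged) source trees.
COMPILER_SRC = "gcc: source -> binary"
LOGIN_SRC = "login: accept iff password matches"
OTHER_SRC = "ls: list directory"
TROJAN_MARK = "+trojan"  # lives only in a binary image, never in source


def translate(src: str) -> str:
    """Honest code generation: a deterministic 'binary' image of src."""
    return "BIN[" + hashlib.sha256(src.encode()).hexdigest()[:16] + "]"


def run_compiler(compiler_bin: str, src: str) -> str:
    """Run a compiler image on src. A trojaned image is honest on everything
    except the two Thompson triggers: login (gains a master password) and
    the compiler's own source (the trojan is re-inserted)."""
    trojaned = compiler_bin.endswith(TROJAN_MARK)
    if trojaned and src == LOGIN_SRC:
        return translate(src + " or password == MASTER")
    out = translate(src)
    if trojaned and src == COMPILER_SRC:
        out += TROJAN_MARK  # self-replication: survives every rebuild
    return out


def ddc_check(suspect_bin: str, trusted_bin: str, compiler_src: str) -> bool:
    """Wheeler-style DDC, the check comment 11 describes:
    1. an independent trusted compiler builds the suspect's source -> stage1
    2. stage1 builds the same source again -> stage2 (clean, self-hosted)
    3. the suspect builds its own source -> suspect_self
    stage2 == suspect_self bit for bit iff the binary matches its source."""
    stage1 = run_compiler(trusted_bin, compiler_src)
    stage2 = run_compiler(stage1, compiler_src)
    suspect_self = run_compiler(suspect_bin, compiler_src)
    return stage2 == suspect_self


# Constructed scenario: an LLVM-like compiler the trojan never touched, an
# honest gcc built with it, and a trojaned gcc with *identical* source.
INDEPENDENT = translate("llvm: source -> binary")
HONEST_GCC = run_compiler(INDEPENDENT, COMPILER_SRC)
TROJANED_GCC = HONEST_GCC + TROJAN_MARK


def demo() -> dict:
    """Why reading the source finds nothing, and why DDC does."""
    return {
        "honest_passes": ddc_check(HONEST_GCC, INDEPENDENT, COMPILER_SRC),
        "trojan_caught": not ddc_check(TROJANED_GCC, INDEPENDENT, COMPILER_SRC),
        "trojan_survives_self_rebuild": run_compiler(TROJANED_GCC, COMPILER_SRC) == TROJANED_GCC,
        "login_build_differs": run_compiler(TROJANED_GCC, LOGIN_SRC) != run_compiler(HONEST_GCC, LOGIN_SRC),
        "other_builds_identical": run_compiler(TROJANED_GCC, OTHER_SRC) == run_compiler(HONEST_GCC, OTHER_SRC),
    }


if __name__ == "__main__":
    print(demo())
```

    The last two entries of `demo()` are the point of comment 7: every ordinary build is bit-identical to an honest one, so only a compiler-vs-compiler comparison like `ddc_check` exposes the difference.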

  12. Are you fine with China getting in and snooping? by Anonymous Coward · · Score: 5, Insightful

    How about just the UK and France? Both have a "special relationship" with the USA, so can easily be getting the same information on how to snoop on your stuff as the NSA do.

    So are you fine with the UK government, a foreign power, snooping through your e-mails?

    No?

    THEN WHY THE FUCK IS IT OK FOR THE NSA TO SNOOP THROUGH MINE?

    Morons.

    You even say of your spying agencies "Well, I expect the agency to be spying on foreigners, but NOT to spy on me!!!". Except where they're spying on you, in which case "It's OK for them to spy on me".

  13. Re:Slip the backdoor into a precompiled GCC instea by PhilHibbs · · Score: 4, Insightful

    Seems we need reminding of this classic by Ken Thompson... there are no changes in the distributed source code of either project

    Someone would have found it with a debugger. Sure, they could change the compiler to insert code into a debugger to hide the patch. But this rapidly gets so complex and error-prone that the bloat would be noticed and it would fail to spot all debuggers and patch them all. It's an interesting theoretical attack, but not practical in the long run.

  14. Backdoors... by fabrica64 · · Score: 4, Insightful

    Why bother asking Linus to put a backdoor in Linux when it's just easier to ask Intel to put a backdoor in their processors?

  15. Re:Well, did he do it? by Ash+Vince · · Score: 5, Funny

    Who cares if he got asked. I can ask for a lot of things too, but what I actually get is what matters. What did the government get?

    Probably a rude explanation about why they know fuck all about how kernel development works :)

    --
    I don't read /. to RTFA, I read /. to offend people in ignorance.
  16. Look, first, to the boot time device drivers by eer · · Score: 4, Informative

    Worrying about compromise of the Linux or Windows kernel is foolish - they're so large, they could have anything hidden inside and you'd never find it (searching for such is literally uncomputable). Begin your concerns with the device drivers from who knows where that are put into place by your motherboard BIOS or EFI boot systems. Conventional operating systems are entirely dependent on them, and they're completely beyond your ability to inspect or trust. And the Open Source variations have the same issue as the operating systems - large, monolithic blocks of code impenetrable to analysis.

    You fear what you know about. Fear, instead, what you don't.

  17. Comment removed by account_deleted · · Score: 4, Interesting

    Comment removed based on user account deletion

  18. judges are pissed NSA lied to get their okay by raymorris · · Score: 4, Insightful

    Judges have ruled that the NSA could do these things - when the NSA lied to the judges about what they were doing and how. Some of those judges are pretty pissed off now that they know how the subpoenas were abused, so I wouldn't think those rulings definitively say what NSA is doing is in fact legal. The judges who made the rulings don't think they approved what was actually going on.

    1. Re:judges are pissed NSA lied to get their okay by causality · · Score: 5, Insightful

      Judges have ruled that the NSA could do these things - when the NSA lied to the judges about what they were doing and how. Some of those judges are pretty pissed off now that they know how the subpoenas were abused, so I wouldn't think those rulings definitively say what NSA is doing is in fact legal. The judges who made the rulings don't think they approved what was actually going on.

      This happened because to become a judge, one must generally be a "believe in the system" type. This is why judges will automatically take the word of a police officer over yours, being impressed by the fact he/she is a "sworn officer", because this type of mentality doesn't consider that cops and other members of government could lie to get what they want. So now it finally bit the judge(s) and made them look bad, feel a little angry? It's been doing that to regular citizens for a long time now.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    2. Re:judges are pissed NSA lied to get their okay by Hatta · · Score: 5, Insightful

      Secret rulings by secret courts were never legitimate in the first place.

      --
      Give me Classic Slashdot or give me death!
  19. What I want to know. by Lumpy · · Score: 3, Interesting

    What has been snuck past Linus and the other code reviewers? Honestly Linus needs to do a call for people to comb through and look specifically for sneaky things. It's not hard to make something in C look innocent when instead it does evil. http://www.ioccc.org/ for example. Or, more scary... http://underhanded.xcott.com/

    Linux needs a security team that is double checked by a team outside the USA so it can be the ONLY OS that can state, "Not compromised by the NSA"

    --
    Do not look at laser with remaining good eye.
  20. legal != ok, UK not busting US pot smokers by raymorris · · Score: 5, Insightful

    It's ILLEGAL for the NSA to spy on Americans, and for good reason. That doesn't mean it's OKAY for them to spy on everyone else, but at least it's LEGAL.

    As a US citizen, I'd rather China spy on me than the NSA. The reason is because China isn't going to try to "bust" me on a minor and erroneous charge. For example, there is a porn star named Ann Howe aka Melissa who started in porn when she was 20. She looks young, so several people have been busted for "child porn" for having pics of her when she was 20-25 years old. I don't want my government spying on my internet usage because my government will charge me with child porn based on a chick in her twenties. The Chinese government doesn't give a shit what porn I see. Therefore yes, it's less bad for a government to spy on foreigners - even when I am the foreigner.

  21. What, no bench warrants? by Marrow · · Score: 3, Insightful

    If a judge feels he was deliberately misled, then he could issue a bench warrant for the arrest of the person who misled him. He could put the man on the stand and compel his testimony.
    Apparently, the judges are only pissed enough to say they are pissed.

  22. Re:Slip the backdoor into a precompiled GCC instea by melikamp · · Score: 3, Interesting

    In reality, slipping a backdoor into Linux is much easier: just code it into a proprietary wireless firmware blob which is already a part of the (non-free) kernel distributed at linux.org. The mal-firmware can then spy and report directly from the network card, or use DMA to elevate itself to ring 0 on the main CPU. What makes this scenario most FUN is the sheer likelihood of such a backdoor being in place RIGHT NOW, within the official Linux git repo, since no approval or knowledge by Linus would be required to slip it in.

  23. It all depends... by Dcnjoe60 · · Score: 4, Insightful

    From the description of the study, it seems to me that people who have formed an opinion won't change it just because they see a single piece of potentially falsified or misleading evidence. For example (looking at one of the experiments), if someone has an opinion on joblessness in the US - which might bring in factors of job stability, hours worked or attainment of a living wage - seeing a single graph on number of employed people in recent years does not allow us to conclude that joblessness has been reduced under Obama, unless you have a very primitive interpretation of "joblessness".

    The only damning conclusion is that some academics are so arrogant that they assume test subjects must be faulty if they don't immediately believe the academic's interpretation of some data presented to them.

    Learning math, and being shown that an equation is incorrect, one readily accepts that. Things like unemployment, climate change, etc., aren't about concrete objective things, but instead are really various facets of one's ideology. Ideology, like religion is hard to change and pretty much for the same reason. It is not based on knowledge, but instead on belief.

    That can be good or bad, depending on how it is used, but most often, it turns out to be bad. Ideologies often force us to characterize others by stereotypes, not individuals. What is happening in the US Congress and many parts of the world politically, is all based on people holding on to their ideologies and not listening to the other side. Holding to ideologies instead of the underlying principles leads to the notion of "if you aren't with me you are against me", and that ultimately leads to disaster for a society by concentrating the power in the hands of a few at the expense of many.

    One thing is for certain, you don't change people's ideology with facts. Facts appeal to the rational, logical part of our psyche. Ideology, on the other hand is an emotional response and like love is often anything but logical.

  24. You can joke about serious matters by sjbe · · Score: 4, Insightful

    Torvalds said no while nodding his head yes is a JOKE people, not a fucking admission.

    I agree it is a joke but making a joke does not mean there is nothing serious being communicated. The best jokes are usually about topics that are very serious. Maybe it was a joke and nothing more (I certainly hope so) but without more information you cannot actually be certain either way. If he was asked to put a back door in that would hardly be a surprising revelation.

    Please, save the tinfoil paranoia for Reddit, and keep the serious tech discussions here.

    You think the idea of a backdoor in Linux is not a serious tech topic? Besides, it's only paranoia if "they" are not actually after you. Recent revelations about the NSA and other government activities clearly demonstrate that being concerned over government snooping is actually quite reasonable.