Slashdot Mirror


Linus Torvalds Admits He's Been Asked To Insert Backdoor Into Linux

darthcamaro writes "At the Linuxcon conference in New Orleans today, Linus Torvalds joined fellow kernel developers in answering a barrage of questions about Linux development. One question he was asked was whether a government agency had ever asked about inserting a back-door into Linux. Torvalds responded 'no' while shaking his head 'yes,' as the audience broke into spontaneous laughter. Torvalds also admitted that while he has a full life outside of Linux he couldn't imagine his life without it. 'I don't see any project coming along being more interesting to me than Linux,' Torvalds said. 'I couldn't imagine filling the void in my life if I didn't have Linux.'"

32 of 576 comments

  1. Would probably be found by MadX · · Score: 5, Funny

    *If* such a mechanism was coded in, the nature of open source would mean it would be found by others. This in turn would compromise the trust of the ENTIRE kernel. That trust can take years to build up - but be destroyed in a heartbeat.

    1. Re:Would probably be found by phantomfive · · Score: 5, Insightful

      The issue here, is that there is a backdoor being built-in deliberately. That could compromise trust.

      There is that possibility. Once again, this is a possibility we've known about for a while, and it hasn't caused people to leave Windows in droves. I think it's something most people just must not care about.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Would probably be found by jma05 · · Score: 5, Insightful

      It's unlikely that such a backdoor, should it exist, would be coded so obviously, since the source is published. Instead, it would more likely be in the form of a subtle buffer overflow that results in privilege escalation or such, such that when found, it could simply be labeled as a bug rather than a backdoor... plausible deniability.

    3. Re:Would probably be found by Jeremi · · Score: 5, Insightful

      *If* such a mechanism was coded in, the nature of open source would mean it would be found by others. This in turn would compromise the trust of the ENTIRE kernel. That trust can take years to build up - but be destroyed in a heartbeat.

      If it was obviously a deliberate back door, sure. Which is why the clever hacker/government-agency would be a lot more subtle -- rather than a glaring "if (username == "backdoor") allowRootAccess();", they'd put a very subtle mistake into the code instead. If the mistake was detected, they could then simply say "oops, my bad", and it would be fixed for the next release, but other than that nobody would be any the wiser. Repeat as necessary, and the visible results might not look too different from what we actually have.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    4. Re:Would probably be found by AlphaWoIf_HK · · Score: 5, Insightful

      You don't even need to have something to hide; you just need to anger the wrong people at the wrong time. What the government thinks is 'bad' is not necessarily what you think is 'bad,' so you're always in danger, no matter how unimportant you believe yourself to be.

      --
      Da derp dee derp da teedly derpee derpee dum. Rated PG-13.
    5. Re:Would probably be found by dmcq · · Score: 5, Informative

      Have a look at some of the code from the 'Underhanded C Contest' at http://underhanded.xcott.com/ where people write code that looks straightforward and nice and clear but contains deliberate evil bugs. I think that should remove any complacency and the NSA has a lot of money to spend on people posing as developers never mind the ones they stick onto standards bodies.

      --
      thou discernest my thoughts from afar
    6. Re:Would probably be found by Talar · · Score: 5, Insightful

      This, and add to it that whatever is 'bad' doesn't have to be 'bad' today since the data will be kept practically forever for any future government to analyze. If you still don't have anything to hide you must have a confidence in both the current and all future governments that is so unshakeable I'd almost call it stupidity.

    7. Re:Would probably be found by michelcolman · · Score: 5, Interesting

      Then again, the back door would be easier to find by criminals. I don't personally care that much about the NSA snooping through my e-mails. But if some criminal can read them just as easily, it's a different story.

    8. Re:Would probably be found by Anonymous Coward · · Score: 5, Insightful

      You seem to assume that there are no criminals at all part of "the NSA". Considering the number of employees they have with most having fairly complete access it is almost certain that there are criminals with access to a lot of NSA data.

    9. Re:Would probably be found by AlphaWoIf_HK · · Score: 5, Insightful

      It is foolish to assume that the people working for the government are perfect angels who could never mean you any harm; this has never been true and never will be true.

      --
      Da derp dee derp da teedly derpee derpee dum. Rated PG-13.
    10. Re:Would probably be found by Joining+Yet+Again · · Score: 5, Interesting

      From the description of the study, it seems to me that people who have formed an opinion won't change it just because they see a single piece of potentially falsified or misleading evidence. For example (looking at one of the experiments), if someone has an opinion on joblessness in the US - which might bring in factors of job stability, hours worked or attainment of a living wage - seeing a single graph on number of employed people in recent years does not allow us to conclude that joblessness has been reduced under Obama, unless you have a very primitive interpretation of "joblessness".

      The only damning conclusion is that some academics are so arrogant that they assume test subjects must be faulty if they don't immediately believe the academic's interpretation of some data presented to them.

    11. Re:Would probably be found by Millennium · · Score: 5, Insightful

      But if the NSA can get in, then it is only a matter of time before someone else figures out how. Whether or not I trust the NSA barely even matters, because I certainly don't trust this next entity.

      This is why I prefer something the NSA can't get into: there's probably nobody else who can either. The NSA's cracking efforts hold considerable value for that reason: they can, and should, be letting us know when our machines are not secure enough. The problem arises when they fail to do this, which seems to have been the case in recent years.

    12. Re:Would probably be found by RabidReindeer · · Score: 5, Insightful

      I think the fact that people (myself) actually don't care is that most of us (99.99%) wouldn't have a problem, since we're not doing anything illegal. I know that it is still wrong, but I just don't care

      No, you only think that you're not doing anything illegal. You have no concept of just how many laws cover every single thing you do. Or, for that matter, don't do. Legal experts know better. So do the people who monitor the street cameras when you step off the curb prematurely.

      THAT is the problem. If someone for whatever reason decides that they don't like you, they can pull that data and metadata and use it as supporting evidence for whatever transgressions they deem suitable to nail you for. At a minimum they can make your life difficult in a thousand ways (no-fly lists, for example). In extreme cases, you could be labelled an "Enemy Combatant" and wake up in Gitmo. Especially if someone "accidentally" tagged the data with aggravating information.

      The problem with "Innocent People Have Nothing To Hide", as I've said before, is that you aren't the one that gets to decide what makes people "innocent".

    13. Re:Would probably be found by Yvanhoe · · Score: 5, Insightful

      Snowden could snoop through emails and is considered a criminal by the US government.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    14. Re: Would probably be found by felix+rayman · · Score: 5, Insightful

      Read the constitution.

    15. Re:Would probably be found by felix+rayman · · Score: 5, Informative

      You are doing something illegal - everyone is. You may not even know what you are doing that is illegal, but if the NSA knows everything you do, they know what you are doing that is illegal.

      They aren't going to do anything about it until you do some thing that is legal that they don't want you to do.

      If you run for office, they own you.

    16. Re:Would probably be found by Hatta · · Score: 5, Insightful

      You seem to assume that there are no criminals at all part of "the NSA".

      The NSA itself is comprised of criminals. From the agent who accesses data he has no legitimate right to, to James Clapper who lies about it to Congress. The NSA is a criminal organization.

      --
      Give me Classic Slashdot or give me death!
    17. Re:Would probably be found by timholman · · Score: 5, Interesting

      No, you only think that you're not doing anything illegal. You have no concept of just how many laws cover every single thing you do. Or, for that matter, don't do. Legal experts know better. So do the people who monitor the street cameras when you step off the curb prematurely.

      THAT is the problem. If someone for whatever reason decides that they don't like you, they can pull that data and metadata and use it as supporting evidence for whatever transgressions they deem suitable to nail you for.

      It isn't just online. The average U.S. citizen breaks (by some estimates) about three federal laws each day, not to mention countless state and local laws. A cop who knows his laws can stop and detain you just about any time he chooses, because he'll be able to cite at least one law that you broke.

      My own anecdote: many years back, when I first began working at my current job, I was commuting back and forth from a relative's house while my wife and I were looking for our own place to buy. I would travel about 20 minutes by interstate every morning and evening, and always observed a lot of state troopers pulling people over in the evenings. What I did not realize at the time was that this particular stretch of road was a major drug corridor, and that the troopers were looking for mules hauling large stashes.

      One night I had to work late and was driving home after dark. Knowing how active the patrols were, I made certain to set my cruise control at the speed limit, so I wasn't particularly concerned when I saw a state trooper in my rear-view mirror - until the lights started flashing.

      At the time I still had my Arizona license plates on my car, and the cops were sure they had a hot one. After a 15-minute stop and search of my car, I was on my way home. But what was the state trooper's excuse for stopping me?

      You know those little plastic frames that auto dealers put around your license plate, with the dealer's name on it? Well, as it turns out, where I live it is illegal to obscure any part of your license plate, which means that I was breaking the law by having that plastic frame overlap my plate along the edges and corners. It gave the state trooper probable cause to stop me. At least he didn't give me a ticket.

      The moral? Don't assume that this sort of behavior by the authorities is anything new, just because it happens online.

    18. Re:Would probably be found by Zero__Kelvin · · Score: 5, Insightful

      Stop spreading ridiculous myths:

      "Yes, that's the conventional wisdom with open-source. But tell me: when was the last time you went inspect the code deep in the kernel? "

      From the latest Linux Foundation report: Kernel: 2.6.30 Number of developers: 1,150 Number of known companies: 240

      3,300 eyes is a lot of eyes (apologies to any kernel devs who have lost an eye or are blind.) And that is only the count of the actual contributors. There are many more who look at it, and write code for it, that don't submit their code at all, or don't have their code accepted into the kernel proper.

      Before you make such a ridiculous statement, please learn about the Linux Kernel development process. Nothing, and I mean nothing gets into the kernel without highly skilled devs reviewing it first. Sure, they could make a mistake, but saying that it might happen because nobody is really looking is ridiculous.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  2. Re:Shaking? by Pikewake · · Score: 5, Informative

    Unless you're in Albania, Bulgaria or Macedonia ;)

  3. Re:Shaking? by waitamin · · Score: 5, Interesting

    This is so weird to most Europeans and Americans.... A common question by American teachers in my high-school in Bulgaria was, "does it make sense", usually followed by about half the people shaking their heads and half the people nodding, to the obvious (yet silent) horror of the teacher. They got used to it eventually.

    What is best however is the never-ending rotational head movement that some people from the Indian subcontinent use.

  4. No, it might not by bitbucketeer · · Score: 5, Insightful
  5. The Pragmatics of the Truth by Zanadou · · Score: 5, Insightful

    One question he was asked was whether a government agency had ever asked about inserting a back-door into Linux. Torvalds responded 'no' while shaking his head 'yes,'

    That's actually quite a cunning answer: possibly, regardless of his answer to the back-door request (I hope the answer was something like "No, fuck you"), like others in comparable situations have hinted at, maybe he's being held accountable to some kind of on-going government "Non-disclosure clause" concerning such a request/conversation.

    But can body language and gestures be held up to the same legal gagging? I'm sure no legal precedent has been held for that yet, and Linus probably is aware of that.

    A cunning, cunning way of answering the question.

  6. Slip the backdoor into a precompiled GCC instead by GauteL · · Score: 5, Interesting

    Seems we need reminding of this classic by Ken Thompson.

    Slip a backdoor into a RHEL 6.x (or any other major Linux distribution) version of GCC and make it do two major things:
    1. Slip a backdoor into any Linux kernel it compiles.
    2. Replicate itself in any version of GCC it compiles.

    Choose some entry point which changes very rarely so the chances of incompatibility with new code is small.

    This would probably keep RHEL with any kernel version tainted for generations of releases with very little chance of being spotted, because there are no changes in the distributed source code of either project.

  7. Yes by FatLittleMonkey · · Score: 5, Insightful

    The nature of open source means it MAY be found by others. Sure you have a higher chance and an audit trail but you're making multiple assumptions here:

    The difference is that with a closed source OS, if the other devs with access to the code find the backdoor, they can be ordered by the company to STFU or lose their jobs. The NSA only needs to compromise (either legally or illegally) the head of the company and that also gets them every single dev with access to the source.

    There's no way for even Linus at his most shouty to completely control what other Linux devs discover. (And, as the previous poster noted, that makes it easy for Linus to tip off another dev on the sly to publicly "discover" and patch the "bug", without exposing Linus to legal issues from not cooperating with the NSA.)

    Given the difference between "effortless to compromise" and "insanely difficult to compromise", which would you pick as the safest?

    --
    Science is all about firing a drunk pig out of a cannon just to see what happens.
  8. if Linux was asked, the MS were asked by Anonymous Coward · · Score: 5, Insightful

    If the Government asked for Linux, then certainly they asked for Windows, and whereas I trust Torvalds, I don't trust Microsoft - not in a nasty way, just in the sense that they're a very large company over whom the Government has a great deal of power and where very large companies typically are not morally motivated. I don't mean that in a nasty sense, I just mean there's so many people, taking a moral stance - e.g. accepting a cost for a benefit you personally do not see - is in practical terms very, very unlikely.

    So I think I have to assume there is a backdoor in Windows. In fact, it's hard to imagine anything anyone could say to reassure me. If the NSA said it was not so, I'd laugh. They twist words with the pure purpose of deception. If MS said so, I'd be thinking they were legally compelled, such that they could not even say that such a request had occurred. The NSA surely now have a problem, in that I absolutely cannot trust their word - and indeed I cannot see how that trust can be re-established. If there was a full disclosure, that would be a start, followed by a credible reform programme. I don't think either even remotely likely; and by that, I rather think the NSA has either sealed its doom, or *our* doom. The NSA has gone too far. Either they will be replaced, in which case the problem is addressed, or, if they are not replaced, then *we* have a problem, because the NSA is too powerful to remove (and violates all privacy and security).

    So, what do you know? turns out this *will* hurt MS sales, because now I *have* to move to Linux. I've been thinking about it for a while, but the cost of learning a new system to do only exactly what you can do already means where I'm very busy, it hasn't happened; but now there is a *need* for me to do, privacy.

  9. Re:Some people ... by trewornan · · Score: 5, Insightful

    Many a true word is spoken in jest.

  10. Are you fine with China getting in and snooping? by Anonymous Coward · · Score: 5, Insightful

    How about just the UK and France? Both have a "special relationship" with the USA, so can easily be getting the same information on how to snoop on your stuff as the NSA do.

    So are you fine with the UK government, a foreign power, snooping through your e-mails?

    No?

    THEN WHY THE FUCK IS IT OK FOR THE NSA TO SNOOP THROUGH MINE?

    Morons.

    You even say of your spying agencies "Well, I expect the agency to be spying on foreigners, but NOT to spy on me!!!". Except where they're spying on you, in which case "It's OK for them to spy on me".

  11. Re:Well, did he do it? by Ash+Vince · · Score: 5, Funny

    Who cares if he got asked. I can ask for a lot of things too, but what I actually get is what matters. What did the government get?

    Probably a rude explanation about why they know fuck all about how kernel development works :)

    --
    I don't read /. to RTFA, I read /. to offend people in ignorance.
  12. legal != ok, UK not busting US pot smokers by raymorris · · Score: 5, Insightful

    It's ILLEGAL for the NSA to spy on Americans, and for good reason. That doesn't mean it's OKAY for them to spy on everyone else, but at least it's LEGAL.

    As a US citizen, I'd rather China spy on me than the NSA. The reason is because China isn't going to try to "bust" me on a minor and erroneous charge. For example, there is a porn star named Ann Howe aka Melissa who started in porn when she was 20. She looks young, so several people have been busted for "child porn" for having pics of her when she was 20-25 years old. I don't want my government spying on my internet usage because my government will charge me with child porn based on a chick in her twenties. The Chinese government doesn't give a shit what porn I see. Therefore yes, it's less bad for a government to spy on foreigners - even when I am the foreigner.

  13. Re:judges are pissed NSA lied to get their okay by causality · · Score: 5, Insightful

    Judges have ruled that the NSA could do these things - when the NSA lied to the judges about what they were doing and how. Some of those judges are pretty pissed off now that they know how the subpoenas were abused, so I wouldn't think those rulings definitively say what NSA is doing is in fact legal. The judges who made the rulings don't think they approved what was actually going on.

    This happened because to become a judge, one must generally be a "believe in the system" type. This is why judges will automatically take the word of a police officer over yours, being impressed by the fact he/she is a "sworn officer", because this type of mentality doesn't consider that cops and other members of government could lie to get what they want. So now it finally bit the judge(s) and made them look bad, feel a little angry? It's been doing that to regular citizens for a long time now.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  14. Re:judges are pissed NSA lied to get their okay by Hatta · · Score: 5, Insightful

    Secret rulings by secret courts were never legitimate in the first place.

    --
    Give me Classic Slashdot or give me death!