Slashdot Mirror
Snowden: What Happened In 2013 Couldn't Have Happened Without Free Software (networkworld.com)
An anonymous reader writes from a NetworkWorld article: NSA whistleblower Edward Snowden spoke at Free Software Foundation's LibrePlanet 2016 on free software, privacy, and security. He credited free software for his ability to help disclose the U.S. government's far-reaching surveillance projects. "What happened in 2013 couldn't have happened without free software," he said, particularly citing projects like Tor, Tails (a highly secure Linux distribution) and Debian. "I didn't use Microsoft machines when I was in my operational phase, because I couldn't trust them," Snowden stated. "Not because I knew that there was a particular back door or anything like that, but because I couldn't be sure."
No but other people have. Your strawman not withstanding, the biggest problem is backdoored hardware, proprietary binary blobs and cellular sideband processors...
Thanks Snowden for pointing this out, now we will see a movement against open source software because it aids terrorists, just like unlockable iphones or other means of secure communications.
MSX Basic was quite secure due MSX not supporting any sort of networking.
Of course, if your Datassette was the loud annoying kind, NSA probably can record your data with a hidden mic.
You can see Edward Snowden's talk for yourself.
There are no configuration changes you can make, programs you can install, or other changes you can make to make proprietary (user-subjugating, nonfree) software trustworthy. It won't matter what the "privacy" settings say you can do; the proprietor has the upper hand and can easily write software to rat you out. Software freedom is a prerequisite for computer privacy and security and all of the other things that go into treating computer users ethically. All computer users deserve software freedom.
Digital Citizen
Despite the many eyeballs, serious bugs in open source software have been found before. The NSA doesn't have to insert their own backdoor, they can just dig through the existing code, and find a bug that allows them to get in.
What does this have to do with anything? His "operational" phase consisted of him asking clueless users for their passwords. Open Source or backdoors had nothing to do with what he did, or how he did it.
Yeah, I get that Snowden gets a lot of love around here, but on a technical or knowledge basis, he's one of the least interesting people out there. Ever most script kiddies are more interesting than he is.
And this applies to closed sores as well.
It's a lot easier to find the bug when you have the source code.
Note the following:
[...] citing projects like Tor, Tails (a highly secure Linux distribution) and Debian.
"Tor" and "Debian" are well known and probably don't need explanation, while "Tails" is more obscure and has a quick explanatory note.
This is how you do it, this is a good method. (It's in the original article.)
Looking through the past 3 pages of Slashdot I couldn't find any examples of obscurity, but I found lots of examples of references that had a hint of help for the reader - a word of context or a placing phrase or something that illuminates the subject for the reader.
It looks like things are getting better. Keep up the good work.
But it's impossible to audit the source code of closed source software if you don't have the source code.
Correct, but I think the NSA is much more motivated to find an exploit in millions of lines of code than other people are to audit the same.
gnupg.org
With OSS you still need to trust people, but you need to trust fewer people, you know who those people are, and you can see who else trusts them. With proprietary code, there is a chain of trust that is only as strong as its weakest link. With OSS, there is a web of trust. I can look at the git log and see who wrote a particular algorithm, and I can often see what other code they have written. I can see the changes that were made later, and who made them. For many OSS projects, I can see who reviewed/audited the code. None of this is magic, and there is never a 100% assurance, but OSS has come clear advantages.
And yet.. Heartbleed.
Think the other way round: try to sneak in a backdoor in opensource.
1) You're never sure, who reads the source and finds it. And when this will happen
2) It can probably be attributed to you in some way
3) The big security does not come from the source alone, but from the open development process. Go, read the Linux source and look for security holes. Much work? Indeed! But now go and look at the commits from today. Read the summary, read the code, check if it seems to match, watch out for possible security hole. This can be done and this is done by many people.
On the closed source side: You get from time to time one big update, no code at all. If you want to make yourself some work, you can try to disassamble the binary. People do so and people find security bugs and backdoors, but it's a lot more efford.
And the third thing: If you already suspect something, you can go and read the corresponding code of the misbehaving part, while you are still without source when using closed source.
So yeah, nobody has a guarantee for no backdoors, but it's harder to sneak one in.
Snowden is fighting against people, who have the source for software, where he does not have the source. This makes it even worse for him.
but these days I think assuming it's not backdoored by the NSA would be naive.
The problem the NSA is up against is that they have to compromise every copy of the source code that's out there, or even a large number of binaries to make a backdoor work reliably.
There are literally hundreds of mirrors of Ubuntu alone, each with hashes that need to match. That's only one distribution of one OS. Then there's the BSDs, which are dying, according to Netcraft.
--
BMO
It's a lot easier to find the bug when you have the source code.
1. Many security researchers have claimed that this is not true. They often find bugs just by pushing the running code past its limits: giving it more input data that it is expecting, giving it binary data when it is expecting ascii, or exploiting corner cases, like negative numbers when it is expecting only positive numbers or triggering arithmetic overflow on a pointer, etc. You don't need the source to do any of this.
2. Just because you don't have access to the source, doesn't mean the NSA/CIA/FBI/FIS/MSS doesn't have the source. Many times they simply buy access, as they did with RSA. Sometimes they demand access as a condition of doing business, as they did with Microsoft. Sometimes they hack their way in. Other times they infiltrate or bribe low level developers.
You're right, you're right: in open source, other people do not check the code. Ever. (I stand corrected; thank you for putting me in my place.) ;)
Indeed. The stupid is strong with that one. The thing is that in OSS, backdoors will be found sooner or later, sometimes much later. And that is something the NSA/GCHQ/GeStaPo dreads as it exposes them. Does not matter that much even if it is 5 years or 10 years later.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Which is a good example how and why OSS works: It was found, documented, traced back (no sign of foul play) and fixed. What do you think would have happened in a commercial, closed library?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The US, Russian and Chinese security services have all the source code to Windows. The difference is that security researchers don't have access to it.
So, the adversaries have it but none of the people we would hope to be protecting it.
The NSA has essentially been shown to have known vulnerabilities they use for eavesdropping, but never notify the vendor. Why would they? They have a key to the kingdom. What possible motive would they have to fix that vulnerability? They don't care a bit about privacy and security: just access to the data. If they have it, likely so does every other adversary.
So basically everybody is happy except for the users who rely on both the vendors and security services to keep them safe. Massive failures all around.
And if it gets discovered, there is an excellent chance it will also be attributed and whoever out it in will be burned and that makes such an attack extremely costly. For example, the forward-hashes of git serve exactly this purpose: No revision of the change-history after commit.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I agree that NSA and friends manage to get the source code for many projects. But that proves my point that having the source code helps to find bugs, otherwise they wouldn't have to go through that much trouble. Entering invalid input is a great way to catch easy bugs, but some bugs may be much more subtle, and require various pieces of input to align accurately.
You do not get it: Nobody at all (except morons like you) claim OSS is bug-free. The claim is that closed-source software is much, much worse. From some code security reviews I did under NDA, I fully and completely agree to that claim.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
And this applies to closed sores as well.
It's a lot easier to find the bug when you have the source code.
What makes you think the NSA doesn't have access to the source code of any but the smallest closed source project they wish to examine?
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Nobody at all (except morons like you) claim OSS is bug-free
I didn't claim it either, moron.
Depends. They probably have access to source code from plenty of American companies. I guess they'll have a much harder time getting the source code of non-friendly foreign companies. Given enough motivation, they may find ways to get it, but it won't be nearly as easy as downloading it from the interwebs somewhere.
If you get a backdoor in through a legitimate developer, all copies will be compromised automatically.
And it's a lot easier to keep that exploit hidden (i.e. available) when the source is closed. Did you have a point?
But that proves my point
No, it doesn't; however, your misplaced confidence in your intellectual abilities definitely does amuse. ;)
And it's a lot easier to keep that exploit hidden (i.e. available) when the source is closed
Having the source code allows you to find the really subtle exploits that can remain hidden for a long time. Also, people aren't as likely to audit old code that they and others have already looked at before.
Exactly; it is a really weak claim.
He could have used proprietary encryption products, a self-hosted commercial VPN instead of Tor, an obscure proprietary OS not on the list of things worth backdooring, etc.
He did use some libre software, so we know what happened could happen using those tools. But we don't know anything about this idea that he couldn't have done it otherwise.
Avoiding Windows in particular is prudent for a wide variety of reasons; not least, products designed for the masses will have sacrificed some security for convenience.
And keep in mind, almost all the software I use is Free or OSS. I do also use a proprietary email app on my mobile device, and I use the LTSpice circuit simulator. (Only for simulation of the OSS-generated netlist)
Which is a good example how and why OSS works: It was found, documented, traced back (no sign of foul play) and fixed. What do you think would have happened in a commercial, closed library?
In commercial software it would be found, documented, traced back, and fixed. Documentation would be internal.
I'm pretty strongly against using proprietary stuff in my tool chain, but I just don't think this is a real difference.
But that proves my point that having the source code helps to find bugs
They don't want the source code to "find bugs". They want the source code so they can modify the source, insert backdoors, and install/distribute the compromised binaries ... like they did with Cisco switches and Xerox printers.
In commercial software it would be found, documented, traced back, and fixed.
Only if the company made it a priority and budgeted for it. Then it would be rolled into the next release, which may not come for months, or even years. Oh, and the next release will only be installed by users that can afford the upgrade fee.
Same is true for open source.
On github this week, I fixed a bug where the ticket was over 5 years old, and the project owner finally realized it is a real bug and the solution is harmless.
It hasn't been accepted yet, of course. Give it a couple more years.
That's the whole point, your odds are better... Nothing is perfect.
With closed source only a single party really has access to the source, anyone else they grant access to will be under the terms (eg NDA) of the vendor and so may be unable to disclose finding anything bad even if they do, plus if they're working together they likely have the same agenda.
There is also the chance that source code has leaked, in which case blackhats have it, even if they do find backdoors or bugs such people are more likely to make use of them for their own nefarious purposes than disclose them to the public.
With open source the possibility exists for anyone to get their hands on the code, including multiple parties with conflicting goals. If a backdoor existed then at least some of those with access to the source are going to be against the backdoor and disclose/close it.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Yep
I would be shocked if the government did not have all kinds of stuff planted in Microsoft products. And that can lead to very dangerous actions. Suppose, as an example that the government becomes informed of a very dangerous criminal due to bugs planted in an OS or browser. But it is obvious that making an arrest would reveal the existence of that bug. People could be made to vanish and never be heard from again. The problem is it could be someone else that used your computer. With no open trials taht could be a very real problem.
In commercial software it would be found, documented, traced back, and fixed.
How would you know?
Documentation would be internal.
Case in point.
> Did you have a point?
Just recently they began posting in abundance. I'd speculate sockpuppet but who knows? I'll let you draw any conclusions you might wish about their reasoning and logic skills. They have some.. Some, shall we say, unusual opinions and seem inclined to stick with those opinions regardless of evidence presented. I don't really have much/any interaction. Such is simply an observation.
I've an odd habit of reading the "by" field prior to reading the post. Given that I'm retired, it affords me plenty of time to read and sometimes even check comment histories. A sock for whom, I have no idea and it's purely speculation. They may not be but a quick skim through their post history is insightful. As always, draw your own damned conclusions. ;-)
"So long and thanks for all the fish."
I'm inclined to disbelieve you. Given the sheer volume associated with the task, I've absolutely no reason to believe that you've read every line of code that you use. There's simply not enough time in the day to do so and remain even remotely close to secure - you'd be reading code from years and years ago. There are simply too many component pieces for me to believe you.
Yes, yes I am calling you a liar. I'm not sorry, if I was sorry I'd not be doing it. You have not read all the code in your OS and in the applications that you use. I won't even count the applications that you use outside of your control - those that are on the web.
However, I'll give you the chance to try to change my mind - if you feel inclined to undertake that effort. I wouldn't. What the hell does it matter if I don't believe you? But, if you want to change my mind you're free to do so but you're gonna have to make it believable. What OS do you use? How do you get online? What hardware are you using? You have *zero* binary blobs? You've somehow managed to read and then re-read the code for every single piece of software you have - and keep up with updates for security problems?
Yeah, I'm thinking that, at best, you might skim through some or speed-read without comprehension at best and, even then, you certainly don't do so with any modern OS and keep up with the myriad updates that come down the pipe daily. Which OS is this? Chances are, unless it's proprietary, I've used it. Hell, even if it is proprietary, I've probably used it.
"So long and thanks for all the fish."
There's a disinfo unit out of Fort Meade that uses low-grade nerds in uniform to overwhelm people in chatrooms when certain subjects come up; the government has openly solicited bids for software to allow these clowns to "handle multiple simultaneous chatbots and user accounts."
Yup, the jig's now up. Anyone who disagrees simply can't see the forest for all the straw, man.
Listen, you choose to wheel out a Matt Damon quote, and that's cool, that's fine. I don't have a problem with that. But do at least try to get the quote right, would ya?
I had not heard or read anything about this. That is not even remotely surprising. I know the Russians use it and I know that there are some paid posters with various companies. I'm not terribly surprised that the US government would be involved though I guess it's a bit surprising that it is in the hands of the Army as opposed to something a bit more clandestine or tasked with a different charter. I could envision the US Army wanting to do so for defensive and offensive purposes when dealing with externalities but, internally? That's a little odd for the Army to be tasked with.
Surprising? No, not really. Just in who it is. That's the only odd thing that I got from your post. I'd expect something, perhaps the NSA, different to be involved. Maybe the CIA but probably not the FBI. The Army is surprising but they've got a pretty decent "cyber warfare" program. I'd expect it to be external but, then again, the web is (by its nature) international.
I've no idea if that's applicable here, with this particular person. If it is, then they're doing a very poor job of it and need to fire this guy. If it is automated then they need to tune them up again. They're illogical, inconsistent, instigating, interrupting, and inferior. (That's just a few of the words beginning with the letter "I".) They should ask for a refund, unless being unbelievable and obtuse is their goal? If "instantly recognized as a meatstick" is a desired operational parameter then they've achieved that.
Oddly, this is not the first time I've made such observations and a few of them have quietly disappeared when others noticed. I do wonder if you're are indeed onto something? It does seem a strange program for the Army to be involved in. I'd really expect a group tasked with such would be under a different heading - though perhaps it's buried under the Pentagon itself and is just manifest through the Army as they're already set up with a "cyber defense" program? I'd love more information, if you have it.
"So long and thanks for all the fish."
It is important, to me, to realize that it doesn't have to be in isolation. Innocuous looking code may be truly benign -- until it is compounded by externalities beyond the control of the user and their systems. Who's to say, for example, that there's no hidden magic where packets are injected with content while in transit and that the injection doesn't alter the results? There's no reason to believe it needs to be simple, there could be many varied (and trivial-seeming) manipulations that chance the expected behavior without actually changing the expected results.
Security is a process, not an application. Nothing is completely secure - nor will it ever be. Security is deciding what you want to do and making informed choices about the risks you'll accept to achieve the goals needed to reach the desired end. It is about accepting risks - or not accepting risks. It is about varied levels as there is no such thing as complete security. It is not a binary thing and the answer is not even remotely associated with software licenses.
I've said many times how much I admire Snowden but his continued opining on things he knows nothing about is annoying. That doesn't mean we should stop giving him attention - not at all. We just need to accept that he's annoying as of late. We need to keep him around and in the limelight a while longer, ideally until a conclusion is reached. It was amusing to hear him opine on Apple. The guy's been out of the scene since before the phone was released, was never a part of the FBI, but felt qualified to authoritatively and affirmatively state the capabilities of multiple parties. I pointed that out. Nobody actually bothered to pay attention to what they were responding to and seemed more interested in asserting that Snowden somehow, mysteriously, was eminently qualified to make absolute statements.
Speculation? I'd have been more open to. "It seems likely that they can do..." Instead it was, "They can do..." Pointing out the difference made me a troll, for some reason? I kind of giggled at the replies. They simply fail to see the difference.
"So long and thanks for all the fish."
Free and open source software can be _used_ for any purpose, good or evil.
Sure we can acknowledge the good that is done, but lets not forget the evil its used for.
If there was an ethical licence, it would not be considered free or open, unfortunately.
Apparently you also have bad memory and dyslexia. And your creativity in insults is lacking, as you cannot even do more than copy. Seems my estimation of your level of insight is exactly right, namely none at all.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Ahahahahahaha, your naivety is cute.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Which is a good example how and why OSS works: It was found, documented, traced back (no sign of foul play) and fixed. What do you think would have happened in a commercial, closed library?
In commercial software it would be found, documented, traced back, and fixed. Documentation would be internal.
Not in the vast majority of companies. I've been a professional software engineer for better than 25 years, and I've worked for a lot of different companies. In almost none of them is there any focus at all on going back to identify and fix problems in existing code. It's always about the next product release, or the next customization request... what will bring in more money.
There are some exceptions, but they're mostly companies and products who are facing significant outside scrutiny. These days, I'm sure Cisco is spending a lot on internal security research, but only because they've been caught several times very publicly with their pants down, for example.
OSS isn't a panacea, obviously. But it does mean that when someone decides they do care enough to look, they can find the problems, and fix them.
Sure! It's secure-free-software-here.totally-not-the-nsa.gov.sorry-i-mean.org
sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
though I guess it's a bit surprising that it is in the hands of the Army as opposed to something a bit more clandestine or tasked with a different charter.
Considering their choice of location, it's easy to surmise that this is a joint military/intelligence endeavor of some sort...
Yeah, it is Meade. Hmm... I'll see what I can dredge up about it. I have some friends that are still in and have increased in rank a great deal. However, they're all Marines or Navy. Still, they might have some scuttlebutt. If anything interesting pops up, I'll email you. No need to respond, obviously.
"So long and thanks for all the fish."
There's a disinfo unit out of Fort Meade that uses low-grade nerds in uniform to overwhelm people in chatrooms when certain subjects come up; the government has openly solicited bids for software to allow these clowns to "handle multiple simultaneous chatbots and user accounts."
"Clowns," huh? Unless you have some other info you seem to be confused about this program:
U.S. Central Command 'friending' the enemy in psychological war
By Shaun Waterman - The Washington Times - Tuesday, March 1, 2011
The U.S. Central Command is stepping up psychological warfare operations using software that allows it to target social media websites used by terrorists.
The Tampa, Fla.-based military command that runs the wars in Iraq and Afghanistan recently bought a special computer program that troops use to create multiple fake identities on the Internet. The military uses the fictitious identities to infiltrate groups and in some cases spread disinformation among extremist organizations such as al Qaeda and the Taliban with the goal of disrupting their operations, according to documents and U.S. officials.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
It looks to me like "Type44Q" is confused about this program that has been previously discussed on Slashdot IIRC:
U.S. Central Command 'friending' the enemy in psychological war
Not really what is implied by him.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
Snowden used free software to commit what is basically a crime and brags about it...
That his crime is defensible using whistleblower protection, that it is "for greater good" doesn't make it different from a technical standpoint.
And while anyone that understand the idea behind free software and encryption know that it can help good citizens and criminals alike but it may not be the same for the general public. And many of them view Snowden as a traitor.
Is this a good thing for OSS, that Snowden mentions it made what he did possible? Snowden may get thumbs up by most on this site, i believe the average joe takes the side of the government and think he's a 'terrorist'. What people know about OSS (if at all) is what MS and other companies have bombarded them with the last +10 years or so (communist, cancer, etc). So putting these two together, how will this affect the reputations of OSS more? might give the government more free play to limit OSS development.
On a long enough timeline, the survival rate for everyone drops to zero.
Security is a process, not an application. Nothing is completely secure - nor will it ever be.
It may not be an application, but I'd like the see the NSA, et al recover from one of these.
I jest, of course, but these things fascinate the little kid in me.
"If you have nothing to hide, you have nothing to fear." - Every fascist, ever
Also known as "professional experience," but maybe you have a hard time dealing with word meanings?
"He says something different than what I believe" doesn't imply naivety. It only implies we're different people.
Make a point next time, beyond the raw pejorative.
Of course. But this takes a lot more efford and you still have the chance, that somebody fixed your "small bug" before you finish your evil masterplan.