Are you mentally challenged? You of course just stand in the window normally and watch when the motorcade arrives AND THEN you go into the prone position. And of course the trees have grown a lot since 1963.
But it is actually a cyber weapon. Instead of bombing the facility with conventional weapons it used software to sabotage the facility. Stuxnet was specially designed to be an actual cyber weapon.
No you can't just audit the output by starting with 1 line of C code and move up from there, because you don't know what is the actual trigger for the back door. It can be any number of specific lines of code, includes modules or at least some output size of the binary.
It doesn't have to be tiny, you can hide the code in data or other code. But even so just take a look at how tiny some programs are in the demoscene, you can build incredibly small code that does a lot. Also take a lookt at how some viruses are done, some use polymorphic code to hide their signature.
Are really saying that this type of thing can't be done? You have little faith in human intelligence.
That's a non-trivial hack, how do you propose it "detect specific enryption algorithms in truecrypt" to detect that its compiling truecrypt, and then modify it. How many bytes of code do you think it would take to program that?
You say it like it is complicated. This is just programming, Microsoft and the NSA has billions of dollars to throw at the problem. It doesn't matter how much space it takes it can be done.
Yes it has to be hidden, but you can have self modifying code and you can have code that looks like it does something innocent but actually does something else. Has anybody actually audited the MSVC binary? Didn't think so.
Of course it isn't something simple like if "solution name" = truecrypt, that is just stupid. It's more like detecting specific encryption algorithms in TrueCrypt and injecting code that makes the encryption weaker by either modifying the encryption slightly or storing maybe part of the key somewhere in the data. So for the right people who know about the back door, decrypting becomes an easy task.
How plausible is that? Well I guess you haven't read about the Ken Thompson hack for the C compiler. Doing something like this is VERY plausible.
Not injecting backdoor into everything, just into the TrueCrypt binary. What is the easiest way to inject a backdoor into TrueCrypt? By asking Microsoft to add a backdoor to the MSVC compiler.
You missed my point. As long as the MSVC compiler is used you can't be sure the binary is correct, even thought the source is audited. The only way to do a validated Windows binary build is to use an open source C++ compiler that has been audited to compile the Windows version of TrueCrypt.
It's a smart move because you don't want to alienate your possible customers. Either the pirates will buy your stuff in the future or they won't ever. Giving them a copy of the software that they already pirated doesn't cost Apple anything.
Given that you can't trust the MSVC compiler, you would either have to use a different open source compiler or the audit would have to be for the generated assembly instead of the source.
That was a weird statement to make, what is that supposed to mean? Writing compilers isn't actually very complex, I have written a few compilers myself, and putting a backdoor injection into a compiler is trivial. The hard thing to do is to hide the backdoor and make it look like innocent code.
There is one problem with his findings. In order to compile TrueCrypt you have to use Microsoft Visual C++ compiler, which is made by Microsoft from a closed source. If I was the NSA I would but the backdoor in the compiler and it would get injected into the binary whenever TrueCrypt was compiled.
These are all elementary software mistakes: 1) You never reuse a flag for a working code, because it makes it impossible to revert back to older deployment. 2) You always double check deployments to make sure it actually succeeded.
When no one has any idea who are the authors to Truecrypt and there has been no audit and no one can be sure if the binaries have not been tampered with, Truecrypt is useless and you have to assume that NSA have infiltrated the Truecrypt developers.
If I was the NSA then I would have put together a team already to create the most user friendly encryption tool available (with NSA backdoor of course) to make sure that the common people will use that tool if they want encryption.
What is the most disturbing part of this story is it seems that box.com doesn't have any major infrastructure for backup of users data. I would have thought that it would be as simple as pressing a button "undelete" for the box.com support people to restore last available data before deletion.
The problem is of course any game that becomes popular on Linux will be ported to other platforms like Xbox,PS3 and Windows. So that immediately kills that idea.
Slashdot Mirror
Are you mentally challenged? You of course just stand in the window normally and watch when the motorcade arrives AND THEN you go into the prone position. And of course the trees have grown a lot since 1963.
What? How does some text some dude wrote in a book 2000 years count as evidence?
I repeat there is no evidence for a creator.
There is no evidence for a creator.
But it is actually a cyber weapon. Instead of bombing the facility with conventional weapons it used software to sabotage the facility. Stuxnet was specially designed to be an actual cyber weapon.
No you can't just audit the output by starting with 1 line of C code and move up from there, because you don't know what is the actual trigger for the back door. It can be any number of specific lines of code, includes modules or at least some output size of the binary.
It doesn't have to be tiny, you can hide the code in data or other code. But even so just take a look at how tiny some programs are in the demoscene, you can build incredibly small code that does a lot. Also take a lookt at how some viruses are done, some use polymorphic code to hide their signature.
Are really saying that this type of thing can't be done? You have little faith in human intelligence.
That's a non-trivial hack, how do you propose it "detect specific enryption algorithms in truecrypt" to detect that its compiling truecrypt, and then modify it. How many bytes of code do you think it would take to program that?
You say it like it is complicated. This is just programming, Microsoft and the NSA has billions of dollars to throw at the problem. It doesn't matter how much space it takes it can be done.
Yes it has to be hidden, but you can have self modifying code and you can have code that looks like it does something innocent but actually does something else. Has anybody actually audited the MSVC binary? Didn't think so.
Of course it isn't something simple like if "solution name" = truecrypt, that is just stupid. It's more like detecting specific encryption algorithms in TrueCrypt and injecting code that makes the encryption weaker by either modifying the encryption slightly or storing maybe part of the key somewhere in the data. So for the right people who know about the back door, decrypting becomes an easy task.
How plausible is that? Well I guess you haven't read about the Ken Thompson hack for the C compiler. Doing something like this is VERY plausible.
Not injecting backdoor into everything, just into the TrueCrypt binary. What is the easiest way to inject a backdoor into TrueCrypt? By asking Microsoft to add a backdoor to the MSVC compiler.
All I see is woman with large breasts, woman with medium breasts, woman with small breasts, and this one looks like you... with breasts.
Yes and he used the MSVC compiler which could include the NSA backdoor.
The compiler doesn't have to attach the backdoor to everything, only when the TrueCrypt binary is being created.
You missed my point. As long as the MSVC compiler is used you can't be sure the binary is correct, even thought the source is audited. The only way to do a validated Windows binary build is to use an open source C++ compiler that has been audited to compile the Windows version of TrueCrypt.
The Windows version is compiled with MSVC, which almost certainly has a NSA backdoor that gets compiled into the TrueCrypt binary.
And how does that help with Windows 7, Linux, or basically any other OS or browser? The good thing about iGoogle is that it was not OS dependent.
It's a smart move because you don't want to alienate your possible customers. Either the pirates will buy your stuff in the future or they won't ever. Giving them a copy of the software that they already pirated doesn't cost Apple anything.
Given that you can't trust the MSVC compiler, you would either have to use a different open source compiler or the audit would have to be for the generated assembly instead of the source.
That was a weird statement to make, what is that supposed to mean? Writing compilers isn't actually very complex, I have written a few compilers myself, and putting a backdoor injection into a compiler is trivial. The hard thing to do is to hide the backdoor and make it look like innocent code.
There is one problem with his findings. In order to compile TrueCrypt you have to use Microsoft Visual C++ compiler, which is made by Microsoft from a closed source. If I was the NSA I would but the backdoor in the compiler and it would get injected into the binary whenever TrueCrypt was compiled.
But did this guy check why the Windows version writes mysterious random bytes in the header but not in the Linux version?
I am waiting for the 8K displays :)
These are all elementary software mistakes:
1) You never reuse a flag for a working code, because it makes it impossible to revert back to older deployment.
2) You always double check deployments to make sure it actually succeeded.
When no one has any idea who are the authors to Truecrypt and there has been no audit and no one can be sure if the binaries have not been tampered with, Truecrypt is useless and you have to assume that NSA have infiltrated the Truecrypt developers.
If I was the NSA then I would have put together a team already to create the most user friendly encryption tool available (with NSA backdoor of course) to make sure that the common people will use that tool if they want encryption.
Except that NSA can read your Truecrypt files:
http://threatpost.com/truecrypt-audit-could-answer-troubling-questions
What is the most disturbing part of this story is it seems that box.com doesn't have any major infrastructure for backup of users data. I would have thought that it would be as simple as pressing a button "undelete" for the box.com support people to restore last available data before deletion.
The problem is of course any game that becomes popular on Linux will be ported to other platforms like Xbox,PS3 and Windows. So that immediately kills that idea.
Well at least I know now my next GPU upgrade will be Nvidia.