Linus Torvalds Admits He Was Approached By US Government To Insert Backdoor Into Linux -- Or Does He?

from the who-can-you-trust? dept

At the LinuxCon meeting in New Orleans, Linus Torvalds was asked if he had ever been approached by the US government to insert a backdoor into the Linux kernel. Here's his characteristic answer:

    Torvalds responded "no" while shaking his head "yes," as the audience broke into spontaneous laughter.

Obviously, it's hard to tell from that whether he really meant "yes" or "no". But the question does touch on an important issue: whether open source might be less vulnerable than traditional applications to tampering by the NSA or other intelligence organizations. That's plausible, because by definition free software's code is always available for inspection; the idea is that even if backdoors are somehow introduced, they will be spotted by people looking over the code.

Of course, there are some problems with that. The first is that just because the code is available does not mean anyone will look at it. Secondly, even if the source code is examined and looks fine, that doesn't imply that the compiled version you run on your machine will be -- a well-known and deep problem. So does that mean we should give up on the hope that open source might be better than traditional closed source when it comes to backdoors?

Not necessarily. Here, for example, is the security expert Bruce Schneier writing in the Guardian a couple of weeks ago on the best ways to stay secure in the light of the revelations about the NSA's activities. One suggestion was as follows:

    Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software.

After listing a number of recommended software tools, he also makes the following comment:

    I understand that most of this is impossible for the typical internet user. Even I don't use all these tools for most everything I am working on. And I'm still primarily on Windows, unfortunately. Linux would be safer.

That's just one voice, albeit a highly-respected one. Here's another, saying much the same thing as Schneier:

    Thanks to the recent NSA leaks, people are more worried than ever that their software might have backdoors. If you don't believe that the software vendor can resist a backdoor request, the onus is on you to look for a backdoor. What you want is software transparency.

    Transparency of this type is a much-touted advantage of open source software, so it's natural to expect that the rise of backdoor fears will boost the popularity of open source code. Many open source projects are fully transparent: not only is the source code public, but the project also makes public the issue tracker that is used to manage known defects and the internal email discussions of the development team. All of these are useful in deterring backdoor attempts.

That's from Ed Felten (pdf), Professor of Computer Science and Public Affairs, Princeton University, and someone whose name has appeared on Techdirt many times. Despite his upbeat assessment of the value of open source in providing software transparency, the rest of his post urges caution:

    transparency does not guarantee that holes will be found, because there might not be enough eyeballs on the code. For open source projects, finding backdoors, or security vulnerabilities in general, is a public good, in the economists' sense that effort spent on it benefits everyone, including those who don't contribute any effort themselves. So it's not obvious in advance that any particular open source project can avoid backdoors.

In other words, open source is not a panacea: it is not guaranteed to protect you from backdoors. But, like encryption, it is probably one of the best defenses we have -- whether or not Torvalds was asked to add a backdoor to Linux.

Follow me @glynmoody on Twitter or identi.ca, and on Google+


Filed Under: backdoors, linus torvalds, open source, surveillance, trust


Reader Comments



  • icon
    sophisticatedjanedoe (profile), 19 Sep 2013 @ 2:26pm

    It's all conspiracy theories. Linus a Bulgarian. That's it.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Sep 2013 @ 2:33pm

    The question was "were you asked" when it should have been "did you implement". We still have no answer to the latter.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Sep 2013 @ 2:45pm

      Re:

      Eh, Linus doesn't even write much of the code these days - he's just the gatekeeper reviewing and accepting patches from his downstream colleagues.

      So even if he didn't, there's 10, 100, 1000s more people who could have pushed a change upstream that looked innocent, but was in fact not.

      We can only hope that somewhere along the way, those attempts get filtered out as "junk" when reviewers detect vulnerabilities.

      link to this | view in chronology ]

    • icon
      John Fenderson (profile), 20 Sep 2013 @ 9:40am

      Re:

      Or the former.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Sep 2013 @ 2:40pm

    Deliberately putting a backdoor in open source software would be stupid. The source code is available to anyone, which includes other spy organisations. Due to the massive use of Linux for large scale servers, it seems sensible to assume that other spy agencies have people looking at the code.
    The NSA wouldn't be that stupid, would they?

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Sep 2013 @ 2:52pm

      Re:

      hahahahahaha....oh, you were serious. Yes, the NSA actually IS that stupid.

      link to this | view in chronology ]

    • identicon
      DCX2, 19 Sep 2013 @ 3:16pm

      Re:

      How many people actually compile their open source software from source? In my experience, the vast majority download precompiled binaries. What's stopping NSA from presenting SourceForge with a gag order that lets them insert secret backdoors into all binaries uploaded to the service?

      link to this | view in chronology ]

      • icon
        G Thompson (profile), 19 Sep 2013 @ 7:10pm

        Re: Re:

        I think you would be amazed how often .make is still actually used nowadays for all backend software (not just kernels) by enterprise users. Just because the PC world uses Ubuntu et al. and its KISS software installations doesn't mean the actual orgs that rely on *nix for major use don't compile directly from source.

        link to this | view in chronology ]

        • icon
          RonKaminsky (profile), 20 Sep 2013 @ 2:32am

          NSA exposures may actually require compilation

          If a corporation is distributing GPL-licensed software like Linux, and it has become well-known that there is a significant chance that the NSA has corrupted Linux binaries, then in order to avoid legal liability the corporation might have to compile from source --- since the NSA backdoors wouldn't be GPL-licensed (presumably, and even if so, the corporation would be unable to distribute the sources to those backdoors).

          The companies actually contacted by the NSA would almost certainly be immune, however (if they were American).

          link to this | view in chronology ]

    • identicon
      PRMan, 19 Sep 2013 @ 3:23pm

      Re:

      The NSA created AES, which almost everyone uses. Does it have a flaw known only to them?

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 20 Sep 2013 @ 7:02am

        Re: Re:

        IBM does major work for the government.
        IBM contributes to Linux.

        Did IBM receive a NSA notice and request to insert backdoors?

        How many other companies contribute to Linux?
        Have any of them inserted backdoors?

        We know Microsoft, Apple, Google, Yahoo, Facebook and a dozen others are sending the NSA data.

        How would you feel about this if you were the Russian, Chinese, etc. government?

        Well the Brazilians are furious about the NSA interception of Brazilian government e-mail.

        If you were any of these governments what would you do to protect your data?

        Did the NSA shit in their soup bowl?

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Sep 2013 @ 1:25am

      Re:

      The German government though was LoL
      https://www.datenschutzzentrum.de/material/themen/presse/anonip_e.htm

      The JAP (Java Anonymous Proxy) is a cautionary tale.

      link to this | view in chronology ]

    • icon
      John Fenderson (profile), 20 Sep 2013 @ 9:44am

      Re:

      It's not as hard as you might think to introduce security weaknesses in a way that can pass source code examination. The NSA attempting to do this with OSS is no more inherently stupid than attempting it with closed source software.

      link to this | view in chronology ]

  • This comment has been flagged by the community.
    identicon
    out_of_the_blue, 19 Sep 2013 @ 2:53pm

    Not to mention paid-for corporate spying! -- Because yet again, you DIDN'T.

    Got a recent Firefox? Type "about:config" into address bar, click away the frightening question, then type "google" into internal search field. You'll almost certainly see that the "Safebrowsing" link goes right to Google, so that can get around all other measures and Google gets to learn every site that you visit, log it, and eventually collate to profile you. (You can supposedly switch it off, and you can modify it to empty string, but without a network sniffer you don't really KNOW whether it stops reporting!) -- So, one of you corporatists again try to tell me that you can avoid Google, meaning without considerable effort, and even then, only maybe. I keep hoping that soon as the public just learns the facts that Google will be cut down.

    And I'm sure everyone knows that Microsoft operating systems have a number of "services" running that similarly report anything and everything you do.

    link to this | view in chronology ]

    • identicon
      Slicerwizard, 19 Sep 2013 @ 4:14pm

      Re: Not to mention paid-for corporate spying! -- Because yet again, you DIDN'T.

      " but without a network sniffer you don't really KNOW whether it stops reporting! So, one of you corporatists again try to tell me that you can avoid Google, meaning without considerable effort, and even then, only maybe."

      More lies from blue balls.

      1) It's trivial to run a program like TCPView; no "considerable effort" required.

      2) If a browser didn't honor users' wishes in this regard, we'd hear about it pretty quickly. Popular programs that are used by millions have too many eyes watching them.

      link to this | view in chronology ]

    • icon
      PaulT (profile), 20 Sep 2013 @ 12:43am

      Re: Not to mention paid-for corporate spying! -- Because yet again, you DIDN'T.

      "Got a recent Firefox? "

      Yes, but I tend to use Opera as my primary browser on the desktop, Safari on mobile. They have many competitors in both spaces.

      If Firefox's implementation scares you so much, why are you using it? Why aren't you getting together with your fellow conspiracy theorists and editing the source code to remove the Google-pointing bits, like you have the tools and access to do?

      How can someone be simultaneously that paranoid and that lazy?

      "you corporatists"

      Wait, aren't you the one usually complaining that we're "pirates" and "grifters" robbing corporations of their profits?

      If you're going to make up stupid terms to try and insult people at least be consistent about them.

      "everyone knows that Microsoft..."

      Yes, which is why the non-moron, non-lazy among us use alternatives where possible, to the point where Microsoft has lost its monopoly in many of the areas where it held one a decade or so ago.

      Stop whining, do something about it other than lying on a web forum and maybe the world will change the way you want it to. Stop using Google, you abject moron, it's extremely easy if you're not waiting around for someone to do it for you.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Sep 2013 @ 1:48am

      Re: Not to mention paid-for corporate spying! -- Because yet again, you DIDN'T.

      blue you are hilarious, this is why I am going to give you a bone.

      Firefox addon: TamperData

      Sniff all you want, no need to install Wireshark to see what your "browser" is doing.

      In Chrome (from Evil Google) you don't even need to install anything, just use the integrated sniffer on the developers tool menu.

      Now if you need some assistance learning how to use that addon, you can go to Youtube and watch any of the hundreds of videos explaining how it works.

      It will show you all the browser's unencrypted traffic, yay!

      link to this | view in chronology ]

  • identicon
    DCX2, 19 Sep 2013 @ 3:12pm

    Don't trust - reverse engineer

    Can you really trust "open source"? Do you compile from the source yourself, or download the precompiled binary for your platform? How can you know that the binary you are downloading was actually produced by the source?

    To the reverse engineer, all programs are open source. Some are more open source than others, but all can be disassembled, decompiled, and analyzed.

    Even if you use open source software, and even if you compile it yourself, you still might benefit from reversing the binary you made to ensure that it is doing exactly what you think it's doing.

    Oh, and it never hurts to remove the WiFi card from your laptop, hook it up to the Internet over Ethernet with a hub, and then plug in another computer to the hub which is running wireshark.

    link to this | view in chronology ]
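
One way to approach the question in the comment above, which the article also raises about the compiled version, as an added example that is not part of the original post or thread: rebuild from source and compare your build output with the distributed package file by file. It assumes the project's build is reproducible (same source and toolchain give identical files); the archives and file names below are constructed sample data.

```python
import hashlib
import io
import tarfile


def make_tar(files, mtime):
    """Pack {name: bytes} into an in-memory tar (stands in for a build output)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime  # build time: legitimately differs per build
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def archive_sha256(archive):
    """Digest of the whole package, metadata included."""
    return hashlib.sha256(archive).hexdigest()


def content_digests(archive):
    """Map every regular file in the package to the SHA-256 of its bytes."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_builds(local_build, downloaded):
    """List files whose contents differ between your build and the download."""
    mine, theirs = content_digests(local_build), content_digests(downloaded)
    return {
        "modified": sorted(n for n in mine.keys() & theirs.keys()
                           if mine[n] != theirs[n]),
        "missing": sorted(mine.keys() - theirs.keys()),
        "extra": sorted(theirs.keys() - mine.keys()),
    }


# Constructed sample data: these byte strings are not real binaries.
BUILD = {"bin/tool": b"\x7fELF constructed tool v1",
         "lib/libtool.so": b"\x7fELF constructed lib v1"}
LOCAL = make_tar(BUILD, mtime=1379600000)      # what you compiled yourself
MIRROR_OK = make_tar(BUILD, mtime=1379686400)  # same code, packaged a day later
MIRROR_BAD = make_tar({**BUILD,
                       "bin/tool": BUILD["bin/tool"] + b" +patch",
                       "lib/hook.so": b"\x7fELF constructed extra"},
                      mtime=1379686400)        # contents changed after the build

if __name__ == "__main__":
    # Whole-archive hashes differ even for the honest mirror (timestamps),
    # so the comparison has to be made on file contents.
    print("archive hashes equal:", archive_sha256(LOCAL) == archive_sha256(MIRROR_OK))
    print("honest mirror:", compare_builds(LOCAL, MIRROR_OK))
    print("altered mirror:", compare_builds(LOCAL, MIRROR_BAD))
```

A clean comparison only shows that the download equals your own build; it says nothing about whether the compiler that produced both is trustworthy.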

    • identicon
      PRMan, 19 Sep 2013 @ 3:25pm

      Re: Don't trust - reverse engineer

      Which assumes that router manufacturers haven't been forced to get into the game and hide the traffic from wireshark.

      link to this | view in chronology ]

      • icon
        PopeRatzo (profile), 19 Sep 2013 @ 3:52pm

        Re: Re: Don't trust - reverse engineer

        Use an old Pentium III as your router.

        link to this | view in chronology ]

        • icon
          Chronno S. Trigger (profile), 19 Sep 2013 @ 7:30pm

          Re: Re: Re: Don't trust - reverse engineer

          "Use an old Pentium III as your router."

          And we've looped back around on ourselves. If we can't trust pre-compiled software, we can't use a P3 as a router.

          link to this | view in chronology ]

          • icon
            bratwurzt (profile), 20 Sep 2013 @ 2:16am

            Re: Re: Re: Re: Don't trust - reverse engineer

            To understand recursion first you must understand recursion.

            link to this | view in chronology ]

          • identicon
            DCX2, 20 Sep 2013 @ 7:56am

            Re: Re: Re: Re: Don't trust - reverse engineer

            Your statement makes as much sense as "if we can't trust an orange, we can't eat the apple either." A Pentium 3 is hardware, not software.

            You could very easily put your own personally compiled kernel of Linux onto a Pentium 3 and load it up with your own personally compiled version of wireshark.

            link to this | view in chronology ]

            • identicon
              Anonymous, 21 Sep 2013 @ 4:24pm

              Re: Re: Re: Re: Re: Don't trust - reverse engineer

              I don't want anything to do with Apple anyway.

              link to this | view in chronology ]

      • identicon
        DCX2, 20 Sep 2013 @ 7:54am

        Re: Re: Don't trust - reverse engineer

        I didn't say router, I said hub. Routers will not work, because the router will direct traffic only where it needs to go, meaning wireshark won't see it, no need to be "into the game" because that's what routers are designed to do.

        You need a hub specifically, because hubs rebroadcast the data they receive from one port to all ports. That's the only way you'll be able to eavesdrop.

        If you still think even hubs will be compromised (due to their simplicity, I would think this would be easy to determine...) then you could leave WiFi on, and use wireshark to record all the 802.11 packets that your target computer is transmitting.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Sep 2013 @ 3:59pm

    "The act of breaking into a computer system has to have the same social stigma as breaking into a neighbor's house. It should not matter that the neighbor's door is unlocked. The press must learn that misguided use of a computer is no more amazing than drunk driving of an automobile."

    link to this | view in chronology ]

  • icon
    Hephaestus (profile), 19 Sep 2013 @ 4:18pm

    In the end, the NSA spying program is probably going to kill closed source software. Microsoft, Oracle, and their ilk are likely going to be feeling the repercussions for the next 20 years. If they last that long.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Sep 2013 @ 7:09am

      Re:

      Worse than that, from an American perspective it will most likely kill Silicon Valley as other countries retaliate against the NSA attempt at world domination.

      From an American economic perspective it also could end the one bright spot on the national economic front as software for foreign entities is more and more developed in a non spy environment.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Sep 2013 @ 5:19pm

    Another problem is that the compiler itself could be compromised and programmed to make a slight change in a portion of code that would introduce a security flaw that could be exploited.

    link to this | view in chronology ]

  • identicon
    Bob, 19 Sep 2013 @ 5:23pm

    Considering Linux's /dev/random device is fundamentally broken (See Ben Laurie's posts for details) he doesn't need to.

    link to this | view in chronology ]

  • icon
    ECA (profile), 19 Sep 2013 @ 7:03pm

    Can I suggest

    I know an easier way..

    MAKE A PROGRAM THE CONSUMER WOULD USE...
    An anti virus/game/chat Program what works VERY WELL..
    and insert your OWN bot into it..
    Then ask the OTHER AV makers not to search for it...
    Easy.

    and you could make it work on many OS's..
    Think hard now..
    Yahoo
    MSN
    Google
    Excite
    Game chats..and many others...

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Sep 2013 @ 4:01am

      Re: Can I suggest

      There are already plenty of ways to hide bad processes from AVs. And some have been working for years... Just poke the infosec people, old pubbers or anyone heavily involved in warez (not your common script kiddie).

      link to this | view in chronology ]

  • icon
    Shon Gale (profile), 20 Sep 2013 @ 6:23am

    Can we trust the NSA to protect my car's source code from terrorists? 100 plus million lines of code and all it takes is 1 or 2 lines to tap into WiFi / Bluetooth and control your car. Speed it up! Put on the brakes! Turn it left and right! Turn it off! Stop it in the middle of the freeway with a truck coming at you! The Toyota problems we recently saw are just tests and they succeeded brilliantly. They left no trace when they hacked the car. Toyotas are totally hacked and can be controlled by anyone who was planted in software development with these large companies. None of your software is safe from Indian / Pakistani Terrorists working for cheap.

    link to this | view in chronology ]

  • icon
    RyanNerd (profile), 20 Sep 2013 @ 7:36am

    All your backdoors...

    are belong to us.

    link to this | view in chronology ]

