Linus Torvalds Admits He Was Approached By US Government To Insert Backdoor Into Linux -- Or Does He?
from the who-can-you-trust? dept
At the LinuxCon meeting in New Orleans, Linus Torvalds was asked if he had ever been approached by the US government to insert a backdoor into the Linux kernel.
Here's his characteristic answer:
Torvalds responded "no" while shaking his head "yes," as the audience broke into spontaneous laughter.
Obviously, it's hard to tell from that whether he really meant "yes" or "no". But the question does touch on an important issue: whether open source might be less vulnerable than traditional applications to tampering by the NSA or other intelligence organizations. That's plausible, because by definition free software's code is always available for inspection; the idea is that even if backdoors are somehow introduced, they will be spotted by people looking over the code.
Of course, there are some problems with that. The first is that just because the code is available does not mean anyone will look at it. Secondly, even if the source code is examined and looks fine, that doesn't imply that the compiled version you actually run on your machine will be -- a well-known and deep problem. So does that mean we should give up on the hope that open source might be better than traditional closed source when it comes to backdoors?
Not necessarily. Here, for example, is the security expert Bruce Schneier writing in the Guardian a couple of weeks ago on the best ways to stay secure in the light of the revelations about the NSA's activities. One suggestion was as follows:
Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software.
After listing a number of recommended software tools, he also makes the following comment:
I understand that most of this is impossible for the typical internet user. Even I don't use all these tools for most everything I am working on. And I'm still primarily on Windows, unfortunately. Linux would be safer.
That's just one voice, albeit a highly-respected one. Here's another, saying much the same thing as Schneier:
Thanks to the recent NSA leaks, people are more worried than ever that their software might have backdoors. If you don't believe that the software vendor can resist a backdoor request, the onus is on you to look for a backdoor. What you want is software transparency.
That's from Ed Felten (pdf), Professor of Computer Science and Public Affairs, Princeton University, and someone whose name has appeared on Techdirt many times. Despite his upbeat assessment of the value of open source in providing software transparency, the rest of his post urges caution:
Transparency of this type is a much-touted advantage of open source software, so it's natural to expect that the rise of backdoor fears will boost the popularity of open source code. Many open source projects are fully transparent: not only is the source code public, but the project also makes public the issue tracker that is used to manage known defects and the internal email discussions of the development team. All of these are useful in deterring backdoor attempts.
Transparency does not guarantee that holes will be found, because there might not be enough eyeballs on the code. For open source projects, finding backdoors, or security vulnerabilities in general, is a public good, in the economists' sense that effort spent on it benefits everyone, including those who don't contribute any effort themselves. So it's not obvious in advance that any particular open source project can avoid backdoors.
In other words, open source is not a panacea: it is not guaranteed to protect you from backdoors. But, like encryption, it is probably one of the best defenses we have -- whether or not Torvalds was asked to add a backdoor to Linux.
Follow me @glynmoody on Twitter or identi.ca, and on Google+
Filed Under: backdoors, linus torvalds, open source, surveillance, trust
Reader Comments
The NSA wouldn't be that stupid would they?
Re:
So even if he didn't, there's 10, 100, 1000s more people who could have pushed a change upstream that looked innocent, but was in fact not.
We can only hope that somewhere along the way, those attempts get filtered out as "junk" when reviewers detect vulnerabilities.
Not to mention paid-for corporate spying! -- Because yet again, you DIDN'T.
And I'm sure everyone knows that Microsoft operating systems have a number of "services" running that similarly report anything and everything you do.
Don't trust - reverse engineer
To the reverse engineer, all programs are open source. Some are more open source than others, but all can be disassembled, decompiled, and analyzed.
Even if you use open source software, and even if you compile it yourself, you still might benefit from reversing the binary you made to ensure that it is doing exactly what you think it's doing.
Oh, and it never hurts to remove the WiFi card from your laptop, hook it up to the Internet over Ethernet with a hub, and then plug in another computer to the hub which is running wireshark.
Re: Not to mention paid-for corporate spying! -- Because yet again, you DIDN'T.
More lies from blue balls.
1) It's trivial to run a program like TCPView; no "considerable effort" required.
2) If a browser didn't honor users' wishes in this regard, we'd hear about it pretty quickly. Popular programs that are used by millions have too many eyes watching them.
Can I suggest
MAKE A PROGRAM THE CONSUMER WOULD USE...
An anti virus/game/chat Program what works VERY WELL..
and insert your OWN bot into it..
Then ask the OTHER AV makers not to search for it...
Easy.
and you could make it work on many OS's..
Think hard now..
Yahoo
MSN
Google
Excite
Game chats..and many others...
Re: Re: Re: Don't trust - reverse engineer
And we've looped back around on ourselves. If we can't trust pre-compiled software, we can't use a P3 as a router.
Re: Not to mention paid-for corporate spying! -- Because yet again, you DIDN'T.
Yes, but I tend to use Opera as my primary browser on the desktop, Safari on mobile. They have many competitors in both spaces.
If Firefox's implementation scares you so much, why are you using it? Why aren't you getting together with your fellow conspiracy theorists and editing the source code to remove the Google-pointing bits, like you have the tools and access to do?
How can someone be simultaneously that paranoid and that lazy?
"you corporatists"
Wait, aren't you the one usually complaining that we're "pirates" and "grifters" robbing corporations of their profits?
If you're going to make up stupid terms to try and insult people at least be consistent about them.
"everyone knows that Microsoft..."
Yes, which is why the non-moron, non-lazy among us use alternatives where possible, to the point where Microsoft has lost its monopoly in many of the area where it held one a decade or so ago.
Stop whining, do something about it other than lying on a web forum and maybe the world will change the way you want it to. Stop using Google, you abject moron, it's extremely easy if you're not waiting around for someone to do it for you.
Re:
https://www.datenschutzzentrum.de/material/themen/presse/anonip_e.htm
The JAP (Java Anonymous Proxy) is a cautionary tale.
Re: Not to mention paid-for corporate spying! -- Because yet again, you DIDN'T.
Firefox addon: TamperData
Sniff all you want, no need to install Wireshark to see what your "browser" is doing.
In Chrome (from Evil Google) you don't even need to install anything; just use the integrated sniffer in the developer tools menu.
Now if you need some assistance learning how to use that addon, you can go to Youtube and watch any of the hundreds of videos explaining how it works.
It will show you all the browser unencrypted traffic, yay!
Re:
Fuck You! I am a cat!
Dude, WTF is wrong with you?
NSA exposures may actually require compilation
The companies actually contacted by the NSA would almost certainly be immune, however (if they were American).
Re: Re:
IBM contributes to Linux.
Did IBM receive an NSA notice and request to insert backdoors?
How many other companies contribute to Linux?
Have any of them inserted backdoors?
We know Microsoft, Apple, Google, Yahoo, Facebook and a dozen others are sending the NSA data.
How would you feel about this if you were the Russian, Chinese, etc. government?
Well the Brazilians are furious about the NSA interception of Brazilian government e-mail.
If you were any of these governments what would you do to protect your data?
Did the NSA shit in their soup bowl?
Re:
From an American economic perspective it also could end the one bright spot on the national economic front, as software for foreign entities is more and more developed in a non-spy environment.
All your backdoors...
Re: Re: Don't trust - reverse engineer
You need a hub specifically, because hubs rebroadcast the data they receive from one port to all ports. That's the only way you'll be able to eavesdrop.
If you still think even hubs will be compromised (due to their simplicity, I would think this would be easy to determine...) then you could leave WiFi on, and use wireshark to record all the 802.11 packets that your target computer is transmitting.
Re: Re: Re: Re: Don't trust - reverse engineer
You could very easily put your own personally compiled kernel of Linux onto a Pentium 3 and load it up with your own personally compiled version of wireshark.