04.30.08
Novell’s ‘Binary Bridges’: Could SUSE Ever Inherit the Anti-Features of Windows?
Dozens of reasons to avoid mimicking Windows
Surprisingly enough, some people remain shocked that Microsoft is collaborative when it comes to political, police-related and federal snooping. Robert Scoble even argued with me about this roughly 3 years ago, denying that such an issue even exists. At the sight of yesterday’s pick from Slashdot many such skeptics and deniers have finally come to realise this:
Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.
Forget about passwords, security on the network and so forth. It’s enough to only be a suspect and the rules are bound to be misused (they usually are). No warrants are even necessary. Not so long ago, an animal activist received demands for divulging a PGP key, using laws that were introduced to combat terrorism (and justified in this way).
“If SLES/SLED achieves binary compatibility with Windows, it gets harder to trust what’s being delivered out of the box.”The example above is just one among many anti-features, to borrow the phrase used frequently (maybe even coined) by the Free Software Foundation. Microsoft’s customers happen to be the governments, media companies, developers, OEMs and other parties that are certainly not the end users. Features are provided to the real customers, who are rarely actual users of the personal computer.
Why is this subject brought up again? Well, it is already known that there have been interactions between the government and SUSE and the same goes for Apple with Mac OS X. It’s hardly a secret because it’s too difficult to keep it a secret.
Many people will tell you that you can look at and carefully study the source code in GNU/Linux to verify no back doors exist (and then check also the compiler, the computer chip used to run and compile the program, et cetera). It’s all possible, assuming sufficient transparency at the bottom layers exists, along with that trust which comes with it (threat of leaks is accompanied by openness).
Questions arise, however, as soon as you consider what Novell does with Microsoft. Novell gets access to Microsoft source code and it also incorporates some code which simply cannot be studied. Moreover, it relies a great deal on Microsoft protocols, which themselves can have back doors included (a back door as part of the ‘standard’, as shown in the citations at the very bottom). If SLES/SLED achieves binary compatibility with Windows, it gets harder to trust what’s being delivered out of the box.
Some of the reports below were briefly and partly mentioned also in [1, 2, 3]. It’s worth highlighting the problem again, using just references. Here it goes.
NSA Helps Microsoft with Windows Vista
NSA Helps Microsoft with Windows Vista
Is this a good idea or not?
For the first time, the giant software maker is acknowledging the help of the secretive agency, better known for eavesdropping on foreign officials and, more recently, U.S. citizens as part of the Bush administration’s effort to combat terrorism.”
Microsoft could be teaching police to hack Vista
Microsoft may begin training the police in ways to break the encryption built into its forthcoming Vista operating system.
UK holds Microsoft security talks
UK officials are talking to Microsoft over fears the new version of Windows could make it harder for police to read suspects’ computer files.
Microsoft’s Vista stores much more data—and may affect the discovery process
Vista—Microsoft’s latest operating system—may prove to be most appropriately named, especially for those seeking evidence of how a computer was used.
Dual_EC_DRBG Added to Windows Vista
Microsoft has added the random-number generator Dual_EC-DRBG to Windows Vista, as part of SP1. Yes, this is the same RNG that could have an NSA backdoor.
It’s not enabled by default, and my advice is to never enable it. Ever.
Will Microsoft Put The Colonel in the Kernel?
The kernel meets The Colonel in a just-published Microsoft patent application for an Advertising Services Architecture, which delivers targeted advertising as ‘part of the OS.’
Microsoft patents the mother of all adware systems
The adware framework would leave almost no data untouched in its quest to sell you stuff. It would inspect “user document files, user e-mail files, user music files, downloaded podcasts, computer settings, computer status messages (e.g., a low memory status or low printer ink),” and more. How could we have been so blind as to not see the marketing value in computer status messages?
Here is another possible shocker (depending on one’s expectations really):
Forget about the WGA! 20+ Windows Vista Features and Services Harvest User Data for Microsoft
Are you using Windows Vista? Then you might as well know that the licensed operating system installed on your machine is harvesting a healthy volume of information for Microsoft. In this context, a program such as the Windows Genuine Advantage is the last of your concerns. In fact, in excess of 20 Windows Vista features and services are hard at work collecting and transmitting your personal data to the Redmond company.
Microsoft makes no secret about the fact that Windows Vista is gathering information. End users have little to say, and no real choice in the matter. The company does provide both a Windows Vista Privacy Statement and references within the End User License Agreement for the operating system. Combined, the resources paint the big picture over the extent of Microsoft’s end user data harvest via Vista.
German spyware plans trigger row
The e-mails would contain Trojans – software that secretly installs itself on suspects’ computers, allowing agents to search the hard drives.
FBI ducks questions about its remotely installed spyware
There are plenty of unanswered questions about the FBI spyware that, as we reported earlier this week, can be delivered over the Internet and implanted in a suspect’s computer remotely.
German Security Professionals in the Mist
This hope was important because earlier this year the German Government had introduced similar language into Section 202c StGB of the computer crime laws, which would have made the mere possession of (creates, obtains or provides access to, sells, yields, distributes or otherwise allows access to) tools like John, Kismet, KisMAC, Nessus, nmap, and the ability to Google effectively a crime.
Austria OKs terror snooping Trojan plan
Austria has become one of the first countries to officially sanction the use of Trojan Horse malware as a tactic for monitoring the PCs of suspected terrorists and criminals.
[...]
Would-be terrorists need only use Ubuntu Linux to avoid the ploy. And even if they stuck with Windows their anti-virus software might detect the malware. Anti-virus firms that accede to law enforcement demands to turn a blind eye to state-sanctioned malware risk undermining trust in their software, as similar experience in the US has shown.
Schäuble renews calls for surreptitious online searches of PCs
In his speech towards the end of the national conference of the Junge Union, the youth organization of the ruling conservative Christian Democratic Union (CDU), in Berlin the Federal Minister of the Interior Wolfgang Schäuble has again come out in favor of allowing authorities to search private PCs secretly online and of deploying the German Armed Forces in Germany in the event of an emergency.
Here is a video of Richard Stallman talking about back doors in Microsoft Windows, among other things. I will be fortunate enough to attend a talk from Stallman tomorrow evening.
Encrypted E-Mail Company Hushmail Spills to Feds
Hushmail, a longtime provider of encrypted web-based email, markets itself by saying that “not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer.”
But it turns out that statement seems not to apply to individuals targeted by government agencies that are able to convince a Canadian court to serve a court order on the company.
No email privacy rights under Constitution, US gov claims
This appears to be more than a mere argument in support of the constitutionality of a Congressional email privacy and access scheme. It represents what may be the fundamental governmental position on Constitutional email and electronic privacy – that there isn’t any. What is important in this case is not the ultimate resolution of that narrow issue, but the position that the United States government is taking on the entire issue of electronic privacy. That position, if accepted, may mean that the government can read anybody’s email at any time without a warrant.
Microsoft exec calls XP hack ‘frightening’
“You can download attack tools from the Internet, and even script kiddies can use this one,” said Mick.
Mick found the IP address of his own computer by using the XP Wireless Network Connection Status dialog box. He deduced the IP address of Andy’s computer by typing different numerically adjacent addresses in that IP range into the attack tool, then scanning the addresses to see if they belonged to a vulnerable machine.
Using a different attack tool, he produced a security report detailing the vulnerabilities found on the system. Mick decided to exploit one of them. Using the attack tool, Mick built a piece of malware in MS-DOS, giving it a payload that would exploit the flaw within a couple of minutes.
Duh! Windows Encryption Hacked Via Random Number Generator
A group of researchers headed by Dr. Benny Pinkas from the Department of Computer Science at the University of Haifa succeeded in finding a security vulnerability in Microsoft’s “Windows 2000″ operating system. The significance of the loophole: emails, passwords, credit card numbers, if they were typed into the computer, and actually all correspondence that emanated from a computer using “Windows 2000″ is susceptible to tracking. “This is not a theoretical discovery. Anyone who exploits this security loophole can definitely access this information on other computers,” remarked Dr. Pinkas.
Editors Note: I believe this “loophole” is part of the Patriot Act, it is designed for foreign governments. Seriously, if you care about security, privacy, data, trojans, spyware, etc., one does not run Windows, you run Linux.
From Wikipedia:
In relation to the issue of sharing technical API and protocol information used throughout Microsoft products, which the states were seeking, Allchin alleged that releasing this information would increase the security risk to consumers.
“It is no exaggeration to say that the national security is also implicated by the efforts of hackers to break into computing networks. Computers, including many running Windows operating systems, are used throughout the United States Department of Defense and by the armed forces of the United States in Afghanistan and elsewhere.”
The following two articles are much older and some have doubted their arguments’ validity.
How NSA access was built into Windows
A careless mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows.
[...]
The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA.
NSA Builds Security Access Into Windows
A careless mistake by Microsoft programmers has shown that special access codes for use by the U.S. National Security Agency (NSA) have been secretly built into all versions of the Windows operating system.
There are many more citations like these available, shall any be necessary.
In summary, welcome to the twenty-first century, the age when every ‘binaries-boosted’ GNU/Linux distribution should be taken with a grain of salt (not to mention the NSA and SELinux).
Governments ‘wish’ to ‘give’ you control and to offer you privacy, but it’s often just an illusion. The government is an exception to this condition, rule or semi-true promise.
The stories above hopefully illustrate just why Free software is so important (even to national security, assuming you live outside the United States). That’s why those who support back doors-free computing will often be labeled “terrorists”, or those who defend “terrorists”. It’s a straw man really. It’s means for introducing new laws and using the “T” word as an excuse for virtually everything. Here is a discomforting thought:
Do you imagine that any US Linux distributor would say no to the US government if they were requested (politely, of course) to add a back-door to the binary Linux images shipped as part of their products? Who amongst us actually uses the source code so helpfully given to us on the extra CDs to compile our own version? With Windows of course there are already so many back-doors known and unknown that the US government might not have even bothered to ask Microsoft, they may have just found their own, ready to exploit at will. What about Intel or AMD and the microcode on the processor itself?
Back doors needn’t be incorporated only at software-level. Mind the following articles too:
Chip Design Flaw Could Subvert Encryption
Shamir said that if an intelligence organization discovered such a flaw, security software on a computer with a compromised chip could be “trivially broken with a single chosen message.” The attacker would send a “poisoned” encrypted message to a protected computer, he wrote. It would then be possible to compute the value of the secret key used by the targeted system.
Trouble with Design Secrets
“Millions of PCs can be attacked simultaneously, without having to manipulate the operating environment of each one of them individually,” Shamir wrote.
You could then argue that Sun has some GPL-licensed processors, but who is to check the physical manufacturing process to ensure the designs, which comprise many millions of transistors, are consistently obeyed? This, however, is a lot more complex and far-fetched. How about back doors in standards?
Did NSA Put a Secret Backdoor in New Encryption Standard?
Which is why you should worry about a new random-number standard that includes an algorithm that is slow, badly designed and just might contain a backdoor for the National Security Agency.
NSA Backdoors in Crypto AG Ciphering Machines
We don’t know the truth here, but the article lays out the evidence pretty well.
See this essay of mine on how the NSA might have been able to read Iranian encrypted traffic.
Inheritance of protocols does not seem like a very safe idea. Novell should enter these territories with its mixed-source strategy. █
Nikolas Koswinkle said,
April 30, 2008 at 6:11 am
Really, the title has got nothing to do with the contents. The contents is just one unrelated quote after another.
What you are doing here is you are trying to MANUFACTURE THE IMPRESSION that SUSE will spy on its users – something which none of your quote even remotely indicates ever will happen.
Are you simply hoping your readers are stupid enough to believe it anyway, if you only throw enough quotes at them that they are too lazy to read in full. Or that, once they have gotten through to the bottom they already have forgotten what question the whole thing started with, but think, hey, after so much text, it must be proven fact now?
What is most repulsive about this behavior is that you try to escape all responsibility for you slander by framing the decisive accusation as a (leading) question.
This leaves a very bitter aftertaste. How low will you allow to yourself to get just to serve what you believe is a ‘noble’ goad? Morale is of course your personal choice, but as a Christian I shall keep with Matth. 7, verse 16; Ye shall know them by their fruits.
Your fruits are sour.
Note: comment has been flagged for arriving from a possible incarnation of known (eet), pseudonymous, forever-nymshifting, abusive Internet troll that posts from open proxies and relays around the world.
Nikolas Koswinkle said,
April 30, 2008 at 6:13 am
Please excuse all the typos, I should really take more care. ‘goad’ was the funniest, I think; it should have been ‘goal’, of course.
Note: comment has been flagged for arriving from a possible incarnation of known (eet), pseudonymous, forever-nymshifting, abusive Internet troll that posts from open proxies and relays around the world.
Roy Schestowitz said,
April 30, 2008 at 6:38 am
The post began as a timely (triggered by some news item) accumulation of references which then brought back to mind Novell’s/SUSE’s flirt with the NSA (I can’t recall if it was the NSA or another department). I still believe that back doors are being embedded where there is tighter control over the distribution and with binary appendages this is made easier (NSA contributes changes to GNU/Linux as assembly code).
What you choose to say is that the sequence of references was intended to deceive, but it wasn’t. It’s was just a logical to lay things out. I still view Novell as a Microsoft subsidiary because these two are getting closer every month. What Microsoft does with the US government (nanny nation’s best friend) can equally well apply to a conceited company like Novell, whose behaviour has roots in its long history. It’s easier for the government to achieve ‘compliance’ with large companies like these.
Dan O'Brian said,
April 30, 2008 at 8:31 am
[quote]Questions arise, however, as soon as you consider what Novell does with Microsoft. Novell gets access to Microsoft source code[/quote]
Happen to have any evidence of this? Or is this just another example of you making stuff up to back up your false claims?
[quote]and it also incorporates some code which simply cannot be studied.[/quote]
Again, do you have any proof of this? Seeing as how you can’t prove this statement without first proving the first, I guess I’ll be waiting indefinitely for the proof on this “fact”.
[quote]Moreover, it relies a great deal on Microsoft protocols, which themselves can have back doors included (a back door as part of the ’standard’, as shown in the citations at the very bottom).[/quote]
Wow, Roy, you clearly have no clue what you are talking about. This doesn’t even make any sense. Microsoft protocols? What protocols? SMB? If so, then there’s an easy way to provide evidence – you could get some statements from the SAMBA devs about this, but alas… you haven’t. Since they have never claimed such backdoors existed (and they, if anyone, would certainly know), I highly doubt it to be true.
[quote]If SLES/SLED achieves binary compatibility with Windows, it gets harder to trust what’s being delivered out of the box.[/quote]
Binary compatibility with Windows… uh, yea. Another “clueful” comment by the great Roy Schestowitz. Do you even think before you post? Is there even one iota of logical reasoning going on between your ears? Or do you only have utter horse shit in there?
I’m leaning toward utter horse shit.
As far as the previous paragraph in your article, about how you can’t trust the shipped SuSE binaries because it might contain purposely included backdoors to allow the US Government into anyone and everyone’s computer running SuSE packages, the same could just as easily hold true for Mandrake, Ubuntu, Fedora or OpenSolaris.
Give me a break.
All you are trying to do in this article is spread FUD.
You don’t even have one shred of evidence to back up any of your claims.
Roy Schestowitz said,
April 30, 2008 at 8:50 am
http://www.businessreviewonline.com/os/archives/2007/05/a_new_explanati.html
“According to the executive summary (PDF) “The cross-licensing agreement that Novell signed with Microsoft, according to both Justin and Sam, was necessary as Novell required sanctioned access to Microsoft’s code in order to develop open source interoperability without violating MSFT’s IP.”"
http://tirania.org/blog/archive/2007/Sep-05.html
“Microsoft will make the codecs for video and audio available to users of Moonlight from their web site. The codecs will be binary codecs, and they will only be licensed for use with Moonlight on a web browser (sorry, those are the rules for the Media codecs[1]). ”
See the references at the bottom. Also see:
http://en.wikipedia.org/wiki/Jim_Allchin
“It is no exaggeration to say that the national security is also implicated by the efforts of hackers to break into computing networks. Computers, including many running Windows operating systems, are used throughout the United States Department of Defense and by the armed forces of the United States in Afghanistan and elsewhere.”
See context above and therein.
[rest of rude personal attacks unreplied to...]
Nikolas Koswinkle said,
April 30, 2008 at 10:08 am
Oh, please stop, I think more than one reader is wetting him/herself now for laughter! Oh boy! My belly hurts.
So Microsoft’s multimedia codecs are the trojan horses for the NSA? The mysterious ‘code that cannot be studied? NICE idea! Apart from that this is of course an UTTER speculation from your side, it is technically absolutely ignorant! By god!
Do you know that those multimedia-extensions would need to trigger a buffer-overrun in order to do this? This is certainly not an insuspicious behavior for a trojan… Quite the opposite, it’s the kind of bug you must fix.
Why all the trouble then, anyway? The NSA could simply turn to Macromedia for a nice ‘backdoor’ in Flash and spy on everyone’s computer, Moonlight or no Moonlight!
(Whoops.)
Oh, Roy. This was really, really a desperate grasp from you. Multimedia codecs as MS-trojan horse inside SLED. My goodness.
Note: comment has been flagged for arriving from a possible incarnation of known (eet), pseudonymous, forever-nymshifting, abusive Internet troll that posts from open proxies and relays around the world.
Nikolas Koswinkle said,
April 30, 2008 at 10:10 am
Oh, WHAT, please has your last answer to Dan actually to do with what Dan ASKED?
You REALLY don’t have a clue how all this works, technically, do you?
Note: comment has been flagged for arriving from a possible incarnation of known (eet), pseudonymous, forever-nymshifting, abusive Internet troll that posts from open proxies and relays around the world.
Roy Schestowitz said,
April 30, 2008 at 11:42 am
These were /examples/. They were not intended to suggest that *this* is where back doors lie (never claimed they exist, either), but only to show Dan that his arguments are wrong.
Miles said,
April 30, 2008 at 12:35 pm
I’d argue that just because Novell has the access to view portions of Microsoft’s source code does not mean that any of that source code is making it into any of their products (F/LOSS or otherwise).
More than likely, the number of people with access to view said source code is limited to few people – and those people’s job is probably documenting how the code works such that the developers of the actual Novell products can implement the functionality.
You do not give developers of your products the source code because then you increase your risk of IP violations.
The source code for all of the SuSE packages are publicly available as SRPM’s, so if you are really worried about back doors being introduced, you could peruse said sources.
To check against your fear that chips on the SuSE build machines are injecting trojans into the final binaries during compilation, you could recompile said SRPM’s on your own machine using the same compiler version and compare binary output. AFAIK, they should be identical.
I’m sure someone out there has documented means of verifying things like this.
If Novell is injecting trojans into the binary packages, then it would be quite easy to prove. If the original tarball of said project + the patches included in the SRPM built with the same compiler for the same arch using the same compile-time options doesn’t produce the same binary, then something is different.
It’s also a bit far fetched to presume that Novell is purposely using computer chips that maliciously inject trojans into compiled software. I mean, really.
Google said,
April 30, 2008 at 12:48 pm
[rant] Anything that is closed source cannot be trusted. [/rant]
The title of this post says “COULD” – a distant possibility – just to be aware of that it might happen
Miles said,
April 30, 2008 at 1:39 pm
The possibility that Red Hat injects trojans into their binary rpms /could/ happen too. Why isn’t that reported?
The world could blow up tomorrow.
There’s a lot of things that /could/ happen, but without any sort of evidence to suggest that it is a real possibility, it’s just FUD.
Nikolas Koswinkle said,
April 30, 2008 at 3:31 pm
All that I’ve ever read here was ‘could’ and ‘maybe’ and ‘what if’…
Note: comment has been flagged for arriving from a possible incarnation of known (eet), pseudonymous, forever-nymshifting, abusive Internet troll that posts from open proxies and relays around the world.
Nikolas Koswinkle said,
May 1, 2008 at 8:52 am
Roy, how about pulling perhaps this complete article. It does look a little ridiculous?
Note: comment has been flagged for arriving from a possible incarnation of known (eet), pseudonymous, forever-nymshifting, abusive Internet troll that posts from open proxies and relays around the world.
Roy Schestowitz said,
May 1, 2008 at 8:59 am
In what way? The substance of the article is a set of good articles that are quoted.
Nikolas Koswinkle said,
May 1, 2008 at 9:02 am
Substance? There is not substance. Point to something of substance in here.
You insinuate SUSE could contain spyware and only after intense discussino we could get to the point that all you had were ‘coulds’ and ‘woulds’ and ‘maybes’. So, pull it – if you have any integrity left in you. I see this as a kind of your test for your honesty.
Note: comment has been flagged for arriving from a possible incarnation of known (eet), pseudonymous, forever-nymshifting, abusive Internet troll that posts from open proxies and relays around the world.
Roy Schestowitz said,
May 1, 2008 at 9:06 am
If SUSE becomes the darling of companies like SAP, then I can assure you there will be attempts to take advantage. SUSE and Novell are neither Free software… nor GPL, which they sought to bypass along with Microsoft. They don’t have the philosophy in mind, let alone the trust of FOSS advocates. And don’t get me wrong, IBM isn’t much better with its ‘open’ (proprietary+standards) policy and Trusted Computing for Linux project.
Nikolas Koswinkle said,
May 1, 2008 at 10:42 am
WHERE is the bloody SUBSTANCE? I didn’t ask ‘where is your speculation on what MIGHT be IF?’.
God, excuse the tone, this is nothing like me, but you really, really test my patience sometimes.
Note: comment has been flagged for arriving from a possible incarnation of known (eet), pseudonymous, forever-nymshifting, abusive Internet troll that posts from open proxies and relays around the world.
p.cole said,
August 17, 2008 at 1:43 pm
Hey Winkle,
What’s your hurry to have the article voided?
The codecs among others from MS are binary. Open the source,
BTW, patience is a virtue, and if you feel it’s being tested, consider it a blessing.
GOD be with you.