Bonum Certa Men Certa

The Increasing Danger of Back Doors in Standards and Binary Blobs

Summary: The risk of back doors in GNU/Linux comes not from source code but from blobs, back room deals, the build process, and bogus standards with weaknesses cleverly shoehorned into them

IT HAS BEEN a while since we last wrote about Mr. Srinivasan from Microsoft-Novell. Suffice to say, Novell did a lot for Microsoft and some former staff of Novell continues to work for Microsoft (either directly or indirectly). One gift from Novell to Microsoft was OOXML inside FOSS/OOo. Another was Mono and let's not forget intrusion into Linux itself. Robert Pogson goes as far as saying that Microsoft "Hacked Linux!"



"My configuration," Pogson argues, "has CONFIG_HYPERV not set. The code in question is Copyright 2010, Novell (mshyperv.c), and Copyright 2009, M$ (vmbus_drv.c). K. Y. Srinivasan is listed as one of the authours on both. I’m not about to run that other OS on Beast, but thank you, Thomas Gleixner, for fixing things." (see this link)

Performance issues overlook the much bigger problem -- a problem which we addressed several times before. We already know that the NSA is pursuing back doors in Linux [1, 2, 3, 4] and as we pointed out before, the NSA might already have some.

incidentally, as we have shown before, Yahoo was fighting against NSA surveillance in court. When Microsoft took over Yahoo it became apparent that Yahoo stopped fighting and soon became part of PRISM. While some new reports suggest that Yahoo might be ready to escape Microsoft "Yahoo is still in NSA's pocket though even if they break free of Microsoft," explains iophk.

Likewise, even if Linux does not engage with Microsoft, the code from Microsoft remains stuck inside Linux and even if there are no back doors in the code itself, this connects to a system, Hyper-V, which is developed by a back doors specialist (Microsoft). There are binary-level back doors from which to access GNU/Linux systems because if the host machine runs Windows, then we already know that the NSA has access. A nearby company that I once visited, UKFast (the UK's largest 'cloud' provider), runs GNU/Linux servers under HyperV, based on what they told me. How insane is that?! GCHO must love it!

Adding to some concerns about back doors, NSA ally and PRISM partner Apple turns out to have hidden a back door. As Think Progress puts it, "Apple quietly released a major update Friday to fix a security glitch in its iOS 7 systems. But independent security experts say the seemingly routine update covers up what arguably could be Apple’s biggest security lapse, exposing iPhone, iPad and iPod Touch users to hackers."

Whether it's a back door or just direct access does not matter, but it enables Apple to dance around important questions. It works across several Apple platforms, even desktop platforms [1].

As iophk put it, in relation to this other new article [2] "Potential problems with an official back door in HTTP 2.0, though only in a proposed draft so far. But because of the ways certificates are currently (mis-)managed, this kind of interception of HTTPS is already easy."

"See one example with four steps," he added, pointing to [3] from the OpenBSD mailing lists.

It's not as though GNU/Linux is immune to back doors (Debian has some new security advisories [4,5]), but at least with access to source code the back doors remain very shallow and too risky/difficult for malicious/covert entities to hide. It's when proprietary software gets added that we lose the ability to ascertain security and privacy.

Related/contextual items from the news:


  1. Apple SSL Vulnerability Affects OSX Too


  2. No, I Don't Trust You! -- One of the Most Alarming Internet Proposals I've Ever Seen
    If you care about Internet security, especially what we call "end-to-end" security free from easy snooping by ISPs, carriers, or other intermediaries, heads up! You'll want to pay attention to this.

    You'd think that with so many concerns these days about whether the likes of AT&T, Verizon, and other telecom companies can be trusted not to turn our data over to third parties whom we haven't authorized, that a plan to formalize a mechanism for ISP and other "man-in-the-middle" snooping would be laughed off the Net.

    But apparently the authors of IETF (Internet Engineering Task Force) Internet-Draft "Explicit Trusted Proxy in HTTP/2.0" (14 Feb 2014) haven't gotten the message.

    What they propose for the new HTTP/2.0 protocol is nothing short of officially sanctioned snooping.


  3. relayd SSL interception
    This mail includes a quite detailed explanation of the attached diff that adds support for SSL Interception ("SSL-MITM") to relayd. If you don't want to read the story, just skip to the configuration example and diff below.


  4. Debian: 2862-1: chromium-browser: Multiple vulnerabilities


  5. Debian: 2861-1: file: denial of service


Recent Techrights' Posts

'India Today' is a Slopfarm, Sometimes 'Covering' "Linux" With Slop Images
New example of pure BS
Rumours of IBM Layoffs Again, This Time Marketing
It's "bad marketing" to talk about layoffs
Slopwatch: linuxsecurity.com and hamradio.my (in Planet Ubuntu) Are at It Again With LLM Slop About "Linux"
LLM slop does not save time
Bluewashing Ends DEI at IBM and at Red Hat (HR or Hiring Become Gender- and Race-Neutral)
All that "whitelist is racist" stuff is likely a thing of the past
 
Sierra Leone: Android Up to Record Highs, Windows Falls to Record Lows of Almost 5% (15 Years Ago It Was 100%)
This is what happens when about 83% of Web requests come from mobile
Margarita Manterola (marga, Google) & Debian DebConf13 Swiss venue intrigue
Reprinted with permission from Daniel Pocock
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, March 14, 2025
IRC logs for Friday, March 14, 2025
Gemini Links 14/03/2025: Grizzy Bear and Prime Beats
Links for the day
Links 14/03/2025: ProPublica Admitting That It Uses Slop (Foolish Move), RIP Mark Klein
Links for the day
Windows is Fast Becoming Insignificant to Zimbabweans
based on this survey, less than 1 in 6 Web requests may originate from Windows
The Fall of the Open Source Initiative (OSI): The OSI Does Not Speak For You, OSI Staff Speaks for GAFAM/Microsoft (the Paymasters)
they speak for proprietary software companies, but they wear "open" on their sleeve
Microsoft Money Used for Abuse of Women and Against Journalism in Support of Women (the Victims)
"Never interrupt your opponent while he is in the middle of making a mistake."
Links 14/03/2025: Chinese Tensions With Australia, Putin Turns Down Ceasefire
Links for the day
Gemini Links 14/03/2025: Löjl and Docker Context Stuff
Links for the day
Links 14/03/2025: Scam Currencies in the US and Oligarchs (Including GAFAM) Controlling All the Major Policies
Links for the day
Antisemitic Attacks on Richard Matthew Stallman (RMS) in Wikipedia This Week
Did the man strike a nerve or what?
Links 13/03/2025: Intel Rotates Figurehead and South Korea Imports Karen People From Myanmar
Links for the day
Meanwhile at Microsoft Canonical...
Promoting proprietary surveillance by a company that actively attacks Linux in a lot of ways
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, March 13, 2025
IRC logs for Thursday, March 13, 2025
Links 13/03/2025: Calculators and Spreadsheets, Returning to a Human Internet
Links for the day
Links 13/03/2025: Further Assaults on Science and Education in the US
Links for the day
Expect XBox to Be Shut Down Like Skype
"hey hi"-washing fools nobody
Truth Hurts (Especially Some Dishonest and/or Greedy People), But Reporting Truth is What Makes Journalism Valuable to the General Public and Helps Protect Society From Abuse by Sociopaths or Pathological Liars
When it comes to reporting, we're on the side of female victims, not the men who strangle them.
New Paper Reveals the Web (and Net) Drowns in LLM Slop, "Linux" is Impacted Too
It will be getting harder to trust anything on the Web
Links 13/03/2025: RIP, Carl Lundström; Tesla (the Company, Not Scientist It Piggybacks) Besieged by Public Backlash
Links for the day
Gemini Links 13/03/2025: MElon "Greek Tragedy" and Going Offline More
Links for the day
Richard Matthew Stallman, or rms (RMS), Turns 72 This Coming Weekend
This coming Sunday he deserves a cake
Links 13/03/2025: COVID-19 Legacies and "Modern" Cars as Spying Machines on Wheels
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, March 12, 2025
IRC logs for Wednesday, March 12, 2025