Bonum Certa Men Certa

The Increasing Danger of Back Doors in Standards and Binary Blobs

Summary: The risk of back doors in GNU/Linux comes not from source code but from blobs, back room deals, the build process, and bogus standards with weaknesses cleverly shoehorned into them

IT HAS BEEN a while since we last wrote about Mr. Srinivasan from Microsoft-Novell. Suffice to say, Novell did a lot for Microsoft and some former staff of Novell continues to work for Microsoft (either directly or indirectly). One gift from Novell to Microsoft was OOXML inside FOSS/OOo. Another was Mono and let's not forget intrusion into Linux itself. Robert Pogson goes as far as saying that Microsoft "Hacked Linux!"



"My configuration," Pogson argues, "has CONFIG_HYPERV not set. The code in question is Copyright 2010, Novell (mshyperv.c), and Copyright 2009, M$ (vmbus_drv.c). K. Y. Srinivasan is listed as one of the authours on both. I’m not about to run that other OS on Beast, but thank you, Thomas Gleixner, for fixing things." (see this link)

Performance issues overlook the much bigger problem -- a problem which we addressed several times before. We already know that the NSA is pursuing back doors in Linux [1, 2, 3, 4] and as we pointed out before, the NSA might already have some.

incidentally, as we have shown before, Yahoo was fighting against NSA surveillance in court. When Microsoft took over Yahoo it became apparent that Yahoo stopped fighting and soon became part of PRISM. While some new reports suggest that Yahoo might be ready to escape Microsoft "Yahoo is still in NSA's pocket though even if they break free of Microsoft," explains iophk.

Likewise, even if Linux does not engage with Microsoft, the code from Microsoft remains stuck inside Linux and even if there are no back doors in the code itself, this connects to a system, Hyper-V, which is developed by a back doors specialist (Microsoft). There are binary-level back doors from which to access GNU/Linux systems because if the host machine runs Windows, then we already know that the NSA has access. A nearby company that I once visited, UKFast (the UK's largest 'cloud' provider), runs GNU/Linux servers under HyperV, based on what they told me. How insane is that?! GCHO must love it!

Adding to some concerns about back doors, NSA ally and PRISM partner Apple turns out to have hidden a back door. As Think Progress puts it, "Apple quietly released a major update Friday to fix a security glitch in its iOS 7 systems. But independent security experts say the seemingly routine update covers up what arguably could be Apple’s biggest security lapse, exposing iPhone, iPad and iPod Touch users to hackers."

Whether it's a back door or just direct access does not matter, but it enables Apple to dance around important questions. It works across several Apple platforms, even desktop platforms [1].

As iophk put it, in relation to this other new article [2] "Potential problems with an official back door in HTTP 2.0, though only in a proposed draft so far. But because of the ways certificates are currently (mis-)managed, this kind of interception of HTTPS is already easy."

"See one example with four steps," he added, pointing to [3] from the OpenBSD mailing lists.

It's not as though GNU/Linux is immune to back doors (Debian has some new security advisories [4,5]), but at least with access to source code the back doors remain very shallow and too risky/difficult for malicious/covert entities to hide. It's when proprietary software gets added that we lose the ability to ascertain security and privacy.

Related/contextual items from the news:


  1. Apple SSL Vulnerability Affects OSX Too


  2. No, I Don't Trust You! -- One of the Most Alarming Internet Proposals I've Ever Seen
    If you care about Internet security, especially what we call "end-to-end" security free from easy snooping by ISPs, carriers, or other intermediaries, heads up! You'll want to pay attention to this.

    You'd think that with so many concerns these days about whether the likes of AT&T, Verizon, and other telecom companies can be trusted not to turn our data over to third parties whom we haven't authorized, that a plan to formalize a mechanism for ISP and other "man-in-the-middle" snooping would be laughed off the Net.

    But apparently the authors of IETF (Internet Engineering Task Force) Internet-Draft "Explicit Trusted Proxy in HTTP/2.0" (14 Feb 2014) haven't gotten the message.

    What they propose for the new HTTP/2.0 protocol is nothing short of officially sanctioned snooping.


  3. relayd SSL interception
    This mail includes a quite detailed explanation of the attached diff that adds support for SSL Interception ("SSL-MITM") to relayd. If you don't want to read the story, just skip to the configuration example and diff below.


  4. Debian: 2862-1: chromium-browser: Multiple vulnerabilities


  5. Debian: 2861-1: file: denial of service


Recent Techrights' Posts

Microsoft Staff Explains How Microsoft Swindled Employees and Avoided Paying Out Severance Pay (Microsoft Hasn't Much Money Left in the Bank)
This is a classic way to avoid paying workers
Techrights Should be Even Faster Now
We're now better off
Richard Stallman (RMS) Gave 3 Talks in India in Less Than a Week
In India this month we've not seen a single negative comment about RMS
Microsoft Mass Layoffs Without Severance Pay Reported Hours After Microsoft Reported Weak Numbers and Microsoft Stock Fell
Microsoft has a bloodbath this month
Another Slew of Fake Articles About 'Linux' and 'Security' From Brittany Day at linuxsecurity.com (Spamfarm/Slopfarm)
linuxsecurity.com is basically a pariah and parasite. It lessens the incentive to write real articles about "Linux" by generating fake ones to outrank the originals.
 
Links 31/01/2025: Mass Layoffs at Amazon and Microsoft, Sweden Again Fails to Protect Critics of Violence
Links for the day
Slopwatch: Fake Articles About "Linux" and More (Latest Roundup Featuring BetaNews, Janus Atienza, and Brittany Day From Guardian Digital, Inc)
LLM slop season
"Not one of us" by Dr. Andy Farnell
Elon Musk has brought embarrassment to nerds and technologists
Gemini Links 31/01/2025: "Bulletin Buble" and "Why Blog?"
Links for the day
Static Site Generators (SSGs) Pay Off: Vastly Faster Sites, Much Smaller Hosting Bills
success story for SSGs
Of Note: Linux Foundation Has Already Let Linux.com Rot for About 4 Months (No Activity)
there's no campaign aside from marketing spam there
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, January 30, 2025
IRC logs for Thursday, January 30, 2025
Indian Data Biases statCounter For or Against "Linux"
In statCounter, the GNU/Linux increases and decreases are deeply tied to what it does with data collected in India
The Corporate Media Pretends That Facebook ("Meta") Has Performed Well, But Its Debt Doubles Every 2 Years Despite Mass Layoffs
That same media also helps parrot misleading financial claims
Microsoft's Debt Surged by More Than 6,000,000,000 Dollars in Just 3 Months
numbers released hours ago
The Sheer Irony of Microsoft Proxy Accusing Others of 'Stealing'
Wherever DeepSick's data came from, Microsoft (or its proxy) is in no position to issue criticism.
The Difference a Decade (and GAFAM Money) Makes
Credibility cannot be purchased
[Meme] The Free Software Foundation (FSF) Has Critics Because Its Message is Effective
Applying to others the same standards one is willing to violate?
The Free Software Foundation (FSF) Raised $422,000 (Another $22k in the Two Weeks After Campaign Ended), Proving That Truth and Justice Tend to Find a Way
10,000+ dollars a week even without campaigning for more funds
Faking Revenue Increase by Buying Your Own Products and Services (Through Scams and Scammers Like Scam Altman)
Is this what society deserves? Media that instead of exposing corruption has chosen to participate in it and profit from it?
Links 30/01/2025: Fentanylware (TikTok) Causes Deaths, FBI Seizes Domains
Links for the day
Gemini Links 30/01/2025: Action vs Inaction, Gopherholes, and More
Links for the day
Links 30/01/2025: Microsoft Wants Convicted Felon to Give Fentanylware (TikTok) to It (After Making a Phonecall Asking for That in 2019), "Moving Away From Google's Ecosystem"
Links for the day
Jack M. Germain (LinuxInsider) Seems to Have Turned to LLM Slop, Graphics Slop, and B2B SPAM
LinuxInsider is barely active anymore
Links 30/01/2025: Amazon Layoffs and DeepSeek Panic
Links for the day
Gemini Links 30/01/2025: Chaos Reigns, E-mail, Searching
Links for the day
IBM: Many Thousands of Layoffs in 2025
If 2025 is expected to be the same, then perhaps about 20,000 IBM workers will no longer be there
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, January 29, 2025
IRC logs for Wednesday, January 29, 2025
Google: Your Only Option is Google YouTube (Coming Soon: Mandatory DRM and Attestation?)
Digital Restrictions (DRM) to follow? Only for "approved" (attestation) browsers?
Mastodon Was Always Biased (Just Like Twitter After Abandoning Chronological and Neutral Timelines in Order to Become More Like Facebook)
So bury-brigading and click-farming control what people see
Certificate Authority Let's Encrypt Falls to Only 0.4% of the Total in Geminispace
Geminispace does not need to outsource trust
The Munich-Based EPO is Still Using a Platform That Promotes the Far Right and Rehabilitates Nazism
Active Twitter account
Links 29/01/2025: Dismantling Public Health in the US, Air Busan Plane Up in Flames (South Korea's Air Disasters Streak)
Links for the day
Announcements and Administrivia
This week we're going out for two days in a row to celebrate an achievement that's very respectable
Gemini Links 29/01/2025: Japan, GTD, and More
Links for the day
Sir, Yes, Sir. The Life of EPO Patent Examiners.
If working for the EPO makes it harder to sleep at night, take action
How the EPO Pressures Staff Into Minting More Monopolies (Patents), Even Illegal Ones That Harm Europe and Ultimately Dismantle the Rule of Law
insights into the pressure examiners are under
LLM Slop Machines Are Not a Win for "Open Source" and If They Get Cheaper, It's Even Worse
If some program that claims to be "Open Source" pollutes the Web with fake articles (Microsoft SPAM and fake "Linux" articles), whose win is it?
Links 29/01/2025: Data Privacy Day and Growing Tensions in Europe
Links for the day
Nazi Twitter (aka "X") Became a Troll Site That Lets People Buy a Blue Tick While Its Boss Actively Promotes Neonazi Politicians
the intellectual level of people who infest the Web through "Twitter" or "X"
This is Why They're So Afraid of Richard Stallman (He Tells People the Correct History)
Then they post about it to Microsoft's LinkedIn
Richard Stallman Speech in Bengaluru, "Silicon Valley of India"
62 years have passed since his "young nerd" days and he's still at it
Claim: Facebook Deletes Posts of IBM Red Hat Critics
As always, follow the money (advertisers)
Links 29/01/2025: Climate Crisis and "It’s time for the Xbox to fade away" (Microsoft Lose)
Links for the day
Links 29/01/2025: Buying Groceries During a Trade War, Political 'Retro'
Links for the day
More Illegal Patents at the EPO, Legality of Granted European Patents No Longer Matters to the Office
breaking the law for profit
Network Improvements Tomorrow
"Network maintenance" down in London
Sharing is Caring (But Advocating Copyleft Makes You a "Target")
GPLv3 does not close all the loopholes which the "Affero" helps close
Articles About Free Speech at Facebook
'Facebook vs Linux' story is now receiving a lot more media coverage
We Were Right About stallmansupport.org Making an Error by Joining Social Control Media. mastodon.social Suspends stallmansupport.org.
From what we can guess, accounts can be banned by some oversensitive admin or a mob of users ("bury brigades")
"Latest Technology News" in BetaNews Still LLM Slop and SPAM Composed by LLMs (It's Basically a Spamfarm Disguised as a News Site)
Only a fool would visit BetaNews in search of actual news
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, January 28, 2025
IRC logs for Tuesday, January 28, 2025
The EPO's Corruption, If It Remains Untackled, Helps the Far Right and Enemies of European Unity/Solidarity
Do not negotiate with evil
The Web, Including Wikipedia, Gets Filled With Lies About Bill Gates, Added by Bill Gates and His PR Team
Of course Wikipedia is funded by Gates
Facebook Banning Linux Sites (or People Who Link to Linux Sites) is Another Symptom of the Web's Demise
The state of media on the Web is really bad; Social Control Media amplifies the badness, as Facebook serves to show
Gemini Links 29/01/2025: Neovim Telescope and Writing Less
Links for the day