Bonum Certa Men Certa

The Increasing Danger of Back Doors in Standards and Binary Blobs

Summary: The risk of back doors in GNU/Linux comes not from source code but from blobs, back room deals, the build process, and bogus standards with weaknesses cleverly shoehorned into them

IT HAS BEEN a while since we last wrote about Mr. Srinivasan from Microsoft-Novell. Suffice to say, Novell did a lot for Microsoft and some former staff of Novell continues to work for Microsoft (either directly or indirectly). One gift from Novell to Microsoft was OOXML inside FOSS/OOo. Another was Mono and let's not forget intrusion into Linux itself. Robert Pogson goes as far as saying that Microsoft "Hacked Linux!"



"My configuration," Pogson argues, "has CONFIG_HYPERV not set. The code in question is Copyright 2010, Novell (mshyperv.c), and Copyright 2009, M$ (vmbus_drv.c). K. Y. Srinivasan is listed as one of the authours on both. I’m not about to run that other OS on Beast, but thank you, Thomas Gleixner, for fixing things." (see this link)

Performance issues overlook the much bigger problem -- a problem which we addressed several times before. We already know that the NSA is pursuing back doors in Linux [1, 2, 3, 4] and as we pointed out before, the NSA might already have some.

incidentally, as we have shown before, Yahoo was fighting against NSA surveillance in court. When Microsoft took over Yahoo it became apparent that Yahoo stopped fighting and soon became part of PRISM. While some new reports suggest that Yahoo might be ready to escape Microsoft "Yahoo is still in NSA's pocket though even if they break free of Microsoft," explains iophk.

Likewise, even if Linux does not engage with Microsoft, the code from Microsoft remains stuck inside Linux and even if there are no back doors in the code itself, this connects to a system, Hyper-V, which is developed by a back doors specialist (Microsoft). There are binary-level back doors from which to access GNU/Linux systems because if the host machine runs Windows, then we already know that the NSA has access. A nearby company that I once visited, UKFast (the UK's largest 'cloud' provider), runs GNU/Linux servers under HyperV, based on what they told me. How insane is that?! GCHO must love it!

Adding to some concerns about back doors, NSA ally and PRISM partner Apple turns out to have hidden a back door. As Think Progress puts it, "Apple quietly released a major update Friday to fix a security glitch in its iOS 7 systems. But independent security experts say the seemingly routine update covers up what arguably could be Apple’s biggest security lapse, exposing iPhone, iPad and iPod Touch users to hackers."

Whether it's a back door or just direct access does not matter, but it enables Apple to dance around important questions. It works across several Apple platforms, even desktop platforms [1].

As iophk put it, in relation to this other new article [2] "Potential problems with an official back door in HTTP 2.0, though only in a proposed draft so far. But because of the ways certificates are currently (mis-)managed, this kind of interception of HTTPS is already easy."

"See one example with four steps," he added, pointing to [3] from the OpenBSD mailing lists.

It's not as though GNU/Linux is immune to back doors (Debian has some new security advisories [4,5]), but at least with access to source code the back doors remain very shallow and too risky/difficult for malicious/covert entities to hide. It's when proprietary software gets added that we lose the ability to ascertain security and privacy.

Related/contextual items from the news:


  1. Apple SSL Vulnerability Affects OSX Too


  2. No, I Don't Trust You! -- One of the Most Alarming Internet Proposals I've Ever Seen
    If you care about Internet security, especially what we call "end-to-end" security free from easy snooping by ISPs, carriers, or other intermediaries, heads up! You'll want to pay attention to this.

    You'd think that with so many concerns these days about whether the likes of AT&T, Verizon, and other telecom companies can be trusted not to turn our data over to third parties whom we haven't authorized, that a plan to formalize a mechanism for ISP and other "man-in-the-middle" snooping would be laughed off the Net.

    But apparently the authors of IETF (Internet Engineering Task Force) Internet-Draft "Explicit Trusted Proxy in HTTP/2.0" (14 Feb 2014) haven't gotten the message.

    What they propose for the new HTTP/2.0 protocol is nothing short of officially sanctioned snooping.


  3. relayd SSL interception
    This mail includes a quite detailed explanation of the attached diff that adds support for SSL Interception ("SSL-MITM") to relayd. If you don't want to read the story, just skip to the configuration example and diff below.


  4. Debian: 2862-1: chromium-browser: Multiple vulnerabilities


  5. Debian: 2861-1: file: denial of service


Recent Techrights' Posts

[Meme] Free Software and Socially-Engineered Groupthink (to Serve Big Sponsors Like Google and Microsoft)
They do this to RMS all the time
Daniel Pocock's ClueCon 2024 Presentation Was Also Streamed Live in YouTube and Later Removed by Google, Citing "Copyrights". Now It's Back.
The talk covers social control media, Debian, politics, and more
 
What Fedora, OpenSUSE, and Debian Elections Teach Us About the State of Weak (or Fake) Communities
They show a total lack of trust in these communities
[Meme] Doing Dog's Job (Not God's Job)
The FSF did not advertise the talk by RMS (its founder), who spoke in France almost exactly 23 hours ago
Links 21/01/2025: Mass Layoffs in "Security" at Microsoft (Despite Microsoft Promising It Would Improve After Many Megabreaches), Skype is Dead (Quietly)
Links for the day
Alternate Version of Daniel Pocock's 2024 Talk, "Technology in European Parliament Election Campaign"
There's loud ovation at the end of the talk
Gemini Links 21/01/2025: London Library, Kobo Sage, and Beyerdynamic DT 48 E
Links for the day
The January 20 Public Talk by Richard Stallman (Around Midday ET), Livestream 'Assassinated' by Google's YouTube
our guess is that the 'cancel mob' sabotaged it, possibly by making a lot of false reports to YouTube
[Video] Daniel Pocock's Public Talk About Free Software Politics, Social Engineering, Debian Deaths and Suicides, Coercion and Exploitation of Women
took many months to get
BetaNews Cannot Survive If Its Fake Articles Are Just SPAM for Companies Like AOHi and Aren't Even Composed by Humans
This is what domains or former "news" sites do when they die and look very desperately for "another way"
Pocock shot in the face, shot in the back, shot on Hitler's birthday saving France, Belgium and FOSDEM
Reprinted with permission from Daniel Pocock
Dr Richard Stallman in Montpellier, Robert Edward Ernest Pocock in France
Reprinted with permission from Daniel Pocock
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, January 20, 2025
IRC logs for Monday, January 20, 2025
Links 20/01/2025: Conflict, Climate, and More
Links for the day
Gemini Links 20/01/2025: Conflicted Feelings and Politics
Links for the day
Google 'Cancels' RMS
Is the talk happening?
Microsoft Revisionism Debunked by Microsoft's Own Words About “the Failure of OS/2”
The Register on “the failure of OS/2”
Improving Daily Links by Culling Spam, Chaff, and LLM Slop
the Web is getting worse
Links 20/01/2025: Indonesia to Prevents Kids' Access to Social Control Media (Addiction and Worse), Climate News Catchuo
Links for the day
[Meme] EPO Targets
Targets mean nothing if or when you measure the wrong thing
EPO Union Says Monopoly-Granting Targets at EPO "Difficult to Achieve Without Compromising [Staff] Health, Personal Time or the Quality of the Final Products" (Products as in Monopolies, Not Real Products)
To those of us (over 99.999% of people impacted by this) who do not work at the EPO the misuse of words like "products" (monopolies are not products) should be disturbing
The EPO is Nowadays Trying to Trick Staff Into Settling Instead of Solving the Underlying Problems of Corruption and Injustice
This seems like a classic case of "divide-and-rule" or using misled/weak people to harm the whole group (or "the village")
Links 20/01/2025: More PR Stunts by ByteDance and MLK’s Legacy Disrespected
Links for the day
Gemini Links 20/01/2025: Magnetic Fields, NixOS, and Pleroma
Links for the day
BetaNews Spreads Donald Trump Propaganda, Promotes Scams, and Publishes Fake 'Articles' About "Linux"
This is typical BetaNews
Richard Stallman 'Unveils' His January 20 Talk in Montpellier, France
It's free (gratis)
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, January 19, 2025
IRC logs for Sunday, January 19, 2025
Links 19/01/2025: Gaza Ceasefire and PR Stunt by Fentanylware (TikTok), Faking It by "Going Dark" to Incite American Addicts (Users)
Links for the day
[Meme] Hardware RAID and Hardware Raid
We're expecting attacks on the press in Trump's second term (no need to impress anyone for another election cycle) to be far worse than the first
What's Running on the Laptops
12 months have passed
They Won't Buy Vista 11 PCs or "Hey Hi" Copilot+++++++ PCs of Microsoft (With TPM)
Windows at 8%
No Time Left for President Biden to Pardon Julian Assange
At least they tried
[Meme] 404, Not Found
Kuhn: I'd like to interject for a moment, we made an alliance with the Microsoft-dominated LF to outsource projects to Microsoft GitHub and rich people gave us money to do this
Total Lock-down Ambitions - Part IV - The Latest Examples and the Perils (in Summary)
For further reading take a look at Musial's nice outline
FOSDEM is Called "FOSDEM" Because of Richard Stallman (RMS)
The overlap there seems timely; yesterday RMS spoke in French-speaking (in part) Switzerland where questions in French were accepted
Links 19/01/2025: TikTok (Fentanylware) Now Banned in the US, Convicted Felon Talks to Fentanylware CEO and Pooh-Tin About Undoing the Ban Despite the Supreme Court Unanimously Upholding It
Links for the day
FTC Realises Microsoft Buying Fake 'Clients' to Fake "Revenue" (Microsoft 'Buying' Services and Products From Itself!)
Ponzi scheme
Total Lock-down Ambitions - Part III - The Web Browser as DRM Pusher
A lot of "streaming" stuff is DRM
Video: University in Peru Honours Richard Stallman
Tomorrow, January 20, Richard Stallman speaks in France
IBM Termination Story and Information From Microsoft About Mass Layoffs
In 2 weeks of 2025 Microsoft already had 2 waves of layoffs
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, January 18, 2025
IRC logs for Saturday, January 18, 2025