
Richard Stallman Speaks About Back Doors After NSA Documents Leak

samzenpus posted about 10 months ago | from the listen-up dept.

Privacy 332

An anonymous reader writes "Companies such as Microsoft, Facebook, Apple, and Google are scrambling to restore trust amid fresh litigation over the PRISM surveillance program. Richard Stallman, the founder of the Free Software Foundation and a newly-inducted member of the 2013 Internet Hall of Fame, speaks about not only abandoning the cloud, which he warned about 5 years ago, but also escaping software with back doors. 'I don't think the US government should use operating systems made in China,' he says in this new interview, 'for the same reason that most governments shouldn't use operating systems made in the US and in fact we just got proof since Microsoft is now known to be telling the NSA about bugs in Windows before it fixes them.'"


332 comments

Abandoning the cloud ? (3, Insightful)

vikingpower (768921) | about 10 months ago | (#44130135)

Stallman is right, insofar as any sensible engineer should never have had his works, artefacts, algorithms and data "in" the cloud. Period.

Re:Abandoning the cloud ? (5, Interesting)

Tom (822) | about 10 months ago | (#44130491)

Disclaimer: I am an IT Security professional.

It all depends on your thread scenario. Most of the smaller side-projects I work on are of no interest to any entity able to intercept the data transfers, so I don't mind storing stuff in, say, Evernote or Dropbox where it is more convenient to do so.

The stuff that the survival of my small company depends on, running my own servers is worth the effort. For my holiday pictures, iCloud is perfectly acceptable.

Thread scenario? (1)

Anonymous Coward | about 10 months ago | (#44130799)

I don't use threads -- I use multiple asynchronous processes, you insensitive clod!

Re:Abandoning the cloud ? (1)

Traiano (1044954) | about 10 months ago | (#44130499)

Are you kidding? The cloud is just a rebranding of networked systems. If you fear the cloud you might as well disconnect your networks.

Re:Abandoning the cloud ? (3, Interesting)

vikingpower (768921) | about 10 months ago | (#44130519)

I do not "fear" the cloud. I do hate, however, the hype, with stratospheric hate.

Re:Abandoning the cloud ? (2)

ls671 (1122017) | about 10 months ago | (#44130829)

Well, I do not "hate" the hype, I just find it funny. Along the same way as the GP has said, and one poster above disclaiming he was an "IT Security professional":

If you are planning doomsday scenarios, then don't have your computers connected to anything. I have been running my systems for 20 years without any intrusion that I am aware of. This doesn't mean I am not owned. So yes, you could put some stuff on the cloud. From an "IT Security professional" point of view: you categorize the levels of security you are comfortable with and act accordingly.

Nothing is 100% secure unless it is completely disconnected from any network, nobody has the passwd to login and the power is off.

Re:Abandoning the cloud ? (5, Informative)

martin-boundary (547041) | about 10 months ago | (#44130593)

No it's not. A classical networked system belongs to a single company, and there's a clear separation between the inside (which is mostly trusted) and the outside (which is not trusted). A cloud system blurs the distinction, so you never know if the stuff you're accessing is actually being used by untrusted people who are going to steal your secrets, blackmail you, etc.

Re:Abandoning the cloud ? (2)

ls671 (1122017) | about 10 months ago | (#44130845)

It just makes it a tad harder to categorize your levels of security. Since brains to do that properly are rather seldom, it may end up costing you more money to put stuff on the cloud if you want to do it properly.

Re:Abandoning the cloud ? (0)

Anonymous Coward | about 10 months ago | (#44130731)

Yes, please, disconnect your networks! Not everything needs to be connected to the internets!

The cloud is still fine for your cat videos that you want to share with the world.

Skype NSA surveillance from Microsoft (5, Insightful)

Anonymous Coward | about 10 months ago | (#44130501)

I remember Microsoft's denials about intercepting Skype, yet the PRISM leak shows they can fully intercept everything:

http://gizmodo.com/what-is-prism-511875267

There are two worlds here, companies that cooperated with NSA illegal spying and those that didn't. They chose their sides, they chose the side against the constitution. That's not my side, I need to secure my data against NSA and its corporate allies.

Skype leak shows they can intercept voice communications, the files you sent, the text messages, the video of your conversations, the lot, and it's a live intercept, so it's a live connection too. I bet they can even turn on the camera and mic remotely on Skype.

Then we find out Stuxnet is confirmed as NSA. So no doubt where all those zero day exploits came from, Microsoft themselves:

http://www.guardian.co.uk/world/2013/jun/28/general-cartwright-investigated-stuxnet-leak

So all the scary hackers out there making Stuxnet? They're the NSA itself.

I don't trust this Windows box in front of me currently, my server is being moved out of the USA, this Windows box is next.

Skype Link Spying Germany (3, Informative)

Anonymous Coward | about 10 months ago | (#44130547)

Remember this?
http://yro.slashdot.org/story/13/05/14/1516247/microsoft-reads-your-skype-chat-messages?utm_source=commentcnt&utm_medium=feed#comments

A German user noticed that if he passed a link in a Skype message, the link was accessed by Skype servers?

Microsoft claimed it was to protect from malware. But now we know they're in the NSA's pocket, and the NSA is data mining all communications and storing them in the big database, the obvious conclusion to come to, is that this is part of NSA's data mining effort.

If you look at 'Boundless Informant' leak, Germany is very heavily spied on by the NSA, and so German Skype chatter is likely a major target for interception. Germany is a big commercial competitor to the USA.

Also notice the fake 'RC Plane bomb plot in Germany' from yesterday... part of the marketing to try to quieten down German anger.

As usual. Stallman was right all along. (5, Insightful)

Anonymous Coward | about 10 months ago | (#44130141)

His record for being correct is rather unusual.

Re:As usual. Stallman was right all along. (5, Insightful)

Anonymous Coward | about 10 months ago | (#44130577)

No, his record for being correct is not unusual.

It's pathetic.

And by that I mean that it is pathetic that you need to be a pessimist and paranoiac to even get halfway to predicting government and industry trends.

We need to work towards a world where Stallman is wrong more often.

Re:As usual. Stallman was right all along. (5, Insightful)

Anonymous Coward | about 10 months ago | (#44130689)

What I respect about Stallman is his persistence. He just keeps hammering home the same message, over and over again, decade after decade. As opposed to politicians or talking-heads, he doesn't budge nor compromise. And then, ten or twenty years later, people realise he was right all along. And what does he do? He keeps hammering on the same message still, because people still didn't act, even when they know exactly what they ought to do. I think that is what makes him unusual.

GNU/Linux is made in the USA (-1, Troll)

kthreadd (1558445) | about 10 months ago | (#44130151)

So which operating system should we use?

Re:GNU/Linux is made in the USA (3, Informative)

Anonymous Coward | about 10 months ago | (#44130175)

No it's not. There are distros based in all parts of the world. Also the difference here is that the source code is freely available for all to see.

Re:GNU/Linux is made in the USA (2)

silentcoder (1241496) | about 10 months ago | (#44130763)

Not to mention the original Linux kernel was written in Finland.
Many other free software projects are likewise non-American. Hell OpenBSD is developed by a South African living in Canada.

Re:GNU/Linux is made in the USA (1)

Anonymous Coward | about 10 months ago | (#44130177)

That's different. GNU/Linux is open source, so you can (in theory) verify for yourself that there aren't any back doors. And if there are, you can fix them.

Re:GNU/Linux is made in the USA (0)

kthreadd (1558445) | about 10 months ago | (#44130221)

That's true, but not if you're among the 99+ % that installs a binary distribution.

Re:GNU/Linux is made in the USA (4, Insightful)

heikkile (111814) | about 10 months ago | (#44130249)

GNU/Linux is open source, so you can (in theory) verify for yourself that there aren't any back doors. And if there are, you can fix them

That's true, but not if you're among the 99+ % that installs a binary distribution.

The point is not that everyone needs to verify the code, but that anyone can do so, and that someone is likely to have done so.

Re: GNU/Linux is made in the USA (0)

kthreadd (1558445) | about 10 months ago | (#44130269)

But that still just verifies the source. As long as you get a binary from someone you have to trust that other person. Verifying the source does not verify the binary.

Re: GNU/Linux is made in the USA (3, Informative)

Guinness Beaumont (2901413) | about 10 months ago | (#44130343)

It does when you compile, compare md5 hash, and verify that they're bit-for-bit identical. Jeez, it's like someone already thought of this.

Re: GNU/Linux is made in the USA (1)

Anonymous Coward | about 10 months ago | (#44130361)

While this is correct, it requires the exact same compiler settings, and the exact same compiler version.

Re: GNU/Linux is made in the USA (5, Informative)

Anonymous Coward | about 10 months ago | (#44130367)

But who compiled the compiler?

http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

And who knows what they put in your water... (4, Funny)

Anonymous Coward | about 10 months ago | (#44130695)

And how do you know that mind control isn't perfected by the government?

How do you know that you are actually alive and not just dreaming?

Re: GNU/Linux is made in the USA (1)

Ash-Fox (726320) | about 10 months ago | (#44130733)

It does when you compile, compare md5 hash, and verify that they're bit-for-bit identical. Jeez, it's like someone already thought of this.

Sounds pretty hard since that information is not provided with the binary or source.

Re:GNU/Linux is made in the USA (0)

Anonymous Coward | about 10 months ago | (#44130515)

And despite it being a smaller group, there are thousands of developers around the world with access to closed source systems like Windows who also verify them. There are thousands more who reverse engineer the binaries themselves constantly looking for vulnerabilities. While I prefer open source, it is a complete myth that closed source OS's aren't also under considerable talented scrutiny.

Re:GNU/Linux is made in the USA (0)

Anonymous Coward | about 10 months ago | (#44130585)

The difference is that the scrutinisers of closed-source software are most often motivated *not* to disclose their findings to the public.

Re:GNU/Linux is made in the USA (3, Interesting)

L4t3r4lu5 (1216702) | about 10 months ago | (#44130625)

... [A]nyone can [verify the code], and ... someone is likely to have done so.

Yes. The NSA guy who wrote the patch, and three of his astroturfing friends.

The "Many Eyes" fallacy is important here. Unless you can verify the authenticity of the code yourself, you need to verify the authenticity of the person verifying the code. Do you know all of the kernel devs personally? How about the X / Mir / $module devs? How many people actually write code for kernelspace? How many modify it for their particular distribution of choice? Do you trust those people?

Re:GNU/Linux is made in the USA (4, Insightful)

myurr (468709) | about 10 months ago | (#44130259)

But equally there are thousands of really talented programmers who examine the source code very thoroughly, many of whom contribute back. If there were back doors then there is a high chance that they would have been detected. Plus anyone really paranoid about it CAN go and check the source code to make sure for themselves.

With proprietary operating systems you do not have that luxury.

Re:GNU/Linux is made in the USA (1)

ls671 (1122017) | about 10 months ago | (#44130533)

Binary distributions should be a little more risky but there is nothing like a back-door hiding in plain sight, there for anyone to see in the source code but not getting detected in most source code audits.

Re:GNU/Linux is made in the USA (1)

Anonymous Coward | about 10 months ago | (#44130179)

They call it BSD and Open, because it's always free and open...

For historical reasons OpenBSD is based in Canada...

Re:GNU/Linux is made in the USA (0)

Anonymous Coward | about 10 months ago | (#44130233)

Is there a GNU/OpenBSD available?

Re:GNU/Linux is made in the USA (1)

Guinness Beaumont (2901413) | about 10 months ago | (#44130347)

No. As BSD is a Unix branch, and the GNU/* only applies to the Linux branch.

Re:GNU/Linux is made in the USA (1)

YukariHirai (2674609) | about 10 months ago | (#44130455)

Incorrect. GNU userland utilities can theoretically be made to work with any Unix-like kernel. It's just that Linux is what it's most commonly paired with.

Re:GNU/Linux is made in the USA (0)

Anonymous Coward | about 10 months ago | (#44130465)

Wrong.

GNU is the userland (libc, gcc, bash), while Linux is the kernel.

There is also a GNU kernel, called Hurd. GNU userland + Hurd kernel is called GNU/Hurd, just like GNU userland + Linux kernel is called GNU/Linux.

GNU is pretty cross platform, and it should be possible to combine GNU userland with the OpenBSD kernel, giving you GNU/OpenBSD, but I think he's going to need to do it himself if he wants it. Debian has done so with FreeBSD, calling the result Debian GNU/kFreeBSD - the "k" indicating FreeBSD kernel, rather than all of FreeBSD.

The opposite should also be possible, though I don't know of anyone having done so. BSD userland on Linux, giving you BSD/Linux (now will people understand why that "GNU/" in front of Linux matters?). I don't know how portable BSD userland is, some of it may not be - at least that was the impression I got when I was looking at replacing udev with devd when udev was absorbed by systemd.

Re:GNU/Linux is made in the USA (0)

Anonymous Coward | about 10 months ago | (#44130473)

Ehm, what are you blathering about? There's a project known as the Hurd, maybe you've not heard of? With the GNU software coupled with the Hurd kernel you get something called the GNU/Hurd. Nothing stops you from compiling GNU software on BSD systems. So what was that about GNU being only Linux?

Re:GNU/Linux is made in the USA (1)

YukariHirai (2674609) | about 10 months ago | (#44130449)

Not as far as I know, but Debian do actually do GNU/FreeBSD and GNU/NetBSD distros in addition to their usual GNU/Linux.

Re:GNU/Linux is made in the USA (3, Informative)

Anonymous Coward | about 10 months ago | (#44130187)

Linux was made in Finland.

Yet another Yank taking claim for others' achievements.

Re:GNU/Linux is made in the USA (1)

Anonymous Coward | about 10 months ago | (#44130263)

Well most of the (most active) kernel developers do live in USA (including Linus), also many (if not most) of the GNU developers live in USA (including Stallman), so you could say GNU/Linux is developed in USA currently.

btw. I'm not from USA.

You could say what the hell you like (0)

Anonymous Coward | about 10 months ago | (#44130743)

However, that isn't true.

Are the computers Chinese or Taiwanese because most of the manufacturing by weight is done by them? No? why not?

Re: GNU/Linux is made in the USA (4, Informative)

kthreadd (1558445) | about 10 months ago | (#44130283)

The kernel work started in Finland, but most of the work and most of the GNU system originated in other countries and most prominently the USA.

Re:GNU/Linux is made in the USA (0)

Anonymous Coward | about 10 months ago | (#44130641)

You are aware that probably the most important current kernel developer, a certain Linus Torvalds, is a naturalized citizen of the U.S.A.?

Re:GNU/Linux is made in the USA (0)

Anonymous Coward | about 10 months ago | (#44130715)

Yes but still a Finnish citizen also AND the idea and foundation grounding for the kernal was written in Finland it would not exist if it wasn't written there, as the real GNU kernel was not even finished yet, and Linux was just there at the right time, kinda like MS-DOS

Re:GNU/Linux is made in the USA (0)

Anonymous Coward | about 10 months ago | (#44130741)

You misspelled "kernel".

Re:GNU/Linux is made in the USA (0)

Anonymous Coward | about 10 months ago | (#44130197)

here's one https://tails.boum.org/

Re:GNU/Linux is made in the USA (2)

gigaherz (2653757) | about 10 months ago | (#44130237)

GNU/Linux is made by a community of developers from about every single developed country in the world, and possibly has had patches done by people who were at the time in less developed places. So there isn't one single government telling the contributors what to do. It either has no backdoors (because it's opensource and supposedly someone has reviewed the patches), or it has backdoors from all over the world.

I may not like GNU much, or Stallman, but that's a fact regardless.

Re:GNU/Linux is made in the USA (2)

aaaaaaargh! (1150173) | about 10 months ago | (#44130279)

Bullshit. GNU/Linux is an international effort with contributors from many different countries. It is constantly peer reviewed by all kind of people, e.g. security researchers all over the world, and the source is open so you can check it yourself.

Re: GNU/Linux is made in the USA (0)

kthreadd (1558445) | about 10 months ago | (#44130297)

Yes but you can't trust binaries which may include modifications not available in the original source code.

Re: GNU/Linux is made in the USA (1)

Guinness Beaumont (2901413) | about 10 months ago | (#44130355)

This is incorrect. Again. For the same reasons given to you above, you can compare compiled binaries to the source and verify that they're identical via hashing.

Re: GNU/Linux is made in the USA (1)

ta_gueule (2795275) | about 10 months ago | (#44130433)

You can do that with cmp or diff. Why do you mention hashing?

Re: GNU/Linux is made in the USA (1)

Guinness Beaumont (2901413) | about 10 months ago | (#44130469)

Because I am most familiar with using md5 for this purpose. I am sure that "I'm doing it wrong", and there are more inspired/better ways to do this. I only speak from what I've done.

Re: GNU/Linux is made in the USA (1)

ta_gueule (2795275) | about 10 months ago | (#44130525)

You are doing it correctly. It's just that the step of hashing is unnecessary. You can just compile the stuff and compare it, instead of compiling the stuff, hashing both stuffs and comparing the hashes.
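
The comparison discussed in this subthread, as an added example that is not part of any poster's comment: a Python sketch that checks a local rebuild against a distributed tree byte for byte (what cmp does when both copies are on disk) and against a published digest list (where hashing is needed because only the digests are at hand). SHA-256 stands in for MD5, for which collisions are practical; every file name, file content and helper name below is constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def first_difference(path_a, path_b):
    """Byte-for-byte compare, as cmp does. Returns the 0-based offset of the
    first differing byte, or None when the files are identical."""
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(CHUNK), fb.read(CHUNK)
            if a != b:
                for i, (x, y) in enumerate(zip(a, b)):
                    if x != y:
                        return offset + i
                return offset + min(len(a), len(b))  # one file is a prefix
            if not a:
                return None
            offset += len(a)


def list_files(root):
    """Relative paths (with / separators) of every file under root."""
    found = set()
    for folder, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(folder, name), root)
            found.add(rel.replace(os.sep, "/"))
    return found


def compare_trees(local_root, dist_root):
    """Both trees on disk: no hashing needed, compare the bytes directly."""
    local, dist = list_files(local_root), list_files(dist_root)
    report = {"identical": [], "differs": {},
              "only_local": sorted(local - dist),
              "only_dist": sorted(dist - local)}
    for rel in sorted(local & dist):
        off = first_difference(os.path.join(local_root, rel),
                               os.path.join(dist_root, rel))
        if off is None:
            report["identical"].append(rel)
        else:
            report["differs"][rel] = off
    return report


def make_manifest(root):
    """Digest list in the 'hexdigest  path' layout that sha256sum prints."""
    return "\n".join(f"{sha256_file(os.path.join(root, rel))}  {rel}"
                     for rel in sorted(list_files(root)))


def check_manifest(root, manifest_text):
    """Only a published digest list is at hand: hash the local build and
    compare digests. Returns {path: 'mismatch' | 'missing'} for failures."""
    failures = {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        digest, rel = line.split(None, 1)
        rel = rel.lstrip("*")  # sha256sum marks binary mode with '*'
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            failures[rel] = "missing"
        elif sha256_file(path) != digest.lower():
            failures[rel] = "mismatch"
    return failures


def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample: a local rebuild vs. a distributed tree whose
    library embeds a different (made-up) compiler version string."""
    with tempfile.TemporaryDirectory() as tmp:
        local, dist = os.path.join(tmp, "local"), os.path.join(tmp, "dist")
        body = b"\x7fELF" + b"code" * 10
        write(local, "bin/tool", body)
        write(dist, "bin/tool", body)
        write(local, "lib/libx.so", body + b"GCC 4.7.2")
        write(dist, "lib/libx.so", body + b"GCC 4.8.1")
        write(dist, "bin/extra", b"not produced by the local build")
        return (compare_trees(local, dist),
                check_manifest(local, make_manifest(dist)))


if __name__ == "__main__":
    print(demo())
```

A mismatch here only says the bytes differ; whether the cause is a different compiler version, different settings or a modification still has to be established by inspecting the differing file.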

Re: GNU/Linux is made in the USA (1)

kbg (241421) | about 10 months ago | (#44130445)

But to compile and compare the binaries you have to use at some point a compiled binary from some source, which you can't trust.

Of course you can. Write your own compiler. (0)

Anonymous Coward | about 10 months ago | (#44130711)

Then you know that the compiler has no known backdoors in it and won't put any in your code.

The C standard is available.

Re: GNU/Linux is made in the USA (0)

Anonymous Coward | about 10 months ago | (#44130667)

No if you find the exploit they can tell and you mysteriously disappear, don't look for it

No surprises (5, Interesting)

cold fjord (826450) | about 10 months ago | (#44130167)

Stallman's position isn't a surprise. I expect him to advocate open source software over any proprietary software. He has for thirty plus years. Why would he change now? There is one thing he overlooks when he says:

'I don't think the US government should use operating systems made in China,' ... 'for the same reason that most governments shouldn't use operating systems made in the US

Stallman overlooks the fact that various foreign governments already have access to the Windows source.

Microsoft to Share Source Code With Governments [washingtonpost.com]

Microsoft Corp. announced this week it is making the programming code for its Office 2003 software suite available to government agencies around the globe, a move partly aimed at allowing them to inspect the product for flaws and security problems.

Though Microsoft usually guards such software coding tightly, the step is an extension of an initiative the company began in January 2003 giving about 60 governments access to the inner workings of the Windows operating system. This is the first time the software giant has shared the source code for Office, which includes the Word text processing, Excel spreadsheet, and PowerPoint presentation programs.

Microsoft Grants Governments Access to Windows [techhive.com]

Re:No surprises (2, Interesting)

Anonymous Coward | about 10 months ago | (#44130201)

If current state-of-the-art software engineering methodologies are not sufficient for producing bug free code, what makes you think a government can spot "bugs" that were planted there as backdoors?

So how do you know the binary matches the source? (4, Insightful)

Anonymous Coward | about 10 months ago | (#44130217)

You're not allowed to build your own version of the software from the source. This is why one of the FSF rights is the ability to compile the program for use.

Seems in pointing out what Stallman "forgot", you forgot something yourself.

Re:So how do you know the binary matches the sourc (3, Informative)

cold fjord (826450) | about 10 months ago | (#44130531)

I'm afraid you've got it wrong. At least Australia can build from source. I doubt they got a special deal.

Australia to see Windows source code [cnet.com]

The ability to build from source would seem to be a key aspect of verifying the code. I'm not sure why you think they wouldn't be able to do it. What they probably can't do is distribute the binaries for free - they still have to pay Microsoft for the distribution of software.

Also, it seems likely that by providing their code to foreign governments, Microsoft is picking up what to them is free services of what are no doubt some of the best software engineers in government looking over their code, and probably sending in the occasional bug report. What's that saying? Many eyes makes for shallow bugs? Or maybe not.

Re:So how do you know the binary matches the sourc (1)

advocate_one (662832) | about 10 months ago | (#44130633)

I'm afraid you've got it wrong. At least Australia can build from source. I doubt they got a special deal.

Australia to see Windows source code

The ability to build from source would seem to be a key aspect of verifying the code. I'm not sure why you think they wouldn't be able to do it. What they probably can't do is distribute the binaries for free - they still have to pay Microsoft for the distribution of software.

do they have access to the source code for the entire toolchain?

Re:So how do you know the binary matches the sourc (1)

AHuxley (892839) | about 10 months ago | (#44130789)

Cold you have to understand Australia.
They love MS, MS giving them code to look over at after generational buy in is just a trinket.
What was Australia going to do if it finds a project related hole? File it with MS and hope its fixed in weeks? Months? Many months?
Australia was just feeling bad over its lack of sufficient software source code and IP to allow its airforce to understand some aircraft systems.
Source code became a political and defence issue with huge political efforts to try and get the US gov to be nice over the issue.
So for the US and MS to be seen to be offering Australia something was cute, but with today's insights, MS at a VOIP, server, cloud, code, consumer or filesystem level seems a tame tool of US gov interests.
http://www.smh.com.au/national/public-service/trade-war-up-in-the-clouds-20120529-1zhpg.html [smh.com.au]
Comments like this from the US:
"...governments should not prevent service suppliers of other countries, or customers of those suppliers, from electronically transferring information internally or across borders ... or accessing their own information stored in other countries"...
seem a bit of a LOL given the other line about "a careful set of constraints to protect individual privacy"

Re:No surprises (5, Insightful)

Anonymous Coward | about 10 months ago | (#44130255)

Your point about source code is interesting enough on the surface, but how many organizations compile Windows from source code?

I'm not convinced that what's in the [quasi-public] source code matters a lot when pretty much everyone runs the distributed binaries. Those are the things that need to be analyzed from a security perspective, along with the rest of the functional system that ends up in place. C'mon, you don't test food for poison by obtaining the recipe.

Re:No surprises (1)

cold fjord (826450) | about 10 months ago | (#44130475)

It looks like at least Australia can build the source. I doubt they got a special deal. Also, the governments receiving the source code didn't get the "recipe," they got the ingredients - that's what source code is.

Australia to see Windows source code [cnet.com]

The agreement will enable Australian government officials to view the source code for Windows 2000, XP, Server 2003 and CE. They can also use the code to build those versions of Windows, see Microsoft security documentation the company doesn't otherwise share, speak with Microsoft developers and perform their own tests on the code.

No, they HAVE the source code. Not compilation. (0)

Anonymous Coward | about 10 months ago | (#44130721)

Just because you can read a book doesn't mean you're allowed to write it out and use that copy you created to read.

The agreement given does not include that. The report is in error, that wasn't made available, though there was the intent to do so *by the Australian government*. Microsoft didn't give them that right.

Yes, but (5, Informative)

Anonymous Coward | about 10 months ago | (#44130261)

While it is true that Microsoft is agreeing in certain cases to give access to the source code to Windows, it appears actually getting your hands on the code is sometimes harder than expected.

Case in point, Éric Filiol, an ex French intelligence officer from DGSE (the Directorate-General for External Security) recently explained that
“The French State can't obtain certain pieces of technical information on the Windows kernel. A country that has nuclear fire and is a member of the UN's Security Council can't make Microsoft reveal necessary information on a system that is absolutely everywhere.”

("L’État français n’arrive pas à obtenir certaines informations techniques précises sur le noyau Windows. Un pays doté de l’arme nucléaire et membre du conseil de sécurité des Nations-Unies ne peut pas contraindre Microsoft de lui donner des informations nécessaire sur un système qui est absolument partout".)
Source:
http://www.numerama.com/magazine/26360-la-france-n-arrive-pas-a-avoir-des-informations-sur-le-noyau-windows.html

So there seems to be a difference between what is announced and what happens.

Re:Yes, but (2)

cold fjord (826450) | about 10 months ago | (#44130541)

While it is true that Microsoft is agreeing in certain cases to give access to the source code to Windows, it appears actually getting your hands on the code is sometimes harder than expected.

“The French State can't obtain certain pieces of technical information on the Windows kernel.

Is that referring to getting the source code? I interpreted it to mean getting some additional technical information, or perhaps a clarification, on the functioning of the kernel.

Re:No surprises - Trust? (0)

Anonymous Coward | about 10 months ago | (#44130303)

Access to source compiled binary currently in use.

Do you trust that whatever you compile from the source code they send will result in an equal file to those currently in use? I seriously doubt that most entities bother to check.

Re:No surprises (0)

Anonymous Coward | about 10 months ago | (#44130349)

And how do these select governments confirm that the Microsoft products that they have installed were indeed compiled using the same source code that they have reviewed? Are they allowed to compile it themselves as well?

Re:No surprises (0)

Anonymous Coward | about 10 months ago | (#44130505)

Yes, at least some of them can build from source.

Re:No surprises (0)

Anonymous Coward | about 10 months ago | (#44130411)

They might as well have access to the Debian source. Nobody is safe anymore!

Re:No surprises (2, Insightful)

Anonymous Coward | about 10 months ago | (#44130493)

Having access to source code is not enough. You need access to ALL the source code and data AND the build tools for converting it to the final binary the computer will run. And the source for the tools too. Then you have to actually BUILD that source code and VERIFY that the binaries match (or use only what you build).

With Linux or BSD this is routine. There are thousands (millions?) of people that build their OS from scratch (Arch and Gentoo are two popular Linux distributions that work like this). With Windows? I seriously doubt it's even possible.

Re:No surprises (3, Informative)

stephanruby (542433) | about 10 months ago | (#44130511)

So what? Those governments don't have the right to compile the code.

However, government users will not be allowed to make modifications to the code or compile the source code into Windows programs themselves, Simon Conant, a Microsoft security specialist based in Munich, said.

"Governments under the GSP are allowed to view the code in a debugger, but not compile, redistribute, or actually modify the code," Conant, said. A debugger is a tool used to evaluate software code.

If you can't compile the code, there is no guarantee that you'll be auditing the right code base. If you dig down deep enough, the debugger will start taking you to the wrong lines (as it happens with most software projects, even open source ones), but Microsoft will just explain away those discrepancies by saying that they had to remove some of their testing code and some of their logging statements (an explanation which is sensible enough, but that you can't work around, because you're not allowed to compile the code yourself, nor have you been provided the exact compiling recipe/code snapshot they've used for their official release).

So whatever you do audit of the code base, Microsoft or the NSA can then modify before it gets compiled for your own citizens, and the chain of custody will have been broken thereby completely circumventing your audit in the first place.

Re:No surprises (1)

cold fjord (826450) | about 10 months ago | (#44130549)

Apparently the Australians are allowed to compile the code. Maybe there is more than one set of terms.

In Stallman We Trust (0)

Anonymous Coward | about 10 months ago | (#44130181)

And on the Final day, St IGNUcious declared Gentoo be the system by which all operates. His will be done, on Earth as it is on silicon.

it's far better... (0, Offtopic)

Titus Groan (2834723) | about 10 months ago | (#44130191)

it is far better that RMS talk about backdoors than pick his on stage and pop whatever he pulls out of it into his mouth to chew.

USA has form (1)

Jimbookis (517778) | about 10 months ago | (#44130203)

I recall reading about a hushed up brouhaha ages ago concerning backdoored USA compiled software run on Australian government systems in the 80's or early 90's. Google seems to disavow all knowledge damnit.

Re:USA has form (3, Interesting)

FriendlyLurker (50431) | about 10 months ago | (#44130245)

Maybe you mean this? [eideard.com]:

“...the result of having the secret key inside your Windows operating system “is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system“. The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards”

Maybe the NSA has infiltrated Microsoft . . . ? (1)

PolygamousRanchKid (1290638) | about 10 months ago | (#44130363)

You know, like, sending NSA agents to get cover jobs in Microsoft, and purposely plant in obscure security bugs, that can only be exploited by the NSA . . . ? I know that they are not supposed to do that, but the new description of work for the NSA seems to be something like:

Question: "What does the NSA do?"

Answer: "Things that it is not supposed to do."

He's right about one thing. (4, Insightful)

some old guy (674482) | about 10 months ago | (#44130365)

RMS's comments about OS back-doors are rather dated, since M$ made Win2K source available to governments many years ago. It gave a whole new meaning to the Windows joke, "That's not a bug, that's a feature!"

He is, however, spot on about "the cloud". No engineer or admin in his right mind would entrust his/her organization's data to a medium riddled with security, privacy, and reliability flaws.

Bean counters are all for the cost savings of "the cloud" until you clearly spell out the risks involved. Accountants and executives hate taking big risks for only a tiny commensurate potential for gain.

His backdoor remark is VERY CURRENT (3, Informative)

Anonymous Coward | about 10 months ago | (#44130527)

This wasn't about the win2k NSA key, it is about Microsoft passing info about zero day exploits to the NSA instead of fixing them, so the NSA can use them to break into people's computers and spy on them. This came out in the news in just the past few days (not sure if revealed by Snowden or someone else). It would seem to explain why Microsoft is so damn slow about fixing bugs.

Re:He's right about one thing. (0)

Anonymous Coward | about 10 months ago | (#44130543)

RMS's comments about OS back-doors are rather dated, since M$ made Win2K source available to governments many years ago.

Not necessarily - simply being able to look at the source code is no guarantee of anything. Unless they're able to build the OS themselves from that source, which I don't believe is an option for Microsoft's kinda-shared source code thing.

Re:He's right about one thing. (0)

Anonymous Coward | about 10 months ago | (#44130627)

If you think having the source code for Windows is enough, when it has to be built by using their compiler, I recommend reading Ken Thompson's Turing Award lecture:

http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

US government should use OSes made in China (2)

citizenr (871508) | about 10 months ago | (#44130381)

CPUs on the other hand (Loongson) are kosher!

Re:US government should use OSes made in China (1)

Anonymous Coward | about 10 months ago | (#44130529)

First off, he's speaking about software. Secondly, MIPS's reduced instruction set makes it possible to actually verify its design has no "hidden features". Although there are very few people left who can actually do this, there have been examples of CPUs getting reverse engineered with a microscope, pen and paper in the past. These days we have image processing, robotic microscopes and most importantly, processing clusters capable of emulating a whole cpu\gpu.
Even the old x86 had Soviet clones so I don't see why a RISC processor should be nearly as difficult.

Irrelevant (1)

abigsmurf (919188) | about 10 months ago | (#44130397)

Closed source, open source, it doesn't matter when you can just give them access to a database, an admin account or access to logs.

The fear of backdoors into your OS is out of date in today's society. Why would they need to wait for you to be online then risk detection by using a backdoor when they can just make a call to Facebook, your ISP or your mobile phone network and probably get far more valuable information?

It's also very naive to think that intelligence organisations don't have a catalogue of undisclosed exploits and security holes that they keep secret in case they need to attack someone, whether it's Linux, Windows or whatever.

Re:Irrelevant (0)

Anonymous Coward | about 10 months ago | (#44130421)

So what data do they want from Facebook if nobody uses it? Did you miss his point about not using cloud services? Granted, cellular carriers have more information than they need about us. That should be fixed too.

That explains the slow fixes (5, Interesting)

erroneus (253617) | about 10 months ago | (#44130403)

Some Microsoft bugs take a ridiculous amount of time to get fixed and all the reports seem to fall on deaf ears. We bash Microsoft for this behaviour but doesn't having a reporting relationship with the NSA help it all to make sense? Taking a long time to fix? Well, they may not be done exploiting it yet. Falls on deaf ears? Well maybe it's not a "bug" but a back door that no one was supposed to know about and Microsoft cannot comment on it without NSA approval.

If there's one thing... (-1)

Anonymous Coward | about 10 months ago | (#44130801)

that RMS knows about, it's having his backdoor probed and leaking.
