Linus Torvalds Admits He Was Approached By US Government To Insert Backdoor Into Linux -- Or Does He?

from the who-can-you-trust? dept

At the LinuxCon meeting in New Orleans, Linus Torvalds was asked if he had ever been approached by the US government to insert a backdoor into the Linux kernel. Here's his characteristic answer:

    Torvalds responded "no" while shaking his head "yes," as the audience broke into spontaneous laughter.

Obviously, it's hard to tell from that whether he really meant "yes" or "no". But the question does touch on an important issue: whether open source might be less vulnerable than traditional applications to tampering by the NSA or other intelligence organizations. That's plausible, because by definition free software's code is always available for inspection; the idea is that even if backdoors are somehow introduced, they will be spotted by people looking over the code.

Of course, there are some problems with that. The first is that just because the code is available does not mean anyone will look at it. Secondly, even if the source code is examined and looks fine, that doesn't imply that the compiled version you run on your machine will be -- a well-known and deep problem. So does that mean we should give up on the hope that open source might be better than traditional closed source when it comes to backdoors?

Not necessarily. Here, for example, is the security expert Bruce Schneier writing in the Guardian a couple of weeks ago on the best ways to stay secure in the light of the revelations about the NSA's activities. One suggestion was as follows:

    Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software.

After listing a number of recommended software tools, he also makes the following comment:

    I understand that most of this is impossible for the typical internet user. Even I don't use all these tools for most everything I am working on. And I'm still primarily on Windows, unfortunately. Linux would be safer.

That's just one voice, albeit a highly-respected one. Here's another, saying much the same thing as Schneier:

    Thanks to the recent NSA leaks, people are more worried than ever that their software might have backdoors. If you don't believe that the software vendor can resist a backdoor request, the onus is on you to look for a backdoor. What you want is software transparency.

    Transparency of this type is a much-touted advantage of open source software, so it's natural to expect that the rise of backdoor fears will boost the popularity of open source code. Many open source projects are fully transparent: not only is the source code public, but the project also makes public the issue tracker that is used to manage known defects and the internal email discussions of the development team. All of these are useful in deterring backdoor attempts.

That's from Ed Felten (pdf), Professor of Computer Science and Public Affairs, Princeton University, and someone whose name has appeared on Techdirt many times. Despite his upbeat assessment of the value of open source in providing software transparency, the rest of his post urges caution:

    transparency does not guarantee that holes will be found, because there might not be enough eyeballs on the code. For open source projects, finding backdoors, or security vulnerabilities in general, is a public good, in the economists' sense that effort spent on it benefits everyone, including those who don't contribute any effort themselves. So it's not obvious in advance that any particular open source project can avoid backdoors.

In other words, open source is not a panacea: it is not guaranteed to protect you from backdoors. But, like encryption, it is probably one of the best defenses we have -- whether or not Torvalds was asked to add a backdoor to Linux.

Follow me @glynmoody on Twitter or identi.ca, and on Google+



Reader Comments

  1. sophisticatedjanedoe, Sep 19th, 2013 @ 2:26pm

    It's all conspiracy theories. Linus is a Bulgarian. That's it.

     

  2. sophisticatedjanedoe, Sep 19th, 2013 @ 2:27pm

    Re:

    (if you don't know what I'm talking about: http://en.wikipedia.org/wiki/Bulgarian_language#Miscellaneous )

     

  3. Anonymous Coward, Sep 19th, 2013 @ 2:33pm

    The question was "were you asked" when it should have been "did you implement". We still have no answer to the latter.

     

  4. Anonymous Coward, Sep 19th, 2013 @ 2:40pm

    Deliberately putting a backdoor in open source software would be stupid. The source code is available to anyone, which includes other spy organisations. Due to the massive use of Linux for large scale servers, it seems sensible to assume that other spy agencies have people looking at the code.
    The NSA wouldn't be that stupid, would they?

     

  5. Anonymous Coward, Sep 19th, 2013 @ 2:45pm

    Re:

    Eh, Linus doesn't even write much of the code these days - he's just the gatekeeper reviewing and accepting patches from his downstream colleagues.

    So even if he didn't, there's 10, 100, 1000s more people who could have pushed a change upstream that looked innocent, but was in fact not.

    We can only hope that somewhere along the way, those attempts get filtered out as "junk" when reviewers detect vulnerabilities.

     

  6. Anonymous Coward, Sep 19th, 2013 @ 2:52pm

    Re:

    hahahahahaha....oh, you were serious. Yes, the NSA actually IS that stupid.

     

  7. out_of_the_blue, Sep 19th, 2013 @ 2:53pm (this comment has been flagged by the community)

    Not to mention paid-for corporate spying! -- Because yet again, you DIDN'T.

    Got a recent Firefox? Type "about:config" into address bar, click away the frightening question, then type "google" into internal search field. You'll almost certainly see that the "Safebrowsing" link goes right to Google, so that can get around all other measures and Google gets to learn every site that you visit, log it, and eventually collate to profile you. (You can supposedly switch it off, and you can modify it to empty string, but without a network sniffer you don't really KNOW whether it stops reporting!) -- So, one of you corporatists again try to tell me that you can avoid Google, meaning without considerable effort, and even then, only maybe. I keep hoping that soon as the public just learns the facts that Google will be cut down.

    And I'm sure everyone knows that Microsoft operating systems have a number of "services" running that similarly report anything and everything you do.

     

  8. DCX2, Sep 19th, 2013 @ 3:12pm

    Don't trust - reverse engineer

    Can you really trust "open source"? Do you compile from the source yourself, or download the precompiled binary for your platform? How can you know that the binary you are downloading was actually produced by the source?

    To the reverse engineer, all programs are open source. Some are more open source than others, but all can be disassembled, decompiled, and analyzed.

    Even if you use open source software, and even if you compile it yourself, you still might benefit from reversing the binary you made to ensure that it is doing exactly what you think it's doing.

    Oh, and it never hurts to remove the WiFi card from your laptop, hook it up to the Internet over Ethernet with a hub, and then plug in another computer to the hub which is running wireshark.

     

  9. DCX2, Sep 19th, 2013 @ 3:16pm

    Re:

    How many people actually compile their open source software from source? In my experience, the vast majority download precompiled binaries. What's stopping NSA from presenting SourceForge with a gag order that lets them insert secret backdoors into all binaries uploaded to the service?

     

  10. PRMan, Sep 19th, 2013 @ 3:23pm

    Re:

    The NSA created AES, which almost everyone uses. Does it have a flaw known only to them?

     

  11. PRMan, Sep 19th, 2013 @ 3:25pm

    Re: Don't trust - reverse engineer

    Which assumes that router manufacturers haven't been forced to get into the game and hide the traffic from wireshark.

     

  12. PopeRatzo, Sep 19th, 2013 @ 3:52pm

    Re: Re: Don't trust - reverse engineer

    Use an old Pentium III as your router.

     

  13. Anonymous Coward, Sep 19th, 2013 @ 3:59pm

    "The act of breaking into a computer system has to have the same social stigma as breaking into a neighbor's house. It should not matter that the neighbor's door is unlocked. The press must learn that misguided use of a computer is no more amazing than drunk driving of an automobile."

     

  14. Slicerwizard, Sep 19th, 2013 @ 4:14pm

    Re: Not to mention paid-for corporate spying! -- Because yet again, you DIDN'T.

    "but without a network sniffer you don't really KNOW whether it stops reporting! So, one of you corporatists again try to tell me that you can avoid Google, meaning without considerable effort, and even then, only maybe."

    More lies from blue balls.

    1) It's trivial to run a program like TCPView; no "considerable effort" required.

    2) If a browser didn't honor users' wishes in this regard, we'd hear about it pretty quickly. Popular programs that are used by millions have too many eyes watching them.

     

  15. Hephaestus, Sep 19th, 2013 @ 4:18pm

    In the end, the NSA spying program is probably going to kill closed source software. Microsoft, Oracle, and their ilk are likely going to be feeling the repercussions for the next 20 years. If they last that long.

     

  16. Anonymous Coward, Sep 19th, 2013 @ 5:19pm

    Another problem is that the compiler itself could be compromised and programmed to make a slight change in a portion of code that would introduce a security flaw that could be exploited.

     

  17. Bob, Sep 19th, 2013 @ 5:23pm

    Considering Linux's /dev/random device is fundamentally broken (See Ben Laurie's posts for details) he doesn't need to.

     

  18. ECA, Sep 19th, 2013 @ 7:03pm

    Can I suggest

    I know an easier way..

    MAKE A PROGRAM THE CONSUMER WOULD USE...
    An anti virus/game/chat Program that works VERY WELL..
    and insert your OWN bot into it..
    Then ask the OTHER AV makers not to search for it...
    Easy.

    and you could make it work on many OS's..
    Think hard now..
    Yahoo
    MSN
    Google
    Excite
    Game chats..and many others...

     

  19. G Thompson, Sep 19th, 2013 @ 7:10pm

    Re: Re:

    I think you would be amazed how often .make is still actually used nowadays for all backend software (not just kernels) by enterprise users. Just because the PC world uses Ubuntu et al. and its KISS software installations doesn't mean the actual orgs that rely on *nix for major use don't compile directly from source.

     

  20. Chronno S. Trigger, Sep 19th, 2013 @ 7:30pm

    Re: Re: Re: Don't trust - reverse engineer

    "Use an old Pentium III as your router."

    And we've looped back around on ourselves. If we can't trust pre-compiled software, we can't use a P3 as a router.

     

  21. PaulT, Sep 20th, 2013 @ 12:43am

    Re: Not to mention paid-for corporate spying! -- Because yet again, you DIDN'T.

    "Got a recent Firefox? "

    Yes, but I tend to use Opera as my primary browser on the desktop, Safari on mobile. They have many competitors in both spaces.

    If Firefox's implementation scares you so much, why are you using it? Why aren't you getting together with your fellow conspiracy theorists and editing the source code to remove the Google-pointing bits, like you have the tools and access to do?

    How can someone be simultaneously that paranoid and that lazy?

    "you corporatists"

    Wait, aren't you the one usually complaining that we're "pirates" and "grifters" robbing corporations of their profits?

    If you're going to make up stupid terms to try and insult people at least be consistent about them.

    "everyone knows that Microsoft..."

    Yes, which is why the non-moron, non-lazy among us use alternatives where possible, to the point where Microsoft has lost its monopoly in many of the areas where it held one a decade or so ago.

    Stop whining, do something about it other than lying on a web forum and maybe the world will change the way you want it to. Stop using Google, you abject moron, it's extremely easy if you're not waiting around for someone to do it for you.

     

  22. Anonymous Coward, Sep 20th, 2013 @ 1:25am

    Re:

    The German government though was LoL
    https://www.datenschutzzentrum.de/material/themen/presse/anonip_e.htm

    The JAP (Java Anonymous Proxy) is a cautionary tale.

     

  23. Anonymous Coward, Sep 20th, 2013 @ 1:48am

    Re: Not to mention paid-for corporate spying! -- Because yet again, you DIDN'T.

    blue you are hilarious, this is why I am going to give you a bone.

    Firefox addon: TamperData

    Sniff all you want, no need to install Wireshark to see what your "browser" is doing.

    In Chrome (from Evil Google) you don't even need to install anything, just use the integrated sniffer on the developers tool menu.

    Now if you need some assistance learning how to use that addon, you can go to Youtube and watch any of the hundreds of videos explaining how it works.

    It will show you all the browser unencrypted traffic, yay!

     

  24. Anonymous Coward, Sep 20th, 2013 @ 1:59am

    Re:

    Excuse me, hackers everywhere want to send you these images.

    Fuck You! I am a cat!

    Dude, WTF is wrong with you?

     

  25. bratwurzt, Sep 20th, 2013 @ 2:16am

    Re: Re: Re: Re: Don't trust - reverse engineer

    To understand recursion first you must understand recursion.

     

  26. RonKaminsky, Sep 20th, 2013 @ 2:32am

    NSA exposures may actually require compilation

    If a corporation is distributing GPL-licensed software like Linux, and it has become well-known that there is a significant chance that the NSA has corrupted Linux binaries, then in order to avoid legal liability the corporation might have to compile from source --- since the NSA backdoors wouldn't be GPL-licensed (presumably, and even if so, the corporation would be unable to distribute the sources to those backdoors).

    The companies actually contacted by the NSA would almost certainly be immune, however (if they were American).

     

  27. Anonymous Coward, Sep 20th, 2013 @ 4:01am

    Re: Can I suggest

    There are already plenty of ways to hide bad processes from AVs. And some have been working for years... Just poke the infosec people, old pubbers or anyone heavily involved in warez (not your common script kiddie).

     

  28. Shon Gale, Sep 20th, 2013 @ 6:23am

    Can we trust the NSA to protect my car's source code from terrorists? 100 plus million lines of code and all it takes is 1 or 2 lines to tap into WiFi / Bluetooth and control your car. Speed it up! Put on the brakes! Turn it left and right! Turn it off! Stop it in the middle of the freeway with a truck coming at you! The Toyota problems we recently saw are just tests and they succeeded brilliantly. They left no trace when they hacked the car. Toyotas are totally hacked and can be controlled by anyone who was planted in software development with these large companies. None of your software is safe from Indian / Pakistani Terrorists working for cheap.

     

  29. Anonymous Coward, Sep 20th, 2013 @ 7:02am

    Re: Re:

    IBM does major work for the government.
    IBM contributes to Linux.

    Did IBM receive a NSA notice and request to insert backdoors?

    How many other companies contribute to Linux?
    Have any of them inserted backdoors?

    We know Microsoft, Apple, Google, Yahoo, Facebook and a dozen others are sending the NSA data.

    How would you feel about this if you were the Russian, Chinese, etc. government?

    Well the Brazilians are furious about the NSA interception of Brazilian government e-mail.

    If you were any of these governments what would you do to protect your data?

    Did the NSA shit in their soup bowl?

     

  30. Anonymous Coward, Sep 20th, 2013 @ 7:09am

    Re:

    Worse than that, from an American perspective it will most likely kill Silicon Valley as other countries retaliate against the NSA attempt at world domination.

    From an American economic perspective it also could end the one bright spot on the national economic front as software for foreign entities is more and more developed in a non spy environment.

     

  31. RyanNerd, Sep 20th, 2013 @ 7:36am

    All your backdoors...

    are belong to us.

     

  32. DCX2, Sep 20th, 2013 @ 7:54am

    Re: Re: Don't trust - reverse engineer

    I didn't say router, I said hub. Routers will not work, because the router will direct traffic only where it needs to go, meaning wireshark won't see it, no need to be "into the game" because that's what routers are designed to do.

    You need a hub specifically, because hubs rebroadcast the data they receive from one port to all ports. That's the only way you'll be able to eavesdrop.

    If you still think even hubs will be compromised (due to their simplicity, I would think this would be easy to determine...) then you could leave WiFi on, and use wireshark to record all the 802.11 packets that your target computer is transmitting.

     

  33. DCX2, Sep 20th, 2013 @ 7:56am

    Re: Re: Re: Re: Don't trust - reverse engineer

    Your statement makes as much sense as "if we can't trust an orange, we can't eat the apple either." A Pentium 3 is hardware, not software.

    You could very easily put your own personally compiled kernel of Linux onto a Pentium 3 and load it up with your own personally compiled version of wireshark.

     

  34. John Fenderson, Sep 20th, 2013 @ 9:40am

    Re:

    Or the former.

     

  35. John Fenderson, Sep 20th, 2013 @ 9:44am

    Re:

    It's not as hard as you might think to introduce security weaknesses in a way that can pass source code examination. The NSA attempting to do this with OSS is no more inherently stupid than attempting it with closed source software.

     

  36. Anonymous, Sep 21st, 2013 @ 4:24pm

    Re: Re: Re: Re: Re: Don't trust - reverse engineer

    I don't want anything to do with Apple anyway.

     
