Leaked Memo Says Apple Provides Backdoor To Governments 582
Posted
by
timothy
from the well-we-know-att-does dept.
from the well-we-know-att-does dept.
Voline writes "In a tweet early this morning, cybersecurity researcher Christopher Soghoian pointed to an internal memo of India's Military Intelligence that has been liberated by hackers and posted on the Net. The memo suggests that, "in exchange for the Indian market presence" mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as "RINOA") have agreed to provide backdoor access on their devices.
The Indian government then "utilized backdoors provided by RINOA" to intercept internal emails of the U.S.-China Economic and Security Review Commission, a U.S. government body with a mandate to monitor, investigate and report to Congress on 'the national security implications of the bilateral trade and economic relationship' between the U.S. and China. Manan Kakkar, an Indian blogger for ZDNet, has also picked up the story and writes that it may be the fruits of an earlier hack of Symantec. If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?"
How Not to be Seen (Score:5, Insightful)
It's all a big setup. The Patriot Act lets them investigate anything, anywhere, without a warrant. Now they are on your devices. Now any terrorist loses his rights as an American. The next war is at civil. No wonder the troops are coming back home.
Re:How Not to be Seen (Score:5, Insightful)
PGP... it's way past time. Clinton was trying to mandate forced escrow keys for strong encryption years ago, first warning. Now, you can't place your trust in anyone but yourself to protect your privacy.
Re:How Not to be Seen (Score:5, Insightful)
PGP... it's way past time.
Yeah that will work if they are reading your keystrokes.
Re:How Not to be Seen (Score:5, Funny)
Re:How Not to be Seen (Score:5, Funny)
Don't forget to drink your Ovaltine.
XSecure (Score:5, Interesting)
Hm, I wonder if a smart keyboard ran its own OS, like Android, running an X client over a network to the main PC's X server, if that would secure the aggregated workstation better against keyloggers and other similar devices. Not trusting the local buses, which seem harder to secure. An Optimus keyboard might have the HW to run the OS and X client. A monitor that's just an OS and X server over a gigabit ethernet to the main PC might complete the picture. And maybe the whole thing would then run even faster.
Or maybe that all just kicks the can a little down the road, to where a keylogger or other spyware just infests the "app host" PC at the core.
Re:How Not to be Seen (Score:5, Funny)
Re:How Not to be Seen (Score:4, Insightful)
Valid point: there's a Real Life workaround for crypto: force.
But it's still quite a big win: if they can't watch you without threatening you, they can't watch you without telling you.
Re:How Not to be Seen (Score:5, Interesting)
I have to wonder how "ahead of the game" the average law enforcement is when it comes to crypto simply because talking to a friend in the state crime lab (he keeps trying to hire me but...damn i don't think i could handle that shit 5 days a week) I have learned that even internet criminals are like most criminals and just very very very very...dumb. I mean stupid on whole never before seen levels of dipshit, just ignorant like you wouldn't believe. I had to cook up a batch file for my buddy last year because all his tools are based on NTFS and he couldn't recall off the top of his head the old DOS commands and they had found a braintrust still using Win98SE! Sure enough Mr Dipshit had hidden enough CP on his drive to get himself 300 years by dropping it in a subfolder in the Windows folder. no crypto, hell not even a password protected zip file, just dropped in a damned folder.
So while I'm sure the NSA and Interpol have some chops simply because they have to deal with foreign powers and spies I have to wonder if the rest simply are up on their game because the "cyber criminals" they have to deal with are about as smart as the dipshit we had rob a bank last year while wearing his workshirt with his name and the name of the company in bold letters right on the front. Hell the lettering was big enough they could just read the shirt right off the security cam and sure enough Mr braintrust showed up for work the very next day and was shocked! Shocked I tell you! That they had managed to catch his brilliant ass.
Re:How Not to be Seen (Score:4, Interesting)
I saw a forensic expert that works for local law enforcement give a presentation for a local community college "intro to computers" class awhile back. 90% of what he told them was bullshit. He told them, that once they saved a file to their hard drive there was no way they could really delete it and that he could always recover it. He went on and on, belaboring the point that there was no way anyone could ever hide anything from him. I was working on a computer in the class, getting it ready for an upcoming engineering class in the same room, and didn't want to start anything so I just shut up, but I mentioned to the instructor and the class members later that the guy was full of shit.
It kind of disheartening that a moron like that qualifies as an expert witness for law enforcement.
Re:How Not to be Seen (Score:4, Interesting)
That is why i'm glad my buddy actually has a brain. he'll be the first to tell you he won't be getting past any crypto that won't fall to a rainbow hash or brute force dictionary attack and that with a modern drive you wipe with zeroes that shit is gone friend. just to be safe i do a DoD 3 on all drives that pass through the shop but that is just because i have a box sitting in the corner for drive wiping and a DoD 3 really doesn't add much time over a random wipe and part of the reason why many businesses and schools are willing to donate machines to me to refurb for the poor is i tell them "Any drive that you leave in will be getting wiped to DoD specs" which gives them piece of mind.
And he is damned good in court, I've watched the man work and he is cool as ice, I just don't think i could do that shit. i know the state pays him to see a shrink weekly so he can "data dump" as he calls it but seeing raped kids pics and vids all damned day? man I do NOT want that damned job! In the consumer retail biz i make it a point not to snoop people's drives so i don't have to see any nasty shit, the worst i've had to deal with was some gal that wanted me to back up her erotic pics of herself before I wiped the drive. I swear that gal had dildos big enough you could mount them on a gun rack! But I don't think I could do like he does and sit there all calm while sitting across from some guy I KNOW raped his kid because i saw the pics. not enough brain bleach in the world, i don't care how good the benefits are!
Re:How Not to be Seen (Score:5, Funny)
Hacking stuff you own is perfectly legal.
Re:How Not to be Seen (Score:5, Funny)
You must be new around here..
Re:How Not to be Seen (Score:5, Insightful)
What does legality have to do with it?
Re: (Score:3, Funny)
You only get thrown into federal prison for doing illegal things.
Re:How Not to be Seen (Score:5, Insightful)
Everyone has done something illegal. They might not know it and it might not have been immoral. As long as you can monitor everything they do you can find a reason to send them to jail if they start to express 'undesirable' opinions.
Re:How Not to be Seen (Score:5, Interesting)
Everyone has done something illegal. They might not know it and it might not have been immoral. As long as you can monitor everything they do you can find a reason to send them to jail if they start to express 'undesirable' opinions.
I can be more specific. All programmers violate patent law every time they code, whether they release their code or not.
question:
How is it we've accepted a set of laws that guarantee we'll be lawbreakers subject to enormous civil fines and seizure and what can we do?
answer: publicly funded elections.
puzzler: explain the answer
Re:How Not to be Seen (Score:5, Interesting)
Question: We've given way too much power to the government and we are about to be trapped in a dystopian police state. What can we do to stop it before tos too late?
Answer: Give the government control over campaign finance as well.
Puzzler: Why do I have a bad feeling about this?
Re:How Not to be Seen (Score:4, Interesting)
I don't like either, but while we still have elections, I'd rather have government power than corporate power. At least with the government you can vote them out. You can't vote a company out of existence.
Re:How Not to be Seen (Score:5, Insightful)
Answer: Fight among ourselves, either choosing the corporate side (because in the libertarian fantasy world where govts have no regulatory power, bullies do step in and do what they want), or the government side (where the government has a police state to smash immigration, protests, etc).
Better Answer: Let's unite over what really matters: A system of government where votes count, money doesn't buy elections or politicians, and "we the people" actually do run the country. That means campaign finance reform. It means overturning Citizens United. It means getting rid of the electoral college. It means dumping primaries and instituting instant run-off voting. So we end up with a single national popular vote, with instant-run-off, no states getting to go first, and no vast sums of money polluting the discourse and purchasing politicians. That is what we fight for.
Re:How Not to be Seen (Score:5, Insightful)
If the government is corrupt, why would that corruption not extend to campaign finance reform?
Re:How Not to be Seen (Score:4, Informative)
Re:How Not to be Seen (Score:4, Informative)
Just one point. Violating "patent law" isn't a criminal offense
Perhaps not; its worse, it makes me suspect you are a terrorist.
And that's way better than a criminal offense... as a criminal you still have rights... as terrorist suspect... you don't.
Aha... I saw you roll your eyes at this post... and then I felt a bit queasy... so you are cleary a witch too...
Re:How Not to be Seen (Score:5, Informative)
In this case, Apple was aiding and abetting foreign intelligence services collecting against the US. Thats illegal.
Re:How Not to be Seen (Score:4, Funny)
You only get thrown into federal prison for doing illegal things.
But innocent people have nothing to hide!
Re:How Not to be Seen (Score:4, Informative)
You only get thrown into federal prison for doing illegal things, in america, if your outside america you get drugs, stuck in nappies and an orange jumpsuit, abducted, flown to a foreign state know for torture, held and tortured then released in another country on the side of the road. all for having a name as come as Smith in the arab world. https://en.wikipedia.org/wiki/Khalid_El-Masri
And that was a citizen of a member of nato.
Re:How Not to be Seen (Score:4, Insightful)
You only get thrown into federal prison for doing illegal things, in america, if your outside america you get drugs, stuck in nappies and an orange jumpsuit, abducted, flown to a foreign state know for torture, held and tortured then released in another country on the side of the road. all for having a name as come as Smith in the arab world. https://en.wikipedia.org/wiki/Khalid_El-Masri [wikipedia.org]
And that was a citizen of a member of nato.
You forgot to mention "get detained and interrogated months after you have been identified as not being the guy they are after.".
Re:How Not to be Seen (Score:4, Interesting)
In the UK, you get shot six times in the face for wearing a jacket in summer.
Not anymore (see NDAA) (Score:5, Insightful)
Go read NDAA, shamelessly passed by Senate (both parties) and shamelessly signed by Obama little more than a week ago. It allows for indefinite military detention of people your lovely govt. calls "terrorists" without charges and without recourse to a court of law as they're free to ignore court orders. With NDAA passed, US is now officialy a police state of kind it used to install in some many Latin countries in the past. You can kiss your freedoms goodbye as your constitution now has been teared down along with all its amendments.
I doubt US millitary will use it to full extent at first as it would be a major PR disaster, but as time passes and popular anger at corporations/government grows you'll see more and more of people in jail just refusing to do that our corporate overlords want.
Re:Not anymore (see NDAA) (Score:4, Insightful)
This is what I so dislike about President Obama. He's not even a good liberal. This is the kind of thing I would Expect from the Bush administration.
Re:Not anymore (see NDAA) (Score:5, Insightful)
Obama is OK in my book. (Score:5, Interesting)
2 weeks after my wife and I bought our house in 2001, I was laid off. After 3 months of searching 9/11 happened, and the shit really hit the fan. Silicon Valley for a time looked like a ghost town. Moving trucks were moving east (getting the fuck out of dodge so to speak)
A year later I wound up getting a crappy job at a bar. 10 years later I'm still here, working on my own software that runs certain aspects of the bar (very profitably I might add) When we bought our house in 2001 interest rates were sky high, and the wife and I thought our futures in tech were pretty secured. I think we were at 10% interest. We refinanced twice over the 10 years trying to keep payments down so we could stay in our house.
In the last 2 years the ARM on our loan got so high we were paying over $1600@mo for the new interest charges alone. We were virtually on the brink of losing our house. Then the "Obama Affordable home" plan was passed. Bank of America didn't make it easy. My wife had to call them every single day for a year. (like calling your AT&T subcontractor when your T1 goes down) At one point they denied us because "We couldn't verify your identity" (one of the loan modders wrote my social security number down wrong)
Despite what you might think of Obama.. He's just doing the best he can. He's no Bill Clinton, but having to clean up after GWB can't be easy. He stopped the banks from bending over hardworking people. Osama was killed during his term. Troops are withdrawing from Iraq.
Re:Obama is OK in my book. (Score:4, Informative)
We could afford it at the time. We bought an "as is" house with numerous problems because it was the cheapest one on the market in an area we wanted to be in. We figured we'd just keep working, and fixing the problems as we saved our money along.
We didn't buy a house with 0 down either. My wife and I both cashed in stock options (that we had earned and vested at .coms) and had a $50k downpayment on a $500k house. So how dare you discredit the hard work we did getting to that point.
After 2001-9/11 it wasn't just the banks screwing people over. The counties lost a ton of funding (again, went to Iraq) Everyone's property taxes got raised sky high (we're at about $7k@year)
Let's face it man, with every city in the bay area suffering a deficit, from San Jose to Vallejo (who went bankrupt) everyone, everywhere lost funding. Inflation really hit hard. Gas prices skyrocketed.
Guys like countrywide home loans really set up a lot of hardworking folks to fail. We were with countrywide in the beginning.
I'm not the only one in this boat. I am the 99%.
Re:Not anymore (see NDAA) (Score:5, Informative)
Obama is Dubya V2.0. The folks who thought he was liberal got pwned.
The folks who thought Dubya was conservative got pwned too. Obama wants to sell us out to big government, Dubya was sold us out to big bussiness, somebody else is just as eager to sell up out to big religion; the only thing that stays the same is we get sold out to something big.
Re:Not anymore (see NDAA) (Score:5, Informative)
So let's see, in the past three years we've gotten:
*Health care extended to millions of people who wouldn't otherwise have it
*Honesty about how much the War on Terror is costing by putting it in the budget, rather than hiding it as Bush did
*Laws stopping credit card companies from abusing their customers through short notice due date changes and excessive default rates
*Limitations on outrageous fees charged to retailers by the card companies
*A Network Neutrality law (albeit not on mobile networks, but there are good technical reasons why wireless networks can't be as unfettered as wired ones)
*An end to the stop loss program wherein soldiers were forced to stay beyond what they signed up for
*Fixes to the abortion that was No Child Left Behind (e.g. funding it, helping low scoring school instead of punishing them, etc.)
*The Ledbetter Law, pushing back against a conservative SCOTUS ruling that made it virtually impossible for women and minorities to sue over pay discrimination
*An end to torture and extraordinary rendition
*An end to DADT, and no support for DOMA (he can't end it unilaterally, but he's refusing to defend it in court)
*A new START treaty to reduce the number of nukes in the world
Had it not been for Republican filibusters, we also would have gotten:
*EFCA, helping to fight back against the corporate driven destruction of unions
*Cap & Trade, a free market solution to global warming
*Public option health care, allowing people to buy health insurance direct from the government rather than a for-profit company
*The DREAM act, allowing illegal immigrants a path to citizenship through college or military service
That's just what's coming to mind right now. I'm sure there's a bunch of small stuff I've forgotten. Now, how many of those things would be supported by the GOP? Maybe the New START treaty, but I doubt it, and certainly none of the others.
Claiming that Obama is "Dubya 2.0" makes for a nice sound bite, but it is blatantly false. This whole myopic claim that Republicans and Democrats are the same is just an excuse for the lazy who don't want to be bothered trying to make a difference in the world, and prefer to just shrug off the whole system while hoping for a magic solution that will never come.
Re:Not anymore (see NDAA) (Score:4, Interesting)
While I don't like all of his decisions, everyone got "pwned" (to quote a sibling post) on this one.
Since it was packaged in the defense budget, nobody wanted to be seen as 'bad on military' in an election year. So: It ran through House and Senate with a veto-proof majority. Obama could have either taken a stand on this and had it go through anyway (with the headlines in October reading "He hates our troops") or signed it and gotten painted with "He hates our citizens."
Oddly, the House and Senate, which wrote and passed this POS, seem not to be hit with the same brush.
They are all the same party (Score:5, Insightful)
Bush, Obama, Romney.
It no longer matters who you vote for, they are all owned.
Re:They are all the same party (Score:5, Insightful)
My wife always asks me why I "throw away my vote" by voting for a third party. I ask her why she bothers to vote at all *unless* it's for a third party. Otherwise it's just picking between different flavors of vanilla.
They are all the same party: Said Nader (Score:5, Insightful)
Did I forget to wind my watch, or is it 2000 all over again? Picking between different flavors of vanilla, and a few trillion dollars, a few thousand lives, some wonderful Federal legislation, zero wage growth, zero oversight of the financial markets...
The problem is that to create real political change requires a hell of a lot more personal commitment than checking an alternative box every few years, or posting about Nader/Paul/Bo, etc.
Exactly. Revolution (Score:4, Insightful)
The problem is that to create real political change requires a hell of a lot more personal commitment than checking an alternative box every few years, or posting about Nader/Paul/Bo, etc.
Spot on. The political systems have degenerated to the point that revolution is required to make real changes.
Re:Not anymore (see NDAA) (Score:5, Insightful)
Please, please, PLEASE stop spreading this lie. We can't run a country based on false information.
The NDAA is a military spending bill. It gets passed every year. For several years it has allowed the military to detain members of Al Qaeda, and no one had a problem with this. In the latest version, this was expanded to cover members of other terrorists organizations, but it still states that it cannot be applied to United States citizens or immigrants.
I know that doom and gloom is fun. It gets the blood pumping, and being outraged squirts some feel good chemicals into your brain. But stop spreading lies, and go read the damn thing. Claiming that the US is now a police state is the sort of lie I'd expect from Glen Beck; no different from claiming that the government subsidizing people meeting with their doctor to learn about Do Not Resuscitate orders is equivalent to the Holocaust.
Re:Not anymore (see NDAA) (Score:4, Informative)
Please, please, PLEASE stop spreading this lie. We can't run a country based on false information.
The NDAA is a military spending bill. It gets passed every year. For several years it has allowed the military to detain members of Al Qaeda, and no one had a problem with this. In the latest version, this was expanded to cover members of other terrorists organizations, but it still states that it cannot be applied to United States citizens or immigrants.
What Section 1021, subsection (e), of H.R. 1540 as enrolled [loc.gov] says is
which doesn't explicitly say it cannot be applied to US citizens etc.. The question is what "existing law or authorities" say. Senator Carl Levin quoted the Supreme Court as saying "There is no bar to this nation's holding one of its own citizens as an enemy combatant." [csmonitor.com], which comes from the O'Connor/Rehnquist/Kennedy/Breyer opinion in Hamdi v. Rumsfeld [supremecourt.gov]. On the other hand, they also say "It is a clearly established principle of the law of war that detention may last no longer than active hostilities.", but if active hostilities continue until we've defeated "those nations, organizations, or persons he determines planned, authorized, committed, or aided the terrorist attacks that occurred on September 11, 2001, or harbored such organizations or persons" [gpo.gov], who knows when they'll cease.
Re:Not anymore (see NDAA) (Score:4, Informative)
According to Wikipedia, the text of the bill allows to detain anyone "who was part of or substantially supported al-Qaeda, the Taliban, or associated forces that are engaged in hostilities against the United States or its coalition partners ... without trial, until the end of the hostilities". That's pretty damn broad, especially the part without trial - it essentially leaves the definition of "substantially supporting" at the discretion of the executive.
Furthermore, there was to be a specific amendment to the wording this year that would clearly spell out that the above is not ever applicable to U.S. citizens. That amendment got thrown out. The wording as it stands is ambiguous on whether it permits indefinite detaining without trial of U.S. citizens or not; what matters is that Obama administration has already explicitly stated that they believe it to be permitted, so that's how they are going to operate. That is a police state, indeed, even if it will not apply in practice to most American citizens.
Re:How Not to be Seen (Score:4)
Oh, yeah? [wikipedia.org] You get thrown in prison for being convicted of a felony whether you committed the crime or not.
Re:How Not to be Seen (Score:5, Informative)
Hacking stuff you own is perfectly legal.
It is until the government makes it illegal. The number of federal crimes has ballooned from around 3,000 in the 1980s to an estimated 4,500 today. wsj.com [wsj.com] The Feds seem to make all kinds of things illegal today, so I wouldn't hang my hat on whether it's illegal or not. Where would one even look? Have you ever seen the United States Code? It's a nightmare. New bills that come up for a vote that amend an existing statute, for instance to add a crime to an existing statute, don't republish the whole statute, the bill shows the changes to the statute, and they show that they add a sub-paragraph here or remove a word there. It's really very difficult to figure out what's going on, even for our legislators.
Re:How Not to be Seen (Score:5, Insightful)
Sounds like you need a US Code Repository, with bills published as changesets, but retaining the ability to pull a complete version of the legal framework that is actually in use.
Re:How Not to be Seen (Score:5, Informative)
Sounds like you need a US Code Repository, with bills published as changesets, but retaining the ability to pull a complete version of the legal framework that is actually in use.
I really wonder why this hasn't been done years ago. Some svn+wiki could be hacked easily, with the whole changelog, the name of the senators/governors who voted on it and links to law cases that applied it.
... well that's one reason open source is superior (Score:5, Insightful)
I'm not a huge open source guru. I have nothing against it and I use open source software all the time. But I'm not a zealot on the subject. Still... this is unacceptable. If I buy a bit of software from apple or microsoft, it has to be understood that I control the security. I bought the OS. I bought the machine. I own that license. if they're going behind my back to sell my security to a third party... then I consider that a breach of contract and I'm really not amused.
If this is valid... and it hasn't been confirmed yet... then anyone that signed that agreement is untrustworthy.
Nothing else to say on the matter.
Re: (Score:3, Insightful)
Unless you've personally verified every single line of code in the OS, you're not really better off. You've just hoping that others have verified every single line of code, and unless you've verified that they're all trustworthy, you're just hoping that's true, too.
...and in case anyone's thinking this is an astroturf troll, I use Linux, not Windows or Mac. I've exclusively used Linux for 11 years now.
Re:... well that's one reason open source is super (Score:5, Insightful)
Well, you're slightly better off. Unless you expect a global conspiracy where every person who ever read the code and would talk about it has been bought or silenced.
The key is that it's heaps harder to slip a backdoor into OSS simply because far more people can (and do) examine it. The chance that someone finds it and reports it is simply by some margin higher.
Re:... well that's one reason open source is super (Score:5, Insightful)
Re:... well that's one reason open source is super (Score:5, Insightful)
The key is that it's heaps harder to slip a backdoor into OSS simply because far more people can (and do) examine it. The chance that someone finds it and reports it is simply by some margin higher.
My thoughts exactly. If you think about this as a developer who wants to implement a backdoor, open source is much more risky for you. You'll have to be clever in order to hide it in plain sight, and there is still a good chance someone will find it. In contrast, when the software is closed, you can write the simplest possible backdoor, and not worry about being seen.
Re:... well that's one reason open source is super (Score:4, Informative)
Unless you've personally verified every single line of code in the OS, you're not really better off.
Even if you do, you're not sure. Your compiler may be compromised. See: Reflections on trusting trust. [cmu.edu]
Re: (Score:3)
This is borderline FUD. Yes it's possible to poison the code but with a proprietary closed system it's damn near certain you're backdoored. If for nothing else than for the company who sells the software to keep tabs on it. It's in their best interests not to sell you out because loss of credibility means loss of revenue but if the stakes are high enough they can be persuaded. For this reason it's not a problem for the average Joe usually but if you have anything you want kept secure and the stakes are
Re:... well that's one reason open source is super (Score:4, Insightful)
Even if a backdoor is discovered, there's no guarantee that credibility will be lost... A smart backdoor would look like a bug and could easily be explained away as such... Exploitable security holes are commonplace, who's to say some of them weren't originally designed as backdoors?
Re:... well that's one reason open source is super (Score:5, Interesting)
A smart backdoor would look like a bug and could easily be explained away as such...
Tee hee. A while ago, one of the hacker sites had a competition to see who could hide a "backdoor" -- the idea was to take an image in a script compatible form (all the numbers were in text, rather than in binaries), black out a certain region (think redaction), and still have some way to have the redacted area be recoverable when the right inputs were given.
The catch? The code would be given a peer review, so you had to come up with something that would pass most attempts at oversight.
A lot of people tried to hide stuff in "error detection" routines.
The winning code had no bugs of any kind. It did perfect redaction of the specified area. No flaws, no errors, nothing to be spotted in code review.
Except for one oddball usage of fetching and writing individual characters -- getc() and putc(). The author explained that as an attempt to make sure that no matter what was in the input data, no matter how messed up the graphics were in an attempt to break the code, it would not have any overruns, no undefined behavior, etc.
Result? The "black" would be written out as "0", "00", or "000", depending on the light level of the source. For all three color channels.
Absolutely unnoticeable when viewed on a viewer. There was no hidden alpha channel, no slight alternation between black-0 and black-1, etc.
Yet you could still recover readable text, almost perfect pictures, etc.
Security hole back door? Very doable.
Re:... well that's one reason open source is super (Score:5, Insightful)
Exactly. Even the open source community is built on a massive foundation of blind trust, because perhaps one user in a hundred thousand will actually look at the source. Otherwise, no matter if it's open or closed, the average user says, "That looks neat, I'm gonna install that".
A personal anecdote: my open source theft recovery package for Macs has several thousand users. All of the source (with comments) is bundled with the installer, yet I often get questions from users about what the program does "under the hood", when they could easily learn the answer themselves by reading the source code.
The overwhelming majority of users seem to like open source because it's free, not because it is theoretically more secure. I might have been collecting private information from the users of my program for the past three years, and I often wonder if a single one of them would have bothered to check the source in all that time.
The best attack vector for any malware is incredibly simple: bundle it into something useful, and then give it away. You can guarantee that some people will install it (for the same reason they'll pick up and use a "lost" USB memory stick), because it is human nature to want to take advantage of something that is freely given.
Re:... well that's one reason open source is super (Score:5, Insightful)
While most people cannot, or will not read the source code... It only takes one of them to read it and find a backdoor, and then tell the world.
If your really paranoid, you can read the code yourself or find someone you trust to do it for you. Personally i'd much rather trust a friend, or someone who is working explicitly *for me* than a company which has the primary goal of making profit at any expense.
Re:... well that's one reason open source is super (Score:4, Interesting)
The Linux kernel is 14 million lines of code alone, when I type in a password I'm guessing between the kernel, xorg and the browser at least double that. Even if only a tiny bit of the code paths are touched, what's to say there's not a trigger set up somewhere to peek at some buffers?
Let's say you're walking in a city of 14 million people. You stop at an ATM and enter your PIN. What's to say that one of those 14 million isn't watching, hoping to steal your PIN and then your money?
When you're wandering around in a city full of strangers, there are real security concerns, some of them supported statistically by the sheer impossibility of being able to trust every member of a given community. But even given those limitations, you can still maintain a decent level of confidence simply by keeping tabs on who's watching you.
But you've got other fish to fry when the bank itself says, 'You don't need to know about what security measures we've put into place. Just trust us.'
FOSS is not a cure-all, and making something open source doesn't magically make it secure or even trustworthy. The only benefit is that it makes it possible to verify. Which is more than can be said for proprietary software.
Re:... well that's one reason open source is super (Score:5, Insightful)
Anyway, I like how you present it : "I'm not an open source zealot, I'm merely an opponent to secret backdoors"
Re: (Score:3, Insightful)
If I buy a bit of software from apple or microsoft, it has to be understood that I control the security. I bought the OS. I bought the machine. I own that license.
HaHaHaHaHa, HoHoHoHoHo, HaHa, Hoooo....
Eh, turn your keyboard around, gullible is written under it.
Re:... well that's one reason open source is super (Score:5, Informative)
I bought the OS. I bought the machine.
Technically, while you bought the hardware, you did not buy the OS.
With the machine, you've got the right to do whatever you please with. (Modify, lease ...) Not so with the OS you believe you purchased.
Typically with proprietary software, you only buy a license to use it as-is, and you are not even entitled to study how it works, or even look for backdoors.
IMHO, this is the major problem with proprietary software, and an outrage that such agreements have any legal stance in a free-market society.
Re:... well that's one reason open source is super (Score:4, Informative)
Nothing has to be understood, you didn't buy the software you are renting it and the license agreement says so... It also says that you have no comeback against the company providing it. If you didn't like those terms, then you shouldn't have accepted them.
Companies exist to make profit, its only logical that they would sell you (a small fry) out to a large government willing to pay a lot more money and open up a potentially huge market to them. This is what companies do, welcome to capitalism.
Re:... well that's one reason open source is super (Score:4, Insightful)
To everyone that's telling "oh you didn't buy it, you licensed it!" or "But you clicked OK on the EULA!" or any variation on that theme. I'm pretty confident I could effortlessly sue the silly pants off any company that did this to me... especially if I could show damages in court. What jury is going to sit there and say "oh, he clicked OK on the EULA..." From a legal standpoint, EULAs are almost worthless against consumers and I even question how effective they are against corporations. There are different legal standards here. A big corporation for example has a legal obligation to actually read everything to the last line and appreciate what all the various legal terms mean. One person that has no special legal knowledge can't be reasonably expected to sign such things.
The basis of legal contracts is that BOTH sides know, understand, and agree to the contract. If it can be demonstrated that either side could not be expected to reasonably know, understand, or agree to everything in a contract then the contract is invalid.
For example, if a blind man signs a 500 pages legal contract it's almost certainly invalid. To make such a contract valid there would have be documentation that made it clear throughout that the man read or understood the contract. That might mean having a notary read it and occasionally inital segments of the contract to signify that given portions had been communicated. Or it might mean giving the man a copy of the contract in braille or something.
The problem with EULAs is that no one reads them and worse no one can really be expected to read them. How many EULAs do you see in a day? I see about three on average and I think I've only read about two of them... and that was because I was bored.
EULAs mostly exist not to restrain consumers because they can't reasonably be applied to them. They exist to restrain other corporations who also use the software. Because other corporations don't have this protection. It's one of the big differences legally between small and large organizations. Small groups generally are given a lot of legal slack. Big companies have to make a point of dotting every i and crossing every t. They have to read all these EULAs. And while I bet they don't even do it, they would have a much harder time making the same legal argument in court that they simply don't have the reasonable expectation of reading or understanding such documents.
If Microsoft or Google did something that meant thousands of credit card numbers were stolen. Something where you could show damages. There is no EULA that would defend them. They'd get their silly pants sued off if it could be demonstrated that it was their fault.
Now if it was an issue of malware or something then they can probably successfully argue that end users have a responsibility to secure their systems and MS or Google didn't steal the numbers in any case or intentionally make them available. However, if MS and google intentionally used backdoors to get such information or sold the keys to those back doors to a third party that then used them to get the information. THEN those companies would be screwed sideways.
If the twentieth paragraph in the EULA says "oh by the way, we reserve the right to let third parties pilfer your data at will" it wouldn't stand in court.
Re: (Score:3)
Huh? How has a government or large corporation been wronged?
Re: (Score:3)
IF I was involved in anything where security was paramount. I mean here life or death basically. I'd certainly need to be sure of all my code and that would mean analyzing and compiling code. As for my own, individual security I feel more comfortable with a linux distro. It might be backdoored but I'm absolutely certain that Windows is compromised and I'm almost as sure about OS X.
Probably not just Apple (Score:5, Insightful)
At the same time, if you are concerned about the possibility of backdoors, it's awfully easy to bury one in deep in some standard hardware component that user space processes and most of the OS don't normally interract with. Since most of our cellphones and PCs (and GPSs and media boxes and cameras and
Re:Probably not just Apple (Score:5, Insightful)
Re:Probably not just Apple (Score:4, Interesting)
For Android phones with the Market app installed, an explicit backdoor isn't even necessary. Application installation is performed by the user requesting something from the Market, and the Market subsequently "pushing" the application to the device by sending an install command through Google's XMPP-based notification service. The installation itself does not require any interaction from the user. This is why, for example, you can install an app on your phone from the Android Market web site.
Well guess what, this means that Google, or anyone who can leverage control over them, doesn't need a backdoor already on your phone. The government could just use the Market's normal installation mechanisms to install SpyOnStuff.apk over the air on an as-needed basis.
Re:Probably not just Apple (Score:5, Insightful)
It would be very hard indeed to check the code that has been burned into a chip and is running some spy software, unless you could pull apart an Iphone 4s and analyze the whole circuitry and firmware for the back-doors code. I am not sure how difficult that would be, surely more than just a logic probe and some spare time.
Putting in a "hardware" backdoor of that nature would be exceptionally difficult. You would have to know all kinds of things about the whole system, not just the chip your company is responsible for. That was why Stuxnet was such a big deal. Putting a backdoor into a piece of equipment is easy. Putting it to use in anything more complex than a toaster oven will be very difficult and require massive knowledge of the total system. Hell, even for all its sophistication, Stuxnet still failed to go unnoticed. There are just too many ways that it fails, and causes someone to go see why their system is behaving odd. All it takes is one person at the device manufacturer to start digging into a consistent equipment failure, and soon the light is revealed. You basically need a bunch of spies on the ground at the device designer to tell you what chip sets they're using, what interconnects, what OS, what extra software... It would be far easier to just put a sleeper on the ground to put your backdoor in the software.
-=Geoskd
Awesome headline. (Score:5, Insightful)
How RIM, Nokia and Apple becomes just Apple is beyond me. Magic?
Re:Awesome headline. (Score:4, Informative)
Re:Awesome headline. (Score:4, Insightful)
Re:Awesome headline. (Score:5, Insightful)
TFA was just badly worded. The leaked document makes it clear that it was just RIM, Nokia and Apple, or RINOA as they are abbreviated to. The backdoor would probably need to be at the OS level so it stands to reason that only companies which make mobile OSs are on the list, and Google is not there (nor is Microsoft).
I think Google got burned by their experience in China which turned out to be an impossible situation for them. It seems unlikely they would then jump into bed with India and give them what they refused the Chinese.
Re:Awesome headline. (Score:5, Insightful)
Re:Awesome headline. (Score:5, Insightful)
Only open source can be secure (Score:3, Insightful)
What's surprising is that anyone with secrets worth protecting doesn't already know this, or hasn't already hired someone competent enough to tell them this.
Re:Only open source can be secure (Score:5, Insightful)
News from a twit. (Score:5, Insightful)
Re: (Score:3, Funny)
Re:News from a twit. (Score:5, Funny)
Now a tweet and a few images are considered legit news?
You're right. We're completely missing the celebrity angle here. What does Lady Gaga think about all this? /sarcasm
Seriously, guys (Score:5, Insightful)
How can anyone be so naive to assume that any system that is commercially produced in large numbers these days does *not* have in-built backdoors for the alphabet soup agencies? Living under a rock much, are we?
Same goes for Google, Facebook and all the rest. If you, even for one second, assume that the three letter agencies do not have permanent liaison staff at the HQs of these companies, and are not free to browse the data accumulated by these companies at will (including specially built data mining apps that cater for their needs, and their needs alone), you are seriously deluded.
Sorry to put it this bluntly, but reality can be a bit harsh at times.
The only real question is what to do about this status quo, and whether it is both possible, or realistic, to ever change it. All things considering, our society is arguably (still) the most free society on the planet. "They" are listening to everything, which is most definitely not the way it should be. But then, "they" have also not been hugely disruptive of discourse within society so far - mainly, I would wager, because "they" are mostly fairly normal citizens who work for the *** agencies. In particular, "they" are not a pampered, segregated elite of any sort, e.g. like the IT minions of the investment banking crooks^H^H^H^H^H^Hcrowd, or the secret service bastards of the former communist countries (who enjoyed considerable privileges beyond what normal citizens ever got). Rather, due to the never-too-stellar payment schemes of government services, the people in charge of all this are, by and large, fairly normal people. Most of them, at least. To quite some degree, I would wager that we can fairly safely count on that sort of people not being all too willing to cooperate in the creation of an actively evil 1984-ish state (as opposed to the passively listening one we have at the moment).
This is not to say that these developments are in any way positive. Nor is it to say that we should just roll over, and stop fighting developments like that. No way. We need to sharpen our instincts for (as it were) "digital freedom" much, much more. But as a part of this, we also need to be realistic about the status quo. Which is currently... odd: theoretically fairly evil, but in practice, apparently still fairly manageable.
Just my 0.2$
A.
Re: (Score:3)
How can anyone be so naive to assume that any system that is commercially produced in large numbers these days does *not* have in-built backdoors for the alphabet soup agencies? Living under a rock much, are we?
Because of the huge lawsuit that will follow once it backfires.
Which of course is only a valid objection if said backdoors are reliably traceable to the perpetrators. But if one of the *** agencies orders a company X to place such a backdoor in a product, you can bet that every last bit of discussion about this activity is an official secret, removed from public scrutiny for at least several decades. Good luck with "proving" anything in this regard, even in court.
And without any proof, good luck with having this publicly backfire on the *** agencies in any measurable w
Re:Seriously, guys (Score:5, Interesting)
The Stasi is a very interesting example. That deserves a closer look, to dispel any notions that any of the current *** outfits is remotely comparable.
First, the Stasi might not have been all that well paid in monetary terms. But the sum total of what a full Stasi employee in good standing had access to (by local standards very nice holiday opportunities for the family, better housing, sometimes even a car, and whatnot) arguably pretty much made them a separate class within the East German state. Not as well off as the actual party apparatchiks, but far ahead of any normal citizen. In a communist society, money couldn't buy you all that much anyway, so one has to look at the broader picture to assess how "well off" someone was in that sort of society.
Second, the Stasi was never the same thing as the regular police of East Germany. They were always a separate entity that was tasked with things such as (counter-)espionage both at home and abroad (by all means, including dirty ones), and the silencing of political dissenters (again by all means deemed necessary) - but never with regular policing as such. This distinction, and in particular their refreshing openness about "any means necessary for the job" being acceptable, is, at least in my opinion, an important point to note. The Stasi never had any pretensions about being an organisation that deemed itself entirely above the law. They were the "sword and shield of the party" (that was actually their official motto) - and to them, no moral or legal standards applied, except their own.
Which is a *huge* difference from even a very corrupt U.S. police department, or the bad parts of, say, an alphabet soup agency. Nowhere in the U.S. will you find members of the intelligence community who are openly contemptuous of the rule of law. Corrupt and evil things unfortunately do happen in law enforcement circles, but they are never an *accepted part of the organisation's official culture* like they were with the Stasi.
And by extension, there is also a third point that follows from what I just said. The Stasi was an organisation which actively recruited persons who were, well, fairly "special" in that they felt right at home in that sort of environment. The only really valid criticism of the (otherwise fantastic) film "The Lives of Others" that I have head so far is that someone like the protagonist (a Stasi officer who develops second thoughts about his "work") would never have been recruited in the first place, because the Stasi was very good at avoiding anyone who might be liable to start asking questions later. During the entire existence of the DDR, there were practically no defections worth mentioning of anyone within the Stasi. Which is a pretty impressive track record, given the huge size of that organisation.
This has implications for the existing U.S. intelligence services insofar as running an outfit like the Stasi apparently required active psychological monitoring to seed out dissenters, in order to build up the very special cadre of people you need for such a psychopathic organisation. For instance, the Stasi reputedly had an extremely anti-intellectual "work culture", which, amongst many other things, helped to get rid of anyone who was likely to think too much on his own.
The existing U.S. intelligence services are all *not* built on such psychopathic foundations. Recruitment happens pretty much from the general population (pending security clearance, and all that, but still), so the personnel base of the *** agencies is nowhere near the kind of pathological personality mix you would need to run a Stasi. Or, even more importantly, to transform an existing *** agency into a Stasi. Even with the more or less scary developments of the past few years, this should give some consolation to those of you who worry where all this will lead to. Something like the Stasi does not happen easily, and not overnight. And it does *not* grow out of the institutions of a normal society. The *** agencies might not all be very nice and cuddly, but fortunately, there is a world of difference still.
Treason or not? (Score:3, Interesting)
Who'd have thought? (Score:5, Interesting)
The shiny backdoors the US government was so keen on to spy on its own citizens are also used by foreign governments to spy on the US government. Maybe security and privacy is worth something after all.
Not a surprise, but the issue is more complicated (Score:5, Insightful)
And face it, the worst is not the possible surveillance by the ones that originally placed this. These people did invest significantly to place and hide the backdoor. They will use information gained from it only sparingly, to protect the source. After all, if they are caught possessing information that they can only have gotten this way, the backdoor becomes worthless.
IMO the real problem is if the backdoor can be used by others that do not have to protect their investment or respect laws (however flimsy). For an example of surveillance software made by people without much of a clue about security, look to the German "Bundestrojaner", recently analyzed by the CCC. Severe flaws include no authentication or encryption on data transfer, a hard-coded AES key that seems to be the same in all instances used for command transfer (still no authentication), and data-transfer via a foreign server (which is likely illegal). In addition, these cretins are of course not liable if somebody uses their backdoor and likely will not even notice.
Same old story: For a few temporary small benefits, people are willing to accept enormous potential damage. That is my personal definition of evil.
On the protection side: Use reputed open-source. There is at least some chance that somebody will notice a backdoor and that the person will not be easy to silence. And once somebody has found such a problem, anybody can verify it. Not so with closed-source. There it would be a lot more difficult to find anything, and then to get taken seriously as others cannot easily verify a finding. Some postings here already demonstrate that problem. In addition, use restrictive firewall settings and encryption. Difficult to do in a mobile setting, I know, so as a last measure, do not trust any device not under your own system-administration. In particular, do not trust any mobile phone or similar system. You may also want to add markers to any document you do put on potentially backdoored devices, so you can identify the source. This last step also helps against insiders leaking data.
Of course, if your secrets are transient and not worth risking the backdoor for (even fore a 3rd party user of said backdoor), then you are probably reasonably secure. This should apply to most people for private use.
It's all just "Lawful Interception" . . . (Score:5, Informative)
Nothing new here: http://en.wikipedia.org/wiki/Lawful_interception [wikipedia.org]
You may not like that, but that's the way it is. Communications providers can be forced to provide back doors for "legal spying" by governments. All governments know this, and use other methods to protect "sensitive" communications. Any other stuff is, well, who cares?
"Liberated"? (Score:3, Insightful)
an internal memo of India's Military Intelligence that has been liberated by hackers
Let's set the record straight: that memo was stolen.
the taxpayers own memos created by (Score:4, Insightful)
the government. how can it be considered stealing?
Manning v. Apple? (Score:4, Interesting)
Bradley Manning provided access to U.S. government secrets to everyone, because (or ostensibly because) the U.S. government was not duly informing the United States Citizens of the military's actions in their name.
Apple(*) provided access to U.S. government secrets to a foreign national government, because they wanted that foreign national government to give them quid pro quo access to a lucrative market.
Seems pretty clear Apple will be facing more severe charges than Bradley Manning, right? ... Or, at least, it's going to be in the same ballpark, right? ... Well, OK, at least, same kind of national debate, where questions of treason get raised, right? ... No? ... OK, then, well, umm, WTF?!?
* Note: RIM and Nokia are foreign -- an interesting angle to consider, but not as similar to Manning as Apple.
ok. ok. i guess you MIGHT have a Conspiracy case (Score:5, Informative)
the two situations are not exactly the same. Manning is accused of giving information about the national defense to other parties. it would be very hard to argue that apple did that. they just gave instructions to India about how to backdoor their phones.
now the more accurate analogy would not be Bradley Manning, it would be the 'Cambridge Associates' who went under Grand Jury investigation in 2011 regarding their alleged assistance to Wikileaks (and are still under investigation). They are charged with Conspiracy to Commit Espionage. 18 USC 793 g.
now, the other law i think applies here would be the Computer Fraud and Abuse Act. why? the Espionage Act only applies to 'national defense information'. but the Computer Fraud and Abuse Act has its own sort of 'mini-espionage-act' inside of it... that applies to not just national defense information, but also "foreign relations" information. This is the only reason Manning could be sued on so many counts of violating the CFAA, for example the Reyjkavic 13 memo about Icelandic Bank Fraud - thats under the CFAA.
what you have here against Apple, could, theoretically, be Conspiracy to violate the Computer Fraud and Abuse Act, section (1) I believe is the Computer Espionage section.
--
another analogy would be George Hotz + FailOverflow, who published information about how to jailbreak the playstation 3. They were sued by Sony - but that was in civil court, not in criminal court. the DOJ never went after Hotz.
Haven't you guys ever seen a spy show before? (Score:4, Funny)
Why do you think it's so easy for spies to steal your cell phone data? You see it on shows like Chuck and 24 all the time! Spies all have a magical device that plugs into any cell phone and downloads all the data in exactly as long as it takes for the phone's owner to almost get back from the bathroom, giving them just enough time to put it back where it belongs.
How could they do that if Apple (i.e. every evil phone maker) wasn't providing them with a back door?
That's why I always carry a dummy phone with decoy data on it while my bluetooth headset is secretly connected to my real phone, which is hidden in my shoe!
Reality check (Score:4, Insightful)
There was a time when efficient encryption was considered a weapon and could not be exported from the US. This was given up later.
Looking back this was just logical. The point is that controlling what code is being exported is very hard and anyway coming up with good encryption is not that hard anyway. But once you have devices everywhere that can use end-to-end encryption of communications very easily and cheaply, everyone can use that and encrypted communication is basically out of control.
The only halfway practical way to deal with this is: Just allow all of this but make sure that you get access to the devices at a point BEFORE any encryption takes place (and after decryption).
I don't like the very idea, but on the other hand I really can't imagine any state or government to accept safe encryption in communications being the norm with no way to listen in. Democracy or not, but ubiquitous encrypted communication for everyone (including criminals, terrorists, whoever) is something that is impossible to accept for any government that sees controlling and policing as part of the job description.
Re:Manan Kakkar could be less of an idiot (Score:4, Insightful)
"If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?."
Such an uninformed idiot to not have noticed, how serious the issue but rather wants to gain publicity by making this, big against Apple.
Ridiculous
This is not at all unfair to single out apple in this. It has been apparent for some time that M$ would sell their users security to the highest bidder. Nokia and Rim don't make desktop software, so that leaves apple providing a backdoor on one platform as perfectly viable evidence that they would do this on their other major platform, especially since the two share a significant codebase. The revelation here isn't that only apple would do this, its that apple would do this, and risk their brand at all. All the other players had a bad reputation to start. The big question is: What has google done?
-=Geoskd
Re:Manan Kakkar could be less of an idiot (Score:5, Interesting)
And because they're guilty of one type of bad act, they're guilty of all types of bad acts? Like when I shoplifted last week, got caught, and am now on death row for murder, because being guilty of shoplifting makes me guilty of all other crimes.
Let me know when you find the article that says MS sold access to their phones and operating systems to open up a lucrative market. Anti-trust is bad, but it's not remotely related to selling backdoors for market access.
Re:Manan Kakkar could be less of an idiot (Score:5, Insightful)
Re:Manan Kakkar could be less of an idiot (Score:5, Interesting)
I think we can safely assume any closed operating system is backdoored. If I was a foriegn government I'd never use an operating system that I couldn't compile from source myself. I think this is one reason that MS was let off from the Fedreal Lawsuit so easily, so they could aid in surveillance. It makes sense, if I was in their shoes I'd do the same.
Re:Manan Kakkar could be less of an idiot (Score:4, Informative)
"I think we can safely assume any closed operating system is backdoored."
http://opensource.apple.com/ [apple.com]
A.
Re: (Score:3, Informative)