The NSA has asked Linus Torvalds to inject covert backdoors into the free and open operating system GNU/Linux. This was revealed in this week’s hearing on mass surveillance in the European Parliament. Chalk another one up of the United States NSA trying to make information technology less secure for everyone.
The father of Linus Torvalds, Nils Torvalds, is a Member of the European Parliament for Finland. This week, Nils Torvalds took part in the European Parliament’s hearing on the ongoing mass surveillance, and brought a revelation:
The United States security service NSA has contacted Linus Torvalds with a request to add backdoors into the free and open operating system GNU/Linux.
The entire inquiry is available here on YouTube (uploaded by Hax).
Nils Torvalds’ revelation was presented in an episode which started (at 3:06:58) by me pointing out to the Microsoft representative in the panel, that in a system like GNU/Linux, built on open source, you can examine the source code to see that there aren’t any back doors. In Microsoft’s systems, this possibility is absent, since the source code is secret to outsiders.
My question to the Microsoft representative was whether she’d be allowed to disclose if there are deliberate back doors in their systems, in the event that there are. She never responded to that question, but obviously, she didn’t have to. From other sources, we know that the NSA always prohibits the private companies they force into cooperation from disclosing any of it.
Nils Torvalds spoke after me, and starting at 3:09:06, he said,
When my oldest son [Linus Torvalds] was asked the same question: “Has he been approached by the NSA about backdoors?” he said “No”, but at the same time he nodded. Then he was sort of in the legal free. He had given the right answer, [but] everybody understood that the NSA had approached him.
The story does not tell us how Linus Torvalds responded to the NSA, but I’m guessing he told them he wouldn’t be able to inject backdoors even if he wanted to, since the source code is open, and all changes to it are reviewed by many independent people. After all, that’s the whole point of open source code, and the reason that open source is the only kind you can trust when it comes to security.
Still, it’s very interesting to hear confirmation that the NSA has tried to attack Linux at its lead developer, too.
No surprise there. I’m glad that both Torvalds are standing up for privacy.
Good times for cyber crime, human trafficking, drug dealing, child pornography and hit man rentals have come. All thanks to mr Snowden.
Yeah lets ask all the mass shooters, and child pornographers how they started after snowden leaked that shizzle…
Nice isn;t it?
all criminals use Linux!? wtf
nice try NSA
Screw the nsa – you are sooooooooooo transparent.
Good thing snowden battles scare-mongering fascists like emkill.
emkill you are either stupid or in league with the true forces of evil on this planet or both. . . i think both . . .
emkill you are suspect . . . your reaction is wrong. . . and you are not an American. . fucking traitor
emkill you are suspect
You guys do realize emkill was mocking Siedem’s support of the NSA and is actually pro-Snowden, right?
NSA… Please rm -rf youself. K Thanks Bye.
“All the mass shooters”
You mean those pulling all these CABALA rituals as has been proven mathematically on my blog?
ie: 9/11, 7/7, Boston Bombings, Norway MIND CONTROL VICTIM/bomber/Mason, etc. etc.
(BALI and a dozen others in our “Red terror” part deux!
Debunk THAT, if you can, but please not with simple minded ad hominems or other ‘communist’ Joolag Archipelago type attacks.
Regards from N.Cal/USA,
TwA
If you trade liberty for security, you will have or deserve neither.
Yeah, they didn’t exist before he leaked the information, did they?
Let me know how giving the US government every single piece of information about your life works out for humanity in 20-30 years.
We can come back and thank you for your contribution towards the totalitarian state, you sad sack of shit.
exactly he is a sad sack of propagandist shit
You are an idiot.
I got news for ya, “Ace”.
Cybercrime, human trafficing, drug dealing and Child pronagraphy are mostly taking place on Windows computers. Linux or Not Linux has nothing to do with it.
As for Snowden’s revealed info, Sorry – that shits all political, has nothing to do with what your trying to imply here.
Basically all you have revelaed here is that you completely misunderstand how things are done on the internet.
“Cybercrime, human trafficing, drug dealing and Child pronagraphy are mostly taking place on Windows computers. Linux or Not Linux has nothing to do with it.”
you don’t really know how the internet works, do you? yes, the home computers mostly run on windows, but many, if not most, WEB SERVERS run linux. they run linux because it’s very lightweight in terms of resource consumption compared to windows. also consider DNS servers and other pieces of infrastructure
MOST, if not ALL cybercrime, due to the nature of the internet, interacts with Linux at some point or other. just not on their home PCs.
You think adding government-mandated security flaws to the software platforms that run world commerce will somehow make cybercrime less common? Seriously?
Do you actually trust the government and all of its many contractors and subcontractors to do what is best for the people? Do you trust large government bureaucracy to be able to keep these these security flaws hidden forever? Do you trust secret courts to make fair decisions in the best interests of the public? Seriously?
Secret government coercion is never a precursor to good. Snowden is a hero for those who value freedom.
Marvelous response! It’s upsetting that citizens don’t appreciate the implications of the total surveillance mechanism.
Hello there, close minded guy trembling in fear. It’s all good, the good guys will surely surveil the shit out of your life, so you don’t have to worry.
Is it okay for you if the government comes over and installs cameras in everyone bathrooms including yours? Is it okay for you if NSA knows what type of porn you like? Is it okay if the government watches you jacking off without you even knowing? It should be okay, because everything helps against cyber crime and drug dealing. You don’t have anything to hide, do you?
It’s good that the government helps fighting crimes, but when they start invading the private life of other people, that’s too far. Not only that, but the fact that they’re actually doing it is kept secret too. And they’re using “to fight against crime” or “for the safety of our nation” as an excuse for everything.
So you’ve got strange kinks, huh?
You really think the government is interested in what kind of porn you like?
@Ryan:
They just have to claim they’re looking for users of child porn to start surveillance of all people who watch porn.
Ryan:
No I don’t think the government are interested in what porn you like. However some guy who’s into blackmailing may want to know what porn you like. 😉
People with criminal intent probably have managed to get a contact or two who’s a “contractor” of NSA. If you’re a criminal you’ll want better information than the police ( if possible ).
Imagine some crazy religious leader becomes president. Now he knows you like to watch girls in diapers porn. His God cannot accept that, so he just sends someone to kill you at home. It is a ridiculous scenario, but you can think about lighter versions of that, with what’s “wrong” and “right” changing after a couple of years. It may come a time when the government IS interested in minor details of your life.
The more the government knows about every last detail about you, the better they can create psychological profiles about you. They can also use anything other than standard missionary as a means of controlling you if you ever become ” Upity ” and try to become a reformer like martin luther king, they will blast ever detail about you and try to debase every part of you because you become a threat to their opperation. The supporting evidence is in the book from pulitzer-prize winner Tim Weiner on J. Edgar Hoover’s reign. With his information collection from the FBI he BROKE the KKK in the south at a whim. Information is power, and these guys grab as much power as they can.
Nice try ,NSA.
Government Astroturfing probably. The National security agency is responsible for forcing software firms to accommodate the biggest liabilities to security so that they can collect all your personal data.
Yeah, because everyone’s a human trafficker, child pornographer, and hit man, right?
I am not a criminal and I do not want to be treated like one, thank you very much. If you really want to live that way, go move to china, north korea, or venezuela.
Freedom and mass unchecked surveillance are fundamentally incompatible.
dont feed the troll everyone!
So, which one are you? Since I cannot find anything in your post leading to a physical person, that must mean that you have chosen to remain anonymous. Now, why would you want to be anonymous on the web if you are not a cyber criminal, drug dealer, child pornographer, or hit man?
Anyone with intent of creating a business that really matters (can compete with existing businesses) would want to be anonymous and difficult to surveille.
Otherwise the surveillers can just steal their ideas and sell them to the highest bidder – or sell the service to fuck with them – to the more established companies with steady cash flows.
Crimes can be prevented with good old fashioned police work.
Trying to make us feel like criminals for not wanting to be dominating and raped by psychopathic government control freaks? thanks, now go collect your paychack.
These spying programs are all designed so that once we get into a state of war (which is inevitable) the real fucking over begins.
Thank God I’m not the first reply saying this. The tech community still has some sense.
Mass surveillance on the whole planet, saving every SMS ,email or phone call made by any human on hard disk for 100years and building a supercomputer to parse this data into a social graph is NOT necessary if you want to fight against child porn, drug or terrorism.
It only necessary for totalitarian regime or for a new 3rd reich.
US use the excuse of terrorism, chid porn etc… to justify NSA’s action but they use people’s lack of understanding of technology to make them belive the only way to fight against crime is mass surveillance.
There is that…
But there is also that the US NSA using the information to blackmail people.
They use the information to determine who their political enemies are, and to retaliate against them.
The use the back doors to plant incriminating evidence on innocent people’s computers, to both control them and remove them.
The problem is, the US NSA believes, and the US president has stated, that they can murder people anywhere in the world for whatever reason they want; no trial, no public disclousre, nothing. And they do it.
So yes, privacy.
Fear mongering FUD is still FUD.
They did just fine solving and preventing crime prior to the inception of internet surveillance.
Surveillance does nothing other than hurt and endanger law abiding people if there are back doors, don’t you think for a split instant that there are potentially teams of individuals dissecting any compromised OS to.
A: Find said hole.
B: Exploit the living hell out of it to their own ends.
If there is a backdoor I would personally like to thank my government for placing it there so they can be discovered and exploited “and they will” eventually. This is what happens when elections become a popularity contest as opposed to actually choosing the best and brightest to lead.
So only USA is allowed to have their secret and secret of any other country doesn’t matter to you, is that so?
Not everyone in this world live in USA, and we don’t want any other Govt. to interfere in our life at all. Your govt. is not allowed to invade our privacy. What if I invade your privacy and track your information? Would you be happy?
My trust in open source is increased many folds after reading this article.
Snowden is a hero. You are not realizing this now, but you’ll.
PS: Don’t think that Criminals are idiots. They have fully technical people at their disposal.
Criminals use linux. Let’s ban it! Criminals use bit coin BAN IT! Criminals use spoons, ban them. I bet every thief, rapist, or murder has used toilet paper too. Let’s ban that!
The govt is corrupt
You missed the point, open source’s nature made the request pointless. He didn’t “refuse”, he didn’t need to.
Right, because a subtle bug introduced in one of the big pulls could never go unnoticed.
Why do you people feel entitled to spy on the rest of the World? Sovereign nations, mind you.
You are entitled to nothing. You’ve had a glorious era, now see it crumble.
A subtle bug introduced in one of the big pulls … was publicly rejected.
See https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
With many eyes, all bugs are shallow.
Such a stupid comment, oh my.
Get your propagandist shit out of my technology you asswipe.
Way deep down inside we are born with the feeling of right and wrong. Way deep down inside. That small feeling of right and wrong. But yet by some strange sense of family loyalty, loyalty to friends, racial loyalty or loyalty to ones own country we do wrong to protect or standby that friend. That family member or country mate. We think by doing that we are helping them in way. STOP AND REALIZE that if you standby what’s right what’s truth till the end no matter what you’ll find that when the smoke you clears, you will stand with G-D, Hashem, Blessed Be He! And with HIS love you will be with all you love! Its in the story of Abraham and his son Isaac. Do what’s right, Do what’s good and all you love will follow!
ARRRRRGGGG I hate the stupidity of people. He should have said YES. YES. YES. By allowing them to inject back doors into Linux it would have stopped the spying world wide.
Here is how this would have gone.
Steps:
1 – They ask and he says ok
2- NSA injects back door into Linux
3- Linux updated source code (open source) Goes out for everyone to see/use
4 – Spying stops nearly immediately. Now that everyone on the planet with and inet connection has their secret code, it can now be eliminated or modified. The smartest use here would be to modify the code so that it appears to be working correctly and then just have it send a bunch of fake information to the NSA.
PROBLEM SOLVED.
I like your idea. It’s a good idea.
Maybe he could install it just so that the public can view the code?
Yeah and you think these people take No for an answer. Dream on!!!
Precisely! Research Brendon OConnell in Perth to find out what happens to those who go against their M4sonic hegemony!
Hint:Ritual Murders and ‘coincidental’ deaths via health and ‘accidents’.
“Torvalds are standing up for privacy.”
Somewhat of a LEAP considering he avoided answering the question.
Is this not called lying via omission?
Why not just answer and how could avoid their threats and stalking should he have given the wrong answer? (He’s in a MASONIC country like most of us and they have footsoldiers to attack those who refuse, AT FIRST.
Thank you for keeping hackers out of my comp.
Let me point out that the Linux kernel has for some time included blobs of compiled code, which are supposedly propriety firmware for some devices. This is the place where NSA could easily have implanted backdoors. Another reason why we should be rejecting such practices by the Linux team with all the strength we can. The software we use has to be completely free. If it’s only “mostly” free, then it’s as bad as propriety.
While it’s true that firmware can contain backdoors, most of the blobs have tight control of what they can and cannot access in the kernel. So while we do not know what a firmware does, we know what it might do.
However, even if we had a 100% free kernel – There’s still no telling that the actual hardware itself has spyware in either it’s firmware or even deeper than that. Think a keylogger built in to your keyboard, a network card that sends out extra intel to the NSA or similar.
Used to be we could trust these kind of things. No longer. Both Chinese and American equipment is tainted by mistrust already.
There is hope though. In 100 years, I think 3D printing has become sufficiently advanced to enable the print-out of advanced, multi-material objects. At that stage we’ll be able to print our own electronics, without needing soldering or anything, really.
Looking forward to that day. 🙂
There is also no telling that anybody *actually* read all that code *and* understood all its implications, even regarding previous patches that did lay the groundwork.
Except that practically all code gets rigorously examined by peers and is available before being merged into a release branch. Not to mention anyone can download and inspect the code…
Of course not.
But having the source out there means it’s much more likely that someone will review it, understand it well enough to spot a security hole and actually do something about it, than there is with proprietary code. Especially proprietary “write-once-never-touch-again” code…
On the other hand having the source out there makes it easier to find the exploits in the first place. Oh well.
More important fact is that if Linus was asked to add backdors amd hadn’t really commented it in public it means his hands are already tied. It also means that since we don’t have a clear answer we must assume that Linux has been compromised as much as other systems. The open source claim of code being available for inspection is a lame duck since no one in reality is actually doing it. People are downloading pre-compiled code and packages. They may not be compiled from the same source code that is publicly available.
You sir, are an ignorant. Just because you’re not reading the source code doesn’t mean “no one” is doing it. Tell that to the thousands of contributors and developers that look at the Linux source code every single day.
You missed the point I think. He didn’t say no one is checking new code, he’s saying no one is checking the code before they install it, its assumed that what they install it the code which has been checked, compiled with no changes made.
For example whose to say Canonical hasn’t added the requested changes to Ubuntu in the published compiled version which aren’t in the public code?
You’re dumb. The source code for the ubuntu kernel is available in their repositories.
This is why their are checksums a valuable to download.
People who look over the source code use these checksums. If I dl something and it had the same checksum I can be assured that this is exactly the same code the other person was looking at.
I do get the point he incorrectly stated which is the masses aren’t looking at the source code. Generally the open source community has a few people who are hard at work so the masses don’t have to but you people are always looking for the exception to pry on so aby further discussion is almost pointless.
This comment is a legitimate concern. The only way around this problem is deterministic builds, decompilation and looking for backdoors, or building your own kernel. None of which are practical right now.
“This is why their are checksums a valuable to download.”
Yes, but there is a problem, if your checksum is presented over the same channel as the source code, it also might be tampered with in accordance with the tampered source code.
No one knows diff?
There is no need to read entire code, a simple diff between vanilla source and “suspect” source will show what’s changed, added or removed.
You can build the kernel from the source if you chose to. That way you can ensure a free system
You sir pointed something really important!
Although many people collaborate to open source code it is probable that not all code is read.
Moreover, pre-compiled code adds this risk of coming with a virus.
Furthermore, we should remember Thompson’s Backdoor (http://cm.bell-labs.com/who/ken/trust.html).
TL;DR: He wrote a backdoor as part of the compiler, so, to compile your compiler you need a first stage compiler or a well known one. Even though the source code of the compiler was available and free of a backdoor, the available compiler would add it to the compiler being compiled ! 🙂
He didn’t write that compiler. He came with a theory of a compromissed C compiler.
Since the whole compiler thing is a bit of a chicken/egg story it was quite scary at the time.
Nowadays a compromissed compiler would have to cope with many security features SELinux, firewall/iptables, netstat, iostat and all basic OS functions. (Size, Runtime for example)
And a small program would have a considerable bigger file. Using a different compiler would give you very different results, which would be weird as well.
Just Linux, not GNU/Linux (which is the Linux kernel with GNU tools, libc, etc). This is important because this would also apply to the kernel in Android phones.
Android’s got Google behind them though, and they have links to the NSA, so to dismiss it as a safe haven seems quite ignorant to me.
Perhaps Nvidia and AMD allowed them to put backdoors into their graphics card drivers.
*THIS*.
The certainty of this happening is 100% +- epsilon.
You sir are a genious!!!!!!!
I’ve never thought this way. We are fucking screwed in any way.
Not for so long. ‘Till the day reptilians will be forced to go away………
Yeah, if you don’t think SELinux is a backdoor, you’re a moron.
And if you think somebody you can personally trust actually 1. read the *whole* source (including the compiler that compiled the compiler that …), and 2. looked through all the obfuscations, you’re an even bigger moron.
Luckily, barely anybody is *that* stupid. (Except Ubuntutards of course. But they don’t count as Linux anyway.)
“Ubuntutards”
The thorough work you and your likes do to make sure Linux stays a minor nerds-only fringe OS never seizes to amaze me.
Ubuntu is Linux for the stupid. It’s adware, spyware, DRMware, etc.
Linux a minority? Hah!
Linux is dominating the Microsoft and the Apple. It has over twice the share what Microsoft own NT operating system has.
There is only one Operating System what is more widely used and it is ITRON from Japan.
Microsoft and Apple own operating systems are in minority positions when it comes to operating systems.
You are a socially awkward bully who actually brings the silly platform war down to the distribution level. Amazing. Dude, get some perspective in life. Go out and meet someone, read a book (the paper kind), go on a hike, something, instead of this bitter cynicism taken to its most ludicrous conclusion.
But then again, you could be just 14 years old.
I read every contribution to SEAndroid. Takes a few moments of my morning.
Most linux distributions are distributed in binary. So it will not be impossible to hide backdoors in a binary linux kernel. So what are this distris doing ? whats cononical, Oracle and so on doing ?
nobody knows, cause their CD images are binary, so they could contain backdoors and nobody could know.
So saying that linux, that OpenSource is more secure is just a Myth, at least as long as you dont compile your very own linux distribution out of the sourcecode and i think nobody is doing that. To make linux secure we need a source distribution such as Gentoo wich is compiled out of the sources on the users computer and not using binaries.
Seen it that way, 99% of all linux PCs have no quarantee that they do not contain an NSA backdoor.
Excellent point, for some reason everyone ignore the fact 95% of Linux installations are using Binary ISO and it would be better to have some kind of independent SHA1 verification of binary using the same sources.
Also people tend to forget the fact Intel WifI are supported using Windows drivers in the binary form.
It would be interesting to see what Redhat, CentOS, Ubuntu say on the integrity of their distributions.
Builds are reproducible. That means you download the code, hit make, and compare the iso you downloaded with the one you just build. So if you trust the code, the binaries are OK.
You are wrong. The current Linux distributions are aiming for deterministic builds, but none of them have completed the work.
It’s true, many people are lazy and don’t download and compile their own source code, but that’s why I run Debian – 100% free software, 100% open source.
On the other hand, do you honestly think no one in anonymous or any of the other hacking gangs has decompiled Ubuntu or any of the firmware blobs mentioned elsewhere on this page? What the hell do you think nerds do for fun, watch TV?
Decompiling single applications is very difficult if obfs’d. Decompiling entire OSes, even if not obfs’d, is time-consuming.
sorry about my words because this is too much soo i will try to be very very gentle in my words .
and this is what i want to say to NSA (the same word that linus said to NVIDIA) and thats FY NSA AND GO TO HELL.
Think quick….flash, and it’s gone…………….
Well, I don’t think their goal was to ask Torwalds add a backdoor. You really think that they didn’t know that Open Source code can be read? That it can be looked-through and searched for the backdoors?
Think that they already have unimpeded access to the linux systems, they just want to cover it up.
Thank you, have a very safe and productive day 🙂
Spool, in all honesty, yes I believe they didn’t know that. Don’t forget, in the early 2k’s, our government’s security people spent several tens of millions of dollars developing software package called carnivore, claiming it was going to bring hackers to their knees. No one said a word to them while they were spending gazillions on it’s development. Once it shipped, and the NSA and FBI started bragging about how it could capture all the data on a network, everyone I know started laughing their heads off, because the govt. had just squandered megabucks writing their own, buggy, over-priced, underpowered version of tcpdump.
This is what a lot of people just don’t get – they really ARE that dumb.
Maybe that is what they want us to believe. Reverse psychology. “Lets spend a few % of our budget to make a crappy surveillance program, brag about it, and then let everyone see that it is crappy, so they think we are incompetent and can’t monitor the internet, then they are off garde and we catch ’em”
what is there is Reverse REVERSE psychology
All you have to look at to know how dump they are is to look at Obama origin document that they put up on whitehouse.gov.
It has dozens of problems including layers of pixels where the pixels in the back are lighter than the pixels in the front, a miss-spelling, binary signature letters mixed with grey scale letters, characters not on typewriter grid, overlaid “safety” paper, and on and on. They really are dump, but they love power.
“Thank you, have a very safe and productive day :)”
Hehe, yeah. The only safe way to not be fucked over once you’ve voiced your opinion against NSA is to keep machines offline. At least the ones you want to get any serious work done on…
Just wonder why Mr. Torvalds did not speak things out aloud.
Thought he is a Finnish citizen and thus not bound by US laws.
He is working in silicon valley IIRC, and as long as he’s in states he’s bound by US law.
Depends if he ever visits the US he can be arrested there for a start.
Linus is living in the US, has been for a long time now. So yeah, he’s subject to US law.
because he is an american citizen as of 2010.
What about distributions like Ubuntu?? Linux could be safe, but who knows what Canonical is up to…
Actually, there is a theoretical attack by which one can insert a backdoor into the C compiler. In this situation, no matter what is in the Linux source code, and even assuming that the binary blobs don’t have malicious code, anyone who compiles source code without the backdoor would have the backdoor inserted in the compilation process. Similarly, in this attack, the backdoor wouldn’t even be in the source code of the C compiler, because even though it would have had to be inserted at some point, it could later be easily removed.
http://scienceblogs.com/goodmath/2007/04/15/strange-loops-dennis-ritchie-a/
This kind of trojan is easily defeated by recompiling the compiler with a *different* compiler. Unless they’re both compromised with the same trojan, in which case you can add a *third* compiler to the mix. It’s not feasible to bug ALL binaries of ALL compilers with a matching trojan code.
And yes, there are security researchers out there who do exactly that, and compare outputs of multiple builds of the same compiler compiled with different compilers to detect exactly this kind of trojan code. There’s lots of scientific literature on this subject, too.
Mashable says Torvalds told them it was a joke and that NSA has never asked him.
http://mashable.com/2013/09/19/linus-torvalds-backdoor-linux/
In a repressive regime such as the United States, unfortunately, that’s the only thing you can legally answer to such a question.
His father – wearing a Member of Parliament hat, in a formal hearing in the European Parliament – appears to be of a different opinion.
“He had given the right answer, [but] everybody understood that the NSA had approached him.” — Wow. Did we all watch the same video [rhetorical question]? The moment in question: https://www.youtube.com/watch?v=84Sx0E13gAo&t=1455
Linus is smiling and laughing as he’s nodding, and immediately afterwards shakes his head and says no. And later on explains after one too many of these stories:
“Oh, Christ. It was obviously a joke, no government agency has ever asked me for a backdoor in Linux. Really. Cross my heart and hope to die, really.” (http://mashable.com/2013/09/19/linus-torvalds-backdoor-linux/)
I’d guess that Nils Torvalds either hasn’t spoken to Linus in a while, or he’s simply rehashing the story for his own political purposes.
Establishing firm privacy rights and protecting users becomes more difficult when people are making up stories to suit their political aspirations.
Rick Falkvinge calling the United States a repressive regime is either ignorant or trolling — in either event it’s all tinfoil hat speculation in absence of any evidence that such an event occurred since the word of the person it allegedly happened to isn’t sufficient reason to doubt hearsay from a person who apparently wasn’t party to any conversations.
It is impossible for the public to take you seriously with smug pithy commentary that isn’t based on evidence or facts, and it hurts the cause of privacy advocates to not hold ourselves to the highest standards.
In 2003, someone broke into the Linux CVS and installed a backdoor in linux. It was quickly discovered. I’m willing to bet Linus had access to that server, it would make sense.
https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/
I think he told them, “If I do it, it will be noticed” and they said “Do it or you get the thumb screws”
About the addition of code… To me it seems pretty obvious.
I don’t want to seem like “the paranoid one”, but it looks like a classical diversion to obtain some kind of consequence. For a kernel programmer to write “x=0” instead of “0=x” is like writing with a red, bold, caps, 72 size font, screaming, look at me, there might be a missing “=” here!
This is just a supposition, but perhaps the timing of this was chosen deliberately close to a certain event (like the answer of Mr. Torvalds to a backdor installation request, that left a certain agency with a reason to try to install it fraudulently).
The review of the code might have been dictated by common sense after such an event. And the “classical backdoor” was found a little to easy, to lift the concern.
There might have been (or still might be) another backdoor much more covert, or as a consequence of finding this one someone was promoted, or new “better” servers started to be used, or some newer “better” firewalls, or even the appearence of a new linux distribution.
This are just suppositions and I’m shooting in the dark… but someone with better knowledge of the moment and mechanisms in question should review the events of the time.
Am I the only that thinks like this?
That’s a very good point. Kernel programmers tend to follow safe coding habits religiously, for obvious reasons. Having the variable on the LHS and the constant on the RHS when you don’t need to is an amateur’s (and rookie’s) mistake you might see in some production code, but definitely not in critical parts where such bugs could break the whole system.
I’d also bet this bug wanted to be found. I’m not so sure about the reasons, though. It might also be a “Kansas City Shuffle”.
What if Linus Torvalds was threatened to include it in a binary but not in the source code. How far could it spread? I suppose there is always some programmer tinkering with every piece of the source code at some time, so it would be unfeasible to include it there – someone would sound the alarm sooner or later?
This thing with the compiler compiling backdoored login programs and backdoored compilers sounds like a dream for the NSA. Is someone or some organization or company capable of making a compiler in machine code to compare results, or analyzing the machine code of a compiler? If there is, has it been done and what were the results?
The Linux team does not provide any binaries. Only source code.
If the evil guys wanted to plant a binary-only backdoor, they’d need to attack the distros – not the upstream kernel.
the best thing to do is to make it an offense to do any of this shit in the first place! now everyone knows what the USA has been up to, not just via the NSA but by the other two dozen or more security agencies (does a country really need so many agencies? no wonder they are in financial shit street! it must cost a fortune to run this lot!!) and with the UK being willing collaborators in the scheme, crapping all over it’s people just to keep ‘the special relationship’ with the USA going, there will hopefully be greater caution exercised. if anyone discovers anything that looks suspicious, let it be reported, not to the next in line of command, but to an independent research lab and to the press. once the person behind it is known, take severe action against them and the organisation represented and, ultimately, the government and nation concerned!
Linus can tell the NSA to pound sand… he is not an American. Fuck the NSA… here’s to hoping an asteroid takes out Langley.
Um… his current residence is in Portland, Oregon, USA.
So… yeah.
Oregon, silicon valley, which is it..?
Since he was naturalized a few years ago… Yes he is.
Readable code isn’t a guarantee: http://cm.bell-labs.com/who/ken/trust.html
Somehow you are all missing the point.
Backdoors are not only found by examining source code. It is also seen by security and virus experts. They monitor network traffic, etc. Linux runs mainly on servers and they have high security supervision.
BTW for any, and I mean ANY Linux distribution, to build in a backdoor, risks that the backdoor will be found and there is a good chance that it will happen. Once that happens their reputation is gone and the end of their distribution. We all accept Windows to have security flaws but Linux …. not really except the normal problems.
Also, it is not only the distro that will lose fame; any modern version control system (The Linux community used Git, which is also Linus-driven open source tool) tracks individual commits by developers, and anybody can trace any change anybody has made at any time in the history of the code. Any suspicion of code with malicious intent inside the developer community can be traced down to the individual user who has made a change at a particular time, and the earlier version of code can be compiled and tested against the changed code. Every change is completely transparent, visible and searchable in the development history, and cannot be hidden in a way not leaving at least clear traces of manipulation. And it is a standard practice to include the commit with an written explanation of changes made, a commit log message, to communicate the intent of the change or other related thoughts.
Here is the video of the talk that this blog references:
https://www.youtube.com/watch?v=84Sx0E13gAo&feature=player_detailpage#t=1455
the USA has this opinion that only it and it’s businesses matter, everyone else are ‘also rans’. i sincerely hope that the EU doesn’t go down the same road in an effort to keep up with what the USA is demanding. this goes for TPP as well as all other treaties and backdoor entrances for their corporations, because this is all it’s ever about! trying to con every other country, in one way or another, by building in back doors into systems and software so their security forces get advantages by having the ability to spy on everyone or by instigating what are supposed to be negotiations, which actually turn out to be secret meetings that only involve USA corporations and industries, so as to benefit them and only them. the public, the biggest section involved in anything, is never allowed to have representation, let alone input and as soon as one of the other countries tryo to do the same as the USA by implementing conditions that would benefit them and their people, the USA has another hizzy fit and threatens the representatives. that leads to caving in by those representatives and the USA then gets everything it wants, benefitting all it’s businesses and build in conditions which forbid ant changes in the future. the idiots are all the other countries for starting the discussions in the first place, thinking there will be some good come out of it for them. in actual fact, they end up being totally screwed along with everyone else. and the UK are starting down the same path! the EU needs to start watching it’s back because it is going to get caught in a pincer movement if it isn’t careful, and it will be the people, as usual who get shafted while the politicians carry on doing whatever the fuck they like, with the blessing of every US industry and politician concerned, with, of course, the usual ‘Thank you guys’!
Why is everyone’s panties in a bunch?!?! Nobody is secure, not while the NSA exists.
Take that to heart and quit acting all butthurt about the subject!
Crying like a little girl with a skinned knee is not going to fix anything.
As Admiral Akbar would say it’s a trap, Facebook is a trap, most emails are traps
but the first thing in avoiding a trap is knowing of it’s existence. – Dune
Nobody is safe unless they take proactive action and install programs
that do not leave your a@@ hanging in the breeze. If you’re not smart enough to
understand this way of thinking just go to Facebook and publish all of your information because if you’re on Facebook that is exactly what you are doing!
The reaction from Mr Allen of Facebook to that grilling was classic. “Oh my god, I’m in the same room as Linus Torvalds’ dad” He had his smartphone out and had obviously texted something while testifying.
U.S.A is “satan country” with pro-satanic involve the gov. Satan always lies, pretend like an angel but always actually satan. I do never trust to U.S.A.
Please read Ken Thompson, Reflections on Trusting Trust. An ACM Classic (September 1995). If you trojaned the compiler, even if the source code is clean, you can always trojan the compiled code. 🙂
Linux kernel already has a backdoor. but you have to add CONFIG_BACKDOOR=y to your config file before you compile your kernel 😛
For all those distrusting binary distribution of Linux. That doesn’t make sense. Even if you’d download the source code, the host of that source code needs to be trusted, the kernel team for not switching stuff around and so on. Trust is a hierarchy, it’s about being able to verify things if so desired but in the end you have to delegate trust and all authentication somewhere. There is no distribution possible without ending up with the same dilemma. Unless you code your own OS , install it on your own designed and produced hardware in a house you build yourself on another planet you own.
And if you use your own compiler….
@percane: So? They are what is called “mere conduit” unless the country in question has gone completely upside-down. Even if the bad stuff interacts with it, the guilty parties almost always run Windows. So if there are backdoors in Windows that are in use frequently or constantly by the NSA, you should blame the NSA for letting it happen. If we necessarily need to live under constant surveillance (which we of course shouldn’t), at least they could use it against bad crime. But they don’t. They tell us “fuck you” twice.
I’d like to see more evidence than just an ambiguous nod that someone else interpreted as a “yes”.
They used to need warrants or at least probable cause for this.
Now they’re just doing it because they can.
The USA is a country that claims to represent freedom, but sadly, behind the smoke and mirrors they’re just going for world domination.
Plausible scenario, with no guarantees of not getting caught:
NSA creates a persona that starts to land patches to the kernel, several programmers can work on making good, legit patches. At some point down the line Linus is made to merge a patch with some very subtle bug. Having a good rep user and being merged by Linus would make the patch seem legit. Of course, people *will* examine the code and they may find the bug. But well crafted enough and with no previous suspicion, it could well have a good chance of passing the reviews. We’re after all talking about some very smart people with very good understanding of code, attacks and exploits, that may well have knowledge of techniques others haven’t thought of – it’s their job, after all.
Now I personally believe that Linus would never go along with something like that, as it would go totally against everything we know of the man. But it’s still a workable scenario that does not demand binary blobs and could work in an open source system – at least have good enough odds that the NSA would chance it and the maintainer would still have plausible deniability provided the attack was really well crafted.
They might even try something like this anyway, without Linus helping… we can but hope that the many eyes are good enough.
Linus has said on more than one occasion he wasn’t serious, and that he was just kidding around like he often does. It really pisses me off when people need to invent scary stories considering the truth should be sufficiently upsetting.
“Torvalds was asked if he had ever been approached by the U.S. government for a backdoor at the Linuxcon conference in New Orleans on Thursday. (A backdoor is term used to describe a hidden vulnerability in a program that could conceivably allow an entity to access information on Linux computers without users’ knowledge.) Torvalds, in his usual tongue-in-cheek style, answered “no” while nodding yes.
His response drew loud laughter from the crowd, but the joke didn’t land with some, and “news” of his admission circulated on Twitter.
But, as it turns out, he was just kidding.
“Oh, Christ. It was obviously a joke, no government agency has ever asked me for a backdoor in Linux,” Torvalds told Mashable via email. “Really. Cross my heart and hope to die, really.”
http://mashable.com/2013/09/19/linus-torvalds-backdoor-linux/
“While it’s a relief that Torvalds has flatly denied receiving any such government pressure (“Oh, Christ. It was obviously a joke, no government agency has ever asked me for a backdoor in Linux,” Torvalds told Mashable . “Really. Cross my heart and hope to die, really”), such government intrusion into the very structure of the Internet is all too real.”
http://www.salon.com/2013/09/20/linus_was_joking_about_nsa_backdoor/
The gub’mint can surveil my bowel movements
I’m sorry, but i saw the interview with Linus and he was clearly making joke. I’m quite disturbed by all the spying around, but in this case the father clearly wanted to have his “5 minutes on the sun.”
You know that Ubuntu explicitly avoids SELinux, instead opting for the alternative AppArmor, right?
One thing which I think is missing is a technical risk analysis of HOW you’d go about trojanizing/red threading Linux, or any other large piece of open source software.
From my PoV, the NSA (or the other 5EYES agencies) would be looking for:
1. Covert and obscure (ie. well hidden, both to see, and to trigger)
2. Resilient (eg. in relatively static code)
3. Deniable (ie. credibly accidental if discovered)
4. Widely applicable (not tied to a specific ISA implementation, so it will work across environments)
5. Low risk (ie. not relying on anything they wouldn’t want known, eg. deep CPU exploits)
6. Identifiable if other services started to use it (eg. Snort detectable)
7. Fixable (if (6) happens)
8. Redundant (they will have multiple backdoors)
From my PoV, and I have been discussing this with a notable academic (I won’t name him here), that we need to stop thinking like victims and start thinking like attackers. Any modern OS has a HUGE attack surface: let’s start thinking like attackers and wonder how we’d do it, then look THERE. Let’s also think like attackers when architecting new parts of the kernel.
It will be interesting to see what we find. I am fairly sure the NSA has gotten multiple individual “enablement” vectors in there, many of which are probably not being exploited right now. They wouldn’t have needed Linus’s involvement: Linux development is a collaborative process. You just need a small number of plants, and a clever enough backdoor to slip past review. If they’re deniable, the plant developer goes “oops, thanks for catching that”.
And if anyone thinks this means closed source is better, you’re very much mistaken. Getting backdoors into most closed source is a trivial exercise.
I tried to actually do the above in a previous (very closely tied to the US government) employer. The interest was zero: absolutely nothing. Oh well….
There is absolutely no guarantee that there is no such backdoor in Linux. One just can’t examine huge amount of code of Linux kernel (its thousands of strings now). And of course, no government-introduced backdoor is visible “at a glance”. It’s always hidden between the lines and triggered by at least 3 different factors. For example, at first we need to send, say, a special IP packet to machine – this packet would not look like any threat, but checksum or its length or some pattern in payoad would be recieved by backdoor. Then it would be waiting for something else (data string, passphrase, process ID and so on). When this condition is met, backdoor is on “yellow alert” but still inactive. And only when it recieve some other data (keyboard mapping, system call and so on) it would be activated and ready for use (and still hiding). Even at this point there may be no trace of backdoor until it is used for it’s purpose – but it would be too late.
For this reason some countries use customised Linux distributions – and this distributions are very old (10 years as an example of russian military distro) – just because at the time of this distros Linux was really secure – it was only for enthusiasts and no one considered it seriously. Modern Linux is too complex and source code is too huge to be sure there is no backdoors in it.
¿Podría haber un backdoor en un sistema operativo de código abierto?…
Que la NSA propuso a Linus Torvalds introducir una puerta trasera en Linux era un rumor que el propio creador del kernel ya reconoció en septiembre durante la conferencia LinuxCon. Ahora sin embargo ya es un hecho confirmado porque así se reveló durant…
Intressting stuff!
It is somewhat disconcerting that the NSA would even think this was feasible on an open source platform. And how long will it be before someone exploits the backdoor for Microsoft Windows.
What jurisdiction does the NSA have to tell Linus he has to keep silent anyway?
Here i read some instance of backdoors. The linux kernel one and the d-link one is interesting http://arjunsreedharan.org/post/67970413047/of-backdoors-and-bad-codes
This was originally a joke by Linus Torvalds:
No, the Government Never Asked Linus Torvalds for a Backdoor in Linux
http://mashable.com/2013/09/19/linus-torvalds-backdoor-linux/
I understand the point about open source, however, if Linus was asked to do it, he wouldn’t have been able to say no. That guy is a naturalized US citizen (and a traitor to holy mother Europa) which means he is obligated to serve to the interests of the United States and must protect the country from all enemies inside and outside. Remember, because of the fascistic citizenship oath of the United States, any American is a potential spy!
For example, in Twilight Meyer stated that Edward was handsome.
Our server gave us a presentation, possibly about
the day’s specials, entirely in Japanese. The nice thing about a game with such strict, reliable rules is the
reassurance that the designers had to work very hard to make sure everything works and has a purpose.
Still, compared to Toy Story 3 and How To Train Your Dragon, the scores look low by the year’s high bar for animation.
Be warned, however, that your character will lose their spells and start
back as level one with the new class. Hidden Mickey, blended historical fiction title with action, adventure and mystery is a
novel about Walt Disney and Disneyland released last
September. Some of the rolls had hearts that had been created with
the help of poppy seeds. It is evident that the creators had their tongues
buried deep within their cheeks. Your little American girl can pose
for a picture at the Photo Studio and take home a souvenir issue of
American Girl. Zodiac, Super Normal, Phone Braver, Mister Maker, Crayon Shin Chan Movie, Nobita
& The Tin Labrynth, Happily Ever After, Space Chimps, The King and I.
Who needs a backdoor to Linux? Not the NSA, when the front door is wide open! Think about it, all those giant server farms out there, with all that juicy data, all running “secure”, “open source” Linux… The NSA knocks on the front door, asks the giant server farm owner to give them your data when they hand them the gag order that prevents the gatekeeper to your data disclosing that they”gave it all away” when asked! You have all been lured into looking at the red herring (not a new Linux distro), instead of the root of the problem. State sanctioned lying, not spying! When you look someone in the face and they can lie to you without breaking a sweat because it’s their job! That’s truly scary… What’s worse is that a democratic system with freely elected officials built the entire thing. What hope does the rest of the non-free world have?
[…] NSA Asked Linus Torvalds To Install Backdoors Into GNU/Linux […]
[…] se non confermato, sembra che Linus Torvalds non abbia accettato la richiesta della NSA, secondo Rick Falkvinge del Partito Pirata Svedese, è quasi impossibile introdurre backdoor in Linux dato che il progetto è open source e quindi gli […]
“you can examine the source code to see that there aren’t any back doors. In Microsoft’s systems, this possibility is absent, since the source code is secret to outsiders.” What about disassemblers?
[…] es mucho menos propenso a la censura y espionaje de las autoridades o la propia empresa. Ahí está Linus Torvalds reconociendo que la NSA le “sugirió” colocar en Linux (y por tanto Andro…: una contraseña maestra para permitir que hagan con los aparatos de todo el mundo lo que les […]
Didn’t the NSA add this to Linux 2.6?
http://www.nsa.gov/research/selinux/
http://en.wikipedia.org/wiki/Security-Enhanced_Linux
The NSA added their “security enhancement” already. Besides, they’ve got an entry via the Intel Microprocessor – as I understand it, the random number generator has been compromised so it only provides 32 bits of “randomness” – which the NSA can crack.
[…] about Linux. Some advocate it’s use, if you’re careful. It’s well known that The NSA asked Linux Torvalds to install a back door into Linux to allow them access to any system running it. Linux also used a random number generator […]
[…] China cannot create a complete OS from the scratch then there will always be high security risk. Remember that last year, NSA did ask Torvalds to install backdoor on Linux. Reply With […]
China cannot create a complete OS from the scratch then there will always be high security risk. Remember that last year, NSA did ask Torvalds to install backdoor on Linux
LINUX IS N O T O P E N S O U R C E !!!!!!!!
Linux is P A R T L Y open source, since Linus Torvalds had decided to accept to inject closed-source binary elements into the rest of the source, so-called binary blobs (http://en.wikipedia.org/wiki/Binary_blob).
No one of us knows what those binary blobs contain and what they do! So if the NSA has approached him to insert a backdoor they could very well have inserted a backdoor in form of a binary blob and no one would be able to know it.
The only solution is to stay strictly open source and to stay strictly Free Software according to the Free Software Foundation’s definition. Linus Torvalds never was interested in their ethics, but he only saw the GPL as a means for making his Linux popular.
There is a solution: Linux-libre (http://en.wikipedia.org/wiki/Linux_libre). This is a project of the South American Free Software Foundation which takes the Linux kernel and removes all binary blobs. There are many GNU/Linux distributions that use Linux-libre as a kernel, e.g. Trisquel, GNewSense, etc.
Spread the word!
And every distribution that uses it is thoroughly useless for anything beyond morons shouting “look at me, I kiss Richard Stallman’s ass.”
Last I checked, the binary blobs aren’t in the tree, it just ACCEPTS binary blobs. Huge difference.
[…] NSA pediu para que Linus instalasse backdoor no Linux […]
Most of you are wrong ! Knowledge is power and information what so ever is weapon for those who know and posses it ! That’s why NSA and others are so eager to record anything and everything, one may newer know what information my come handy beside mass surveillance of criminals and terrorists that are direct threats for west way of living but NSA is gone far over the end line ! Absolute no one is to be trusted and for playing games NSA can record until record servers are dead and gone, email is to used just for social fun ! Anything sensitive is not to be put into computer and serious work should be done on cut of internet/network computers within encrypted boot and data should be also encrypted ! That’s why German Authorities go back to mechanical typing machines – prehistoric IT tech ! HaHA ! And others should to ! Not only NSA is threat to us normal people Google is also mass data collector and that could in near future for people like newcomer in politics and other fields be very problematic !
[…] NSA Asked Linus Torvalds To Install Backdoors Into GNU/Linux – Falkvinge on Infopolicy The NSA has asked Linus Torvalds to inject covert backdoors into the free and open operating system GNU/Linux. This was revealed in this week’s hearing on mass surveillance in the European Parliament. Chalk another one up of the United States NSA trying to make information technology less secure for everyone. The father of Linus Torvalds, [&] […]
He probably did cave in and put in a backdoor. Linus insisted on using the direct output from the Intel hardware random number generator, now known to be compromised. Others wanted to just feed it into the scrambler that Linux uses to generate crypto-grade random numbers. There were arguments about this on the Linux kernel mailing list. Linus forced his way through.
That’s when he sold out.
Pfft, coudlnt care less, these guys and they’re cyber-hard-on are not hackers, you know when you get a load of seniour developers all sitting around looking stern faced all shaking there head, maybe it’s a sign to quit whilst your ahead. GNU has been shakey at best for years, in 1983 they promised the world a better Kernel, they did it by handing it to those guys at Berkley who then added crappola to the distribution some of us remember as Unix. Suddenly POSIX with dynamic linked libraries and all that shizzle where all the rage, when if you face facts, any library that dynamicly links all it’s libraries to other libraries means when one thing breaks, then all the other stuff that was compiled against it and is dependant on it for smooth operation also breaks. Unix wars.. and people really thought all that was old news… It’s never been old news, there still having there WAR.
Nobody is secure, not while the NSA exists. Take that to heart and quit acting all butthurt about the subject!
The USA should just change their motto to “Truth and Privacy will not be tolerated”. Actually that goes for all those 5 spying freedom hating countries.
It’s remarkable to pay a quick visit this web site
and reading the views of all mates about this
paragraph, while I am also keen of getting familiarity.
I loved as much as you’ll receive carried outt righht here.
The sketch iss tasteful, youjr authored
material stylish. nonetheless, you command
get got an nervousness over that yoou wish be delivering the following.
unwell unquestionably come further formerly again since exactly
the same nearly a lot often inside case you shield this
hike.
From what I understand now, Linux is becoming more and more closed source today than it was several years ago. It’s picking up the cathedral mindset where only core developers have direct access to Linux innards. Open source has become a loose leaf term, it now applies to the idea that the source code is open to anyone who wants to take it upon themselves to make their own modifications/additions but unless their on the list of core developers. Their changes are their own and not part of mainstream Linux, this is actually getting worse because the core developers want to cut out the middle man or unless you prove significant changes. You will never have direct access to source in those terms. Which makes you rethink the whole stance on open and closed source models.
Someone really needs to make several forks of Linux so it isn’t lost to time, Linux-Libre is a start.
From what I understand now, Linux is becoming more and more closed source today than it was several years ago. It’s picking up the cathedral mindset where only core developers have direct access to Linux innards. Open source has become a loose leaf term, it now applies to the idea that the source code is open to anyone who wants to take it upon themselves to make their own modifications/additions but unless their on the list of core developers. Their changes are their own and not part of mainstream Linux, this is actually getting worse because the core developers want to cut out the middle man or unless you prove significant changes. You will never have direct access to source in those terms. Which makes you rethink the whole stance on open and closed source models.
Someone really needs to make several forks of Linux so it isn’t lost to time, Linux-Libre is a start.