2006-05-16 13:24:40

by Marc Perkel

[permalink] [raw]
Subject: Wiretapping Linux?

As most of you know the United States is tapping your telephone calls and
tracking every call you make. The next logical step is to start tapping
your computer by implanting spyware into operating systems. Since Windows
and OS-X are proprietary this can be done more easily with the
cooperation of Microsoft and Apple.

So what about Linux? With thousands of people working on the Kernel, if
someone from the NSA wanted to slip a back door into the Kernel, could
they do that? I know it's open source and it could be found if anyone
looks, but is anyone looking? Is this something that would get noticed if
someone tried to do it? I'd like to think it would, but I'm going to ask
anyway just to make sure.

Conversely, if Microsoft or Apple cooperated with the US government
could they implant spyware without packets or hidden files being noticed?

I'm in the process of writing some articles about it and want to raise
the issue of US government implanted spyware everywhere. I know some
people might think this a little off topic but I'd rather be safe than
sorry. Who better to ask this question of than those who develop the kernel?

Thanks in advance.


2006-05-16 13:48:40

by Steven Rostedt

[permalink] [raw]
Subject: Re: Wiretapping Linux?

On Tue, 16 May 2006, Marc Perkel wrote:

> As most of you know the United States is tapping your telephone calls and
> tracking every call you make. The next logical step is to start tapping
> your computer by implanting spyware into operating systems. Since Windows
> and OS-X are proprietary this can be done more easily with the
> cooperation of Microsoft and Apple.
>
> So what about Linux? With thousands of people working on the Kernel, if
> someone from the NSA wanted to slip a back door into the Kernel, could
> they do that?

Well, yes and no.

It's highly unlikely that it would get into the kernel. Definitely not
kernel.org, since all patches are public.

But it's not always the kernel that you have to worry about; it's
what you install. Especially as root.

There's so much free stuff out there, that people download and install
blindly, that I'm sure if someone wanted to really badly, they could get
it on some boxes. If they were slime and added something to a binary,
and supplied the source without the backdoor, that might last a while.
Unless you compile everything yourself, it's not easy to make sure that
all binaries came from the source you have.

But there are a lot of hackers out there (the good kind, not the crackers
that the press call "hackers"). And they are always looking at things
and breaking them to see how they work.

So, really, I doubt anyone could really get a lot on lots of people's
Linux boxes. But, if we ever had an evil Debian maintainer, that allowed
it, then it might happen. But that would usually be discovered rather
quickly.

-- Steve

> I know it's open source and it could be found if anyone
> looks but is anyone looking? Is this something that would get noticed if
> someone tried to do it? I'd like to think it would, but I'm going to ask
> anyway just to make sure.
>
> Conversely, if Microsoft or Apple cooperated with the US government
> could they implant spyware without packets or hidden files being noticed?
>
> I'm in the process of writing some articles about it and want to raise
> the issue of US government implanted spyware everywhere. I know some
> people might think this a little off topic but I'd rather be safe than
> sorry. Who better to ask this question of than those who develop the kernel?
>
> Thanks in advance.
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>

2006-05-16 13:56:07

by Marc Perkel

[permalink] [raw]
Subject: Re: Wiretapping Linux?



Steven Rostedt wrote:
> On Tue, 16 May 2006, Marc Perkel wrote:
>
>
>> As most of you know the United States is tapping your telephone calls and
>> tracking every call you make. The next logical step is to start tapping
>> your computer by implanting spyware into operating systems. Since Windows
>> and OS-X are proprietary this can be done more easily with the
>> cooperation of Microsoft and Apple.
>>
>> So what about Linux? With thousands of people working on the Kernel, if
>> someone from the NSA wanted to slip a back door into the Kernel, could
>> they do that?
>>
>
> Well, yes and no.
>
> It's highly unlikely that it would get into the kernel. Definitely not
> kernel.org, since all patches are public.
>
> But it's not always the kernel that you have to worry about; it's
> what you install. Especially as root.
>
> There's so much free stuff out there, that people download and install
> blindly, that I'm sure if someone wanted to really badly, they could get
> it on some boxes. If they were slime and added something to a binary,
> and supplied the source without the backdoor, that might last a while.
> Unless you compile everything yourself, it's not easy to make sure that
> all binaries came from the source you have.
>
> But there are a lot of hackers out there (the good kind, not the crackers
> that the press call "hackers"). And they are always looking at things
> and breaking them to see how they work.
>
> So, really, I doubt anyone could really get a lot on lots of people's
> Linux boxes. But, if we ever had an evil Debian maintainer, that allowed
> it, then it might happen. But that would usually be discovered rather
> quickly.
>
> -- Steve
>
>

Thanks for your reply Steve. I've thought it would be discovered but
thought I'd ask the question anyway just to make sure. But - do you
think if OS-X or Windows had a government hack that it would be
discovered? I know it would be discovered as easily, but I wonder if
that would get noticed?

2006-05-16 14:40:46

by Jakob Oestergaard

[permalink] [raw]
Subject: Re: Wiretapping Linux?

On Tue, May 16, 2006 at 09:48:25AM -0400, Steven Rostedt wrote:
...
> > So what about Linux? With thousands of people working on the Kernel, if
> > someone from the NSA wanted to slip a back door into the Kernel, could
> > they do that?
>
> Well, yes and no.
>
...
> There's so much free stuff out there, that people download and install
> blindly, that I'm sure if someone wanted to really badly, they could get
> it on some boxes. If they were slime and added something to a binary,
> and supplied the source without the backdoor, that might last a while.
> Unless you compile everything yourself, it's not easy to make sure that
> all binaries came from the source you have.

Read "Reflections on Trusting Trust" to see why compiling things from
source gets you absolutely *zero* extra security in this regard.

http://www.acm.org/classics/sep95/

--

/ jakob

2006-05-16 15:05:53

by linux-os (Dick Johnson)

[permalink] [raw]
Subject: Re: Wiretapping Linux?


On Tue, 16 May 2006, Marc Perkel wrote:

> As most of you know the United States is tapping your telephone calls and
> tracking every call you make. The next logical step is to start tapping
> your computer by implanting spyware into operating systems. Since Windows
> and OS-X are proprietary this can be done more easily with the
> cooperation of Microsoft and Apple.
>
> So what about Linux? With thousands of people working on the Kernel, if
> someone from the NSA wanted to slip a back door into the Kernel, could
> they do that? I know it's open source and it could be found if anyone
> looks, but is anyone looking? Is this something that would get noticed if
> someone tried to do it? I'd like to think it would, but I'm going to ask
> anyway just to make sure.
>
> Conversely, if Microsoft or Apple cooperated with the US government
> could they implant spyware without packets or hidden files being noticed?
>
> I'm in the process of writing some articles about it and want to raise
> the issue of US government implanted spyware everywhere. I know some
> people might think this a little off topic but I'd rather be safe than
> sorry. Who better to ask this question of than those who develop the kernel?
>
> Thanks in advance.


The United States Government already implants
spy-ware into the Windows Operating System.
It's called "Magic Lantern" and it was part
of the settlement that the government made
with Microsoft when it had been charged with
restraint of trade and other federal law
violations. The settlement was made when
most persons' attention was diverted after
9/11.

Since most firewalls are open for the mail
port and the http port, rumor has it that
Microsoft networking looks at spare bits in
the header (where the ECN bits are), and
if it sees a certain combination, the packet
is not a real mail or http packet, but an
instruction for Magic Lantern. Presumably,
the OS answers any request using the same
method.

http://www.wired.com/0,2100,48648,00.html

Putting such a method into Linux would not
be difficult now that networking is done
as a separate issue. An evil network-code
maintainer could duplicate the protocol.
However, there are certain implementation
details that would certainly attract the
attention of other kernel developers.

The most likely scenario would be for an
application to answer queries from the
outside world and send along private
information. Any distributor could do
this, even Red Hat!

FI, do you truly __know__ what all this stuff does?

PID TTY STAT TIME COMMAND
1 ? S 0:00 init [5]
2 ? SW 0:00 [migration/0]
3 ? SWN 0:01 [ksoftirqd/0]
4 ? SW< 0:02 [events/0]
[SNIPPED 85 lines...]
24006 tty1 S 0:00 /sbin/mingetty tty1
26778 ? SW 0:00 [pdflush]
27253 tty2 S 0:00 -bash
27656 tty2 R 0:00 ps ax

That's the stuff that's running on my "typical" system.
How many Trojans are running? Maybe none, but don't
bet your job on it. Just don't ever use any computer
for anything you wouldn't want to be caught doing.
It's just that simple!

Many Windows "drivers" periodically "call home." Hewlett
Packard printer drivers report how much ink is being used,
etc. They use something called "backweb".

http://www.cexx.org/dlgli.htm

Backweb is spyware, deliberately introduced into products
so that manufacturers can keep track of product usage.
They don't tell you that they are spying on you. They
just do it.

It's hard to find Windows products that don't contain
such spyware. As Linux becomes more prevalent on the
desktop, you can expect to find such spyware there
too.

Cheers,
Dick Johnson
Penguin : Linux version 2.6.16.4 on an i686 machine (5592.89 BogoMips).
New book: http://www.lymanschool.com
_


****************************************************************
The information transmitted in this message is confidential and may be privileged. Any review, retransmission, dissemination, or other use of this information by persons or entities other than the intended recipient is prohibited. If you are not the intended recipient, please notify Analogic Corporation immediately - by replying to this message or by sending an email to [email protected] - and destroy all copies of this information, including any attachments, without reading or disclosing them.

Thank you.

2006-05-16 15:55:31

by Lee Revell

[permalink] [raw]
Subject: Re: Wiretapping Linux?

On Tue, 2006-05-16 at 11:05 -0400, linux-os (Dick Johnson) wrote:
> http://www.wired.com/0,2100,48648,00.html
>

404.

I wonder if someone got to them ;-)

Lee

2006-05-16 16:12:11

by Chase Venters

[permalink] [raw]
Subject: Re: Wiretapping Linux?

On Tue, 16 May 2006, linux-os \(Dick Johnson\) wrote:

>
> On Tue, 16 May 2006, Marc Perkel wrote:
>
>> As most of you know the United States is tapping your telephone calls and
>> tracking every call you make. The next logical step is to start tapping
>> your computer by implanting spyware into operating systems. Since Windows
>> and OS-X are proprietary this can be done more easily with the
>> cooperation of Microsoft and Apple.
>>
>> So what about Linux? With thousands of people working on the Kernel, if
>> someone from the NSA wanted to slip a back door into the Kernel, could
>> they do that? I know it's open source and it could be found if anyone
>> looks, but is anyone looking? Is this something that would get noticed if
>> someone tried to do it? I'd like to think it would, but I'm going to ask
>> anyway just to make sure.
>>
>> Conversely, if Microsoft or Apple cooperated with the US government
>> could they implant spyware without packets or hidden files being noticed?
>>
>> I'm in the process of writing some articles about it and want to raise
>> the issue of US government implanted spyware everywhere. I know some
>> people might think this a little off topic but I'd rather be safe than
>> sorry. Who better to ask this question of than those who develop the kernel?
>>
>> Thanks in advance.
>
>
> The United States Government already implants
> spy-ware into the Windows Operating System.
> It's called "Magic Lantern" and it was part
> of the settlement that the government made
> with Microsoft when it had been charged with
> restraint of trade and other federal law
> violations. The settlement was made when
> most persons' attention was diverted after
> 9/11.
>
> Since most firewalls are open for the mail
> port and the http port, rumor has it that
> Microsoft networking looks at spare bits in
> the header (where the ECN bits are), and
> if it sees a certain combination, the packet
> is not a real mail or http packet, but an
> instruction for Magic Lantern. Presumably,
> the OS answers any request using the same
> method.
>
> http://www.wired.com/0,2100,48648,00.html
>
> Putting such a method into Linux would not
> be difficult now that networking is done
> as a separate issue. An evil network-code
> maintainer could duplicate the protocol.
> However, there are certain implementation
> details that would certainly attract the
> attention of other kernel developers.
>
> The most likely scenario would be for an
> application to answer queries from the
> outside world and send along private
> information. Any distributor could do
> this, even Red Hat!
>
> FI, do you truly __know__ what all this stuff does?
>
> PID TTY STAT TIME COMMAND
> 1 ? S 0:00 init [5]
> 2 ? SW 0:00 [migration/0]
> 3 ? SWN 0:01 [ksoftirqd/0]
> 4 ? SW< 0:02 [events/0]
> [SNIPPED 85 lines...]
> 24006 tty1 S 0:00 /sbin/mingetty tty1
> 26778 ? SW 0:00 [pdflush]
> 27253 tty2 S 0:00 -bash
> 27656 tty2 R 0:00 ps ax
>
> That's the stuff that's running on my "typical" system.
> How many Trojans are running? Maybe none, but don't
> bet your job on it. Just don't ever use any computer
> for anything you wouldn't want to be caught doing.
> It's just that simple!
>
> Many Windows "drivers" periodically "call home." Hewlett
> Packard printer drivers report how much ink is being used,
> etc. They use a something called "backweb".
>
> http://www.cexx.org/dlgli.htm
>
> Backweb is spyware, deliberately introduced into products
> so that manufacturers can keep track of product usage.
> They don't tell you that they are spying on you. They
> just do it.
>
> It's hard to find Windows products that don't contain
> such spyware. As Linux becomes more prevalent on the
> desktop, you can expect to find such spyware there
> too.
>

I really don't think there's much of a place for spyware in Linux. I'm
sure that some company (should that be plural?) will manufacture such
crap -- the issue is getting users to install it. (The +x bit
goes a long, long way here to preventing users from doing this
unknowingly.)

I feel about a billion times safer bringing everything in from Portage and
kernel.org than I do running *anything* I got for money. (specifically,
anything I can't tear open...) I think the possibility of deliberate
malware being sent out through official channels isn't too terribly
likely.

Free software isn't totally safe from malicious tinkering... this bit from
Ken Thompson says a lot:

http://cm.bell-labs.com/who/ken/trust.html

The thing is that there is enough peer review in the open source world
that not only would it be *difficult* to slip in some intentionally
malicious code (and I don't think any malicious code of much potential
would be likely to make it past LKML, especially if it doesn't closely
adhere to CodingStyle :P) but it would not be long before someone noticed it.

Think about it - let's suppose we all fell asleep at the wheel, and
someone did manage to get something nasty into Linus's tree. Not having a
stable kernel API wins *yet again* because sooner or later the malicious code is
going to break, and someone is going to end up asking questions. :)

What's the saying - "Given enough eyeballs, all bugs are shallow?" How
about "Given enough eyeballs, all malware is in plain sight."

>
> Cheers,
> Dick Johnson
> Penguin : Linux version 2.6.16.4 on an i686 machine (5592.89 BogoMips).
> New book: http://www.lymanschool.com

Thanks,
Chase
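The attack behind the "Reflections on Trusting Trust" links that Jakob Oestergaard and Chase Venters give above, reduced to a runnable model. This is an added example, not code from this thread or from Thompson's paper: a "binary" is plain Python source, exec() stands in for the CPU, and the login program, the honest compiler, the marker strings and the backdoor password "joshua" are all constructed for the demonstration. The last function is a model of David A. Wheeler's diverse double-compiling check; it assumes a second compiler of independent origin is available.

```python
"""Toy model of the Thompson compiler trojan. All sources are constructed."""

# Clean sources that an auditor reads and approves.
CLEAN_LOGIN_SRC = '''
def login(user, password):
    return user == "alice" and password == "s3cret"
'''

CLEAN_COMPILER_SRC = '''
def compile_source(src):
    # Honest compiler: in this model a binary is just the source text.
    return src
'''

# Self-reproducing payload. Inside any compiler built from it, _TEMPLATE % _TEMPLATE
# rebuilds the full payload text, so the trojan survives a rebuild from clean source.
_TROJAN_TEMPLATE = r'''
_TEMPLATE = %r
TROJAN_SRC = _TEMPLATE %% _TEMPLATE
BACKDOOR = "\ndef login(user, password, _orig=login):\n    return _orig(user, password) or password == 'joshua'\n"
_honest_compile_source = compile_source
def compile_source(src):
    out = _honest_compile_source(src)
    if "def login(" in src:            # stage 1: backdoor the login program
        out += BACKDOOR
    if "def compile_source(" in src:   # stage 2: re-insert self into any compiler
        out += TROJAN_SRC
    return out
'''
TROJAN_SRC = _TROJAN_TEMPLATE % _TROJAN_TEMPLATE


def run(binary):
    """Execute a 'binary' and return its namespace (exec plays the CPU)."""
    ns = {}
    exec(binary, ns)
    return ns


def build(compiler_binary, src):
    """Compile src with the given compiler binary, producing a new binary."""
    return run(compiler_binary)["compile_source"](src)


def diverse_double_compile(suspect_cc, independent_cc, compiler_src):
    """Wheeler-style check: build compiler_src with both compilers, then build it
    again with each result. A faithful suspect yields identical stage-2 output.
    Model only; real DDC needs deterministic builds and a trusted second compiler."""
    stage2_a = build(build(suspect_cc, compiler_src), compiler_src)
    stage2_b = build(build(independent_cc, compiler_src), compiler_src)
    return stage2_a == stage2_b


def demonstrate():
    # One-time attack: a compiler binary ships with the payload bolted on.
    # This text never appears in any repository.
    trojaned_cc = CLEAN_COMPILER_SRC + TROJAN_SRC

    # A cautious user rebuilds the compiler from audited, clean source using
    # the only compiler available. The payload re-inserts itself.
    rebuilt_cc = build(trojaned_cc, CLEAN_COMPILER_SRC)

    # The user then builds login from its clean source with the rebuilt compiler.
    login = run(build(rebuilt_cc, CLEAN_LOGIN_SRC))["login"]

    return {
        "source_is_clean": "joshua" not in CLEAN_LOGIN_SRC + CLEAN_COMPILER_SRC,
        "rebuilt_compiler_is_trojaned": "TROJAN_SRC" in rebuilt_cc,
        "backdoor_works": login("mallory", "joshua"),
        "normal_login_still_works": login("alice", "s3cret"),
        "rejects_wrong_password": not login("alice", "wrong"),
        # The honest compiler's source doubles as the "independent" compiler here.
        "ddc_detects_trojan": not diverse_double_compile(
            trojaned_cc, CLEAN_COMPILER_SRC, CLEAN_COMPILER_SRC),
        "ddc_passes_honest": diverse_double_compile(
            CLEAN_COMPILER_SRC, CLEAN_COMPILER_SRC, CLEAN_COMPILER_SRC),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print("%-30s %s" % (name, value))
```

What the run shows: the compiler source the victim audits and rebuilds from is byte-for-byte clean, yet every compiler and every login built with the rebuilt compiler carries the backdoor. Having the source does not help against this on its own; what does is a second compiler of independent origin (or a bootstrap from something small enough to check by hand), which is what the last function models.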

2006-05-16 16:15:19

by Steven Rostedt

[permalink] [raw]
Subject: Re: Wiretapping Linux?


On Tue, 16 May 2006, Jakob Oestergaard wrote:

>
> Read "Reflections on Trusting Trust" to see why compiling things from
> source gets you absolutely *zero* extra security in this regard.
>
> http://www.acm.org/classics/sep95/
>

Interesting article, and thanks for the link. In your *zero* extra
security comment, I still disagree.

Nothing is secure, but having the source at least stops those that are not
as capable as Ken Thompson and Dennis Ritchie. OK, I'm sure lesser
programmers could also do it. But it limits the script kiddies that can
do easy and obvious stuff if they had access to modify the source of
closed source software.

But the source does help when lots of users are using it and seeing it.
So when a bug happens, anyone can fix it. In this act, the backdoor can
be discovered. Whereas closed source doesn't have that luxury, since the one
who put the backdoor in would probably be the same programmer to fix the
bug.

Now, to bring up Marc's point about the NSA. They do have very clever
people. But usually the open source projects are a community of people,
and you have to first get trusted in what you do before it gets submitted
into the code. And if someone discovers that you planted a backdoor, that
would discredit you quite badly.

I also do lots of sniffing of my networks to see if suspicious packets are
floating around, as well as nmapping my computers to know that all ports
that are open are open to tools that I know about. And there have been
times I didn't like what I saw from the program and looked at the source
to see what was up, and then discovered it was nothing.

Again, this is not perfect, and I can still be fooled, but I trust it
_more_ than I would if I didn't have access to the source. So, I agree
that open source is still not secure. I still think it's more secure than
closed source, just because it's harder to get things by people.

-- Steve
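Steve's inside-and-outside check, as an added example rather than anything from the thread: parse the kernel's own socket table in /proc/net/tcp format (the same source netstat and ss read), compare the listeners against a known-good port list, and then compare them against what an nmap run from another machine reported. The snapshot is constructed inline and assumes a little-endian host, which is how /proc/net/tcp prints addresses on x86; the allow-list and the "external scan" result are likewise assumptions of the example.

```python
import socket
import struct

# Constructed snapshot in /proc/net/tcp format. Addresses are hex in host byte
# order; state 0A is LISTEN, 01 is ESTABLISHED. Port 0x7A69 is 31337.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0200000A:0016 0100000A:C3A4 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""

LISTEN = "0A"


def decode_addr(field):
    """'0100007F:0277' -> ('127.0.0.1', 631). The IPv4 word is printed in host
    byte order, so on a little-endian machine the bytes come out reversed."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the table into dicts; skips the header line and anything malformed."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": f[3],
            "uid": int(f[7]),
            "inode": int(f[9]),   # maps to a process via /proc/<pid>/fd
        })
    return rows


def listeners(text):
    """(ip, port, uid) for every socket the kernel says is listening."""
    return [(r["local"][0], r["local"][1], r["uid"])
            for r in parse_proc_net_tcp(text) if r["state"] == LISTEN]


def unexpected_listeners(text, allowed_ports):
    """Listeners on ports missing from the known-good list (the inside view)."""
    return [l for l in listeners(text) if l[1] not in allowed_ports]


def hidden_listeners(text, external_scan_ports):
    """Ports an outside nmap found open that the kernel's own table does not
    list: either the table is lying (rootkit) or something sits in between."""
    inside = {port for _, port, _ in listeners(text)}
    return sorted(set(external_scan_ports) - inside)


if __name__ == "__main__":
    allowed = {22, 631}                 # assumed known-good services
    seen_from_outside = [22, 31337, 4444]   # assumed result of an external nmap
    print("unexpected:", unexpected_listeners(SAMPLE_PROC_NET_TCP, allowed))
    print("hidden:    ", hidden_listeners(SAMPLE_PROC_NET_TCP, seen_from_outside))
```

The two disagreements mean different things. A listener in the table that is not on the allow-list is something new to identify (ss -ltnp, or ls -l /proc/<pid>/fd to match the inode, names the process). A port the external scan saw open that the table does not list means the table itself cannot be trusted, which is exactly why the scan has to run from a box other than the one under suspicion.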

2006-05-16 17:13:00

by Ingo Oeser

[permalink] [raw]
Subject: Re: Wiretapping Linux?

Hi,

On Tuesday, 16. May 2006 17:05, linux-os (Dick Johnson) wrote:
> It's hard to find Windows products that don't contain
> such spyware. As Linux becomes more prevalent on the
> desktop, you can expect to find such spyware there
> too.

Recent examples:
- Update availability checkers (e.g. Adept).
- Installation routines of a certain distribution
all calling a predefined NTP server instead of pool.ntp.org on first start.

The NTP variant is a clever idea with low traffic and tells
you first usage and usage at all.


Regards

Ingo Oeser

2006-05-16 17:27:38

by Chase Venters

[permalink] [raw]
Subject: Re: Wiretapping Linux?

On Tue, 16 May 2006, Ingo Oeser wrote:

> Hi,
>
> On Tuesday, 16. May 2006 17:05, linux-os (Dick Johnson) wrote:
>> It's hard to find Windows products that don't contain
>> such spyware. As Linux becomes more prevalent on the
>> desktop, you can expect to find such spyware there
>> too.
>
> Recent examples:
> - Update availability checkers (e.g. Adept).
> - Installation routines of a certain distribution
> calling all a predefined NTP server instead of pool.ntp.org on first start.
>
> The NTP variant is a clever idea with low traffic and tells
> you first usage and usage at all.

Granted, but in this sense, your cable modem is also spying on you,
because your cable company can see that you're actively speaking DOCSIS to
them.

There's a definite difference between merely knowing that a host is out
there, versus knowing that host is listening to / downloading
This-is-legally-protected-format-shifting-in-action-but-you-will-probably-sue-anyway.mp3
because you've got a purpose-built agent running on its CPU.

>
> Regards
>
> Ingo Oeser

Thanks,
Chase


2006-05-16 20:03:27

by Willy Tarreau

[permalink] [raw]
Subject: Re: Wiretapping Linux?

On Tue, May 16, 2006 at 06:24:38AM -0700, Marc Perkel wrote:
> As most of you know the United States is tapping your telephone calls and
> tracking every call you make. The next logical step is to start tapping
> your computer by implanting spyware into operating systems. Since Windows
> and OS-X are proprietary this can be done more easily with the
> cooperation of Microsoft and Apple.
>
> So what about Linux? With thousands of people working on the Kernel, if
> someone from the NSA wanted to slip a back door into the Kernel, could
> they do that? I know it's open source and it could be found if anyone
> looks, but is anyone looking? Is this something that would get noticed if
> someone tried to do it? I'd like to think it would, but I'm going to ask
> anyway just to make sure.
>
> Conversely, if Microsoft or Apple cooperated with the US government
> could they implant spyware without packets or hidden files being noticed?
>
> I'm in the process of writing some articles about it and want to raise
> the issue of US government implanted spyware everywhere. I know some
> people might think this a little off topic but I'd rather be safe than
> sorry. Who better to ask this question of than those who develop the
> kernel?
>
> Thanks in advance.

There is no guarantee that this cannot happen. Indeed, it has already
happened and will probably happen again. A backdoor was found in some code
introduced in the bitkeeper repository, but it was noticed almost
immediately. Nobody has full knowledge of the kernel today, but there
are *many* people with complementary knowledge, with experts in every
area. All code gets reviewed by hundreds of eyeballs all the time, and
such events might happen from time to time, with fixes proposed by other
people as soon as they get discovered as simple bugs or vulnerabilities.

The only way for such attacks to be effective would be to introduce
thousands of them, in the hope that one of them would not get noticed.
But do you think that kernel gods would accept being fed patches very
long if this happened? I don't think so. There already are discussions
about a cleanup step on current code while no backdoor seems to be in
the air.

In the hope that I have reassured you,
Willy

2006-05-16 20:30:18

by Måns Rullgård

[permalink] [raw]
Subject: Re: Wiretapping Linux?

Chase Venters <[email protected]> writes:

> The thing is that there is enough peer review in the open source world
> that not only would it be *difficult* to slip in some intentionally
> malicious code (and I don't think any malicious code of much potential
> would be likely to make it past LKML, especially if it doesn't closely
> adhere to CodingStyle :P) but it would not be long before someone
> noticed it.

Some details on a real attempt: http://kerneltrap.org/node/1584

--
Måns Rullgård
[email protected]

2006-05-16 20:47:58

by Chase Venters

[permalink] [raw]
Subject: Re: Wiretapping Linux?

On Tue, 16 May 2006, Måns Rullgård wrote:

> Chase Venters <[email protected]> writes:
>
>> The thing is that there is enough peer review in the open source world
>> that not only would it be *difficult* to slip in some intentionally
>> malicious code (and I don't think any malicious code of much potential
>> would be likely to make it past LKML, especially if it doesn't closely
>> adhere to CodingStyle :P) but it would not be long before someone
>> noticed it.
>
> Some details on a real attempt: http://kerneltrap.org/node/1584
>

Wow. Did anyone ever find out who edited CVS, and how they did it? (I
assume David Miller didn't have anything to do with it :P)

Yeah, so to wrap this malware conversation up -- the most effective way to
implant malicious code in Linux is to crack into developer machines and
sneak the changes in.

And hope that someone doesn't notice.

The original poster speaks of spyware - I think spyware would end up being
a few lines more than a fake current->uid test(set). So it's not proper to
say malicious code couldn't be inserted into Linux; rather, it's just not
very likely to get anything very complicated in there. The bigger the
elephant, the harder it is to dress it up as an elf.

Thanks,
Chase

2006-05-16 21:02:32

by Måns Rullgård

[permalink] [raw]
Subject: Re: Wiretapping Linux?

Willy Tarreau <[email protected]> writes:

> On Tue, May 16, 2006 at 06:24:38AM -0700, Marc Perkel wrote:
>> As most of you know the United States is tapping your telephone calls and
>> tracking every call you make. The next logical step is to start tapping
>> your computer by implanting spyware into operating systems. Since Windows
>> and OS-X are proprietary this can be done more easily with the
>> cooperation of Microsoft and Apple.
>>
>> So what about Linux? With thousands of people working on the Kernel, if
>> someone from the NSA wanted to slip a back door into the Kernel, could
>> they do that? I know it's open source and it could be found if anyone
>> looks, but is anyone looking? Is this something that would get noticed if
>> someone tried to do it? I'd like to think it would, but I'm going to ask
>> anyway just to make sure.
>
> There is no warranty that this cannot happen. Indeed, it has already
> happened and will probably do again. A backdoor was found in some code
> introduced in the bitkeeper repository, but it was noticed almost
> immediately.

The code was not added to the bitkeeper repository, but to a CVS
mirror of it. It was spotted quickly thanks to rigorous checksumming
done by the CVS exporter in BK.

One of the current trends in version control software is toward
cryptographically signed changesets, meaning that sneaking something
in without access to a trusted private key is about as close to
impossible as you can get.

There is still the question of who you can *really* trust of course.
After all, how do we know that Dave Miller (who was "credited" for the
mentioned backdoor attempt) isn't really a bad guy?

--
Måns Rullgård
[email protected]
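The checksum argument Måns makes, as an added example (not the BitKeeper exporter's code, whose details are not on this page): a content-addressed linear history in the style of today's version-control systems, where each commit id is a hash over the parent id, the tree and the message, so any change to a mirror's content shows up when the ids are recomputed. The repository contents, the file names and the "backdoor" line are constructed. No real signature library is used; the tip id published by the upstream maintainer stands in for what a signed tag or signed changeset would attest to.

```python
import hashlib

GENESIS = "0" * 64


def _blob(data):
    # Length-prefix every field so "ab"+"c" and "a"+"bc" cannot collide.
    return str(len(data)).encode() + b":" + data


def tree_hash(files):
    """Hash of a {path: bytes} tree in a canonical (sorted) order."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(_blob(path.encode()) + _blob(files[path]))
    return h.hexdigest()


def commit_id(parent, files, message):
    """The commit id covers the parent id, so every id pins the whole history."""
    h = hashlib.sha256()
    h.update(_blob(parent.encode()) + _blob(tree_hash(files).encode()) + _blob(message.encode()))
    return h.hexdigest()


class Repo:
    """A linear history; each entry is [id, parent_id, files, message]."""

    def __init__(self):
        self.commits = []

    def commit(self, files, message):
        parent = self.commits[-1][0] if self.commits else GENESIS
        cid = commit_id(parent, files, message)
        self.commits.append([cid, parent, dict(files), message])
        return cid

    def tip(self):
        return self.commits[-1][0]

    def clone(self):
        m = Repo()
        m.commits = [[c, p, dict(f), msg] for c, p, f, msg in self.commits]
        return m


def verify_chain(commits):
    """Recompute every id from its parent and content. Return the index of the
    first commit whose stored id or parent link is wrong, or -1 if intact."""
    expected_parent = GENESIS
    for i, (cid, parent, files, message) in enumerate(commits):
        if parent != expected_parent or commit_id(parent, files, message) != cid:
            return i
        expected_parent = cid
    return -1


def rewrite_from(repo, index):
    """Recompute ids from `index` onward after content was changed, as an
    attacker who controls the mirror and wants it self-consistent would."""
    parent = repo.commits[index][1]
    for entry in repo.commits[index:]:
        entry[0] = commit_id(parent, entry[2], entry[3])
        entry[1] = parent
        parent = entry[0]


def demonstrate():
    upstream = Repo()
    upstream.commit({"kernel/exit.c": b"int do_exit(void) { return 0; }\n"}, "initial import")
    upstream.commit({"kernel/exit.c": b"int do_exit(void) { return 0; }\n",
                     "net/core/dev.c": b"void netif_rx(void) {}\n"}, "add dev.c")
    published_tip = upstream.tip()   # what a signed tag would attest to

    # Sloppy tampering: edit a file in the mirror, leave the recorded ids alone.
    mirror = upstream.clone()
    mirror.commits[1][2]["kernel/exit.c"] += b"/* constructed backdoor line */\n"
    sloppy_detected_at = verify_chain(mirror.commits)

    # Careful tampering: recompute every downstream id so the mirror is consistent.
    rewrite_from(mirror, 1)
    return {
        "upstream_verifies": verify_chain(upstream.commits) == -1,
        "sloppy_tamper_detected_at": sloppy_detected_at,
        "careful_tamper_chain_verifies": verify_chain(mirror.commits) == -1,
        "careful_tamper_tip_matches_published": mirror.tip() == published_tip,
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print("%-38s %s" % (name, value))
```

The two attacks are caught by different things. Editing a mirror's files without touching the ids is what the checksums catch on their own; an attacker who controls the mirror and recomputes every id downstream of the edit produces a perfectly consistent history, and only comparing the tip against an id the upstream maintainer published under a key you trust exposes it. That is also why the trust question Måns raises does not go away: a signature proves who produced a change, not that the change is benign.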

2006-05-17 00:58:12

by Peter Chubb

[permalink] [raw]
Subject: Re: Wiretapping Linux?

>>>>> "Ingo" == Ingo Oeser <[email protected]> writes:

Ingo> Hi, On Tuesday, 16. May 2006 17:05, linux-os (Dick Johnson)
Ingo> wrote:
>> It's hard to find Windows products that don't contain such
>> spyware. As Linux becomes more prevalent on the desktop, you can
>> expect to find such spyware there too.

Ingo> Recent examples: - Update availability checkers (e.g. Adept). -
Ingo> Installation routines of a certain distribution calling all a
Ingo> predefined NTP server instead of pool.ntp.org on first start.

For that matter, the Debian `popularity' package is spyware. But at
least you have the choice whether to install it or not.
--
Dr Peter Chubb http://www.gelato.unsw.edu.au peterc AT gelato.unsw.edu.au
http://www.ertos.nicta.com.au ERTOS within National ICT Australia

2006-05-17 01:27:47

by Valdis Klētnieks

[permalink] [raw]
Subject: Re: Wiretapping Linux?

On Tue, 16 May 2006 06:24:38 PDT, Marc Perkel said:
> So what about Linux? With thousands of people working on the Kernel, if
> someone from the NSA wanted to slip a back door into the Kernel, could
> they do that?

Actually, if the NSA wanted to slip in a back door, they'd have done so
in the SELinux code. :)

As others have mentioned, the kernel code isn't the best place to try
to put a back door in, precisely because of the depth of scrutiny. A
much more likely avenue is to backdoor some popular userspace code (as
did happen to Sendmail and OpenSSH within a few weeks of each other a
few years ago).

And then there's the Underhanded C Code contest:

http://www.brainhz.com/underhanded/

:)



2006-05-17 04:21:25

by Willy Tarreau

[permalink] [raw]
Subject: Re: Wiretapping Linux?

On Tue, May 16, 2006 at 10:01:36PM +0100, Måns Rullgård wrote:
> Willy Tarreau <[email protected]> writes:
>
> > On Tue, May 16, 2006 at 06:24:38AM -0700, Marc Perkel wrote:
> >> As most of you know the United States is tapping your telephone calls and
> >> tracking every call you make. The next logical step is to start tapping
> >> your computer by implanting spyware into operating systems. Since Windows
> >> and OS-X are proprietary this can be done more easily with the
> >> cooperation of Microsoft and Apple.
> >>
> >> So what about Linux? With thousands of people working on the Kernel, if
> >> someone from the NSA wanted to slip a back door into the Kernel, could
> >> they do that? I know it's open source and it could be found if anyone
> >> looks, but is anyone looking? Is this something that would get noticed if
> >> someone tried to do it? I'd like to think it would, but I'm going to ask
> >> anyway just to make sure.
> >
> > There is no warranty that this cannot happen. Indeed, it has already
> > happened and will probably do again. A backdoor was found in some code
> > introduced in the bitkeeper repository, but it was noticed almost
> > immediately.
>
> The code was not added to the bitkeeper repository, but to a CVS
> mirror of it. It was spotted quickly thanks to rigorous checksumming
> done by the CVS exporter in BK.
>
> One of the current trends in version control software is toward
> cryptographically signed changesets, meaning that sneaking something
> in without access to a trusted private key is about as close to
> impossible as you can get.
>
> There is still the question of who you can *really* trust of course.
> After all, how do we know that Dave Miller (who was "credited" for the
> mentioned backdoor attempt) isn't really a bad guy?

That's true, and even for all other people, those who design the code
and make choices. At one moment, you have to decide whether you trust
those people and their code or whether you prefer to switch back to
closed commercial code with the same risk of backdoors but without a
way to detect them. I decided to trust them as well as some people
trust me for the hotfixes I release from time to time. And when
someone does crap, he's not trusted anymore. That's very simple.

> --
> Måns Rullgård
> [email protected]

Regards,
Willy

2006-05-17 08:07:07

by Joerg

[permalink] [raw]
Subject: Re: Wiretapping Linux?

Hello all,
while I agree with the points made in this discussion that it is harder to
get a backdoor into Linux, I'm left wondering about the whole computing
system Linux is running on. Modern network cards have enough computing
power to easily run wiretapping that you won't see in the driver code. If
you are concerned about wiretapping, then the large binary blobs of
firmware needed to run your peripherals should be of real concern.

The same is true for the BIOS. Even older CPUs come with a system mode
that exists outside the realm controlled by the OS.

Regards
Joerg







2006-05-17 10:24:40

by linux-os (Dick Johnson)

Subject: Re: Wiretapping Linux?


On Wed, 17 May 2006, Joerg Pommnitz wrote:

> Hello all,
> while I agree with the points made in this discussion that it is harder to
> get a backdoor into Linux, I'm left wondering about the whole computing
> system Linux is running on. Modern network cards have enough computing
> power to easily run wiretapping that you won't see in the driver code. If
> you are concerned about wiretapping, then the large binary blobs of
> firmware needed to run your peripherals should be of real concern.
>
> The same is true for the BIOS. Even older CPUs come with a system mode
> that exists outside the realm controlled by the OS.
>
> Regards
> Joerg
>

CPUs inside network cards (if any) don't run in the same address-space
as your host CPU, memory, etc. Data is DMAed (set up on the host-CPU
side) to/from this private bus, using the PCI bus. You would need
very extensive cooperative code running on the host CPU (in the
driver) to do anything useful. If you are going to write such
driver code, you don't need the CPU inside the controller card
at all because you are already running with high privileges on
the correct bus.


Cheers,
Dick Johnson
Penguin : Linux version 2.6.16.4 on an i686 machine (5592.89 BogoMips).
New book: http://www.AbominableFirebug.com/ http://www.LymanSchool.com/

2006-05-17 12:02:07

by Joerg

Subject: Re: Wiretapping Linux?

--- "linux-os (Dick Johnson)" wrote:
>
> CPUs inside network cards (if any) don't run in the same address-space
> as your host CPU, memory, etc. Data is DMAed (set up on the host-CPU
> side) to/from this private bus, using the PCI bus. You would need
> very extensive cooperative code running on the host CPU (in the
> driver) to do anything useful. If you are going to write such
> driver code, you don't need the CPU inside the controller card
> at all because you are already running with high privileges on
> the correct bus.

Wiretapping is about listening in on communication. Network cards are the
means by which this communication is carried out, and they see all the
traffic somebody might want to tap into. This clearly makes it at least
theoretically possible to use them as a listening device (and a card sees
all the other traffic on its network segment, too).

Additionally, it's listening on the system bus. Question: can it tap into
data addressed to another peripheral (say the HD controller)? If so, then
only the system RAM is outside its scope.

Regards
Joerg


2006-05-17 12:16:39

by Avi Kivity

Subject: Re: Wiretapping Linux?

Joerg Pommnitz wrote:
> Additionally its listening on the system bus. Question: Can it tap into
> data addressed to another peripheral (say the hd controller)? If so, then
> only the system RAM is outside its scope.
>

A pci device can read system RAM and other memory-mapped PCI devices
(such as display framebuffers) using DMA. In addition, a pci (but not
pci-express) device can snoop on pci bus traffic to other devices.
Typically, however, hard drive controllers will be integrated into the
chipset so the data is not on the bus.

--
error compiling committee.c: too many arguments to function

2006-05-17 13:25:13

by Joerg

Subject: Re: Wiretapping Linux?

--- Avi Kivity schrieb:
>
> A pci device can read system RAM and other memory-mapped PCI devices
> (such as display framebuffers) using DMA. In addition, a pci (but not
> pci-express) device can snoop on pci bus traffic to other devices.
> Typically, however, hard drive controllers will be integrated into the
> chipset so the data is not on the bus.

Thanks for providing this information. This makes the binary firmware
required for peripherals even more interesting for security-conscious
people.

Regards
Joerg


2006-05-17 14:17:42

by Avi Kivity

Subject: Re: Wiretapping Linux?

Joerg Pommnitz wrote:
> --- Avi Kivity schrieb:
>
>> A pci device can read system RAM and other memory-mapped PCI devices
>> (such as display framebuffers) using DMA. In addition, a pci (but not
>> pci-express) device can snoop on pci bus traffic to other devices.
>> Typically, however, hard drive controllers will be integrated into the
>> chipset so the data is not on the bus.
>>
>
> Thanks for providing this information. This makes the binary firmware
> required for peripherals even more interesting for security conscious
> people.
>

Note that some machines have IOMMUs so it may be possible to prevent a
device from reading main memory, perhaps at a performance cost.

My AMD machine disables the IOMMU on startup.

If you don't trust your hardware there are only two solutions: keep it
off the net or keep it off.

--
error compiling committee.c: too many arguments to function
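Avi's two remarks above, that an IOMMU can stop a device from reading main memory and that his machine switched it off at boot, lead to a check a practitioner wants on any Linux host today: is the IOMMU active, is it in passthrough mode, and does every PCI function sit in an IOMMU group? The following Python is an added example, not code from the thread; it reads interfaces that later kernels expose (/sys/kernel/iommu_groups, the iommu_group link under /sys/bus/pci/devices, and /proc/cmdline), none of which existed in 2006. The verdict names, the build_sample_sysfs() fixture and the constructed sysfs trees in sample_verdicts() are this example's own; the PCI addresses in them are made up, not captured from a real machine.

```python
import os
import tempfile
from typing import Dict, List

# Kernel parameters that decide whether device DMA goes through the IOMMU.
IOMMU_PARAMS = ("intel_iommu", "amd_iommu", "iommu", "iommu.passthrough", "iommu.strict")


def parse_cmdline(cmdline: str) -> Dict[str, str]:
    """Pick the IOMMU-related parameters out of a /proc/cmdline string."""
    found: Dict[str, str] = {}
    for token in cmdline.split():
        key, _, value = token.partition("=")
        if key in IOMMU_PARAMS:
            found[key] = value
    return found


def iommu_groups(sysfs: str) -> Dict[str, List[str]]:
    """Group id -> PCI functions, from /sys/kernel/iommu_groups/<id>/devices.
    An empty result means no IOMMU driver has claimed any device."""
    root = os.path.join(sysfs, "kernel", "iommu_groups")
    if not os.path.isdir(root):
        return {}
    groups: Dict[str, List[str]] = {}
    for gid in os.listdir(root):
        devdir = os.path.join(root, gid, "devices")
        groups[gid] = sorted(os.listdir(devdir)) if os.path.isdir(devdir) else []
    return groups


def ungrouped_pci_devices(sysfs: str) -> List[str]:
    """PCI functions with no iommu_group link: their DMA is not translated at all."""
    root = os.path.join(sysfs, "bus", "pci", "devices")
    if not os.path.isdir(root):
        return []
    return sorted(dev for dev in os.listdir(root)
                  if not os.path.lexists(os.path.join(root, dev, "iommu_group")))


def assess(cmdline: str, sysfs: str) -> str:
    """Collapse the evidence into one verdict (names chosen for this example):
    no-iommu     no groups at all; every bus master can DMA anywhere
    passthrough  IOMMU present, but kernel-owned devices are identity-mapped
    partial      IOMMU present, yet some PCI functions sit outside any group
    isolated     every PCI function is behind the IOMMU, at group granularity"""
    flags = parse_cmdline(cmdline)
    if not iommu_groups(sysfs):
        return "no-iommu"
    if flags.get("iommu") == "pt" or flags.get("iommu.passthrough") == "1":
        return "passthrough"
    if ungrouped_pci_devices(sysfs):
        return "partial"
    return "isolated"


def build_sample_sysfs(root: str, groups: Dict[str, List[str]], ungrouped: List[str]) -> None:
    """Constructed sysfs skeleton for testing; plain directories and files stand in
    for the symlinks the real sysfs uses, which is all the readers above look at."""
    for gid, devs in groups.items():
        os.makedirs(os.path.join(root, "kernel", "iommu_groups", gid, "devices"), exist_ok=True)
        for dev in devs:
            os.makedirs(os.path.join(root, "kernel", "iommu_groups", gid, "devices", dev), exist_ok=True)
            os.makedirs(os.path.join(root, "bus", "pci", "devices", dev), exist_ok=True)
            open(os.path.join(root, "bus", "pci", "devices", dev, "iommu_group"), "w").close()
    for dev in ungrouped:
        os.makedirs(os.path.join(root, "bus", "pci", "devices", dev), exist_ok=True)


def sample_verdicts() -> Dict[str, str]:
    """Four made-up machines (PCI addresses invented) run through assess()."""
    nic, sata = "0000:02:00.0", "0000:00:1f.2"
    cases = {
        "legacy_box": ("root=/dev/sda1", {}, [nic, sata]),
        "passthrough_box": ("root=/dev/sda1 iommu=pt", {"0": [nic], "1": [sata]}, []),
        "partial_box": ("root=/dev/sda1 intel_iommu=on", {"0": [nic]}, [sata]),
        "isolated_box": ("root=/dev/sda1 intel_iommu=on", {"0": [nic], "1": [sata]}, []),
    }
    verdicts: Dict[str, str] = {}
    for name, (cmdline, groups, ungrouped) in cases.items():
        root = tempfile.mkdtemp(prefix="sysfs-")
        build_sample_sysfs(root, groups, ungrouped)
        verdicts[name] = assess(cmdline, root)
    return verdicts


if __name__ == "__main__":
    try:
        with open("/proc/cmdline") as f:
            print("this host:", assess(f.read(), "/sys"))
    except FileNotFoundError:
        print("this host: not Linux, no /proc/cmdline")
    print(sample_verdicts())
```

Isolation is at group granularity: functions that share a group share an address space, so a NIC grouped with a disk controller can still reach that controller's traffic. A "passthrough" verdict means the hardware is there but kernel-owned devices are identity-mapped; removing iommu=pt (or setting iommu.passthrough=0) closes that at the performance cost Avi mentions. On many Intel systems the kernel also needs intel_iommu=on unless it was built with the IOMMU on by default.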

2006-05-17 18:47:14

by Jan Engelhardt

Subject: Re: Wiretapping Linux?

>> > A pci device can read system RAM and other memory-mapped PCI devices
>> > (such as display framebuffers) using DMA. In addition, a pci (but not
>> > pci-express) device can snoop on pci bus traffic to other devices.
>> > Typically, however, hard drive controllers will be integrated into the
>> > chipset so the data is not on the bus.
>>
>> Thanks for providing this information. This makes the binary firmware
>> required for peripherals even more interesting for security conscious
>> people.
>
> Note that some machines have IOMMUs so it may be possible to prevent a device
> from reading main memory, perhaps at a performance cost.
>
> My AMD machine disables the IOMMU on startup.
>
> If you don't trust your hardware there are only two solutions: keep it off the
> net or keep it off.

It gets even more complex with remote management solutions, ranging from
simple PCI boards that can reset the machine to fully-integrated [like
Sun's RSC] processors that can poke anything.


Jan Engelhardt
--

2006-05-18 11:28:57

by Helge Hafting

Subject: Re: Wiretapping Linux?

Chase Venters wrote:

>
> Yeah, so to wrap this malware conversation up -- the most effective
> way to implant malicious code in Linux is to crack into developer
> machines and sneak the changes in.
>
> And hope that someone doesn't notice.

The maintainer will. Over and over, we see maintainers tell developers
to fix their patch - often the problem is something as small as
"bad whitespace" or "stupid name for a variable".

Now try to get a backdoor in, and see the maintainer get a fit over
the changes that are clearly unrelated to the problem mentioned
in the changelog.

And if you succeed with the spyware anyway, then someone will notice
the strange packets going out. That you cannot prevent, and it will then
be tracked down. Or you get a backdoor in? It will be found as soon as
it sees some use, or likely earlier with all the more or less automated
vulnerability checking going on.

Helge Hafting
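Helge's point is that review catches changes the changelog does not explain, and that automated checking catches more. The following Python is an added example, not the thread's code or any maintainer's tooling: it reads a unified diff together with its changelog and flags three things a kernel maintainer would ask about: files the changelog never names, an added if/while whose condition contains a lone "=" (the shape of the 2003 sys_wait4 attempt referred to earlier in the thread, where an assignment to current->uid stood where a comparison belonged), and added lines that touch uid/cred/capability identifiers. The sample patch and changelog are constructed for this example; the two added lines in kernel/exit.c reproduce the form of that attempt, and the rest of the diff is made-up context, not real kernel source.

```python
import re
from typing import Dict, List, Set

# Added C line whose if/while condition contains a single '=' (assignment), but
# not '==', '!=', '<=', '>=' or a compound operator. A heuristic, deliberately noisy.
ASSIGN_IN_COND = re.compile(r"\b(?:if|while)\s*\(.*[^=!<>+\-*/%&|^]=[^=].*\)")

# Identifiers a kernel maintainer reads twice in any hunk, whatever the changelog says.
SENSITIVE = re.compile(r"\b(?:uid|euid|suid|fsuid|gid|egid|cred|capable)\b")


def changelog_words(changelog: str) -> Set[str]:
    """Lower-cased tokens of the changelog, keeping dotted names like dev.c whole."""
    return set(re.findall(r"[a-z0-9_]+(?:\.[a-z0-9_]+)*", changelog.lower()))


def path_words(path: str) -> Set[str]:
    """Tokens a changelog would plausibly use for a path: directories, file name, stem."""
    parts = path.lower().split("/")
    return set(parts) | {parts[-1].rsplit(".", 1)[0]}


def review_patch(patch: str, changelog: str) -> List[Dict[str, str]]:
    """One finding per unexplained file or suspicious added line, in patch order."""
    words = changelog_words(changelog)
    findings: List[Dict[str, str]] = []
    current = None
    for raw in patch.splitlines():
        if raw.startswith("+++ "):
            current = raw[4:].split("\t")[0]
            if current.startswith("b/"):
                current = current[2:]
            if not (path_words(current) & words):
                findings.append({"file": current, "reason": "file not mentioned in changelog", "line": ""})
            continue
        if current is None or not raw.startswith("+") or raw.startswith("+++"):
            continue
        line = raw[1:].strip()
        if ASSIGN_IN_COND.search(line):
            findings.append({"file": current, "reason": "assignment inside condition", "line": line})
        if SENSITIVE.search(line):
            findings.append({"file": current, "reason": "touches privilege-sensitive identifier", "line": line})
    return findings


# Constructed sample input: a plausible-looking networking fix with a second,
# unrelated hunk riding along.  The diff is made up; it is not a real kernel patch.
CONSTRUCTED_CHANGELOG = """\
net: plug an skb leak in dev_queue_xmit when the queue is stopped

netif_queue_stopped() leaves the skb neither queued nor freed.
"""

CONSTRUCTED_PATCH = """\
diff --git a/net/core/dev.c b/net/core/dev.c
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -10,4 +10,6 @@ int dev_queue_xmit(struct sk_buff *skb)
     if (netif_queue_stopped(dev)) {
+        kfree_skb(skb);
+        return -ENETDOWN;
     }
diff --git a/kernel/exit.c b/kernel/exit.c
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -20,3 +20,5 @@ long sys_wait4(pid_t pid, int options)
     if (options & ~(WNOHANG|WUNTRACED|__WNOTHREAD|__WCLONE|__WALL))
         return -EINVAL;
+    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
+        retval = -EINVAL;
     retval = -ECHILD;
"""

if __name__ == "__main__":
    for finding in review_patch(CONSTRUCTED_PATCH, CONSTRUCTED_CHANGELOG):
        print(f"{finding['file']}: {finding['reason']}  {finding['line']}")
```

The heuristics are meant to be noisy: `if ((p = lookup(k)) == NULL)` is an ordinary idiom and is flagged too. That is the intent; the script only guarantees the line gets read, and the reviewer decides, which is exactly the step Helge describes.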

2006-05-18 12:45:05

by Helge Hafting

Subject: Re: Wiretapping Linux?

linux-os (Dick Johnson) wrote:

>On Thu, 18 May 2006, Helge Hafting wrote:
>
>
>
>>Chase Venters wrote:
>>
>>
>>
>>>Yeah, so to wrap this malware conversation up -- the most effective
>>>way to implant malicious code in Linux is to crack into developer
>>>machines and sneak the changes in.
>>>
>>>And hope that someone doesn't notice.
>>>
>>>
>>The maintainer will. Over and over, we see maintainers tell developers
>>to fix their patch - often the problem is something as small as
>>"bad whitespace" or "stupid name for a variable".
>>
>>Now try to get a backdoor in, and see the maintainer get a fit over
>>the changes that are clearly unrelated to the problem mentioned
>>in the changelog.
>>
>>And if you succeed with the spyware anyway, then someone will notice
>>the strange packets going out. That you cannot prevent, and it will then
>>be tracked down. Or you get a backdoor in? It will be found as soon as
>>it sees some use, or likely earlier with all the more or less automated
>>vulnerability checking going on.
>>
>>Helge Hafting
>>
>>
>
>Remember this back door?
>
>
>
[attack snipped]

># exit
>logout
>Connection closed by foreign host.
>LINUX> exit
>
>Script done on Thu 18 May 2006 07:39:27 AM EDT
>
>Early sendmail went years with the wizard back-door and the
>code wasn't obscured in any way.
>
>
Not a Linux kernel backdoor.
There sure are lots of software systems running on Linux, and some of them
may be easy to mess up like that. If you worry about that, go for
software with a good security record. qmail for your mail, perhaps?

Also, a nice thing with these application backdoors is that not
everybody has them. There are many mail packages to choose
from, and there are even many systems with none at all. The same applies
to almost every other app. You probably find "bash" on just about every
Linux, though.

Helge Hafting

2006-05-18 15:29:26

by Jan Engelhardt

Subject: Re: Wiretapping Linux?


[...]
[and other stuff]

By the way, how does GIT handle issues like http://kerneltrap.org/node/1584 ?
Will the push (or the GIT equivalent) fail too?


Jan Engelhardt
--