General Discussion
Related: Editorials & Other Articles, Issue Forums, Alliance Forums, Region ForumsThe NSA Has Inserted Its Code Into Android OS - SmartPhones
http://www.zerohedge.com/news/2013-07-09/nsa-has-inserted-its-code-android-os-bugging-three-quarters-all-smartphonesOver a decade ago, it was discovered that the NSA embedded backdoor access into Windows 95, and likely into virtually all other subsequent internet connected, desktop-based operating systems. However, with the passage of time, more and more people went "mobile", and as a result the NSA had to adapt. And adapt they have: as Bloomberg reports, "The NSA is quietly writing code for Googles Android OS."
Is it ironic that the same "don't be evil" Google which went to such great lengths in the aftermath of the Snowden scandal to wash its hands of snooping on its customers and even filed a request with the secretive FISA court asking permission to disclose more information about the governments data requests, is embedding NSA code into its mobile operating system, which according to IDC runs on three-quarters of all smartphones shipped in the first quarter? Yes, yes it is.
Google spokeswoman Gina Scigliano confirms that the company has already inserted some of the NSAs programming in Android OS. "All Android code and contributors are publicly available for review at source.android.com." Scigliano says, declining to comment further.
Snip ...
Is the NSA code malevolent? That is unknown.
NineNightsHanging
(47 posts)Earlier reports have indicated that the NSA has the ability to record nearly all domestic and international phone calls -- in case an analyst needed to access the recordings in the future. A Wired magazine article last year disclosed that the NSA has established "listening posts" that allow the agency to collect and sift through billions of phone calls through a massive new data center in Utah, "whether they originate within the country or overseas." That includes not just metadata, but also the contents of the communications.
sabrina 1
(62,325 posts)Money, is my theory. Nothing to do with security. THAT is the scandal they are trying to cover up.
gordianot
(15,237 posts)Did they pay to get access? Are they using blackmail and extortion? Sounds like a recipe for chaos.
Recursion
(56,582 posts)It's a module that allows for better security auditing.
mwooldri
(10,303 posts)With this, unlike Proprietary Software like MS Windows, anyone can contribute code. Peer review means that there are many people looking at that code... if there is any malware in there the Android Community will spot it, as is the case with Linux.
I for one am not concerned. The NSA even had a Linux distribution at one point with their code in it. With Proprietary software, I don't have that confidence because I can't see in.
Oh, and Linux is free (as in beer) - Android is too.
Recursion
(56,582 posts)It's a bit dated at this point (10 years old) and there have been some developments in security philosophy since then, but it's good stuff.
dkf
(37,305 posts)Apple appears to be immune from this unprecedented breach of customer loyalty, if only for now, although open-sourced Linux may not be as lucky:
Apple (AAPL) does not accept source code from any government agencies for any of our operating systems or other products, says Kristin Huguet, a spokeswoman for the company. Its not known if any other proprietary operating systems are using NSA code. SE for Android is an offshoot of a long-running NSA project called Security-Enhanced Linux. That code was integrated a decade ago into the main version of the open-source operating system, the server platform of choice for Internet leaders including Google, Facebook (FB), and Yahoo! (YHOO). Jeff Zemlin, the executive director of the Linux Foundation, says the NSA didnt add any obvious means of eavesdropping. This code was peer-reviewed by a lot of people, he says.
From OPs link
Chemisse
(30,809 posts)It's amazing all the other companies sold us out so readily. Although I suppose, in addition to a bundle of cash, they were given assurances that the public would never know.
Heywood J
(2,515 posts)systems or other products,
Because we review every line of code out of tens of millions inserted by "our employees" or those with back doors into our servers. Anyone who thinks they've escaped from this stuff isn't looking hard enough.
mwooldri
(10,303 posts)Apple: closed system where you can not see all the code. Who knows what is in that Apple device code? However when you have the NSA, and government agencies in other countries reviewing the same code (as well as professionals and hobbyists) then I have more assurance. Android - same way.
Volaris
(10,270 posts)What if all code for all operating systems were required to be open, but read-only? That way, we could know what's actually IN THERE, but it couldnt be altered by a third-party without permission from whoever wrote the code in the first place. If that were the case, I would be a hell of a lot more likely to trust an Apple or a Google when they tell me stuff like this...
Recursion
(56,582 posts)Windows will let you see their code if you get a very expensive bond.
Personally, I only run software I can audit, but that's more because I do a lot of debugging and need that than it is out of principle.
jeff47
(26,549 posts)Recursion
(56,582 posts)jeff47
(26,549 posts)Changes from third parties are not automatically added to open source software. The people running the project review the changes and add them if appropriate.
Also, your proposal would not work at all for closed-source software. Because you can still compile the "read-only" copy into a fully functioning operating system. The reason companies stay closed-source is to avoid that.
mwooldri
(10,303 posts)that's the wonderful thing about open source. If some people working on an open source software project disagree with the direction the project is going, they're free to split and continue the development of the project their way - hence forking. You can't do that with Windows, or iOS. OSX has some open source parts (BSD, FreeBSD) but an awful lot is closed off and proprietary.
As for SE Linux, it's not a specific distribution, but patches available for the Linux kernel - introduced around 2000-2003. Some Linux distributions have SE Linux in their kernels, others don't. Red Hat Linux (later Fedora) has SE Linux in it... and Red Flag Linux is a fork off of Red Hat Linux (Red Flag Linux - Chinese govt. distro), as would be Red Star OS (N Korean Linux distro). I'm sure their guys have gone through all the patches to ensure the NSA doesn't have a back door and maybe install one of their own.
Volaris
(10,270 posts)Recursion
(56,582 posts)The NSA's contributions to Linux and Android are available for anyone to read.
Recursion
(56,582 posts)Their code base contains code written by the University of California at Berkeley.
jeff47
(26,549 posts)If you're worried about secret malevolent code, you want open source software. Because everyone can read the source code and find that malevolent code.
Proprietary operating systems can hide whatever they want in their software.
East Coast Pirate
(775 posts)Because they can.
Laelth
(32,017 posts)-Laelth
Recursion
(56,582 posts)Laelth
(32,017 posts)I wasn't aware of this, and I suspect I am not alone in that. If it's old news to you, then I bow to your superior knowledge.
-Laelth
Recursion
(56,582 posts)and I don't like seeing it talked down.
djean111
(14,255 posts)Whose watch?
Who benefits?
If you are not doing anything wrong, why worry?
Who gets to decide what is wrong, what is a pattern, etc.?
Who gets swept up into a net via idle curiosity, wrong numbers, using keywords in jest, doing a little research on a passingly interesting news story, not knowing that one's friend is being investigated because they made 100 copies of a school flyer for their child, registered as Independent or Green - possibilities are endless.
What's the answer? Demand changes? Everyone use a keyword in every conversation, rendering classification meaningless?
Now that we are cognizant of this stuff, will that make it moot, in a way? Once a person knows they are being watched, their behavior changes, IMO, and negates the watching.
a2liberal
(1,524 posts)I'm as anti-NSA-spying as anyone (seriously, check my recs and comment history), but SELinux (and its counterpart SE for Android) are no spying tools. They are ways to make Linux (and Android) "more secure" *) by adding privilege lists for users and actions beyond the traditional Unix permissions system. As stated in the article (and shrugged off dismissively for some reason), this code has been reviewed by many many people, and you can go review it yourself. Just because an agency does bad things doesn't mean everything they do is bad.
And for those saying Apple is better just because they claim they don't have any NSA code, keep in mind that nobody can verify what Apple says because it's all closed-source. With open source everybody can check. With closed-source you're relying on what the company is telling you, because companies are soooo trustworthy and can't be coerced by the government to lie....
(*) I actually hate SELinux because I think it's overkill, makes systems difficult to use when fully enabled, and doesn't actually provide much more security above properly-configured regular permissions, but that's a technical debate that I've had on the local LUG mailing list. Not because of some FUD spying concern.
Recursion
(56,582 posts)That was a pretty epic flame war on openbsd-misc.
a2liberal
(1,524 posts)went looking for it now and didn't find anything that Theo was involved in... http://kerneltrap.org/mailarchive/openbsd-misc/2007/9/22/272545" target="_blank">this is the closest I found. Thanks for the heads-up, that was an interesting read. Let me know if there was something else too
kenny blankenship
(15,689 posts)People are understandably suspicious of anything attached to or originating in the NSA. But while on the one hand the NSA is tasked now by whoever actually runs the USA to spy on every intimate detail of citizen's lives via signals intelligence, it also has legitimate tasks of keeping an eye on foreign governments and non-state actors who represent a threat to our nation. It also has the task of trying to shore up the cyber security infrastructure of the US government and US based corporations. This is the kind of work it is supposed to be doing. Not everything they're tasked with is sinister - at least from the vantage of the interests of US citizens. Unfortunately the other shit they have been told to do overshadows their legitimate work and calls it into question.
Code contributions by NSA to an open source system like Linux and derivatives like Android are going to be scrutinized over and over by Linux developers as well as developers of rival systems, as well as by security experts not part of any OS devel team. Whitehat hackers will be suspicious of it and poke at it and kick it from every angle to find the suspected backdoor. It will be examined by researchers in university comp sci departments around the whole world.
from the fearmongering article:
SE for Android is an offshoot of a long-running NSA project called Security-Enhanced Linux. That code was integrated a decade ago into the main version of the open-source operating system*, the server platform of choice for Internet leaders including Google, (etc, etc)...
and I'll add to that list of critical internet infrastructure that runs on Linux-
the Godalmighty NEW YORK STOCK EXCHANGE, along with a great many trading house systems that interface with the NYSE. The ability to launch a successful cyber-attack on the NYSE would relieve a hostile power of the need and expense to build a nuclear arsenal competitive with the US.
...just to make it clear for all how the NSA would have a legit interest and role in making sure Linux as used by big corporations sourcing it from vendors like HP have security enhancements of the sort already developed for big government UNIX systems.
*Although few Linux installations will actually have SE extensions to the OS present or enabled.
Recursion
(56,582 posts)Since the theory is to remove a single super privileged operator from the mix.
L0oniX
(31,493 posts)that will hurt MicroSux.
bunnies
(15,859 posts)Recursion
(56,582 posts)That's the beauty of open source. NSA made some epic contributions to Linux already. And they didn't install "back doors" in Windows, they and a few thousand other vendors installed keys that verify the operating system to software. Nobody requires malware to verify on the client side.
rtracey
(2,062 posts)Does your aluminum foal hat fit? The spy network of our government has been spying on us for decades, why now is everyone so up in arms about it. We choose to live in an internet, quick access, get it now, 24 hour a day world, and this living situation calls for different and changing security measures. If the spying from the NSA bothers you, why aren't you pissed at the fact that private companies are spying on you too, watching your every move, recording your every key stroke. If not, then how did Golf Galaxy know I wanted the new Nike driver, or how did Adobe know I looked at the new CC software. NSA does have a chip in all new phones... IT'S CALLED GPS.... they can spy on anyone at anytime, and we all know it, so just tilt the hat to the left and smile...
sir pball
(4,741 posts)..at the time there was bad noise about the alterations being a weakening or an outright "backdoor", but it turns out the NSA (and IBM) had secretly discovered an entirely new type of attack and were actually strengthening the cipher:
There was some criticism from various parties, including from public-key cryptography pioneers Martin Hellman and Whitfield Diffie, citing a shortened key length and the mysterious "S-boxes" as evidence of improper interference from the NSA. The suspicion was that the algorithm had been covertly weakened by the intelligence agency so that they but no-one else could easily read encrypted messages. Alan Konheim (one of the designers of DES) commented, "We sent the S-boxes off to Washington. They came back and were all different."
-------
Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open publication by Eli Biham and Adi Shamir of differential cryptanalysis, a general method for breaking block ciphers. The S-boxes of DES were much more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM knew about the technique in the 1970s. This was indeed the case; in 1994, Don Coppersmith published some of the original design criteria for the S-boxes Bruce Schneier observed that "It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES."
It's not like the NSA is making changes to the binaries, that would be difficult to figure out even with sophisticated tools and knowledge - it's open changes to the code; I'm reserving judgement until I see an analysis of what it is and what it does but logically and historically it's likely to be at least benign if not outright positive. The spooks have the resources to do their dirty work behind the scenes, without having to insert obfuscated code (which is harder than it sounds) into the repository.
Recursion
(56,582 posts)Though I'm more of a fan of Blowfish.
FarCenter
(19,429 posts)Be very afraid.
randome
(34,845 posts)...that much of the divide on DU is between those lacking knowledge of technology and those who are steeped in it.
I am not as knowledgeable of the details as some of the posters on this thread are but I know enough to recognize when something sounds authentic and when it sounds like bullshit.
The 'NSA has back doors into everything!' claim has always been bullshit.
[hr]
[font color="blue"][center]Birds are territorial creatures.
The lyrics to the songbird's melodious trill go something like this:
"Stay out of my territory or I'll PECK YOUR GODDAMNED EYES OUT!"[/center][/font]
[hr]
winter is coming
(11,785 posts)randome
(34,845 posts)[hr]
[font color="blue"][center]Birds are territorial creatures.
The lyrics to the songbird's melodious trill go something like this:
"Stay out of my territory or I'll PECK YOUR GODDAMNED EYES OUT!"[/center][/font]
[hr]
jeff47
(26,549 posts)The NSA has two branches.
One branch does the spying. The other branch prevents spying on the US. And this information is so hard to find that it's on the NSA's fucking home page on the Internet.
That second branch has written all sorts of enhancements to the Linux operating system, distributed as SE Linux. It makes the operating system much more secure. They're doing the same kind of thing for Android.
As for "Is the NSA code malevolent? That is unknown.", that is extremely, extremely stupid. Android is open source. Everyone can read the "NSA code" and see what it does. So either everyone is part of a vast NSA conspiracy, or it's not malevolent.
If you are going to criticize the government, you have two choices:
1) Decide what parts are "evil" based entirely on what you vaguely remember hearing from anecdotes, and then scream loudly about your position.
2) Take the time to find out what is actually going on, and then have rational discussions about it.
Republicans chose #1. It used to be Democrats mostly chose #2. It looks like that isn't the case anymore.
cantbeserious
(13,039 posts)eom
jeff47
(26,549 posts)cantbeserious
(13,039 posts)eom
TampaAnimusVortex
(785 posts)How many coders out there would love to become famous and make a name for themselves by exposing malicious code designed to spy on everyone that was "hidden in plain view".
You might as well just edit that word "faith" out of your last comment, because it doesn't take faith if one is a coder... All it takes a pair of eyes.
cantbeserious
(13,039 posts)eom
randome
(34,845 posts)There are probably tens of thousands (maybe hundreds of thousands?) of Android coders who have looked at that code and understand what it does.
It's like the heating elements in your microwave oven. You don't need to understand how they work but it's pretty obvious they do.
There is nothing 'tricky' about code any more than there is something 'tricky' about a hammer.
[hr]
[font color="blue"][center]Birds are territorial creatures.
The lyrics to the songbird's melodious trill go something like this:
"Stay out of my territory or I'll PECK YOUR GODDAMNED EYES OUT!"[/center][/font]
[hr]
cantbeserious
(13,039 posts)eom
avaistheone1
(14,626 posts)napoleon_in_rags
(3,991 posts)NSA contributes to open source projects, which isnt the same as backdoors. This particular thing may not be as scary as it sounds...
cantbeserious
(13,039 posts)eom
napoleon_in_rags
(3,991 posts)But I'm pretty confident that if they are, the publicly reviewed code NSA contributed to Android/Linux isn't to blame. I suspect the method would be sneakier than that.
cantbeserious
(13,039 posts)eom
Recursion
(56,582 posts)cantbeserious
(13,039 posts)eom