Money, is my theory. Nothing to do with security. THAT is the scandal they are trying to cover up.

Did they pay to get access? Are they using blackmail and extortion? Sounds like a recipe for chaos.

It's a module that allows for better security auditing.

With this, unlike Proprietary Software like MS Windows, anyone can contribute code. Peer review means that there are many people looking at that code... if there is any malware in there the Android Community will spot it, as is the case with Linux.

I for one am not concerned. The NSA even had a Linux distribution at one point with their code in it. With Proprietary software, I don't have that confidence because I can't see in.

Oh, and Linux is free (as in beer) - Android is too.

It's a bit dated at this point (10 years old) and there have been some developments in security philosophy since then, but it's good stuff.

Apple appears to be immune from this unprecedented breach of customer loyalty, if only for now, although open-sourced Linux may not be as lucky:

“Apple (AAPL) does not accept source code from any government agencies for any of our operating systems or other products,” says Kristin Huguet, a spokeswoman for the company. It’s not known if any other proprietary operating systems are using NSA code. SE for Android is an offshoot of a long-running NSA project called Security-Enhanced Linux. That code was integrated a decade ago into the main version of the open-source operating system, the server platform of choice for Internet leaders including Google, Facebook (FB), and Yahoo! (YHOO). Jeff Zemlin, the executive director of the Linux Foundation, says the NSA didn’t add any obvious means of eavesdropping. “This code was peer-reviewed by a lot of people,” he says.

From OPs link

It's amazing all the other companies sold us out so readily. Although I suppose, in addition to a bundle of cash, they were given assurances that the public would never know.

systems or other products,”

Because we review every line of code out of tens of millions inserted by "our employees" or those with back doors into our servers. Anyone who thinks they've escaped from this stuff isn't looking hard enough.

Apple: closed system where you can not see all the code. Who knows what is in that Apple device code? However when you have the NSA, and government agencies in other countries reviewing the same code (as well as professionals and hobbyists) then I have more assurance. Android - same way.

What if all code for all operating systems were required to be open, but read-only? That way, we could know what's actually IN THERE, but it couldnt be altered by a third-party without permission from whoever wrote the code in the first place. If that were the case, I would be a hell of a lot more likely to trust an Apple or a Google when they tell me stuff like this...

Windows will let you see their code if you get a very expensive bond.

Personally, I only run software I can audit, but that's more because I do a lot of debugging and need that than it is out of principle.

Changes from third parties are not automatically added to open source software. The people running the project review the changes and add them if appropriate.

Also, your proposal would not work at all for closed-source software. Because you can still compile the "read-only" copy into a fully functioning operating system. The reason companies stay closed-source is to avoid that.

that's the wonderful thing about open source. If some people working on an open source software project disagree with the direction the project is going, they're free to split and continue the development of the project their way - hence forking. You can't do that with Windows, or iOS. OSX has some open source parts (BSD, FreeBSD) but an awful lot is closed off and proprietary.

As for SE Linux, it's not a specific distribution, but patches available for the Linux kernel - introduced around 2000-2003. Some Linux distributions have SE Linux in their kernels, others don't. Red Hat Linux (later Fedora) has SE Linux in it... and Red Flag Linux is a fork off of Red Hat Linux (Red Flag Linux - Chinese govt. distro), as would be Red Star OS (N Korean Linux distro). I'm sure their guys have gone through all the patches to ensure the NSA doesn't have a back door and maybe install one of their own.

The NSA's contributions to Linux and Android are available for anyone to read.

Their code base contains code written by the University of California at Berkeley.

If you're worried about secret malevolent code, you want open source software. Because everyone can read the source code and find that malevolent code.

Proprietary operating systems can hide whatever they want in their software.

Because they can.

-Laelth

I wasn't aware of this, and I suspect I am not alone in that. If it's old news to you, then I bow to your superior knowledge.

-Laelth

and I don't like seeing it talked down.

Whose watch?
Who benefits?
If you are not doing anything wrong, why worry?
Who gets to decide what is wrong, what is a pattern, etc.?
Who gets swept up into a net via idle curiosity, wrong numbers, using keywords in jest, doing a little research on a passingly interesting news story, not knowing that one's friend is being investigated because they made 100 copies of a school flyer for their child, registered as Independent or Green - possibilities are endless.
What's the answer? Demand changes? Everyone use a keyword in every conversation, rendering classification meaningless?
Now that we are cognizant of this stuff, will that make it moot, in a way? Once a person knows they are being watched, their behavior changes, IMO, and negates the watching.

I'm as anti-NSA-spying as anyone (seriously, check my recs and comment history), but SELinux (and its counterpart SE for Android) are no spying tools. They are ways to make Linux (and Android) "more secure&quot *) by adding privilege lists for users and actions beyond the traditional Unix permissions system. As stated in the article (and shrugged off dismissively for some reason), this code has been reviewed by many many people, and you can go review it yourself. Just because an agency does bad things doesn't mean everything they do is bad.

And for those saying Apple is better just because they claim they don't have any NSA code, keep in mind that nobody can verify what Apple says because it's all closed-source. With open source everybody can check. With closed-source you're relying on what the company is telling you, because companies are soooo trustworthy and can't be coerced by the government to lie....

(*) I actually hate SELinux because I think it's overkill, makes systems difficult to use when fully enabled, and doesn't actually provide much more security above properly-configured regular permissions, but that's a technical debate that I've had on the local LUG mailing list. Not because of some FUD spying concern.

That was a pretty epic flame war on openbsd-misc.

went looking for it now and didn't find anything that Theo was involved in... http://kerneltrap.org/mailarchive/openbsd-misc/2007/9/22/272545" target="_blank">this is the closest I found. Thanks for the heads-up, that was an interesting read. Let me know if there was something else too

People are understandably suspicious of anything attached to or originating in the NSA. But while on the one hand the NSA is tasked now by whoever actually runs the USA to spy on every intimate detail of citizen's lives via signals intelligence, it also has legitimate tasks of keeping an eye on foreign governments and non-state actors who represent a threat to our nation. It also has the task of trying to shore up the cyber security infrastructure of the US government and US based corporations. This is the kind of work it is supposed to be doing. Not everything they're tasked with is sinister - at least from the vantage of the interests of US citizens. Unfortunately the other shit they have been told to do overshadows their legitimate work and calls it into question.

Code contributions by NSA to an open source system like Linux and derivatives like Android are going to be scrutinized over and over by Linux developers as well as developers of rival systems, as well as by security experts not part of any OS devel team. Whitehat hackers will be suspicious of it and poke at it and kick it from every angle to find the suspected backdoor. It will be examined by researchers in university comp sci departments around the whole world.

from the fearmongering article:
SE for Android is an offshoot of a long-running NSA project called Security-Enhanced Linux. That code was integrated a decade ago into the main version of the open-source operating system*, the server platform of choice for Internet leaders including Google, (etc, etc)...

and I'll add to that list of critical internet infrastructure that runs on Linux-
the Godalmighty NEW YORK STOCK EXCHANGE, along with a great many trading house systems that interface with the NYSE. The ability to launch a successful cyber-attack on the NYSE would relieve a hostile power of the need and expense to build a nuclear arsenal competitive with the US.

...just to make it clear for all how the NSA would have a legit interest and role in making sure Linux as used by big corporations sourcing it from vendors like HP have security enhancements of the sort already developed for big government UNIX systems.

*Although few Linux installations will actually have SE extensions to the OS present or enabled.

Since the theory is to remove a single super privileged operator from the mix.

that will hurt MicroSux.

That's the beauty of open source. NSA made some epic contributions to Linux already. And they didn't install "back doors" in Windows, they and a few thousand other vendors installed keys that verify the operating system to software. Nobody requires malware to verify on the client side.

Does your aluminum foal hat fit? The spy network of our government has been spying on us for decades, why now is everyone so up in arms about it. We choose to live in an internet, quick access, get it now, 24 hour a day world, and this living situation calls for different and changing security measures. If the spying from the NSA bothers you, why aren't you pissed at the fact that private companies are spying on you too, watching your every move, recording your every key stroke. If not, then how did Golf Galaxy know I wanted the new Nike driver, or how did Adobe know I looked at the new CC software. NSA does have a chip in all new phones... IT'S CALLED GPS.... they can spy on anyone at anytime, and we all know it, so just tilt the hat to the left and smile...

..at the time there was bad noise about the alterations being a weakening or an outright "backdoor", but it turns out the NSA (and IBM) had secretly discovered an entirely new type of attack and were actually strengthening the cipher:

Though I'm more of a fan of Blowfish.

Be very afraid.

...that much of the divide on DU is between those lacking knowledge of technology and those who are steeped in it.

I am not as knowledgeable of the details as some of the posters on this thread are but I know enough to recognize when something sounds authentic and when it sounds like bullshit.

The 'NSA has back doors into everything!' claim has always been bullshit.

[hr]
[font color="blue"][center]Birds are territorial creatures.
The lyrics to the songbird's melodious trill go something like this:
"Stay out of my territory or I'll PECK YOUR GODDAMNED EYES OUT!"[/center][/font]
[hr]

The NSA has two branches.

One branch does the spying. The other branch prevents spying on the US. And this information is so hard to find that it's on the NSA's fucking home page on the Internet.

That second branch has written all sorts of enhancements to the Linux operating system, distributed as SE Linux. It makes the operating system much more secure. They're doing the same kind of thing for Android.

As for "Is the NSA code malevolent? That is unknown.", that is extremely, extremely stupid. Android is open source. Everyone can read the "NSA code" and see what it does. So either everyone is part of a vast NSA conspiracy, or it's not malevolent.


If you are going to criticize the government, you have two choices:

1) Decide what parts are "evil" based entirely on what you vaguely remember hearing from anecdotes, and then scream loudly about your position.

2) Take the time to find out what is actually going on, and then have rational discussions about it.

Republicans chose #1. It used to be Democrats mostly chose #2. It looks like that isn't the case anymore.

eom

eom

How many coders out there would love to become famous and make a name for themselves by exposing malicious code designed to spy on everyone that was "hidden in plain view".

You might as well just edit that word "faith" out of your last comment, because it doesn't take faith if one is a coder... All it takes a pair of eyes.

eom

There are probably tens of thousands (maybe hundreds of thousands?) of Android coders who have looked at that code and understand what it does.

It's like the heating elements in your microwave oven. You don't need to understand how they work but it's pretty obvious they do.

There is nothing 'tricky' about code any more than there is something 'tricky' about a hammer.

[hr]
[font color="blue"][center]Birds are territorial creatures.
The lyrics to the songbird's melodious trill go something like this:
"Stay out of my territory or I'll PECK YOUR GODDAMNED EYES OUT!"[/center][/font]
[hr]

eom

NSA contributes to open source projects, which isnt the same as backdoors. This particular thing may not be as scary as it sounds...

eom

But I'm pretty confident that if they are, the publicly reviewed code NSA contributed to Android/Linux isn't to blame. I suspect the method would be sneakier than that.

eom

eom