[GLLUG] RedHat spooked ?

Nix nix at esperi.org.uk
Mon Jun 23 10:55:41 UTC 2014

On 20 Jun 2014, Mike Brodbelt uttered the following:
>> * Have I been complacent in assuming that Open Source distributions have not been spooked?
> [...] there have in the past been attempts made by parties unknown to place
> privilege escalation backdoors in the kernel

We can be almost certain that any such attempt was not the doing of the
NSA (or any major intelligence agency). It's both easily detectable and
pointless, since the kernel already contains lots of privilege
escalation vulnerabilities unintentionally introduced by its actual
developers. All the agencies need to do is find some, or pay someone
else with a tiny slice of their immense budgets to do so.

(Some agencies, such as China, have even less need to do so -- they
don't need to be subtle to spy on their own people, they can just decree
the use of specific OSes that everyone *knows* contain spyware. From
their perspective having everyone know they're being spied on is
actually a benefit if you're social-stability-at-all-costs obsessives
like the Chinese government has long been: knowing you're being spied on
is known to discourage behaviour that the surveilled might be ashamed of
-- heck, working under a *poster of a pair of eyes* is known to have
this effect, you don't need to actually spy on anyone at all!)

> I'd find it surprising if RedHat has not been the target of the NSA.
> The question to ask is whether or not the company has been compelled
> to assist. The only safeguard is transparency - all binaries must have
> full source available, and it must be demonstrably possible to cleanly
> rebuild identical binaries.

Of course this needs special measures to be taken: some object files
include timestamps, random padding, effective randomness from
profile-guided optimization -- and many symbol names, unless
specifically requested, are randomly generated (see -frandom-seed).

So one cannot simply say 'ooh, this binary is different from one I built
myself, proof of nefarious intent!'. Binaries built at different times
or on different systems will almost always be different unless
explicit measures were taken to make them the same.

> [...] You should also be suspicious of drivers
> that upload binary blob firmware, as that could have been backdoored
> separately.

Heck, if they're specifically interested in you they could have
undetectably bugged your flashable firmware or dumped a retro-reflector
on your system, which appears to work by modulating radio signals from
elsewhere, thus is almost undetectable anyway. But if an intelligence
agency is specifically interested in you there's not much you can do:
we're presumably talking about preventing dragnet-style mass population
surveillance here.

(The worrying thing is that the flashable stuff is potentially usable in
a dragnet mode: upload something that probes to see if you have model X
of disk controller and install an "implant" on *all* such systems. I
presume they're not doing this because these things are relatively
high-value and hard to produce, and because there is enough variability
in such hardware that it is quite likely that such things would break a
detectable fraction of the systems they were applied to, revealing the
attack. So I suspect dragnet surveillance will remain more or less
passive, tapping various central points with or without the connivance
of the operators of those central points and decrypting rather than
modifying individuals' systems to report back on a large scale.)

NULL && (void)
