Saturday, June 24, 2006

"Trust"

LinuxUser
www.linuxuser.co.uk - June 2006.

Written by Jeremy Allison

One of the most disturbing pieces of news of recent days was seeing the Chinese president, Hu Jintao, meeting Mr. Bill Gates at the Gates mansion, even before meeting President Bush. A smiling Jintao remarked that he used Mr. Gates's operating system every day, while Bill promised to help with technical support. But it appears that Bill and the people in Redmond could be helping with more than simple technical support, and not just helping the Chinese government. Let me take a small diversion to 1982.

The largest non-nuclear explosion ever recorded by satellite took place in Russia in 1982: a blast in a pipeline in Siberia. The disturbing and little-known truth about this disaster is that it was caused directly by the CIA, which had deliberately modified software supplied to the Soviet Union (in binary form only, of course). The software was designed to destroy the pipeline.

You may think this is another paranoid fantasy (it certainly sounds like one, I know), but it is documented in the book "At the Abyss: An Insider's History of the Cold War" by Thomas C. Reed, a former Secretary of the Air Force who served on the National Security Council. It was also reported by the Washington Post in 2004, and even mentioned in an article in the CIA's own journal, "Studies in Intelligence".

This was not simply an attack on the Soviet Union; it also affected gas prices in Western Europe (the pipeline was designed to carry gas to Europe), all as a side effect of U.S. attempts to disrupt Soviet foreign-exchange earnings.

I wonder whether the Chinese have considered this piece of history. Judging by their inclination to run Windows on their infrastructure, and by the recent promises of Chinese PC makers to ship "Windows Genuine" on PCs from China, it seems not.

The study of this single incident, in which binary-only software caused enormous economic damage, should be mandatory for the decision makers of any nation that might have conflicts of interest with the U.S. That is the whole of the rest of the world, in case you were wondering. Even that normally very docile American pet, the United Kingdom, has rejected binary-only control software for the new joint fighter aircraft, and has threatened to cancel the order if it is not given access to the source code.

Perhaps the UK is not as docile as it sounds, since the British military seems to understand the need to control the software in at least some critical parts of its infrastructure.


So, who can you trust in computing? And why?

I would love to say that open source companies can be trusted because you get the source code, whereas proprietary software companies cannot be trusted because the source code is unavailable. But it is not that simple. Microsoft has widely announced that it will give the Windows source code to China and to any other country that complains about the possibility of such threats from binary-only code.

Are you hoping that a Linux distributor would say NO to the U.S. government if asked (nicely, of course) to put a backdoor into the Linux binary images shipped as part of its product?

How many of us actually use the source code, so kindly included on the extra CDs, to compile our own version?

With Windows, of course, there are already so many backdoors, known and unknown, that the U.S. government may not even bother to ask Microsoft for anything. They may already have one ready to use at will.

And what about Intel or AMD and the microcode that ships inside the processor itself?

Even with access to the Windows source code, Windows is still not trustworthy unless you compile it yourself and install only the binaries you built on your own machine.

Having source code that claims to correspond to a software product proves nothing about the binary version of the product you are actually using, unless you built that binary yourself. How many of the copies of Windows installed on Chinese government computers were in fact compiled by the Chinese themselves? None, is my bet.

The same applies, of course, for the United Kingdom.

What this means is that the many governments around the world that accept binary-only packaged software from software companies in the United States are at the mercy of U.S. intelligence services, which might have decided to add a "little something extra" to the code. If you think I am being paranoid, talk to the Russians.

For completeness, however, and for the truly paranoid: even compiling the code yourself is NOT sufficient to guarantee that you get "trusted" computing. In his seminal 1984 article "Reflections on Trusting Trust", Ken Thompson, one of the original authors of Unix, tells the story of how he hacked the Unix system's C compiler, the software used to create new binaries from source code, to add a completely undetectable backdoor to Unix. Once built, there was no trace of the backdoor in any of the publicly available Unix source code. It was cleverly hidden in the binary, and it was designed to reproduce and propagate itself into any new compiler binary created on the system.

That was a theoretical attack: not something he actually did, but something he could have done. At least, that is what I hope, and I am inclined to trust him.
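As an added example, not from Allison's column: a toy model of the compiler attack he describes, together with the check a defender can run against it, David A. Wheeler's diverse double-compiling, which also makes concrete the earlier point that source code proves nothing about a binary you did not build yourself. The sources, compiler functions and marker strings are constructed for this illustration.

```python
# Toy model of Thompson's self-replicating compiler backdoor and of the check
# that catches it, Diverse Double-Compiling (DDC, David A. Wheeler). A compiler
# is a function from source text to a "binary" string; the sources and marker
# strings below are constructed for this example.
COMPILER_SRC = "compiler: translate source into binary"    # clean, auditable
LOGIN_SRC = "login: accept only the user's real password"  # clean, auditable
TROJAN_MARK = "+SELF_REPLICATING_TROJAN"
BACKDOOR_MARK = "+BACKDOOR"

def clean_compile(src: str) -> str:
    """Honest compiler: the binary is a deterministic function of the source."""
    return f"bin({src})"

def trojaned_compile(src: str) -> str:
    """Thompson-style compiler: honest, except that it plants a backdoor into login
    and re-plants itself when compiling the compiler, so it survives rebuilds
    from perfectly clean source."""
    out = clean_compile(src)
    if src.startswith("login:"):
        out += BACKDOOR_MARK
    if src.startswith("compiler:"):
        out += TROJAN_MARK
    return out

def run_compiler(compiler_bin: str, src: str) -> str:
    """'Execute' a compiler binary: a trojaned binary acts like trojaned_compile."""
    return trojaned_compile(src) if TROJAN_MARK in compiler_bin else clean_compile(src)

def diverse_double_compile(compiler_src: str, suspect_bin: str, trusted_bin: str) -> bool:
    """DDC: rebuild the compiler from source with an independent trusted compiler
    (stage 1), then let that result rebuild itself (stage 2). An honest suspect
    binary built from compiler_src is bit-for-bit identical to stage 2; a
    self-replicating trojan is not in compiler_src, so it cannot reach stage 2."""
    stage1 = run_compiler(trusted_bin, compiler_src)
    stage2 = run_compiler(stage1, compiler_src)
    return stage2 == suspect_bin

def demo() -> dict:
    """A vendor ships a compiler binary; we hold the same source and a trusted compiler."""
    trusted_bin = clean_compile(COMPILER_SRC)  # e.g. an older, independently built compiler
    honest_vendor_bin = clean_compile(COMPILER_SRC)
    trojaned_vendor_bin = trojaned_compile(COMPILER_SRC)
    # Clean login source compiled by the trojaned compiler gains a backdoor with no trace
    # in either the login source or the compiler source: a source audit cannot see it.
    login_from_trojan = run_compiler(trojaned_vendor_bin, LOGIN_SRC)
    return {
        "honest_passes_ddc": diverse_double_compile(COMPILER_SRC, honest_vendor_bin, trusted_bin),
        "trojan_passes_ddc": diverse_double_compile(COMPILER_SRC, trojaned_vendor_bin, trusted_bin),
        "login_backdoored": BACKDOOR_MARK in login_from_trojan,
    }
```

The check only works if the trusted compiler is genuinely independent of the suspect one and the build is deterministic; in practice that is the hard part.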

The only way to get trustworthy code is to design the processor yourself (yes, there can be backdoors in the processor's microcode just as in binary code), write your own compiler, and audit all the open source code you build with it for use in your command-and-control systems. Anything else is trusting the untrustworthy.


I leave you with some words from Ken Thompson's article that are as true today as they were in 1984: "The moral is obvious. You can't trust code that you did not create yourself (especially code from companies that employ people like me). No amount of source code verification or scrutiny will protect you from using untrusted code. To demonstrate the possibility of this kind of attack, I chose the C compiler; I could have chosen any program that manipulates other programs, such as an assembler, a loader, or even hardware microcode. As the level of the programs gets lower, these bugs will be harder and harder to detect. A bug installed in the microcode will be almost impossible to detect."

Jeremy Allison is lead developer of the Samba Team.

Freely translated by Jacinto Dávila.
