Linked by runjorel on Thu 13th Jan 2011 19:35 UTC
Linux "At the end of 2010, the 'open-source' software movement, whose activists tend to be fringe academics and ponytailed computer geeks, found an unusual ally: the Russian government. Vladimir Putin signed a 20-page executive order requiring all public institutions in Russia to replace proprietary software, developed by companies like Microsoft and Adobe, with free open-source alternatives by 2015."
Permalink for comment 458153
To read all comments associated with this story, please click here.
RE[5]: Security is a big concern
by Laurence on Sat 15th Jan 2011 14:40 UTC in reply to "RE[4]: Security is a big concern"
Laurence
Member since:
2007-03-26


It may be unlikely, but only an idiot would claim it couldn't be done.

I didn't say it couldn't. I just said it's unlikely.


I certainly hope your not suggesting that because the pipe is small that it's of no danger! Maybe all they need is password/credentials/keys. Such could easily compromise VPN encryption or admin account.

Fair point.


Use your head!! Just because the HTTP protocol isn't encrypted doesn't mean someone couldn't hide a covert message within perfectly normal IIS/HTTP variables.

No need to get offensive. Particularly when you're point is still invalid:
IIS has nothing to do with it as workstations shouldn't have a webserver installed (if they do, then that's a larger security risk anyway).

So it's just HTTP headers being sent by IE - which is plain text and well documented. Thus someone would have noticed before now if there was anything unusual in plain text HTTP headers. (in fact, this point is just as valid for IIS as well).

You either didn't read or didn't comprehend my previous message. An entity with the ability to wiretap doesn't strictly need to direct packets to a tracable IP.

No, but they still need to send packets and packets can still be analysed. Thus my point stands.


Furthermore, if a backdoor leaked the information through normal connections over the course of several days using stenography, then even the most determined sysadmin would fail to detect a leak since every single packet would appear to be normal traffic.

That's a cyclic argument.
You're arguing that stenography would be impossible to trace because it's using stenography. However you've not given an example that I haven't been able to find a method of detection.



"Not if you're sat behind a firewall with restrictive port access - as most businesses and governments would be."

This makes you sound like a novice. Even with a firewall, connections must get through. These open up attack vectors. Firewalls do not protect normal connections from being exploited.

You call me a novice yet you seem to be in the dark about how to lock down a network.

if you block outgoing connections on all but a small subset of ports, then you significantly reduce the attack vector already.
The port 80 and 443 would only be open via a HTTP/S proxy. So you couldn't get non-HTTP traffic over those ports.

Generally speaking, a business / government IT infrastructure would use Exchange to manage e-mail. Thus ports typical to e-mail would be blocked on all IPs bar the Exchange server.

The only obvious work around that now springs to mind is a HTTP tunnel. But to do so, you're creating a clear outgoing link that will be logged by the proxy. So if MS were sending out bucket loads of HTTP tunnels then someone somewhere would have noticed by now.


I've never claimed that there was a backdoor, only that there is the possibility for one which you cannot disprove by looking at traffic alone. That is after all what we're talking about.

I'm sure there is a way - albeit nobody has even come close to describing it on here.
I just think it's unlikely that MS are using it.

You're reply was mistaken, stenography can apply to much more than just embedded images within emails.

Yeah, sorry. I was responding to the e-mail example directly and missed the larger point.

"It's 100% just paranoia. Sure MS have the technical ability, but then so does open source."

Well, if they (ms/gov) posses the technical ability, then the only thing stopping them from doing it is ethics. Just because you believe them doesn't mean other people do.

Again, that could apply for any piece of software so you could argue that every single application and OS you've used was potentially spyware.


It could happen to open source too, but then it would be much more difficult to hide successfully for a prolonged period.

No it wouldn't. You just ship binaries with the backdoor and source without it.
Basically exactly the same as what MS would have to do with the organisations that have licences to Redmond's source.

For what it's worth, I have my own distribution.

Excellent. What is it?


"Sure, you can download the source too, but like Windows' source code, who's to say that backdoors weren't added after the source was published?"

md5/sha1

Which depends on you compiling clean source manually to create a trustworthy base reference. You certainly couldn't trust an md5 from the distributors if they were one ones compiling the repositories.

"You see, we could all make worthless speculation about backdoors in any OS that we haven't programmed personally."

I'm not asserting there is a back door, only that your reasoning for claiming there are none is faulty.

Well clearly it's not faulty if you then admit yourself that there might not be a backdoor.

I'm not definitely saying there isn't one. Just that it's highly improbable because of the difficulty to keep hidden and the backlash when they get found out.

These days it's much easier to get information legitimately - from social networks and hotmail to Bing. MS could even buy up a number of pipes and listen in on them if they really cared.
It's so easy to get "private" data in the information age as so much stuff is transmitted publicly. So there's no point in having backdoors leaking information.

"Putting such a backdoor in the kernel itself would be too low level. The minimum you need is keylogger and access to a TCP/IP stack - thus you need the backdoor in user space. It's not 'rules', it's pretty much the unbreakable laws of computer physics."

You're unbelievable! Are you for real? Of course the kernel can do keylogging and access the tcp stack. How could you possibly think otherwise?? What do you think a kernel does??

You do realise that NT's TCP/IP stack runs in user space.

I guess you could argue that backdoors could be built in kernel space. But realistically it would make much more sense building it in user space - it's just easier to implement as you wouldn't have to write kernel code for every case scenario (proxy servers et al) where as the framework is already there in userspace. Plus doing steganography in the kernel would be a bloody nightmare! The kernel wouldn't know the difference between HTTP from POP3 from telnet. It just see's a series of data packets to send to a NIC.
Thus building backdoors in user space would give you access to the framework already in place to reliably implement steganographical (is that a word?) techniques.

However, you clearly already knew all this....

Forget it, based on the lack of intelligence in your responses, I'm not interested in continuing this dialog.

Put the claws away and grow up.
My rebuttals have made perfect sense but you're too blinded by your own arrogance to acknowledge that anyone could counter your "expert" opinion.

The fact is, the examples you have given have been flawed. Now I'm not saying it's impossible. Just impractical and thus it's improbable that MS have implemented one.

If you want to continue discussing this, then please do so maturely. Else leave gracefully please because flouncing isn't helping your arguments.

Reply Parent Score: 2