Linked by runjorel on Thu 13th Jan 2011 19:35 UTC
Linux "At the end of 2010, the 'open-source' software movement, whose activists tend to be fringe academics and ponytailed computer geeks, found an unusual ally: the Russian government. Vladimir Putin signed a 20-page executive order requiring all public institutions in Russia to replace proprietary software, developed by companies like Microsoft and Adobe, with free open-source alternatives by 2015."
Thread beginning with comment 457684
Security is a big concern
by drcoldfoot on Thu 13th Jan 2011 22:10 UTC
drcoldfoot Member since:
2006-08-25

One thing proprietary software such as Microsoft's offerings adds is the ability to introduce code that could create backdoors, or even send data back to the source or government w/o the end user's consent or knowledge... all done via the OS's kernel or via a driver of the Proprietary OS's signing. And since the OS is proprietary, it's extremely easy to introduce, either by the behest of a foreign government, or by the behest of the home government. At least with open-source OSs I believe it is much more costly, resource intensive, and difficult to do or even keep in the wild without someone recognizing a "security flaw".

Reply Score: 1

RE: Security is a big concern
by Laurence on Fri 14th Jan 2011 09:46 in reply to "Security is a big concern"
Laurence Member since:
2007-03-26

"One thing proprietary software such as Microsoft's offerings adds is the ability to introduce code that could create backdoors, or even send data back to the source or government w/o the end user's consent or knowledge... all done via the OS's kernel or via a driver of the Proprietary OS's signing. And since the OS is proprietary, it's extremely easy to introduce, either by the behest of a foreign government, or by the behest of the home government. At least with open-source OSs I believe it is much more costly, resource intensive, and difficult to do or even keep in the wild without someone recognizing a 'security flaw'."


As I said before, it would be quite easy to track outgoing connections (even if you can't establish the content of the traffic).

The Russian Government wouldn't be using a special build of Windows, thus if there are backdoors in the Russian builds then there are going to be backdoors in everyone's build.

So what you're essentially suggesting is that globally there isn't a single network administrator with Windows clients or servers in their infrastructure that is competent enough to notice unauthorised outgoing network connections.

Personally I think the more likely answer is that the whole "MS build backdoors to monitor governments" is just scaremongering from the kind of tin-hat wearing conspiracy theorists that think the moon landings were faked.

Furthermore, you wouldn't write such a backdoor into the kernel itself. It would be completely useless there. You'd want it in userspace albeit still built into the OS framework.

Edited 2011-01-14 09:49 UTC

Reply Parent Score: 3

RE[2]: Security is a big concern
by Veran on Fri 14th Jan 2011 13:02 in reply to "RE: Security is a big concern"
Veran Member since:
2011-01-14

I know, that one is old: but Microsoft would never do something like implementing backdoors to their software... http://www.heise.de/tp/r4/artikel/5/5263/1.html

We can't know if there are backdoors within Windows Vista / Windows 7.
One thing is for sure: if they would like to implement any backdoors into Windows, they could.

Reply Parent Score: 1

fisherman2 Member since:
2011-01-14

You are definitely underestimating the cleverness of a resourceful opponent.

"As I said before, it would be quite easy to track outgoing connections (even if you can't establish the content of the traffic)."

At some point these machines will connect back to MS or Google or some other website under US jurisdiction through their normal course of use.

It would not be impossible to hide information in the TCP stack such that neither the sender nor receiver knows about a hidden channel; all that would be necessary would be for the government to wiretap the traffic. Slight variations in ACK/PSH behavior or window boundaries could in fact contain hidden information at the IP level. The TCP timestamp field could easily leak a few bits of information per packet.

Numerous tricks could happen at the HTTP level. The information could be hidden in a combination of layers.

Information could be leaked across multiple connections. For instance, the simple choices of pseudo random port numbers and sequence numbers can leak information.

Short of reverse engineering the Windows kernel, no one can prove the absence of a leak from traffic alone. It may be there, it may not, we'll never know.

Any network admin who claims otherwise is misinformed. The best we can do is put a ceiling on the amount of traffic leaked if it is indeed there.


Of course, if I were a government interested in back doors, I'd simply utilize the existing vulnerabilities and blame everything on "hackers" since the public is always willing to accept that as an excuse. The likelihood of being discovered this way is very slim.



"The Russian Government wouldn't be using a special build of Windows, thus if there are backdoors in the Russian builds then there are going to be backdoors in everyone's build."

At the very least, the language/locale/timezones change, that could potentially change the behavior.


"So what you're essentially suggesting is that globally there isn't a single network administrator with Windows clients or servers in their infrastructure that is competent enough to notice unauthorised outgoing network connections."

As another poster already said, you've completely ignored steganography within perfectly legal connections.

"Personally I think the more likely answer is that the whole 'MS build backdoors to monitor governments' is just scaremongering from the kind of tin-hat wearing conspiracy theorists that think the moon landings were faked."

It's certainly paranoia, but there is little doubt that the government/MS have the technical ability to pull it off if they wanted to. Open source is clearly superior in this regard.


"Furthermore, you wouldn't write such a backdoor into the kernel itself. It would be completely useless there. You'd want it in userspace albeit still built into the OS framework."

This one is laughable. Do you really expect attackers to follow your rules about where to put backdoors? They'll put it where they please, thank you very much.

Reply Parent Score: 1
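Added example (not part of any post in this thread): a sketch of the "ceiling" idea from the comment above, bounding how many bytes a header-level covert channel could carry to each destination given only flow counts. The per-field bit budgets, the log format and the host names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed ceilings on bits an endpoint could modulate without breaking TCP.
BITS_PER_CONNECTION = 16 + 32  # source port + initial sequence number
BITS_PER_PACKET = 2            # assumption standing in for "a few bits" of timestamp

# Constructed flow summary: "destination new_connections packets_sent"
SAMPLE_FLOWS = """\
update.example.com 12 840
search.example.net 300 21000
mail.example.org 4 95
search.example.net 150 9000
"""

def parse_flows(text):
    """Aggregate connection and packet counts per destination."""
    totals = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        try:
            conns, pkts = int(parts[1]), int(parts[2])
        except ValueError:
            continue
        totals[parts[0]][0] += conns
        totals[parts[0]][1] += pkts
    return totals

def leak_ceiling_bytes(conns, pkts):
    """Upper bound on covert bytes, rounded up to a whole byte."""
    bits = conns * BITS_PER_CONNECTION + pkts * BITS_PER_PACKET
    return (bits + 7) // 8

def report(text, budget_bytes):
    """Return (destination, ceiling_bytes, over_budget) rows, largest first."""
    rows = []
    for host, (conns, pkts) in parse_flows(text).items():
        ceiling = leak_ceiling_bytes(conns, pkts)
        rows.append((host, ceiling, ceiling > budget_bytes))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for host, ceiling, over in report(SAMPLE_FLOWS, budget_bytes=1024):
        print(f"{host:22} <= {ceiling:6d} bytes {'OVER BUDGET' if over else ''}")
```

The result is a bound, not a detection: it says how much could leak under the assumed budgets, which is the quantity an administrator can reduce by limiting connections and packets to a destination.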

Phloptical Member since:
2006-10-10

"tin-hat wearing conspiracy theorists that think the moon landings were faked."


....weren't they?

Reply Parent Score: 2