Linked by runjorel on Thu 13th Jan 2011 19:35 UTC
Linux "At the end of 2010, the 'open-source' software movement, whose activists tend to be fringe academics and ponytailed computer geeks, found an unusual ally: the Russian government. Vladimir Putin signed a 20-page executive order requiring all public institutions in Russia to replace proprietary software, developed by companies like Microsoft and Adobe, with free open-source alternatives by 2015."
Thread beginning with comment 457946
RE[2]: Security is a big concern
by fisherman2 on Fri 14th Jan 2011 16:57 UTC in reply to "RE: Security is a big concern"
fisherman2 (Member since: 2011-01-14)

You are definitely underestimating the cleverness of a resourceful opponent.

"As I said before, it would be quite easy to track outgoing connections (even if you can't establish the content of the traffic)."

At some point these machines will connect back to MS or google or some other website under US jurisdiction through its normal course of use.

It would not be impossible to hide information in the tcp stack such that neither the sender nor receiver knows about a hidden channel, all that would be necessary would be for the government to wire tap the traffic. Slight variations in ACK/PSH behavior or window boundaries could in fact contain hidden information at the IP level. The tcp timestamp field could easily leak a few bits of information per packet.

Numerous tricks could happen at the HTTP level. The information could be hidden in a combination of layers.

Information could be leaked across multiple connections. For instance, the simple choices of pseudo random port numbers and sequence numbers can leak information.

Short of reverse engineering the windows kernel, no one can prove the absence of a leak from traffic alone. It may be there, it may not, we'll never know.

Any network admin who claims otherwise is misinformed. The best we can do to put a ceiling on the amount of traffic leaked if it is indeed there.


Of course, if I were a government interested in back doors, I'd simply utilize the existing vulnerabilities and blame everything on "hackers" since the public is always willing to accept that as an excuse. The likelihood of being discovered this way is very slim.



"The Russian Government wouldn't be using a special build of Windows, thus if there's backdoors in the Russian builds then there's going to be backdoors in everyones build."

At the very least, the language/locale/timezones change, that could potentially change the behavior.


"So what you're essentially suggesting is that globally there isn't a single network administrator with Windows clients or servers in their infrastructure that is competent enough to notice unauthorised outgoing network connections."

As another poster already said, you've completely ignored steganography within perfectly legal connections.

"Personally I think the more likely answer is that the whole 'MS build backdoors to monitor governments' is just scaremongering from the kind of tin-hat wearing conspiracy theorists that think the moon landings were faked."

It's certainly paranoia, but there is little doubt that the government/ms have the technical ability to pull it off if they wanted to. Open source is clearly superior in this regard.


"Furthermore, you wouldn't write such a backdoor into the kernel itself. It would be completely useless there. You'd want it in userspace albeit still built into the OS framework."

This one is laughable. Do you really expect attackers to follow your rules about where to put backdoors? They'll put it where they please, thank you very much.

Reply Parent Score: 1

Laurence (Member since: 2007-03-26)

"You are definitely underestimating the cleverness of a resourceful opponent."

I'm not. I think you're underestimating the cleverness of every other person in IT who has administrated a Windows platform.

"At some point these machines will connect back to MS or google or some other website under US jurisdiction through its normal course of use."

I'm still yet to hear a convincing way how they could without being noticed.

"It would not be impossible to hide information in the tcp stack such that neither the sender nor receiver knows about a hidden channel, all that would be necessary would be for the government to wire tap the traffic. Slight variations in ACK/PSH behavior or window boundaries could in fact contain hidden information at the IP level."

But so little information that such a hack would be pointless.

"Numerous tricks could happen at the HTTP level. The information could be hidden in a combination of layers."

HTTP isn't encrypted so no it couldn't.
HTTPS perhaps, but again a network admin somewhere in the world would notice updates to a network location where they've not requested it.

"Information could be leaked across multiple connections. For instance, the simple choices of pseudo random port numbers and sequence numbers can leak information."

Not if you're sat behind a firewall with restrictive port access - as most businesses and governments would be.

"Short of reverse engineering the windows kernel, no one can prove the absence of a leak from traffic alone. It may be there, it may not, we'll never know."

You can't prove something that isn't there.

"Any network admin who claims otherwise is misinformed. The best we can do to put a ceiling on the amount of traffic leaked if it is indeed there."

True. But the laws of probabilities are that if MS were leaking data, someone in the world would have noticed before now.


"The Russian Government wouldn't be using a special build of Windows, thus if there's backdoors in the Russian builds then there's going to be backdoors in everyones build."

"At the very least, the language/locale/timezones change, that could potentially change the behavior."

Fair point but that sounds awfully like clutching at straws.

It's also just as likely that changing the timezones doesn't change the behaviour.

"As another poster already said, you've completely ignored steganography within perfectly legal connections."

I've already discounted that possibility. Read my reply to the guy who suggested that.


"It's certainly paranoia, but there is little doubt that the government/ms have the technical ability to pull it off if they wanted to. Open source is clearly superior in this regard."

It's 100% just paranoia. Sure MS have the technical ability, but then so does open source.
When was the last time you compiled your own binaries rather than pulling binaries from US repositories?
Sure, you can download the source too, but like Windows' source code, who's to say that backdoors weren't added after the source was published?

You see, we could all make worthless speculation about backdoors in any OS that we haven't programmed personally.


"Furthermore, you wouldn't write such a backdoor into the kernel itself. It would be completely useless there. You'd want it in userspace albeit still built into the OS framework."

"This one is laughable. Do you really expect attackers to follow your rules about where to put backdoors? They'll put it where they please, thank you very much."

erm ok. Clearly you haven't the slightest clue what you're talking about.

Putting such a backdoor in the kernel itself would be too low level. The minimum you need is a keylogger and access to a TCP/IP stack - thus you need the backdoor in user space.

It's not "rules", it's pretty much the unbreakable laws of computer physics.

However, let's not let actual computer science get in the way of hysteria. *rollseyes*

Edited 2011-01-15 02:01 UTC

Reply Parent Score: 2

fisherman2 (Member since: 2011-01-14)

"I'm still yet to hear a convincing way how they could without being noticed"

It may be unlikely, but only an idiot would claim it couldn't be done.

"But so little information that such hack would be pointless"

I certainly hope you're not suggesting that because the pipe is small that it's of no danger! Maybe all they need is password/credentials/keys. Such could easily compromise VPN encryption or admin account.

"HTTP isn't encrypted so no it couldn't"

Use your head!! Just because the HTTP protocol isn't encrypted doesn't mean someone couldn't hide a covert message within perfectly normal IIS/HTTP variables.

"...a network admin somewhere in the world would notice updates to a network location where they've not requested it."

You either didn't read or didn't comprehend my previous message. An entity with the ability to wiretap doesn't strictly need to direct packets to a traceable IP.

Furthermore, if a backdoor leaked the information through normal connections over the course of several days using steganography, then even the most determined sysadmin would fail to detect a leak since every single packet would appear to be normal traffic.


"Not if you're sat behind a firewall with restrictive port access - as most businesses and governments would be."

This makes you sound like a novice. Even with a firewall, connections must get through. These open up attack vectors. Firewalls do not protect normal connections from being exploited.

"So You can't prove something that isn't there."

I've never claimed that there was a backdoor, only that there is the possibility for one which you cannot disprove by looking at traffic alone. That is after all what we're talking about.

"I've already discounted that possibility. Read my reply to the guy who suggested that."

Your reply was mistaken, steganography can apply to much more than just embedded images within emails.
Examples: session id, timestamps, tcp windows, source port numbers, dns transaction id, maybe even bits in a word document...it only needs to be one bit here and there to achieve a leak.

A sysadmin looking at a network trace is helpless; the data appears normal to him.

"It's 100% just paranoia. Sure MS have the technical ability, but then so does open source."

Well, if they (ms/gov) possess the technical ability, then the only thing stopping them from doing it is ethics. Just because you believe them doesn't mean other people do.

It could happen to open source too, but then it would be much more difficult to hide successfully for a prolonged period.

"When was the last time you compiled your own binaries rather than pulling binaries from US repositories?"

For what it's worth, I have my own distribution.

"Sure, you can download the source too, but like Windows' source code, who's to say that backdoors weren't added after the source was published?"

md5/sha1

"You see, we could all make worthless speculation about backdoors in any OS that we haven't programmed personally."

I'm not asserting there is a back door, only that your reasoning for claiming there are none is faulty.


"Putting such a backdoor in the kernel itself would be too low level. The minimum you need is keylogger and access to a TCP/IP stack - thus you need the backdoor in user space. It's not 'rules', it's pretty much the unbreakable laws of computer physics."

You're unbelievable! Are you for real? Of course the kernel can do keylogging and access the tcp stack. How could you possibly think otherwise?? What do you think a kernel does??

Forget it, based on the lack of intelligence in your responses, I'm not interested in continuing this dialog.

Reply Parent Score: 1
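Added example (not code from the thread or either poster): a defender-side check for the TCP timestamp channel fisherman2 raises twice above. A host's TSval is a clock sampled at a fixed rate, so against packet arrival times it should fit a straight line with residuals of a tick or two; data hidden in the low-order bits shows up as residuals well beyond clock jitter. The 1000 Hz clock and all packet samples are constructed for illustration.

```python
"""Heuristic detection of a TCP timestamp (TSval) covert channel.
Input per flow direction: (arrival_time_seconds, tsval) pairs, as a
sensor could extract from the TCP timestamp option in a capture."""
from statistics import mean


def fit_tsval_clock(samples):
    """Least-squares fit tsval = offset + rate_hz * t. Returns (rate_hz, offset)."""
    ts = [t for t, _ in samples]
    vs = [v for _, v in samples]
    mt, mv = mean(ts), mean(vs)
    var = sum((t - mt) ** 2 for t in ts)
    cov = sum((t - mt) * (v - mv) for t, v in samples)
    rate = cov / var
    return rate, mv - rate * mt


def tsval_residuals(samples):
    """Distance of each TSval from the fitted clock, in ticks."""
    rate, offset = fit_tsval_clock(samples)
    return [v - (offset + rate * t) for t, v in samples]


def flag_timestamp_channel(samples, max_jitter_ticks=2.0, max_outlier_frac=0.2):
    """True if too many packets deviate from the clock line by more than jitter.
    A real clock is monotone and linear; low-bit modulation is not."""
    res = tsval_residuals(samples)
    outliers = sum(1 for r in res if abs(r) > max_jitter_ticks)
    return outliers / len(res) > max_outlier_frac


def build_flow(low_bit_noise, rate_hz=1000, interval_s=0.05, base=100000):
    """Constructed flow: one packet every interval_s, TSval from a rate_hz clock
    plus a per-packet perturbation of the low-order bits (constructed data)."""
    return [(i * interval_s, base + round(rate_hz * i * interval_s) + n)
            for i, n in enumerate(low_bit_noise)]


# Constructed: a normal host, whose TSval only wobbles by a tick of scheduling jitter.
CLEAN_FLOW = build_flow([0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0])
# Constructed: a host whose low four TSval bits vary far beyond any clock jitter.
LEAKY_FLOW = build_flow([0, 15, 3, 12, 7, 9, 1, 14, 5, 10, 2, 13, 6, 8, 4, 11, 0, 15, 3, 12])

if __name__ == "__main__":
    for name, flow in (("clean", CLEAN_FLOW), ("leaky", LEAKY_FLOW)):
        rate, _ = fit_tsval_clock(flow)
        print(f"{name}: clock ~{rate:.0f} Hz, flagged={flag_timestamp_channel(flow)}")
```

The check is a baseline, not proof of absence: a channel that modulates only one bit per packet stays inside the jitter band and needs a longer window and per-host clock profiling to stand out.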