Linked by Thom Holwerda on Wed 21st Sep 2011 22:06 UTC, submitted by kragil
After the walled garden coming to the desktop operating system world, we're currently witnessing another potential nail in the coffin of the relatively open world of desktop and laptop computing. Microsoft has revealed [.pptx] that as part of its Windows 8 logo program, OEMs must implement UEFI secure boot. This could potentially complicate the installation of other operating systems, like Windows 7, XP, and Linux.
Thread beginning with comment 490396
RE[2]: Comment by OSbunny
by malxau on Thu 22nd Sep 2011 20:08 UTC in reply to "RE: Comment by OSbunny"
malxau (member since 2005-12-04)

"If you want to hide malicious code you can do it in open source as well. There was that news a few months ago about OpenBSD having malicious code. Don't know whether it was true or not but the possibility remains.


Quote please. AFAIK the track record is that malware has never been distributed to users via open source repositories. The only way it happens is to distribute modified code binary-only executables to Windows users.
"

Do you remember this? I believe the code was distributed over CVS, but never made it into a release.

http://www.theregister.co.uk/2003/11/07/linux_kernel_backdoor_block...

Or when Debian ran valgrind on OpenSSL and shipped a broken version for years before it was detected, resulting in piles of compromised keys? The code was there for all to see.

http://blogs.fsfe.org/tonnerre/archives/24

As a paranoid afterthought, note we only know about these when they're detected. We don't know about the ones that are too good - which may be zero or may be large. We have no way to know.

I think as everyone else is saying, it's difficult, but not impossible. The code just needs to look correct even when it's not. That's a high bar, but it can be met. There's even a competition over who can do it well:

http://underhanded.xcott.com/

Score: 3

RE[3]: Comment by OSbunny
by lemur2 on Thu 22nd Sep 2011 23:23 in reply to "RE[2]: Comment by OSbunny"
lemur2 (member since 2007-02-17)

"If you want to hide malicious code you can do it in open source as well. There was that news a few months ago about OpenBSD having malicious code. Don't know whether it was true or not but the possibility remains.

Quote please. AFAIK the track record is that malware has never been distributed to users via open source repositories. The only way it happens is to distribute modified code binary-only executables to Windows users.

Do you remember this? I believe the code was distributed over CVS, but never made it into a release.

http://www.theregister.co.uk/2003/11/07/linux_kernel_backdoor_block...
"

I had not heard of that one, that is as subtle as it can get. Note that despite this attempt, my original statement is still correct, "the track record is that malware has never been distributed to users via open source repositories".

"Or when Debian ran valgrind on OpenSSL and shipped a broken version for years before it was detected, resulting in piles of compromised keys? The code was there for all to see.

http://blogs.fsfe.org/tonnerre/archives/24
"


This was a bug, an error, a mistake. It was not malware. Malware is where someone deliberately tries to put malicious code into the system for their benefit at users' expense.

I repeat, AFAIK, "the track record is that malware has never been distributed to users via open source repositories".

"As a paranoid afterthought, note we only know about these when they're detected. We don't know about the ones that are too good - which may be zero or may be large. We have no way to know.

I think as everyone else is saying, it's difficult, but not impossible. The code just needs to look correct even when it's not. That's a high bar, but it can be met. There's even a competition over who can do it well:

http://underhanded.xcott.com/
"


You have come up with just one unsuccessful attempt in over ten years of open source development, through countless versions, of many thousands of open source products.

One unsuccessful attempt. It was defeated by the very checks built into the open source development process, even as long ago as 2003. Now that open source development tools, such as git, have moved on from there, another such attempt today would have considerably less chance of getting even as far as the one you identified from 2003.

Contrast this to the situation with closed source distribution on Windows, with literally hundreds of millions of Windows computers infected worldwide, and two million new pieces of Windows malware written every year.

It cannot be said definitively that an attempt to put malware into an open source product and get it shipped to users via open source repositories is absolutely impossible, but we can say that as far as anyone can determine (to a very high level of confidence), no such attempts have ever been successful.

One cannot prove a negative, but "the track record is that it has never been done" gets as close as you can, for all practical intents and purposes.

Score: 2

RE[4]: Comment by OSbunny
by malxau on Thu 22nd Sep 2011 23:52 in reply to "RE[3]: Comment by OSbunny"
malxau (member since 2005-12-04)

"Or when Debian ran valgrind on OpenSSL and shipped a broken version for years before it was detected, resulting in piles of compromised keys? The code was there for all to see. http://blogs.fsfe.org/tonnerre/archives/24

This was a bug, an error, a mistake. It was not malware. Malware is where someone deliberately tries to put malicious code into the system for their benefit at users' expense.

I repeat, AFAIK, "the track record is that malware has never been distributed to users via open source repositories".
"

How do you know if it's a mistake? As the competition link illustrates, a key point here is plausible deniability - when code is caught, it can be plausibly said to be a mistake rather than malicious. But we have no way to know when that's really true; only the person who put it there knows their intention. A backdoor is planted in both cases, and we're left guessing as to why, and who knew about it, and whether it was being actively exploited.

Put another way, if the Debian OpenSSL maintainer was malicious, we can clearly see that no OSS safeguard would protect against large scale compromise of machines. Plausible code can be included and distributed without sufficient review to ensure that it's secure.

Score: 2