Linked by Thom Holwerda on Wed 21st Sep 2011 22:06 UTC, submitted by kragil
After the walled garden coming to the desktop operating system world, we're currently witnessing another potential nail in the coffin of the relatively open world of desktop and laptop computing. Microsoft has revealed [.pptx] that as part of its Windows 8 logo program, OEMs must implement UEFI secure boot. This could potentially complicate the installation of other operating systems, like Windows 7, XP, and Linux.
Thread beginning with comment 490421
RE[4]: Comment by OSbunny
by malxau on Thu 22nd Sep 2011 23:52 UTC in reply to "RE[3]: Comment by OSbunny"
malxau Member since:
2005-12-04

"Or when Debian ran Valgrind on OpenSSL and shipped a broken version for years before it was detected, resulting in piles of compromised keys? The code was there for all to see. http://blogs.fsfe.org/tonnerre/archives/24


This was a bug, an error, a mistake. It was not malware. Malware is where someone deliberately tries to put malicious code into the system for their benefit at users' expense.

I repeat, AFAIK, "the track record is that malware has never been distributed to users via open source repositories".
"

How do you know if it's a mistake? As the competition link illustrates, a key point here is plausible deniability - when code is caught, it can be plausibly said to be a mistake rather than malicious. But we have no way to know when that's really true; only the person who put it there knows their intention. A backdoor is planted in both cases, and we're left guessing as to why, and who knew about it, and whether it was being actively exploited.

Put another way, if the Debian openssl maintainer was malicious, we can clearly see that no OSS safeguard would protect against large-scale compromise of machines. Plausible code can be included and distributed without sufficient review to ensure that it's secure.

Score: 2

RE[5]: Comment by OSbunny
by lemur2 on Fri 23rd Sep 2011 00:01 in reply to "RE[4]: Comment by OSbunny"
lemur2 Member since:
2007-02-17

Put another way, if the Debian openssl maintainer was malicious, we can clearly see that no OSS safeguard would protect against large-scale compromise of machines. Plausible code can be included and distributed without sufficient review to ensure that it's secure.


No machines were compromised. The mistake that the Debian maintainer made reduced the security of machines by reducing the randomness of generated keys.

The machines were less secure than they should have been, but not insecure.

No one can guarantee that there is no unintentional bug in code. No one is claiming any such thing anyway.

You are the one who is making the extraordinary claim that it is possible to put intentional malware into an open source product and then have it distributed to end users using the repository system, yet you have absolutely zero instances when this has ever happened.

Put up or shut up.

Edited 2011-09-23 00:05 UTC

Score: 3
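An added example, not part of the thread and not Debian or OpenSSL code: a simplified model, from an auditor's side, of what "reducing the randomness of generated keys" means in practice. It assumes the process ID was the only input still varying the seed (as was widely documented for this bug), uses a hash-based `toy_keygen` as a stand-in for real key generation, and the host names and inventory are constructed.

```python
import hashlib
import secrets

PID_MAX = 32768  # default Linux pid_max, so PIDs run 1..32767


def toy_keygen(seed: bytes) -> bytes:
    """Stand-in for key generation: fully determined by its seed, just as a
    real generator's output is fixed once its PRNG seed is fixed."""
    return hashlib.sha256(b"toy-private-key|" + seed).digest()


def fingerprint(key: bytes) -> str:
    """Short public identifier for a key, as an inventory would record it."""
    return hashlib.sha256(b"toy-fingerprint|" + key).hexdigest()[:32]


def weak_seed(pid: int) -> bytes:
    # Assumption of this model: the process ID is the only varying input.
    return pid.to_bytes(2, "big")


def build_blocklist() -> dict[str, int]:
    """Enumerate every key the weakened generator can ever emit."""
    return {fingerprint(toy_keygen(weak_seed(pid))): pid
            for pid in range(1, PID_MAX)}


def audit(fingerprints, blocklist):
    """Return {fingerprint: pid} for deployed keys found on the blocklist."""
    return {fp: blocklist[fp] for fp in fingerprints if fp in blocklist}


BLOCKLIST = build_blocklist()

# Constructed inventory: two keys from the weakened generator, one healthy.
INVENTORY = {
    "host-a": fingerprint(toy_keygen(weak_seed(4242))),
    "host-b": fingerprint(toy_keygen(weak_seed(31000))),
    "host-c": fingerprint(toy_keygen(secrets.token_bytes(32))),
}

if __name__ == "__main__":
    hits = audit(INVENTORY.values(), BLOCKLIST)
    for host, fp in INVENTORY.items():
        status = f"WEAK (pid {hits[fp]})" if fp in hits else "ok"
        print(f"{host}: {fp} {status}")
    print(f"{len(BLOCKLIST)} possible keys in total")
```

Because the whole output space fits in a lookup table, affected keys can be found by fingerprint alone and then regenerated and revoked.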

RE[6]: Comment by OSbunny
by Alfman on Fri 23rd Sep 2011 01:18 in reply to "RE[5]: Comment by OSbunny"
Alfman Member since:
2011-01-28

lemur2,

"No one can guarantee that there is no unintentional bug in code. No one is claiming any such a thing anyway."

No one can guarantee that there is no intentional bug in code either. The difference between intentional bugs and unintentional bugs is...intent. Well-intentioned programmers succeed in getting exploitable bugs into OSS every now and then, yet you make it sound like it is impossible for maligned programmers to do the exact same thing? Why?

How do we distinguish between deliberate vulnerabilities and accidental ones? Can you supply a test which differentiates between these cases?


"You are the one who is making the extraordinary claim that it is POSSIBLE to put intentional malware into an open source product and then have it distributed to end users using the repository system," (my emphasis)

It's not likely, but it's certainly not impossible.

"yet you have absolutely zero instances when this has ever happened."

There are around 30K packages in Ubuntu; have they closely vetted each one for intentional vulnerabilities? Unless someone was caught red-handed, how would we know?

It would not be *technically impossible* for a maintainer in possession of the signing key to deliberately sign malware either and distribute it in a targeted attack such that no one other than the victim would see evidence of the attack. Repositories work because we trust the character of their maintainers.

As an example: If an evil entity wanted to, they could create a new Linux distro complete with its own repository. This is certainly possible. Then, using the exact same technology other distros use, they could then distribute malware via that repository. Do you admit that there is nothing about the repository technology itself which makes malware impossible? Isn't the only difference here the integrity of the maintainers?

These are all legitimate questions, I'd be grateful for legitimate answers.

Edited 2011-09-23 01:22 UTC

Score: 2