Security of source-code

8 réponses [Dernière contribution]
sg.germany
Hors ligne
A rejoint: 09/28/2011

Hi Mates,
the worldwide discussion of cooperation of the NSA with software-producers make me unsure of using Linux. I want to know, how secure Trisquel Linux is ? How much NSA is in Trisquel ? Are there backdoors ? How will it be prevented, that unwanted code will be installed ? Are there auditing instances, that the sourcecode checked ?

dudeski

I am a member!

Hors ligne
A rejoint: 07/03/2013

As a general rule, free software by it's very nature is substantially less likely to have backdoors and other malicious functions, simply on account of the code being out in the open for all to see.

That being said, a well-designed backdoor can be almost impossible to spot (or differentiate from an unintentional bug) even if tons of people are combing through the source code, so to be perfectly honest, who knows?

Even so, obviously it seems much more prudent to place ones trust in a free operating system like Trisquel rather than, say, the gigantic bloated blobs from Microsoft, which we know is riddled with malicious features, including backdoors.

lembas
Hors ligne
A rejoint: 05/13/2010

Linux is a kernel. Trisquel GNU/Linux is an operating system.

What do you think contains less NSA than Linux? I think the only thing NSA related in Linux is SELinux which is a mandatory access control system not active by default. Windows and OSX certainly are full of NSA.

Trisquel is based on Ubuntu which is based on Debian. There isn't any official certifications in place I know of. However, there are plenty of eyes looking at the code. And if you're so inclined, you can take a look at it or hire somebody to do so for you.

So, I'd say the baseline security is fairly decent and anybody is welcome to modify the parts to make a more secure system. There isn't too many other operating systems that can make a similar claim.

Free software is the only thing that gives you a fighting chance.

Chris

I am a member!

Hors ligne
A rejoint: 04/23/2011

It does not work the way you think it does. The NSA has what are zero day exploits. These are bugs which can be exploited and are not publicly known or fixed. Microsoft has informed the NSA of these zero day exploits before they have provided users with a patch to fix it (security update). Development is generally more public with free software and GNU/Linux. If there is a security exploit report it gets fixed and patched. The NSA might know about it although so does everyone else. That is short of it being silently reported (that is the reporter bypasses the public system). Generally I believe it is normal to bypass the public system to report such bugs as this gives the developers (free or non-free) time to create patches to fix the holes.

Long story short there are more eyes looking at the code where free software is concerned although that doesn't necessarily mean it is any harder/easier to exploit from the attackers standpoint. What is clear is Microsoft is providing these zero day exploits to the NSA before they've released patches and that is a clear betrayal of trust. No other organization can fix the holes whereas if it was reported in a free application publicly there at least would be the possibility of third parties providing a fix/disabling a feature which made the hole exploitable, etc.

oralfloss
Hors ligne
A rejoint: 06/20/2013

On 07/13/2013 02:30 PM, name at domain wrote:
> It does not work the way you think it does. The NSA has what are zero
> day exploits. These are bugs which can be exploited and are not publicly
> known or fixed. Microsoft has informed the NSA of these zero day
> exploits before they have provided users with a patch to fix it
> (security update). Development is generally more public with free
> software and GNU/Linux. If there is a security exploit report it gets
> fixed and patched. The NSA might know about it although so does everyone
> else. That is short of it being silently reported (that is the reporter
> bypasses the public system). Generally I believe it is normal to bypass
> the public system to report such bugs as this gives the developers (free
> or non-free) time to create patches to fix the holes.

Yes it is true that there are exploits that can be used to run programs
without the users consent for spying purposes. However, Trisquel has a
strong security system and unlike Microsoft, devs don't give these
"zero-day" exploits away. The fact that Microsoft has to tell the NSA
about them shows that the NSA isn't too good at finding the exploits
themselves, which probably means they can't easily find any for
Trisquel. It's all theoretical though, so you just have to make sure you
trust everything you download.

> Long story short there are more eyes looking at the code where free
> software is concerned although that doesn't necessarily mean it is any
> harder/easier to exploit from the attackers standpoint. What is clear is
> Microsoft is providing these zero day exploits to the NSA before they've
> released patches and that is a clear betrayal of trust. No other
> organization can fix the holes whereas if it was reported in a free
> application publicly there at least would be the possibility of third
> parties providing a fix/disabling a feature which made the hole
> exploitable, etc.

I would agree that there are more eyes looking at the code where free
software is concerned but finding an exploit isn't as easy as it sounds,
even with the source code.

According to a poorly written statement by a Microsoft security team
employee, free software source code ISN'T looked at a lot.
http://www.securityfocus.com/news/191 I am not trying to prove you wrong
here but rather just showing something on-topic that shows how stupid
Microsoft can be. He contradicts himself 5 times.

Microsoft could however be giving away exploits for legitimate reasons
(as some people call them). An example is Stuxnet which was most likely
started by the NSA. When interviewing Iran's nuclear facilities, the
U.S. was denied access to see the actual nuclear plants. This means that
Iran could be developing nuclear weapons of sorts, and the government
doesn't like stuff being hidden from them. In response, only a few
months later, Iran's nuclear facilities were targeted by the Stuxnet
virus. It targeted the exact PLC chipsets they used (hundreds exist) and
information on the PLC chipsets was probably something the U.S. gained
from their interviews on the facilities.

This clearly shows that the NSA does have some purpose for their
security attacks, but I am strongly against these mishaps and breaches
on civilian privacy. As Benjamin Franklin once said: "Those who would
give up essential liberty to purchase a little temporary safety deserve
neither liberty nor safety." Shows that the U.S. government needs to
learn more about U.S. History if you ask me.

Chris

I am a member!

Hors ligne
A rejoint: 04/23/2011

It seems the lesson that should have been learned from the Stuxnet attack by Iran is that allowing others into your facilities has its risks.

sg.germany
Hors ligne
A rejoint: 09/28/2011

I am very thankful for all the articles. It fortifies me to use Trisquel and try to persuade the people in my neighborhood to use this wonderful distribution.

Thank you all.

matthias
Hors ligne
A rejoint: 07/15/2013

This is a very interesting discussion. And prism-break.org lead me to Trisquel as well.
I don't trust Ubuntu anymore (not just because of their intended spyware): it's an English company and the main servers are hosted in the USA (both countries have now a pretty bad spying reputation). I guess it would be pretty easy for the NSA to place some backdoors in binary packages on the main Ubuntu servers. And so far I understood this, those binary packages are replicated through the whole world without a single check. So a backdoor would be everywhere on the world.

So my question is: Does Trisquel compile ALL packages from the source code or only the kernel?

lembas
Hors ligne
A rejoint: 05/13/2010

>So my question is: Does Trisquel compile ALL packages from the source code or only the kernel?

Looking at this (outdated) graphic, the answer is yes https://trisquel.info/en/wiki/how-trisquel-made

(Which makes a lot of sense from both the freedom and security perspectives.)