Sunday, September 22, 2013

Can Linux Be Trusted? Linus Confirms NSA Backdoor Request

NSA Headquarters (from Wikipedia)
At the keynote speech at LinuxCon, Linus Torvalds, creator and lead developer of the Linux kernel, was asked if the National Security Agency (NSA) had asked him to insert a backdoor into the popular open source operating system. Linus responded by nodding yes while saying the word, "no," implying that he had been asked to do so, but was not able to discuss it.

This has caused quite a stir in the Linux community, which has always assumed that the 'open' nature of the source, that is, that anyone can view the code, would make it impossible to hide such a deliberate security hole. But how many people have actually looked at the kernel code, and how many could identify such a backdoor in the millions of lines, especially if care were taken to obfuscate it?

This commenter spoke for millions of Linux users when replying to this article on the subject from e-week:

"What they should have asked is: Did you, in fact put a backdoor in the Linux Kernel?"

And there was this:

"All further development on the kernel, modules, etc... should be halted until a thorough audit has taken place by those skilled enough to do so. Linux is no longer trustworthy"

Sound paranoid? Perhaps not so much. Let's look at some facts we know to be true.

NSA Thwarts Encryption Through Influencing Standards, Hacking, Inserting Backdoors:
Recently leaked documents from Edward Snowden show a concerted effort by federal agencies to access encrypted data, either through pressuring companies to install backdoors and provide encryption keys, stealing keys from company servers or hacking the computers of end users. According to this article from the NY Times:
"The N.S.A. hacked into target computers to snare messages before they were encrypted. In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world."
A leaked NSA memo from 2006 showed that the NSA managed not only to influence encryption standards, but to become the creator and sole editor of one and to pressure international standards groups to ratify it. A year later, a 'fatal' security hole was discovered in the new encryption standard. It appears the security hole was actually a purposeful creation of the NSA.

NSA Scoops Up Google, Facebook, Apple User Data
The Guardian reports the NSA has gained direct access to servers used by Internet tech giants to collect user data. The companies either dispute this is true or maintain they have no knowledge of such access. Google responded with this statement:
"Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a back door for the government to access private user data."
Their compliance with thousands of FISA Court subpoenas has been widely reported, and several companies, eager to reassure nervous customers, have filed a lawsuit requesting permission to disclose to users what data they have turned over to the Feds. (See Google, Microsoft, Facebook Sue for More NSA Transparency, 08/31/2013)

Windows 8 'Trusted Computing' Not So Trustworthy: It is being reported that German government IT officials contend the new 'trusted computing' built into Windows 8, which is supposed to protect against trojans and viruses, can be used as a snooping device for the NSA. German government officials suggest staying with Windows 7 for the time being. According to this Business Insider article:
"Experts at the BSI, the Ministry of Economic Affairs, and the Federal Administration warned unequivocally against using computers with Windows 8 and TPM 2.0. One of the documents from early 2012 lamented, “Due to the loss of full sovereignty over the information technology, the security objectives of ‘confidentiality’ and ‘integrity’ can no longer be guaranteed.”
Microsoft Opens Outlook, Hotmail, Skype and SkyDrive to NSA Snooping:
According to this article in The Guardian, Microsoft has worked closely with NSA and made changes to popular e-mail and video phone programs to make it easier for NSA to obtain full access to user emails and voice communications. According to the article:
• The agency already had pre-encryption stage access to email on, including Hotmail;
• The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;
• Microsoft also worked with the FBI's Data Intercept Unit to "understand" potential issues with a feature in that allows users to create email aliases;
• In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;
• Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a "team sport".
NSA Collects Millions of Internet and Cell Phone Records
This report from The Guardian shows Verizon is collecting millions of customers' phone record 'metadata' by order of a secret FISA court. Normally, the national security court requests information on specific customers, but this order is significant due to its sweeping nature. According to The Guardian's report:
The order, a copy of which has been obtained by the Guardian, requires Verizon on an "ongoing, daily basis" to give the NSA information on all telephone calls in its systems, both within the US and between the US and other countries.
Lest customers of other cell phone and Internet companies feel safe, you can probably assume your company is also under some type of similar order. It was only a few years ago that it was disclosed that AT&T had a secret switching room devoted to collecting all Internet and phone traffic coming through its hub in San Francisco and then sending the data on to the NSA. According to the Electronic Frontier Foundation (EFF):
"The undisputed documents show that AT&T installed a fiberoptic splitter at its facility at 611 Folsom Street in San Francisco that makes copies of all emails web browsing and other Internet traffic to and from AT&T customers and provides those copies to the NSA. This copying includes both domestic and international Internet activities of AT&T customers. As one expert observed, “this isn’t a wiretap, it’s a country-tap.” Secret government documents, published by the media in 2013, confirm the NSA obtains full copies of everything that is carried along major domestic fiber optic cable networks."
FBI Consultant Claims Backdoors in OpenBSD Operating System
In December 2010, a man who had worked on funding the Cryptographic Framework in the OpenBSD operating system claimed the FBI had inserted several backdoors into the OpenBSD code a decade before. He said he could not disclose the information before that time because he had to comply with a ten-year Non-Disclosure Agreement (NDA).

In an email to Theo de Raadt, Gregory Perry, who says he was an FBI consultant working on cryptography for NETSEC, writes:
"My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI."
To my knowledge, no backdoor was found in OpenBSD when this was disclosed ten years later. Whether it existed at one time and was quietly removed, or whether Mr. Perry is being untruthful, is left to the reader to decide. In light of the government's obsession with breaking or bypassing encryption (see above), it certainly seems plausible.

What about Linux?
At this point, we don't know. Linus isn't allowed to tell and hopefully he won't get into trouble with the Feds for the 'heads-up' he gave the community already. I am sure there will suddenly be many more people taking an interest in the Linux kernel or other components in the operating system which may be vulnerable to snooping.

There is an adage in the Open Source community that "many eyes make all bugs shallow" (ironically, this is known as 'Linus's Law'). Let's hope that applies to backdoors too, and that if such a thing exists in Linux, it is discovered and (dis)closed very soon.