Sunday, September 22, 2013

Can Linux Be Trusted? Linus Confirms NSA Backdoor Request

NSA Headquarters (from Wikipedia)
At the keynote speech at LinuxCon, Linus Torvalds, creator and lead developer of the Linux kernel, was asked if the National Security Agency (NSA) had asked him to insert a backdoor into the popular open source operating system. Linus responded by nodding yes while saying the word, "no," implying that he had been asked to do so, but was not able to discuss it.

This has caused quite a stir in the Linux community, who has always considered the 'open' nature of the source, that is, anyone can view the code, would make it impossible to hide such a deliberate security hole. But how many actually have looked at the kernel code and how many could identify such a backdoor in the millions of lines, especially if care were taken to obfuscate the process?

This commenter spoke for millions of Linux users when replying to this article on the subject from e-week:

"What they should have asked is: Did you, in fact put a backdoor in the Linux Kernel?"

And there was this:

"All further development on the kernel, modules, etc... should be halted until a thorough audit has taken place by those skilled enough to do so. Linux is no longer trustworthy"

Sound paranoid? Perhaps not so much. Lets look at some facts we know to be true.

NSA Thwarts Encryption Through Influencing Standards, Hacking, Inserting Backdoors:
Recently leaked documents from Edward Snowden show a concerted effort by federal agencies to access encrypted data, either through pressuring companies to install backdoors and provide encryption keys, stealing keys from company servers or hacking the computers of end users. According to this article from the NY Times:
"The N.S.A. hacked into target computers to snare messages before they were encrypted. In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world."
A leaked NSA memo from 2006 showed that the NSA managed to not only influence encryption standards, but was able to become the creator and sole editor and pressure international standards groups to ratify it. A year later, a 'fatal' security hole was discovered in the new encryption standard. It appears the security hole was actually a purposeful creation of the NSA.

NSA Scoops Up Google, Facebook, Apple, User Data 
The Guardian reports the NSA has gained direct access to servers used by Internet tech giants to collect user data. The companies either dispute this is true or maintain they have no knowledge of such access. Google responded with this statement:
"Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a back door for the government to access private user data."
Their cooperation with of thousands of FISA Court subpoenas has been widely reported and several companies, eager to reassure nervous customers, have filed a law suit requesting permission to disclose to users what data they have disclosed to the Fed. (See Google, Microsoft, Facebook Sue for More NSA Transparancy, 08/31/2013)

Windows 8 'Trusted Computing' Not So Trustworthy: is reporting that German government IT officials contend the new 'trusted computing' built into Windows 8, which is supposed to protect against trojans and viruses can be used as a snooping device for the NSA. German government officials suggest staying with Windows 7 for the time being. According to this Business Insider article:
"Experts at the BSI, the Ministry of Economic Affairs, and the Federal Administration warned unequivocally against using computers with Windows 8 and TPM 2.0. One of the documents from early 2012 lamented, “Due to the loss of full sovereignty over the information technology, the security objectives of ‘confidentiality’ and ‘integrity’ can no longer be guaranteed.”
Microsoft Opens Outlook, Hotmail, Skype and SkyDrive to NSA Snooping: 
According to this article in The Guardian, Microsoft has worked closely with NSA and made changes to popular e-mail and video phone programs to make it easier for NSA to obtain full access to user emails and voice communications. According to the article:
• The agency already had pre-encryption stage access to email on, including Hotmail;
• The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;
• Microsoft also worked with the FBI's Data Intercept Unit to "understand" potential issues with a feature in that allows users to create email aliases;
• In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;
• Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a "team sport".
NSA Collects Millions of Internet and Cell Phone Records
In this report from The Guardian shows Verizon is collecting millions of customer phone record 'metadata' by order of a secret FISA court.  Normally, the national security court requests information on specific customers but this order is significant due to its sweeping nature. According to The Guardian's report:
The order, a copy of which has been obtained by the Guardian, requires Verizon on an "ongoing, daily basis" to give the NSA information on all telephone calls in its systems, both within the US and between the US and other countries.
Lest customers of other cell phone and Internet companies feel safe, you can probably assume your company is also under some type of similar order. It was only a few years ago when it was disclosed that AT&T had a secret switching room devoted to collecting all internet and phone traffic coming through it's hub in San Francisco then sending the data on to the NSA. According to the Electronic Frontier Foundation (EFF):
"The undisputed documents show that AT&T installed a fiberoptic splitter at its facility at 611 Folsom Street in San Francisco that makes copies of all emails web browsing and other Internet traffic to and from AT&T customers and provides those copies to the NSA. This copying includes both domestic and international Internet activities of AT&T customers. As one expert observed, “this isn’t a wiretap, it’s a country-tap.” Secret government documents,  published by the media in 2013, confirm the NSA obtains full copies of everything that is carried along major domestic fiber optic cable networks."
FBI Consultant Claims Backdoors in Open BSD Operating System
In December 2010, man who had worked on funding the Crypto Framework in the Open BSD Operating System claimed the FBI had inserted several backdoors into the Open BSD code a decade before. He said he could not disclose the information before that time because he had to comply with a ten year Non-Disclosure Agreement (NDA). 

In an email to Theo, de Raadt, Gregory Perry, who says he was an FBI consultant working on cryptography for NETSEC, writes:
"My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI."
To my knowledge, no backdoor was found in Open BSD when this was disclosed ten years later. Whether it existed at one time and was quietly removed or if Mr. Perry is being untruthful is left to the reader to decide. In light of the governments obsession with breaking or bypassing encryption (see above) it certainly seems plausible.

What about Linux? 
At this point, we don't know. Linus isn't allowed to tell and hopefully he won't get into trouble with the Feds for the 'heads-up' he gave the community already. I am sure there will suddenly be many more people taking an interest in the Linux kernel or other components in the operating system which may be vulnerable to snooping.

There is an adage in the Open Source Community that "many eyes make all bugs shallow" (Ironically, this is known as 'Linus's Law') Lets hope that applies to backdoors too and if such a thing exists in Linux, it is discovered and (dis)closed very soon.

Saturday, August 31, 2013

Google, Microsoft, Facebook Sue for More NSA Transparency

In a battle of behemoths, a group of the largest Internet companies is moving forward with a law suit against the Obama Administration. Following an outcry by customers, they are suing to release specific information on the data they provided to national security investigators about users.

Finding a balance between security and privacy which is acceptable to all parties has proven frustrating and negotiations between the US Government and the Internet giants have broken down.

According to this report, Microsoft announced they are moving forward with the suit which allows more transparency on the information that has been shared with the National Security Agency. They deny reports that they allowed government access to their servers or provided widespread access to users data and communications.

Faced with secret subpoenas and non-disclosure orders by the Foreign Intelligence Surveillance Act (FISA), companies have been limited as to what they can disclose publicly about government requests for information or their compliance. The recent leaks regarding corporate co-operation in these investigations has led to wide spread concern among users about how much and what information is being shared with federal investigators.

Microsoft General Council, Brad Smith said, "With the failure of our recent negotiations, we will move forward with litigation in the hope that the courts will uphold our right to speak more freely,”

Colin Stretch, General Council for Facebook stated, “We are deeply disappointed that despite months of negotiations and the efforts of many companies, the government has not yet permitted our industry to release more detailed and granular information about those requests.”

James Clapper, Director for National Intelligence has stated that the US Government will soon release more information on its intelligence gathering practices. Many are skeptical that government will be willing to provide meaningful answers to the public privacy concerns. As Google responded in an emailed statement:
"While the government’s decision to publish aggregate information about certain national security requests is a step in the right direction, we believe there is still too much secrecy around these requests and that more openness is needed. That's why we, along with many others, have called on the U.S. government to allow us to publish specific numbers about both FISA and NSL requests."
As more disclosures show massive and often illegal collection of data by the FISA court and internet companies, Google, Microsoft, Facebook and others are trying to reassure nervous users that they are capable of protecting personal information while still complying with reasonable and specific government requests for information.

Wednesday, August 21, 2013

MERS Death Toll Rises; CDC Funds Increased Local Monitoring

Saudi Death Toll Rises to 76:
MERS virus (image from
The Saudi Health Ministry has announced that 76 people have died so far from the MERS virus which has health officials on alert in the Middle East, Europe and indeed worldwide.

MERS (Middle East Respiratory Syndrome) was first reported in 2012 in isolated clusters on the Arabian Peninsula. It was still unknown if the virus could be transmitted by personal contact. At that time, there were about eleven known cases of the virus, five fatal.

Human to human transmission was confirmed in March, 2013 with the infection and death of a man in Britain. By then, the number of cases had increased to fourteen with eight fatalities. April and May saw a total of 23 infections in eastern Saudi Arabia.

The death toll rose as the disease spread, and by mid-August the numbers had jumped to nearly a hundred total confirmed cases with 46 fatalities. Saudi government officials now report the infection has claimed at least 76 lives in that country alone.

In a more optimistic sign, no new cases of MERS have been reported in Saudi since August 1, 2013 despite thousands of Ramadan pilgrims visiting the country during July and August. Countries are advised to be alert for signs of acute respiratory illness in people having recently returned from the area.

CDC Funds Efforts to Increase Local Monitoring:
The CDC (Center for Disease Control and Prevention) has awarded nearly 76 million dollars to assist state and local communities to beef up epidemiology and laboratories to better identify, track and respond to possible outbreaks of infectious disease. This is in addition to the 13.7 million dollars which was dispersed to local agencies in January, 2013.

The money will be used to hire more than a thousand full and part time epidemiologists, laboratory technicians and health information systems personnel. Noting that many outbreaks of infectious disease are first identified at the local level, the announcement states:
"The annual ELC investment provides public health officials with improved tools to respond to more outbreaks, conduct surveillance faster and prevent more illnesses and deaths from infectious diseases...This crucial CDC investment helps build a competent public health workforce, able surveillance systems, modern and efficient laboratory facilities and information networks."
More information on funding for specific states is available at this CDC website.

See MERS Watch for updated information on this topic.

Wednesday, August 14, 2013

Worldwide Health Groups Issue MERS Updates

Middle East Respiratory Syndrome (Middle East Respiratory Syndrome Coronavirus, or MERS-CoV; aka Novel Virus) has been quietly spreading on the Arabian Peninsula. There have been nearly a hundred confirmed cases so far, half fatal. (See Deadly New Virus Spreads Through Human Contact)

MERS Coronavirus
Photo from HO-US National Institute for Allergy and Infectious Diseases
Several health organizations, including The Center for Disease Controls (CDC), The World Health Organization (WHO) and The European Centre for Disease Prevention and Control (ECDC) have issued new guidelines or updated information regarding the dangerous MERS virus which has killed 45 people in the Arabian Peninsula and southern Europe, with the majority of deaths in Saudi Arabia.

Increased Testing for MERS Recommended:
The CDC updated its advice to health professionals, advising them to increase testing for MERS, including in those who meet specific epidemiological and clinical criteria even if those illnesses could be explained by another cause. They also recommend testing for the virus in clusters of severe acute respiratory illnesses, even when there is no apparent link to other MERS infections.

Nations Watch for Outbreaks as Ramadan Pilgrims Return From Saudi Arabia:
To date, 94 cases have been laboratory confirmed, with an additional sixteen unconfirmed.The WHO reports that new infections are still occurring in the Arabian Peninsula but there have been no known exported cases for several months. They urge vigilance however, as thousands of Ramadan pilgrims have recently returned from Saudi Arabia. Ramadan ended on August 8.

Update 08/16/2013:
In a possibly ominous sign, a forty year old man in Mumbai, India is suspected of contracting the MERS virus after returning to India from 35 days in Saudi Arabia. He is currently quarantined at Kasturba Hospital in Chinchpokli while testing for the virus is being conducted. 

Update: 08/18/2013: The suspected case from India (above) has tested negative for MERS. He is responding well to treatment and will be released soon. 

Majority of Saudi Cases Spread Through Human Contact:
In response to a recent report that camels may be spreading the virus, the ECDC issued a statement cautioning that no clear link has been found. In fact, most of those infected had no known contact with camels or other animals.

Much of the spread of the disease appears to be through human contact. According to this article from the New England Journal of Medicine, 21 of 23 confirmed cases in Saudi Arabia were caused by person to person contact in three different health care facilities and among family care givers.

See MERS Watch for updated information on this topic.

Monday, July 22, 2013

Emergency Flip-Flop Fix

This plastic bread tie can save your broken flip-flop
It's happened to everyone. You're out enjoying the summer with friends and family at the beach or park. Suddenly, with an awkward stumble, your cheap flip-flops break and you are left shoeless or spend the day repeatedly reassembling them and hoping they don't come apart (again.)

I recently learned a very clever trick for a quick and sturdy repair.

Find a plastic bread tie, the square, flat type with a hole and slit. They are commonly found on breads, rolls and buns.
Slide the button through the slit in the bread tie

Push the strap button through the hole and then, on the bottom of the shoe, slide on the bread tie through the slit. Position the flat plastic piece so it prevents the button from pulling out through the hole.

This simple repair should last a long time, at least until you can grab another pair of those cheap flip-flops.

Thursday, July 11, 2013

A Look Back at Ubuntu 5.10: Breezy Badger

What were you doing in October, 2005?

The original Ubuntu 5.10 CD set
as shipped by Canonical
The Mars Reconnaissance Orbiter was speeding towards Mars and clean up had just begun following Hurricane Katrina. A new Disneyland had opened in Hong Kong. A relatively new Linux upstart company called Canonical released Ubuntu 5.10, codenamed 'Breezy Badger'.

Breezy was the third release following 'Warty Warthog' (4.10; October, 2004) and Hoary Hedgehog (5.04). Ubuntu was built on the shoulders of Debian, but designed to be easy to use and updated regularly.

Live CDs were a new idea at this time. Knoppix had been loading a fully functional OS, complete with hardware detection (hurray!) for a while, but it was not designed to be installed on your system. It was Ubuntu who brought Live CDs to the masses.

In those early days, the Live CD and the Install CD were on separate disks. I came upon my old CDs (ordered free from Canonical in those days) and popped the 'Breezy' Live CD into my Asus netbook.

It still booted fine and hardware mostly worked. It didn't find either my wired or wireless connection and screen resolution was stubbornly stuck at 800 x 600, despite instructing it to use 1024 x 768. Both of these issues could probably have been fixed with a boot code or driver search. Mostly, it worked fine and fast. With system requirements of 2 GB hard drive space and 128 MB RAM, that isn't surprising.

Old Gnome 2.12.1 had that retro-looking blocky style and Ubuntu was experimenting with the brown theme which it would be well known for later. Compiz and it's whiz bang features for window compositing were still under development by Novell.

Many of us have ridden this Ubuntu train for many years. Sometimes we like the direction Canonical takes, sometimes we don't, but we usually can still customize our boxes to our liking. You can't help but smile as you look at how far we have come and yet how little has changed.

Here's some screenshots of Ubuntu 5.10 and some familiar apps as they appeared in 2005. Enjoy the trip down memory lane.

The Install CD and Live CD were separate
Early distros required a Linux boot floppy for installation.
Knoppix brought us on-the-fly hardware detection and setup.

Breezy boot screen.
Add your boot perimeters here.

The Breezy Desktop

Hardware support was sketchy in those days and Ubuntu began compiling their Hardware Database Collection.

Gnome 2.12.1 System Menu

Computer window

File System

A simple 'Add/Remove Programs' simplified software installation.

Synaptic looks familiar

If brown doesn't suit you,
you can change it in Theme Preferences

OpenOffice Writer was becoming a viable alternative to MS Word.
Breezy included OO 2.0 Beta 2

Calc could replace Excel for most tasks.

Firefox browser and Ubuntu home page.
It seems they have kept the promises they made all those years ago.

Firefox was gaining popularity with the public.
Breezy sported version 1.07 by default.

Gimp 2.2 provided a free image editing tool which rivaled Photoshop.

AisleRiot Solitaire hasn't changed much.

System Monitor shows the light footprint of those early applications.

Monday, May 20, 2013

What You Should Know About E-Waste Disposal

Electronics make our lives easier and have become pervasive in the 21st century. Prices have fallen to a level where many devices are considered nearly 'disposable' as they are frequently upgraded.

Electronic Waste, or e-waste, is everything from televisions to cell phones, laptop computers to hard drives.According to the EPA, of the 1,440,000 tons of e-waste generated in 2010, only 649,000 tons was recycled, or only 27%. Where does the rest go? A staggering 1,790,000 tons winds up in landfills in far off places like China, India and Africa. Barges loaded with tons of your discarded gadgets are dumped in many developing countries with loose environmental regulations.

An entire industry has grown up around picking through these mountains of electronic junk to collect metals, parts, and other recyclable materials. The health effects to the people who struggle to make a living doing this, and the consequences to the local environment is huge.

The city of Guiyu, China was once a rice farming village. It now is a major e-waste dumping ground and the local pollution has rendered the area unable to produce crops and poisoned the drinking water. According to Wikipedia:
"Many of the primitive recycling operations in Guiyu are toxic and dangerous to workers' health with 88% of children suffering from lead poisoning. Higher-than-average rates of miscarriage are also reported in the region. Workers use their bare hands to crack open electronics to strip away any parts that can be reused- including chips, or valuable metals such as gold, silver, etc. Workers also "cook" circuit boards to remove chips and solders, burn wires and other plastics to liberate metals such as copper; use highly corrosive and dangerous acid baths along the riverbanks to extract gold from the microchips; and sweep printer toner out of cartridges. 
Children are exposed to the dioxin-laden ash as the smoke billows around Guiyu, and finally settles on the area. The soil has been saturated with lead, chromium, tin, and other heavy metals. Discarded electronics lie in pools of toxins that leach into the groundwater, making it so polluted that the water is undrinkable. To remedy this, water must be trucked in from elsewhere."
Aside from the environmental impacts, a huge amount of personal data remains on these devices and can be retrieved and sold on the black market. In fact, your old hard drive could be worth as much as $200 USD to criminal organizations which use the information for identity theft, fraud and blackmail.

According to David Brown, manager of Tech Guys in California, most people don't consider what happens to their data after the computer becomes obsolete. "We remove confidential information from donated machines every day," he said. (see Discarded Computers Reveal Your Secrets 10/03/2011)

Cities like Guiyu exist all over the developing world. They are slowly poisoning the environment and the people who live there while providing rich picking for identity thieves. What can you do to make sure your old electronics are disposed of safely?

Be sure to donate your old equipment to a reputable e-waste recycling company which has been certified through the EPA. Ask for your old hard drive back when you upgrade or remove it from the machine before you donate. You can wipe your hard drives' data using a powerful and free program like 'Darik's Boot and Nuke', (DBAN

In the Butte County, California, area your choices for certified e-waste disposal include 'All Green Recycling' at 800-780-0347 and 'Computers for Classrooms' at 530-895-4175 or you can search for e-waste recycling for more options.

Saturday, March 9, 2013

Deadly New Virus Spreads Through Human Contact

UPDATE: August 10, 2013 - Camels Suspected of Spreading the Deadly Virus
  • Camels are suspected to be carriers of Middle East Respitory Syndrome (MERS, previously called Novel Coronavirus) and may be responsible for some human infections.
  • MERS has sickened at least 94 people worldwide and claimed 46 lives.
MERS-CoV virus (Wikipedia article)
According to this BBC report, infected camels may be capable of passing the virus to humans. Blood samples were taken from livestock worldwide. Antibodies to the virus were discovered in camels from Oman and Spain, suggesting the virus has become widespread in that region. Antibodies were not found in sheep, goats, cattle or other animals.

Original Article:

A previously unknown virus, nicknamed the 'Novel Coronavirus' has been blamed for the deaths of eight people and is capable of being transmitted directly through person to person contact.

The new virus, known as  HCoV-EMC, is from a family of coronaviruses which are responsible for the common cold and the SARS virus which killed more than 800 people worldwide during an outbreak in 2002 and 2003. It is genetically related to a type found in bats and the unusual virus seems to have mutated to a form which is capable of not only infecting humans, but alarmingly, can be spread from human contact alone.

The international medical community has been aware of the new illness since last year when it broke out in the middle east. At that time, eleven cases were reported including five deaths. Until now, it was unclear if the outbreak clusters were due to personal transmission or if they were all exposed to the same non-human source.

Now, the death of a man in Britain has ended all doubt. The BBC has reported the first cases of transmission of the Novel Coronavirus through close contact with an infected person. An ill man returning from Pakistan infected two of his sons. One later died, possibly complicated by a previous medical condition.

Officials in the UK have located all fellow passengers on the man's flight from Pakistan and are checking to see if any of those may have also been infected.

Currently there are only 14 known cases worldwide, with limited and clustered outbreaks reported in Saudi Arabia, Qatar, Jordan, and the United Kingdom. Eight of those victims have died.

Most of those sickened experienced severe lower respiratory symptoms with one instance of a mild infection where the victim recovered without medical treatment.

There are no travel restrictions currently in place, but the Center for Disease Control (CDC) is asking health professionals to report cases of acute respiratory infection in persons who have travelled to the Arabian Peninsula within the previous 10 days, or anyone who may have had close contact with persons who have recently returned from the Arabian Peninsula or neighbouring countries. More information can be found in this FAQ from the CDC.

See MERS Watch for updated information on this topic.

Image: coronaviruses 004 lores.jpg: