"Open source is less secure because everyone can see it" Ah, but you see, that is exactly what makes it more secure. Windows vulnerabilities get discovered when a new attack is launched. Linux vulnerabilities get discovered by inspection, patched and then blogged about to share expertise
This is also the same reason why Linux is less secure than BSDs. Anyone can push code. There's now so much of it it's difficult to go back and fix known vulnerabilities. If there was less code (BSD) it's easier to maintain.
What would happen if the linus allowed backdoors in Linux: 1. Someone would find it 2. They would fix it and push it back to the official repository 3. If Linus refuses, then someone would just fork linux and fix the bug and then we would have the Linux kernel and some other forked kernel like LibreLinux of SafeLinux, or some other stupid shit. Basically it's in nobody's interest except the NSA's.
The simple answer is that nobody is using Linux for case management, the original PROMIS was coded with grant money so is actually technically open-source and its all one big backdoor...
@TheJooomes's-comment/post "Windows doesn't have a backdoor, it has a loading dock.": And every new version, they make it prettier and more welcoming for snoopers and peeping-toms :-) . Right-now?, they have a loading-dock[/loading-bay] with a VERY fancy Welcome-mat, a red-carpet fancier than the ones they use at Hollywood, free drinks, and all this other stuff.
Windows 8 and 10 are two greatest things that happened to the computer world in last decade. It made so many developers turn away in disgust and pushed so many people to switch to Linux.
I use debian and freebsd for servers. But for desktop, not a single distro can ever compare to windows. They suck ass so bad. Although it is hopeful that linux will catch up in 5 years.
Oh man you have no idea. I was so mad with what's been happening with Windows 10 I migrated to Arch Linux. I've been using Windows for many years and this year, Microsoft started forcing Windows 7 and 8 users to migrate to 10 by stopping these operating systems from getting updates. Do a factory reset of a Windows 7 OS and you'll see that I'm right; it happened last week with my laptop. Windows 7 may be ending extended support in 3 years, but this is unacceptable. The amount of data collection by Microsoft is also unwarranted. Microsoft, *I'm done.*
ikr? I am a somewhat novice user of Linux and I have to say there is no way in any universe that the backdoor would go unnoticed (especially by people that like to look at kernel source just for fun)
I wouldn't be so sure. Remember how Dennis Ritchie put a backdoor into Unix for service purposes? You could remove it from the compiler source, remove it from the kernel source and then when the compiler compiled either, it would just pop it back in again. The backdoor in the kernel and the instructions to add the the backdoor to the compiler when it recognised it was compiling the kernel. The only way to see it was to disassemble the kernel. But you could also just modify the OS to snip out the assembly for the backdoor when reading the kernel. Then it would be practically undetectable. The classic rootkit approach. Although obviously you would have to make it so when reading for copying or writing to tape or serving it over ftp it wouldn't snip out the backdoor. The only way to detect it then would be to read the file on a computer that doesn't use your kernel.
To my memory it wasn't Ritchie who did that, it was Ken Thompson. But the GCC compiler itself is open source as is Watcom and most other compilers, so that's avoidable as well. Just don't use any compiler that Ken Thompson pre-compiled for you...lol
It's a "warrant canary". People aren't allowed to say yes so you need to watch and see whether they say no, if they don't directly say no then it is an indirect yes.
Luckily Linus Torvalds is as paranoid and honorable as I want him to be not to let any malicious code influence his lifetime work and at the same time tell us indirectly that there are people wo want him to. I love Linux =)
You are right. He is adamant about security. However, the NSA would never have given Linus the choice _not_ to include a backdoor, no matter how adamant he was. He simply didn't have the ability to hide any backdoor from his community, and the NSA would have a scaling problem trying to bribe a rotating roster of thousands of individual volunteers. Linus accidentally had the perfect excuse not to help the NSA, by deciding to share his work.
@@tech-nomade yo dont need to check every line, every time, just check commits... theres tons of people eyeing the code, im pretty sure someone would notice.
@@yasserarguelles6117 At least I'm not that naive. If you want me to convince - prove it. Otherwise I have to assume that Linux Kernel might be full of malware.
@@yasserarguelles6117 ... which on the other hand doesn't mean I'm not using it and it's worse than macOS or Windows. I just don't like those fairytales about Linux being super secure because it's open source.
Strange, the NSAkey was a whole panic among the IT guys at my school, and I also caught wind of it out of interest. Luckily I don’t use windows anymore, though.
literally the only way she could spin the argument in her favor is if she said "by making software open source it becomes much easier for ill-intentioned people to find security flaws in the code and exploit it", and even then there's the counter-argument that in the case such security flaw is found in closed source software it'll also likely take much longer for the vulnerability to be known and fixed.
I absolutely agree, but to play devils advocate even further, there is potential for problems with the inconsistency of how distributions (mostly regarding linux based systems) are able to tackle vulnerabilities in a timely manner. As most users are using Debian or Fedora derivations, with dedicated security teams this is in practice perhaps not that big of an issue. But while Archlinux based distro have a good track record as far as I'm aware they probably are more reliant on upstream.
@@BattousaiHBr I would say that criminals and government agencies are far more inclined to find vulns in proprietary software than people with a genuine interest in fixing vulns. Closed source makes finding vulns harder for everyone, but more so for bug fixers.
"Linus Torvalds was approached by NSA for backdoor in Linux" Oh, ok, so the NSA has no idea what opensource software is. That's like saying "go hide in that glass house"
It's not even a glass house, glass is mostly transparent but does absorb some light. It's more like saying "go hide by standing straight up in the middle of that open field"
Well.. that’s true if they tried to directly put in a back door without disguising it as a genuine update. Bugs are natural back doors which hide in plain sight until someone notices it. The NSA just needs an insidiously “bug prone” kernel developer, who’s otherwise an excellent developer that people trust. It just boils down to the arms race of patching vs exploiting.
That's why one university tried to hide a backdoor in various other patches to see if it's possible to actually do that. That university is now banned from contributing.
@@Littlefighter1911 The University of Minnesota tried to introduce vulnerabilities to the Linux kernel disguised as regular updates, but the community caught them and prevented the "hypocrite commits" from being implemented.
Why am i not surprised the MS women is claiming open soure is less secure than closed source. And no one can tell me MS has no "NSA backdoors" in Windows.
Cold Dark it is probably one of those legal statements where they use the structure of the sentence to dodge having to tell the truth. if it is a MS backdoor that the NSA is welcome to use then she was not telling a lie. so the direct question of NSA backdoor can be shot down as it is "not for the NSA" and thus not an NSA backdoor so MS is being straight. but we all know no matter what name it goes by the fact is we have seen proof that MS has worked directly with them and there are backdoors and as she said she could not tell you about them anyway so her answers are wastes of time. the best part is her saying she would not be able to discuss if there was one and then says there is not one.. so really there is no way to build trust at all. a total contradiction of what she said she wanted to do work on with customers.
+Botrax - This is why I will not upgrade to Windows 10... Ive been moving to Linux. Im getting the fuck off the microsoft train and hopping on the express track to Linux. and yes im choosing the selection button that says "Encrypt installation" when installing.
+RecordTrance They are "updating" (or already have "updated") Windows 7 and 8 for the same data collection. Staying away from Windows 10 isn't enough to protect our data. I am using Linux Mint now, dual booting into Windows for a few games that won't play properly in Linux BUT with the Wifi turned off when in Windows (I am not doing this just because of the data collection, I also have wifi turned off in Windows because every time they sent an update, it broke something else in the system... no wifi, no "updates.")
i dont understand how people so easily believe this. if you understand how open source works you know that a community of tens of thousands of people checking over code, poking around for bugs/security risk etc, vs a microsoft support team of 30 idiots (not literally but seams like it alot) working 8 hrs a day but mainly just punching the clock..... more eyes, more passion, people who actually care..... no comparison....
That's why Linux and Android so secure than windows aren't they? Remember the wannacry virus? It was just because of a closed source software and it's vulnerability. Were it open source, it would have been detected and fixed earlier. No other os has had that kind of infection.
The Snowden documents shows that Microsoft was one of the first tech companies to agree to NSAs backdoors... It is impossible to trust closed software. Obviously, any closed software provider will fervently deny that their software contains backdoors, even when it's obvious it is so. In fact, you have to assume that there are backdoors in all closed software of any importance, it's simply too important to ignore for an organisation like the NSA. Open source software isn't exactly easy to review or trust either but at least it's possible.
@@flashfire4 In a world where NSA can send you a national security letter and an accompanying gag order and get everything you have without you being able to tell anyone, yes, closed source software is untrustworthy.
2:08 Nils Torvalds, father of Linux founder Linus Torvalds speaking about his son Linus: Some guy asked Linus "Have you been approached by the NSA about backdoors?" Linus answered "no", but at the same time he nodded.
The idea that FOSS software is vulnerable compared to closed source software is genuine FUD! If a backdoor was found in open sourced software it would be fixed by the community and it would be sent upstream so everyone can benefit from the added security.
even my backup.. backup.. backup android phone (htc sensation) received the WPA KRACK patch from the community (not htc). i sure confirm your statement. sadly there are always companies that decide some devices are not worth patching be it IoT, Smartphones, Smarthome, Cars, Tablets and other stuff.
The key word in your comment is 'if'. We're not talking about a piece of code that's only purpose is to be a backdoor, because that could easily be found, no what we're talking about is a few low-key vulnerabilities that together could make for a backdoor.
I love that he actually understands what he's talking about. He did not forget what everyone else seems to forget - that bugs have huge potential to become backdoors as well.
I would say there's a fundamental difference between a backdoor that's purposefully built into and concealed within a software system, with the express intention of securing secret access to that system to some undisclosed party, that is, knowingly withholding that information from the user of the system, and an accidental programming flaw that produces a security vulnerability that unintentionally provides access to some random party that happens to find it. Intentional vs accidental. Quite an important difference.
nope - it is the kernel but - will the kernel-supporting software stay public / open-source - if more corps - also Microsoft - implement opensource elements in their commercial products..
@ippos_khloros It isn't an os or a collection of os, it is just a kernal that operating systems can be built upon. Chrome os and Android are also built on the Linux kernal, operating systems like unbuntu or mint or manjaro are technically Gnu/Linux but poeple just call them Linux for short.
"bug backdoors" are entirely false - microsoft designed their backdoors to look like bugs. they were just as well documented as the most well-written API.
What is most interesting about this is that Microsoft just admitted to having backdoors in their products. They claimed that they don't give governments access to those backdoors unless they deem it necessary or they don't have a choice, but they have those backdoors nonetheless.
i think they mean that it is hard to ensure that no aspect of your code can be successfully exploited and caused to misbehave - not that they deliberately create code that explicitly grants alternate hidden access-channels.
To believe that any corporation would protect you from the government is incredibly naive. That's why open source is so good for security. Linus couldn't rat you out even if he tried.
Wait ... WHAT? Listen at the part of her answer at 6:06 ... she says "If there was one (NSA backdoor), then I assume that I am not allowed to be told because it's part of the secret rules which I have to apply not to talk ... but I tell you that there is no backdoors." So basically she says that if there were an NSA backdoor she would either not know or would not be allowed to talk about it - but then states that there are no such backdoors!?
@Dex4Sure What are you talking about, he has some big threadripper rig now. Him touching an apple device to display a slideshow doesn't imply he doesn't use linux. Now, a lot of people with big seats on the linux foundation don't use linux, but remember, companies at microsoft bought their seats there, so those placeholders guys don't even need to know and understand linux, but that's another topic.
@@otljaymz3611 The FBI has the 2nd largest collection of child porn on Earth...(The Vatican being the 1st..) Do you know why the FBI collects and keeps all the child porn? ..So they can place it anywhere they want on anyones property that they want to takedown through digital backdoors.,. The FBI is the largest home grown terror organization in America. They are actively staging terror attacks and shootings on Americans in order to justify legislatively removing Liberty in the name of safety.. These sub human sacks of shit have NO problem putting child porn on your computer if they need you silenced for any reason. - who the fuck do you think murdered Jeffery Esptien?? ...The FBI/Mossad.
Microsoft representatives are manipulating the meaning of the word backdoor. They are exclusively stating that backdoors are program bugs meaning that if you actually deliberately program a backdoor then it effectively is not a backdoor but a feature. Clever play on words.
@@StellaEFZ yes, but no QA system test is complete. The QA process assumes that there is a limited amount of effort/time/other resources to test for, and that if a bug is not found early and is easily documentable, then it's not a bug that deserves a QA flag.
Last week Microsoft closed a -backdoor- bug enabling anyone to take control of any Exchange server. And it was used by nefarious foreign hacker groups. Let's get serious: any backdoor for NSA will be used by other actors on the long run, this should stop. Kudos for Linus and his father.
NSA computer guys are mainly hackers from my understanding, so I don't think they actually need any deliberate backdoor to begin with, as they have already plenty of attack surface to play with as you mentioned. Though I do think that the idea of a backdoor can be implemented in a rather secure manner. sshd can be seen a backdoor server. The obvious issue is what happens when the master private key gets compromised. Linux package manager keys are highly sensitive, and can be seen as an authority over a large group of systems. Similar issues can happen with website certificates being tampered with and/or stolen. I don't think any approach is truly secure unless cutting internet access off. About Windows having backdoors, I actually don't know about this. Proving that can be challenging but a motivated hacker could very well decompile the code of some critical sections of Windows to figure that out. I think a huge issue for NSA is that they operate very similarly to black hat hackers and these other foreign hackers, governmental or not. They have no motivation to patch backdoors they figured out. They exploit them for their own interest instead.
@@HyperMario64 they also have an incredible budget to create backdoors, billions on the long-run in fact, adding to that is their capacity to use personal information and intimate access to -blackmail- convince devs. And I totally respect the hackers they have, the NSA is probably the most advanced organisation in this matter, with brilliant if not genius people. sha[-0] was briliant but was broke, sha-1 is incredible. You have to respect your adversary, and understand its strength and its goals.
The irony is that Security Enhanced Linux is written by the NSA, but still source-code eyeballed and tested by people around the world so not much chance of any backdoor going undetected.
@@xxXXuser69420XXxx Enlighten me what it is. And I don't think I will change my mind on downloading linux from agency that actively tries to spy on people
Let's give an analogy: What if Linux Foundation and Microsoft were construction companies instead of IT-firms and an intelligence agency asked for a physical secret door to every building they construct. Microsoft could do it because their business-model gives their customers a pre-built building. Linux-foundation only gives the blue-prints on how to make the building and anyone with any construction skills can see the design-flaws that's left there
Disagree. Microsoft would build the whole thing for you and only tell you about the things they want you to know about. Linux would build the building as well and let you inspect the entire process of building as well as showing all the blueprints
Microsoft would eject you out of the building every two weeks because of mandatory maintenance to the building. Microsoft would only give you access to certain rooms and floors. Microsoft would open and close doors, and when you ask to change this programming, flat-out denies this request. Microsoft doesn't let you put your name on the building, it puts its own name on the building. You don't own the building, you are just a renter. Microsoft purposefully breaks a window or two every week, so that eventually, you're inclined to purchase a new and "improved" version of the same building. This time, with more floors you can't access, more programming you can't change, and more proprietary stuff to your left, right, and center.
Microsoft admitted they had back doors. They spent a great deal of time explaining how they comply with legal requests, court orders, to access customer information. We still don't know if they're accessing our data without our knowledge.
"There's no backdoors" If a subpoena can get private user information via compliance by MS, then the software is insecure even if it isn't explicitly backdoored.
NSA: "Hey Linus, we need you to put backdoors in Linux" Linus: * *uncontrolled laughter* * NSA: "What's so funny?" Linus: * *Hands over "Open-Source For Dummies" book* * New Linux Kernel Source: /** * NAS Dack Boor Section **/
They have simply bypassed all kernels and gone straight for UEFI and Hypervisors. As well, the residential gateways, DSL(siemens especially), Cable, Fiber are all, no doubt, comprised.
Yeah I find it very funny how Linux fanboys are pushing for Linux for security, when it doesn't even matter anymore because the very processor you are running your PC on has already pledged allegiance to NSA
@@AhnafAbdullah Well not _really,_ there's little a processor or UEFI or motherboard can really do if the OS is designed correctly. Also, people are praising Linux for its security from hackers and not the NSA.
@@RadikAlice i think the point Adam was making was, at least the EU politicians know enough about technologies to talk about them without sounding clueless. compare this to the zucc's hearing in the senate, all the people questioning him had no idea what they were talking about.
There should be more discussion upon the ethics of hardware level intrusion by Intel and AMD. Libreboot should be the norm. The potential for abuse is too high, absolute power corrupts absolutely.
The Intel Management Engine was originally intended (as its name implies) for enabling remote management of computers owned by corporate offices. However, this capability has the potential to be abused...
One big difference is that the good folks at "open source" are not actively trying to screw us. The same cannot be said about Microsoft and Apple where best case scenario, "we" are the product. Worst case scenario, well, I hate to think about it. Again, the difference here is that Microsoft and Apple are working against our best interest and/or certainly in their best interest.
+Jan Věrný But those kind of bugs are more easily found when every single person in the world with programming knowledge can look through the code and help out maintain it. When you have closed source software there may only be 50 persons who keep the code maintained, maby less. Then its clearly the safest to use open source software.
Screw You And how can you prove this? Why wasn´t heartbleed found sooner? The problem I have with claims of this backdoor free, more secure open sourced software is no one can prove it. I can say with the same amount of evidence (none) that because the code is open, hackers can more easily find the security flaws. I like open source, but for different reasons, since I am not convinced that openness brings that much more security over closed professionally maintained code.
Jan Věrný At open-source, the minute that something is found, it is posted. The developers themselves are usually the ones that find it, but also the community. They then work together to resolve. You yourself can join in and see everything that is going on. Can the same be said about Microsoft & Apple? they will stay tight lipped until an independent finds it. This faith you have in Microsoft & Apple is sorrily misplaced.
I'm not sure the story is true that the NSA approached Linus for a backdoor into Linux. Here is why: Linus has the oversight of the main line kernel. Nothing more. The kernel is open software with a developer hierarchy that is transparent. Anybody at all times can see the patches made to the kernel. Most people use popular distributions of Linux which derive their Kernels (but modify) from the Linus's kernel. (but they are also open source). This means if one wants to install a backdoor, thousands of developers will need to turn a blind eye. This is impossible. The NSA knows this (it is that obvious). It's much easier to approach KDE or Gnome developers, as less people will view their software. But it's also open software. So also not a good group to ask. The best group of people to ask for a backdoor is the guys that build distributions. But that is also open source for most distributions and there are signature keys to check if binaries (executables) match the source code. Lastly, the NSA can try to ask Nvidia if they are willing to add a backdoor. But that is unlikely because many people watch what these drivers do. Backdoors are only useful in combination with networking. So as a conclusion: dedicated backdoors (and involving people to do so) into Linux is very, very, very unlikely. It's much easier to exploit bad code and it's bugs. Everybody (should) in security knows this.
The NSA is never going to approach KDE and GNOME to implement a backdoor. Those aren't the systems they're targeting. They're likely targeting certain very specific devices which use custom Linux installations. The only way they'd be able to benefit from a backdoor then is to try and sneak one into the kernel itself.
Even if the Windows didn't had a backdoors which they do It would be pointless One critical backdoor is built into Intel CPUs and AMDs motherboards since 2008
Actually, a bit earlier than that. Think it all changed with the 2001 patriot act, and the sudden change in hardware lines from AMD/Intel in the same month. Untested, but suspected.
"what is a backdoor?" You can't be seriously insinuating it's not clear enough. It's a way to bypass system security that is placed there by the author of the software (intentionally or unintentionally).
Lol! she says that open source software might be more vulnerable than propriety software. Nmap Microsoft servers for OS guess and see how they are NOT using windows, curious.
simonbour Well, it may as well be true, speaking purely hypothetically of course, because let´s MS says to NSA: "No backdoors", then they´re screwed. But Linus says to NSA: "No backdoors", well, they can just submit new code to be implemented over and over and one day maybe they´ll have their own backdoor, of course the Linux community will discover it in about a year or so, but by that time another one may pass,....
@@JanVerny but don't forget that once one backdoor is found, all commits by the same group are instantly not trusted and checked intensely. I also don't doubt that because it's the NSA, some people would look at it a bit more closely.
2:55 this is the correct point. NSA does not implement a backdoor that says NsaBackdoorW32Run(arg). They introduce little bug that you can exploit and that are not obvious to other coders. Especially if you only ever have a handful of people look at the code because it's closed source. And even if you find that planted bug, it's just some coder who did a mistake.
"Did you know of any program that behaves like that?" "We had no part in ..." *clarifies question multiple times* "I think you should be asking..." So... they knew about it? I'm not exactly sure what this is about, but why don't they just lie? They dance around the truth and give themselves away, why don't they lie?
AFAICT, if they tell the truth, they get in trouble with the NSA, but if they lie, they get in trouble with the EU, so they have to hint at the truth without explicitly saying it.
NSA just went upstream for the backdoor. NSA has both Intel's ME and AMD's PSP and Acorn/ARM has belonged to the British government since it started in the 70's. Now they don't care what OS you run; they're on the silicon itself.
Honestly I'm cool with that. I consider the equivalent to no knock raids. They should require a warrant every time they backdoor into someone's property tho. From what iv read, their not spying on people, but rather have it incase they can exploit it when a country like Iran or China starts using these chips in anything that pertains to national security. Backdoors are common knowledge. If the gov didn't want us to know abt their bsckdoors, we wouldn't know.
The correct response to any request for private user information should be "we can't give you any information." Not "we refuse" but "it's not possible for us to do so."
This reminds me of the knights and the knaves. She basically admitted to being a knave. Also, she's giving standard answers by saying that open source is more vulnerable. That is categorically untrue.
When large powerful and wealthy organisations are being queried about dubious practices, they field people who are genuinely ignorant of such matters, but are highly educated on the official line, to be repeated ad nauseam.
What is this? I mean, the actual meeting, who are they kind of thing? I'd be dead interested in watching more of these conferences or whatever you'd call them.
Yeah @TFiR should have really gave more context in the video description. Through Nils Torvalds wiki page I was able to determine that this was the 'LIBE Committee Inquiry on Electronic Mass Surveillance of EU Citizens[24] - 11th Hearing, 11 November 2013' but I still don't know who the woman saying "there's no backdoor" is.
"it's all about trust" according to Microsoft. That's a relief because Microsoft is of course completely trustworthy. for instance they promised for three versions of Windows that there was preemptive multitasking at the heart of windows and everybody in the audience that I was in who heard that claim, laughed.
the backdoor is built into your intel or amd chip at the hardware level with the the Intel Management Engine and the AMD Platform Security Processor so having totally secure software is irrelevant
@@lewis_base they are linked with menioned engines, but the security problem is still there, as those engines are physical chips on the motherboard, that run proprietary MINIX that has exclusive OS-independent access to your system RAM, network card and other hardware. thus, you cant monitor what the engine is doing from a perspective of an OS. and since these chips OS is closed-source, it may have vulnerabilities, which, if detected, might be abused to infect/compromise security of x86-64 systems all over the world. all amd and intel-compatible motherboards since around 2010 have those engines. this is also the reason why libreboot cant be installed on modern laptops, since now you cant even disable intel ME with custom bios
also I dont agree, simply because those engines are for governments, that are not going after you, at least not yet. but you still need a more efficient system where you have all the control. and yes, truly good security is very costly(at this point you might go full isolated from outside world and store everything important on an offline machine). and yet, open source is still much better for your daily tasks if you're willing to learn, it's not that hard really in the modern era
The NSA would require a software company to neither confirm nor deny the existence of a backdoor. The fact that they are denying the accusation, as opposed to a 'no comment' or 'cannot disclose' says they are either truthful or lying uneccessarily.
Not the NSA. The NSA would absolutely tell them to deny, deny, deny. Once you get into the deeper levels of government, especially when they are doing highly illegal things, all of that sides peak goes out the window.
5:20 Completely False 5:35 Completely False (Closed source software is not inherantly safer than open source software) Example Compare the number of existing viruses for Windows closed source system vs. Linux open source system. Guess what the number of viruses for windows in the MILLIONS, over 7 digits and for Linux it's less than 100, ... only 2 digits The difference is huge!
Yes, she just easily said that open source means that anyone can read code and find vulnerability, How she just said, if millions people can't able to find such vulnerability then she think one men can able to find. ( By Millions means their contributor ). And yes, linux is highly secure this is why most major tech giant company like Oracle, Google using linux instead windows.
You are right, but your example is not very good. Not only there are other, more likely reasons on why Windows gets more malware (mind you that Windows is orders of magnitude more popular than GNU/Linux), but also, there are notorious examples of security issues within Open Source products. Remember OpenSSL (heartbleed), Android (Stagefright, FakeID, others) etc...
@@searcyredd9520 During my internship, I saw Linux Desktops in Amazon for tech and non tech employees as their main computers. So there is a possibility of that happening.
I think NSA could commit an binary blob to the kernel as Netflix and such did with DRM. Linux has parts that are proprietary software, granted you can disable those modules
I see what you're saying, but just so you know, the kernel itself is FOSS. Yes, Linux systems may load proprietary kernel-mode drivers. As more drivers move to user-mode, such backdoor will be mitigated. Additionally, it is beyind impossible to hide such a thing; just use a kernel debugger and watch syscalls or watch network traffic externally. Due to self-protection features in the kernel and modern CPU hardware, no way the NSA could use the whole kernel address space to hide the infection either.
Linus and his people are correct, open source is potentially more dangerous to be hacked. So, not allowing a back door or limiting access via their servers is paramount in protecting users. I suspect some government agencies and companies are trying to find a way to hack Linux systems, either for their own gain or to obtain information.
These people have obviously never heard of IDA and reverse engineering… For all of the windows driver and the kernel there are PDBs available to make it even easier to reverse the files.
potentially, yes. and no, not everything. learn about coreboot/libreboot devices. and other architectures, since amd/intel me is only for x86_64 systems
"You show some governments your source code, but they can't verify that THAT source code is the same that gets compiled into the distributed binary." Compile the source code and compare the resulting binary with the retail version?
The first speaker says it's impossible to verify whether the source code they are being shown is the same as in the applications. This is NOT ACCURATE. You can simply do the following: 1. Compile the application from the source code they give you. 2. Hash the compiled application and hash any copy of the application you want to verify. 3. If the hashes match, it's verified.
the problem is that the source code they are shown might not be the same as what is going to be used in prod (just changing some config files the source uses, but not actually changing the source, will change compiled program). you can get around this, but not all applications will be designed like that (to use env variables for instance) unless they are given the exact source and configuration that is used for production compilation (which could have secrets in it), they wont be able to verify it
It is possible to verify it. Surely, you could just read the instructions as they were loaded into ram and compare them with compiled byte code from the non-backdoor source
Few problems: That would only detect monkey patched backdoor but it would not verify that there is no backdoor in the source. This is the MAIN problem. Why it would need to be monkey patched anyway. And secondly if you don't have the source, then this approach is pointless. And thirdly checking byte code in a scale of OS would take ages, in practical terms impossible.
In ASM you can see only params but just use IDAPro and custom naming convention to understand. just write quick little script in python or js deobfuscates string and address based fuckery. how do you think scene keygen is made?
If you want to see backdoors , connected the host to an vpn network and lunch tcpdump on the gateway , it’s amazing what you will discover especially windows a lot calls back home
Outlook is designed to spread viruses, it ignores the file content of attachments, it allows scripting for automation. Its over powered for most users.
microsoft doesn't need a back door into windows for the nsa, the front door is open. Even for linux a back door is not necessary when most users use other programs that have their front doors open.
Probably best to do a search on: Ken Thompson's "Reflections on Trusting Trust" To think Linux (even versions without systemD) don't already have multiple backdoors is very Naive.
if there are backdoors, people will know it because it is an open source code, its just the matter of time some programmer will find out the backdoors from the open source code
To everyone that keeps claiming that backdoors in Linux are impossible just because it's open source, absolutely not even close to true. Innocuous memory errors which can lead to severe exploits have gotten into the kernel on numerous occasions, and I don't imagine a skilled programmer would have a hard time disguising one in such a way that it just appears like a small mistake, if it's noticed at all. Someone with good knowledge of compiler optimizations could probably even design a piece of code that on the surface looks perfectly memory safe, but in reality is not after certain (legal) optimizations that rely on obscure UB are run.
i liked the guy who said i'm busy doing a status update telling that he is in the same room as Linus Torvalds's dad, seems like linus has some supporters(fans) in every corner of the world.
There is no scientific method for telling if a person is lying. However, you don't need to read anything to intuit that a representative for a company that relies entirely on intellectual property is never telling the whole truth about anything.
The claims that "open source software is more vulnerable because anybody could easily develop exploits when the source is available" (or similar wording) really make me laugh. I wish everybody understood that there is no such thing as securiry from obscurity.
You know, theres a clear difference between having some entity, that accesses data and changes it to where there could be a case of security breach between the user/client/software relationship and the user not being able to check him or herself who changed what and what was changed and where that change took place and who overlooked this change! Theres the difference between private entities taking private changes in private circles between private people to put it hyperboly!
I'm a software engineer. The reason why proprietary software doesn't have back-doors is very simple, they're written so poorly that they don't need it. A toddler could've access to most proprietary software in mere minutes. Proprietary code is written by frustrated and stressed developers being micromanaged by a tech illiterate baboon. Open source code is written by relaxed developers, that want to write some honorable clean code. Open source is the way to go!
@@timmy7201 Wasn't it obvious? Proprietary software does have backdoors, Windows being the biggest player. If Autodesk has a way to know how many pirated copies of their niche software are being used, what makes you think that Windows, a software used by billions of people, don't have backdoors?
@@GoldSrc_ I recommend you read my previous comment again. I'm joking about proprietary software (Windows) being so badly coded, everything becomes a backdoor. Or at least that's my experience working as a software engineer. Management wants everything fast, rather than good. Problems, issues and bugs are left in with the idea to patch them later on. Proprietary commercial software is a mess... I work on a lot of open-source projects in my free time, I've never seen such amounts of clean code at my full time jobs...
@@timmy7201 You are deluded if you think Windows doesn't have backdoors in place, backdoors that were put in place because the goverment asked for them.
"Open source is less secure because everyone can see it"
Ah, but you see, that is exactly what makes it more secure. Windows vulnerabilities get discovered when a new attack is launched. Linux vulnerabilities get discovered by inspection, patched and then blogged about to share expertise
You can have a schematic of the most secure bank in the world, that doesn't mean you'll be able to break into it.
Half true... it all depends on how diligent and thorough the community is and how quickly vulnerabilities are patched when discovered.
@@Woodside235 the difference is also that changing the building is hard, while upgrading the software is much easier.
it's both more and less secure in different ways
This is also the same reason why Linux is less secure than BSDs. Anyone can push code. There's now so much of it it's difficult to go back and fix known vulnerabilities. If there was less code (BSD) it's easier to maintain.
What would happen if the linus allowed backdoors in Linux:
1. Someone would find it
2. They would fix it and push it back to the official repository
3. If Linus refuses, then someone would just fork linux and fix the bug and then we would have the Linux kernel and some other forked kernel like LibreLinux of SafeLinux, or some other stupid shit.
Basically it's in nobody's interest except the NSA's.
The simple answer is that nobody is using Linux for case management, the original PROMIS was coded with grant money so is actually technically open-source and its all one big backdoor...
Linus has no control over today's linux versions
@Jon Doe Oh no, you're totally right. I posted that as way of sort of refuting the implied fud in the OP comment of the thread.
Account YEAH THEY WOULD FIND IT BUT THATS NOT WHAT HAPPENED TO UBUNTU
the Power and Beauty of Open Source Software.
Windows doesn't have a backdoor, it has a loading dock.
It has a badonkadonk.
Actually hilarious. Had me in the first half not gonna lie
@TheJooomes's-comment/post "Windows doesn't have a backdoor, it has a loading dock.":
And every new version, they make it prettier and more welcoming for snoopers and peeping-toms :-) . Right-now?, they have a loading-dock[/loading-bay] with a VERY fancy Welcome-mat, a red-carpet fancier than the ones they use at Hollywood, free drinks, and all this other stuff.
Just like pretty much any cloud service does. Apple, Google, Meta, Microsoft, and many others - take your pick
Where?
Windows 8 and 10 are two greatest things that happened to the computer world in last decade. It made so many developers turn away in disgust and pushed so many people to switch to Linux.
I use debian and freebsd for servers. But for desktop, not a single distro can ever compare to windows. They suck ass so bad. Although it is hopeful that linux will catch up in 5 years.
Oh man you have no idea. I was so mad with what's been happening with Windows 10 I migrated to Arch Linux. I've been using Windows for many years and this year, Microsoft started forcing Windows 7 and 8 users to migrate to 10 by stopping these operating systems from getting updates. Do a factory reset of a Windows 7 OS and you'll see that I'm right; it happened last week with my laptop. Windows 7 may be ending extended support in 3 years, but this is unacceptable. The amount of data collection by Microsoft is also unwarranted. Microsoft, *I'm done.*
kind of tge
xubuntu is way better and faster and controllable
Of course i tried that. The last opportunity i gave just the day before I posted. Error after the first update. Ubuntu has gone too far.
When Microsft closes a backdoor, they open a Window
Epic!
@ I have no words.
Great Comment!!
🤣🤣🤣🤣🤣🤣
Apple will call it a feature. Ahahah
how did the nsa expect to get a backdoor into linux without the community noticing..? lol
ikr? I am a somewhat novice user of Linux and I have to say there is no way in any universe that the backdoor would go unnoticed (especially by people that like to look at kernel source just for fun)
I wouldn't be so sure. Remember how Dennis Ritchie put a backdoor into Unix for service purposes? You could remove it from the compiler source, remove it from the kernel source and then when the compiler compiled either, it would just pop it back in again. The backdoor in the kernel and the instructions to add the the backdoor to the compiler when it recognised it was compiling the kernel. The only way to see it was to disassemble the kernel. But you could also just modify the OS to snip out the assembly for the backdoor when reading the kernel. Then it would be practically undetectable. The classic rootkit approach. Although obviously you would have to make it so when reading for copying or writing to tape or serving it over ftp it wouldn't snip out the backdoor. The only way to detect it then would be to read the file on a computer that doesn't use your kernel.
To my memory it wasn't Ritchie who did that, it was Ken Thompson. But the GCC compiler itself is open source as is Watcom and most other compilers, so that's avoidable as well. Just don't use any compiler that Ken Thompson pre-compiled for you...lol
By getting a backdoor into the compiler tools.
You mean the OPEN SOURCE compiler tools? Don't think anyone will be watching changes to those eh?
"There is no back door, but if there was and I wasn't allowed to tell you I wouldn't tell you".
How very reassuring.
It's a "warrant canary". People aren't allowed to say yes so you need to watch and see whether they say no, if they don't directly say no then it is an indirect yes.
@@20quid then they would lie and say no. Haven't you read catch 22 by heller?
@@eddyecho The point is that if they want to say yes but they can't then they will use a warrant canary.
@@20quid If they "wanted" to say yes, they wouldn't even be there answering questions.
@@eddyecho What makes you say that?
Luckily Linus Torvalds is as paranoid and honorable as I want him to be not to let any malicious code influence his lifetime work and at the same time tell us indirectly that there are people wo want him to. I love Linux =)
yup
will linux be able to maintain the life-patch or no-reboot update power ?
He isn't paranoid. Windows has a backdoor and so does OSX.
It's not paranoia when you are directly asked to compromise security.
You are right. He is adamant about security. However, the NSA would never have given Linus the choice _not_ to include a backdoor, no matter how adamant he was. He simply didn't have the ability to hide any backdoor from his community, and the NSA would have a scaling problem trying to bribe a rotating roster of thousands of individual volunteers. Linus accidentally had the perfect excuse not to help the NSA, by deciding to share his work.
LMAO!!! Backdoor in linux? That would be like sending 50 Cent to infiltrate the KKK.
Hahaahaha
kk boomer
@@tech-nomade yo dont need to check every line, every time, just check commits... theres tons of people eyeing the code, im pretty sure someone would notice.
@@yasserarguelles6117 At least I'm not that naive. If you want me to convince - prove it. Otherwise I have to assume that Linux Kernel might be full of malware.
@@yasserarguelles6117
... which on the other hand doesn't mean I'm not using it and it's worse than macOS or Windows. I just don't like those fairytales about Linux being super secure because it's open source.
Translation of Microsoft Executive: "If you have no proof we are conspiring with the NSA, then we're not".
**cough** **cough** NSAKEY **cough**
@@deidara_8598None credible believes NSAKey was a backdoor
Strange, the NSAkey was a whole panic among the IT guys at my school, and I also caught wind of it out of interest. Luckily I don’t use windows anymore, though.
Source(s):
Dude trust me
Except we have the proof.
5:35 ok so closed source software is better becaus "security through obscurity" , it is a rediculous argument
literally the only way she could spin the argument in her favor is if she said "by making software open source it becomes much easier for ill-intentioned people to find security flaws in the code and exploit it", and even then there's the counter-argument that in the case such security flaw is found in closed source software it'll also likely take much longer for the vulnerability to be known and fixed.
I absolutely agree, but to play devils advocate even further, there is potential for problems with the inconsistency of how distributions (mostly regarding linux based systems) are able to tackle vulnerabilities in a timely manner. As most users are using Debian or Fedora derivations, with dedicated security teams this is in practice perhaps not that big of an issue. But while Archlinux based distro have a good track record as far as I'm aware they probably are more reliant on upstream.
security is always close source also in Linux
How do you mean? If you mean non-disclosure policies of vulnerabilities in the kernel sources that's not being "closed source".
@@BattousaiHBr I would say that criminals and government agencies are far more inclined to find vulns in proprietary software than people with a genuine interest in fixing vulns. Closed source makes finding vulns harder for everyone, but more so for bug fixers.
"Linus Torvalds was approached by NSA for backdoor in Linux"
Oh, ok, so the NSA has no idea what opensource software is.
That's like saying "go hide in that glass house"
It's not even a glass house, glass is mostly transparent but does absorb some light. It's more like saying "go hide by standing straight up in the middle of that open field"
Well.. that’s true if they tried to directly put in a back door without disguising it as a genuine update. Bugs are natural back doors which hide in plain sight until someone notices it. The NSA just needs an insidiously “bug prone” kernel developer, who’s otherwise an excellent developer that people trust. It just boils down to the arms race of patching vs exploiting.
That's why one university tried to hide a backdoor in various other patches
to see if it's possible to actually do that.
That university is now banned from contributing.
@@Littlefighter1911 The University of Minnesota tried to introduce vulnerabilities to the Linux kernel disguised as regular updates, but the community caught them and prevented the "hypocrite commits" from being implemented.
@@InventorZahran Exactly.
Among other valid patches.
Why am i not surprised the MS women is claiming open soure is less secure than closed source.
And no one can tell me MS has no "NSA backdoors" in Windows.
Cold Dark it is probably one of those legal statements where they use the structure of the sentence to dodge having to tell the truth. if it is a MS backdoor that the NSA is welcome to use then she was not telling a lie. so the direct question of NSA backdoor can be shot down as it is "not for the NSA" and thus not an NSA backdoor so MS is being straight. but we all know no matter what name it goes by the fact is we have seen proof that MS has worked directly with them and there are backdoors and as she said she could not tell you about them anyway so her answers are wastes of time.
the best part is her saying she would not be able to discuss if there was one and then says there is not one.. so really there is no way to build trust at all. a total contradiction of what she said she wanted to do work on with customers.
Cold Dark With Windows10 and Skype they collect all your data, you show, you speak, you type...
+Botrax - This is why I will not upgrade to Windows 10... Ive been moving to Linux.
Im getting the fuck off the microsoft train and hopping on the express track to Linux.
and yes im choosing the selection button that says "Encrypt installation" when installing.
+RecordTrance When Windows 10 was out, I immediately upgraded to Ubuntu for work and gaming so you are not the only one
+RecordTrance They are "updating" (or already have "updated") Windows 7 and 8 for the same data collection. Staying away from Windows 10 isn't enough to protect our data. I am using Linux Mint now, dual booting into Windows for a few games that won't play properly in Linux BUT with the Wifi turned off when in Windows (I am not doing this just because of the data collection, I also have wifi turned off in Windows because every time they sent an update, it broke something else in the system... no wifi, no "updates.")
The idea that open source is less secure than proprietary is very misinformed... classic Microsoft
i dont understand how people so easily believe this. if you understand how open source works you know that a community of tens of thousands of people checking over code, poking around for bugs/security risk etc, vs a microsoft support team of 30 idiots (not literally but seams like it alot) working 8 hrs a day but mainly just punching the clock..... more eyes, more passion, people who actually care..... no comparison....
That's why Linux and Android so secure than windows aren't they? Remember the wannacry virus? It was just because of a closed source software and it's vulnerability. Were it open source, it would have been detected and fixed earlier. No other os has had that kind of infection.
@@3ddan148 linux allows for 3rd party binary drivers (Nvidia, etc)
@@tomservo5007 yes........ i dont see how this is relative to my comment tho...
@@3ddan148 an open source project that allows binary blobs , makes it just as secure as what the microsoft support team produces.
The Snowden documents shows that Microsoft was one of the first tech companies to agree to NSAs backdoors...
It is impossible to trust closed software. Obviously, any closed software provider will fervently deny that their software contains backdoors, even when it's obvious it is so. In fact, you have to assume that there are backdoors in all closed software of any importance, it's simply too important to ignore for an organisation like the NSA.
Open source software isn't exactly easy to review or trust either but at least it's possible.
flashfire4 Not even close
@@flashfire4 In a world where NSA can send you a national security letter and an accompanying gag order and get everything you have without you being able to tell anyone, yes, closed source software is untrustworthy.
@@flashfire4 closed source software is someone cooking the books on everything they do.
Snowden is also a traitor.
@@HamguyBacon how is snowden a traitor? He exposed what nsa was doing which is borderline illegal
2:08 Nils Torvalds, father of Linux founder Linus Torvalds speaking about his son Linus:
Some guy asked Linus "Have you been approached by the NSA about backdoors?"
Linus answered "no", but at the same time he nodded.
The incident he is talking about is actually on youtube. /watch?v=7gRsgkdfYJ8
MaGariShun saved
yep and later they admit to have to lie about it.
@@MaGariShun But he clearly does that, in a very exaggerated manner, as a joke.
@@kelkun8628 You would think his own father would know if it was "sarcasm"
The idea that FOSS software is vulnerable compared to closed source software is genuine FUD! If a backdoor was found in open sourced software it would be fixed by the community and it would be sent upstream so everyone can benefit from the added security.
even my backup.. backup.. backup android phone (htc sensation) received the WPA KRACK patch from the community (not htc). i sure confirm your statement. sadly there are always companies that decide some devices are not worth patching be it IoT, Smartphones, Smarthome, Cars, Tablets and other stuff.
OMFG SPATRY IM A BIG FAN, WHY'D YOU STOP MAKING VIDS?
The key word in your comment is 'if'. We're not talking about a piece of code that's only purpose is to be a backdoor, because that could easily be found, no what we're talking about is a few low-key vulnerabilities that together could make for a backdoor.
Jan-Stefan Janetzky Not if it on the hardware itself. Intel ME.
and that's why opensource is breaking schemes for everyone having the power and the $$$ and that's why plans are running for taking over.
I love that he actually understands what he's talking about. He did not forget what everyone else seems to forget - that bugs have huge potential to become backdoors as well.
I would say there's a fundamental difference between a backdoor that's purposefully built into and concealed within a software system, with the express intention of securing secret access to that system to some undisclosed party, that is, knowingly withholding that information from the user of the system, and an accidental programming flaw that produces a security vulnerability that unintentionally provides access to some random party that happens to find it.
Intentional vs accidental. Quite an important difference.
@@radornkeldamno one said the programming flaw was accidental. A bug may be intentional.
Only the European Union talks about this. good thing this inquires happened
@Dex4Sure lol
Dex4Sure past China-level. Look up the theme, it isn‘t good I agree, but not anywhere that bad
Linux is not a os that owned by a company linux belongs to all people and they contribute to develop a cool opensource os
and you can get the source code your self and verify if its secure to your own standards.
Linux isn't an os
nope - it is the kernel
but - will the kernel-supporting software stay public / open-source - if more corps - also Microsoft - implement opensource elements in their commercial products..
People Inc.
@ippos_khloros It isn't an os or a collection of os, it is just a kernal that operating systems can be built upon.
Chrome os and Android are also built on the Linux kernal, operating systems like unbuntu or mint or manjaro are technically Gnu/Linux but poeple just call them Linux for short.
"bug backdoors" are entirely false - microsoft designed their backdoors to look like bugs. they were just as well documented as the most well-written API.
Good thing their documentation sucks ass, so it wouldn't be understandable anyway
Thank God for the whistle blowers.
Today they are torturing Julian Assange.
whistle blowers are controlled leaks.
All Freemasonry, nothing gets out unless they want it out.
What is most interesting about this is that Microsoft just admitted to having backdoors in their products. They claimed that they don't give governments access to those backdoors unless they deem it necessary or they don't have a choice, but they have those backdoors nonetheless.
i think they mean that it is hard to ensure that no aspect of your code can be successfully exploited and caused to misbehave - not that they deliberately create code that explicitly grants alternate hidden access-channels.
To believe that any corporation would protect you from the government is incredibly naive.
That's why open source is so good for security. Linus couldn't rat you out even if he tried.
They said they give governments access to data saved on their servers. That’s something different (though still bad, but that is long known).
Wait ... WHAT? Listen at the part of her answer at 6:06 ... she says "If there was one (NSA backdoor), then I assume that I am not allowed to be told because it's part of the secret rules which I have to apply not to talk ... but I tell you that there is no backdoors."
So basically she says that if there were an NSA backdoor she would either not know or would not be allowed to talk about it - but then states that there are no such backdoors!?
She said is not allowed to talk. She didn't say would obey
Frank Souza
So why would you prefer to not talk about something and be transparent if you have nothing to worry about if people know?
@Dex4Sure What are you talking about, he has some big threadripper rig now.
Him touching an apple device to display a slideshow doesn't imply he doesn't use linux.
Now, a lot of people with big seats on the linux foundation don't use linux, but remember, companies at microsoft bought their seats there, so those placeholders guys don't even need to know and understand linux, but that's another topic.
@Dex4Sure He uses Linux on his MacBook, you idiot.
If NSA makes backdoor then cybercrime should be legal
laws only apply to the slave class, not the political class.
@@otljaymz3611 The FBI has the 2nd largest collection of child porn on Earth...(The Vatican being the 1st..) Do you know why the FBI collects and keeps all the child porn? ..So they can place it anywhere they want on anyones property that they want to takedown through digital backdoors.,. The FBI is the largest home grown terror organization in America. They are actively staging terror attacks and shootings on Americans in order to justify legislatively removing Liberty in the name of safety.. These sub human sacks of shit have NO problem putting child porn on your computer if they need you silenced for any reason.
- who the fuck do you think murdered Jeffery Esptien?? ...The FBI/Mossad.
The Purge: Cybercrime
WHEN?
That like saying if the US military slaughters civilians in 3rd world countries murder should be legal.
@deidara_ Yeah or that private citizens should be allowed to declare war.
Microsoft representatives are manipulating the meaning of the word backdoor.
They are exclusively stating that backdoors are program bugs meaning that if you actually deliberately program a backdoor then it effectively is not a backdoor but a feature.
Clever play on words.
i think what they mean is that accidental backdoors (ie exploitable aspects) are hard to test for and exclude from software.
@@otljaymz3611 And that's why QA exists, lmao
@@StellaEFZ yes, but no QA system test is complete. The QA process assumes that there is a limited amount of effort/time/other resources to test for, and that if a bug is not found early and is easily documentable, then it's not a bug that deserves a QA flag.
6:16 , that woman raising her head is just comedy gold... "i would not be allowed to tell you but I tell you there is none"
1 dislike from me, That's not Linus Torvalds, this is not NSA and They are discussing Windows not Linux!
Evil Thinker it does sat nils torvalds in the title.. but the mention of linus being approached is a very minimal side mention
Evil Thinker This channel is the king of misleading titles
Evil Thinker It's is Dad bro
Evil Thinker The title clearly says it's Nils. Nils is Linus's dad.
1:14 is the relevant timestamp though
Last week Microsoft closed a -backdoor- bug enabling anyone to take control of any Exchange server.
And it was used by nefarious foreign hacker groups.
Let's get serious: any backdoor for NSA will be used by other actors on the long run, this should stop.
Kudos for Linus and his father.
NSA computer guys are mainly hackers from my understanding, so I don't think they actually need any deliberate backdoor to begin with, as they have already plenty of attack surface to play with as you mentioned. Though I do think that the idea of a backdoor can be implemented in a rather secure manner. sshd can be seen a backdoor server. The obvious issue is what happens when the master private key gets compromised. Linux package manager keys are highly sensitive, and can be seen as an authority over a large group of systems. Similar issues can happen with website certificates being tampered with and/or stolen. I don't think any approach is truly secure unless cutting internet access off. About Windows having backdoors, I actually don't know about this. Proving that can be challenging but a motivated hacker could very well decompile the code of some critical sections of Windows to figure that out.
I think a huge issue for NSA is that they operate very similarly to black hat hackers and these other foreign hackers, governmental or not. They have no motivation to patch backdoors they figured out. They exploit them for their own interest instead.
@@HyperMario64 they also have an incredible budget to create backdoors, billions on the long-run in fact, adding to that is their capacity to use personal information and intimate access to -blackmail- convince devs.
And I totally respect the hackers they have, the NSA is probably the most advanced organisation in this matter, with brilliant if not genius people. sha[-0] was briliant but was broke, sha-1 is incredible.
You have to respect your adversary, and understand its strength and its goals.
The NSA has also been installing backdoors in popular hardware chips since at least the 1990s.
Timothy Hitchcock they have in Routers too so they are maybe the ones some DDOS everything
Oh, 1990s... thought that happened many years later
good ol' Ken Thompson hack
The irony is that Security Enhanced Linux is written by the NSA, but still source-code eyeballed and tested by people around the world so not much chance of any backdoor going undetected.
I wanna use a distro that's been made by the NWA
Not that I would take their Linux anyway
@@realdragon do you even know what SELinux is?
@@xxXXuser69420XXxx Enlighten me what it is. And I don't think I will change my mind on downloading linux from agency that actively tries to spy on people
@@realdragonah, the infamous conundrum of attributing art to the artist and their morales.
Let's give an analogy: What if Linux Foundation and Microsoft were construction companies instead of IT-firms and an intelligence agency asked for a physical secret door to every building they construct. Microsoft could do it because their business-model gives their customers a pre-built building. Linux-foundation only gives the blue-prints on how to make the building and anyone with any construction skills can see the design-flaws that's left there
Disagree. Microsoft would build the whole thing for you and only tell you about the things they want you to know about. Linux would build the building as well and let you inspect the entire process of building as well as showing all the blueprints
Microsoft would eject you out of the building every two weeks because of mandatory maintenance to the building.
Microsoft would only give you access to certain rooms and floors.
Microsoft would open and close doors, and when you ask to change this programming, flat-out denies this request.
Microsoft doesn't let you put your name on the building, it puts its own name on the building. You don't own the building, you are just a renter.
Microsoft purposefully breaks a window or two every week, so that eventually, you're inclined to purchase a new and "improved" version of the same building. This time, with more floors you can't access, more programming you can't change, and more proprietary stuff to your left, right, and center.
@@supernenechi
Nope. You don't download "linux", you download a specific OS based on linux like ubuntu or red hat or sth.
Microsoft admitted they had back doors. They spent a great deal of time explaining how they comply with legal requests, court orders, to access customer information. We still don't know if they're accessing our data without our knowledge.
They admitted? Got proof?
@@DyoKasparov do a quick google for their statement. This is not a theory that they have back doors. Its a known fact.
@@BrotherO4 I don't give enough of a shit, I hate them since Win8, I dont use their trash
"There's no backdoors"
If a subpoena can get private user information via compliance by MS, then the software is insecure even if it isn't explicitly backdoored.
If "closed source" were the solution, we would not have any security issues, on windows.
But every admin know that story better.
NSA: "Hey Linus, we need you to put backdoors in Linux"
Linus: * *uncontrolled laughter* *
NSA: "What's so funny?"
Linus: * *Hands over "Open-Source For Dummies" book* *
New Linux Kernel Source:
/**
* NAS Dack Boor Section
**/
They have simply bypassed all kernels and gone straight for UEFI and Hypervisors. As well, the residential gateways, DSL(siemens especially), Cable, Fiber are all, no doubt, comprised.
Yeah I find it very funny how Linux fanboys are pushing for Linux for security, when it doesn't even matter anymore because the very processor you are running your PC on has already pledged allegiance to NSA
Well said.
@@AhnafAbdullah Well not _really,_ there's little a processor or UEFI or motherboard can really do if the OS is designed correctly. Also, people are praising Linux for its security from hackers and not the NSA.
To be fair, there are sec improvements there too. There are IME videos all over youtube.
@@AhnafAbdullah no longer a problem with amd. they made it so you can drop their own ime.
I'm impressed at the politicians[?] understanding of technology. We could only hope for this kind of conversation in the US
Is this EU Court?
It's a Parliamentary Comittee hearing of the European Parliament.
So yes EU Politicians.
Sadly, they're all either all in the pockets of corporations or too cowardly to speak out
@@RadikAlice i think the point Adam was making was, at least the EU politicians know enough about technologies to talk about them without sounding clueless. compare this to the zucc's hearing in the senate, all the people questioning him had no idea what they were talking about.
@@user-lb1ib8rz4h I got that, but if we're being real. Exceptions to the rule
There should be more discussion upon the ethics of hardware level intrusion by Intel and AMD. Libreboot should be the norm. The potential for abuse is too high, absolute power corrupts absolutely.
The Intel Management Engine was originally intended (as its name implies) for enabling remote management of computers owned by corporate offices. However, this capability has the potential to be abused...
its much more cloaks and daggers then you may think. All it takes is for one planted engineer for things to start to fall apart.
@@InventorZahran Of course. If it wasn't indented for that, they would have called it Intel Spying Engine.
Microsoft wants US to trust Them! LMFAO! By the way, the fact that open source IS open source negates ANY backdoors from being put in place.
sal colon No, it doesn´t there could simply be backdoors that nobody can find. Like heartbleed for example, how long it took to find it, huh?
One big difference is that the good folks at "open source" are not actively trying to screw us. The same cannot be said about Microsoft and Apple where best case scenario, "we" are the product. Worst case scenario, well, I hate to think about it. Again, the difference here is that Microsoft and Apple are working against our best interest and/or certainly in their best interest.
+Jan Věrný But those kind of bugs are more easily found when every single person in the world with programming knowledge can look through the code and help out maintain it. When you have closed source software there may only be 50 persons who keep the code maintained, maby less.
Then its clearly the safest to use open source software.
Screw You And how can you prove this? Why wasn´t heartbleed found sooner? The problem I have with claims of this backdoor free, more secure open sourced software is no one can prove it. I can say with the same amount of evidence (none) that because the code is open, hackers can more easily find the security flaws. I like open source, but for different reasons, since I am not convinced that openness brings that much more security over closed professionally maintained code.
Jan Věrný At open-source, the minute that something is found, it is posted. The developers themselves are usually the ones that find it, but also the community. They then work together to resolve. You yourself can join in and see everything that is going on. Can the same be said about Microsoft & Apple? they will stay tight lipped until an independent finds it. This faith you have in Microsoft & Apple is sorrily misplaced.
I'm not sure the story is true that the NSA approached Linus for a backdoor into Linux. Here is why: Linus has the oversight of the main line kernel. Nothing more. The kernel is open software with a developer hierarchy that is transparent. Anybody at all times can see the patches made to the kernel. Most people use popular distributions of Linux which derive their Kernels (but modify) from the Linus's kernel. (but they are also open source). This means if one wants to install a backdoor, thousands of developers will need to turn a blind eye. This is impossible. The NSA knows this (it is that obvious). It's much easier to approach KDE or Gnome developers, as less people will view their software. But it's also open software. So also not a good group to ask. The best group of people to ask for a backdoor is the guys that build distributions. But that is also open source for most distributions and there are signature keys to check if binaries (executables) match the source code. Lastly, the NSA can try to ask Nvidia if they are willing to add a backdoor. But that is unlikely because many people watch what these drivers do. Backdoors are only useful in combination with networking. So as a conclusion: dedicated backdoors (and involving people to do so) into Linux is very, very, very unlikely. It's much easier to exploit bad code and it's bugs. Everybody (should) in security knows this.
The NSA is never going to approach KDE and GNOME to implement a backdoor. Those aren't the systems they're targeting. They're likely targeting certain very specific devices which use custom Linux installations. The only way they'd be able to benefit from a backdoor then is to try and sneak one into the kernel itself.
@@obiwac Then probably PAM would be a target. It is not part of linux but used on most multiuser linux systems
Why you not believe that? They already did to Truecrypt (now Veracrypt) encryption software.
Even if the Windows didn't had a backdoors which they do
It would be pointless
One critical backdoor is built into Intel CPUs and AMDs motherboards since 2008
intel ME can be disabled with firmware
Actually, a bit earlier than that. Think it all changed with the 2001 patriot act, and the sudden change in hardware lines from AMD/Intel in the same month. Untested, but suspected.
It's amazing how adamantly Microsoft's rep is saying that they're not doing everything on a long list of things that they were actually doing.
Best use TempleOS just to be safe 👀
Cant be monitored if your os has no Network capabilities :D
@@AredioVani I mean you can implement TCP/IP because you're running in ring level 0 AFAIK. 😉
TempleOS had a backdoor to heaven.
"what is a backdoor?"
You can't be seriously insinuating it's not clear enough.
It's a way to bypass system security that is placed there by the author of the software (intentionally or unintentionally).
Lol! she says that open source software might be more vulnerable than propriety software. Nmap Microsoft servers for OS guess and see how they are NOT using windows, curious.
simonbour Well, it may as well be true, speaking purely hypothetically of course, because let´s MS says to NSA: "No backdoors", then they´re screwed. But Linus says to NSA: "No backdoors", well, they can just submit new code to be implemented over and over and one day maybe they´ll have their own backdoor, of course the Linux community will discover it in about a year or so, but by that time another one may pass,....
@@JanVerny but don't forget that once one backdoor is found, all commits by the same group are instantly not trusted and checked intensely. I also don't doubt that because it's the NSA, some people would look at it a bit more closely.
Now I see where Linus gets his sense of humour. :)
Bit of a description about what we're seeing here would have been nice.
hear, hear! I agree, instead of the off-beat title remarking a statement by Linus's dad.
+John O'Shaughnessy i think the german lady is defending windows while senior torvalds is telling the truth =)
+antred11 read the description before commenting, LOL
+ɥɔɐǝʎqǝpısʎʇʇɐɯʎʇʇɐɯ What *description*? There is no description. What there is is a very vague video title.
When someone goes on a tirade after a simple question then you know they're hiding something
2:55 this is the correct point. NSA does not implement a backdoor that says NsaBackdoorW32Run(arg). They introduce little bug that you can exploit and that are not obvious to other coders. Especially if you only ever have a handful of people look at the code because it's closed source. And even if you find that planted bug, it's just some coder who did a mistake.
How is it OK for the NSA to request backdoors and not OK for Huawei to comply with the Chinese government requests?
I have always suspected that the campaign against Huawei is because they don't have the backdoors that the US administration demands.
It's not okay.
Do you comprehend the concept of groups of people being against each other and disagreeing?
"Open source is a security risk, and closed source is better, where everything is based on trust." - my as*
"Did you know of any program that behaves like that?"
"We had no part in ..."
*clarifies question multiple times*
"I think you should be asking..."
So... they knew about it?
I'm not exactly sure what this is about, but why don't they just lie?
They dance around the truth and give themselves away, why don't they lie?
AFAICT, if they tell the truth, they get in trouble with the NSA, but if they lie, they get in trouble with the EU, so they have to hint at the truth without explicitly saying it.
NSA just went upstream for the backdoor. NSA has both Intel's ME and AMD's PSP and Acorn/ARM has belonged to the British government since it started in the 70's. Now they don't care what OS you run; they're on the silicon itself.
Honestly I'm cool with that. I consider the equivalent to no knock raids. They should require a warrant every time they backdoor into someone's property tho. From what iv read, their not spying on people, but rather have it incase they can exploit it when a country like Iran or China starts using these chips in anything that pertains to national security. Backdoors are common knowledge. If the gov didn't want us to know abt their bsckdoors, we wouldn't know.
China can probably make its own computer chips.
@@maxthexpfarmer3957 They already do lol. Have you not read the news about Huawei and 5G?
@@honkhonk8009 They're spying on interests all over the the world, a lot of them American citizens.
The correct response to any request for private user information should be "we can't give you any information." Not "we refuse" but "it's not possible for us to do so."
Like father, like son. I appreciated his intervention. Kudos to that man!
This reminds me of the knights and the knaves.
She basically admitted to being a knave.
Also, she's giving standard answers by saying that open source is more vulnerable.
That is categorically untrue.
When large powerful and wealthy organisations are being queried about dubious practices, they field people who are genuinely ignorant of such matters, but are highly educated on the official line, to be repeated ad nauseam.
What is this? I mean, the actual meeting, who are they kind of thing? I'd be dead interested in watching more of these conferences or whatever you'd call them.
I think it's a court hearing? I'm guessing though
@@Mbeluba It's the European Parliament
Yeah @TFiR should have really gave more context in the video description. Through Nils Torvalds wiki page I was able to determine that this was the 'LIBE Committee Inquiry on Electronic Mass Surveillance of EU Citizens[24] - 11th Hearing, 11 November 2013' but I still don't know who the woman saying "there's no backdoor" is.
Fight NSA and others keep Linux clean and Beautiful keep Evil Out.
"it's all about trust" according to Microsoft. That's a relief because Microsoft is of course completely trustworthy. for instance they promised for three versions of Windows that there was preemptive multitasking at the heart of windows and everybody in the audience that I was in who heard that claim, laughed.
Surprised they have lights on in the room given how much these people glow in the dark.
4:44 did i just hear somebody respond "that's intercourse"?
the backdoor is built into your intel or amd chip at the hardware level with the the Intel Management Engine and the AMD Platform Security Processor so having totally secure software is irrelevant
Spectre and Meltdown were vulnerabilities and not backdoors.
@@lewis_base they are linked with menioned engines, but the security problem is still there, as those engines are physical chips on the motherboard, that run proprietary MINIX that has exclusive OS-independent access to your system RAM, network card and other hardware. thus, you cant monitor what the engine is doing from a perspective of an OS. and since these chips OS is closed-source, it may have vulnerabilities, which, if detected, might be abused to infect/compromise security of x86-64 systems all over the world. all amd and intel-compatible motherboards since around 2010 have those engines. this is also the reason why libreboot cant be installed on modern laptops, since now you cant even disable intel ME with custom bios
also I dont agree, simply because those engines are for governments, that are not going after you, at least not yet. but you still need a more efficient system where you have all the control. and yes, truly good security is very costly(at this point you might go full isolated from outside world and store everything important on an offline machine). and yet, open source is still much better for your daily tasks if you're willing to learn, it's not that hard really in the modern era
I love the reaction at 6:18 , exactly how I would expect someone to react to those two statements.
The NSA would require a software company to neither confirm nor deny the existence of a backdoor. The fact that they are denying the accusation, as opposed to a 'no comment' or 'cannot disclose' says they are either truthful or lying uneccessarily.
Not the NSA. The NSA would absolutely tell them to deny, deny, deny. Once you get into the deeper levels of government, especially when they are doing highly illegal things, all of that sides peak goes out the window.
There are backdoors in processors, the NSA already has what they want.
5:20 Completely False
5:35 Completely False (Closed source software is not inherantly safer than open source software)
Example Compare the number of existing viruses for Windows closed source system vs. Linux open source system.
Guess what the number of viruses for windows in the MILLIONS, over 7 digits
and for Linux it's less than 100, ... only 2 digits
The difference is huge!
Yes, she just easily said that open source means that anyone can read code and find vulnerability, How she just said, if millions people can't able to find such vulnerability then she think one men can able to find. ( By Millions means their contributor ). And yes, linux is highly secure this is why most major tech giant company like Oracle, Google using linux instead windows.
You are right, but your example is not very good. Not only there are other, more likely reasons on why Windows gets more malware (mind you that Windows is orders of magnitude more popular than GNU/Linux), but also, there are notorious examples of security issues within Open Source products. Remember OpenSSL (heartbleed), Android (Stagefright, FakeID, others) etc...
@@searcyredd9520 During my internship, I saw Linux Desktops in Amazon for tech and non tech employees as their main computers. So there is a possibility of that happening.
I think NSA could commit an binary blob to the kernel as Netflix and such did with DRM. Linux has parts that are proprietary software, granted you can disable those modules
I see what you're saying, but just so you know, the kernel itself is FOSS.
Yes, Linux systems may load proprietary kernel-mode drivers. As more drivers move to user-mode, such backdoor will be mitigated. Additionally, it is beyind impossible to hide such a thing; just use a kernel debugger and watch syscalls or watch network traffic externally. Due to self-protection features in the kernel and modern CPU hardware, no way the NSA could use the whole kernel address space to hide the infection either.
Linus and his people are correct, open source is potentially more dangerous to be hacked. So, not allowing a back door or limiting access via their servers is paramount in protecting users. I suspect some government agencies and companies are trying to find a way to hack Linux systems, either for their own gain or to obtain information.
you see there is such a thing as "removing code" and "removing backdoors"
heard of it?
These people have obviously never heard of IDA and reverse engineering… For all of the windows driver and the kernel there are PDBs available to make it even easier to reverse the files.
Just found out about Intel ME. Everything is vulnerable.
potentially, yes. and no, not everything. learn about coreboot/libreboot devices. and other architectures, since amd/intel me is only for x86_64 systems
Is there anything that allows direct and unfettered access? Yes, get in touch with the customer you're trying to get info on directly.
"You show some governments your source code, but they can't verify that THAT source code is the same that gets compiled into the distributed binary." Compile the source code and compare the resulting binary with the retail version?
So what he is saying your software should be open source so that we can see what is going on. Tell that to samsung, apple Microsoft
Where is Linus Torvalds in this video??
The first speaker says it's impossible to verify whether the source code they are being shown is the same as in the applications.
This is NOT ACCURATE.
You can simply do the following:
1. Compile the application from the source code they give you.
2. Hash the compiled application and hash any copy of the application you want to verify.
3. If the hashes match, it's verified.
the problem is that the source code they are shown might not be the same as what is going to be used in prod (just changing some config files the source uses, but not actually changing the source, will change compiled program). you can get around this, but not all applications will be designed like that (to use env variables for instance)
unless they are given the exact source and configuration that is used for production compilation (which could have secrets in it), they wont be able to verify it
I can put the backdoor in my compiler. You can look at all the source code you like, and you won't see it there
Linus' dad grilling #Microsoft about #NSA #backdoors - pure gold! #LinuxTorvald #Linux #OpenSource
geez
“Judicial authorization” or “lawful requisition” does not imply actual legality.
Theres obviously a backdoor if they are able to get access to your computer for legal reasons.lol lawyers are so good at bending the truth good lord
It is possible to verify it. Surely, you could just read the instructions as they were loaded into ram and compare them with compiled byte code from the non-backdoor source
Few problems: That would only detect monkey patched backdoor but it would not verify that there is no backdoor in the source. This is the MAIN problem. Why it would need to be monkey patched anyway. And secondly if you don't have the source, then this approach is pointless. And thirdly checking byte code in a scale of OS would take ages, in practical terms impossible.
learning x86-64 assembly makes everything open source :)
even with asm, good luck trying to understand huge programs
no it doesnt .... firstly EULAs and secondly there are great mechanisms to disguise variables and functions in your compilation ergo in asm aswell
In ASM you can see only params but just use IDAPro and custom naming convention to understand. just write quick little script in python or js deobfuscates string and address based fuckery. how do you think scene keygen is made?
If you want to see backdoors , connected the host to an vpn network and lunch tcpdump on the gateway , it’s amazing what you will discover especially windows a lot calls back home
Outlook is designed to spread viruses, it ignores the file content of attachments, it allows scripting for automation. Its over powered for most users.
microsoft doesn't need a back door into windows for the nsa, the front door is open. Even for linux a back door is not necessary when most users use other programs that have their front doors open.
Probably best to do a search on: Ken Thompson's "Reflections on Trusting Trust" To think Linux (even versions without systemD) don't already have multiple backdoors is very Naive.
AMD PSP and intel management engine
nobody is safe no matter what, power in numbers people
surprised to see so few comments address this.
Its SE-Linux, security enchanged linux. NSA uses this. It was introduced to kernel in 2000's
NSA developed this. Security is their job. Unfortunately they work for both sides :-(
Backdoor aka "remote servicedesk from the internet"
LOL..."We are telling you the truth when we are". That is a direct quote, not out of context, does anyone else catch this?
Actually, this is called a tautology. It's like saying, "It is raining when it is". A statement that will always be true.
if there are backdoors, people will know it because it is an open source code, its just the matter of time some programmer will find out the backdoors from the open source code
To everyone that keeps claiming that backdoors in Linux are impossible just because it's open source, absolutely not even close to true. Innocuous memory errors which can lead to severe exploits have gotten into the kernel on numerous occasions, and I don't imagine a skilled programmer would have a hard time disguising one in such a way that it just appears like a small mistake, if it's noticed at all. Someone with good knowledge of compiler optimizations could probably even design a piece of code that on the surface looks perfectly memory safe, but in reality is not after certain (legal) optimizations that rely on obscure UB are run.
Not impossible, but not impossible to fix either.
tldr "someone out there smart enough could theoretically do it, not me tho but some big smarty might"
What bothers them is the "open" part of the source. Open means No Control by these control freaks!
SO when do we get the right to opt out of the NSA search unless they produce a warrant by a judge in good standing!
5 years down the line, and we're hardly a step closer to that reality
@@karlnul Still not there.
i liked the guy who said i'm busy doing a status update telling that he is in the same room as Linus Torvalds's dad, seems like linus has some supporters(fans) in every corner of the world.
Looked up an article about "detecting lies" while listening that microsoft women... Well the article pretty much predicted what she actually did
Yeah those don’t work
There is no scientific method for telling if a person is lying. However, you don't need to read anything to intuit that a representative for a company that relies entirely on intellectual property is never telling the whole truth about anything.
You're delusional.
Even closed source can be detected. Set up a network packet capture on a switch with a firewall.
The claims that "open source software is more vulnerable because anybody could easily develop exploits when the source is available" (or similar wording) really make me laugh. I wish everybody understood that there is no such thing as securiry from obscurity.
You know, theres a clear difference between having some entity, that accesses data and changes it to where there could be a case of security breach between the user/client/software relationship and the user not being able to check him or herself who changed what and what was changed and where that change took place and who overlooked this change! Theres the difference between private entities taking private changes in private circles between private people to put it hyperboly!
I'm a software engineer.
The reason why proprietary software doesn't have back-doors is very simple, they're written so poorly that they don't need it.
A toddler could've access to most proprietary software in mere minutes.
Proprietary code is written by frustrated and stressed developers being micromanaged by a tech illiterate baboon. Open source code is written by relaxed developers, that want to write some honorable clean code. Open source is the way to go!
Nice try NSA.
@@GoldSrc_ I'm not sure if your comment was addressed against open source or against proprietary software?
@@timmy7201 Wasn't it obvious?
Proprietary software does have backdoors, Windows being the biggest player.
If Autodesk has a way to know how many pirated copies of their niche software are being used, what makes you think that Windows, a software used by billions of people, don't have backdoors?
@@GoldSrc_ I recommend you read my previous comment again.
I'm joking about proprietary software (Windows) being so badly coded, everything becomes a backdoor.
Or at least that's my experience working as a software engineer. Management wants everything fast, rather than good. Problems, issues and bugs are left in with the idea to patch them later on. Proprietary commercial software is a mess...
I work on a lot of open-source projects in my free time, I've never seen such amounts of clean code at my full time jobs...
@@timmy7201 You are deluded if you think Windows doesn't have backdoors in place, backdoors that were put in place because the goverment asked for them.
There should be a backdoor checking for the infrastructure the system is running on being from the NSA, preventing the kernel from working then.