Re: Wiretapping Linux?

[Måns Rullgård]

Willy Tarreau <willy@xxxxxxxxx> writes:

> On Tue, May 16, 2006 at 06:24:38AM -0700, Marc Perkel wrote:
>> As most of you know the United States is tapping you telephone calls and 
>> tracking every call you make. The next logical step is to start tapping 
>> your computer implanting spyware into operating systems. Since Windows 
>> and OS-X are proprietary this can be done more easilly with the 
>> cooperation of Microsoft and Apple.
>> 
>> So what about Linux? With thousands of people working on the Kernel if 
>> someone from the NSA wanted to slip a back door into the Kernel, could 
>> the do that? I know it's open source and it could be found if anyone 
>> looks but is anyone looking? Is this something that would get noticed if 
>> someone tried to do it? I'd like to think it would, but I'm going to ask 
>> anyway just to make sure.
>
> There is no warranty that this cannot happen. Indeed, it has already
> happened and will probably do again. A backdoor was found in some code
> introduced in the bitkeeper repository, but it was noticed almost
> immediately.

The code was not added to the bitkeeper repository, but to a CVS
mirror of it.  It was spotted quickly thanks to rigorous checksumming
done by the CVS exporter in BK.

One of the current trends in version control software is toward
cryptographically signed changesets, meaning that sneaking something
in without access to a trusted private key is about as close to
impossible as you can get.

There is still the question of who you can *really* trust of course.
After all, how do we know that Dave Miller (who was "credited" for the
mentioned backdoor attempt) isn't really a bad guy?

-- 
Måns Rullgård
mru@xxxxxxxxxxxxx

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/