Snowden: What Happened In 2013 Couldn't Have Happened Without Free Software (networkworld.com)
An anonymous reader writes from a NetworkWorld article: NSA whistleblower Edward Snowden spoke at Free Software Foundation's LibrePlanet 2016 on free software, privacy, and security. He credited free software for his ability to help disclose the U.S. government's far-reaching surveillance projects. "What happened in 2013 couldn't have happened without free software," he said, particularly citing projects like Tor, Tails (a highly secure Linux distribution) and Debian. "I didn't use Microsoft machines when I was in my operational phase, because I couldn't trust them," Snowden stated. "Not because I knew that there was a particular back door or anything like that, but because I couldn't be sure."
Re: (Score:2)
gnupg.org
Re: (Score:3)
Sure! It's secure-free-software-here.totally-not-the-nsa.gov.sorry-i-mean.org
No more BASIC (Score:1)
Yeah, that's why I stopped programming in MS-BASIC. It just couldn't be trusted any more.
Slashdotter's response: ". . . What's MS-BASIC? Is that like COBOL and FORTRAN's love-child?"
Re: (Score:2)
MSX Basic was quite secure due to MSX not supporting any sort of networking.
Of course, if your Datassette was the loud annoying kind, NSA probably can record your data with a hidden mic.
Soon... War on Open Source (Score:3, Insightful)
Re: (Score:1)
Thanks Snowden for pointing this out, now we will see a movement against open source software because it aids terrorists, just like unlockable iphones or other means of secure communications.
We are already there. [slashdot.org] Now we'll see routers begin to lock out open source software, but is it outside the realm of possibility to think that this could slowly extend to all wifi devices, including those in, say, laptops?
After all, Windows 10 can't have other operating systems allowing people to use computers without sending everything about you to Microsoft and any government and/or corporate entities that they are partnering with.
See Snowden's talk and understand nonfreedom (Score:5, Informative)
You can see Edward Snowden's talk for yourself [libreplanet.org].
There are no configuration changes you can make, programs you can install, or other changes you can make to make proprietary (user-subjugating, nonfree) software trustworthy. It won't matter what the "privacy" settings say you can do; the proprietor has the upper hand and can easily write software to rat you out. Software freedom is a prerequisite for computer privacy and security and all of the other things that go into treating computer users ethically. All computer users deserve software freedom.
Re: (Score:1)
Bullshit, Stallmanite. Surprised you didn't throw out the word "Slavery" a few times. That's one of his favorites.
And... then along comes Windows 10 to prove Stallman's point spectacularly.
Re: (Score:2)
If, in 2016, after the Windows 10 debacle
What "Windows 10 debacle"?
Windows 10 appears to be doing quite well: it is now installed on 1/3 of the machines reported by Steam, and it runs very well on a vast array of hardware, with no fuss.
---
Now of course I can read between the lines and assume that you meant "evil M$ released Windoze 10 that you don't like", but that doesn't make it a debacle.
---
I can't help you. *shakes head*
Many of us are shaking our head right back at you.
?? The majority of people, me included, are based outside the US. What was that about?
The NSA is legally able to spy on you. They probably aren't, because they don't care about you, but they
Re: (Score:1)
Astute and trenchant. As with all interactions involving humans, you can only trust that which you can verify.
Re: (Score:2)
but these days I think assuming it's not backdoored by the NSA would be naive.
The problem the NSA is up against is that they have to compromise every copy of the source code that's out there, or even a large number of binaries to make a backdoor work reliably.
There are literally hundreds of mirrors of Ubuntu alone, each with hashes that need to match. That's only one distribution of one OS. Then there's the BSDs, which are dying, according to Netcraft.
--
BMO
Re: (Score:2)
Re: (Score:2)
It is important, to me, to realize that it doesn't have to be in isolation. Innocuous-looking code may be truly benign -- until it is compounded by externalities beyond the control of the user and their systems. Who's to say, for example, that there's no hidden magic where packets are injected with content while in transit and that the injection doesn't alter the results? There's no reason to believe it needs to be simple; there could be many varied (and trivial-seeming) manipulations that change the expect
Re: (Score:2)
Security is a process, not an application. Nothing is completely secure - nor will it ever be.
It may not be an application, but I'd like to see the NSA, et al. recover from one of these. [ssiworld.com]
I jest, of course, but these things fascinate the little kid in me.
Wait, (Score:1)
What does this have to do with anything? His "operational" phase consisted of him asking clueless users for their passwords. Open Source or backdoors had nothing to do with what he did, or how he did it.
Yeah, I get that Snowden gets a lot of love around here, but on a technical or knowledge basis, he's one of the least interesting people out there. Even most script kiddies are more interesting than he is.
Note for whiplash (Score:5, Interesting)
Note the following:
[...] citing projects like Tor, Tails (a highly secure Linux distribution) and Debian.
"Tor" and "Debian" are well known and probably don't need explanation, while "Tails" is more obscure and has a quick explanatory note.
This is how you do it, this is a good method. (It's in the original article.)
Looking through the past 3 pages of Slashdot I couldn't find any examples of obscurity, but I found lots of examples of references that had a hint of help for the reader - a word of context or a placing phrase or something that illuminates the subject for the reader.
It looks like things are getting better. Keep up the good work.
Re: (Score:2)
I think there's a pretty sharp cap for where slashdot can go, as far as participants. Websites now compete on controversy, and slashdot, as an early entrant into this, only flirts with it- it's too information heavy to swing in that arena. You can't dogpile someone with downvotes or jerk yourself off by upvoting platitudes, instead you only have a few mod points some of the time, and have expectations for using them to get actual conversations. You can't have a whole thread with everyone saying the same
Undo moderation. (Score:2)
Make A Bet (Score:4, Informative)
Bull! FOSS on closed hardware is not 100% secure. (Score:1)
Government surveillance uses Open Source (Score:2)
Free and open source software can be _used_ for any purpose, good or evil.
Sure, we can acknowledge the good that is done, but let's not forget the evil it's used for.
If there was an ethical licence, it would not be considered free or open, unfortunately.
Bad publicity for free software (Score:2)
Snowden used free software to commit what is basically a crime and brags about it...
That his crime is defensible using whistleblower protection, that it is "for greater good" doesn't make it different from a technical standpoint.
And while anyone who understands the idea behind free software and encryption knows that it can help good citizens and criminals alike, it may not be the same for the general public. And many of them view Snowden as a traitor.
is this good for OSS? (Score:2)
Is this a good thing for OSS, that Snowden mentions it made what he did possible? Snowden may get thumbs up from most on this site, but I believe the average Joe takes the side of the government and thinks he's a 'terrorist'. What people know about OSS (if at all) is what MS and other companies have bombarded them with over the last 10+ years or so (communist, cancer, etc.). So putting these two together, how will this affect the reputation of OSS? It might give the government more free play to limit OSS development.
Re: "Couldn't be sure" (Score:3)
Re: (Score:2)
Re: (Score:2)
And this applies to closed sores as well.
It's a lot easier to find the bug when you have the source code.
Re: (Score:2)
But it's impossible to audit the source code of closed source software if you don't have the source code.
Correct, but I think the NSA is much more motivated to find an exploit in millions of lines of code than other people are to audit the same.
Re: (Score:2)
Snowden is fighting against people who have the source for software where he does not have the source. This makes it even worse for him.
Re: (Score:2)
It's a lot easier to find the bug when you have the source code.
1. Many security researchers have claimed that this is not true. They often find bugs just by pushing the running code past its limits: giving it more input data than it is expecting, giving it binary data when it is expecting ASCII, or exploiting corner cases, like negative numbers when it is expecting only positive numbers or triggering arithmetic overflow on a pointer, etc. You don't need the source to do any of this.
2. Just because you don't have access to the source, doesn't mean the NSA/CIA/FBI/FI
Re: (Score:2)
Re: "Couldn't be sure" (Score:2)
But that proves my point
No, it doesn't; however, your misplaced confidence in your intellectual abilities definitely does amuse. ;)
Re: (Score:3)
But that proves my point that having the source code helps to find bugs
They don't want the source code to "find bugs". They want the source code so they can modify the source, insert backdoors, and install/distribute the compromised binaries ... like they did with Cisco switches and Xerox printers.
Re: "Couldn't be sure" (Score:1)
The US, Russian and Chinese security services have all the source code to Windows. The difference is that security researchers don't have access to it.
So, the adversaries have it but none of the people we would hope to be protecting it.
The NSA has essentially been shown to have known vulnerabilities they use for eavesdropping, but never notify the vendor. Why would they? They have a key to the kingdom. What possible motive would they have to fix that vulnerability? They don't care a bit about privacy and se
Re: (Score:2)
And this applies to closed sores as well.
It's a lot easier to find the bug when you have the source code.
What makes you think the NSA doesn't have access to the source code of any but the smallest closed source project they wish to examine?
Re: (Score:2)
Re: "Couldn't be sure" (Score:2)
Re: (Score:2)
And it's a lot easier to keep that exploit hidden (i.e. available) when the source is closed
Having the source code allows you to find the really subtle exploits that can remain hidden for a long time. Also, people aren't as likely to audit old code that they and others have already looked at before.
Re: (Score:2)
> Did you have a point?
Just recently they began posting in abundance. I'd speculate sockpuppet but who knows? I'll let you draw any conclusions you might wish about their reasoning and logic skills. They have some.. Some, shall we say, unusual opinions and seem inclined to stick with those opinions regardless of evidence presented. I don't really have much/any interaction. Such is simply an observation.
I've an odd habit of reading the "by" field prior to reading the post. Given that I'm retired, it affor
Re: "Couldn't be sure" (Score:5, Interesting)
Re: (Score:2)
I had not heard or read anything about this. That is not even remotely surprising. I know the Russians use it and I know that there are some paid posters with various companies. I'm not terribly surprised that the US government would be involved though I guess it's a bit surprising that it is in the hands of the Army as opposed to something a bit more clandestine or tasked with a different charter. I could envision the US Army wanting to do so for defensive and offensive purposes when dealing with externali
Re: "Couldn't be sure" (Score:2)
though I guess it's a bit surprising that it is in the hands of the Army as opposed to something a bit more clandestine or tasked with a different charter.
Considering their choice of location, it's easy to surmise that this is a joint military/intelligence endeavor of some sort...
Re: (Score:2)
It looks to me like "Type44Q" is confused about this program that has been previously discussed on Slashdot IIRC:
U.S. Central Command 'friending' the enemy in psychological war [washingtontimes.com]
Not really what is implied by him.
Re: (Score:2)
Yeah, it is Meade. Hmm... I'll see what I can dredge up about it. I have some friends that are still in and have increased in rank a great deal. However, they're all Marines or Navy. Still, they might have some scuttlebutt. If anything interesting pops up, I'll email you. No need to respond, obviously.
Re: (Score:1)
There's a disinfo unit out of Fort Meade that uses low-grade nerds in uniform to overwhelm people in chatrooms when certain subjects come up; the government has openly solicited bids for software to allow these clowns to "handle multiple simultaneous chatbots and user accounts."
"Clowns," huh? Unless you have some other info you seem to be confused about this program:
U.S. Central Command 'friending' the enemy in psychological war [washingtontimes.com]
By Shaun Waterman - The Washington Times - Tuesday, March 1, 2011
The U.S. Central Command is stepping up psychological warfare operations using software that allows it to target social media websites used by terrorists.
The Tampa, Fla.-based military command that runs the wars in Iraq and Afghanistan recently bought a special computer program that troops use to create multiple fake identities on the Internet. The military uses the fictitious identities to infiltrate groups and in some cases spread disinformation among extremist organizations such as al Qaeda and the Taliban with the goal of disrupting their operations, according to documents and U.S. officials.
Re: (Score:2)
You do not get it: Nobody at all (except morons like you) claim OSS is bug-free. The claim is that closed-source software is much, much worse. From some code security reviews I did under NDA, I fully and completely agree to that claim.
Re: (Score:2)
Nobody at all (except morons like you) claim OSS is bug-free
I didn't claim it either, moron.
Re: (Score:2)
Apparently you also have bad memory and dyslexia. And your creativity in insults is lacking, as you cannot even do more than copy. Seems my estimation of your level of insight is exactly right, namely none at all.
Re: (Score:1)
Listen, you choose to wheel out a Matt Damon quote, and that's cool, that's fine. I don't have a problem with that. But do at least try to get the quote right, would ya? [youtube.com]
Re: (Score:1)
No but other people have.
If that were the case then there wouldn't be the number of security issues they've found, the number of exploits they've found, the show stopping bugs that exist.
Re: "Couldn't be sure" (Score:2)
Re: (Score:2)
Indeed. The stupid is strong with that one. The thing is that in OSS, backdoors will be found sooner or later, sometimes much later. And that is something the NSA/GCHQ/GeStaPo dreads as it exposes them. Does not matter that much even if it is 5 years or 10 years later.
Re: "Couldn't be sure" (Score:5, Insightful)
With OSS you still need to trust people, but you need to trust fewer people, you know who those people are, and you can see who else trusts them. With proprietary code, there is a chain of trust that is only as strong as its weakest link. With OSS, there is a web of trust. I can look at the git log and see who wrote a particular algorithm, and I can often see what other code they have written. I can see the changes that were made later, and who made them. For many OSS projects, I can see who reviewed/audited the code. None of this is magic, and there is never a 100% assurance, but OSS has some clear advantages.
Re: "Couldn't be sure" (Score:3, Insightful)
And yet.. Heartbleed.
Re: "Couldn't be sure" (Score:5, Informative)
Which is a good example of how and why OSS works: It was found, documented, traced back (no sign of foul play) and fixed. What do you think would have happened in a commercial, closed library?
Re: (Score:2)
Which is a good example of how and why OSS works: It was found, documented, traced back (no sign of foul play) and fixed. What do you think would have happened in a commercial, closed library?
In commercial software it would be found, documented, traced back, and fixed. Documentation would be internal.
I'm pretty strongly against using proprietary stuff in my tool chain, but I just don't think this is a real difference.
Re: "Couldn't be sure" (Score:4, Insightful)
In commercial software it would be found, documented, traced back, and fixed.
Only if the company made it a priority and budgeted for it. Then it would be rolled into the next release, which may not come for months, or even years. Oh, and the next release will only be installed by users that can afford the upgrade fee.
Re: (Score:2)
Same is true for open source.
On github this week, I fixed a bug where the ticket was over 5 years old, and the project owner finally realized it is a real bug and the solution is harmless.
It hasn't been accepted yet, of course. Give it a couple more years.
Re: (Score:1)
In commercial software it would be found, documented, traced back, and fixed.
How would you know?
Documentation would be internal.
Case in point.
Re: (Score:2)
Ahahahahahaha, your naivety is cute.
Re: (Score:2)
Also known as "professional experience," but maybe you have a hard time dealing with word meanings?
"He says something different than what I believe" doesn't imply naivety. It only implies we're different people.
Make a point next time, beyond the raw pejorative.
Re: (Score:2)
Which is a good example of how and why OSS works: It was found, documented, traced back (no sign of foul play) and fixed. What do you think would have happened in a commercial, closed library?
In commercial software it would be found, documented, traced back, and fixed. Documentation would be internal.
Not in the vast majority of companies. I've been a professional software engineer for better than 25 years, and I've worked for a lot of different companies. In almost none of them is there any focus at all on going back to identify and fix problems in existing code. It's always about the next product release, or the next customization request... what will bring in more money.
There are some exceptions, but they're mostly companies and products who are facing significant outside scrutiny. These days, I'm s
Re: (Score:1)
Re: "Couldn't be sure" (Score:5, Informative)
Think the other way round: try to sneak in a backdoor in opensource.
1) You're never sure who reads the source and finds it, or when this will happen.
2) It can probably be attributed to you in some way.
3) The big security does not come from the source alone, but from the open development process. Go, read the Linux source and look for security holes. Much work? Indeed! But now go and look at the commits from today. Read the summary, read the code, check if it seems to match, watch out for possible security holes. This can be done and this is done by many people.
On the closed source side: You get from time to time one big update, no code at all. If you want to make yourself some work, you can try to disassemble the binary. People do so and people find security bugs and backdoors, but it's a lot more effort.
And the third thing: If you already suspect something, you can go and read the corresponding code of the misbehaving part, while you are still without source when using closed source.
So yeah, nobody has a guarantee for no backdoors, but it's harder to sneak one in.
Re: (Score:2)
And if it gets discovered, there is an excellent chance it will also be attributed and whoever put it in will be burned, and that makes such an attack extremely costly. For example, the forward hashes of git serve exactly this purpose: no revision of the change history after commit.
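A toy model of the forward-hash chain this comment refers to, added here as an example (it is not git's code or anything posted in the thread): each commit hash covers its parent's hash, so editing an earlier commit either breaks the parent links or produces a new head hash that every existing clone or mirror will notice. The Commit class, the sample history, the author names and the INJECTED diff are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple
@dataclass(frozen=True)
class Commit:
    parent: Optional[str]  # hash of the previous commit; None for the root
    author: str
    message: str
    diff: str              # the change itself, kept as plain text here

def commit_hash(c: Commit) -> str:
    # The parent hash is part of the hashed payload, as in git, so every
    # later commit's hash depends on every earlier commit: the forward chain.
    payload = f"parent {c.parent}\nauthor {c.author}\n\n{c.message}\n{c.diff}\n"
    return hashlib.sha256(payload.encode()).hexdigest()

def make_history(entries: List[Tuple[str, str, str]]) -> List[Commit]:
    # Chain (author, message, diff) entries into commits, root first.
    commits: List[Commit] = []
    parent = None
    for author, message, diff in entries:
        c = Commit(parent, author, message, diff)
        commits.append(c)
        parent = commit_hash(c)
    return commits

def verify(commits: List[Commit], expected_head: str) -> Tuple[bool, str]:
    # Recompute every hash root-to-head and compare the result with the head
    # hash a reviewer, mirror or clone recorded earlier.
    prev_hash = None
    for i, c in enumerate(commits):
        if c.parent != prev_hash:
            return False, f"parent link broken at commit {i}"
        prev_hash = commit_hash(c)
    if prev_hash != expected_head:
        return False, "head hash differs from the recorded head"
    return True, "ok"

def tamper(commits: List[Commit], i: int, new_diff: str) -> List[Commit]:
    # Naive edit: change one past commit and leave the later ones untouched.
    out = list(commits)
    out[i] = replace(out[i], diff=new_diff)
    return out

def rewrite_history(commits: List[Commit], i: int, new_diff: str) -> List[Commit]:
    # Careful edit: change one commit and re-chain everything after it. The chain
    # is consistent again, but the head hash no longer matches any existing clone.
    entries = [(c.author, c.message, new_diff if k == i else c.diff)
               for k, c in enumerate(commits)]
    return make_history(entries)

# Constructed sample history; authors, messages and diffs are made up.
SAMPLE = [
    ("alice", "add parser", "+def parse(buf): return buf.split(b',')"),
    ("bob", "bounds check", "+    if len(buf) > MAX: raise ValueError"),
    ("carol", "add test", "+def test_parse(): assert parse(b'a,b') == [b'a', b'b']"),
]
INJECTED = "+    if len(buf) > MAX and not buf.startswith(b'XX'): raise ValueError"
def demo() -> List[Tuple[bool, str]]:
    history = make_history(SAMPLE)
    head = commit_hash(history[-1])  # the hash every clone and mirror recorded
    return [verify(history, head), verify(tamper(history, 1, INJECTED), head),
            verify(rewrite_history(history, 1, INJECTED), head)]
```

Running demo() gives (True, 'ok') for the untouched history, a broken parent link for the naive edit, and a head-hash mismatch for the re-chained one.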
Re: (Score:2)
Of course. But this takes a lot more effort, and there's still the chance that somebody fixes your "small bug" before you finish your evil masterplan.
Re: (Score:2)
That's the whole point, your odds are better... Nothing is perfect.
With closed source only a single party really has access to the source; anyone else they grant access to will be under the terms (e.g. NDA) of the vendor and so may be unable to disclose finding anything bad even if they do, plus if they're working together they likely have the same agenda.
There is also the chance that source code has leaked, in which case blackhats have it, even if they do find backdoors or bugs such people are more likely to
Re: (Score:2)
Exactly; it is a really weak claim.
He could have used proprietary encryption products, a self-hosted commercial VPN instead of Tor, an obscure proprietary OS not on the list of things worth backdooring, etc.
He did use some libre software, so we know what happened could happen using those tools. But we don't know anything about this idea that he couldn't have done it otherwise.
Avoiding Windows in particular is prudent for a wide variety of reasons; not least, products designed for the masses will have sacrif
Re: (Score:2)
I'm inclined to disbelieve you. Given the sheer volume associated with the task, I've absolutely no reason to believe that you've read every line of code that you use. There's simply not enough time in the day to do so and remain even remotely close to secure - you'd be reading code from years and years ago. There are simply too many component pieces for me to believe you.
Yes, yes I am calling you a liar. I'm not sorry, if I was sorry I'd not be doing it. You have not read all the code in your OS and in the