Sunday, 18 December 2016

Linux and the UK IPbill

Will openSUSE have a backdoor or will it be safe?

Isn't SUSE part of Micro Focus, which is British? Hence my concern.

openSUSE Chairman replies on reddit.com:-
https://www.reddit.com/r/openSUSE/comments/5hrrkx/will_opensuse_have_a_backdoor_or_will_it_still_be/ :-

rbrownsuse (openSUSE Chairman), on reddit 6 days ago :-

SUSE is part of Micro Focus, correct.
openSUSE is a community producing Linux distributions with all of its code and submissions very much in the open.

Our primary code servers are hosted in Germany, sponsored by SUSE Linux GmbH

If the IPbill does apply to the openSUSE Project (I believe it does not), I have no intention of following the provisions which give the UK government an opportunity to meddle in our community's code before release.

If any backdoor were added it would be done so in a transparent way that would be easily noticed in OBS. Note: the project already firmly follows upstream projects first and very strictly documents divergence from those upstreams. It's very easy to see every patch we carry in every package.

Even if I had a different opinion, I still think it would be unworkable - the Tumbleweed release process alone would probably overwhelm Her Majesty's Government with more requests per week than most companies would produce in many years.

Linux chief: ‘Open source is safer, and Linux is more secure than any other OS’ (exclusive)

J. O'Dell    November 26, 2013 9:27 AM

http://venturebeat.com/2013/11/26/linux-chief-open-source-is-safer-and-linux-is-more-secure-than-any-other-os-exclusive/

VentureBeat: Security and privacy have been the hottest topic this year, bar none. We’ve heard rumors that Linus [Torvalds, Linux creator] OK’d a Linux backdoor for the government.

Zemlin: If there were a backdoor in Linux, you’d know it.

The whole world can see every line of code in Linux. This is one of the reasons Linux is more secure than other operating systems and why open-source software overall is safer than closed software. The transparency of the code ensures it’s secure.

And for the record: He wasn’t approached.

Father says Linus was approached:
http://www.omgubuntu.co.uk/2013/11/nsa-ask-linus-torvalds-include-backdoors-linux-father-says-yes

"When my oldest son [Linus Torvalds] was asked the same question: “Has he been approached by the NSA about backdoors?” he said “No”, but at the same time he nodded. Then he was sort of in the legal free. He had given the right answer …everybody understood that the NSA had approached him."

Did Linus Torvalds backdoor Linux random number generation?:-

https://www.reddit.com/r/linux/comments/1lucdy/did_linus_torvalds_backdoor_linux_random_number/
"Two years ago Linus overrode a decision by the maintainer of /dev/random and made a decision to include a patch by Intel which would make Linux rely blindly on output from RdRand (an implementation sealed in a chip and impossible to audit)
Matt Mackall, the maintainer of the Linux RNG was so appalled by this decision that he felt that he had no alternative but to quit the project."

https://news.ycombinator.com/item?id=6336505 :-
Matt Mackall, the former maintainer of /dev/random, actually stepped down over this issue, because Linus overrode Matt and applied Intel's patch that used their hardware random number generator directly:
http://comments.gmane.org/gm

Ted Ts'o later reverted this, separating out Intel's hardware random number generation into a separate function that could be used to seed the entropy pool but wouldn't be trusted directly as the main kernel source of random numbers:
http://git.kernel.org/cgit/linux/
"If I had to guess what happened, some intel people pushed this as a feature, probably pushing it via one of the x86 git trees, and Linus either (a) didn't notice, or (b) didn't understand the implications, and then Matt quit in a huff --- by just stopping to do work, and not even updating the entry in the MAINTAINERS file."

tytso (Ted Ts'o), in the same thread :-
Not only did it happen before, just TODAY I had to fight back an attempt by a Red Hat engineer who wanted to add a configuration option which would once again allow RDRAND to be used directly, bypassing the entropy pool: https://lkml.org/lkml/2013/9/5/

"It's unlikely that Intel (for example) was paid off by the US Government to do this, but it's impossible for them to prove otherwise --- especially since Bull Mountain is documented to use AES as a whitener. Hence, the output of an evil, trojan-horse version of RDRAND is statistically indistinguishable from an RDRAND implemented to the specifications claimed by Intel. Short of using a tunnelling electronic microscope to reverse engineer an Ivy Bridge chip and disassembling and analyzing the CPU microcode, there's no way for us to tell for sure."
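The design point behind the quotes above, as an added illustration that is not from any of the quoted sources and is not kernel code: a hardware RNG whose output the vendor can reproduce is predictable when handed to callers directly, but once it is only one input hashed into a pool alongside other entropy, the vendor's knowledge alone no longer predicts the output. The classes and functions (BackdooredHwRng, EntropyPool, direct_use, mixed_use, adversary_predicts) and the toy hash-based pool are constructed for this simulation.

```python
import hashlib


class BackdooredHwRng:
    """Constructed stand-in for a trojaned RDRAND: the stream is hash output,
    so it passes statistical tests, yet it is a pure function of a seed the
    vendor knows. From the outside it is indistinguishable from an honest one."""

    def __init__(self, seed: bytes):
        self._state = seed

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._state = hashlib.sha256(self._state).digest()
            out += self._state
        return out[:n]


class EntropyPool:
    """Toy entropy pool (not the kernel's): every source is hashed into the
    state, and output is derived from the whole state, never from one source."""

    def __init__(self):
        self._state = b"\x00" * 32

    def mix_in(self, data: bytes) -> None:
        self._state = hashlib.sha256(self._state + data).digest()

    def extract(self, n: int) -> bytes:
        out = hashlib.sha256(b"extract" + self._state).digest()[:n]
        self.mix_in(out)  # roll the state forward so outputs do not repeat
        return out


def direct_use(seed: bytes, n: int) -> bytes:
    """Pre-revert design: hardware RNG output goes straight to the caller."""
    return BackdooredHwRng(seed).read(n)


def mixed_use(seed: bytes, other_entropy: bytes, n: int) -> bytes:
    """Post-revert design: hardware RNG is one contribution to the pool."""
    pool = EntropyPool()
    pool.mix_in(other_entropy)  # e.g. interrupt timings, disk events
    pool.mix_in(BackdooredHwRng(seed).read(32))
    return pool.extract(n)


def adversary_predicts(seed: bytes, n: int) -> bytes:
    """What the chip vendor can compute knowing only their backdoor seed."""
    return BackdooredHwRng(seed).read(n)
```

With `other_entropy` the vendor cannot observe, `mixed_use` differs from `adversary_predicts` while `direct_use` matches it byte for byte; the construction only helps, of course, if the other sources really are unpredictable.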

https://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security :-
Technology companies maintain that they work with the intelligence agencies only when legally compelled to do so.

The Guardian has previously reported that Microsoft co-operated with the NSA to circumvent encryption on the Outlook.com email and chat services.
The company insisted that it was obliged to comply with "existing or future lawful demands" when designing its products.

The IPbill just brings this point out into the open.
