Thursday, October 10, 2013

Sometimes they really are out to get you

Someone tried to backdoor the Linux kernel in 2003. The seemingly paranoid control procedures of the kernel development team caught the attempt:
This is a very clever piece of work. It looks like innocuous error checking, but it’s really a back door. And it was slipped into the code outside the normal approval process, to avoid any possibility that the approval process would notice what was up.

But the attempt didn’t work, because the Linux team was careful enough to notice that this code was in the CVS repository without having gone through the normal approval process. Score one for Linux.

Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack. Unless somebody confesses, or a smoking-gun document turns up, we’ll never know.
Me, I'm not so worried about stupid hackers. I lose sleep at night over really smart ones. They really are out to get you, and are very good at flying below the radar.
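The mechanism Felten describes, as an added illustration that is not the kernel's code: the widely reported detail of the 2003 change was a single `=` where `==` belonged, inside a condition that otherwise reads as option validation. The flag names, `struct task`, and the functions below are constructed stand-ins; the backdoored form sits beside the corrected one so the side effect can be observed.

```c
#include <stdio.h>

/* Constructed stand-ins (not kernel code): two option flags whose
   combination is treated as "invalid", and the calling task's uid. */
#define OPT_A 0x40000000u
#define OPT_B 0x80000000u

struct task { unsigned int uid; };

/* Backdoored form. It reads as "reject this invalid flag combination",
   but `current->uid = 0` is an assignment, not a comparison: it always
   yields 0, so the error branch never runs, and any caller passing
   exactly OPT_A|OPT_B silently becomes uid 0. The extra parentheses
   around the assignment also silence the usual -Wparentheses warning,
   so a compiler does not flag it; a reviewer has to. */
static int check_options_backdoored(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (OPT_A | OPT_B)) && (current->uid = 0))
        retval = -1;
    return retval;
}

/* Corrected form: a real comparison, no side effect on credentials. */
static int check_options_fixed(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (OPT_A | OPT_B)) && (current->uid == 0))
        retval = -1;
    return retval;
}

/* Run a check from a given starting uid and report the uid afterwards,
   which makes the privilege side effect observable. */
static unsigned int uid_after(int (*check)(struct task *, unsigned int),
                              unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    (void)check(&t, options);
    return t.uid;
}

int main(void)
{
    printf("backdoored, uid 1000 -> %u\n",
           uid_after(check_options_backdoored, 1000, OPT_A | OPT_B));
    printf("fixed,      uid 1000 -> %u\n",
           uid_after(check_options_fixed, 1000, OPT_A | OPT_B));
    return 0;
}
```

Both versions return 0 (no error) for an unprivileged caller, which is why the change looked harmless in a diff; only the caller's uid afterwards differs.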

If I come across as paranoid, remember that I was professionally trained to be that way by the Finest Minds in the Free World.

10 comments:

Tango said...

HA! I read about this one the other day. Linux developers: Doing it right.

Tango said...

Ooh... that's a T-Shirt!

"Linux developers do it with a CMS."

Old NFO said...

They done good! :-)

eiaftinfo said...

Nothing wrong with being paranoid - there are plenty of folks out there to get you. And speaking of paranoid . . . have a question.

Are any of your security friends wondering if the government is slipping something into your machine while you're signing up for Obamacare? It would seem like the perfect opportunity since the vast majority of folks will touch that site at one time or another.

Thoughts? Or am I just being overly paranoid?

Tango said...

The most they can do from a webpage standpoint is give you a tracking cookie and steal your info. Well, they already have your info. They don't need your bank account numbers or PIN (they have the former and don't need the latter) so there's nothing for them to gain. Having been watching the interwebs for the past several YEARS, they already know if you download illegal material or kiddy porn. They just can't get a warrant for it with it being fruit of the forbidden tree.

Borepatch said...

eiaftinfo, that's tin foil hat talk. Of course, lately that just means that it's more than a little plausible.

R.K. Brumbelow said...

@tango

I have to strongly disagree with you there. They can also grab your MAC address and correlate it to your personal machine (very useful in other forms of tracking) and recall that TOR has been recently breached at least 2x by cookie usage.

So, yes, they could use the exchange boards to keylog / cookie / MAC-trace / infect your machine. A few years ago I would have said it is not worth the effort for them to gather such data. I would have been wrong.

In the early 2k's I did a stint while switching from security to development as an engineer/forensics tech for a high end PI firm in Dallas, TX. My motto eventually got adopted by the sales weasels: The question is not 'are you paranoid', it is 'are you paranoid enough'.

Tango said...

But to what end? Tor is 50% compromised already. Just by the IP address alone, they know that it's you. Even with DHCP, if you don't think they've got the ability to get the exact 'who' of the other end of the line.... Sure they can get that, but I seriously doubt anything that can compromise the actual 'security' of the PC involved.

Remember, this website was cobbled together in a rush by the lowest bidder. This isn't NSA stuff and the NSA doesn't need it. The government is after your medical data anyway.

AnarchAngel said...

"You may think "Oh that could never happen... no-one would bother... isn't that kinda farfetched"... Ma'am, that's my job. I'm a professional paranoid, and I'm very good at it".

Archer said...

To quote the movie Taken:

Kim: Mom said your job made you paranoid.
Bryan: Well, my job made me aware.

There's a subtle difference.