Backdoors in my OS?

[Deleted member 9563]

I do have some 5.25 floppies, but they're dedicated to an OS/2 setup. But, maybe you could twist my arm ...

I think I used a version of the IBM with eight inch floppies, IIRC.

Thanks for the offer but I actually have a good supply of 5.25 floppies - both single and double density. In fact some recently purchased. So, I was partially kidding. But it would indeed be interesting to run a UNIX system on a floppy only system. I'm a big fan of the double floppy computer but they're mostly, if not all, 8088 based so not a good candidate for *nix. I've actually got a stack of XT boards with 1M soldered-in RAM if somebody wants one.

 

[tomxor]

That's nothing compared to the hazzle I get when I plunk down my IBM 5155 and go looking for a plug. It got so bad that I started bringing my Honda generator which resulted in them banning me completely. That's the price of freedom! So I make coffee at home now.

...And I thought I was old with my Compaq SLT and Atari STFM, these look like modern computers compared to that beast!

On topic: was the hardware in any of these old machines really any more knowable from a hardware level? They have more discrete collections of ICs but ultimately there is still some proprietary CPU at the centre of it all.

 

[Crivens]

Maybe one should consider to 'roll your own'. Since it can be done, why not do it again? That should make it hard to backdoor any system, when you are only compatible on source level. Also, it might be fun. Not our beloved OS, but we left that limit behind several posts ago.

 

[Deleted member 13721]

Makes me tempted to obtain an IBM Thinkpad R40 and relive my days in high school. Haha.

 

[Snurg]

Isn't the Unix philosophy of (relatively) simple (and maybe even open sourced and relatively easily auditable) programs doing only one thing and doing this well contrary to the needs of a secret service?

Wouldn't it make much more sense to introduce some monolithic large programs (that can easily control and divert all data the system handles) disguised as "progress", as "must-have-improvement" in a way that practically everybody is forced (or even wants) to use them?

Wouldn't gigantic code chunks like systemd or pulseaudio that are hard to impossible to audit as whole with their lots of (deliberate and accidental) hidden "bugs" that potentially could serve as tapping device or even as "kill switch" suit the state security agencies' needs better?

Doesn't it make people wonder why a big part of the massive pressure to introduce such "innovations" on a wide scale stems from Black Red Hat Linux, whose customer base to a large part consists of US government agencies of all sorts, some of them quite shady, and who employ people like Mr. Poettering to implement their needs?

 

[tobik@]

monolithic large programs (that can easily control and divert all data the system handles) disguised as "progress", as "must-have-improvement" in a way that practically everybody is forced (or even wants) to use them?

You mean a kernel?

Wouldn't gigantic code chunks like systemd or pulseaudio that are hard to impossible to audit as whole with their lots of (deliberate and accidental) hidden "bugs" that potentially could serve as tapping device or even as "kill switch" suit the state security agencies' needs better?

Maybe? Systemd is harmless as is PulseAudio with regards to code size. Ever look at a web browser's code (+ all the libraries they use)?

 

[ronaldlees]

You mean a kernel?

Yeah - but Linus vets every line (here's hoping).

 

[Snurg]

You mean a kernel?

Don't have kernels some intrinsic problems as attack vector?
Won't make the multitude of different, relatively short-lived kernels that get much attention make the introduction of some helpful "bugs" difficult?
Wouldn't the need for specially tailored individual "per-kernel-treatment" be quite uneconomical?
Wouldn't such activities raise the risk to draw undesirable attention to unacceptable levels?

Couldn't other vectors than kernels be more attractive from a secret service's standpoint?
Wouldn't things that allow the injection of exploitable tricks from a single, apparently innocuous spreader outlet be much more efficient for state services?

Maybe? Systemd is harmless as is PulseAudio with regards to code size. Ever look at a web browser's code (+ all the libraries they use)?

Honestly, I am not sure whether one really can compare large userland applications with "relatively small" things that run as root.
Compared to usual kernel modules' code size systemd is already a giant.
And it is growing steadily, as more and more control functionality over more and more previously untouched system components is being added.

Wouldn't it be a big success for the big brothers if they'd manage that all Linux computers (maybe except those of a few unimportant nerds) are equipped with a PID 1 they can access should the need arise?
Wouldn't such a thing be a glorious covert take-over of Linux, effectively making it a "secure" OS kernel with an attached remotely controllable "wrapper"?

 

[zirias@]

Main functions of OS:
[...]

Well you could have a more abstract view on this: The main functions of an OS are

1. manage the machine it's running on (somehow, e.g. abstract the hardware) and
2. support the application that's valuable to the user

and that's it. The application is what counts, well, normally. In very narrow cases, like setting up a firewall box for your network, the OS is the application. But most of the time, it isn't, and you must ask yourself: which OS will support my intended application the best under given circumstances, like hardware it should run on, or other non-functional requirements like performance and security/privacy ...

"Nerds" like us mistrust anything closed-source and might even ask questions about open-source as soon as it grows big enough, so we can't review all of the code ourselves. And we take the security/privacy requirement even more important than the actual functional requirements (getting work done using the application). But be aware these aren't the priorities of the majority of users

 

[gofer_touch]

This thread was an interesting read. Has anyone ever heard of these guys: https://www.raptorengineering.com/TALOS/prerelease.php

Otherwise the only semi-modern alternative for secure hardware seems to be based on the Interlagos and Valencia Opteron CPUs and the corresponding Asus motherboards which can be coreboot flashed.

 

[tingo]

Raptor Engineering and TALOS, yes, I've heard about them. The crowd funding campaign for the TALOS failed. So: people think that security is important, but there is a limit to how much people want to pay for better security.

 

[gofer_touch]

There seems to be some consensus building that it really doesn't matter how secure the OS is. As long as there are hardware level CPUs that can act independently of the OS, with access to RAM and the networking hardware its still possible to take over control of a system (i.e. Intel Management Engine and AMDs Platform Security Processor in their new CPUs). Hence the argument for open hardware that can be audited.

Raptor Engineering tried with OpenPower, but it was more costly than what people were willing to pay. AMD's bulldozer chips seems to be the most recent CPUs without the extra CPU cooked into the die.

Now there are calls for AMD to open up the PSP on Ryzen. Perhaps it will get somewhere.

 

[Mjölnir]

Simple answer: by making sure said computer isn't connected to the Internet. In FreeBSD terms: by running this command: # service netif down. Or, if you'd like to remain connected to your local network: # route del default.

But in the end there are no certainties.

Nowadays, at least on UEFI machines that's definitely NOT enough. The ME is still running below the OS...
For non-Intel machines these "things" just have other names. And even on older BIOS-based machines, including consumer devices (e.g. ThinkPad), similar OOB can sometimes be found if the machine was targeted for buisness use.

 

[kpedersen]

A lot has changed since this thread was resurrected from 2017 and luckily Raptor has managed to start manufacturing and selling their hardware without relying on crap like crowd funding. They have actually been really great as a company it seems. I really do hope that one day they can (almost single-handedly) free us from Intel's clutches.

And even on older BIOS-based machines, including consumer devices (e.g. ThinkPad).

I really wanted to argue against this and say "no, you meant IdeaPad!" or something along those lines but no. You are right. ThinkPads unfortunately are absolutely consumer devices. There doesn't exist a non-consumer laptop brand it seems. Shame that they are still pretty much the best option :/

 

[Mjölnir]

[...] I really wanted to argue against this and say "no, you meant IdeaPad!" or something along those lines but no. You are right. ThinkPads unfortunately are absolutely consumer devices. There doesn't exist a non-consumer laptop brand it seems. Shame that they are still pretty much the best option :/

I'm interested in getting FreeBSD running on the tablet and phone of Pine64. I think a tablet-pro will come when the pinebook-pro has reasonable acceptance. Anyone interested to join?

 

[k3y5]

I'm interested in getting FreeBSD running on the tablet and phone of Pine64. I think a tablet-pro will come when the pinebook-pro has reasonable acceptance. Anyone interested to join?

Count me in.