FreeBSD and Apple connection

Avyd said:
Is the bird encrypted lol?

It's just IP, if you encrypt your payloads with IPSec, yes. You will however need to trust the remote party with a pre-shared key, or trust that they protect their certificate if you use certificate based auth.

re: Konqueror, my bad. However, apple did contribute to KHTML before they forked it into webkit if I recall correctly.

Do you trust Trolltech? They wrote QT and KDE (thus, Konqueror) uses QT.

Avyd said:
Proof-of-concepts and the percent of occurrences are different. Chance for that is low and even after escaping the VM, with right privileges set what can an automated software do? And what's more you can have extra security with hardening like grsecurity or similar (on FreeBSD there should be an alternative).

Depending on how paranoid you are - proving an occurrence may be extremely difficult if your hardware lies to you. If your CPU microcode is subverted (and it is far more "closed" than FreeBSD), all bets are off. I would argue that the chances of FreeBSD being tainted by Apple are "low" but in your book it is cause for concern. VM escape is of similar level of risk, if not more so, in my opinion. People have actually demonstrated exploits for it in the past - no one has demonstrated that FreeBSD is compromised yet. If I was the NSA, I'd be getting Intel and AMD on board to subvert the CPU, and I'm sure the NSA has far more devious people than me on board who are paid in full-time employment to think up ways to do this sort of thing.

My machine adapter, my router, my firewall, etc. - I don't think all of them would hide connections. Chances for that are low. Combining devices/software helps.

Don't think? Why not? You can't be sure. If you're paranoid enough to not trust open source software because Apple has contributed (even though the source is available for you to analyze and compile yourself), then I don't think you're being sufficiently paranoid enough (i.e., paranoid to the same level) here.

Why would I use IPSec? Mostly companies use that. Home hosts, private servers, company servers, etc. are different in many ways and shouldn't be treated the same way.

You'd use IPSec so that only the intended party can see the contents of your packets. Otherwise, you can take all the precautions you like on your own computer and your own network, but as soon as the packets hit the internet, they can be intercepted and analyzed.

All that said - this level of paranoia is just not something you can mitigate. What you CAN do is to run open source software, encrypt your data, don't trust any sort of "encryption" where you didn't personally generate and hold the private key(s) and consider what you expose to the internet. Beyond that, unfortunately it's simply too hard.
 
Avyd said:
Is the bird encrypted lol?

No, but it may be hacked in transit. But you will see that in the packet loss ;)

The cost ./. benefit was mentioned in this thread. May I add the "risk" dimension in this? Open source enables people to check code, and if you want to place something in the source then you have the risk of being found out. And with analyzing the traffic, checking for dodgy remote maintenance traffic - it is sufficient that one check for this is turning up proof for the yell to go around the planet. You want to secretly mess with someone, you need to limit the risk of being found out. If you are found out, but do not know that, then you might be fed "interesting" things. So, considering you want to do $BAD_THING to other users, how big is the risk that more than zero users judge the cost/benefit ratio acceptable to check for something going on? Like some PhD students? Or some other agency/company who might love to catch you in the cookie jar?

There is no absolute trust. There are only zool^h probabilities. You can modulate that some, by choosing to work with tools not easily compromised - but what is acceptable for you is up to you.
 
throAU said:
Don't think? Why not? You can't be sure. If you're paranoid enough to not trust open source software because Apple has contributed (even though the source is available for you to analyze and compile yourself), then I don't think you're being sufficiently paranoid enough (i.e., paranoid to the same level) here.

You can't be sure about anything actually and everything is relative, right?

throAU said:
You'd use IPSec so that only the intended party can see the contents of your packets. Otherwise, you can take all the precautions you like on your own computer and your own network, but as soon as the packets hit the internet, they can be intercepted and analyzed.

I meant to ask why use IPSec when we have OpenVPN which is faster and simpler? But that can be just personal preference of course.

throAU said:
All that said - this level of paranoia is just not something you can mitigate. What you CAN do is to run open source software, encrypt your data, don't trust any sort of "encryption" where you didn't personally generate and hold the private key(s) and consider what you expose to the internet. Beyond that, unfortunately it's simply too hard.

Trying. Some people do, some not, but if you don't even try your best because it's "too hard".. well, you can use Windows.

Probably you think it's paranoia because you are glued to an American way of thinking. European people think differently - try to think like a German and you will understand.

Apple is not trusted in dealing with privacy. Anyone who trusts them is not so clever. You can easily avoid their software.

You still speak about paranoia, but the question is whether we can trust the code base that is inside the system or not. That is still not clarified. We know only that the code is not really reviewed and some code is accepted from Apple.

For further information I will contact the devs because this topic does not seem to have an end and we are not so close to the point.
 
Apple is not trusted in dealing with privacy. Anyone who trust them is not so clever. You can easily avoid their software.
Yeah. That's why you should use Microsoft ... oh ... wait ...
Yeah. That's why you should use Intel ... oh ... wait ...
Yeah. That's why you should use ... oh ... wait ...
 
@Avyd, you are not the only German in the world, so please speak for yourself and not for others. How about putting a "I think, ..." or "In my opinion, ..." or even more friendly and abbreviated "IMHO, ..." in front of your statements?

IMHO, as a German, @drhowarddrfine is right with his perception about your paranoia.

Avyd said:
... try to think like a German and you will understand.

Apple is not trusted in dealing with privacy. Anyone who trusts them is not so clever. You can easily avoid their software. ...

I have been following the activities of Apple since 1984, and I trust Apple much more than I ever would trust you. You come here with a completely anonymous profile, finally claiming to be German, and are trolling against companies, communities, people of other nations and cultures. For me this is enough.

@all please understand, that not all Germans think like the OP.

Many people in the world disagree or are even upset about the NSA activities. By the way, according to recent surveys about 45-50 % of the US people do not like it too much, this accounts for about 150 million US people and this is well more than the total population of Germany.
 
Avyd said:
..try to think like a German and you will understand.
I tried it once, but my basal ganglia nearly exploded, so I vowed to never do it again.

Avyd said:
For further information I will contact the devs because this topic does not seem to have an and and we are not so close to the point.
I appreciate your skepticism, really, but it's not clear how to give you the information you are looking for. Others have told you, generally, what Apple contributes and the code is open. Unfortunately, nobody can give you a guarantee that all code is bona fide.
 
What really amuses me is this very naive perception that code contributed by someone is readily usable on the target platform and therefore it is easy to have things "slip through the cracks" when it gets imported. This is very very far from the reality. If you take the ZFS implementation in FreeBSD as an example, the code from OpenSolaris was totally unusable in its pristine form for FreeBSD because the kernel internals are so different. Essentially a number of people, very bright and professional people, had to read through the code and figure out how to make that mess into something that could work on FreeBSD. You are suggesting that it was still possible for something to slip by in that process and make it into FreeBSD and form an exploitable backdoor and nobody would notice? You're living in a fantasy land my friend.
 
rolfheinrich said:
@Avyd, you are not the only German in the world, so...

So it looks like you misunderstood: I didn't say I'm German by any words, but I know many of them. Some of them are hackers, sysadmins and programmers - all of them take privacy seriously.

@kpa,
Nobody is speaking about script kids.

throAU said:
Also... Apple were involved in mklinux (contributed code) which has since been pulled into the mainline kernel if I'm not mistaken.

Contributing and reviewing is not the same as contributing. It's not only about Apple since we can't see a clean process how code is added/modified.

I'm not saying it's only about FreeBSD, but ignoring clean processes leads to worse quality.
 
Avyd said:
Probably you think it's paranoia because you are glued to an American way of thinking. European people think differently - try to think like a German and you will understand.
...
We know only that the code is not really reviewed and some codes are accepted from Apple.

It's not so much (only) a way of thinking. Thinking can only draw from experiences and imagination. Norway, for example, is a European country, but the citizens there never had any reason for distrust on the level you find in Germany or some other countries. Hopefully they will never have reason to.

And as far as code reviews go - you can only spot things in a review if the one placing them there puts them where you may find them. If someone who is a lot smarter or a lot more experienced than you wants to slip something past you - you are likely not going to find it. Reviews are not the silver bullet they are thought to be.

jrm said:
I tried it once, but my basal ganglia nearly exploded, so I vowed to never do it again.
Ouch, that hurts my national pride. ;)
Oh, wait - with our current buffoons-in-power (a nice example of Germans who think nothing of spying) this pride is somewhat limited.

@kpa Please do not state that ZFS was a mess without citing proof. I'd love to read other opinions about that code base. Most software, once ripped out of its native habitat and being shoe-horned into another, looks like that. I'm pretty sure that the development of ZFS was done with much care, but the coding style is pretty obscure. That I would agree to instantly. And having done this once or twice in my life, I can also support your point that you either spot anything dodgy while doing so, or it simply does not work afterwards.
 
OK, to turn this situation on its head: FreeBSD core has a more stringent review process than Linux's.

Linus has final say on the official Linux kernel, sure. But few distributions use his vanilla kernel. Or vanilla packages either. Most of them have distribution specific patches and there's no telling what they've done.

And as per the above post: code review isn't a silver bullet. Outside of kernel space, Debian for example had a random number generator vulnerability in OpenSSL for over 18 months. This vulnerability was inserted into Debian by a code reviewer who didn't know what he was doing, and thought he'd clean the code up.

All code that goes into FreeBSD base is reviewed by the core team before it is included.

For the record, I'm not American and am one of the more paranoid network admins you'll meet. But you can only go so far before we're so deep into tinfoil territory that if we're at that point, you're almost certainly compromised at a far lower level than you will ever detect.

Apple do not contribute to FreeBSD un-checked. If this is what concerns you: It doesn't work like that.

edit:
As to the ZFS code being a "mess". I don't think that was a comment on the code quality. Merely that the architectures were so different that it essentially needed to be untangled and re-written for FreeBSD to fit the FreeBSD way.
 
throAU said:
edit:
As to the ZFS code being a "mess". I don't think that was a comment on the code quality. Merely that the architectures were so different that it essentially needed to be untangled and re-written for FreeBSD to fit the FreeBSD way.

Yes, that's what I meant and I was exaggerating a little bit more than was needed. I do have experience of maintaining and developing code that was originally written by someone else and it's an analogous situation to importing contributed code from someone else into your own work. Programming languages like C tend to give you a lot of freedom about how you express certain programming idioms and it can be devilishly hard sometimes to grasp what the original author meant with a certain piece of code if there are no comments to help you.

I do know that such obfuscated code can be used to hide something nasty but it's rare to have long sections of the code written in such a manner so it's very unlikely that a few lines of obfuscated code could make up a back door into the final program. There are of course exceptions. One quite famous one was in the Linux kernel where a malicious commit changed an equivalence check in a syscall implementation into an assignment and the result was that any process calling the syscall got root privileges right away. The commit didn't make it into the kernel because it was caught quite early.
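The "equivalence check turned into an assignment" pattern kpa describes is exactly the kind of one-character change a reviewer's eye slides over, and it is also cheap to catch mechanically. The following is an added example written for this page (not code from the thread, from kpa, or from any kernel project): a small review heuristic that scans C source lines for a lone `=` inside an `if`/`while` condition and rates an assignment of a literal constant as high severity, since such a condition has a fixed outcome and clobbers the variable. The sample lines are constructed to resemble the commit described above plus ordinary C idioms; the heuristic is line-based and does not handle string literals or conditions split across lines.

```python
import re

# Constructed sample C lines (not real kernel source). Line 2 mimics the
# "== became =" change; line 3 is the common read-loop idiom; line 4 assigns
# a call result, which reviewers usually accept but should see.
SAMPLE_C_LINES = [
    "if ((options == (__WCLONE|__WALL)) && (current->uid == 0)) {",
    "if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) {",
    "while ((c = getc(fp)) != EOF) {",
    "if (err = copy_to_user(buf, &val, sizeof(val)))",
    "if (a <= b || c >= d || e != f)",
]

COND_KEYWORD = re.compile(r"\b(if|while)\s*\(")
# A single '=' that is not part of ==, !=, <= or >=.
LONE_ASSIGN = re.compile(r"(?<![=!<>])=(?!=)")
LHS_OPERAND = re.compile(r"([A-Za-z_][\w.>\-\[\]]*)\s*$")
CONSTANT = re.compile(r"-?\d+|0x[0-9a-fA-F]+|NULL|[A-Z_][A-Z0-9_]*")


def balanced(text, start):
    """Return the text inside the parentheses opening at text[start], or None."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    return None


def read_operand(text):
    """Take the first operand of `text`: a number, or an identifier with an optional call."""
    text = text.lstrip()
    m = re.match(r"0x[0-9a-fA-F]+|-?\d+|[A-Za-z_]\w*", text)
    if not m:
        return text.split(")")[0].strip()
    end = m.end()
    if end < len(text) and text[end] == "(":
        inner = balanced(text, end)
        if inner is not None:
            end += len(inner) + 2
    return text[:end]


def find_assignments_in_conditions(lines):
    """Return (line_no, lhs, rhs, severity) for every assignment inside an if/while condition."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for kw in COND_KEYWORD.finditer(line):
            cond = balanced(line, kw.end() - 1)
            if cond is None:
                continue
            for a in LONE_ASSIGN.finditer(cond):
                lhs_match = LHS_OPERAND.search(cond[:a.start()])
                lhs = lhs_match.group(1) if lhs_match else cond[:a.start()].strip()
                rhs = read_operand(cond[a.end():])
                # Assigning a literal makes the condition's value fixed: the
                # reviewer must look at this one.
                severity = "high" if CONSTANT.fullmatch(rhs) else "review"
                findings.append((line_no, lhs, rhs, severity))
    return findings


if __name__ == "__main__":
    for line_no, lhs, rhs, severity in find_assignments_in_conditions(SAMPLE_C_LINES):
        print(f"line {line_no}: {severity:6s} assignment in condition: {lhs} = {rhs}")
```

Run over the constructed lines, the scanner reports nothing for the correct check and for the pure comparisons, flags the `current->uid = 0` line as high severity, and lists the two assign-then-test idioms for a human look. A check of this shape belongs in pre-commit review tooling rather than in the compiler alone, because the extra parentheses in the flagged line are precisely what silence `-Wparentheses`.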
 
Avyd said:
..try to think like a German and you will understand.
jrm said:
I tried it once, but my basal ganglia nearly exploded, so I vowed to never do it again.
Crivens said:
Ouch, that hurts my national pride. ;)
Oh, wait - with our current buffoons-in-power (a nice example of Germans who think nothing of spying) this pride is somewhat limited.

Oh my. I can now see how that might have been interpreted as an insult. It wasn't meant to hurt anyone's pride, just my weak attempt to poke fun at the statement. On the other hand, if I may perpetuate the stereotype a little, I would agree that the overall mood in Germany is a little more cautious about these things. At least that was my impression after having lived there for a few years.

In any case, good luck to you @Avyd on your code vetting explorations. Please consider reporting back if you discover anything interesting.
 
kpa said:
What really amuses me is this very naive perception that code contributed by someone is readily usable on the target platform and therefore it is easy to have things "slip through the cracks" when it gets imported. This is very very far from the reality. If you take the ZFS implementation in FreeBSD as an example, the code from OpenSolaris was totally unusable in its pristine form for FreeBSD because the kernel internals are so different. Essentially a number of people, very bright and professional people, had to read through the code and figure out how to make that mess into something that could work on FreeBSD.

You may want to do some reading through the history of ZFS in FreeBSD. For example, a single person did the initial import into FreeBSD 7-STABLE (Pawel Jakub Dawidek), and he did it in a matter of days (or hours? I can't find the e-mail where he mentioned just how little time it took to make it work on FreeBSD due to GEOM and how portable the ZFS code was). Sure, over the years since then, several people have worked on it, and brought newer versions over and newer features and fixed bugs, etc. But the initial import was easy. It wasn't nearly the mess you make it out to be.
 
"Easy" is probably not the right word. For instance, most programs don't have a paper written about their porting process. And that paper describes how a Solaris compatibility layer was written.
 
I was commenting more on "how much of a mess the ZFS code is" and how that made it so hard to port to FreeBSD ... which is the opposite of what Pawel reports.
 
Yeah... I have to take back my claims about ZFS being hard to port to FreeBSD. My point still stands that it's not easy to plant backdoors in the form of contributed source code. Someone may have a better example of something that required a major rewrite when it was imported to FreeBSD, PF perhaps?
 
jrm said:
Oh my. I can now see how that might have been interpreted as an insult.
No offence was taken, at least not by me. That's why the ";)" was in place.
 
throAU said:
Apple are a major contributor to webkit. Which powers Chrome, Safari and Opera. Pretty much any current browser which isn't Firefox.

Google forked WebKit back in April as Blink, and Opera uses Blink in its newer versions, so only Safari uses WebKit. And don't forget Internet Explorer. IE isn't WebKit-based either.
 
neelwebs said:
Google forked WebKit back in April as Blink, and Opera uses Blink in its newer versions, so only Safari uses WebKit. And don't forget Internet Explorer. IE isn't WebKit-based either.

Sure. It's still mostly WebKit unless you think that Google have re-written the majority of it in the couple of months the fork has been around for. Hint: It's probably 95-99% WebKit.

And if you're paranoid about Apple's involvement in free software and yet are willing to give Google a free pass you're pretty naive.

I didn't include Internet Explorer because it's not available on non-Windows platforms, and Opera's market share is so insignificant as to be comparable to a statistical rounding error (and as above for Google - Blink = WebKit anyway).
 
throAU said:
I didn't include Internet Explorer because it's not available on non-Windows platforms, and Opera's market share is so insignificant as to be comparable to a statistical rounding error (and as above for Google - Blink = WebKit anyway).

IE was actually available on non-Windows platforms back in the day but that was at the time of versions 4 and 5. I have used the Solaris version and it was probably the worst browser I've ever used...

http://en.wikipedia.org/wiki/Internet_explorer#OS_compatibility
 
Even so, IE on non-windows platforms used a different rendering engine (i.e., it wasn't really IE). The Mac version at the time was actually more standards compliant/better than the Windows version. But yeah, talking ancient history there - circa 1998-2000.
 
I remember using gopher and mosaic. Does that make me a fossil?
 