Pete Biggs
2017-Apr-15 08:46 UTC
[CentOS] OT: systemd Poll - So Long, and Thanks for All the fish.
Not wishing to extend this thread further, but ...> There are conspiracy theories out there that the NSA is involved with > bringing systemd to Linux so they can have easy access to *"unknown"* > bugs - aka backdoors - to all Linux installations using systemd *[1]*.They're conspiracy theories, and that's it. The bottom line is that in general people don't like not understanding things and when they come across something they don't understand they create a mythology around those things to rationalise their non-understanding. Factor in to that the general mindset of Linux hackers/admins that they must know and understand every part of their system and you create the perfect environment for such theories to grow and blossom. Systemd is complex; it's implementation was badly handled on a social level. Nevertheless it is open source. It is highly unlikely that the NSA, or any other agency, would risk putting in backdoors to code that could be audited by Joe "random hacker" Blogs, let alone that might be discovered by hostile agencies. There is no doubt that most security agencies have a long list of zero- day exploits in their toolbox - I would hazard to suggest that they wouldn't be doing their job if they didn't! But I seriously doubt they would commission exploitable code in something that is openly auditable. P.
ken
2017-Apr-16 10:53 UTC
[CentOS] OT: systemd Poll - So Long, and Thanks for All the fish.
On 04/15/2017 04:46 AM, Pete Biggs wrote:> Not wishing to extend this thread further, but ... > >> There are conspiracy theories out there that the NSA is involved with >> bringing systemd to Linux so they can have easy access to *"unknown"* >> bugs - aka backdoors - to all Linux installations using systemd *[1]*. > They're conspiracy theories, and that's it.Hmm. That's not quite it. Wikileaks recently posted a trove of docs on CIA exploits. It was big news. I'm surprised you missed that. And, yes, the exploits also include more than a few against linux. Go to their site and look under vault7. Or search for "linux" or "redhat"... you'll get hundreds of hits. Here's just one: https://wikileaks.org/spyfiles4/documents/FinSpy-3.10-User-Manual.docx (If you have only a few seconds to look at it, see page 34.)> The bottom line is that in > general people don't like not understanding things and when they come > across something they don't understand they create a mythology around > those things to rationalise their non-understanding.True, but that "mansplanation" can point in a lot of ways, including at Pollyanna.> .... > Systemd is complex; it's implementation was badly handled on a social > level. Nevertheless it is open source. It is highly unlikely that the > NSA, or any other agency, would risk putting in backdoors to code that > could be audited by Joe "random hacker" Blogs, let alone that might be > discovered by hostile agencies.Years ago it was revealed that one of the linux developers inserted an exploit into the gcc code which, when the login code was compiled, would give him access to any system running it, effectively every linux system. This exploit was in the linux code for a long time and was never discovered. It was revealed only by the developer himself, and only because he was retiring. Point is: Code is often complex, especially that written in C (or C++ and others), so much so that an exploit can be written into it and not discovered for a long time, or ever. This is yet another argument against systemd: it would be much easier to hide an exploit in it than in a handful of bash scripts.> There is no doubt that most security agencies have a long list of zero- > day exploits in their toolbox - I would hazard to suggest that they > wouldn't be doing their job if they didn't! But I seriously doubt they > would commission exploitable code in something that is openly > auditable. > > P.P., I used to think that too... indeed, I was thoroughly convinced of it. But reality changed my mind.
Jonathan Billings
2017-Apr-16 12:59 UTC
[CentOS] OT: systemd Poll - So Long, and Thanks for All the fish.
On Apr 16, 2017, at 6:53 AM, ken <gebser at mousecar.com> wrote:> Years ago it was revealed that one of the linux developers inserted an exploit into the gcc code which, when the login code was compiled, would give him access to any system running it, effectively every linux system. This exploit was in the linux code for a long time and was never discovered. It was revealed only by the developer himself, and only because he was retiring. Point is: Code is often complex, especially that written in C (or C++ and others), so much so that an exploit can be written into it and not discovered for a long time, or ever. This is yet another argument against systemd: it would be much easier to hide an exploit in it than in a handful of bash scripts.When you say ?one of the linux developers?, you mean Ken Thompson? http://wiki.c2.com/?TheKenThompsonHack <http://wiki.c2.com/?TheKenThompsonHack> This story predates Linux, and describes a problem with any potential software. You realize ?bash? could be just as malicious as systemd in this scenario? Are you meticulously going through *it?s* source code in your version of the world? Note: bash is not written in bash. -- Jonathan Billings <billings at negate.org>
Andrew Holway
2017-Apr-16 13:51 UTC
[CentOS] OT: systemd Poll - So Long, and Thanks for All the fish.
> > There is no doubt that most security agencies have a long list of zero- >> day exploits in their toolbox - I would hazard to suggest that they >> wouldn't be doing their job if they didn't! But I seriously doubt they >> would commission exploitable code in something that is openly >> auditable. >> >> P. >> > > P., I used to think that too... indeed, I was thoroughly convinced of it. > But reality changed my mind.Indeed. I think the assertion "OSS is somehow safer because of community audit" is a logical fallacy. How would one go about "auditing" in the first place? Even if the various Intelligence agencies are not injecting vulnerabilities then they would certainly be in a strong position to discover some of the holes already existing some time before they become public. Unless you're operating an air gap network you can be damn sure that 'they' can get into your systems if they really want to.
Pete Biggs
2017-Apr-16 17:08 UTC
[CentOS] OT: systemd Poll - So Long, and Thanks for All the fish.
On Sun, 2017-04-16 at 06:53 -0400, ken wrote:> On 04/15/2017 04:46 AM, Pete Biggs wrote: > > Not wishing to extend this thread further, but ... > > > > > There are conspiracy theories out there that the NSA is involved with > > > bringing systemd to Linux so they can have easy access to *"unknown"* > > > bugs - aka backdoors - to all Linux installations using systemd *[1]*. > > > > They're conspiracy theories, and that's it. > > Hmm. That's not quite it. Wikileaks recently posted a trove of docs on > CIA exploits. It was big news. I'm surprised you missed that. And, > yes, the exploits also include more than a few against linux.That's not what I said - I said that the security agencies writing backdoors into systemd was a conspiracy theory. I said later that they have exploits as part of their toolkit. I'm surprised you missed that part when you replied to it ...> Years ago it was revealed that one of the linux developers inserted an > exploit into the gcc code which, when the login code was compiled, would > give him access to any system running it, effectively every linux > system. This exploit was in the linux code for a long time and was > never discovered. It was revealed only by the developer himself, and > only because he was retiring. Point is: Code is often complex, > especially that written in C (or C++ and others), so much so that an > exploit can be written into it and not discovered for a long time, or > ever. This is yet another argument against systemd: it would be much > easier to hide an exploit in it than in a handful of bash scripts.Perhaps bash is exploitable - designed to hide the malicious code put into the init.d scripts by the NSA. P.
Gordon Messmer
2017-Apr-16 17:53 UTC
[CentOS] OT: systemd Poll - So Long, and Thanks for All the fish.
On 04/16/2017 03:53 AM, ken wrote:> And, yes, the exploits also include more than a few against linux. Go > to their site and look under vault7. Or search for "linux" or > "redhat"... you'll get hundreds of hits. Here's just one: > https://wikileaks.org/spyfiles4/documents/FinSpy-3.10-User-Manual.docx > (If you have only a few seconds to look at it, see page 34.)That document appears to describe a remote control application, not an exploit. It's only useful once you have administrative access to the system in question. I won't say that I don't think exploits against Linux systems exist, that would be naive. But, I haven't yet seen any CVEs for GNU/Linux systems resulting from the Vault7 leaks.
Maybe Matching Threads
- OT: systemd Poll - So Long, and Thanks for All the fish.
- [Fwd: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?]
- OT: systemd Poll - So Long, and Thanks for All the fish.
- OT: systemd Poll - So Long, and Thanks for All the fish.
- Lista dos aprovados em concurso Lagoa da Canoa