Microsoft: Vista won't get a backdoor 3271
In comp.os.linux.advocacy, DFS wrote on Tue, 7 Mar 2006 17:28:24 -0500
It is. If one is competent in reading specifications (what does everyone think source code *is*, magic incantations??), it might be caught. However, a *very* old trick is to modify the compiler so that, when it sees certain code patterns -- usually used in older implementations of /bin/login -- it would not use the standard patterns the unmodified compiler would generate, but rather put in its *own* code patterns, to hack into the system in a fairly undetectable way.
Microsoft: Vista won't get a backdoor 3273
In comp.os.linux.advocacy, DFS wrote on Tue, 7 Mar 2006 22:34:37 -0500 Gotta start somewhere. :-) Unfortunately, I don't want to destroy the microprocessor by popping the lid off Or had that occurred to you? :-) I'll...
The only way around this is to build one's own compiler, or at least monitor the construction of gcc, and the bits going thereinto (which might include bison-byacc), plus develop a "bootstrap compiler" (gcc is written in C, and is usually built using the native C compiler on a platform -- e.g., Solaris' cc) purely in assembly strong enough to build gcc.
I'd have to look to see how difficult that would be. The good news is that it doesn't need to rerun the flex-byacc-bison compiler-compiler unless someone actually changes the language; the distributed .c files include the compiled output of flex-byacc-bison.
Or one can simply trust Microsoft's compiler. Considering that I've actually caught Visual Studio 5-NT 4 in an outright memory corruption bug, the trust here may be slightly misplaced, though Windows XP is now better in that area at least.
No, he's not. The bad guy slips in a Mickey into the code redistribution network, sufficiently obfuscated so that it passes muster. Then *they* pass the bad code. If they're lucky, someone catches the bad code, and then asks them to remove it.
If not...well, it's been nice knowing Linux.
(Someone *did* try this. It was fairly subtle, too, but it got caught prior to inclusion. Can't guarantee that it won't happen again, though.)
That's a variant of 'bait and switch', and is slightly less useful. It would require, for instance, the ability to modify a file on a distribution network that one doesn't really have the rights to -- and since most of such files have MD5 checksums, one would have to modify those as well.
Microsoft: Vista won't get a backdoor 3275
On 2006-03-07, Rick spake thusly: And open source software is, in most cases, a work in process by volunteers from all over...
Time for everyone to leave now..... 3278
Microsoft has their "Fast Facts" site, it's advertized on nearly every page that even mentions Linux, and provides as much pro-microsoft information as they can possibly get, even when it's...
Note that deletion shows up as a delta, which will be timestamped after the build -- unless he deletes it just after he starts the build, which can be done.
Note also that the bad guy can't do the build. He might trick some people into downloading from his site, but that's the best he can do.
No one. Nada. Zippo. Zilch. You are responsible for your own machine; no one is going to do it for you. You are ultimately the one who has to check every line of code (or trust those who allegedly have done it ahead of time on nobody's behalf in particular).
I'd start with the compiler, then with glibc, then maybe init, bash, and login. X might get a very thorough onceover just to ensure that keystroke events aren't getting squirreled into /dev/hacker. Don't forget that Gnome and KDE have their own layering, and of course the audio subsystem might be surreptitiously recording from your microphone, so try not to vocalize your password as you type it.
With Gentoo, the good news is that it is theoretically the emerge system, unlike some other systems such as rpm and apt-get, does not appear to have an elegant method by which one can unpack but not build the code, so that one can peruse the code in the temporary tree. This isn't that big of a problem if one interrupts the build at the right moment.
You shouldn't. We are sabotaging an American company even as we speak. Oh, the horror!
(That company, of course, is based in Redmond, Washington, and generates about $41B of revenue per year. Losing that $41B will be extremely painful in that area.)
At least with Microsoft they'll happily take your money and provide you with a phone number and access to the Better Business Bureau should they shaft you -- at least until one's "free" support time runs out.
Only they won't. They're wearing clean white hats (with a colored square flag, perhaps), not blood-stained ones, hypnodisks, contagionous geckoes, flying stars, F-world, a rising moon over blue mountains, a penguin on a business card, weird spacecraft, devilworld, colored pinwheel fan, three happy dancing people, a green house roof, a puppy, a yellow dog, or a thing that looks like a mix of an ancient drawing from Galileo and a happy penguin -- with four wings, yet. *
And since their code is closed it's a little harder to hack. (But not that much.)
So where's the Linux backdoor? There's gotta be one, because of projection. Point out file and line #, please.
Not that viruses need a backdoor. They install their own.
* blood-stained hat: RedHat, of course. :-) hypnodisk: Debian. contagionous gecko: Novell-SuSE. flying star: Mandriva. F-world: Fedora. (Don't ask me why there's no hat.) Moon-over-Mountains: MEPIS. penguin-on-card: Damn Small Linux, which touts itself as a "Biz-Card Desktop". devilworld: FreeBSD. (It's in distrowatch, and a very powerful OS in its own right. It's not Linux, but who the hell cares? ;-) But the logo looks like a marble with two red horns sticking out.) colored pinwheel fan: PCLinuxOS, though one might make a case for CentOS (though theirs is more of an 8-arrow logo than a pinwheel). weird spacecraft: Gentoo. three happy dancers: Ubuntu or Kubuntu. green house roof: Linspire. (Cute woman in yellow optional.) a puppy: PuppyLinux, of course. a yellow dog: YellowDog. ancient drawing: Knoppix.
The logos themselves are rather interesting, but the rest get very obscure quickly. Rubix, for instance, has 5 colored squares but probably wouldn't be all that easy to explain to the casual aficionado, especially if he hasn't seen a certain puzzle. Aurox is 4 colored squares, one with an "X". Frugalware has an F in some blue squares. (Uh, are we selling an OS or typography here?) Ark uses three hexagons, one of which might contain a picture of ocean. Big Linux is a very obscure Brazilian distro which has a green bird with a mohawk with two alien antennae, pointing a gun with a funny-looking penguin at the viewer. Ultima is a penguin wearing a pink hair ribbon. (??!?) Lunar Linux is a black cat, or maybe an owl; it's hard for me to tell. Phlak is a helmet. Morphix is a cratered moon with a thick black border. (Maybe they and Lunar need to switch?) TurboLinux is a lightning bolt. TinySofa is a blue sofa (one of the few that actually make any sense). Kurumin (another Brazil offering) is a penguin with feathers. Vine is a bunch of grapes. LFS is either a bird in a chef's hat, or Tux separated into puzzle pieces.
And the very last one in the 100 list is BLAG, which has a black star in a gray square with a white border.
Microsoft: Vista won't get a backdoor 3272
In comp.os.linux.advocacy, Lin┐nut wrote on Wed, 08 Mar 2006 07:23:02 -0600 "The" tar file? I've got news for you...the...
Now class...can you remember which logos go with which brands? :-) No fair peeking.
A better case of "monopolistic competition" I would be hard pressed to find anywhere.
-- It's still legal to go .sigless.