In today's open source roundup: How Debian plans to stop backdoors and the CIA. Plus: Adblock Plus launches Adblock Browser for Android. And: Raspberry Pi touch display released.

Debian Linux versus the CIA

Hidden backdoors in software have long been a concern for some users as government spying has increased around the world. Now the Debian project has taken aim at the CIA and other government spy agencies with reproducible builds, which aim to make a backdoor inserted at build time detectable by anyone who rebuilds the package from its public source.

JM Porup reports for Vice:

In response to the Snowden revelation that the CIA compromised Apple developers’ build process, thus enabling the government to insert backdoors at compile time without developers realizing, Debian, the world’s largest free software project, has embarked on a campaign to prevent just such attacks. Debian’s solution? Reproducible builds.

In a talk at Chaos Communication Camp in Zehdenick, Germany, earlier this month (full text here), Debian developer Jérémy Bobbio, better known as Lunar, told the audience how the Linux-based operating system is working to bring reproducible builds to all of its more than 22,000 software packages.

Reproducible builds, as the name suggests, make it possible for others to reproduce the build process. “The idea is to get reasonable confidence that a given binary was indeed produced by the source,” Lunar said. “We want anyone to be able to produce identical binaries from a given source.”

A software package reproducibly built should be byte for byte identical to the publicly-available package. Any difference would be evidence of tampering.

More at Vice

The news about Debian’s efforts to stop hidden backdoors spawned a large thread on the Linux subreddit, and redditors weren’t shy about sharing their opinions:

Altiris: “Each and every time I read something about Debian, I like them more and more.”

Wbsgrepit: “The problem is, to do what they are suggesting ‘right’ they need to go much, much deeper.
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
is a very well-known and old article about a hard-to-solve vector (yes, that Ken Thompson). Basically, by making small and orchestrated changes over time to a compiler chain/bootstrap it is possible to create a very, very hard to find backdoor/vector inherent to an OS that can insert into any executable on the system (when they are compiled and without any telltale source). If they don’t backtrack to a known good/clean bootstrap on the compiler chain/kernel it does not matter if they create reproducible binaries — given a clean source compiled to known bits, the bits may already have a backdoor introduced by the compiler. And, mind-breakingly, the compiler itself being compiled by the compiler could propagate the issue on bootstrap of the compiler. Basically they need to verify a compiler chain from hand-coded machine language to a current version in as few steps as possible. =(”

RenaKunisaki: “Hand-coded machine language on a known good CPU. Modern CPUs are basically entire systems themselves, and could easily have code hidden away in that top secret System Management Mode that finds and tampers with certain code in memory. (Or finds and executes code marked with a particular magic signature, which might end up in memory as part of a random received packet…)”

Asnotfaw: “Reproducible builds allow others to verify the correctness of builds. This alone helps protect against all manner of attack, from mundane malicious compilation to Trusting Trust. It’s not a perfect defense, since theoretically every verifier could be compromised, but it’s much safer than having no verification at all. Hopefully, in the future, we will also build trusted compilers from scratch, enhancing our security even further. This, combined with reproducible builds, will give us even stronger guarantees about our security.”

Bloodguard: “CPU, disk/network controller chips, BIOS, the microcode on the drives themselves. There are so many places they can hide stuff. Good effort, though.”

Khumbu: “That doesn’t mean that Debian’s efforts are in vain. We need both open hardware and software, not one or the other.”

Frownyface: “The awesome thing about having an easy-to-use, fully reproducible build system for your entire system would be the ability to not just modify everything, but to do so quickly and without a bunch of side effects from using a bunch of different tools, dependency versions, build configuration settings, etc., which is usually the case now with systems with black-box binaries.”

TheStackSmasher: “Backdoored compilers have always been one of the scariest things for me… You strategically infect one dev and, boom, it spreads to everyone, and with no practical way to detect it. Now this is a great solution! Congratulations to the Debian guys, that’s why I love Debian and GNU/Linux in general. (Yes, this doesn’t get rid of backdoors completely, but it is one less problem to care about.)”

More at Reddit

Adblock Browser launches for Android

Ad blockers have been in the news a lot lately, and now Adblock Plus has launched Adblock Browser 1.0 for Android.

Felix Dahlke reports on the official Adblock Plus blog:

As previously announced, we’ve been working hard on Adblock Browser for Android and iOS over the past few months. I’m happy to announce that today is the day when we release it on both platforms.

Adblock Browser for Android has been in an open beta for a while now, and thanks to the amazing feedback we received there, we were able to evolve it into something we’re proud to release. 1.0 is, of course, just the beginning. There’s a long list of things the community wants to see happen, and the list is most definitely not going to get any shorter.

More at the Adblock Plus Blog

Raspberry Pi touch display released

The Raspberry Pi has proven to be a popular item among some users, and now you can get a touch display for it for only $60.

Silviu Stahie reports for Softpedia:

The new touch display for Raspberry Pi is developed by the same team who built the mini-PC itself, and it’s been in the works for the past three years. It took them a long time because they always had other, more important projects to take care of, but they finally got enough time to finish the project.

Don’t expect to see a monster of a display for the Raspberry Pi. That’s not really what the developers had in mind when they were designing it. As it stands right now, the new touch display supports a resolution of RGB 800×480 @ 60fps, 24-bit color, has an FT5406 10-point capacitive touchscreen and a 70-degree viewing angle. Also, the metal-backed display comes with specially designed mounting holes for the Pi.

More at Softpedia

Did you miss a roundup? Check the Eye On Open home page to get caught up with the latest news about open source and Linux.
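Returning to the Debian item above: the check Lunar describes (rebuild from the public source, compare byte for byte with the published package) only works once every input that is not derived from the source has been pinned. The script below is an added illustration of that, not Debian's own tooling and not a real package: it packages a constructed two-file source tree once the naive way (wall-clock timestamps, directory order) and once with those inputs fixed, following the SOURCE_DATE_EPOCH convention that came out of the Debian reproducible-builds work, then runs the third-party verification against an unmodified rebuild, against a rebuild whose main.c carries a build-time implant, and against a single flipped byte. The function and constant names (naive_build, reproducible_build, verify, BACKDOORED_SOURCE) are this example's own. As the Thompson thread in the comments points out, the check assumes the rebuilder's toolchain is trusted: a compromised compiler reproduces its own implant identically on both sides, which is why the Debian effort pairs this with many independent rebuilders rather than one.

```python
"""Toy reproducible-build check (added example, not Debian's tooling).

Two "builders" package the same constructed source tree into a .tar.gz.
The naive one records whatever the build machine happens to hand it, so
two runs never match.  The reproducible one pins everything that is not
derived from the source, so anyone can rebuild and compare digests.
"""
import gzip
import hashlib
import io
import os
import tarfile
import time

# Constructed sample source tree (path -> contents), standing in for the
# public source of a package.  Not a real project.
SOURCE = {
    "hello/Makefile": b"all: main.c\n\tcc -o hello main.c\n",
    "hello/main.c": b"int main(void) { return 0; }\n",
}

# The same tree with a build-time implant of the kind the article worries
# about: a change that is absent from the source everyone can read.
BACKDOORED_SOURCE = dict(SOURCE)
BACKDOORED_SOURCE["hello/main.c"] = (
    b"#include <stdlib.h>\n"
    b'int main(void) { system("/bin/sh"); return 0; }\n'
)


def naive_build(source, when=None):
    """Typical non-reproducible packaging: archive members carry the
    wall-clock mtime and appear in dictionary/filesystem order."""
    when = time.time() if when is None else when
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:  # gzip header gets "now" too
        for path, data in source.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = when
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible_build(source, source_date_epoch=None):
    """Same packaging with every non-source input pinned: sorted member
    order, a fixed mtime taken from SOURCE_DATE_EPOCH, constant mode and
    ownership, and a zeroed gzip timestamp."""
    if source_date_epoch is None:
        source_date_epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "0"))
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=source_date_epoch) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.USTAR_FORMAT) as tar:
            for path in sorted(source):
                data = source[path]
                info = tarfile.TarInfo(path)
                info.size = len(data)
                info.mtime = source_date_epoch
                info.mode = 0o644
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def verify(published, rebuilt):
    """What an independent rebuilder runs: byte-for-byte comparison of the
    published artifact with a fresh build from the public source.  Returns
    (identical, offset of the first differing byte or None)."""
    if published == rebuilt:
        return True, None
    for offset, (a, b) in enumerate(zip(published, rebuilt)):
        if a != b:
            return False, offset
    return False, min(len(published), len(rebuilt))  # one is a prefix of the other


if __name__ == "__main__":
    published = reproducible_build(SOURCE, 0)
    print("published  ", sha256(published))
    print("rebuilt    ", verify(published, reproducible_build(SOURCE, 0)))
    print("naive x2   ", verify(naive_build(SOURCE, 1_000_000), naive_build(SOURCE, 2_000_000)))
    print("backdoored ", verify(published, reproducible_build(BACKDOORED_SOURCE, 0)))
    print("bit flip   ", verify(published, published[:-1] + bytes([published[-1] ^ 1])))
```

The point of the first-differing-offset value is diagnostic: in practice most mismatches are not attacks but leftover nondeterminism (a timestamp, a locale-dependent sort, an embedded build path), and the offset tells you which member of the archive to look at before raising an alarm. Only once a package is reproducible across independent builders does a mismatch become the "evidence of tampering" the Vice excerpt describes.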