Bruce Simpson Site Admin
Joined: 02 Jan 2005 Posts: 6061
|
Posted: Mon Jan 25, 2010 9:27 am Post subject: Back-doors, do you have one? (25 Jan 2010) |
|
|
This column is archived at: http://aardvark.co.nz/daily/2010/0125.shtml
Can you be sure that the computer you're using right now doesn't have one or more back-doors that have been inserted into software to allow authorities to check up on what you're doing and take a peek at your private data?
If that is the case, is it really a bad thing?
Can even those who run open-source software be 100% sure they don't have a back-door or two in their systems?
Even if your OS and applications are clean, is your BIOS and silicon?
If the likes of Google are providing back-doors for government snoops, do you really believe Microsoft's assurances that Windows is "clean"? |
|
Plato
Joined: 25 Jan 2010 Posts: 132
|
Posted: Mon Jan 25, 2010 10:35 am Post subject: |
|
|
It is not the US you should be worried about....
Try Googling "Huawei back doors" and take a peek at how the Chinese are progressively gaining access to every core IP router in the world....
A company run by a former Chinese Intelligence Officer and supplying many of the world's service providers with core network routers... and with Gigabytes of encrypted "signalling" information coming out of service provider core routers - all heading back to IP addresses in discreet "network analysis centres" in mainland China - you can't tell me that they are not intercepting all manner of data already across the world and committing extensive spying and industrial espionage...
..and forget just spying - with a couple of keystrokes they could also remotely take down global networks....using these recently detected back-doors in core routers....
Be scared people - be very scared.... |
|
Plato
Joined: 25 Jan 2010 Posts: 132
|
Posted: Mon Jan 25, 2010 11:00 am Post subject: |
|
|
Of course there are back doors on everything...
The Laptop manufacturers have set default BIOS backdoor passwords for bypassing the BIOS user configured password. The list of Laptop BIOS backdoor passwords is provided below.
1. VOBIS & IBM ----> merlin
2. Dell ----> Dell
3. Biostar ----> Biostar
4. Compaq ----> Compaq
5. Enox ----> xo11nE
6. Epox ----> central
7. Freetech ----> Posterie
8. IWill ----> iwill
9. Jetway ----> spooml
10. Packard Bell ----> bell9
11. QDI ----> QDI
12. Siemens ----> SKY_FOX
13. TMC ----> BIGO
14. Toshiba ----> Toshiba |
|
Peter
Joined: 22 Aug 2006 Posts: 2355 Location: Dunedin
|
Posted: Mon Jan 25, 2010 11:27 am Post subject: |
|
|
| Half of those backdoors have very easy to pick locks. |
|
ctruell
Joined: 16 Jun 2005 Posts: 4
|
Posted: Mon Jan 25, 2010 11:52 am Post subject: Open source systems |
|
|
It's not necessary for every user of Linux to examine every line of code as you say. It's only necessary for some small group of people who are independent of whoever you think might be including backdoors to have done so. If they found anything, they would have raised enough of a fuss that I would have heard of it.
A more subtle problem is that the compiler may have been tampered with so it adds a backdoor that is not in the source code, and adds this ability to itself even if you recompile the compiler from clean code. This possibility was described by Ken Thompson in 1984 http://cm.bell-labs.com/who/ken/trust.html. Examining the executable code should be sufficient to determine if this is happening, and if you don't trust the debugger, it's not too hard to write a simple hexdump utility which does some basic disassembly. There's a reasonable article on these issues at Wikipedia |
|
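The executable check ctruell describes, as an added example that is not part of the original post: a small self-written tool that byte-compares two builds of a program and hexdumps the first row where they differ. It assumes a reference build that is expected to be byte-identical is available; the two buffers are constructed sample data, and the names `first_diff` and `hexdump_row` are illustrative.

```c
/* Added example: compare two builds byte-for-byte and hexdump the first differing row. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NO_DIFF ((size_t)-1)

/* Constructed sample data standing in for two builds; not real binaries. */
static const unsigned char build_a[] = "\x7f" "ELF\x02\x01\x01" "cmp pw,stored; jne deny";
static const unsigned char build_b[] = "\x7f" "ELF\x02\x01\x01" "cmp pw,stored; jmp okay";

/* Offset of the first differing byte, or NO_DIFF if identical.
 * A length mismatch counts as a difference at the shorter length. */
size_t first_diff(const unsigned char *a, size_t na, const unsigned char *b, size_t nb)
{
    size_t n = na < nb ? na : nb;
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return i;
    return na == nb ? NO_DIFF : n;
}

/* Format one 16-byte row as "offset  hex  |ascii|"; out must hold at least 80 bytes. */
int hexdump_row(const unsigned char *buf, size_t len, size_t off, char *out, size_t outsz)
{
    size_t end = off + 16 < len ? off + 16 : len;
    int w = snprintf(out, outsz, "%08zx ", off);
    for (size_t i = off; i < off + 16; i++) {
        if (i < end) w += snprintf(out + w, outsz - w, " %02x", buf[i]);
        else         w += snprintf(out + w, outsz - w, "   ");   /* pad a short row */
    }
    w += snprintf(out + w, outsz - w, "  |");
    for (size_t i = off; i < end; i++)
        w += snprintf(out + w, outsz - w, "%c", isprint(buf[i]) ? buf[i] : '.');
    w += snprintf(out + w, outsz - w, "|");
    return w;
}

int main(void)
{
    char row[96];
    size_t d = first_diff(build_a, sizeof build_a, build_b, sizeof build_b);
    if (d == NO_DIFF) { puts("builds are byte-identical"); return 0; }
    printf("first difference at offset 0x%zx\n", d);
    hexdump_row(build_a, sizeof build_a, d & ~(size_t)15, row, sizeof row);
    printf("A: %s\n", row);
    hexdump_row(build_b, sizeof build_b, d & ~(size_t)15, row, sizeof row);
    printf("B: %s\n", row);
    return 1;
}
```

Build the tool with a toolchain independent of the one under suspicion, since a tampered compiler could equally alter the dump tool itself.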
Sophocles
Joined: 18 Nov 2006 Posts: 880 Location: Auckland
|
Posted: Mon Jan 25, 2010 12:48 pm Post subject: |
|
|
| Quote: |
This possibility was described by Ken Thompson in 1984
|
... it would have been wonderful to see the faces of those who had the bet with Ken which prompted the C-compiler fudge, when they found out how they had lost
| Quote: |
Can you be sure that the computer you're using right now doesn't have one or more back-doors that have been inserted into software to allow authorities to check up on what you're doing and take a peek at your private data?
|
Of course you can't. And with the WoT panicking governments into draconian legislation all over the world, you can't afford to ignore the possibility. With Windows, it's just a case of pick an exploit, any exploit, one click and you're in(tm). With other OSs ... who knows?
As a professional paranoid, I keep one system at home as a private box. It has an encrypted file system. It is never booted on my network when the network is connected to the Internet. I use my private information on that machine. It's not stored on the machine: it's stored on a usb memory stick, which is formatted with a Linux filesystem and also encrypted. Whatever is on any of the other machines is unimportant. |
|
zkarj
Joined: 05 Jan 2005 Posts: 952 Location: Wellington, New Zealand
|
Posted: Mon Jan 25, 2010 2:04 pm Post subject: |
|
|
There's a limit to all of this. Not to how or where back doors can be implemented, but a limit to how much you have to think about it.
I am reminded of a discussion about disaster recovery plans. Any company building a disaster recovery plan needs to decide how big a disaster they need to recover from. E.g. a Wellington-based small business probably isn't going to worry about the possibility of 'the big one' that flattens the capital. There's a limit for every company, even if they go as far as all-out nuclear conflict or an asteroid strike.
And so it is with worrying about spying. As much as the old phrase "If you've nothing to hide, you've nothing to fear" is maligned as an excuse, it is true to a point. Whilst we should stand up to governments who try to erode our rights, we're not going to stand up to outside parties who we don't know are there.
If you compromise all of my data, the worst I might suffer is embarrassment. So I'd rather live my life without the anxiety, in the hope that "she'll be right" than to incessantly worry and waste my time.
In fact, it is a matter of priorities. It is statistically likely that a number of readers here probably don't drive very well - that's more likely to ruin your life than a bunch of Chinese hackers. Pay more attention to your driving please because that affects me too! |
|
barryl
Joined: 21 Nov 2009 Posts: 254 Location: Canterbury
|
Posted: Mon Jan 25, 2010 4:09 pm Post subject: |
|
|
Well the correct answer to the brain-dead muppets who chant "If you have nothing to hide, you have nothing to fear" is always a sneer:--- "Well really, show me all your medical records and IRD statements" (suddenly they shuffle off) we have to do the best to retain our privacy.
But, I don't have enough hours in my life to even begin to learn how to examine code for a possible back-door. Who does with a 100% probability of finding them?
I assume there's one there, and so keep truly vital private data in a notebook. But then if I was truly paranoid, I'd encrypt it with a one-time pad and spend maybe $10,000 on a tough safe for storage.
Life's not worth the hassles that CAN be conjured up. There's too many REAL threats:
Cancer
Heart disease.
Drunken and otherwise idiotic drivers
Windows crashing, again.
And finally, death. |
|
Clive
Joined: 06 Apr 2006 Posts: 114
|
Posted: Mon Jan 25, 2010 4:47 pm Post subject: |
|
|
| barryl wrote: | | And finally, death. |
Death isn't a threat... it's a PROMISE! |
|
ArthurHH
Joined: 07 Jan 2005 Posts: 115 Location: Tokoroa (Cruise Missle Country)
|
Posted: Mon Jan 25, 2010 7:36 pm Post subject: |
|
|
| Plato wrote: | Of course there are back doors on everything...
The Laptop manufacturers have set default BIOS backdoor passwords for bypassing the BIOS user configured password. The list of Laptop BIOS backdoor passwords is provided below.
Snipped for brevity |
May I put you onto a cheap source of tin foil.
Speaking from personal experience the Toshiba and Dell ones you quoted haven't worked for a long time, also I might point out that you have forgotten IBM (never has had anything except a hardware hack to beat BIOS), then there are the hard drive passwords, very expensive to beat. Generally they are all beatable if you spend enough, but seldom does the cost justify itself with the need. |
|
ArthurHH
Joined: 07 Jan 2005 Posts: 115 Location: Tokoroa (Cruise Missle Country)
|
Posted: Mon Jan 25, 2010 7:38 pm Post subject: |
|
|
| Sophocles wrote: | | Quote: |
This possibility was described by Ken Thompson in 1984
|
... it would have been wonderful to see the faces of those who had the bet with Ken which prompted the C-compiler fudge, when they found out how they had lost
| Quote: |
Can you be sure that the computer you're using right now doesn't have one or more back-doors that have been inserted into software to allow authorities to check up on what you're doing and take a peek at your private data?
|
Of course you can't. And with the WoT panicking governments into draconian legislation all over the world, you can't afford to ignore the possibility. With Windows, it's just a case of pick an exploit, any exploit, one click and you're in(tm). With other OSs ... who knows?
As a professional paranoid, I keep one system at home as a private box. It has an encrypted file system. It is never booted on my network when the network is connected to the Internet. I use my private information on that machine. It's not stored on the machine: it's stored on a usb memory stick, which is formatted with a Linux filesystem and also encrypted. Whatever is on any of the other machines is unimportant. |
Damn, I definitely have to get into the Tin Foil Market, if individuals have that much need to protect their data. |
|