3

A week ago asking this question of Microsoft or such would have got me labelled as paranoid, and asking this question about Ubuntu would have seemed plain stupid, bordering on offensive.

Then we found out that there's been a "$250m-a-year US program works covertly with tech companies to insert weaknesses into products".

This is (evil) genius: if you insert secret weaknesses into software or services, e.g. SSL key generation, then your job of breaking in to steal data is made a lot easier. Indeed, this is why those agencies can now apparently decrypt a fair bit of SSL traffic on the fly.

I felt smug, thinking open source saves the day: hard to introduce code that does something daft when everyone's looking (much much easier in closed source world). Although this can still happen, e.g. Debian's massive SSH key fail of 2008.

Back then, people at Slashdot were asking who introduced the change that nobody noticed and which left the OS wide open.

It seems that with a $250m budget you've got various options to pay someone to try to sneak in vulnerabilities unnoticed, either out in the open or, as in the Debian case, more internal. This $250m has been used to bribe companies. So what of Canonical? I love Ubuntu and have always trusted it, but knowing they're (a) a company and (b) short of cash, made me think: actually they're in quite a good position to do such evil bidding. I mean sending all your local searches off to Amazon seems nothing compared to what they could do, after all, as Shuttleworth says, "We have root!"

The German Government recently spotted that they can't trust Windows 8 machines; will they move to Ubuntu? (They're rather partial to Debian anyway.)

I posed the question in a provocative manner, but I believe it's valid; I'm not seeking opinion, nor rants, but wanted to see if anyone could answer categorically No (and back that up with evidence).

artfulrobot
  • 8,543
  • 2
    This is not a discussion site. Try ubuntuforums.org or http://ubuntu-discourse.org/ and this "Does Ubuntu deliberately contaminate its binaries to help NSA?" is impossible to answer. How can anyone prove it is done "deliberately" unless they themselves say so? – Rinzwind Sep 11 '13 at 14:00
  • So the answer to my question (not interested in discussion): You cannot know; won't ever know unless such activity is exposed. Quite far reaching conclusion – artfulrobot Sep 11 '13 at 14:18
  • PS. I believe this question is covered by "Development on Ubuntu. Services provided by Ubuntu" from what topics can I ask about – artfulrobot Sep 11 '13 at 14:20
  • 4
    I think this question is important for many of us, but it is not easy to answer, because nobody knows. Therefore it will tend to a discussion, which is not welcome here. – Dee Sep 11 '13 at 14:33
  • 1
    artfulrobot: While it may be covered by that topic, this is still a VERY opinion-based discussion question as nobody here actually will know because none of us work for Canonical. I am in agreement with Dee, this question is going to create discussion, not answers. – Thomas Ward Sep 11 '13 at 14:39
  • 6
    I think this is an answerable question. Ubuntu provides the source code and it should be answerable if the binaries produced by the builders are being generated from that source. – Jorge Castro Sep 11 '13 at 14:42
  • @JorgeCastro yes, if there was a bulletproof way to check that the binaries had been created from the given source code (without every user needing to compile everything!). If open source could provide this it would be incredible. – artfulrobot Sep 11 '13 at 14:45
  • @dee yes, I realise that danger (see one of the answers below for your concerns instantiated), but I feel that it is a valid question, and one that the community should be looking to answer. – artfulrobot Sep 11 '13 at 14:47
  • 2
    Debian has a goal to do this: https://wiki.debian.org/ReproducibleBuilds A proper answer would find out if Ubuntu does this as well. – Jorge Castro Sep 11 '13 at 14:49
  • @JorgeCastro Point taken. See http://askubuntu.com/questions/344296/will-ubuntu-work-with-reproducible-builds – don.joey Sep 11 '13 at 15:20
  • @JorgeCastro well, I know I will be paranoid right now, but... is that a "layer of protection" we can trust? – Braiam Sep 11 '13 at 15:38
  • 3
    Until we have fully reproducible builds, this is obviously basically impossible to answer other than by assertion. That said, it's worth noting that the people who maintain our build toolchain are mostly outside the US, and they also tend to be the sort of contrary engineer type who'd probably rather quit than insert backdoors ... (I work for Canonical in relevant areas and nobody has ever approached me to insert backdoors, not that there's a particular reason you should believe me.) – Colin Watson Sep 13 '13 at 13:26
  • 1
    @ColinWatson UK's as bad as US, FWIW. Certainly didn't mean to offend - Can't express enough how much I'm grateful to FLOSS community+projects. This is entirely about the extreme lengths these agencies have been revealed as going to and whether there's any way forward for security. JorgeCastro's comment seems to offer some hope. – artfulrobot Sep 13 '13 at 13:51
  • 2
    I support this question, and I do not believe it is "too opinion based". Ubuntu is open source, no? An objective answer can be obtained by a full source code audit. It would not be fast or easy, but it would not be an opinion either. It is possible to answer affirmatively one way or another. – Nick Jan 08 '14 at 10:25
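
The check raised in the comments above (does a published binary match what the public source produces?), as an added example that is not part of the original thread: it parses a Debian-style `Packages` index stanza and compares the recorded `Size` and `SHA256` with a locally rebuilt `.deb`. The package name `hello-demo`, the index stanza and the file bytes are constructed sample data.

```python
import hashlib

def parse_packages_index(text):
    """Parse a Debian-style Packages index into {(package, version): fields}."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields, last = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and last:   # continuation of previous field
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                last = key.strip()
                fields[last] = value.strip()
        if "Package" in fields and "Version" in fields:
            entries[(fields["Package"], fields["Version"])] = fields
    return entries

def check_rebuild(index, package, version, rebuilt_bytes):
    """Compare a locally rebuilt .deb against the archive's published record."""
    entry = index.get((package, version))
    if entry is None:
        return "unknown"                           # nothing published to compare with
    digest = hashlib.sha256(rebuilt_bytes).hexdigest()
    same_size = len(rebuilt_bytes) == int(entry["Size"])
    if same_size and digest == entry["SHA256"].lower():
        return "reproduced"                        # bit-for-bit identical
    return "mismatch"                              # needs investigation

# Constructed sample data: stand-in bytes for the published package and the
# index stanza an archive would carry for it (hypothetical package name).
PUBLISHED_DEB = b"constructed stand-in for the archive's hello-demo .deb\n"
SAMPLE_INDEX = (
    "Package: hello-demo\n"
    "Version: 1.0-1\n"
    "Filename: pool/main/h/hello-demo/hello-demo_1.0-1_amd64.deb\n"
    f"Size: {len(PUBLISHED_DEB)}\n"
    f"SHA256: {hashlib.sha256(PUBLISHED_DEB).hexdigest()}\n"
)

if __name__ == "__main__":
    index = parse_packages_index(SAMPLE_INDEX)
    print(check_rebuild(index, "hello-demo", "1.0-1", PUBLISHED_DEB))
    print(check_rebuild(index, "hello-demo", "1.0-1", PUBLISHED_DEB + b"\x00"))
```

A "mismatch" does not by itself show tampering: unless the build is reproducible, embedded timestamps, build paths or file ordering also change the digest. The comparison is only as trustworthy as the index, so the `Packages` file should itself be verified against the archive's signed release metadata.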

1 Answer

8

Even though this is a valid question, I think it cannot be known whether these practices take place. After all, the purpose of hidden vulnerabilities that are designed into software is for them to remain hidden.

There are a few things to take into account, though:

  • It is harder to hide secret backports in open source software. They almost have to be at the level of algorithms.
  • Why would NSA try to get into Ubuntu if they can already read your email and listen in on your phone?
  • Why would Ubuntu take such a risk? After all, losing their credibility in the Linux world would incite people to use other Linux systems.

Quite frankly, Ubuntu is dependent on a lot of different software. To be honest, I do not think deliberate contaminations fit the Ubuntu spirit. That being said, who knows...

don.joey
  • 28,662
  • 2
    Your bullets: (1) yes, harder, I agree. (2) getting access to all Ubuntu machines would be quite handy, especially if ppl turn to Ubuntu to flee insecurities of Windows/Apple. (3) They might not have a choice. But your final remark misses the point: Ubuntu is based on a lot of different software, yes, but it's one central company that compiles and publishes the binaries. So that's the single point of weakness. It's not about spirit of kindly floss ppl, it's about what big companies are forced to do. – artfulrobot Sep 12 '13 at 08:06