<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:foaf="http://xmlns.com/foaf/0.1/" xmlns:og="http://ogp.me/ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" xmlns:schema="http://schema.org/" xmlns:sioc="http://rdfs.org/sioc/ns#" xmlns:sioct="http://rdfs.org/sioc/types#" xmlns:skos="http://www.w3.org/2004/02/skos/core#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#" version="2.0" xml:base="https://www.linuxjournal.com/tag/reproduciblebuilds">
  <channel>
    <title>ReproducibleBuilds</title>
    <link>https://www.linuxjournal.com/tag/reproduciblebuilds</link>
    <description/>
    <language>en</language>
    
    <item>
  <title>Debian Project Aims to Keep the CIA Off Our Computers</title>
  <link>https://www.linuxjournal.com/content/debian-project-aims-keep-cia-our-computers</link>
  <description>  &lt;div data-history-node-id="1338824" class="layout layout--onecol"&gt;
    &lt;div class="layout__region layout__region--content"&gt;
      
            &lt;div class="field field--name-field-node-image field--type-image field--label-hidden field--item"&gt;  &lt;img src="https://www.linuxjournal.com/sites/default/files/nodeimage/story/cia.png" width="400" height="400" alt="Debian Project Aims to Keep the CIA Off Our Computers" title="Debian Project Aims to Keep the CIA Off Our Computers" typeof="foaf:Image" class="img-responsive" /&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-node-author field--type-ds field--label-hidden field--item"&gt;by &lt;a title="View user profile." href="https://www.linuxjournal.com/users/james-darvell" lang="" about="https://www.linuxjournal.com/users/james-darvell" typeof="schema:Person" property="schema:name" datatype="" xml:lang=""&gt;James Darvell&lt;/a&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"&gt;Lunar, one of the lead developers on the Debian ReproducibleBuilds project, has recently outlined a serious security hole that could impact all open-source software, including most Linux distributions. It potentially exposes users to unwanted scrutiny from third parties, including security agencies. His project is designed to close this hole.
&lt;p&gt;
&lt;/p&gt;
One of the big advantages of open-source software is that third parties can inspect the code to ensure it does what it's supposed to. If any malicious code is present, it can be detected and eliminated. But when software is distributed as a binary executable, the user has no direct way to confirm that the binary was produced from the source that was inspected: there is a risk that malicious code not present in the original source has been added along the way.
&lt;p&gt;
&lt;/p&gt;
This doesn't necessarily mean that the developer intended to distribute corrupted code. If the developer's build environment is compromised, the compiler itself can insert the malware as the source code is turned into an executable; this is the attack Ken Thompson described in "Reflections on Trusting Trust" in 1984, and nothing in the source code gives it away.
&lt;p&gt;
&lt;/p&gt;
This may sound a little far-fetched, but it is a real security concern. Documents from the Snowden leak reveal that the CIA has been sponsoring research into exploiting exactly these weaknesses as a way to plant snooping software on consumer devices all over the world.
&lt;p&gt;
&lt;/p&gt;
At a conference organized by the CIA, a team of researchers presented a proof of concept. They had bypassed Apple's digital-certificate checks to produce a corrupted version of Xcode, Apple's proprietary development toolchain, which independent developers use to build OS X and iOS apps. The corrupted version embeds spyware into every application compiled with it, without the developer's knowledge.
&lt;p&gt;
&lt;/p&gt;
These apps could find their way into the app stores, and potentially onto millions of consumer devices. This would allow security agencies to snoop on the conversations and private messages of millions of innocent users all over the world.
&lt;p&gt;
&lt;/p&gt;
If Apple is a hot target, then Linux is an even more tempting one. Security-conscious users who understand the risk of commercial platforms often choose Linux for its tighter security, and they include exactly the people the security agencies are most interested in spying on.
&lt;p&gt;
&lt;/p&gt;
Anti-virus software detects fragments of known malware, which is only possible after samples of that malware have been discovered and analyzed. It offers no protection against new or previously undetected infections, and a backdoor inserted at build time is by design unknown to anyone but its author. In short, anti-virus software is not enough to protect against this type of attack.
&lt;p&gt;
&lt;/p&gt;
The only way to be sure that a binary executable contains nothing beyond what is in its source code is to rebuild that source independently and compare the result with the binary under test, byte for byte. If the freshly compiled file does not match, the distributed binary may contain added code, possibly malware; at the very least the difference has to be explained.
&lt;p&gt;
&lt;/p&gt;
While this is a basically sound idea, there is a major fly in the ointment. Most Linux packages are not built in a way that yields an identical binary every time: build timestamps, absolute build paths, the order in which the filesystem lists files, the builder's locale and the exact compiler version all leak into the output, so a rebuild of the majority of packages differs from the shipped binary even when nothing malicious has happened.
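The rebuild-and-compare check and the fly in the ointment, as an added example that is not code from the article or from the Debian project. It packages a constructed source tree twice, as two independent builders would (a different wall-clock time and a different directory listing order), and hashes both results. The naive build leaks the clock and the listing order into the archive, so the hashes differ although every file inside is identical; the normalised build clamps timestamps to a fixed SOURCE_DATE_EPOCH (a real convention from reproducible-builds.org, though the value chosen here is arbitrary), sorts entries and zeroes ownership, so the two builds match byte for byte. The source tree, the build steps and the builder's uid are all constructed for illustration.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree (path, contents); a stand-in for a real package.
SOURCE_TREE = [
    ("src/main.c", b"int main(void) { return 0; }\n"),
    ("Makefile", b"all:\n\tcc -o main src/main.c\n"),
    ("README", b"hello\n"),
]

# Fixed timestamp in the style of SOURCE_DATE_EPOCH: derived from the source,
# never from the clock. The value here is arbitrary (the article's publication
# date) and chosen only for the example.
SOURCE_DATE_EPOCH = 1442333633


def build_archive(entries, build_time, normalised):
    """Package ENTRIES into a .tar.gz, standing in for a package build.

    build_time -- wall-clock time of this build run, injected so the example
                  is deterministic (a real build reads the clock).
    normalised -- False: write build_time into the gzip and tar headers, keep
                  the entries in the order given and record the builder's uid.
                  True: clamp every timestamp to SOURCE_DATE_EPOCH, sort the
                  entries by path and zero uid/gid/uname/gname.
    """
    ts = SOURCE_DATE_EPOCH if normalised else build_time
    ordered = sorted(entries) if normalised else list(entries)
    buf = io.BytesIO()
    # gzip stores an mtime in its own header, so it has to be pinned as well.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=ts) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path, data in ordered:
                info = tarfile.TarInfo(path)
                info.size = len(data)
                info.mtime = ts
                if normalised:
                    info.uid = info.gid = 0
                    info.uname = info.gname = ""
                else:
                    info.uid = info.gid = 1000          # constructed builder account
                    info.uname = info.gname = "builder"
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archive_contents(blob):
    """Return {path: contents} of a .tar.gz, i.e. what the user actually gets."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers()}


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def rebuild_and_compare(entries, normalised):
    """Build twice as two independent parties would: a day apart, with the
    directory listed in a different order (readdir() order is filesystem
    dependent). Returns (first_hash, second_hash, identical)."""
    first = build_archive(entries, SOURCE_DATE_EPOCH + 60, normalised)
    second = build_archive(list(reversed(entries)), SOURCE_DATE_EPOCH + 86400, normalised)
    return sha256(first), sha256(second), first == second


if __name__ == "__main__":
    for mode in (False, True):
        h1, h2, same = rebuild_and_compare(SOURCE_TREE, normalised=mode)
        label = "normalised" if mode else "naive"
        print(f"{label:10s} build 1 {h1[:16]}  build 2 {h2[:16]}  identical={same}")
```

Running it prints two differing digests for the naive build and one repeated digest for the normalised build. The naive case is exactly the situation the paragraph describes: a mismatch that is not evidence of tampering, only of an unreproducible build. In a real package a mismatch still has to be explained rather than dismissed, which is what the Debian project's diffoscope tool is for; the fix on the build side is the one shown here, removing every input that is not the source itself.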
&lt;p&gt;
&lt;/p&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-node-link field--type-ds field--label-hidden field--item"&gt;  &lt;a href="https://www.linuxjournal.com/content/debian-project-aims-keep-cia-our-computers" hreflang="und"&gt;Go to Full Article&lt;/a&gt;
&lt;/div&gt;
      
    &lt;/div&gt;
  &lt;/div&gt;

</description>
  <pubDate>Tue, 15 Sep 2015 16:13:53 +0000</pubDate>
    <dc:creator>James Darvell</dc:creator>
    <guid isPermaLink="false">1338824 at https://www.linuxjournal.com</guid>
    </item>

  </channel>
</rss>
