al Qaeda Hacks XP? 736
acaird writes "According to this article at Newbytes, members of al Qaeda may have worked for Microsoft and planted "trojans, trapdoors, and bugs in Windows XP"."
This stuff screams of hoax to me, but it is showing up on the Washington
Post.
Re:score -1, redundant (Score:3, Informative)
It would be different if they were reporting that there were *in fact* security bugs in XP planted by terrorists, based on the claims of one guy.
Re:not as easy as you might think (Score:2, Informative)
Re:not as easy as you might think (Score:1, Informative)
Re:WARNING: THIS IS ADVICE TO TERRORISTS (Score:3, Informative)
ObSoln:
Fill 7
(Fill 3 from 7:Discard 3) twice
Decant remaining 1 from 7 to 3.
Fill 7. Top up 3 from 7, leaving 5 in 7.
Re:not as easy as you might think - VERY EASY (Score:3, Informative)
The standard practices at Microsoft do not include a lot of code review (even for a co-op). You could easily sneak stuff in there.
That being said, I'll wait until I see proof before I believe this one.
I have nothing to worry about, however. My standard practice is to never install a Microsoft OS until it has been "in the field" for -at least- a year
Re:not as easy as you might think (Score:4, Informative)
Where is this wonderful place you work?
I've worked for, lessee, eight companies over the years, ranging from the tiny to mammoth international corporations. Only two had code reviews.
At one, a well known company in the computer security field, code for a secure operating system base was reviewed by trust engineers - who were knowledgeable about the theory of security but who were not so knowledgeable about the programming language being use. We'd get questions like "what does char somecstring[16]; somecstring[0] = char(0); mean"?
At the other, a well-known aerospace contractor, reviews of code for a NASA project focused on making sure that your code met the formatting standards required - no one asked me anything at all about the semantics of my code.
Re:not as easy as you might think (Score:4, Informative)
Whatever. Excel used to have a flight simulator embedded in it, for crying out loud! IIS had a back door password of "Netscape Engineers are Weenies" spelled backwords.
Not to mention the fact that it seems like Windows has an exploit approximately every 3.5 seconds, and that's without access to the source. A terrorist at Microsoft wouldn't even have to try and embed backdoors into the software. They could just keep track of the exploitable buffer overflows and pass them on to their buddies instead of raising attention to them at Microsoft. Microsoft's entire defense stems around the fact that the "bad guys" don't have access to the code and must therefore guess where the problems are (and even still they have more than their share of problems). Someone on the inside (with access to the source) could easily subvert this process.
non-humorous post (Score:2, Informative)
Al-Qaeda does have a motive to introduce bugs into Windows XP, which will be deployed widely around the world, especially in the US. Al-Qaeda's leadership has stated that their goal is the destruction of America. To the extent that the American economy relies on Microsoft products, this alleged subversion would give Al-Qaeda information, the ability to disrupt systems over remote connections, and, when revealed as true, the ability to make the world's population panic and distrust their current set of leaders.
Al-Qaeda is known to have hatched many crazy schemes, including one involving a helium balloon that would have distributed anthrax in Washington, DC. This alleged subversion of Windows XP is crazy, but it fits with Al-Qaeda's modus operandi.
Al-Qaeda has different kinds of people on their payroll. It is conceivable that they hired experienced computer programmers who came under the cultish influence of Bin Laden.
Microsoft's software development proceeds not just in the US, but in other countries, too. This geographic diversity would make it easier for an Al-Qaeda operative to be hired by Microsoft.
Even if Al-Qaeda could not get its operative hired by Microsoft, it could have slipped the code into XP through a variety of means. Some people have mentioned third-party modules.
Another obvious choice would be to breach physical security at a Microsoft building, and insert the trojan or backdoor when no one else was around.
They could have cracked into Microsoft's core developer sites. This could have been accomplished via cracking techniques, social engineering, or breach of physical security combined with placement of of hardware or software that allowed the access. Any of these options would have allowed them to place the trojan horse or backdoor password.
As for Microsoft's code review process, there is little detailed public knowledge on how thorough it is. It does miss many security related bugs. No one individual can possibly look at all the XP code. Thus, the crucial part of the system is accountability, ensuring that trusted reviewers look at all the XP code. Has this been done?
Nevertheless, the story seems too unlikely. If Al-Qaeda carried out this alleged subversion successfully, why haven't we seen more ill effects from it yet? You'd think they would have already attempted to hack into sites and cause havoc and mayhem. That hasn't happened yet.
Nevertheless, I would hope that the security people at Microsoft are doing some double checking of the XP code.
Re:Two counterpoints take two (Score:3, Informative)
There is no way that you could try to put a terrorist-sized hole in XP without a lot of people noticing.
-For the months before the OS ships every line of code that is modified is examined on several levels; every bug that is found could potentially be investigated by any of dozens of people in any part of the organization...
-There's nearly a 1/1 ratio of Test/Dev in the critical parts of the system; to do this you would have to get the developer(s) and the tester(s) responsible for that chunk of code/functionality.
-Automated tools run by seperate groups review changes and record owners; try to sabotage something once & you won't get a second chance.
-Automated tools run by testers review code that's not exercised by test-passes, reporting on changes so that the hole can be filled.
This simply did not happen and it's embarrassing that this pseudo-technical forum is giving the report even a little credit. I would expect better from even the bitter/angry/biased-microsoft-haters that make up the such a vocal percentage of the slashdot crowd.
Remember the Y2K bug fixing frenzy? (Score:3, Informative)
Given the long-term planning that Al Queda is known for, and their penchant for using the tools of the West against the West, I would be unsurprised if they planted people into companies doing Y2K patchwork for major financial institutions or other mission-critical systems. Most of that code was NOT code reviewed due to time constraints, and the work was done overseas by the lowest bidders. This is a recipe for disaster and was predicted as such years ago. Now that we know exactly how crazy these motherfuckers are, the warnings seem a lot more important.
Just my paranoid guess.
-jon
Re:"Coup de gras"...? (Score:2, Informative)