al Qaeda Hacks XP?
acaird writes "According to this article at Newbytes, members of al Qaeda may have worked for Microsoft and planted "trojans, trapdoors, and bugs in Windows XP"."
This stuff screams of hoax to me, but it is showing up on the Washington Post.
Re:Doesn't seem likely (Score:2, Insightful)
Re:Those bastards hacked the linux kernel too! (Score:1, Insightful)
find
Re:XP? Wouldn't Linux be just as easy? (Score:3, Insightful)
Now, third-party patches such as those at linuxhq.com are not scrutinized by the kernel team, and these patches might possibly contain nasty code (as well as simply poor code). But if you're downloading third-party patches and applying them without reading them, you're an idiot. Can't read C, or don't understand kernel internals? Then don't apply third-party patches.
It would be far easier, as you suggest, to insert backdoors and other nasties into userspace open source programs. When was the last time you downloaded a source tarball and actually read all the code before building and installing it? The most evil of all would be a trojan in gcc -- all programs compiled with the trojaned compiler would themselves be trojans. After a while all source remnants of the trojan would be wiped away, but the trojan code would still be lurking in all our binaries. Horrible thought.
Like you say, be careful. Just because you're running Linux, or you use open source, doesn't make you immune to viruses, backdoors, trojans, or anything else.
Re:Spelling!!!!!!!!!! (Score:2, Insightful)
"There is no groaning in my store"
When I read comments like this, I think of the lovable Comic Book Guy, so anal about everything. Get over the misspellings, no one is perfect, not CNN, not the BBC and not Slashdot. Besides, what is the word, "You's?" Does the think belong to You, or maybe it should read, "You is think... Ohhh, look, I can be anal and picky as well!
For once, I'm sympathising with MS (Score:4, Insightful)
Look at the effect they've already had on the global airline and tourist industries, based on a net increase in danger that's insignificant compared to road deaths. Score one for the terrorists.
And here come the ill considered security measures and infringements of civil liberties. We defend Freedom by taking it away. Score two.
Then it was time to target the government, postal service and law enforcement with a few packets of a not particularly lethal virus (sympathies to the victims though). Again, the big impact is from the FUD, as law enforcement chase hoaxes and benign packages all over the country. Score three.
Now it's software. "All your code base belong to us!" they rant. Expect the hoaxers to jump on this and a new rash of bin Laden themed virii and worms to appear. It's pure FUD, but the problem is reassuring easily frightened and confused non-techies that it isn't true. How do you disprove the existence of allegedly hidden code?
And so for once I'm actually going to get on the bandwagon with Microsoft and give this zero credibility. This pathetic piece of bluster should not be allowed to put anyone off using XP. There's plenty of real reasons for not using it, but this isn't one of them.
Re:not as easy as you might think (Score:3, Insightful)
While I'd admit that QA in professional software is lacking, there are definitely source code reviews in an OS product group. Every line of code is looked at, even if only briefly. The risk of the exploit being detected and erased before a release is too great for the Microsoft interview process (grueling, trust me) to be worthwhile. Especially if the coder is a new employee. It is highly unlikely that a new programmer even wrote a single line of compiled OS code. Most of the time, they are writing tools or test scripts for years before they get to write OS code. Insinuating that someone's entire career was a setup in order to get caught planting some bugs in Windows is a lot more ridiculous than claiming this is a hoax.
gotta be a hoax. (Score:2, Insightful)
If a terrorist organization did succeed in infiltrating MS and backdooring their OS, why would they say anything? It's much more useful to them to keep it quiet. On the other hand, if they didn't succeed in doing it, saying they have is the next best thing. Remember, terrorism thrives on scare tactics, and convincing your enemy to chase ghosts.
The mere fact someone is taking credit for it before anyone else found out about it means it probably didn't actually happen.
RA7
---
Re:not as easy as you might think (Score:5, Insightful)
You see, I work for a not so big software company right now, but I used to.
It's not that hard to sneak some malicious code into the final product. Quality Assurance is usually made only by using the software, not by analysing the code. And even if they do analyse the code, it's quite trivial to introduce some obscure buffer overflow.
Also, we are forced to remember about that hacking of Microsoft's internal network some time ago, which they "claimed" gave the hackers no access to the code base.
I hate bin Laden as much as the next guy, and think he should die. But, even being a fanatic, the guy is intelligent. And has resources, both personnel and money. I think it's very likely he would attempt something like this. I know, in his shoes, I would.
Two counterpoints (Score:5, Insightful)
Secondly, while I agree that it's unlikely that a terrorist would approach a 13-year old kid and say, "Hey, you should start excelling in Math and then attend college to get a CS degree so that 10 years from now you can go work at Microsoft for 4 years or so (enough to gain the confidence of your managers) and then start putting back doors and bugs in their OS," it's far more plausible that a terrorist would approach an already working programmer who's naive and idealistic -- and perhaps *already* working at and trusted by managers at Microsoft -- and say, "Hey, here's how you can really help your faith..."
Re:not as easy as you might think (Score:2, Insightful)
Re:Where the hell is Microsoft's PR agency? (Score:5, Insightful)
What, you mean Microsoft Product Activation and Passport subscriptions?
GTRacer
- How much for WinXP Corporate?
Re:Not as easy as you might think (Score:3, Insightful)
Ok, but when you pick the suspected Al Qaeda member up, and he says "I'm an Al Qaeda member, and I'd like to enter a formal confession in court, so I can blather on about the evils of western 'civilization' before proudly marching off to die a martyr in your jails", you can excuse journalists for thinking he might really mean it.
Doesn't work this way (Score:4, Insightful)
In the article they mention the following: "authorities find some of his claims inconsistent and "too theatrical to believe.""
This guy is probably not even a member of Al Qaeda, he's just a crazy guy who's probably too dumb to even be a terrorist.
There's a dead giveaway in the article itself... (Score:3, Insightful)
Parliament perhaps, but not Tower Bridge. If they were interested in tourist attractions in the US, they would have put a plane into the Statue of Liberty. It doesn't fit their pattern. Tower Bridge isn't even that big a deal as a symbol of the City. The Tower itself, or St Paul's, or Buck House, would be more likely.
Canary Wharf, I could believe.
Re:*sigh* (Score:2, Insightful)
Re:not as easy as you might think (Score:3, Insightful)
I used to work for Microsoft as a dev. (Visual Studio) Although coding practices vary from group to group, many (including our team) have mandatory code reviews before submitting, including ours.
No one would personally verify that the peer reviewed version is exactly what's under source control, but come on. Groups are tight knit. You're always going through each other's code on a daily basis. You plant a Trojan, you're going to get caught.
Let's face it. Al Qaeda has enough problems smuggling weapons onto airplanes. Try smuggling a programmer through a Microsoft interview process. M$ job interviews are notoriously tough. You would get more bang for the buck building a bomb and giving the federal reserve a good shaking. (No pun intended)
Re:not as easy as you might think (Score:5, Insightful)
That's assuming that the terrorists would actually have to plant backdoors. It would be far less dangerous, and far easier, to simply look for buffer overflows and then not report them to management. What good is a peer review if your "peer" is actually looking for exploitable code for their own ends? A remotely exploitable buffer overflow is every bit as good as a backdoor, and if they were in QA they wouldn't even have to write it themselves, they would simply have to let it slide through.
Now, I am not saying that the Al Qaeda has penetrated Microsoft, but I can't imagine that someone working at Microsoft hasn't been tempted to simply overlook a buffer overflow. Especially now that Windows is being used to run some very tempting targets.
Re:Cave Dwellers Hack XP? (Score:1, Insightful)
Re:Two counterpoints (Score:3, Insightful)
And it's even more plausible that somebody just made this crap up, and the Washington Post bit on it like a hungry trout....
"I saw it on the Internet, it must be true. Right, dad?"
"Not necessarily, son, but I saw it printed on pieces of a dead tree, so that makes it true for sure!"
Re:XP? Wouldn't Linux be just as easy? (Score:2, Insightful)
Probably not into the kernel itself, as changes there are carefully thought-out. Think of the kernel as the crown jewels. But then again you wouldn't need to get it into the kernel.
As you move a proposed exploit away from the kernel and into more remote areas, you both increase your chances of being able to slip an exploit past the code owners, and reduce the number of people likely to deploy it. Reducing this to absurdum, you could create a full root exploit and "get it past the code owners" with 100% probability by starting your own project. But then again, you'd likely only wind up exploiting your own machine.
Heck, if you managed to get an exploit into a certain incremental release of the kernel (2.3.14, for example) you'd still only get a fraction of the Linux users (not everyone downloads and applies each new kernel release) and once the exploit was discovered and publicized, it would likely be patched out of existence much quicker than its Windows counterpart.
Then there's the whole "many eyes" problem. In a closed source situation, you can assess exactly who the code reviewer will be, what their weaknesses (and concerns) are likely to be, and hide in those shadows (or avoid sensitive areas.) You also have the benefit of knowing the exact compiler which will be used, what the compile environment and options will be, what test cases will be run, etc.
In an open source setting, any proposed patch is likely to generate a hundred complaints about what it breaks (or slows down) from a hundred different people you never even knew were using that code compiling it on a hundred different compilers (some of which were written by their users) and porting it to a hundred (well, maybe ten) different hardware platforms. And that's even if you aren't trying to slip in a trojan. And fully half of those people will know more about that particular software than you do.
*barf* (Score:3, Insightful)
Let's just whine about it instead of moving on. Way to fill the page up with trash.
Hypocrisy, see above.
Re:not as easy as you might think (Score:3, Insightful)
Ok, whatever. It still goes to show how effective Microsoft's "code reviews" are. If it takes them years to find something that was meant to be a joke, then how long is it going to take them to find something that was meant to be a hard to spot backdoor written by a talented coder (there is no questioning the fact that Microsoft programmers are talented folks)?
The fact of the matter is that bugs are hard to find in almost any setting. The fact that so few people have access to Microsoft source code simply makes it that much harder to find errors. Microsoft can pretend that they have processes in place to catch these sorts of errors, but when all it takes is the knowledge of one previously unknown buffer exploit it is hard to feel very safe.
Microsoft's entire security policy is based on the fact that the bad guys don't have access to their source code. This assumes, of course, that there isn't anyone inside of Microsoft that is willing to sell (or exploit themselves) security information.
Re:Two counterpoints take two (Score:3, Insightful)
I still don't really believe the story, but I think you are dismissing it too lightly.
Malice? (Score:3, Insightful)
Never attribute to malice that which can be adequately explained by stupidity.