Microsoft

al Qaeda Hacks XP?

acaird writes "According to this article at Newbytes, members of al Qaeda may have worked for Microsoft and planted "trojans, trapdoors, and bugs in Windows XP"." This stuff screams of hoax to me, but it is showing up on the Washington Post.
  • by Warvi ( 544623 ) on Tuesday December 18, 2001 @12:26PM (#2720122) Homepage
    Al Qaeda is not just terrorists in Afghanistan. They are all around the world. They have well educated, smart people well capable of getting jobs at Microsoft.
  • by eggfellow ( 415474 ) on Tuesday December 18, 2001 @12:34PM (#2720201) Homepage
    Aw man when did grep get fixed up like this? I've still been typing:

    find /usr/src/linux -type f -exec grep -i "a.*l.*q.*a.*e.*d.*a" {} /dev/null \;
  • by pclminion ( 145572 ) on Tuesday December 18, 2001 @12:35PM (#2720214)
    I really doubt something like that could make its way into the kernel. Kernel changes are always submitted as patches, and are always reviewed. Imagine if someone submitted a two-liner backdoor (very improbable). It would be caught immediately. Now, imagine that someone submitted a five hundred line patch with a backdoor (more likely). It will be just as carefully scrutinized, by virtue of the fact that it is a large patch. In either case, the evil code will never make its way into the kernel.

    Now, third-party patches such as those at linuxhq.com are not scrutinized by the kernel team, and these patches might possibly contain nasty code (as well as simply poor code). But if you're downloading third-party patches and applying them without reading them, you're an idiot. Can't read C, or don't understand kernel internals? Then don't apply third-party patches.

    It would be far easier, as you suggest, to insert backdoors and other nasties into userspace open source programs. When was the last time you downloaded a source tarball and actually read all the code before building and installing it? The most evil of all would be a trojan in gcc -- all programs compiled with the trojaned compiler would themselves be trojans. After a while all source remnants of the trojan would be wiped away, but the trojan code would still be lurking in all our binaries. Horrible thought.

    Like you say, be careful. Just because you're running Linux, or you use open source, doesn't make you immune to viruses, backdoors, trojans, or anything else.

  • by bahtama ( 252146 ) on Tuesday December 18, 2001 @12:38PM (#2720241) Homepage
    As a wise man from the Simpsons would say:

    "There is no groaning in my store"

    When I read comments like this, I think of the lovable Comic Book Guy, so anal about everything. Get over the misspellings, no one is perfect, not CNN, not the BBC and not Slashdot. Besides, what is the word, "You's?" Does the think belong to You, or maybe it should read, "You is think... Ohhh, look, I can be anal and picky as well!

  • by Rogerborg ( 306625 ) on Tuesday December 18, 2001 @12:41PM (#2720268) Homepage
    • A suspected member of the Al Qaeda terrorist network claimed that Islamic militants infiltrated Microsoft and sabotaged the company's Windows XP operating system, according to a source close to Indian police.

    Look at the effect they've already had on the global airline and tourist industries, based on a net increase in danger that's insignificant compared to road deaths. Score one for the terrorists.

    And here come the ill considered security measures and infringements of civil liberties. We defend Freedom by taking it away. Score two.

    Then it was time to target the government, postal service and law enforcement with a few packets of a not particularly lethal virus (sympathies to the victims though). Again, the big impact is from the FUD, as law enforcement chase hoaxes and benign packages all over the country. Score three.

    Now it's software. "All your code base belong to us!" they rant. Expect the hoaxers to jump on this and a new rash of bin Laden themed virii and worms to appear. It's pure FUD, but the problem is reassuring easily frightened and confused non-techies that it isn't true. How do you disprove the existence of allegedly hidden code?

    And so for once I'm actually going to get on the bandwagon with Microsoft and give this zero credibility. This pathetic piece of bluster should not be allowed to put anyone off using XP. There's plenty of real reasons for not using it, but this isn't one of them.

  • by Computer! ( 412422 ) on Tuesday December 18, 2001 @12:42PM (#2720282) Homepage Journal
    That's a fucking joke.

    While I'd admit that QA in professional software is lacking, there are definitely source code reviews in an OS product group. Every line of code is looked at, even if only briefly. The risk of the exploit being detected and erased before a release is too great for the Microsoft interview process (grueling, trust me) to be worthwhile. Especially if the coder is a new employee. It is highly unlikely that a new programmer even wrote a single line of compiled OS code. Most of the time, they are writing tools or test scripts for years before they get to write OS code. Insinuating that someone's entire career was a setup in order to get caught planting some bugs in Windows is a lot more ridiculous than claiming this is a hoax.
  • gotta be a hoax. (Score:2, Insightful)

    by RogueAngel7 ( 250551 ) <RogueAngelSeven@gmai l . c om> on Tuesday December 18, 2001 @12:51PM (#2720348)
    I'm as anti-Microsoft as the next guy (well, probably more anti-MS than most actually), but this has to be a hoax.

    If a terrorist organization did succeed in infiltrating MS and backdooring their OS, why would they say anything? It's much more useful to them to keep it quiet. On the other hand, if they didn't succeed in doing it, saying they have is the next best thing. Remember terrorism thrives on scare tactics, and convincing your enemy to chase ghosts.

    The mere fact someone is taking credit for it before anyone else found out about it means it probably didn't actually happen.

    RA7
    ---
  • by morcego ( 260031 ) on Tuesday December 18, 2001 @01:02PM (#2720426)
    I'm not sure.
    You see, I work for a not so big software company right now, but I used to.
    It's not that hard to sneak some malicious code into the final product. Quality Assurance is usually made only by using the software, not by analysing the code. And even if they do analyse the code, it's quite trivial to introduce some obscure buffer overflow.
    Also, we are forced to remember about that hacking of Microsoft internal network some time ago, which they "claimed" gave the hackers no access to the code base.
    I hate bin Laden as much as the next guy, and think he should die. But, even being a fanatic, the guy is intelligent. And has resources, both personnel and money. I think it's very likely he would attempt something like this. I know, in his shoes, I would.
  • Two counterpoints (Score:5, Insightful)

    by Mr. Fred Smoothie ( 302446 ) on Tuesday December 18, 2001 @01:08PM (#2720458)
    In a million-plus line codebase for a product under deadline pressure, while official policy might be that "every line is checked", in reality this is highly unlikely to happen. The coders and their managers may assure the suits, "Yeah, we reviewed every line of code," but they'd be lying. It just doesn't happen. It's one of those things that everyone knows is *supposed* to happen and most people know doesn't *really* happen.

    Secondly, while I agree that it's unlikely that a terrorist would approach a 13-year old kid and say, "Hey, you should start excelling in Math and then attend college to get a CS degree so that 10 years from now you can go work at Microsoft for 4 years or so (enough to gain the confidence of your managers) and then start putting back doors and bugs in their OS," it's far more plausible that a terrorist would approach an already working programmer who's naive and idealistic -- and perhaps *already* working at and trusted by managers at Microsoft -- and say, "Hey, here's how you can really help your faith..."

  • by L-Wave ( 515413 ) on Tuesday December 18, 2001 @01:13PM (#2720493)
    It's quite possible the code reviewers know the easter egg is THERE, usually code reviews are done by co-programmers, not management.
  • by GTRacer ( 234395 ) <gtracer308&yahoo,com> on Tuesday December 18, 2001 @01:14PM (#2720503) Homepage Journal
    That may be the Al-Qaeda plan to destroy America. make sure all MS products stop working after a certain date...

    What, you mean Microsoft Product Activation and Passport subscriptions?

    GTRacer
    - How much for WinXP Corporate?

  • by Syberghost ( 10557 ) <syberghost@@@syberghost...com> on Tuesday December 18, 2001 @01:15PM (#2720506)
    In the first place, I notice that man is a "suspected" Al Qaeda member. From what I've been seeing lately, anyone who has the wrong kind of accent or a copy of the Koran is a suspected Al Qaeda Member.

    Ok, but when you pick the suspected Al Qaeda member up, and he says "I'm an Al Qaeda member, and I'd like to enter a formal confession in court, so I can blather on about the evils of western 'civilization' before proudly marching off to die a martyr in your jails", you can excuse journalists for thinking he might really mean it.
  • by WildBeast ( 189336 ) on Tuesday December 18, 2001 @01:17PM (#2720515) Journal
    Al Qaeda members aren't supposed to know what the other members are doing. Their own mission is revealed to them at the last moment.

    In the article they mention the following : "authorities find some of his claims inconsistent and "too theatrical to believe.""

    This guy is probably not even a member of Al Qaeda, he's just a crazy guy who's probably too dumb to even be a terrorist.
  • by biglig2 ( 89374 ) on Tuesday December 18, 2001 @01:22PM (#2720557) Homepage Journal
    ... where this looney says they planned to attack the Houses of Parliament and Tower Bridge.

    Parliament perhaps, but not Tower Bridge. If they were interested in tourist attractions in the US, they would have put a plane into the Statue of Liberty. It doesn't fit their pattern. Tower Bridge isn't even that big a deal as a symbol of the City. The Tower itself, or St Paul's, or Buck House, would be more likely.

    Canary Wharf, I could believe.
  • Re:*sigh* (Score:2, Insightful)

    by TheAwfulTruth ( 325623 ) on Tuesday December 18, 2001 @01:27PM (#2720608) Homepage
    Actually it's a screaming "NO" on both accounts. It is not "news" any more than anything in the Inquirer is "News". And does such an obvious hoax qualify as something that matters? It's pure yellow journalism at its best. Sensationalist crap, and /. eats it up like candy. The emotional age of this site goes down month by month...
  • by Francis ( 5885 ) on Tuesday December 18, 2001 @01:27PM (#2720613) Homepage
    Yeah, right. All code gets peer reviewed, and it's also verified that the version that's peer reviewed is exactly what's under source control, and QA reads code? That's a fucking joke.

    I used to work for Microsoft as a dev. (Visual Studio) Although coding practices vary from group to group, many (including our team) have mandatory code reviews before submitting, including ours.

    No one would personally verify that the peer reviewed version is exactly what's under source control, but come on. Groups are tight knit. You're always going through each other's code on a daily basis. You plant a Trojan, you're going to get caught.

    Let's face it. Al Qaeda has enough problems smuggling weapons onto airplanes. Try smuggling a programmer through a Microsoft interview process. M$ job interviews are notoriously tough. You would get more bang for the buck building a bomb and giving the federal reserve a good shaking. (No pun intended)
  • by Jason Earl ( 1894 ) on Tuesday December 18, 2001 @01:53PM (#2720874) Homepage Journal

    That's assuming that the terrorists would actually have to plant backdoors. It would be far less dangerous, and far easier, to simply look for buffer overflows and then not report them to management. What good is a peer review if your "peer" is actually looking for exploitable code for their own ends? A remotely exploitable buffer overflow is every bit as good as a backdoor, and if they were in QA they wouldn't even have to write it themselves, they would simply have to let it slide through.

    Now, I am not saying that the Al Qaeda has penetrated Microsoft, but I can't imagine that someone working at Microsoft hasn't been tempted to simply overlook a buffer overflow. Especially now that Windows is being used to run some very tempting targets.

  • by Anonymous Coward on Tuesday December 18, 2001 @01:59PM (#2720927)
    Surely you're not referring to "cave men" like Mohammed Atta (terrorist who piloted Flight 11 into the first tower) because he was a model student at Hamburg's Technical University, was fluent in several languages, and who also was trained at one of the USA's most prestigious flight schools.
  • by Geckoman ( 44653 ) on Tuesday December 18, 2001 @02:08PM (#2721005)
    And it's even more plausible that they would approach a disaffected, unhappy person regardless of faith -- who'd been working there for several years, feeling unappreciated the whole time -- and say, "Hey, here's a few ten thousand dollars tax free...we'll pay you and you get to screw your company!"

    And it's even more plausible that somebody just made this crap up, and the Washington Post bit on it like a hungry trout....

    "I saw it on the Internet, it must be true. Right, dad?"
    "Not necessarily, son, but I saw it printed on pieces of a dead tree, so that makes it true for sure!"

  • by lynx_user_abroad ( 323975 ) on Tuesday December 18, 2001 @02:24PM (#2721124) Homepage Journal
    wouldn't it be just as easy to plant "trojans, trapdoors, and bugs" in Linux?"

    Probably not into the kernel itself, as changes there are carefully thought-out. Think of the kernel as the crown jewels. But then again you wouldn't need to get it into the kernel.

    As you move a proposed exploit away from the kernel and into more remote areas, you both increase your chances of being able to slip an exploit past the code owners, and reduce the number of people likely to deploy it. Reducing this ad absurdum, you could create a full root exploit and "get it past the code owners" with 100% probability by starting your own project. But then again, you'd likely only wind up exploiting your own machine.

    Heck, if you managed to get an exploit into a certain incremental release of the kernel (2.3.14, for example) you'd still only get a fraction of the Linux users (not everyone downloads and applies each new kernel release) and once the exploit was discovered and publicized, it would likely be patched out of existence much quicker than its Windows counterpart.

    Then there's the whole "many eyes" problem. In a closed source situation, you can assess exactly who the code reviewer will be, what their weaknesses (and concerns) are likely to be, and hide in those shadows (or avoid sensitive areas.) You also have the benefit of knowing the exact compiler which will be used, what the compile environment and options will be, what test cases will be run, etc.
    In an open source setting, any proposed patch is likely to generate a hundred complaints about what it breaks (or slows down) from a hundred different people you never even knew were using that code compiling it on a hundred different compilers (some of which were written by their users) and porting it to a hundred (well, maybe ten) different hardware platforms. And that's even if you aren't trying to slip in a trojan. And fully half of those people will know more about that particular software than you do.

  • *barf* (Score:3, Insightful)

    by Erris ( 531066 ) on Tuesday December 18, 2001 @02:32PM (#2721174) Homepage Journal
    It screams of a hoax, so let's put it on the front page. Way to be part of the problem, Taco.

    Let's just whine about it instead of moving on. Way to fill the page up with trash.

    Hypocrisy, see above.

  • by Jason Earl ( 1894 ) on Tuesday December 18, 2001 @05:00PM (#2722361) Homepage Journal

    Ok, whatever. It still goes to show how effective Microsoft's "code reviews" are. If it takes them years to find something that was meant to be a joke, then how long is it going to take them to find something that was meant to be a hard to spot backdoor written by a talented coder (there is no questioning the fact that Microsoft programmers are talented folks)?

    The fact of the matter is that bugs are hard to find in almost any setting. The fact that so few people have access to Microsoft source code simply makes it that much harder to find errors. Microsoft can pretend that they have processes in place to catch these sorts of errors, but when all it takes is the knowledge of one previously unknown buffer exploit it is hard to feel very safe.

    Microsoft's entire security policy is based on the fact that the bad guys don't have access to their source code. This assumes, of course, that there isn't anyone inside of Microsoft that is willing to sell (or exploit themselves) security information.

  • by crucini ( 98210 ) on Tuesday December 18, 2001 @05:21PM (#2722494)
    That sounds reasonable. However, by that logic there should never have been any exploits for a Microsoft product, right? Maybe you are assuming that the trojan would be glaringly obvious. I would assume the opposite - that it would be the kind of vulnerability we've already seen many times in IIS and Outlook. Something that could be called an honest mistake.

    I still don't really believe the story, but I think you are dismissing it too lightly.
  • Malice? (Score:3, Insightful)

    by Frank Sullivan ( 2391 ) on Tuesday December 18, 2001 @06:00PM (#2722754) Homepage
    "no evidence of malicious code in the operating system has been reported".

    Never attribute to malice that which can be adequately explained by stupidity. :}
