
(Quartz) So Google's Android smartphone operating system uses source code contributed by the NSA. What could go wrong there? (qz.com)
    More: Scary, NSA, Android, Google, Baidu, operating systems, People's Republic, chinese company, Android smartphones  

9664 clicks; posted to Main on 10 Jul 2013 at 10:06 AM



 
2013-07-10 10:10:05 AM
Let's get this started.

B..bb..but but Apple
 
2013-07-10 10:10:28 AM
If you're not a terrorist, then you don't need to worry about the NSA.
 
2013-07-10 10:10:46 AM
Boogity! Boo! NSA! Boo!
 
 
2013-07-10 10:13:28 AM
In the meantime, NSA submissions to Android are in the public domain, and subject to intense examination by anyone who wants to look.

I'm wetting my pants.
 
2013-07-10 10:14:50 AM
Your tax dollars at work spying on you
 
2013-07-10 10:15:22 AM
Not a damn thing if they had people properly verify the code before implementing.
 
2013-07-10 10:16:01 AM
It's OSS...you don't think every line of that source has been gone over by scores of people in Google and in the OSS community at large?  If so, you're an idiot.

China can read the code too - they're not concerned about a single line of it.  Sensationalist journalist doesn't understand OSS, apparently.
 
2013-07-10 10:16:12 AM

Oakenshield: Let's get this started.

B..bb..but but Apple


To be fair, the NSA probably has hooks in IOS as well, we'll just never know about it because Apple is so secretive.
 
2013-07-10 10:17:18 AM
I'm distrustful of the NSA too, but given that this component has been there for years, is based on an even older enhancement for Linux, and is open source, this article is completely stupid. You can't really get more transparent than that.

The problem with the NSA is the lack of transparency/accountability for some of their programs, primarily. That's not the case here, as this is the complete opposite of that.
 
2013-07-10 10:17:51 AM

SeriousGeorge: In the meantime, NSA submissions to Android are in the public domain, and subject to intense examination by anyone who wants to look.

I'm wetting my pants.


Considering the NSA had public-key encryption ~30 years before the general public, I'm betting whoever scrutinizes their code won't understand it, and we'll still be in the dark about what it does.
 
2013-07-10 10:18:48 AM

Mnemia: I'm distrustful of the NSA too, but given that this component has been there for years, is based on an even older enhancement for Linux, and is open source, this article is completely stupid. You can't really get more transparent than that.

The problem with the NSA is the lack of transparency/accountability for some of their programs, primarily. That's not the case here, as this is the complete opposite of that.


How are we supposed to gin up our moral outrage with you talking sense like that? Huh!?
 
2013-07-10 10:19:36 AM
Oh and the "journalist" completely ignores the huge difference between a defensive tool and an offensive one.
 
2013-07-10 10:20:16 AM
Android is Open Source Software, so the odds that they have something flagrant in there is very low.

The NSA has a history of contributing security enhancements to other open source projects. It's one of their community outreach things they do.
 
2013-07-10 10:21:03 AM

Mnemia: I'm distrustful of the NSA too, but given that this component has been there for years, is based on an even older enhancement for Linux, and is open source, this article is completely stupid. You can't really get more transparent than that.

The problem with the NSA is the lack of transparency/accountability for some of their programs, primarily. That's not the case here, as this is the complete opposite of that.


Came here to say that.   http://en.wikipedia.org/wiki/Security-Enhanced_Linux

Next they're gonna tell me that OpenSSH was invented by a Canadian so therefore Canada is spying on us.
 
2013-07-10 10:21:13 AM
eh? Pointless article is pointless.

Back in 2000, websites were falling over left and right. The NSA wanted something a little better. Since the Windows API from that time was a complete joke, they did the obvious thing and made some adjustments to Linux. What they ended up with was Linux SE, a system that sandboxes *everything*.

Android, on the other hand, appears to be designed from damn insecure Linux. More likely, it is similar to the winAPI disaster that led to "click here to install dancing cat [and let me pwn your box]". No amount of sandboxing will help your system as long as users click the "please pwn me" links, you need something like Apple's walled garden for that.

Personally, I'd be happier with something like a "walled garden with ladders lying around". Whitelist the stuff I can give access to my data, and put some pretty high barriers on the security defaults to the "dancing cat apps".
 
2013-07-10 10:22:59 AM

BillDozer357: SeriousGeorge: In the meantime, NSA submissions to Android are in the public domain, and subject to intense examination by anyone who wants to look.

I'm wetting my pants.

Considering the NSA had public-key encryption ~30 years before the general public, I'm betting whoever scrutinizes their code won't understand it, and we'll still be in the dark about what it does.


Nope. SELinux is among the most scrutinized tools out there for security. And there is no deep magic crypto voodoo involved in it. So you would be betting wrong.
 
2013-07-10 10:23:20 AM
Someone's tin foil hat needs to be made less tight.
 
2013-07-10 10:24:42 AM
So that's what uses up all my battery life...the US government!
 
2013-07-10 10:25:35 AM
The NSA has contributed a lot of code to a lot of different commercial and open source software and has done so for a very long time.

If you don't like it, go fork yourself and stop whining.
 
2013-07-10 10:26:17 AM

BillDozer357: Considering the NSA had public-key encryption ~30 years before the general public, I'm betting whoever scrutinizes their code won't understand it, and we'll still be in the dark about what it does.


If the people who scrutinize it don't understand it then the NSA code won't be passed along into the mainstream. All open source projects have some form of code review where contributions are vetted mechanically and by hand, especially for security-intensive pieces.

You can be sure that Google's security team have looked at the code as well as security researchers worldwide, because Android (and the Linux it's based on) are huge high-visibility projects. It would only ever take one of those people to raise the flag and then the gig is up.
 
2013-07-10 10:26:46 AM

Thisbymaster: Someone's tin foil hat needs to be made less tight.


All the cool kids use copper plating these days.

The cool Chinese kids use these;

www.codesmiths.com
 
2013-07-10 10:27:08 AM
I wonder if the NSA is responsible for the recently-announced cryptography bug that affects nearly all Android devices?

This bug allows untrusted apps to pretend they're from trusted suppliers, and bypass sandboxing to access all data on a device.
 
2013-07-10 10:27:08 AM
I'd like to think I've bored a few NSA agents to tears with my boring excuse of a life.
 
2013-07-10 10:28:34 AM

BillDozer357: SeriousGeorge: In the meantime, NSA submissions to Android are in the public domain, and subject to intense examination by anyone who wants to look.

I'm wetting my pants.

Considering the NSA had public-key encryption ~30 years before the general public, I'm betting whoever scrutinizes their code won't understand it, and we'll still be in the dark about what it does.


There's plenty of cryptographers out there that don't work for the NSA and can read code.

/and if you think Linus and co. are going to include code just because the NSA says 'it's good!', you're wrong
 
2013-07-10 10:28:46 AM
You know what else uses code created by the US government? The Internet.
 
2013-07-10 10:32:06 AM

Arkanaut: You know what else uses code created by the US government? The Internet.


Thread over.
 
2013-07-10 10:32:11 AM

fnordfocus: I wonder if the NSA is responsible for the recently-announced cryptography bug that affects nearly all Android devices?

This bug allows untrusted apps to pretend they're from trusted suppliers, and bypass sandboxing to access all data on a device.


Nope. That's the fault of Google keeping secrets. They have a secret code (a 'master key') that allows apps  elevated privileges. It was just a matter of time until someone figured out the key, and they knew that from the get-go. Now they'll just change the key and hope that not too many devices are compromised in the meantime.
 
2013-07-10 10:33:33 AM

SkittlesAreYum: Arkanaut: You know what else uses code created by the US government? The Internet.

Thread over.


Hell I thought it was Hitler. me not so smrt
 
2013-07-10 10:36:15 AM
*yawn*

I don't care.  I never cared.  The NSA and several other agencies are out there.  I know this.  I don't care.  I treat my phone like a phone, and just like my FB.  There's nothing on there that momma or my boss couldn't see.

hint:  there are lots and lots of agencies gathering data on you, me, everyone.  All. the. time.  Has been for YEARS.

*yawn*
 
2013-07-10 10:37:19 AM

BillDozer357: SeriousGeorge: In the meantime, NSA submissions to Android are in the public domain, and subject to intense examination by anyone who wants to look.

I'm wetting my pants.

Considering the NSA had public-key encryption ~30 years before the general public, I'm betting whoever scrutinizes their code won't understand it, and we'll still be in the dark about what it does.


You have a very weak grasp of how open source works. If a professional programmer can't understand the code, it would be a huge red flag that someone's trying to obfuscate something. Ditto for any strange algorithms. There are a lot of eyes on this particular code, including those of number theory guys and entire foreign governments. The NSA would be taking a huge chance of being discovered if they did this. The bad PR simply wouldn't be worth it.

If you want to hide something, you do it in the executables. AFAIK no professional is decompiling the entirety of iOS 7 and doing a byte by byte analysis. That's where you'd want to hide something.
 
2013-07-10 10:38:45 AM

jshine: If you're not a terrorist, then you don't need to worry about the NSA.


Right.  Nothing wrong with the government collecting information about you.
 
2013-07-10 10:39:32 AM
Have you even READ the HTML 2.0 spec, maaaan? There's a reserved bit in every frame, clearly stated as hands-off. That's OBVIOUSLY an archival/backup bit for the NSA, maaaan!
 
2013-07-10 10:40:14 AM

Mnemia: I'm distrustful of the NSA too, but given that this component has been there for years, is based on an even older enhancement for Linux, and is open source, this article is completely stupid. You can't really get more transparent than that.

The problem with the NSA is the lack of transparency/accountability for some of their programs, primarily. That's not the case here, as this is the complete opposite of that.


Thank goodness you talked some sense into me.  I was almost considering going with an iphone next.  Bless you.
 
2013-07-10 10:40:53 AM
Am I being too paranoid when I think about how the NSA lied to everyone repeatedly, including Congress, and has on other instances refused to let companies like Google explain away the role the NSA has, leading me to suspect there could easily be more stuff in there than meets the eye? The same might necessarily go for every operating system, though.
 
2013-07-10 10:41:16 AM

GanjSmokr: Oakenshield: Let's get this started.

B..bb..but but Apple

To be fair, the NSA probably has hooks in IOS as well, we'll just never know about it because Apple is so secretive.


Yep. NSA contributing open source code: big farking deal.
 
2013-07-10 10:41:39 AM

IamAwake: It's OSS...you don't think every line of that source has been gone over by scores of people in Google and in the OSS community at large?  If so, you're an idiot.

China can read the code too - they're not concerned about a single line of it.  Sensationalist journalist doesn't understand OSS, apparently.


Or NSA.  The hype heaped on these stories is beyond ridiculous. It's down-right ricockulous.
 
2013-07-10 10:41:56 AM
Subby fails....

It is open source, everyone can see it!  This isn't some BS Sci-Fi flick where the NSA buried some hidden text inside the lines of code....  it is probably just stuff related to security hardening or encryption...NOT to let the NSA snoop around.

That's the thing about open source.... you can't really hide a back door, or secretly program in a hole (unlike Apple or Microsoft, who could add such things to their mobile OS platforms).... You can't hide anything from the massive hordes of geeks who pore over these things, line by line, trying to be the hero and finding a bug.
 
2013-07-10 10:42:26 AM

oldfarthenry: I'd like to think I've bored a few NSA agents to tears with my boring excuse of a life.


I'm worried some NSA agent is getting off on the naughty texts I send my husband.

/or laughing hysterically at the old folks being nasty
 
2013-07-10 10:42:35 AM

AeAe: jshine: If you're not a terrorist, then you don't need to worry about the NSA.

Right.  Nothing wrong with the government collecting information about you.


your are an moran.  christ you're dumb
 
2013-07-10 10:42:45 AM

LL316: I was almost considering going with an iphone next.  Bless you.


Don't do it, man!  Don't throw away your life like that!  Someone, somewhere, still cares about you...probably.
 
2013-07-10 10:45:33 AM

Slaxl: The same might necessarily go for every operating system, though.


Yeah, because Windows and iOS are well-known for using OSS in their kernels...

well, technically, I suppose it is fairly assumed they are stealing some code from OSS, but still...
 
2013-07-10 10:46:19 AM

Limeyluv: oldfarthenry: I'd like to think I've bored a few NSA agents to tears with my boring excuse of a life.

I'm worried some NSA agent is getting off on the naughty texts I send my husband.

/or laughing hysterically at the old folks being nasty


how old?  this could be relevant... my interests and all.
 
2013-07-10 10:46:37 AM

LL316: Mnemia: I'm distrustful of the NSA too, but given that this component has been there for years, is based on an even older enhancement for Linux, and is open source, this article is completely stupid. You can't really get more transparent than that.

The problem with the NSA is the lack of transparency/accountability for some of their programs, primarily. That's not the case here, as this is the complete opposite of that.

Thank goodness you talked some sense into me.  I was almost considering going with an iphone next.  Bless you.


I don't care in the slightest what kind of smartphone you use (and I develop for multiple mobile platforms). They all have advantages and disadvantages (and yeah, transparency isn't exactly one of Apple's strengths). I use an iPhone, myself, actually, as a personal phone. But this article is an unfair criticism of Android. There are plenty of other things that suck about Android, but this isn't one of them.
 
2013-07-10 10:47:33 AM

enry: BillDozer357: SeriousGeorge: In the meantime, NSA submissions to Android are in the public domain, and subject to intense examination by anyone who wants to look.

I'm wetting my pants.

Considering the NSA had public-key encryption ~30 years before the general public, I'm betting whoever scrutinizes their code won't understand it, and we'll still be in the dark about what it does.

There's plenty of cryptographers out there that don't work for the NSA and can read code.

/and if you think Linus and co. are going to include code just because the NSA says 'it's good!', you're wrong


I'm not so sure about that:
http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

There's ways to get vulnerabilities into code without being obvious. In this case making the prediction of random values somewhat easier could help with breaking encryption.
 
2013-07-10 10:47:34 AM

Fubini: fnordfocus: I wonder if the NSA is responsible for the recently-announced cryptography bug that affects nearly all Android devices?

This bug allows untrusted apps to pretend they're from trusted suppliers, and bypass sandboxing to access all data on a device.

Nope. That's the fault of Google keeping secrets. They have a secret code (a 'master key') that allows apps  elevated privileges. It was just a matter of time until someone figured out the key, and they knew that from the get-go. Now they'll just change the key and hope that not too many devices are compromised in the meantime.


It doesn't sound like it's actually a leaked master key, as not all devices are vulnerable.  My understanding is it's a bug in how Android verifies that an app has been properly signed with that key.
 
2013-07-10 10:49:06 AM

Slaxl: Am I being too paranoid when I think about how the NSA lied to everyone repeatedly, including Congress, and has on other instances refused to let companies like Google explain away the role the NSA has, leading me to suspect there could easily be more stuff in there than meets the eye? The same might necessarily go for every operating system, though.


Yes, you are being too paranoid. The NSA isn't full of power seekers or ladder climbers, which is part of why they're able to fly under the radar of so much of the American populace. Their goal is to be entirely unseen and unfelt. The people who staff most of the NSA are very bright computer scientists, mathematicians, and electrical engineers. Their stated role is to intercept and decode foreign communications.

As has been said many times already, the NSA is  only doing what they were told to do by congress. There is no overreach here- the people at the top were fully aware of what was going on (or, at least they were briefed on it) and approved of it. This is a direct offshoot of the whole 1984/PATRIOT Act atmosphere that consumed our nation following 9/11.
 
2013-07-10 10:53:49 AM
fnordfocus: It doesn't sound like it's actually a leaked master key, as not all devices are vulnerable.  My understanding is it's a bug in how Android verifies that an app has been properly signed with that key.

Sorry to quote myself, but from the discoverer's FAQ:

Is the vulnerability caused by device manufacturers using a known/default platform key for signing, or otherwise compromising or recovering the device manufacturer's platform private key?

No, the platform private key is not necessary for this vulnerability to be attacked.
 
2013-07-10 10:53:49 AM

fnordfocus: Fubini: fnordfocus: I wonder if the NSA is responsible for the recently-announced cryptography bug that affects nearly all Android devices?

This bug allows untrusted apps to pretend they're from trusted suppliers, and bypass sandboxing to access all data on a device.

Nope. That's the fault of Google keeping secrets. They have a secret code (a 'master key') that allows apps  elevated privileges. It was just a matter of time until someone figured out the key, and they knew that from the get-go. Now they'll just change the key and hope that not too many devices are compromised in the meantime.

It doesn't sound like it's actually a leaked master key, as not all devices are vulnerable.  My understanding is it's a bug in how Android verifies that an app has been properly signed with that key.


We don't know exactly, because the people who found the flaw haven't publicly said how to do it.

http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/

It involves a 'master key' (which is assuredly just security through obscurity) and affects 99% of devices.
 
Displayed 50 of 161 comments


This thread is closed to new comments.

Continue Farking
Submit a Link »






Report