"ensuring that the code doesn't contain any accidental security holes"
The whole software developer industry tries to solve this problem: how to write code which doesn't have bugs. But "to err is human". I doubt that some secret agents can keep Windows secure. Microsoft itself tries to make it bug free, it's their interest too. If you dig down to deep level what happened with flame: - the only little error was that the certificate which was used for RDP allowed to sign code too. - the fact that someone spotted that and went ahead and cracked things with some huge infrastructure doesn't mean that there has to be any agents within Microsoft. If you suspected, _you_ could debug the RDP protocol too, and you could see the little policy quirk in the certificate which allows code signing too. The group who created Stuxnet and Flame are _extremely_ smart. This wasn't the first occasion when they were very thorough. One of the 0-day exploit they used in Stuxnet was based on information which was hinted in some forums by some hackers. They just see those channels, and they went down to the rabbit hole and actually crafted the exploit code. Very nice and thorough job. Also, since the Stuxnet they were looking desperately for certificates. For example, in different updates of Stuxnet they used 3 kinds of certificate to sign driver files (JMicron, etc, etc). Kudos to the writers, they did a very nice job. Csaba ________________________________________ From: [email protected] [[email protected]] On Behalf Of Tilghman Lesher [[email protected]] Sent: Sunday, June 17, 2012 12:20 PM To: [email protected] Subject: Re: [nlug] Tin-Foil-Hat-Dept: One more reason to run NOT-M$ On Sun, Jun 17, 2012 at 9:48 AM, Chris McQuistion <[email protected]> wrote: > I've read ~very~ similar stories with claims that the NSA/FBI/etc has people > working on the Linux kernel or other major open-source projects. Well, in fact, that part is true. There's nothing sinister about it, though; they're working to safeguard the nation's infrastructure, by ensuring that the code doesn't contain any accidental security holes. Intentional security holes are much more difficult to create within active open source projects; someone will find it and broadcast its existence. The problem with conspiracy theories is the axiom about secrets: three may keep a secret if two of them are dead. -- You received this message because you are subscribed to the Google Groups "NLUG" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en -- You received this message because you are subscribed to the Google Groups "NLUG" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en
