Topic: The NSA is writing code for the Android OS now

Balog

Quote from: French G.
I was always pleasant, friendly and within arm's reach of a gun.

Quote from: Standing Wolf
If government is the answer, it must have been a really, really, really stupid question.

geronimotwo

Re: The NSA is writing code for the Android OS now
« Reply #1 on: July 10, 2013, 07:18:54 AM »
i'm not sure what the "smart" ones think, but if they can get to blow up when you dial a terrorist's number........ =D

i'm assuming this is more than the cell listening that was reported on 5-6 years ago?  we still seem to be as accepting of our lack of privacy.
make the world idiot proof.....and you will have a world full of idiots. -g2

Fitz

Re: The NSA is writing code for the Android OS now
« Reply #2 on: July 10, 2013, 07:27:28 AM »
Cell phone networks, and the devices on them, are so insecure that it really does not matter if the NSA is actually writing code
Fitz

---------------
I have reached a conclusion regarding every member of this forum.
I no longer respect any of you. I hope the following offends you as much as this thread has offended me:
You are all awful people. I mean this *expletive deleted*ing seriously.

-MicroBalrog

Ron

Re: The NSA is writing code for the Android OS now
« Reply #3 on: July 10, 2013, 08:25:45 AM »
Attempting to be secure in your person and belongings is evidence of suspicious behavior these days, what are ya trying to hide? You a terrorist or something?
For the invisible things of him since the creation of the world are clearly seen, being perceived through the things that are made, even his everlasting power and divinity, that they may be without excuse. Because knowing God, they didn’t glorify him as God, and didn’t give thanks, but became vain in their reasoning, and their senseless heart was darkened. Professing themselves to be wise, they became fools.

zahc

Re: The NSA is writing code for the Android OS now
« Reply #4 on: July 10, 2013, 09:22:25 AM »
Does not surprise. Didn't the NSA actually release their own Linux (SELinux)?
Maybe a rare occurrence, but then you only have to get murdered once to ruin your whole day.
--Tallpine

lee n. field

Re: The NSA is writing code for the Android OS now
« Reply #5 on: July 10, 2013, 09:31:34 AM »
Dig down in the link.  It's actually SELinux they're talking about. 
In thy presence is fulness of joy.
At thy right hand pleasures for evermore.

RevDisk

Re: The NSA is writing code for the Android OS now
« Reply #6 on: July 10, 2013, 01:31:08 PM »
Quote
What think the smart folks of APS?

Complete and utter bovine excrement. I actually mean that. All of the negative assertions are false.

The original "NSA backdoor" in Windows was the whole "NSAkey" thing. Basically, Microsoft made their OS, sent it to NSA to be reviewed for security improvements.

NSA: "You did do a split key, right? So no one person can backdoor Windows by knowing the whole key?"
Microsoft: "Nooo..?" 
NSA: "Alright. Generate a new key. Have half signed by person A, half signed by person B. Don't let them share info." (highly boiled down)
Microsoft: "Ok".  And names the new key NSAKey, spawning legions of conspiracy theories.

Cue forward.

NSA makes something (actually, pays others to make) SE Linux, which is a cluster of mechanisms for supporting access control security policies. The Windows version is NTFS and Group Policy (kinda, sorta, not a direct parallel). Unix/Linux has been seriously lacking in that area (no joke).

Android is Linux based. NSA ported over the security code. And is working on their own security focused distro of Android, which is open source.  ALL of the NSA code is open source, open for scrutiny and worked on by multiple organizations.

"Rev, your picture is in my King James Bible, where Paul talks about "inventors of evil."  Yes, I know you'll take that as a compliment."  - Fistful, possibly highest compliment I've ever received.

Nick1911

Re: The NSA is writing code for the Android OS now
« Reply #7 on: July 10, 2013, 01:42:22 PM »
Umm... the code is open source.  It's hard to hide something in software when you release the source code for public review.

AZRedhawk44

Re: The NSA is writing code for the Android OS now
« Reply #8 on: July 10, 2013, 01:43:34 PM »
Not worried about NSA contributions to Linux kernel, here.

It's peer reviewed by the global kernel development community.  Yes, they "could" slip something in if the volunteer dev community slacks off.  But I doubt it would last long, and would have such a negative backlash against US FedGuv that we would lose standing and be regarded like the Norks.  Also, inserting security vulnerabilities into open source code ends up opening those security vulnerabilities to anyone who can read the code, not just the NSA.

"But whether the Constitution really be one thing, or another, this much is certain - that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case, it is unfit to exist."
--Lysander Spooner

I reject your authoritah!

zahc

Re: The NSA is writing code for the Android OS now
« Reply #9 on: July 10, 2013, 03:33:05 PM »
Quote
It's hard to hide something in software when you release the source code for public review.

No it's not; it's very easy to hide something in software, regardless. If it was easy to read, they wouldn't call it "code". There are a limited number of kernel hackers that work on the Linux kernel; most of them work in a specific area to implement specific functionality and are not auditing the entire 15 million lines of code in the kernel. It would be very possible to get backdoors in the Linux kernel.

Public review should also eliminate bugs. Does anyone believe there are not bugs in the Linux kernel? Heck, out of the KNOWN bugs that are in Linux kernel, how long were they in there before someone found them? A talented programmer can write something that appears to be legitimate, which can be harder to find than an outright bug.

http://www.ioccc.org/

And this is all assuming that the topical backdoors/vulnerabilities are injected at the source code level. It's just as likely that they would be in compilers, or binary device drivers. Do you really know what's in that 200MB NVIDIA driver you installed with root permissions?

http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
Maybe a rare occurrence, but then you only have to get murdered once to ruin your whole day.
--Tallpine

RevDisk

Re: The NSA is writing code for the Android OS now
« Reply #10 on: July 10, 2013, 04:23:10 PM »
Quote
No it's not; it's very easy to hide something in software, regardless. If it was easy to read, they wouldn't call it "code". There are a limited number of kernel hackers that work on the Linux kernel; most of them work in a specific area to implement specific functionality and are not auditing the entire 15 million lines of code in the kernel. It would be very possible to get backdoors in the Linux kernel.

Public review should also eliminate bugs. Does anyone believe there are not bugs in the Linux kernel? Heck, out of the KNOWN bugs that are in Linux kernel, how long were they in there before someone found them? A talented programmer can write something that appears to be legitimate, which can be harder to find than an outright bug.

http://www.ioccc.org/

And this is all assuming that the topical backdoors/vulnerabilities are injected at the source code level. It's just as likely that they would be in compilers, or binary device drivers. Do you really know what's in that 200MB NVIDIA driver you installed with root permissions?

http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

As long as you record who did the submits, you can backtrace it to whoever is responsible. And most projects tend to glance over submitted patches. It's not impossible to backdoor open source software. Extremely obfuscated code SHOULD get a very hairy eyeball. It's very hard to backdoor open source software in an anonymous, deniable manner.

Flawless? Hardly. But again, once you do find the backdoor, you can locate and correct the issue much more easily.

Backdoors occasionally can exist in the wild for a long time, especially in closed source embedded devices. But, when used, they can become noticed in short order. There are too many different combinations of switches, firewalls, and IDS's to be able to pull a Thompson on all of them. Thus, even if Cisco hardware or IOS is compromised, it doesn't mean the Linux server running snort is. All that's necessary is to block the path once in the chain leading from the compromised device back to the controller, and the access is cut off.  Not a big deal if the backdoor is used to brick the device, but a very big deal if you're trying to be surreptitious and have ongoing activities.
"Rev, your picture is in my King James Bible, where Paul talks about "inventors of evil."  Yes, I know you'll take that as a compliment."  - Fistful, possibly highest compliment I've ever received.

lee n. field

Re: The NSA is writing code for the Android OS now
« Reply #11 on: July 10, 2013, 04:38:11 PM »
Quote
Umm... the code is open source.  It's hard to hide something in software when you release the source code for public review.

http://cm.bell-labs.com/who/ken/trust.html

Been done, but the "perp" was in a very special place and time to do it.
In thy presence is fulness of joy.
At thy right hand pleasures for evermore.

Tallpine

Re: The NSA is writing code for the Android OS now
« Reply #12 on: July 10, 2013, 04:41:27 PM »
Government agencies are notoriously incompetent.  I'm just trying to figure out how they could write software that works  =|
Freedom is a heavy load, a great and strange burden for the spirit to undertake. It is not easy. It is not a gift given, but a choice made, and the choice may be a hard one. The road goes upward toward the light; but the laden traveller may never reach the end of it.  - Ursula Le Guin

RevDisk

Re: The NSA is writing code for the Android OS now
« Reply #13 on: July 10, 2013, 05:07:25 PM »
Quote
http://cm.bell-labs.com/who/ken/trust.html

Been done, but the "perp" was in a very special place and time to do it.

zahc linked to it already. And original corrupt compiler was identified and quarantined. So yes, it happened, but it was still identified. It's nice to get super awesome proof of theoretical concept malware into a PC. Keeping it in the wild is a bit more complex.

"Rev, your picture is in my King James Bible, where Paul talks about "inventors of evil."  Yes, I know you'll take that as a compliment."  - Fistful, possibly highest compliment I've ever received.

kgbsquirrel

Re: The NSA is writing code for the Android OS now
« Reply #14 on: July 15, 2013, 08:43:06 PM »
This story, if true, is moot as it has been unnecessary for the NSA to do what they do with cellphones since before smart phones.

If you really want to be secure regarding someone not using your phone as a listening or tracking device, but don't want to leave it at home, then: Remove the battery, leave the battery and phone in a small faraday cage.