# Backdoors in my OS?



## Grell (Jul 1, 2016)

Hello, I want to keep this thread free of politics and political opinions but I am a paranoid person and I do not like the idea of backdoors in my OS regardless of who is doing it.  How can we be sure that there are no backdoors in FreeBSD?  I also am aware that the hardware itself could have a means to spy on its user.  I'm trusting that since FreeBSD is source based and all the source code (for the most part) is publicly available, it would be very difficult to put a backdoor into the system.  How can we be sure that the government (any government for that matter) is not logging everything I am doing on my computer?


----------



## ShelLuser (Jul 1, 2016)

Grell said:


> How can we be sure that there are no backdoors in FreeBSD?


You can't. My first response would be to go over the source code yourself, but considering the amount of code I deem this to be virtually impossible.



Grell said:


> How can we be sure that the government (any government for that matter) is not logging everything I am doing on my computer?


Simple answer: by making sure said computer isn't connected to the Internet. In FreeBSD terms: by running this command: `# service netif down`. Or, if you'd like to remain connected to your local network: `# route del default`.

But in the end there are no certainties.


----------



## Murph (Jul 1, 2016)

Grell said:


> I'm trusting that since FreeBSD is source based and all the source code (for the most part) is publicly available, it would be very difficult to put a backdoor into the system.



Even with 100% source visibility, and no illicit code present in the source, the compiled operating system can still have a backdoor.  You just have to embed the backdoor deep into the compiler or linker, as Ken Thompson famously explained back in 1984.  See http://c2.com/cgi/wiki?TheKenThompsonHack for details.  The source code can be 100% clean, but the binaries can't be guaranteed to be clean unless the entire build system (hardware, firmware, build software, etc) is also 100% clean.

Basically, the bottom line is that you can't really be completely certain that there isn't something illicit present.  It could be hidden in the CPU microcode, system BIOS / boot ROM, any hardware with its own firmware / microcode (GPU, NIC, HBA, etc), or even embedded in your hard drive's controller.  You basically have to either take a bunch of things on trust or go back to an age where you can verify the physical hardware personally and start by entering the boot code using toggle switches on a panel.

With the major *BSD and Linux projects, it would be very difficult for any form of compromise to exist for long, as they are under more or less constant scrutiny by some of the most talented people on the planet.  The people involved are spread around the world sufficiently such that it is essentially impossible for a government entity to persuade them to hide something and keep quiet about it.  Nothing is impossible, but it would be far easier for the NSA to secretly persuade a commercial operating system vendor to insert a little bonus feature, and far easier for it to remain hidden in a commercial OS.

For the highest levels of security / secrecy, even physically disconnecting from the network is insufficient.  See the NSA / NATO "TEMPEST" specification / certification, for example.  The NSA (and others) know how to monitor your systems without requiring any form of hidden code, network, or physical access, if you are of sufficient interest to them.


----------



## ShelLuser (Jul 1, 2016)

Murph said:


> With the major *BSD and Linux projects, it would be very difficult for any form of compromise to exist for long, as they are under more or less constant scrutiny by some of the most talented people on the planet.


I have to disagree with you on that one. Remember the Debian OpenSSL disaster? The package maintainer himself deemed it necessary to apply changes to the encryption engine of OpenSSL itself yet by doing so created a major loophole. It took approx. 3 years before this massive yet still manually created bug got discovered. 

If it can take 3 years to detect a flaw in the very encryption engine itself one can only imagine how long it could take for less important parts.


----------



## Murph (Jul 1, 2016)

ShelLuser said:


> I have to disagree with you on that one. Remember the Debian OpenSSL disaster? The package maintainer himself deemed it necessary to apply changes to the encryption engine of OpenSSL itself yet by doing so created a major loophole. It took approx. 3 years before this massive yet still manually created bug got discovered.
> 
> If it can take 3 years to detect a flaw in the very encryption engine itself one can only imagine how long it could take for less important parts.



Ok, perhaps "should be very difficult" would be a better description.  It still should be more likely to get caught than with closed source / proprietary code, as the bad change is there for all to see without trying to analyse disassembly of highly complex code.

That example is an excellent demonstration of why all of the security-critical code needs a thorough automated test suite, particularly for anything related to crypto, and why independent code review by many skilled eyes is critical.  With closed source, introduction of the same style of bug is probably equally likely, especially when long term support is carried out by less experienced teams (or a team without the necessary deep level specialist skills) or the lowest outsourcing bid.


----------



## SirDice (Jul 1, 2016)

ShelLuser said:


> If it can take 3 years to detect a flaw in the very encryption engine itself one can only imagine how long it could take for less important parts.


Case in point:
https://it.slashdot.org/story/08/05/11/1339228/the-25-year-old-bsd-bug
https://bsd.slashdot.org/story/08/07/08/2236232/33-year-old-unix-bug-fixed-in-openbsd


----------



## getopt (Jul 1, 2016)

Grell said:


> I want to keep this thread free of politics and political opinions but I am a paranoid person


First I want to make it righteously clear that my response is not meant to insult the OP. My intention is making the reader think about choosing the appropriate words when talking about IT-security.

Is it appropriate to call yourself being "a paranoid person"? What happens, if you say such sentences outside of the IT-context?



			
https://en.wikipedia.org/wiki/Paranoid_personality_disorder said:

> Paranoid personality disorder (PPD) is a mental disorder characterized by paranoia and a pervasive, long-standing suspiciousness and generalized mistrust of others. Individuals with this personality disorder may be hypersensitive, easily insulted, and habitually relate to the world by vigilant scanning of the environment for clues or suggestions that may validate their fears or biases. Paranoid individuals are eager observers. They think they are in danger and look for signs and threats of that danger, potentially not appreciating other evidence.
> 
> They tend to be guarded and suspicious and have quite constricted emotional lives. Their reduced capacity for meaningful emotional involvement and the general pattern of isolated withdrawal often lend a quality of schizoid isolation to their life experience. People with PPD may have a tendency to bear grudges, suspiciousness, tendency to interpret others' actions as hostile, persistent tendency to self-reference, or a tenacious sense of personal right. Patients with this disorder can also have significant comorbidity with other personality disorders.



So why are some IT-persons still so eager to call themselves "paranoid"? A paranoid person is not seen as trustworthy by most of the others, and conspiracy theories are right around the next corner.

The year 2013 marks the beginning of the "Post-Snowden-Era". After 2013 the term "paranoid" has been under review and should be reserved for those needing a professional therapy.

Should an IT-professional call himself "paranoid"? Does that person attract a positive attention when doing so? Is that really cool? Does this advocate competence? Probably not, except in some unserious environments.

So let's tag the word "paranoid" in IT-context as obsolete. It's a remnant term of the Pre-Snowden-Era, created by those who had an interest in labelling some IT-people as suspect and mentally ill. Aren't those times gone?

We should take our time to think about using appropriate terms that are not that ambivalent and hurt our own reputation.

When implementing security in IT-environments that are less vulnerable to attacks by strong adversaries, there is no need to "be paranoid". Instead careful risk analyses are needed, tailored to the strength of the adversaries one has to cope with.

Having said all this, think about research on side-channel attacks or trying to defend against such attacks. Do we really still need the buzzword "paranoid" or can we do better?


----------



## DiscmanDaemon (Jul 2, 2016)

Grell said:


> but I am a paranoid person and I do not like the idea of backdoors in my OS regardless of who is doing it.



I feel your pain. 

But alas I have to agree with ShelLuser in that you simply can't avoid the possibility of backdoors. Even if you could go over all the OS code, that doesn't guarantee you are free from "backdoors". Your machine probably has some firmware (BIOS etc.) that you cannot see the code for. You could of course compile some of the free/open source loaders (like coreboot), but that would of course mean trusting your compiler and firmware as explained by Murph. This leads to a case of it being turtles all the way down since you can't really compile clean firmware (or an OS for that matter) without relying on some other possibly suspect firmware.



ShelLuser said:


> Simple answer: by making sure said computer isn't connected to the Internet. In FreeBSD terms: by running this command: `# service netif down`. Or, if you'd like to remain connected to your local network: `# route del default`.



If you can't trust your software, why not at least stop it from talking to anyone? A mighty good idea. But I'm skeptical that you can really do that since you can't trust your hardware (and by the transitive property, your software).

Just because you turned your network interface off from within the OS, are you sure it's really off? The network interface controller (NIC) is after all a piece of hardware that's often built right in to the motherboard. As Murph mentioned, it has its own firmware. Maybe when you turn it off, it just stops talking to the OS and keeps broadcasting. I have checked the 2.4 and 5 GHz bands and determined the NICs on my boxes do in fact stop broadcasting on standard WiFi bands when "off", but I lack the time and equipment to verify that it's not gossiping about me on other bands. And yes it could possibly broadcast on other bands. Although not an advertised capability, have you actually taken an electron microscope to the NIC's integrated circuits and verified that it can only operate on those two bands? It wouldn't be that hard for No Such Agency to pay a chip manufacturer to add an "extra feature" to their chips, and it's very hard to verify the integrity of hardware in the age of ICs.

Of course you could do as I did with my "crypto box". I actually physically took the NIC out (older boxes often have the NIC attached to the bus rather than the mobo and thus it can be removed easily) along with anything else that could possibly broadcast a signal. Or wait. Did I? I did mention I can't actually verify the integrity of the rest of the hardware. Maybe my 1 gig RAM chip has a small antenna and microcontroller in it that can broadcast the contents of my RAM at will. Or maybe my hard disk. Or maybe even my CPU. Even if I did have thousands of years and an electron microscope to verify that all the ICs are doing as they're supposed to, and found that all the hardware was in fact trustworthy, hardware is after all, circuitry. Any wire with varying current going through it will produce an electromagnetic signal... Your CPU produces a weakly detectable signal at the band being equal to the clock rate. I suspect that it would be possible to tell precisely what opcode was executed by the amplitude of the signal each cycle since each opcode has a different set of transistors being flipped to the "on" state. And there's no shortage of devices Big Brother could use to listen to this signal. Your naive girlfriend's iPhone... those danged Google cars... Your WPA "secured" wifi router... The possibilities are endless...

How's your paranoia now? 

What would probably work is faraday caging whatever area you use the computer in. This is somewhat common practice in high security government buildings to stop their air-gapped networks from being eavesdropped on. Of course most people, including me, are unable/unwilling to turn a room of their residence into a copper clad dungeon... You also would need to do something about the "oversized rats" that might rudely infest your faraday cage room while you step out, without so much as the courtesy of leaving you a search warrant.

You could *just* get/build yourself a PDP-8. Big brother would have a very difficult time backdooring a system made from discrete transistors without you noticing it. Alas 12 bit 1960s DEC architecture is not supported by FreeBSD...

Or you could just accept we live in a surveillance state and dream of retiring early in Fiji, Vanuatu, or anywhere else that has nice, off-the-grid tropical islands.


----------



## Remington (Jul 2, 2016)

Don't forget that many motherboards are made in China, even the iPhone.  Network routers such as Tenda, Netcore, TP-Link, Huawei and a couple of others were accused of or caught having backdoors in their firmware.

It's pointless to argue about FreeBSD having a backdoor while routers, motherboards, BIOS, WiFi cards and ethernet cards could have one.  If you really want to be absolutely 100% sure there is no backdoor then you'll have to build everything yourself including OS, hardware, firmware, etc. and stay off the internet.

The FreeBSD community does try its best to find a backdoor but there is no such thing as a 100% guarantee.


----------



## kpedersen (Jul 2, 2016)

When I am using a Windows machine, I tend to do this:

https://www.ibm.com/developerworks/...om_having_full_access_to_the_internet?lang=en

Not because I care about spying as such but mostly because I don't like having my computer constantly doing random crap like updates. I prefer to keep it deterministic as much as I can.

The same could be done for FreeBSD if you do not trust it. You could also use some simpler, open-source or more transparent hardware to run the proxy (perhaps beaglebone, arduino or rpi?) rather than via a VM.


----------



## Remington (Jul 2, 2016)

The only difference between Windows and FreeBSD is open and closed source code; Windows does a lot of random crap and FreeBSD doesn't.  In fact, you can easily turn off jobs or startups in FreeBSD but you cannot with Windows.  I would say FreeBSD is way more secure than you think because FreeBSD is open-source for anyone to investigate.  If someone were to slip in backdoor code, it would eventually be found or blocked at the review or audit stages.  There are programs that can scan the source code for backdoor keywords, monitor the ports for any unusual activities and audit to find the difference between older and newer code.  It will be found regardless of who tries to insert backdoor code.

A few years ago, someone claimed that the FBI hired an OpenBSD developer to insert a backdoor in OpenBSD but it was unsuccessful, supposedly because of the review and audit stages.  Another attempt was done on ProFTPd with a fake checksum, which is hard to do.  It's difficult to bypass security checksums, signatures and audits.  Every source that is committed is subject to several stages of reviews and audits before being accepted.  It's not like you can write a program, submit it and have it accepted immediately without going through stages of review and audit.  If I wanted, I could run a DIFF on all sources between 10.2 and 10.3 to see what's changed without having to investigate all the source code, and it can be found.

If someone were to insert a backdoor in FreeBSD, they'll have to be really clever to do it without getting caught and that's hard to do with many paid and volunteer FreeBSD developers and 10 million programmers worldwide.  Someone will notice.

With Windows and Mac OS X, you're at their mercy because there is no public oversight to investigate and their source code is closed to the public.  They can insert whatever crap in their OS without you knowing.

Red Star OS (Linux) has massive backdoor and surveillance crap in it and it's the only government-approved OS in North Korea.  I would not recommend you install it on your computer but if you want to play with it, disconnect from the internet first.  I mean literally disconnect the ethernet cable, turn off your router, call your ISP to cancel the service or as a last extreme resort use an AXE to cut up the ethernet cable.  Seriously, Red Star OS is a really evil OS created by the incarnate late leader Kim Jong.


----------



## ShelLuser (Jul 2, 2016)

I have no intention of starting a whole discussion here, one which is even kind of off-topic, but having said that:



Remington said:


> In fact, you can easily turn off jobs or startups in FreeBSD but you cannot with Windows.


That is actually incorrect. Check out msconfig.exe for starters (you can simply start it, it'll probably ask for elevated permissions). This allows you to fully control Windows' boot process. Another option is services.exe (or services.msc) which, when run with administrative permissions, allows you to start and stop all the registered services.


----------



## Remington (Jul 2, 2016)

ShelLuser said:


> That is actually incorrect. Check out msconfig.exe for starters (you can simply start it, it'll probably ask for elevated permissions). This allows you to fully control Windows' boot process. Another option is services.exe (or services.msc) which, when run with administrative permissions, allows you to start and stop all the registered services.



You can but how many people know this?  Not many.

Windows has too many services with obfuscated names.  Turning off the wrong service will break the system and the same could be said for FreeBSD too.

Anyway, most FreeBSD users know UNIX very well.  Most Windows users are novices and they don't know what service A or B does.  That's why Windows does the updates automatically while FreeBSD users have to perform the updates manually.  Windows is designed for people who don't want to work under the hood, use the CLI or perform complicated tasks.

Anyway, you get my idea.


----------



## ronaldlees (Jul 7, 2016)

kpedersen said:


> When I am using a Windows machine, I tend to do this:
> 
> https://www.ibm.com/developerworks/...om_having_full_access_to_the_internet?lang=en
> 
> ...



I agree with all of the above.  I hate auto-updates.  Linux distros seem to be pushing them now, just like MS, and making them the default SOP.

I like the proxy idea, but not by using conventional tools.  A proxy software archive would be towards the top of the list, in terms of having exploit affinity.  A completely homegrown proxy system could befuddle system attackers.  You could run a raspberry pi or odroid with 2400 MHz transceivers (the kind that you use for wireless serial comm links) - and then run private key encryption on them. The homegrown links could use homegrown software so there would be no known exploit profiles to work from.

But, as was said, in the end there is no infallibility.  Some processors are coming armed with internal transmitters these days, and the Pi2 has a programmable frequency generator for output on any frequency up to 250 MHz, which _might_ be good enough for eavesdropping if the right software (I should say _wrong software!_) were to be inserted into the system by exploiters.

In the end, pull all the connectivity, wired and wireless, and do the sneaker net for transfers.  Then, worry about processor transmitters in your sleep.


----------



## fossette (Jul 9, 2016)

Grell said:


> How can we be sure that the government (any government for that matter) is not logging everything I am doing on my computer?



I would say to activate/configure any of the available FreeBSD firewalls to your liking (note that some packets go through it like butter, I've personally seen it), and add another firewall device (different brand/vendor too) with a logging feature to isolate your Internet router.  The firewall should be configured as DENY ALL except the specific traffic that you need, ultimately, only to servers that you contact.  It's better than nothing.

Also, are you using a web browser?  If so, not a good idea...  The crap stored in cookies and the javascript code being executed right there...  Look for secure web browsing topics too.  ;-)



Murph said:


> For the highest levels of security / secrecy, even physically disconnecting from the network is insufficient.  See the NSA / NATO "TEMPEST" specification / certification, for example.  The NSA (and others) know how to monitor your systems without requiring any form of hidden code, network, or physical access, if you are of sufficient interest to them.



Oh!  That one is nasty!  This is way beyond cracking the WiFi password...

Dominique.
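The DENY ALL plus logging setup fossette describes, written out as an added example for FreeBSD's pf(4) (not code from the thread): the script prints a ruleset that blocks and logs everything by default and only passes outbound flows to listed servers. The interface name, resolver and destination addresses are assumptions; `apply_pf_conf` is only meant to be run on a FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the thread): emit a default-deny pf(4) ruleset
# for FreeBSD that logs every dropped packet and only allows outbound
# connections to an explicit list of servers. The interface name, the
# resolver and the destination addresses used below are assumptions.

# Usage: write_pf_conf <ext_if> <resolver_ip> [host:port[/proto] ...]
# Prints the ruleset on stdout so it can be reviewed before loading.
write_pf_conf() {
    ext_if=$1
    resolver=$2
    shift 2

    cat <<EOF
ext_if = "$ext_if"
resolver = "$resolver"

set skip on lo0
set block-policy drop

# Default deny in both directions; "log" copies every drop to pflog0,
# which is what makes unexpected outbound attempts visible.
block log all
antispoof quick for \$ext_if

# Name resolution is the one thing every other allowed flow depends on.
pass out quick on \$ext_if proto udp from any to \$resolver port 53 keep state
EOF

    # One stateful "pass out" per allowed destination; inbound stays blocked.
    # Entries without an explicit protocol default to tcp.
    for entry in "$@"; do
        host=${entry%%:*}
        rest=${entry#*:}
        case $rest in
            */*) port=${rest%%/*}; proto=${rest#*/} ;;
            *)   port=$rest;       proto=tcp ;;
        esac
        printf 'pass out quick on $ext_if proto %s from any to %s port %s keep state\n' \
            "$proto" "$host" "$port"
    done
}

# Syntax-check with pfctl(8) before loading; only run this on a FreeBSD host.
# Afterwards, drops can be watched with: tcpdump -n -e -ttt -i pflog0
apply_pf_conf() {
    tmp=$(mktemp -t pf.conf) || return 1
    write_pf_conf "$@" > "$tmp" || return 1
    pfctl -nf "$tmp" && pfctl -f "$tmp"
}
```

Example call: `write_pf_conf em0 192.0.2.53 203.0.113.10:443 203.0.113.20:123/udp` prints a ruleset that only lets the host reach one HTTPS server and one NTP server besides its resolver.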


----------



## Remington (Jul 9, 2016)

My servers are behind a pfSense server so pretty much everything is blocked except the required ports for web servers.


----------



## Deleted member 9563 (Jul 10, 2016)

I generally advocate for FreeBSD and feel it is pretty "safe". However, nobody uses it for security in the paranoid sense mentioned here. For that it is probably better to choose an OS which is configured for that purpose specifically. I'd use Tails as a first choice if it was really important. It runs fine in VirtualBox on FreeBSD too. As a good compromise for a persistent install, I run a separate machine with a plain and patched Debian which I use for Torbrowser. I'm not paranoid enough to consider this as a must though. I just do it to learn and provide a small amount of resistance to the way things seem to be going.


----------



## kpedersen (Jul 10, 2016)

OJ said:


> I'd use Tails as a first choice if it was really important.


I think due to the sheer complexity of Linux and "wild west" style of development, the Tails distro can only do so much. They surely don't audit the entire software stack that it is based upon. Therefore I think FreeBSD could potentially be a better choice because it is simpler but better yet, OpenBSD because that is audited for security relatively often.

Though a live CD is a good idea because it can be reset back to a known state very quickly.


----------



## Phishfry (Jul 10, 2016)

From everything I read it would seem that the use of Tails makes you a target.
http://www.infoworld.com/article/28...g-linux-users-for-increased-surveillance.html

"the NSA's intention here was to separate the sheep from the goats -- to split the entire population of the Internet into "people who have the technical know-how to be private" and "people who don't" and then capture _all_ the communications from the first group."

You can bet every word said here is scraped.


----------



## Murph (Jul 10, 2016)

Phishfry said:


> You can bet every word said here is scraped.


Well, with the nature of the discussion in this thread and the mention of their TEMPEST stuff, it's fairly likely to trip one of their filters.  Of course, if you really want to make sure, editors/emacs has a function for that (`M-x spook`):


> Uzi DHS NOCS CIS Biological event VIP Protection USDOJ Airport SGC
> National security Axis of Evil PFS Tuberculosis primacord NIMA


*wave to the good people at Ft. Meade*


----------



## ShelLuser (Jul 10, 2016)

Backdoors or not...  I think there's one thing which is very important yet gets overlooked way too easily: good security starts by gaining a good understanding of the OS you're using. I don't care if that's Windows, Linux or our beloved FreeBSD. If you don't have a good understanding of what's going on and how things work then you're creating a liability.

Please note: there's nothing between the lines here, I'm not insinuating that people don't know their environments.

But I do believe that if you have a concern for your server's security then you shouldn't start by focusing on possible backdoors which might be theoretically possible, but on getting to know your operating system instead. Example: the ports collection downloads the official source code, then applies a patch, then processes it. So it helps to be familiar with `# make patch`: this allows you to check out the source tree of the port after the patches have been applied.

Speaking of which...  This is actually one of the reasons why _all_ of my FreeBSD environments (on all servers and even my laptop) got compiled from the source tree (http://svn0.eu.freebsd.org/base/releng/10.3 is what I use). First and foremost because this gives me full control over my system (no wireless tools on my servers, but also no ZFS tools on my UFS based laptop) but also because I can look up everything in the source tree itself.

If I wonder what makes /usr/bin/yes tick then I can look it up: /usr/src/usr.bin/yes/yes.c. And that can help as well. That can also help to get better security. Obviously yes is pretty harmless, but now let's try focusing on sockstat or netstat.
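A small baseline check built on sockstat(1), added here as an example that is not part of ShelLuser's post: it lists the listening sockets that are not in a known-good list, so an unexpected listener stands out instead of hiding among the expected ones. The baseline and the sample sockstat output are constructed for illustration; `check_live` needs a FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the thread): compare the listening sockets
# reported by sockstat(1) against a known-good baseline and print the
# ones that are missing from it. Baseline and sample output are constructed.

# Baseline: one "command proto localaddress" triple per line (constructed).
BASELINE='sshd tcp4 *:22
sshd tcp6 *:22
syslogd udp4 *:514'

# Constructed sample in the column layout of `sockstat -46l` on FreeBSD;
# the last line is the kind of listener the baseline is meant to flag.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     sshd       812   5  tcp6   *:22                  *:*
root     syslogd    600   5  udp4   *:514                 *:*
nobody   nc         9001  3  tcp4   *:4444                *:*'

# Usage: unexpected_listeners <baseline-text> < sockstat-output
# Prints "command proto local" for every listener not in the baseline.
unexpected_listeners() {
    baseline=$1
    awk -v base="$baseline" '
        BEGIN {
            n = split(base, lines, "\n")
            for (i = 1; i <= n; i++) if (lines[i] != "") ok[lines[i]] = 1
        }
        NR == 1 && $1 == "USER" { next }     # skip the header row
        NF >= 6 {
            key = $2 " " $5 " " $6           # COMMAND PROTO LOCAL ADDRESS
            if (!(key in ok)) print key
        }
    '
}

# Live check on a FreeBSD host; non-empty output means something is
# listening that the baseline does not account for.
check_live() {
    sockstat -46l | unexpected_listeners "$BASELINE"
}

# Self-contained run on the constructed sample (no sockstat needed).
demo() {
    printf '%s\n' "$SAMPLE" | unexpected_listeners "$BASELINE"
}
```

Running `demo` reports only the `nc tcp4 *:4444` listener; the baseline itself is the thing to keep under version control and review whenever a service is legitimately added.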


----------



## Deleted member 9563 (Jul 11, 2016)

ShelLuser said:


> good security starts by gaining a good understanding of the OS you're using.



And knowing what kind of security actually matters to you. A threat model is absolutely essential or you will either miss out on important things or waste your time on stuff that doesn't matter in your situation. For example, many server operators really don't care about the NSA but only about keeping the servers from being compromised and/or going down. Replacing a theoretically compromised BIOS to avoid theoretical vulnerabilities that only three letter agencies can afford to exploit does not make business sense in most cases. Doing destructive RAM testing to find a type that is resistant to rowhammer attack, even less so. Most people have much simpler needs, and it is worth defining them.


----------



## kpedersen (Jul 14, 2016)

I have had a think about this and wonder if the following could potentially be a product in the future.

Basically you plug in some small device via usb into an untrusted OS like Windows and install the (open-source) drivers.

What this device and drivers provide is a complete network stack (separate from that provided by the OS). This stack is pretty useless on its own (all the software on Windows cannot use it for example). Then we also provide some userland software such as a web browser specifically designed to use our 3rd party networking stack. Another userland example could be a proxy so that trusted software running on windows could also be configured to transparently use the 3rd party network stack.

Either way, those pesky Windows updates should fail to connect, likewise other software like spyware, DRM etc...

I wonder if we could forgo the usb device completely and hook into the actual networking hardware and redirect it from using the Windows network stack to our custom implementation, similar to how a VM does it.


----------



## SirDice (Jul 14, 2016)

kpedersen said:


> Basically you plug in some small device via usb into an untrusted OS like Windows and install the (open-source) drivers.


Anything and everything you install on an untrusted host will be untrusted too. What if the kernel itself has been hooked? Your custom network code will simply receive subverted data and it has no way to tell the difference.



> I wonder if we could forgo the usb device completely and hook into the actual networking hardware and redirect it from using the Windows network stack to our custom implementation, similar to how a VM does it.


Some advanced malware works exactly the same way too.

It reminds me of the Lamer Exterminator virus on the Amiga. It hooked directly in the code that reads from disk. Any action that read the boot sector simply received a bogus default boot sector. In reality the boot sector contained the Lamer Exterminator virus but there was no way to detect this when it was active.


----------



## kpa (Jul 14, 2016)

The Amiga was quite a different case because it had no memory management that would have kept user space programs and kernel memory space separate. In hindsight the design was just asking for trouble because it allowed any program to modify the OS internals as they wished.


----------



## Deleted member 9563 (Jul 14, 2016)

kpedersen said:


> plug in some small device via usb into an untrusted OS



Pwnd! The USB code is untrusted too.


----------



## SirDice (Jul 14, 2016)

kpa said:


> Amiga was quite different case because it had no memory management that would have kept user space programs and kernel memory space separate. In hindsight the design was just asking for trouble because it allowed any program to modify the OS internals as they wished.


True but there's nothing stopping malware from exploiting ring 0 code and injecting itself there. Or simply ask for Administrator access and install itself that way. What I was trying to say is that once malware has its hooks (or should I say claws?) in the OS you simply cannot trust it anymore and any attempt to remove or detect it can be hooked or otherwise subverted.


----------



## kpa (Jul 14, 2016)

Yeah but the modern malware has to first get around this privilege separation and that can be difficult or easy depending on the user and the system. On FreeBSD and most of the UNIX-like systems this is very hard because the users tend to be a bit more aware of the dangers of running unknown software and the systems are built with much more sense to enforce the restrictions than on let's say MS Windows that allows the user to perform very dangerous operations without any warnings if the system is set up that way (which is unfortunately more common than not).


----------



## Murph (Jul 14, 2016)

kpa said:


> … MS Windows that allows the user to perform very dangerous operations without any warnings if the system is set up that way (which is unfortunately more common than not).



There's also the aspect of the users getting conditioned to just automatically approve the frequent stream of "Random Thing needs Admin privilege" dialogs when the warnings are enabled, or install that faked critical flash/media/browser update.  That, and the continuing failure of far too many users to think before clicking on random email attachments.  I'm not a fan of M$ or Windows, but there's a big chunk of blame which deservedly belongs to careless or clueless users.


----------



## TiberiusDuval (Jul 22, 2016)

kpa said:


> Yeah but the modern malware has to first get around this privilege separation and that can be difficult or easy depending on the user and the system. On FreeBSD and most of the UNIX-like systems this is very hard because the users tend to be a bit more aware of the dangers of running unknown software and the systems are built with much more sense to enforce the restrictions than on let's say MS Windows that allows the user to perform very dangerous operations without any warnings if the system is set up that way (which is unfortunately more common than not).



Hmm, Windows asks whether you want to give this or that software privileged access without any explanation of WHAT it will do; FreeBSD or Linux asks for root privileges to run a process without giving any explanation of what it will do.  In that regard they perform quite the same way.


----------



## cyrano (Jul 22, 2016)

Maybe the OP should take a look at Qubes:

https://www.qubes-os.org/

It's kind of a bare-metal hypervisor. It isolates from the outside and you can run FreeBSD, Windows or whatever on top of it.

As far as software security goes, it's probably the most evolved system. It does require modern hardware and will not disable stuff like the Intel management engine in hardware.


----------



## SirDice (Jul 22, 2016)

cyrano said:


> Maybe the OP should take a look at Qubes:
> 
> https://www.qubes-os.org/
> 
> It's kind of a bare-metal hypervisor. It isolates from the outside and you can run freeBSD, Windows or whatever on top of it.


Until the hypervisor itself gets infected.

Not for this one, but there has been malware that managed to break out of the virtual machine and run code on the host. It's not common and it's certainly not easy, but it's not impossible. Once the hypervisor is cracked you're royally screwed.


----------



## cyrano (Jul 22, 2016)

You really should take a look at Qubes.

I mean, it's still human made, of course. But the way Joanna Rutkowska and her team are building this is second to none, in my humble opinion.

Start here:




If you have the time. It's a long talk.


----------



## cyrano (Jul 24, 2016)

Qubes isn't meant for servers, but for desktop use. What it provides is a simple means to run several OSes simultaneously and to transfer data between them, while at the same time keeping them separated security-wise.

I'll agree that a properly set up FreeBSD system is probably more secure, but a lot of people need to run Windows software, or want to use, for instance, audio or video editors that are simply not available on FreeBSD. In that case, Qubes is a working, secure solution for people living in the real world.

I'll admit that the needed hardware specs aren't exactly low end, but that's to be expected.

And I'm open to suggestions if you have ever found something comparable...


----------



## zspider (Jul 25, 2016)

These days, you can't know for sure.

Just avoid being a person of interest, so that the people with the money and time to use advanced persistent threats, don't see the need to use them on you. If they want to get you they will.


----------



## SirDice (Jul 25, 2016)

gpatrick said:


> SmartOS is a Type 1 hypervisor that doesn't install to disk; /etc is recreated on boot and you can't write under /usr.


That won't matter much. Remember Code Red infecting IIS servers? That infected a machine and ran entirely from memory. It never dropped any files.


----------



## tomxor (Jul 25, 2016)

You can basically summarise all of the above as "you cannot trust the software"... because if you can't trust the OS then trying to trust any other software is pointless.

Separate hardware is generally a good idea (see Snowden's latest iPhone network monitor), but I'm not sure how much you would get from a network stack on separate hardware. I suppose it would be a trustworthy monitor: you could be confident that you know what your OS is sending packets to and when, just not for what reason or what their content is.


----------
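The kind of view a network monitor on separate hardware can give you, as an added example (not code from any post in this thread): it summarises per destination what a host talked to, when, and how much, and flags destinations that are not on an allow-list or that are contacted on a near-regular schedule. The flow-log format, the sample lines, the addresses and the allow-list are all constructed for this illustration; nothing here looks at payloads, which is exactly the limitation the post above describes.

```python
"""Summarise what a host talks to, and when, from a flow log captured on a
separate monitoring box. Added example: the log format and the lines are
constructed for this illustration; nothing here inspects payloads."""
from datetime import datetime

# Constructed flow records, one per line: ISO time, src, dst, port, proto, bytes.
# The addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS = """\
2016-08-04T02:13:05 192.168.1.10 192.168.1.1 53 udp 82
2016-08-04T02:13:05 192.168.1.10 203.0.113.7 443 tcp 5120
2016-08-04T02:13:09 192.168.1.10 203.0.113.7 443 tcp 1830
2016-08-04T03:00:00 192.168.1.10 198.51.100.23 443 tcp 412
2016-08-04T04:00:01 192.168.1.10 198.51.100.23 443 tcp 410
2016-08-04T05:00:00 192.168.1.10 198.51.100.23 443 tcp 415
2016-08-04T05:00:02 192.168.1.10 192.168.1.1 53 udp 79
"""

def parse_flows(text):
    """Yield (time, src, dst, port, proto, nbytes) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, port, proto, nbytes = parts
        yield (datetime.fromisoformat(ts), src, dst, int(port), proto, int(nbytes))

def summarise(flows):
    """Per (dst, port, proto): flow count, bytes and the list of times seen.
    This is all a monitor outside the host can tell you: what, when, how much."""
    out = {}
    for ts, _src, dst, port, proto, nbytes in flows:
        key = (dst, port, proto)
        s = out.setdefault(key, {"count": 0, "bytes": 0, "times": []})
        s["count"] += 1
        s["bytes"] += nbytes
        s["times"].append(ts)
    return out

def flag(summary, allow, min_count=3, jitter=5):
    """Return {key: [reasons]} for destinations off the allow-list, and for
    any destination contacted at least `min_count` times with gaps that all
    lie within `jitter` seconds of each other (beacon-like behaviour)."""
    findings = {}
    for key, s in summary.items():
        reasons = []
        if key[0] not in allow:
            reasons.append("not on allow-list")
        times = sorted(s["times"])
        if len(times) >= min_count:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if max(gaps) - min(gaps) <= jitter:
                reasons.append(f"periodic every ~{int(sum(gaps) / len(gaps))}s")
        if reasons:
            findings[key] = reasons
    return findings

if __name__ == "__main__":
    # Assumed allow-list: only the local gateway/resolver is expected traffic.
    summary = summarise(parse_flows(SAMPLE_FLOWS))
    for (dst, port, proto), reasons in flag(summary, allow={"192.168.1.1"}).items():
        s = summary[(dst, port, proto)]
        print(f"{dst}:{port}/{proto} flows={s['count']} bytes={s['bytes']} "
              f"first={min(s['times'])} last={max(s['times'])} -> {', '.join(reasons)}")
```

The hourly 443/tcp contact to 198.51.100.23 is what a compromised host's check-in looks like from outside: the monitor can tell you the cadence and the volume, but not whether it is an update check or an exfiltration channel, and it is blind to anything the host sends over a path the monitor does not sit on.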



## cyrano (Jul 31, 2016)

gpatrick said:


> Qubes is built on Xen which seems to regularly have vulnerabilities, some that garner a high risk rating by US CERT.
> 
> Besides, these virtualization products are all meant to utilize the large capacity of servers. Security was not the primary goal.



It seems you were right on Xen:

http://blog.quarkslab.com/xen-exploitation-part-2-xsa-148-from-guest-to-host.html


----------



## a6h (Aug 2, 2016)

Grell said:


> I do not like the idea of backdoors in my OS


Don't bother with backdoors in the OS, there's a known problem in the hardware.

If you have a chipset with the Intel IME/AMT feature (Core 2 and newer) on your mainboard, you have a "TCP/IP server"-powered backdoor in your system.
It's a *Ring -3!* level implementation, and the CPU has no way to control it.
Even if your system is in G2/S5 state, Intel IME/AMT is ON and has full access to the connected network interface.
While the system is running, it has full access to RAM, and it can bypass any software-based firewall.
You can't turn it off unless you unplug the network interface.


----------
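A check a FreeBSD user can actually run against the claim above, as an added example that is not code from any post in this thread: it parses `pciconf -lv` output and flags the Intel Management Engine Interface (MEI, older name HECI) PCI function, which is the host-visible side of the ME. The sample output below is constructed to mimic pciconf's layout and is not a capture from a real machine; the device name regex and the `vendor == 0x8086` test are this example's own heuristics. The important caveat is in the code: a missing MEI function only means the firmware is not exposing the interface to the host, not that the ME itself is off.

```python
"""Flag a PCI function that looks like Intel's Management Engine Interface
in `pciconf -lv` output (FreeBSD). Added example; the sample below is
constructed to mimic pciconf's layout, not captured from a real machine."""
import re
import sys

# Constructed sample in the layout pciconf -lv prints: one header line per
# PCI function, followed by indented 'key = value' lines.
SAMPLE_PCICONF = """\
hostb0@pci0:0:0:0:\tclass=0x060000 rev=0x07 hdr=0x00 vendor=0x8086 device=0x191f subvendor=0x1458 subdevice=0x5000
    vendor     = 'Intel Corporation'
    device     = 'Host Bridge/DRAM Registers'
    class      = bridge
    subclass   = HOST-PCI
none0@pci0:0:22:0:\tclass=0x078000 rev=0x31 hdr=0x00 vendor=0x8086 device=0xa13a subvendor=0x1458 subdevice=0x1c3a
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family MEI Controller #1'
    class      = simple comms
em0@pci0:0:31:6:\tclass=0x020000 rev=0x31 hdr=0x00 vendor=0x8086 device=0x15b8 subvendor=0x1458 subdevice=0xe000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection (2) I219-V'
    class      = network
    subclass   = ethernet
"""

HEADER = re.compile(r"^(?P<name>\S+)@(?P<sel>pci\d+:\d+:\d+:\d+):\s+(?P<fields>.*)$")
KV = re.compile(r"^\s+(?P<key>\w+)\s*=\s*'?(?P<val>.*?)'?\s*$")
# Names Intel has used for the host-side interface to the ME firmware (heuristic).
ME_NAME = re.compile(r"\b(MEI|HECI|Management Engine)\b", re.IGNORECASE)

def parse_pciconf(text):
    """Return one dict per PCI function: driver name, selector, the numeric
    header fields (vendor/device/class ...) and the verbose lines as *_str."""
    devs = []
    cur = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"name": m["name"], "sel": m["sel"]}
            for k, v in re.findall(r"(\w+)=(0x[0-9a-fA-F]+)", m["fields"]):
                cur[k] = int(v, 16)
            devs.append(cur)
            continue
        m = KV.match(line)
        if m and cur is not None:
            cur[m["key"] + "_str"] = m["val"]
    return devs

def find_mei(devs):
    """Intel vendor ID plus an ME-ish device name. MEI normally reports
    class 0x0780 (simple comms, other), but match on the name so an
    unusual class code does not hide it."""
    return [d for d in devs
            if d.get("vendor") == 0x8086 and ME_NAME.search(d.get("device_str", ""))]

if __name__ == "__main__":
    # Real use:  pciconf -lv | python3 mei_check.py   (reads stdin if piped)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PCICONF
    hits = find_mei(parse_pciconf(text))
    for d in hits:
        print(f"{d['sel']} ({d['name']}): {d['device_str']} "
              f"vendor=0x{d['vendor']:04x} device=0x{d['device']:04x}")
    if not hits:
        # Firmware can hide the MEI function while the ME keeps running:
        # absence here is not evidence that the ME is disabled.
        print("no MEI function visible to the host (this does not prove the ME is off)")
```

A positive hit tells you the chipset exposes the ME to the OS; it does not tell you whether AMT is provisioned, which is a separate question the OS cannot answer reliably from inside, since the management traffic is handled before it ever reaches the host's network stack or firewall.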



## Deleted member 9563 (Aug 2, 2016)

vigole said:


> Don't bother with backdoors in OS, there's a known problem in hardware system. . . .



It seems to me that all the cases of intrusion reported in the news have been using different zero day vulnerabilities. Perhaps I'm wrong, but why would someone use OS vulnerabilities if it wasn't necessary? Why are software developers fixing vulnerabilities if it doesn't make any difference?


----------



## kpedersen (Aug 2, 2016)

Heh, no it means that you must be paranoid about both hardware *and* software.

So start stockpiling old computers now in the hope that we can prolong the inevitable where we are all in digital (and probably physical) cages run by corporations and governments


----------



## roddierod (Aug 2, 2016)

kpedersen said:


> So start stockpiling old computers now in the hope that we can prolong the inevitable where we are all in digital (and probably physical) cages run by corporations and governments



HA HA! I thought I was the only one doing this. Still hoarding analog TVs so when those underground broadcasts start, I'm ready!


----------



## kpedersen (Aug 2, 2016)

Good to hear! My girlfriend thinks I have a problem and gets quite annoyed when she trips over one of my stacks of old T23 ThinkPads... But she'll see! One day...

We can just rest easy in our bomb shelter playing Age of Empires on the Thinkpads and watching old Disney VHS tapes, waiting for this whole corporate apocalypse thing to blow over


----------



## zspider (Aug 2, 2016)

kpedersen said:


> Heh, no it means that you must be paranoid about both hardware *and* software.
> 
> So start stockpiling old computers now in the hope that we can prolong the inevitable where we are all in digital (and probably physical) cages run by corporations and governments



At least long enough for us to live out our lives. I was going to chuck that Dell laptop, but not now. This could last a long time.


----------



## ronaldlees (Aug 2, 2016)

With control of the network, the little software and hardware hacks probably aren't needed anyway. So, I'm building tiny computers in tiny cast aluminum boxes that have no connection to the internet. When the time comes, I'll toss a few of them into my bag, along with the extra Tibetan robes and some reading material, and head off to the cave.


----------



## DiscmanDaemon (Aug 3, 2016)

kpedersen said:


> , Good to hear! My girlfriend thinks I have a problem and gets quite annoyed when she trips over one of my stacks of old T23 Thinkpads... But she'll see! One day...


Imagine the looks I get when I show up to a Starbucks with an X31 or a T43... and a stack of CDs and a Sony Discman.


----------



## Deleted member 9563 (Aug 3, 2016)

DiscmanDaemon said:


> Imagine the looks I get when I show up to a starbucks with a X-31 or a T-43... and a stack of CDs and a sony discman



That's nothing compared to the hassle I get when I plunk down my IBM 5155 and go looking for a plug. It got so bad that I started bringing my Honda generator, which resulted in them banning me completely. That's the price of freedom! So I make coffee at home now.






PS: yes I've got one, and it even has the original blue canvas carrying bag. 

PPS: Anybody got a FreeBSD 5.25" system disk?


----------



## ronaldlees (Aug 3, 2016)

I do have some 5.25 floppies, but they're dedicated to an OS/2 setup.  But, maybe you could twist my arm ...

I think I used a version of the IBM with eight inch floppies, IIRC.

I touched an Altair once (when it was only half built).  Now that'd be a good bet to get the attention of the coffee drinkers.


----------



## Crivens (Aug 3, 2016)

cyrano said:


> As far as software security goes, it's probably the most evolved system. It does require modern hardware and *will not disable* stuff like the Intel management engine in hardware.



So it's out. Nailing the windows shut (pun intended) but leaving the back door in place does not give you much.



kpedersen said:


> Heh, no it means that you must be paranoid about both hardware *and* software.
> 
> So start stockpiling old computers now in the hope that we can prolong the inevitable where we are all in digital (and probably physical) cages run by corporations and governments


I thought about giving that old HP-PA to someone, but for the same reasons you folks can't bin junk (her words, not mine), I can't either. And when there is discussion about a tax on them, you know you did something right.
PS: Still got my A3000T, that'll be all I need if need be.


----------



## big_girl (Aug 3, 2016)

This seems (as always) relevant.


----------



## Deleted member 9563 (Aug 3, 2016)

ronaldlees said:


> I do have some 5.25 floppies, but they're dedicated to an OS/2 setup. But, maybe you could twist my arm ...
> 
> I think I used a version of the IBM with eight inch floppies, IIRC.



Thanks for the offer but I actually have a good supply of 5.25 floppies - both single and double density. In fact some recently purchased. So, I was partially kidding.  But it would indeed be interesting to run a UNIX system on a floppy only system. I'm a big fan of the double floppy computer but they're mostly, if not all, 8088 based so not a good candidate for *nix. I've actually got a stack of XT boards with 1M soldered-in RAM if somebody wants one.


----------



## tomxor (Aug 4, 2016)

OJ said:


> That's nothing compared to the hassle I get when I plunk down my IBM 5155 and go looking for a plug. It got so bad that I started bringing my Honda generator, which resulted in them banning me completely. That's the price of freedom! So I make coffee at home now.



...And I thought I was old with my Compaq SLT and Atari STFM, these look like modern computers compared to that beast!





On topic: was the hardware in any of these old machines really any more knowable from a hardware level? They have more discrete collections of ICs but ultimately there is still some proprietary CPU at the centre of it all.


----------



## Crivens (Aug 4, 2016)

Maybe one should consider to 'roll your own'. Since it can be done, why not do it again? That should make it hard to backdoor any system, when you are only compatible on source level. Also, it might be fun. Not our beloved OS, but we left that limit behind several posts ago.


----------



## zspider (Aug 28, 2016)

Makes me tempted to obtain an IBM Thinkpad R40 and relive my days in high school. Haha.


----------



## Snurg (Aug 28, 2016)

Isn't the Unix philosophy of (relatively) simple (and maybe even open sourced and relatively easily auditable) programs doing only one thing and doing this well contrary to the needs of a secret service?

Wouldn't it make much more sense to introduce some monolithic large programs (that can easily control and divert all data the system handles) disguised as "progress", as "must-have-improvement" in a way that practically everybody is forced (or even wants) to use them?

Wouldn't gigantic code chunks like systemd or pulseaudio that are hard to impossible to audit as whole with their lots of (deliberate and accidental) hidden "bugs" that potentially could serve as tapping device or even as "kill switch" suit the state security agencies' needs better?

Doesn't it make people wonder why a big part of the massive pressure to introduce such "innovations" on a wide scale stems from Black Red Hat Linux, whose customer base to a large part consists of US government agencies of all sorts, some of them quite shady, and who employ people like Mr. Poettering to implement their needs?


----------



## tobik@ (Aug 28, 2016)

Snurg said:


> monolithic large programs (that can easily control and divert all data the system handles) disguised as "progress", as "must-have-improvement" in a way that practically everybody is forced (or even wants) to use them?


You mean a kernel?



Snurg said:


> Wouldn't gigantic code chunks like systemd or pulseaudio that are hard to impossible to audit as whole with their lots of (deliberate and accidental) hidden "bugs" that potentially could serve as tapping device or even as "kill switch" suit the state security agencies' needs better?


Maybe? Systemd is harmless as is PulseAudio with regards to code size. Ever look at a web browser's code (+ all the libraries they use)?


----------



## ronaldlees (Aug 28, 2016)

tobik said:


> You mean a kernel?



Yeah - but Linus vets every line (here's hoping).


----------



## Snurg (Aug 28, 2016)

tobik said:


> You mean a kernel?


Don't kernels have some intrinsic problems as an attack vector?
Won't the multitude of different, relatively short-lived kernels that get much attention make the introduction of some helpful "bugs" difficult?
Wouldn't the need for specially tailored individual "per-kernel treatment" be quite uneconomical?
Wouldn't such activities raise the risk of drawing undesirable attention to unacceptable levels?

Couldn't other vectors than kernels be more attractive from a secret service's standpoint?
Wouldn't things that allow the injection of exploitable tricks from a single, apparently innocuous spreader outlet be much more efficient for state services?



tobik said:


> Maybe? Systemd is harmless as is PulseAudio with regards to code size. Ever look at a web browser's code (+ all the libraries they use)?


Honestly, I am not sure whether one really can compare large userland applications with "relatively small" things that run as root.
Compared to usual kernel modules' code size systemd is already a giant.
And it is growing steadily, as more and more control functionality over more and more previously untouched system components is being added.

Wouldn't it be a big success for the big brothers if they'd manage that _all_ Linux computers (maybe except those of a few unimportant nerds) are equipped with a PID 1 they can access should the need arise?
Wouldn't such a thing be a glorious covert take-over of Linux, effectively making it a "secure" OS kernel with an attached remotely controllable "wrapper"?


----------



## zirias@ (Sep 1, 2016)

vigole said:


> Main functions of OS:
> [...]


Well you _could_ have a more abstract view on this: The main functions of an OS are

manage the machine it's running on (somehow, e.g. abstract the hardware) and
support the application that's valuable to the user
and that's it. The application is what counts, well, normally. In very narrow cases, like setting up a firewall box for your network, the OS _is_ the application. But most of the time, it isn't, and you must ask yourself: which OS will support my intended application the best under given circumstances, like hardware it should run on, or other non-functional requirements like performance and security/privacy ...

"Nerds" like us mistrust anything closed-source and might even ask questions about open-source as soon as it grows big enough that we can't review all of the code ourselves. And we treat the security/privacy requirement as even more important than the actual functional requirements (getting work done using the application). But be aware these aren't the priorities of the majority of users.


----------



## gofer_touch (Mar 29, 2017)

This thread was an interesting read. Has anyone ever heard of these guys: https://www.raptorengineering.com/TALOS/prerelease.php

Otherwise the only semi-modern alternative for secure hardware seems to be based on the Interlagos and Valencia Opteron CPUs and the corresponding Asus motherboards which can be coreboot flashed.


----------



## tingo (Apr 9, 2017)

Raptor Engineering and TALOS, yes, I've heard about them. The crowd funding campaign for the TALOS failed. So: people think that security is important, but there is a limit to how much people want to pay for better security.


----------



## gofer_touch (Apr 9, 2017)

There seems to be some consensus building that it really doesn't matter how secure the OS is. As long as there are hardware-level CPUs that can act independently of the OS, with access to RAM and the networking hardware, it's still possible to take over control of a system (i.e. Intel's Management Engine and AMD's Platform Security Processor in their new CPUs). Hence the argument for open hardware that can be audited.

Raptor Engineering tried with OpenPOWER, but it was more costly than what people were willing to pay. AMD's Bulldozer chips seem to be the most recent CPUs without the extra CPU cooked into the die.

Now there are calls for AMD to open up the PSP on Ryzen. Perhaps it will get somewhere.


----------



## Mjölnir (May 28, 2020)

ShelLuser said:


> Simple answer: by making sure said computer isn't connected to the Internet. In FreeBSD terms: by running this command: `# service netif down`. Or, if you'd like to remain connected to your local network: `# route del default`.
> 
> But in the end there are no certainties.


Nowadays, at least on UEFI machines, that's definitely NOT enough. The ME is still running _below_ the OS...
For non-Intel machines these "things" just have other names. And even on older BIOS-based machines, including consumer devices (e.g. ThinkPad), similar OOB can sometimes be found if the machine was targeted for business use.


----------



## kpedersen (May 28, 2020)

A lot has changed since this thread was resurrected from 2017 and luckily Raptor has managed to start manufacturing and selling their hardware without relying on crap like crowd funding. They have actually been really great as a company it seems. I really do hope that one day they can (almost single-handedly) free us from Intel's clutches.



mjollnir said:


> And even on older BIOS-based machines, including consumer devices (e.g. ThinkPad).



I really wanted to argue against this and say "no, you meant IdeaPad!" or something along those lines but no. You are right. ThinkPads unfortunately are absolutely consumer devices. There doesn't exist a non-consumer laptop brand it seems. Shame that they are still pretty much the best option :/


----------



## Mjölnir (May 28, 2020)

kpedersen said:


> [...] I really wanted to argue against this and say "no, you meant IdeaPad!" or something along those lines but no. You are right. ThinkPads unfortunately are absolutely consumer devices. There doesn't exist a non-consumer laptop brand it seems. Shame that they are still pretty much the best option :/


I'm interested in getting FreeBSD running on the tablet and phone of Pine64. I think a tablet-pro will come when the pinebook-pro has reasonable acceptance.  Anyone interested to join?


----------



## k3y5 (May 28, 2020)

mjollnir said:


> I'm interested in getting FreeBSD running on the tablet and phone of Pine64. I think a tablet-pro will come when the pinebook-pro has reasonable acceptance.  Anyone interested to join?



Count me in.


----------

