Security, Linux and the Roving Bug

Her advocates claim Linux is more secure than Windows and as proof they
offer
the list of viruses that target Windows. The rebuttal is typically that
Window is an attractive target for virus writers due to its ubiquity. The
Linux advocate's reply is that, Linux's architecture makes it impossible to
hack. I think we've all seen this exchange. Whether Linux is immune from
hacking is an open question. What if Linux were ubiquitous? Would hackers
try to break in? Could hackers succeed? The answer to these questions is
yes.

Motorola has embraced Linux as the OS to run on its line of cell phones
(http://news.com.com/2100-1001-984424.html). The following link includes
over a dozen cell phone offering, including the Razr, which feature Linux:
http://www.linuxdevices.com/news/NS4504156025.html. Motorola is a leading
cell phone company. Motorola's market share has reached the critical mass
required to make the devices attractive to the l33t haxtorz.

Cell phones are venerable to a security threat called 'The Roving Bug'. The
bug allows people to listen in on you conversations even when the cell phone
is off. People can remotely turn on your cell phone, listen in on your
conversations, upload and download data, and take photos without you knowing
it. The only way to secure your cell phone and your privacy is to remove
the
battery.

Here's what one site has to say:


Nextel and Samsung handsets and the Motorola Razr are especially vulnerable
to software downloads that activate their microphones, said James Atkinson,
a
counter-surveillance consultant who has worked closely with government
agencies. "They can be remotely accessed and made to transmit room audio all
the time," he said. "You can do that without having physical access to the
phone."

Because modern handsets are miniature computers, downloaded software could
modify the usual interface that always displays when a call is in progress.
The spyware could then place a call to the FBI and activate the microphone--
all without the owner knowing it happened
http://hootsbuddy.blogspot.com/2006/...oving-bug.html

The article says, ". the Motorola Razr [running Linux] are especially
venerable ."

It turns out that Linux's security model is porous as a sieve. Devices
running Linux are being hacked and taken over by remote hackers. The
security hole persists even when the device is turned off. But is it some
secret 'back door' that only the government knows how to access? Nope, the
world knows how to by pass and exploit Linux's so-called security. Here's a
horror story describing the hell created because of Linux's weak security:
http://www.thenewstribune.com/news/c...ory/91460.html.

I am sure so will say, "B-b-b-but Windows blah, blah, blah." to which I
reply, "Irrelevant!"

This issue is about a bug in Linux. This is about a known bug in Linux
that's been hanging around for months. It is a bug a known bug in Linux
that's been hanging around for months that has not been fixed. This is
about
a security hole in Linux. Windows is not the issue here. This is a Linux
problem and not a Windows problem.

"Cassandra" wrote in message
news:bJCdnZBigMvgjRnbnZ2dnUVZ_veinZ2d-at-comcast.com. ..
: Her advocates claim Linux is more secure than Windows and as proof they
: offer
: the list of viruses that target Windows. The rebuttal is typically that
: Window is an attractive target for virus writers due to its ubiquity. The
: Linux advocate's reply is that, Linux's architecture makes it impossible
to
: hack. I think we've all seen this exchange. Whether Linux is immune from
: hacking is an open question. What if Linux were ubiquitous? Would
hackers
: try to break in? Could hackers succeed? The answer to these questions is
: yes.
:
: Motorola has embraced Linux as the OS to run on its line of cell phones
: (http://news.com.com/2100-1001-984424.html). The following link includes
: over a dozen cell phone offering, including the Razr, which feature Linux:
: http://www.linuxdevices.com/news/NS4504156025.html. Motorola is a
leading
: cell phone company. Motorola's market share has reached the critical mass
: required to make the devices attractive to the l33t haxtorz.
:
: Cell phones are venerable to a security threat called 'The Roving Bug'.
The
: bug allows people to listen in on you conversations even when the cell
phone
: is off. People can remotely turn on your cell phone, listen in on your
: conversations, upload and download data, and take photos without you
knowing
: it. The only way to secure your cell phone and your privacy is to remove
: the
: battery.
:
: Here's what one site has to say:
:
:
: Nextel and Samsung handsets and the Motorola Razr are especially
vulnerable
: to software downloads that activate their microphones, said James
Atkinson,
: a
: counter-surveillance consultant who has worked closely with government
: agencies. "They can be remotely accessed and made to transmit room audio
all
: the time," he said. "You can do that without having physical access to the
: phone."
:
: Because modern handsets are miniature computers, downloaded software could
: modify the usual interface that always displays when a call is in
progress.
: The spyware could then place a call to the FBI and activate the
microphone--
: all without the owner knowing it happened
: http://hootsbuddy.blogspot.com/2006/...oving-bug.html
:
: The article says, ". the Motorola Razr [running Linux] are especially
: venerable ."
:
: It turns out that Linux's security model is porous as a sieve. Devices
: running Linux are being hacked and taken over by remote hackers. The
: security hole persists even when the device is turned off. But is it some
: secret 'back door' that only the government knows how to access? Nope,
the
: world knows how to by pass and exploit Linux's so-called security. Here's
a
: horror story describing the hell created because of Linux's weak security:
: http://www.thenewstribune.com/news/c...ory/91460.html.
:
: I am sure so will say, "B-b-b-but Windows blah, blah, blah." to which I
: reply, "Irrelevant!"
:
: This issue is about a bug in Linux. This is about a known bug in Linux
: that's been hanging around for months. It is a bug a known bug in Linux
: that's been hanging around for months that has not been fixed. This is
: about
: a security hole in Linux. Windows is not the issue here. This is a Linux
: problem and not a Windows problem.

One thing I've learned after 20 years in the computer industry is that a
system's biggest security risk is complacency. Security isn't binary as
some Linux Loonies proclaim. Security is uniary and it is set to 'off'. If
you're the type who prefers a mathematic theory to support a concept then I
direct you to Gödel's Incompleteness Theory. Gödel theory is based on the
fact that all systems are inherently finite and therefore have external
forces acting upon them. The external forces, being outside the system, can
act in ways not predicted by the system. The system is vulnerable to forces
the system was not designed to handle. Security is a system and its role is
to defend against external forces. The system of security will always have
vulnerabilities since a finite system can not predict and account for an
infinite number of external forces.

Linux should be able to defend against security threats pretty well. You
need two tools to accommodate the inherent incompleteness of security
systems: vigilance and flexibility. Vigilance is used to identity
vulnerabilities early in its life-cycle and flexibility is used to defend
against it.

Linux's source code is open so the code is open to the scrutiny of millions
of eyes. Vigilance against security threats are not dependant on any one
person or group. There are millions of people watching out for security
holes in Linux. In theory at least, the Linux community is vigilant against
security threats.

Linux covers the requirement of flexibility very well too. Linux's code is
available to all to modify, compile and use. Anyone can fix vulnerability
once it is identified. There are probably 10's of thousands of people with
the knowledge, skill set and resources to fix security holes in Linux.
There is an added incentive to fixing security bugs in Linux. The Open
Source Community has a Cult of Personality* culture. The person who fixes
and implements major fixes to Linux would receive Rock Star status in the
Linux world. Someone who fixes a security hole the size of the 'Roving Bug'
might even get to sign (and touch) the boobies of all the girls who frequent
C.O.L.A. He may even get to have sex with a real girl if his mom would let
her into the basement. There are some huge incentives in the open source
community to fix security vulnerabilities like the Roving Bug.

Linux community contains enough 'eyes' to call it a vigilant environment.
Linux provides enough information and resources to call it a flexible
environment. Vigilance and flexibility are required for a secure
environment and Linux has both these. The Roving Bug persists in Linux.

On November 27, 2006 the U.S. District Court described the 'Roving Bug'
(http://www.politechbot.com/docs/fbi....ion.120106.txt).
Information on the 'Roving Bug' has been available to the public for about
six months. The Open Source Community has known about Linux's security
weakness for months. Hundreds of new and updated Linux distributions have
been announced on Linux's Distribution Watch since the 'Roving Bug' became
public. If the Open Source Community had the time and resources to create
hundreds of new distributions then the community had to time to fix the
Roving Bug. The bug persists and the Government is still exploiting a hole
in Linux to spy on innocent people. It is clear the Open Source Community
is not as responsive to bug fixes as the Linux Advocates claim.

To summarize the points:
Cell phones are vulnerable to hackers via the 'Roving Bug'.
Hackers include the government but also juvenile "l33t haxor" brats.
The cell phones that are vulnerable include the Razr which runs Linux.
Linux has a huge security vulnerability.
The open source community has known about the vulnerability.
The open source community has done nothing to fix the vulnerability.
Linux's security vulnerabilities persist.

The above is a list of documented facts. The facts illustrate a weakness in
Linux. No one will come forward and point me to a link where a fix to the
Roving Bug is available for download. Like Cassandra, I'll be ridiculed for
publicizing the truth about weaknesses in Linux and the Open Source
Development Model. The response will consist of name calling and unfounded
accusations. I'll be accused of being on Microsoft's payroll, my choice of
News Reader will come into question and I'll be called a nym-shifting racist
homophobe yet no one will address the issue; no one will fix Linux. The
security hole will continue and hackers will continue to exploit Linux
unbeknownst to the users.

The security holes in Linux will persist and Linux Loonies will pat
themselves on the back for 10 new Linux distributions and Roy S. will spam
C.O.L.A with 100 new posts announcing the new, redundant Linux distributions
and Mark Kent will laude his OCD as a benefit to the Linux cause. The
community focuses on destroying Microsoft and deludes themselves into
thinking GPL 3 will do it. I expect ridicule from the Linux Advocates for
sharing my wisdom. The ridicule only affirms the accuracy of my statements.

Shakespeare observed in King Lear, "Wisdom and goodness to the vile seem
vile: Filths savor but themselves" (Act IV, Scene II). Such is the sad
state of the Linux community.



* The three data points used to support the 'Cult of Personality culture'
observation would include Linus, Stallman and Larry Wall.

Cassandra wrote:

>
> This issue is about a bug in Linux. This is about a known bug in Linux
> that's been hanging around for months. It is a bug a known bug in Linux
> that's been hanging around for months that has not been fixed. This is
> about a security hole in Linux. Windows is not the issue here. This is a Linux
> problem and not a Windows problem.
>
>

Huh?

It seems to be more a bug in the cell-phone protocol/hardware. Or
possibly a hardware mod to the cell phones. I can well imagine the cell
phone companies would have a way to update the firmware in your phone
remotely.

Nothing to say that it's due to linux being on the phone.

The only reason it's not *also* a windows problem is that windows can't
possibly run on a cellphone....

As to the "horror story" - why don't they get a prepaid phone? Or do
away with cell phones altogether? Or stuff the damn things into a sock
while they're not using them? Christ, people used to live their whole
lives without cell phones.

Nedd Ludd wrote:

>
> To summarize the points:
> a) Cell phones are vulnerable to hackers via the 'Roving Bug'.
> Hackers include the government but also juvenile "l33t haxor" brats.
> b) The cell phones that are vulnerable include the Razr which runs Linux.
> c) Linux has a huge security vulnerability.
> The open source community has known about the vulnerability.
> The open source community has done nothing to fix the vulnerability.
> Linux's security vulnerabilities persist.
>
> The above is a list of documented facts. The facts illustrate a weakness in
> Linux. No one will come forward and point me to a link where a fix to the
> Roving Bug is available for download.

Please demonstrate.

If we take your points a) and b), I could just as easily say,

The cell phones that are vulnerable include those that come in blue.
Therefore all blue phones (and only blue phones) are vulnerable.
Furthermore, it is the fault of the blue color that they are vulnerable.

So far, I have not seen anything that would indicate that this is a
*linux* issue. It is, AFAICT, a cell phone issue.

The ability to remotely turn on the mike must be in the hardware; I know
of no such ability within the linux kernel.

Presumably, once the phone is off, the linux kernel is not running; yet
according to the reports, the phone can still transmit conversations.

How is this then a linux issue? Is the linux kernel imbued with some
ghost geekiness that allows it to run even if shut off? playing> Or perhaps is there some Uber-kernel that persists beyond all
attempts to power it off, sucking the energy from the ether?

"CptDondo" wrote in message
news:13885j98uu1do0b-at-corp.supernews.com...
: Cassandra wrote:
:
: >
: > This issue is about a bug in Linux. This is about a known bug in Linux
: > that's been hanging around for months. It is a bug a known bug in Linux
: > that's been hanging around for months that has not been fixed. This is
: > about a security hole in Linux. Windows is not the issue here. This is
a Linux
: > problem and not a Windows problem.
: >
: >
:
: Huh?
:
: It seems to be more a bug in the cell-phone protocol/hardware. Or
: possibly a hardware mod to the cell phones. I can well imagine the cell
: phone companies would have a way to update the firmware in your phone
: remotely.
:
: Nothing to say that it's due to linux being on the phone.

The features of the phone such are the way the firmware is updated are
executed by Linux.
The vulnerability on these phones is a result of Linux.
The Roving Bug is a huge security hole in these phones.
Its presents and exploitation is facilitated by Linux.

Nedd Ludd wrote:
>
> The features of the phone such are the way the firmware is updated are
> executed by Linux.

Please document this. Non-linux phones cannot be updated?

> The vulnerability on these phones is a result of Linux.

Please document this. Non-linux-based phones don't have this vulnerability?

> The Roving Bug is a huge security hole in these phones.

Yes.

> Its presents and exploitation is facilitated by Linux.

Please document this. Non-linux phones don't have this vulnerability?

On Thu, 28 Jun 2007 16:10:00 -0400, Nedd Ludd wrote:

> "Cassandra" wrote in message
> news:bJCdnZBigMvgjRnbnZ2dnUVZ_veinZ2d-at-comcast.com. ..
> : Her advocates claim Linux is more secure than Windows and as proof they
> : offer
> : the list of viruses that target Windows. The rebuttal is typically that
> : Window is an attractive target for virus writers due to its ubiquity. The
> : Linux advocate's reply is that, Linux's architecture makes it impossible
> to
> : hack. I think we've all seen this exchange. Whether Linux is immune from
> : hacking is an open question. What if Linux were ubiquitous? Would
> hackers
> : try to break in? Could hackers succeed? The answer to these questions is
> : yes.
> :
> : Motorola has embraced Linux as the OS to run on its line of cell phones
> : (http://news.com.com/2100-1001-984424.html). The following link includes
> : over a dozen cell phone offering, including the Razr, which feature Linux:
> : http://www.linuxdevices.com/news/NS4504156025.html. Motorola is a
> leading
> : cell phone company. Motorola's market share has reached the critical mass
> : required to make the devices attractive to the l33t haxtorz.
> :
> : Cell phones are venerable to a security threat called 'The Roving Bug'.
> The
> : bug allows people to listen in on you conversations even when the cell
> phone
> : is off. People can remotely turn on your cell phone, listen in on your
> : conversations, upload and download data, and take photos without you
> knowing
> : it. The only way to secure your cell phone and your privacy is to remove
> : the
> : battery.
> :
> : Here's what one site has to say:
> :
> :
> : Nextel and Samsung handsets and the Motorola Razr are especially
> vulnerable
> : to software downloads that activate their microphones, said James
> Atkinson,
> : a
> : counter-surveillance consultant who has worked closely with government
> : agencies. "They can be remotely accessed and made to transmit room audio
> all
> : the time," he said. "You can do that without having physical access to the
> : phone."
> :
> : Because modern handsets are miniature computers, downloaded software could
> : modify the usual interface that always displays when a call is in
> progress.
> : The spyware could then place a call to the FBI and activate the
> microphone--
> : all without the owner knowing it happened
> : http://hootsbuddy.blogspot.com/2006/...oving-bug.html
> :
> : The article says, ". the Motorola Razr [running Linux] are especially
> : venerable ."
> :
> : It turns out that Linux's security model is porous as a sieve. Devices
> : running Linux are being hacked and taken over by remote hackers. The
> : security hole persists even when the device is turned off. But is it some
> : secret 'back door' that only the government knows how to access? Nope,
> the
> : world knows how to by pass and exploit Linux's so-called security. Here's
> a
> : horror story describing the hell created because of Linux's weak security:
> : http://www.thenewstribune.com/news/c...ory/91460.html.
> :
> : I am sure so will say, "B-b-b-but Windows blah, blah, blah." to which I
> : reply, "Irrelevant!"
> :
> : This issue is about a bug in Linux. This is about a known bug in Linux
> : that's been hanging around for months. It is a bug a known bug in Linux
> : that's been hanging around for months that has not been fixed. This is
> : about
> : a security hole in Linux. Windows is not the issue here. This is a Linux
> : problem and not a Windows problem.
>
> One thing I've learned after 20 years in the computer industry is that a
> system's biggest security risk is complacency. Security isn't binary as
> some Linux Loonies proclaim. Security is uniary and it is set to 'off'. If
> you're the type who prefers a mathematic theory to support a concept then I
> direct you to Gödel's Incompleteness Theory. Gödel theory is based on the
> fact that all systems are inherently finite and therefore have external
> forces acting upon them. The external forces, being outside the system, can
> act in ways not predicted by the system. The system is vulnerable to forces
> the system was not designed to handle. Security is a system and its role is
> to defend against external forces. The system of security will always have
> vulnerabilities since a finite system can not predict and account for an
> infinite number of external forces.

The incompleteness theorm has nothing to do with finiteness at all. It
merely says that there are statements which are not mathematcially
provable to be either true or false - i.e. mathematical theory is
'incomplete'.

>
> Linux should be able to defend against security threats pretty well. You
> need two tools to accommodate the inherent incompleteness of security
> systems: vigilance and flexibility. Vigilance is used to identity
> vulnerabilities early in its life-cycle and flexibility is used to defend
> against it.
>
> Linux's source code is open so the code is open to the scrutiny of millions
> of eyes. Vigilance against security threats are not dependant on any one
> person or group. There are millions of people watching out for security
> holes in Linux. In theory at least, the Linux community is vigilant against
> security threats.
>
> Linux covers the requirement of flexibility very well too. Linux's code is
> available to all to modify, compile and use. Anyone can fix vulnerability
> once it is identified. There are probably 10's of thousands of people with
> the knowledge, skill set and resources to fix security holes in Linux.
> There is an added incentive to fixing security bugs in Linux. The Open
> Source Community has a Cult of Personality* culture. The person who fixes
> and implements major fixes to Linux would receive Rock Star status in the
> Linux world. Someone who fixes a security hole the size of the 'Roving Bug'
> might even get to sign (and touch) the boobies of all the girls who frequent
> C.O.L.A. He may even get to have sex with a real girl if his mom would let
> her into the basement. There are some huge incentives in the open source
> community to fix security vulnerabilities like the Roving Bug.
>
> Linux community contains enough 'eyes' to call it a vigilant environment.
> Linux provides enough information and resources to call it a flexible
> environment. Vigilance and flexibility are required for a secure
> environment and Linux has both these. The Roving Bug persists in Linux.
>
> On November 27, 2006 the U.S. District Court described the 'Roving Bug'
> (http://www.politechbot.com/docs/fbi....ion.120106.txt).
> Information on the 'Roving Bug' has been available to the public for about
> six months. The Open Source Community has known about Linux's security
> weakness for months. Hundreds of new and updated Linux distributions have
> been announced on Linux's Distribution Watch since the 'Roving Bug' became
> public. If the Open Source Community had the time and resources to create
> hundreds of new distributions then the community had to time to fix the
> Roving Bug. The bug persists and the Government is still exploiting a hole
> in Linux to spy on innocent people. It is clear the Open Source Community
> is not as responsive to bug fixes as the Linux Advocates claim.
>
> To summarize the points:
> Cell phones are vulnerable to hackers via the 'Roving Bug'.
> Hackers include the government but also juvenile "l33t haxor" brats.
> The cell phones that are vulnerable include the Razr which runs Linux.
> Linux has a huge security vulnerability.
> The open source community has known about the vulnerability.
> The open source community has done nothing to fix the vulnerability.
> Linux's security vulnerabilities persist.
>
> The above is a list of documented facts. The facts illustrate a weakness in
> Linux. No one will come forward and point me to a link where a fix to the
> Roving Bug is available for download. Like Cassandra, I'll be ridiculed for
> publicizing the truth about weaknesses in Linux and the Open Source
> Development Model. The response will consist of name calling and unfounded
> accusations. I'll be accused of being on Microsoft's payroll, my choice of
> News Reader will come into question and I'll be called a nym-shifting racist
> homophobe yet no one will address the issue; no one will fix Linux. The
> security hole will continue and hackers will continue to exploit Linux
> unbeknownst to the users.
>
> The security holes in Linux will persist and Linux Loonies will pat
> themselves on the back for 10 new Linux distributions and Roy S. will spam
> C.O.L.A with 100 new posts announcing the new, redundant Linux distributions
> and Mark Kent will laude his OCD as a benefit to the Linux cause. The
> community focuses on destroying Microsoft and deludes themselves into
> thinking GPL 3 will do it. I expect ridicule from the Linux Advocates for
> sharing my wisdom. The ridicule only affirms the accuracy of my statements.
>
> Shakespeare observed in King Lear, "Wisdom and goodness to the vile seem
> vile: Filths savor but themselves" (Act IV, Scene II). Such is the sad
> state of the Linux community.
>
>
>
> * The three data points used to support the 'Cult of Personality culture'
> observation would include Linus, Stallman and Larry Wall.

The fact remains that I have been running three or more computers on a
home network accessible to the internet via a broadbanc connection for
over five years - online 24/7/365 - and have NEVER seen a malware
infestation. Do I care why?

Cassandra wrote:

>Her

Stupid fscking cross-posting troll.

*plonk*

Oldtech wrote:
> CptDondo wrote:
>> Nedd Ludd wrote:
>>> The features of the phone such are the way the firmware is updated are
>>> executed by Linux.
>> Please document this. Non-linux phones cannot be updated?
>>
>>> The vulnerability on these phones is a result of Linux.
>> Please document this. Non-linux-based phones don't have this
>> vulnerability?
>>
>>> The Roving Bug is a huge security hole in these phones.
>> Yes.
>>
>>> Its presents and exploitation is facilitated by Linux.
>> Please document this. Non-linux phones don't have this vulnerability?
> Me thinks the lady doth protest too much, CptDondo.
>
> It sounds like the Microsoft patent hype. Lots of claims, but, no
> specifics are offered that we can verify.
>
> I am willing to bet my favorite ham in Mohamed's frig. that this is a
> plant by felon Microsoft trolls.

Oh no doubt. It's just a slow day at work and the A/C doesn't work...

CptDondo wrote:
> Nedd Ludd wrote:
>>
>> The features of the phone such are the way the firmware is updated are
>> executed by Linux.
>
> Please document this. Non-linux phones cannot be updated?
>
>> The vulnerability on these phones is a result of Linux.
>
> Please document this. Non-linux-based phones don't have this
> vulnerability?
>
>> The Roving Bug is a huge security hole in these phones.
>
> Yes.
>
>> Its presents and exploitation is facilitated by Linux.
>
> Please document this. Non-linux phones don't have this vulnerability?
Me thinks the lady doth protest too much, CptDondo.

It sounds like the Microsoft patent hype. Lots of claims, but, no
specifics are offered that we can verify.

I am willing to bet my favorite ham in Mohamed's frig. that this is a
plant by felon Microsoft trolls.