How likely is that a country or organization could create a public Linux distribution as a "cyberweapon" of some sort?
Some people [who?] are suspicious of Linux distributions coming from some countries [weasel wording][citation needed].
Would it really be feasible to somehow "weaponize" a linux distribution into, I don't know, a large-scale trojan, plus perhaps a distributed malicious AI*, or whatever?
My guess is that in order to hide something like that in an open source code it would have to be quite convoluted, but perhaps they could bet that seldom anyone would bother to somehow screen such large amounts of code, or somehow examine its behavior in some sort of quarantine?
And perhaps the code could be so that it kind of detects it's not on the real internets but in some fake quarantine internets, and behaves nicely as one would expect from a non-evil Linux?
I'm covering my mouse with tin foil, just in case.
* I imagine it could hack lots of stuff, like make stock brokers jump by the dozens on Wall Street; mess with flight controls, or traffic signals, provoking lots of "accidents", or mess with the electrical grid (making household appliances attack their owners), or perhaps somehow pump flammable gas from fracking into cities' water supplies, then people would drink the water and spontaneously combust, or at least spit fire, and so on. It would probably take hundreds of high-level hackers to counter-hack it all, with something like three to five people typing on the same keyboard for every computer being used (partly because some would explode as well, as the trojan virus defends itself).
weasel wording indeed.
anything particular on your mind?
generally speaking, this falls under the good ol' pro open source argument: you cannot "hide" anything in open source software.
So you think one can create an open source operating system that by itself runs attacks against thousands of targets? An evil box out of the box? You can attack other devices connected to the web but for any attack you need an individual strategy and regarding programs. So I think your idea is far from reality.
But if you give an OS to people with invisible code you can get as much information about the users as you want with it and you can manipulate the info they receive. And you can provide the users with a fake internet that provides fake news in any respect. That is why I use Linux and identify OSs like doze as a trojan.
I've just found out about "Deepin Linux", and in a YouTube video some guy commented suspiciously about how it's Chinese and there's no clue about who else would be financing it besides the government itself. Not that the government couldn't come up with a façade for that anyway, if being the sole financer was really a "red flag" for their ulterior purposes. One commenter made the pun that the malware is "deepin the code".
Ironically enough, before posting this, I've searched a little bit about this very subject here, where I've found people recommending Deepin and Red Flag Linux for someone scared of possibly NSA-backed (perhaps also general-globalist-backed) distros.
Funny how both these distros have such pun-prone names.
It is logical to assume that malicious code could be hidden in a project – these things are enormously big – but it's also logical to assume that the code would be quickly detected. One of the merits of open source is that it creates an environment in which there are a great many stakeholders, corporate and otherwise. There are a lot of people out there "minding the store."
Far more likely, in my book, is a rogue app for a mobile device. There are millions more mobiles out there than laptops, and these generally are closed systems even though they are based on open foundations. You buy a game as a binary; you don't know what's in it and you can't find out.
It’s good to see an anti-globalist here! In my experience, it seems like a lot of people in technology forums, and especially GNU/Linux forums, tend to be globalists, which I find irritating. It’s a rare thing to find an anti-globalist in one of these forums, and a welcome sight.
Unlike a lot of RMS supporters, I like Linux and FOSS out of practical reasons instead of ideology. I like it because it’s open-source, which makes it safer, and it also makes it possible for someone other than the original author to modify or maintain it. Linux is also Unix-like, which is great since I’ve been using MacOS as my primary OS since 2011, and I’ve been using Terminal for some tasks, like installing FOSS apps (via brew and cask) and moving files.
I can see no reason why a distribution could not be set up with code embedded at the behest of a government which allowed remote control by that government without it being easily detected.
I find it odd that others don't think it possible.
I have to admit though that if I had to choose between a US/UK leak and one to China I'd likely choose China because it's a heck of a lot harder for them to grab me and have me tortured to death without charge.
I very much doubt that any such distribution exists but I very much believe that it could.
Slightly similarly, a few years ago I used an open-source Second Life client (MMOD with no aim) and it was the best by far. One day I tried to log in and found that particular client was banned for unspecified reasons. It transpired that one of the developers had a feud with some guy and added some DoS code to the client -- lots of us used it, and some worked on it (I chatted with them) without realising it.
Not long ago there was a scientific article of some sort that posited that the odds of a conspiracy being kept secret diminish dramatically with the number of people involved in it, as there are more and more potential leakers/whistleblowers, and perhaps sheer managerial difficulties. Then they estimated how many people would theoretically be required to keep some classical conspiracy theories going, and reached unlikely numbers.
So, if for some reason an "evil distro" attracted lots of innocent contributors, the odds would really be that it would soon be exposed. People attempting that perhaps could still think it wouldn't attract other developers or people knowledgeable enough to detect anything weird. And perhaps even the "it would be soon found out" idea would end up working in their favor as a general suspension of suspicion.
But I don't know, I'm certainly not claiming that this is in fact what's happening, I'm just curious about the possibility, more or less like I'm curious about the possibility of weaponization of things like a more virulent flu strain. And, like with the flu strain, I think it would be interesting if "good" governments or organizations attempted to study the possibility of doing something like that (undetected by the real-world population, in the case of a distro; whereas the flu needs only lab tests), which would possibly make us think about strategies to either prevent that or deal with that.
But perhaps even an analog to the biological virus' lab testing for this cyberwarfare plan would suggest that an entire OS distribution is just not the best method of deployment, far worse when compared with closed source apps and whatnot.
The whole thing got me interested in reading or listening to podcasts about the whole subject of cyberwarfare; unfortunately it would take me some time to sort the wheat from the chaff. I'd only be able to eliminate the most alarmist fear-mongering tin-foil-hat types immediately, but I guess there's quite a good degree of BS that may seem plausible to lay people.
Most "minor" (for want of a better way of putting it) distros only have a few contributors though -- take something like the much-loved Slackware. I wonder how many people check its provided kernel against the upstream kernel to check for anything added? Now, with Slackware, for various reasons, I'd personally doubt anything would stay hidden for long, but what of one of the lesser-contributed-to Ubuntu derivatives or even something like Mint?
If a distro only has two or three main contributors to the main packages (upstream contributors ignored, since they've done their bit before any code gets introduced) then we're not talking about some kind of cloak-and-dagger conspiracy but just an honest-to-goodness trojan distribution. Sure, you'd hope that other contributors to packages such as web browsers might take a look at core code and smell a rat and, hopefully, they would but do we know that to be the case?
Just speculation, by the way, I'm not suggesting these things exist and I certainly don't worry too much about it but I don't see it as improbable even.
For sake of brevity, of course it can, probably already has, just a matter of scope and depth of project.
US Gov. (especially three-letter agencies) use Linux, in particular CentOS and RedHat (which they modify in house) for critical systems. Many of those agencies used to use Ubuntu for desktops/laptops; however, they switched away from it since it is a "foreign" company located outside of the USA. Those workstations typically use Fedora, CentOS and Slackware (for development).
It is not a stretch to think that code can be placed in the larger Linux sphere, only to be removed or closed on "their" end. Of course, it is still better than completely closed source programs/OSes, where you have no idea what is in there.
One could also argue that this was done many moons ago with Windows (interesting choice of name, by the way). Is Google/Android serving this purpose? Don't know. I agree with Stallman that we should stay away from closed source/non-free software/programs; however, I do use non-free firmware on one desktop, so I am pragmatic.
Any OS, except maybe the big 3, would be too little bang for the buck.
My money for most effective is Java, as it's closed, fits on anything including Linux, and can essentially operate as an OS in an OS doing near anything with full privileges. I'd rate it the best hacker tool ever.
Oracle's agreement is downright scary, by the way. At one point, it claims no responsibility for any malicious deeds done to anyone who ever even allowed anyone from three US government lists of sanctioned individuals or companies to touch said device. If that ain't bad enough, I went online to access these lists; 3 links to 3 lists led to 2 lists. After a couple of hours, I found no way to access the final list to ensure my sister, the cafe downstairs, or dog weren't there.
But, apparently, I (in Vietnam) should just avoid any and all who might work for anything other than Amerikan interests in return for flash game access and active porn ads. Having been one of perhaps the only two who ever actually read the agreement, I declined.
So clearly, Oracle is well aware of why it receives such lovely synergy. The same synergy phone companies have enjoyed for ages. Such companies lacking said synergies will find all permit processes prohibitively difficult against those that do.
I see a similar synergy with all Amerikan Software and hardware companies if not always so obvious or extreme. Carrot or stick, all companies there will comply once they have matured. I avoid closed-source US software whenever possible.
So, it doesn't really matter which OS you have if you fill it with feces along with the keys. And even if you are a patriot, the US can't keep secrets, and the key you entrusted them with will be with whoever bought the first copies or even just given away like in Vault7 (rootkits). If patriots must love and trust them, then do as you would with an autistic brother: do treat them well, but don't give them the keys to important stuff.
Nut-shell? Trust but verify, just like the streets. Closed means hidden and unacceptable.
How? Pick an open-source with some history and a rep for what you're looking for. Doesn't matter what country. China's BSD has me curious, but no talk yet, so I wait.
Malware and the like your concern? Pick a minimalist one you can build up to your needs and continue to verify through this process.
But if you have just gotta have some closed-source program like Java, it's called a walk of faith and I would wish anyone luck. Maybe even watch a bit, get the camera out...
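The check asked about earlier in the thread (does anyone compare a distro's shipped kernel source against the upstream kernel?) and the "trust but verify" advice just above can be turned into a small script. The following is an added example, not code from this thread, from LinuxQuestions, or from any distribution: it hashes every file in an upstream source tree and in a distro-shipped tree and reports what was added, removed or modified. The file names and contents in demo() are constructed for the illustration; the script assumes GNU coreutils sha256sum plus POSIX awk/find/sort, and does not handle paths containing spaces or newlines.

```shell
#!/bin/sh
# Added example (not from the thread or any distro): "trust but verify" by
# comparing a distro-shipped source tree against the upstream release it
# claims to be built from. Assumes GNU sha256sum and POSIX awk/find/sort.
# Paths with spaces or newlines are not handled (source trees normally have none).

# Print one "relative-path sha256" line per regular file under the given root.
hash_tree() {
    (cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "${f#./}" "$(sha256sum < "$f" | cut -d' ' -f1)"
    done)
}

# Report every divergence between upstream ($1) and shipped ($2), one per line:
#   added <path>     present only in the shipped tree (deserves a close look)
#   removed <path>   present only upstream
#   modified <path>  same path, different content (a distro patch, or worse)
compare_trees() {
    up_list=$(mktemp) || return 1
    sh_list=$(mktemp) || return 1
    hash_tree "$1" > "$up_list"
    hash_tree "$2" > "$sh_list"
    # First pass loads the upstream manifest; second pass walks the shipped one.
    awk 'FILENAME == ARGV[1] { h[$1] = $2; next }
         {
             if (!($1 in h)) print "added " $1; else if (h[$1] != $2) print "modified " $1
             delete h[$1]
         }
         END { for (p in h) print "removed " p }' "$up_list" "$sh_list" | LC_ALL=C sort
    rm -f "$up_list" "$sh_list"
}

# Build two tiny constructed trees (hypothetical file names) and compare them.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/upstream/drivers" "$base/shipped/drivers"
    # identical file in both trees: must not be reported
    printf 'int init(void) { return 0; }\n' > "$base/upstream/drivers/net.c"
    printf 'int init(void) { return 0; }\n' > "$base/shipped/drivers/net.c"
    # build file altered in the shipped tree
    printf 'obj-y += net.o\n' > "$base/upstream/Makefile"
    printf 'obj-y += net.o\nobj-y += extra.o\n' > "$base/shipped/Makefile"
    # file that exists only in the shipped tree
    printf '/* constructed: not in upstream */\n' > "$base/shipped/drivers/extra.c"
    # file dropped from the shipped tree
    printf 'GPL\n' > "$base/upstream/COPYING"
    compare_trees "$base/upstream" "$base/shipped"
    rm -rf "$base"
}

# Usage: ./verify_tree.sh --demo
#    or: compare_trees /path/to/extracted/upstream /path/to/extracted/distro-src
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

A non-empty report is a list of places to read, not proof of anything: distros routinely carry their own patches, so "modified" lines are expected and the interesting ones are "added" files nobody can account for. The upstream tree itself should be fetched from the project's own release and its signature or published checksum verified first, otherwise both sides of the comparison come from the same party.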
I have yet to find an OS that is secure. I know how some of the holes get in but not all of them. There are I'm sure many still in every OS. Hackers don't announce they put in a bug do they?
You would be correct to assume that any distro would be suspicious.
Just wait a bit, you'll see a security patch for some issue that came from some place way back.