www-commits

www/server/staging/proprietary proprietary-back...


From: Therese Godefroy
Subject: www/server/staging/proprietary proprietary-back...
Date: Thu, 22 Feb 2018 10:31:22 -0500 (EST)

CVSROOT:        /webcvs/www
Module name:    www
Changes by:     Therese Godefroy <th_g> 18/02/22 10:31:22

Added files:
        server/staging/proprietary: proprietary-back-doors.html 

Log message:
        Reorganize back doors in 4 categories (see www-discuss 2018-02-22).

CVSWeb URLs:
http://web.cvs.savannah.gnu.org/viewcvs/www/server/staging/proprietary/proprietary-back-doors.html?cvsroot=www&rev=1.1

Patches:
Index: proprietary-back-doors.html
===================================================================
RCS file: proprietary-back-doors.html
diff -N proprietary-back-doors.html
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ proprietary-back-doors.html 22 Feb 2018 15:31:19 -0000      1.1
@@ -0,0 +1,459 @@
+<!--#include virtual="/server/header.html" -->
+<!-- Parent-Version: 1.85 -->
+<title>Proprietary Back Doors - GNU Project - Free Software Foundation</title>
+ <!--#include virtual="/proprietary/po/proprietary-back-doors.translist" -->
+<!--#include virtual="/server/banner.html" -->
+<h2>Proprietary Back Doors</h2>
+
+<p><a href="/proprietary/proprietary.html">Other examples of proprietary 
malware</a></p>
+
+<p>Nonfree (proprietary) software is very often malware (designed to
+mistreat the user). Nonfree software is controlled by its developers,
+which puts them in a position of power over the users; <a
+href="/philosophy/free-software-even-more-important.html">that is the
+basic injustice</a>. The developers often exercise that power to the
+detriment of the users they ought to serve.</p>
+
+<p>Here are examples of demonstrated back doors in proprietary software.
+They are sorted out according to what they are known to allow. Back doors
+that can be used for remotely changing or installing software are called
+&ldquo;universal&rdquo; because they grant the developer total control
+over the user's computer.</p>
+
+<p class="c">
+   <a href="#spying">Spying&nbsp;on&nbsp;users</a> |
+   <a href="#user-access">Manipulating&nbsp;users'&nbsp;data/settings</a> |
+   <a href="#root-access">Changing/installing&nbsp;software</a> |
+   <a href="#other">Other/undefined</a>
+</p>
+
+<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
+
+<h3 id="spying">Spying on users</h3>
+<ul>
+  <li>
+    <p id="InternetCameraBackDoor">Many models of Internet-connected
+      cameras contain a glaring back door&mdash;they have login accounts
+      with hard-coded passwords, which can't be changed, and <a
+      
href="https://arstechnica.com/security/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/";>
+      there is no way to delete these accounts either</a>.</p>
+    <p>Since these accounts with hard-coded passwords are impossible to
+      delete, this problem is not merely an insecurity; it amounts to a
+      back door that can be used by the manufacturer (and government) to
+      spy on users.</p>
+  </li>
+
+  <li>
+    <p>WhatsApp <a
+      
href="https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages";>
+      has a back door that the company can use to read the plaintext
+      of messages</a>.</p>
+    <p>This should not come as a surprise. Nonfree software for
+      encryption is never trustworthy.</p>
+  </li>
+
+  <li>
+    <p><a 
href="https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/";>
+      Microsoft has already backdoored its disk encryption</a>.</p>
+  </li>
+
+  <li>
+    <p>Apple can, and regularly does, <a
+      
href="http://arstechnica.com/apple/2014/05/new-guidelines-outline-what-iphone-data-apple-can-give-to-police/";>
+      remotely extract some data from iPhones for the state</a>.</p>
+    <p>This may have improved with <a
+      
href="http://www.washingtonpost.com/business/technology/2014/09/17/2612af58-3ed2-11e4-b03f-de718edeb92f_story.html";>
+      iOS 8 security improvements</a>; but <a
+      href="https://firstlook.org/theintercept/2014/09/22/apple-data/";>
+      not as much as Apple claims</a>.</p>
+  </li>
+</ul>
+
+<h3 id="user-access">Manipulating users' data or settings</h3>
+<ul>
+  <li id="chrome-erase-addons">
+    <p>Chrome has a back door <a
+      
href="https://consumerist.com/2017/01/18/why-is-google-blocking-this-ad-blocker-on-chrome/";>
+      for remote erasure of add-ons</a>.</p>
+  </li>
+
+  <li>
+    <p>A pregnancy test controller application not only can <a
+      
href="http://www.theverge.com/2016/4/25/11503718/first-response-pregnancy-pro-test-bluetooth-app-security";>
+      spy on many sorts of data in the phone, and in server accounts, it
+      can alter them too</a>.</p>
+  </li>
+
+  <li>
+    <p>The Dropbox app for Macintosh <a
+      
href="http://applehelpwriter.com/2016/07/28/revealing-dropboxs-dirty-little-security-hack/";>
+      takes total control of the machine by repeatedly nagging the user
+      for an admin password</a>.</p>
+  </li>
+
+  <li>
+    <p>Users reported that <a 
+      
href="http://www.networkworld.com/article/2993490/windows/windows-10-upgrades-reportedly-appearing-as-mandatory-for-some-users.html#tk.rss_all";>
+      Microsoft was forcing them to replace Windows 7 and 8 with all-spying 
+      Windows 10</a>.</p>
+    <p>Microsoft was in fact <a 
+      
href="http://www.computerworld.com/article/3012278/microsoft-windows/microsoft-sets-stage-for-massive-windows-10-upgrade-strategy.html";>
+      attacking computers that run Windows 7 and 8</a>, switching on a flag 
+      that said whether to &ldquo;upgrade&rdquo; to Windows 10 when users 
+      had turned it off.</p>
+    <p>Later on, Microsoft published instructions on <a 
+      
href="http://arstechnica.com/information-technology/2016/01/microsoft-finally-has-a-proper-way-to-opt-out-of-windows-78-to-windows-10-upgrades/";>
+      how to permanently reject the downgrade to Windows 10</a>.</p>
+    <p>This seems to involve use of a back door in Windows 7 and 8.</p>
+  </li>
+
+  <li>
+    <p>Caterpillar vehicles come with <a
+      
href="http://www.zerohedge.com/news/2015-11-19/caterpillar-depression-has-never-been-worse-it-has-cunning-plan-how-deal-it";>
+      a back door to shutoff the engine</a> remotely.</p>
+  </li>
+
+  <li>
+    <p>Modern gratis game cr&hellip;apps
+      <a 
href="http://toucharcade.com/2015/09/16/we-own-you-confessions-of-a-free-to-play-producer/";>
+      collect a wide range of data about their users and their users' 
+      friends and associates</a>.</p>
+    <p>Even nastier, they do it through ad networks that merge the data
+      collected by various cr&hellip;apps and sites made by different 
+      companies.</p>
+    <p>They use this data to manipulate people to buy things, and hunt 
+      for &ldquo;whales&rdquo; who can be led to spend a lot of money. They 
+      also use a back door to manipulate the game play for specific 
players.</p>
+    <p>While the article describes gratis games, games that cost money 
+      can use the same tactics.</p>
+  </li>
+
+  <li>
+    <p><a id="samsung"
+      
href="https://www.fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor";>
+      Samsung Galaxy devices running proprietary Android versions come with
+      a back door</a> that provides remote access to the files stored on
+      the device.</p>
+  </li>
+
+  <li>
+    <p><a 
href="http://www.itworld.com/article/2705284/data-protection/backdoor-found-in-d-link-router-firmware-code.html";>
+      Some D-Link routers</a> have a back door for changing settings in a
+      dlink of an eye.</p>
+    <p><a href="https://github.com/elvanderb/TCP-32764";>Many models of router
+      have back doors</a>.</p>
+    </li>
+
+  <li>
+    <p><a href="http://sekurak.pl/tp-link-httptftp-backdoor/";>
+      The TP-Link router has a back door</a>.</p>
+  </li>
+
+  <li id="swindle-eraser">
+    <p>The Amazon Kindle-Swindle has a back door that has been used to <a
+      
href="http://pogue.blogs.nytimes.com/2009/07/17/some-e-books-are-more-equal-than-others/";>
+      remotely erase books</a>.  One of the books erased was 1984, by George
+      Orwell.</p>
+    <p>Amazon responded to criticism by saying it would delete books only
+      following orders from the state.  However, that policy didn't last.
+      In 2012 it <a
+      
href="http://boingboing.net/2012/10/22/kindle-user-claims-amazon-dele.html";>
+      wiped a user's Kindle-Swindle and deleted her account</a>, then
+      offered her kafkaesque &ldquo;explanations.&rdquo;</p>
+    <p>Do other ebook readers have back doors in their nonfree software?
+      We don't know, and we have no way to find out.  There is no reason
+      to assume that they don't.</p>
+  </li>
+
+  <li>
+    <p>The iPhone has a back door for <a
+      
href="http://www.npr.org/2010/11/22/131511381/wipeout-when-your-company-kills-your-iphone";>
+      remote wipe</a>.  It's not always enabled, but users are led into
+      enabling it without understanding.</p>
+  </li>
+</ul>
+
+<h3 id="root-access">Changing or installing software</h3>
+
+<ul>
+  <li>
+    <p>ChromeOS has a universal back door. At least, Google says
+      it does&mdash;in <a
+      href="https://www.google.com/intl/en/chromebook/termsofservice.html";>
+      section 4 of the EULA</a>.</p>
+  </li>
+
+  <li>
+    <p>The Furby Connect has a <a
+      
href="https://web.archive.org/web/20171124134624/https://www.contextis.com/blog/dont-feed-them-after-midnight-reverse-engineering-the-furby-connect";>
+      universal back door</a>. If the product as shipped doesn't act as a
+      listening device, remote changes to the code could surely convert it
+      into one.</p>
+  </li>
+
+  <li>
+    <p>Sony has brought back its robotic pet Aibo, this time <a
+      
href="https://motherboard.vice.com/en_us/article/bj778v/sony-wants-to-sell-you-a-subscription-to-a-robot-dog-aibo-90s-pet";>
+      with a universal back door, and tethered to a server that requires a
+      subscription</a>.</p>
+  </li>
+
+  <li>
+    <p>Tesla cars have a <a
+      
href="https://techcrunch.com/2017/09/09/tesla-flips-a-switch-to-increase-the-range-of-some-cars-in-florida-to-help-people-evacuate/";>
+      universal back door</a>.</p>
+    <p>While remotely allowing car &ldquo;owners&rdquo; to use the whole
+      battery capacity did not do them any harm, the same back door would
+      permit Tesla (perhaps under the command of some government) to
+      remotely order the car to use none of its battery. Or perhaps to drive
+      its passenger to a torture prison.</p>
+  </li>
+
+  <li>
+    <p>Vizio &ldquo;smart&rdquo; TVs <a
+      
href="https://www.ftc.gov/news-events/blogs/business-blog/2017/02/what-vizio-was-doing-behind-tv-screen";>
+      have a universal back door</a>.</p>
+  </li>
+
+  <li>
+    <p>The Amazon Echo appears to have a universal back door, since <a
+      href="https://en.wikipedia.org/wiki/Amazon_Echo#Software_updates";>
+      it installs &ldquo;updates&rdquo; automatically</a>.</p>
+    <p>We have found nothing explicitly documenting the lack of any way to
+      disable remote changes to the software, so we are not completely sure
+      there isn't one, but it seems pretty clear.</p>
+  </li>
+
+  <li>
+    <p>Xiaomi phones come with <a
+      
href="https://www.thijsbroenink.com/2016/09/xiaomis-analytics-app-reverse-engineered";>
+      a universal back door in the application processor, for
+      Xiaomi's use</a>.</p>
+    <p>This is separate from <a href="#universal-back-door-phone-modem">the
+      universal back door in the modem processor that the local
+      phone company can use</a>.</p>
+  </li>
+
+  <li>
+    <p>Capcom's Street Fighter V update <a
+      href="https://www.theregister.co.uk/2016/09/23/capcom_street_fighter_v/";>
+      installed a driver that can be used as a back door by any application
+      installed on a Windows computer</a>.</p>
+  </li>
+
+  <li>
+    <p>Baidu's proprietary Android library, Moplus, has a back door that <a
+      
href="https://www.eff.org/deeplinks/2015/11/millions-android-devices-vulnerable-remote-hijacking-baidu-wrote-code-google-made";>
+      can &ldquo;upload files&rdquo; as well as forcibly install apps</a>.</p>
+    <p>It is used by 14,000 Android applications.</p>
+  </li>
+  
+  <li>
+    <p>Microsoft Windows has a universal back door through which <a
+      
href="https://web.archive.org/web/20071011010707/http://informationweek.com/news/showArticle.jhtml?articleID=201806263";>
+      any change whatsoever can be imposed on the users</a>.</p>
+    <p>More information on when <a
+      href="http://slated.org/windows_by_stealth_the_updates_you_dont_want";>
+      this was used</a>.</p>
+    <p>In Windows 10, the universal back door is no longer hidden; all
+      &ldquo;upgrades&rdquo; will be <a
+      
href="http://arstechnica.com/information-technology/2015/07/windows-10-updates-to-be-automatic-and-mandatory-for-home-users/";>
+      forcibly and immediately imposed</a>.</p>
+  </li>
+
+  <li>
+    <p>Mac OS X had an <a
+      
href="https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/";>
+      intentional local back door for 4 years</a>.</p>
+  </li>
+
+  <li>
+    <p id="universal-back-door">Almost every phone's communication
+      processor has a universal back door which is <a
+      
href="https://www.schneier.com/blog/archives/2006/12/remotely_eavesd_1.html";>
+      often used to make a phone transmit all conversations it hears</a>.</p>
+    <p>The back door <a
+      
href="http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone";>
+      may take the form of bugs that have gone 20 years unfixed</a>.
+      The choice to leave the security holes in place is morally
+      equivalent to writing a back door.</p>
+    <p>The back door is in the &ldquo;modem processor&rdquo;, whose
+      job is to communicate with the radio network.  In most phones,
+      the modem processor controls the microphone.  In most phones it
+      has the power to rewrite the software for the main processor
+      too.</p>
+    <p>A few phone models are specially designed so that the modem
+      processor does not control the microphone, and so that it can't
+      change the software in the main processor.  They still have the
+      back door, but at least it is unable to turn the phone unto a
+      listening device.</p>
+    <p>The universal back door is apparently also used to make phones <a
+      
href="http://www.slate.com/blogs/future_tense/2013/07/22/nsa_can_reportedly_track_cellphones_even_when_they_re_turned_off.html";>
+      transmit even when they are turned off</a>.  This means their
+      movements are tracked, and may also make the listening feature
+      work.</p>
+  </li>
+
+  <li>
+    <p><a 
href="http://www.theguardian.com/technology/2014/dec/18/chinese-android-phones-coolpad-hacker-backdoor";>
+      A Chinese version of Android has a universal back door</a>. Nearly
+      all models of mobile phones have a universal back door in the modem
+      chip. So why did Coolpad bother to introduce another? Because this
+      one is controlled by Coolpad.</p>
+  </li>
+
+  <li>
+    <p><a 
href="http://www.techienews.co.uk/973462/bitcoin-miners-bundled-pups-legitimate-applications-backed-eula/";>
+      Some applications come with MyFreeProxy, which is a universal back door
+      that can download programs and run them.</a></p>
+  </li>
+
+  <li>
+    <p>In addition to its <a href="#swindle-eraser">book eraser</a>, the
+      Kindle-Swindle has a <a
+      
href="http://www.amazon.com/gp/help/customer/display.html?nodeId=200774090";>
+      universal back door</a>.</p>
+  </li>
+
+  <li>
+    <p><a 
href="http://www.computerworld.com/article/2500036/desktop-apps/microsoft--we-can-remotely-delete-windows-8-apps.html";>
+      Windows 8 also has a back door for remotely deleting apps</a>.</p>
+    <p>You might well decide to let a security service that you trust
+      remotely <em>deactivate</em> programs that it considers malicious.
+      But there is no excuse for <em>deleting</em> the programs, and you
+      should have the right to decide who (if anyone) to trust in this
+      way.</p>
+  </li>
+
+  <li>
+    <p>In Android, <a
+      
href="http://www.computerworld.com/article/2506557/security0/google-throws--kill-switch--on-android-phones.html";>
+      Google has a back door to remotely delete apps.</a>  (It was in a
+      program called GTalkService, which seems since then to have been
+      merged into Google Play.)</p>
+    <p>Google can also <a
+      
href="https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/";>
+      forcibly and remotely install apps</a> through GTalkService.
+      This is not equivalent to a universal back door, but permits various
+      dirty tricks.</p>
+    <p>Although Google's <em>exercise</em> of this power has not been
+      malicious so far, the point is that nobody should have such power,
+      which could also be used maliciously.  You might well decide to let a
+      security service remotely <em>deactivate</em> programs that it
+      considers malicious.  But there is no excuse for allowing it
+      to <em>delete</em> the programs, and you should have the right to
+      decide who (if anyone) to trust in this way.</p>
+  </li>
+
+  <li>
+    <p>The iPhone has a back door <a
+      
href="http://www.telegraph.co.uk/technology/3358134/Apples-Jobs-confirms-iPhone-kill-switch.html";>
+      that allows Apple to remotely delete apps</a> which Apple considers
+      &ldquo;inappropriate&rdquo;.  Jobs said it's ok for Apple to have this
+      power because of course we can trust Apple.</p>
+  </li>
+</ul>
+
+<h3 id="other">Other or undefined</h3>
+<ul>
+  <li>
+    <p>Dell computers, shipped with Windows, had a bogus root certificate
+      that <a
+      
href="http://fossforce.com/2015/11/dell-comcast-intel-who-knows-who-else-are-out-to-get-you/";>
+      allowed anyone (not just Dell) to remotely authorize any software to
+      run</a> on the computer.</p>
+  </li>
+
+  <li>
+    <p>ARRIS cable modem has a <a
+      
href="https://w00tsec.blogspot.de/2015/11/arris-cable-modem-has-backdoor-in.html?m=1";>
+      back door in the back door</a>.</p>
+  </li>
+
+  <li>
+    <p>HP &ldquo;storage appliances&rdquo; that use the proprietary
+      &ldquo;Left Hand&rdquo; operating system have back doors that give HP <a
+      
href="https://insights.dice.com/2013/07/11/hp-keeps-installing-secret-backdoors-in-enterprise-storage/";>
+      remote login access</a> to them.  HP claims that this does not give HP
+      access to the customer's data, but if the back door allows
+      installation of software changes, a change could be installed that
+      would give access to the customer's data.</p>
+  </li>
+
+  <li>
+    <p>German government <a
+      
href="https://web.archive.org/web/20160310201616/http://drleonardcoldwell.com/2013/08/23/leaked-german-government-warns-key-entities-not-to-use-windows-8-linked-to-nsa/";>
+      veers away from Windows 8 computers with TPM 2.0 due to potential back
+      door capabilities of the TPM 2.0 chip</a>.</p>
+  </li>
+
+  <li>
+    <p>Here is a big problem whose details are still secret: <a
+      href="http://mashable.com/2013/09/11/fbi-microsoft-bitlocker-backdoor/";>
+      The FBI asks lots of companies to put back doors in proprietary
+      programs</a>. We don't know of specific cases where this was done,
+      but every proprietary program for encryption is a possibility.</p>
+  </li>
+
+  <li>
+    <p>Here is a suspicion that we can't prove, but is worth thinking
+      about: <a
+      
href="http://web.archive.org/web/20150206003913/http://www.afr.com/p/technology/intel_chips_could_be_nsa_key_to_ymrhS1HS1633gCWKt5tFtI";>
+      Writable microcode for Intel and AMD microprocessors</a> may be a
+      vehicle for the NSA to invade computers, with the help of Microsoft,
+      say respected security experts.</p>
+  </li>
+</ul>
+
+<p>The EFF has other examples of the <a
+href="https://www.eff.org/deeplinks/2015/02/who-really-owns-your-drones";>
+use of back doors</a>.</p>
+
+
+</div><!-- for id="content", starts in the include above -->
+<!--#include virtual="/server/footer.html" -->
+<div id="footer">
+<div class="unprintable">
+
+<p>Please send general FSF &amp; GNU inquiries to
+<a href="mailto:address@hidden";>&lt;address@hidden&gt;</a>.
+There are also <a href="/contact/">other ways to contact</a>
+the FSF.  Broken links and other corrections or suggestions can be sent
+to <a href="mailto:address@hidden";>&lt;address@hidden&gt;</a>.</p>
+
+<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
+        replace it with the translation of these two:
+
+        We work hard and do our best to provide accurate, good quality
+        translations.  However, we are not exempt from imperfection.
+        Please send your comments and general suggestions in this regard
+        to <a href="mailto:address@hidden";>
+        &lt;address@hidden&gt;</a>.</p>
+
+        <p>For information on coordinating and submitting translations of
+        our web pages, see <a
+        href="/server/standards/README.translations.html">Translations
+        README</a>. -->
+Please see the <a
+href="/server/standards/README.translations.html">Translations
+README</a> for information on coordinating and submitting translations
+of this article.</p>
+</div>
+
+<p>Copyright &copy; 2014-2018 Free Software Foundation, Inc.</p>
+
+<p>This page is licensed under a <a rel="license"
+href="http://creativecommons.org/licenses/by-nd/4.0/";>Creative
+Commons Attribution-NoDerivatives 4.0 International License</a>.</p>
+
+<!--#include virtual="/server/bottom-notes.html" -->
+
+<p class="unprintable">Updated:
+<!-- timestamp start -->
+$Date: 2018/02/22 15:31:19 $
+<!-- timestamp end -->
+</p>
+</div>
+</div>
+</body>
+</html>
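
Review bot: The Xiaomi entry under "Changing or installing software" links to href="#universal-back-door-phone-modem", but no element in this new file carries that id; the modem-processor entry it refers to is declared as id="universal-back-door", so the in-page link resolves to nothing. Either rename that id or point the href at #universal-back-door. Two wording slips are worth fixing in the same revision: "a back door to shutoff the engine" in the Caterpillar entry should read "shut off", and "unable to turn the phone unto a listening device" in the modem-processor entry should read "into". The jump-menu label "Manipulating users' data/settings" also differs from its section heading "Manipulating users' data or settings"; using one wording for both would keep the menu and the headings consistent.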


