Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Posted on
- Colin B.
July 26, 2007, 4:31 pm
rate this thread
One could dismiss this as paranoid trolling or ranting. However, I'll
take it as a serious question.
First of all, you're blurring the difference between software companies
and service providers. AT&T, Comcast, etc., don't provide software--they
just sell service. It's an ethically different perspective between allowing
(and maybe even aiding) the various agencies access, and explicitly creating
access in your code. It also doesn't take into account that the various
telecom/internet/infrastructure providers are government licensed, and are
somewhat more beholden to the government as a result.
Look at it another way: Are there any major hardware/software product
companies that have been shown to be illicitly collaborating with the various
three (or four) letter agencies? If not, then why would Sun be the first?
Secondly, building OO from source is absolutely no guarantee, for a long
series of reasons. First of all, building from source doesn't mean the
same thing as reading the source. If someone put a trojan in the source
code, how long would it be before someone discovered it? Days? Weeks?
Months? Years even? Hard to say, but unless YOU read every line of code,
you are farming out your trust to someone else.
Having said that, there's no reason that clean source code will actually
compile without spyware. Read this article by Ken Thompson, and you'll
realise that you're totally screwed with regards to trustable software:
OK, paranoid yet? Depressed yet? Good. Now let's consider the opposite
side of the coin.
#1: Sun isn't OpenOffice.org. The compiled OO binaries come from the OO
group, not from Sun. Sun produces StarOffice from the same code base,
and could put crap in that if they wanted, but...
#2: Why would they? What would they possibly gain by adding spyware and/or
trojans to their product? If it happened and was discovered, then they
would immediately lose all credibility in the industry.
#3: There's also the method of the purported spyware. If software reports
information back to an agency, then it will (likely) be sent over a
network and can be easily detected with a packet sniffer. If some
inappropriate information is added to a file, it can be sussed out
quite easily given that OO.org stores files in compressed XML, which
can be read by humans.
Is it possible? Absolutely--anything is possible.
Is it likely? Not in my mind. There are so many more effective and sneaky
ways to obtain information, that it just doesn't make any sense.
Mind you, if you're actually doing something that's going to get you
arrested and thrown in a cell somewhere, paranoia is never misplaced.
- Robert M. Riches Jr.
July 26, 2007, 4:36 pm
Re: Could it be that OpenOffice binary has NSA spyware in it?
Actually, most ISPs *do* provide software, typically to brand browsers
with the ISP's name ("Internet Explorer powered by Comcast", or
something like that) or configure network settings (default home page,
SMTP/POP servers, etc.) automatically. Use of it is generally optional,
but lots of newbies don't realize that and dutifully install the ISP's
Barry Margolin, firstname.lastname@example.org
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
- » Re: Could it be that OpenOffice binary has NSA spyware in it?
- — Next thread in » General Computer Security