Domain: nsa.gov
Stories and comments across the archive that link to nsa.gov.
Stories · 73
-
'It's Time To End the NSA's Metadata Collection Program' (wired.com)
Jake Laperruque, Senior Counsel at The Constitution Project, where he is working on issues of government surveillance, national security and defending privacy rights in the digital age, argues via Wired that it's time to end the National Security Agency's metadata collection program, known as CDR. An anonymous reader shares an excerpt: In 2015, Congress passed the USA Freedom Act to reform Section 215 and prohibit the nationwide bulk collection of communications metadata, like who we make calls to and receive them from, when, and the call duration. The provision was replaced with a significantly slimmed-down call detail record program, known as CDR. Rather than collecting information in bulk, CDR collects communications metadata of surveillance targets as well as those of individuals up to two degrees of separation (commonly called "two hops") from the surveillance target. But this newer system appears to be no more effective than its predecessor and is highly damaging to constitutional rights. Given this combination, it's time for Congress to pull the plug and end the authority for the CDR program.
It's unsurprising that just last week a bipartisan group in Congress introduced a bill to do so. Last month, the New York Times reported that a highly placed congressional staffer had stated that the CDR program has been out of operation for months, and several days later, NSA Director Paul Nakasone issued comments responding to questions about the Times story by saying the NSA was deliberating the future of the program. If accurate, this news is major but not shocking; this large-scale-collection program has been fraught with problems. Last year, the NSA announced that technical problems had caused it to collect information it wasn't legally authorized to, and that in response, the agency had voluntarily deleted all the call detail records it had previously acquired through the CDR program -- without even waiting for a court order or trying to save some of the data -- indicating that the system was unwieldy and the data being collected was not important to the agency. -
NSA Deletes 'Honesty' and 'Openness' From Core Values (theintercept.com)
An anonymous reader shares a report: The National Security Agency maintains a page on its website that outlines its mission statement. But earlier this month, the agency made a discreet change: It removed "honesty" as its top priority. Since at least May 2016, the surveillance agency had featured honesty as the first of four "core values" listed on NSA.gov, alongside "respect for the law," "integrity," and "transparency." The agency vowed on the site to "be truthful with each other." On January 12, however, the NSA removed the mission statement page -- which can still be viewed through the Internet Archive -- and replaced it with a new version. Now, the parts about honesty and the pledge to be truthful have been deleted. The agency's new top value is "commitment to service," which it says means "excellence in the pursuit of our critical mission." Those are not the only striking alterations. In its old core values, the NSA explained that it would strive to be deserving of the "great trust" placed in it by national leaders and American citizens. It said that it would "honor the public's need for openness." But those phrases are now gone; all references to "trust," "honor," and "openness" have disappeared. -
NSA Opens GitHub Account, Lists 32 Projects Developed By the Agency (thehackernews.com)
An anonymous reader quotes a report from The Hacker News: The National Security Agency (NSA) -- the United States intelligence agency which is known for its secrecy and working in the dark -- has finally joined GitHub and launched an official GitHub page. GitHub is an online service designed for sharing code amongst programmers and the open source community, and so far, the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program (TTP), while some of these are "coming soon." "The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace," the agency wrote on the program's page. "OSS invites the cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community's enhancements to the technology." Many of the projects the agency listed are years old and have been available on the Internet for some time. For example, SELinux (Security-Enhanced Linux) has been part of the Linux kernel for years. -
NSA Suggested Clinton Use A $4,750 Windows CE PDA (arstechnica.com)
An anonymous reader writes from an article on Ars Technica: When former Secretary of State Hillary Clinton was pushing to get a waiver allowing her to use a BlackBerry like President Barack Obama back in 2009, the National Security Agency had a very short list of devices approved for classified communications. General Dynamics' Sectera Edge and L3 Communications' Guardian were the two devices built for the Secure Mobile Environment Portable Electronic Device (SME PED) program. They were the only devices anyone in government without an explicit security waiver (like the one the president got, along with his souped-up BlackBerry 8830) could use until as recently as last year to get mobile access to top secret encrypted calls and secure e-mail. At the time Clinton was asking for a phone, only the Sectera Edge was available (the Guardian was running behind in development) and it required multiple server-side and phone-side e-mail additions, desktop synchronization software, and other supporting products. The "Executive Kit" version of the Edge, priced for government purchase at $4,750, included: Type 1 Sectera Edge (GSM or CDMA) device plus: Executive Carry Case, Leather Holster, Travel Charger, Red/Black USB Cables, Vehicle Charger, Earbud, Stylus 10-pack, microSD Card with User Manual, Spare Battery, Privacy Shield 4-pack, Antivirus Software, Apriva Email Client and Perpetual Rights fee and Office Suite for Windows CE. -
NSA Reveals More Than a Decade of Improper Surveillance
An anonymous reader writes: On Christmas Eve, the NSA quietly dropped 12 years' worth of internal reports on surveillance that may have broken laws, including reports that were illegally withheld and the subject of a FOIA lawsuit in 2009. "The heavily-redacted reports include examples of data on Americans being e-mailed to unauthorized recipients, stored in unsecured computers and retained after it was supposed to be destroyed, according to the documents. ... In a 2012 case, for example, an NSA analyst 'searched her spouse's personal telephone directory without his knowledge to obtain names and telephone numbers for targeting,' according to one report (PDF). The analyst 'has been advised to cease her activities,' it said. Other unauthorized cases were a matter of human error, not intentional misconduct. Last year, an analyst 'mistakenly requested' surveillance 'of his own personal identifier instead of the selector associated with a foreign intelligence target,' according to another report." Here's their list of reports going back to 2001. -
Spinoffs From Spyland: How Some NSA Technology Is Making Its Way Into Industry
An anonymous reader writes with this news from MIT's Technology Review: "Like other federal agencies, the NSA is compelled by law to try to commercialize its R&D. It employs patent attorneys and has a marketing department that is now trying to license inventions ... The agency claims more than 170 patents ... But the NSA has faced severe challenges trying to keep up with rapidly changing technology. ... Most recently, the NSA's revamp included a sweeping effort to dismantle ... 'stovepipes,' and switch to flexible cloud computing ... in 2008, NSA brass ordered the agency's computer and information sciences research organization to create a version of the system Google uses to store its index of the Web and the raw images of Google Earth. That team was led by Adam Fuchs, now Sqrrl's chief technology officer. Its twist on big data was to add 'cell-level security,' a way of requiring a passcode for each data point ... that's how software (like the infamous PRISM application) knows what can be shown only to people with top-secret clearance. Similar features could control access to data about U.S. citizens. 'A lot of the technology we put [in] is to protect rights,' says Fuchs. Like other big-data projects, the NSA team's system, called Accumulo, was built on top of open-source code because 'you don't want to have to replicate everything yourself,' ... In 2011, the NSA released 200,000 lines of code to the Apache Foundation. When Atlas Venture's Lynch read about that, he jumped: here was a technology already developed, proven to work on tens of terabytes of data, and with security features sorely needed by heavily regulated health-care and banking customers." -
Employee Morale Is Suffering At the NSA
Hugh Pickens DOT Com writes "Ellen Nakashima reports at the Washington Post that morale has taken a hit at the National Security Agency in the wake of controversy over the agency's surveillance activities, and officials are dismayed that President Obama has not visited the agency to show his support. 'It is not clear whether or when Obama might travel the 23 miles up the Baltimore-Washington Parkway to visit Fort Meade, the NSA's headquarters in Maryland,' writes Nakashima, 'but agency employees are privately voicing frustration at what they perceive as White House ambivalence amid the pounding the agency has taken from critics.' Though Obama has asserted that the NSA's collection of virtually all Americans' phone records is lawful and has saved lives, the administration has not endorsed legislation that would codify it. And his recent statements suggest Obama thinks some of the NSA's activities should be constrained. 'The agency, from top to bottom, leadership to rank and file, feels that it has had no support from the White House even though it's been carrying out publicly approved intelligence missions,' says Joel Brenner, NSA inspector general from 2002 to 2006. 'They feel they've been hung out to dry, and they're right.' Former officials note how President George W. Bush paid a visit to the NSA in January 2006, in the wake of revelations by the New York Times that the agency engaged in a counterterrorism program of warrantless surveillance on U.S. soil beginning after the Sept. 11, 2001, terrorist attacks. 'Bush came out and spoke to the workforce, and the effect on morale was tremendous,' Brenner said. 'There's been nothing like that from this White House.' Morale is 'bad overall,' says another former NSA official. 'It's become very public and very personal. Literally, neighbors are asking people, "Why are you spying on Grandma?"'" -
Book Review: Secret History: the Story of Cryptology
benrothke writes "Narrating a compelling and interesting story about cryptography is not an easy endeavor. Many authors have tried and failed miserably, attempting to create better anecdotes about the adventures of Alice and Bob. David Kahn probably did the best job of it when he wrote The Codebreakers: The Story of Secret Writing in 1967 and set the gold standard for the information security narrative. Kahn's book was so provocative and groundbreaking that the US Government originally censored many parts of it. While Secret History: The Story of Cryptology is not as groundbreaking, it also has no government censorship. With that, the book is a fascinating read that provides a combination of cryptographic history and the underlying mathematics behind it." Keep reading for the rest of Ben's review.
Secret History: The Story of Cryptology
Author: Craig P. Bauer
Pages: 620
Publisher: CRC Press
Rating: 9/10
Reviewer: Ben Rothke
ISBN: 978-1466561861
Summary: Excellent, comprehensive and decipherable text on the history of cryptography
As a preface: the book has cryptology in its title, which is for the most part synonymous with cryptography. Since cryptography is more commonly used, I'll use it in this review.
Kahn himself wrote that he felt this book is by far the clearest and most comprehensive of the books dealing with the modern era of cryptography including classic ciphers and some of the important historical ones such as Enigma and Purple; but also newer systems such as AES and public-key cryptography.
The book claims that the mathematics detailed in it is accessible, requiring minimal mathematical prerequisites. But the reality is that it does require at least a college-level understanding, including algebra, calculus and more.
As an aside, nearly every book on encryption and cryptography that claims no advanced mathematical knowledge is needed doesn't meet that claim. With that, Bauer does a good job of separating the two narratives in the book (cryptography and history), so one who is not comfortable with the high-level math can easily parse through those sections.
Bauer brings an extensive pedigree to the book, as he is a former scholar-in-residence at the NSA Center for Cryptologic History. While Bauer has a Ph.D. in mathematics, that does not take away from his ability as an excellent storyteller. And let's face it: telling the story of cryptography in a compelling and readable manner is not an easy task.
The 20 chapters in the book follow a chronological development of encryption and cryptography; from Roman times to current times. Each chapter has a set of exercises that can be accessed here. Besides being extremely well-researched, each chapter has numerous items for further reading and research.
Chapters 1-9 are focused on classical cryptology, with topics ranging from the Caesar cipher, Biblical cryptology, to a history of the Vigenère cipher, the ciphers of WW1 and WW2 and more.
In chapter 8, World War II: The Enigma of Germany, Bauer does a great job of detailing how the Enigma machine worked, including details regarding the cryptanalysis of the device, both in its rotor wirings and how recovering its daily keys ultimately led to its being broken. The chapter also asks the question: what if Enigma had never been broken, and provides a provocative answer to that.
Chapter 8 opens with the famous quote from Ben Franklin that "three may keep a secret if two of them are dead". He notes that the best counterexample to that is of the 10,000 people that were involved in the project to break the Enigma. They all were able to maintain their silence about the project for decades; which clearly shows that large groups can indeed keep a secret. Bauer notes that it is often a reaction to conspiracy theories that large groups of people could never keep a secret for so long.
Chapter 9 provides a fascinating account of the Navajo code talkers. These were a group of Navajo Indians who were specially recruited during World War II by the Marines to serve in their communications units. Since the Navajo language was unknown to the Axis powers, it ensured that all communications were kept completely secret.
While part 1 is quite interesting, part 2 (chapters 10-20) focuses on modern cryptology and is even more fascinating. Bauer does a fantastic job of encapsulating the last 60 years of cryptography, and covers everything from the origins of the NSA, the development of DES and AES, public key cryptography and much more.
The book was printed in March 2013 just before the NSA PRISM surveillance program became public knowledge. If there is any significant mistake in the book, it is in chapter 11 where Bauer writes that "everything I've seen and heard at the NSA has convinced me that the respect for the Constitution is a key component of the culture there".
Aside from the incorrect observation about how the NSA treats the Constitution, the book does an excellent job of integrating both the history of cryptography and the mathematical element. For those that aren't interested in the mathematics, there is plenty of narrative in the book to keep them reading.
For those looking for a comprehensive and decipherable text on the history of cryptography, this is one of the best on the topic in many years.
Kahn's book laid the groundwork that made a book like this possible and Secret History: The Story of Cryptology is a worthy follow-up to that legendary text.
Reviewed by Ben Rothke -
NSA Posts Opening For "Civil Liberties & Privacy Officer"
cold fjord writes "The Hill reports, 'The National Security Agency has posted a job opening for a privacy and civil liberties officer. The position was first mentioned last month, when President Obama outlined his plans to bring more transparency to the NSA surveillance programs. A White House press release said the agency was "taking steps to put in place a full time Civil Liberties and Privacy Officer."' — From the NSA job posting: 'The NSA Civil Liberties & Privacy Officer (CLPO) is conceived as a completely new role, combining the separate responsibilities of NSA's existing Civil Liberties and Privacy (CL/P) protection programs under a single official. The CLPO will serve as the primary advisor to the Director of NSA for ensuring that privacy is protected and civil liberties are maintained by all of NSA's missions, programs, policies and technologies. This new position is focused on the future, designed to directly enhance decision making and to ensure that CL/P protections continue to be baked into NSA's future operations, technologies, tradecraft, and policies. The NSA CLPO will consult regularly with the Office of the Director of National Intelligence CLPO, privacy and civil liberties officials from the Department of Defense and the Department of Justice, as well as other U.S. government, private sector, public advocacy groups and foreign partners. '" -
US Senators: NSA Lies In Fact Sheets
Bruce66423 writes "The Guardian reports that two U.S. senators have written to the NSA telling it to amend its 702 provisions fact sheet (PDF) which, they claim, contains inaccuracies. However they can't actually say HOW they are inaccurate, because they would be compromising classified information. So the U.S. government uses taxpayer money to lie to the people... there's a surprise!" From the letter: "In our judgment, this inaccuracy is significant, as it portrays protections for Americans' privacy as being significantly stronger than they actually are." But they go on to say "We appreciate your attention to this matter. We believe that the U.S. government should have broad authorities to investigate terrorism and espionage, and that it is possible to aggressively pursue terrorists without compromising the constitutional rights of ordinary Americans. Achieving this goal depends not just on secret courts and secret congressional hearings, but on informed public debate as well." -
Book Review: Elementary Information Security
benrothke writes "Elementary Information Security, based on its title, weight and page length, I assumed was filled with mindless screen shots of elementary information security topics, written with a large font, in order to jack up the page count. Such an approach is typical of far too many security books. With that, if there ever was a misnomer of a title, Elementary Information Security is it." Read below for the rest of Ben's review.
Elementary Information Security
Author: Richard E. Smith
Pages: 800
Publisher: Jones & Bartlett Learning
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 978-1449648206
Summary: Information security magnum opus
For anyone looking for a comprehensive information security reference guide, Elementary Information Security is it. While the title may say elementary, the reader who spends the time and effort to complete the book will come out with a complete overview of every significant information security topic.
The book is in fact a textbook meant to introduce the reader to the topic of information security. But it has enough content to be of value to everyone, security novices and experienced professionals alike.
Author Richard Smith notes that if you want to get a solid understanding of information security technology, you have to look closely at the underlying strengths and weaknesses of information technology itself, which requires a background in computer architecture, operating systems and computer networking.
With that, Elementary Information Security is a tour de force that covers every information security topic, large and small. The book also provides a relevant overview of the peripheral topics that are embedded into information security.
In 17 chapters covering over 800 pages, the book is well organized and progressively gets more complex. Two large chapters of the book are freely available online, with chapter 3 here and chapter 9 here. The early chapters focus on the fundamentals of computers and networking, and the core aspects of information security. The chapters progress in complexity and deal with distributed systems and more complex security topics. The mid-chapters deal with cryptography, starting with an introduction to the topic, into more complex topics and scenarios. One is hard-pressed to find an information security topic not covered in the book.
Chapter 1 is on Security from the Ground Up and lays the groundwork for what security is. Various topics around risk are detailed, such as identifying, prioritizing and assessing risks.
Chapter 2 is on Controlling a Computer and reviews the underlying architecture around computers.
For some people, much of their learning about information security is based on rote memorization. In the book, Smith eschews this, and each chapter closes with a glossary of topics and penetrating questions. There are also problem definitions which detail practical situations with the hope that the reader can create an adequate security solution. The reader who spends extra time reviewing the questions will find that it significantly helps in mastering the myriad topics.
The goal of the questions and exercises is to make the knowledge real. Some of the exercises include watching movies with computer security related topics such as The Falcon and the Snowman, Crimson Tide, and others. For example, in The Falcon and the Snowman, the author asks the reader to identify two types of security measure that would have helped prevent theft of the crypto keys. In Crimson Tide, it asks the reader to consider the missile launch procedures portrayed in the film and asks if it is possible for a single person to launch a nuclear missile. Another scenario asks under what circumstances a recipient should accept an unauthenticated message. It also asks the reader to give an example of a circumstance in which accepting an unauthenticated message would yield the wrong result.
The book is not meant as a For Dummies guide to the topic, and it assumes a college-level comprehension of relevant mathematical concepts. Note though that the requisite math is detailed in the sections on encryption and cryptography.
The book is also the first textbook certified by the NSA to comply with the NSTISSI 4011 standard, which is the federal training standard for information security professionals. The author notes on his blog that in order to gain that certification, he had to map each topic required by the standard to the information as it appears in the textbook.
Given the value of the book, (ISC)2 should consider using this title as a reference for their CISSP certification. With all of the CISSP preparation guides available, even the Official (ISC)2 Guide to the CISSP CBK, one is hard pressed to find a comprehensive, all-embracing security reference such as this. Some may even want to simply use this book as their definitive CISSP study guide.
For those looking for a single encyclopedic reference on information security, they should look no further than Elementary Information Security. Richard Smith has written a magnum opus on the topic, which will be of value for years to come.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
NSA Publishes Blueprint For Top Secret Android Phone
mask.of.sanity writes "The National Security Agency has designed a super-secure Android phone from commercial parts, and released the blueprints (PDF) to the public. The doubly-encrypted phone, dubbed Fishbowl, was designed to be secure enough to handle top secret phone calls yet be as easy to use and cheap to build as commercial handsets. One hundred US government staff are using the phones under a pilot which is part of a wider project to redesign communication platforms used in classified conversations." -
NSA Advises Upgrade To Windows 7
An anonymous reader writes "In a document available from the NSA (warning, PDF file), that organisation advises users to upgrade to Windows 7 as part of their Best Practice for Securing a Home Network. No mention of BSD or Linux so I guess the Slashdot crowd will just have to bite the bullet and change operating systems if they want to be really secure." -
NSA Director Says the US Must Secure the Internet
Trailrunner7 writes "The United States has a responsibility to take a leadership role in securing the Internet against both internal and external attackers, a duty that the federal government takes very seriously, the country's top military cybersecurity official said Tuesday. However, Gen. Keith Alexander, director of the National Security Agency and commander of the US Cyber Command, provided virtually nothing in the way of details of how the government intends to accomplish this rather daunting task. 'We made the Internet and it seems to me that we ought to be the first folks to get out there and protect it,' Alexander said. 'The challenge before us is large and daunting. But we have an obligation to meet it head-on.' It's unlikely that any of Alexander's comments Tuesday will do much to quiet the criticisms of the Obama administration's security efforts thus far. Speaking mostly in generalities, Alexander emphasized the administration's commitment to the Comprehensive National Cybersecurity Initiative, a plan developed by the Bush administration and recently partially de-classified by Obama administration officials." -
Just How Effective is System Hardening?
SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELinux, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment." -
The National Cryptologic Museum
An anonymous reader writes "The NSA's once small National Cryptologic Museum is bigger and better, with new more immersive exhibits like a reconstruction of a listening post from the Vietnam war. The place seems to be caught between the urge to keep your mouth shut and the pleasure of telling war stories. In time, though, the story notes that the need to tell stories wins out. Has anyone visited lately?" -
NSA Tasked With 'Policing' Government Networks
Novus Ordo Seclorum writes "The NSA has a new assignment. No longer merely responsible for signals intelligence, the NSA now has the task of defending against cyber attacks on government and private networks. 'The plan calls for the NSA to work with the Department of Homeland Security and other federal agencies to monitor such networks to prevent unauthorized intrusion, according to those with knowledge of what is known internally as the 'Cyber Initiative.' Details of the project are highly classified. Director of National Intelligence Mike McConnell, a former NSA chief, is coordinating the initiative. It will be run by the Department of Homeland Security, which has primary responsibility for protecting domestic infrastructure, including the Internet, current and former officials said. At the outset, up to 2,000 people -- from the Department of Homeland Security, the NSA and other agencies -- could be assigned to the initiative, said a senior intelligence official who spoke on condition of anonymity.'" -
SELinux Moving Into The Mainstream
PaxTech writes "Security Enhanced Linux is moving into the mainstream rapidly, bringing its implementation of mandatory access control to a wider audience. The agenda for the 2006 SELinux Symposium has just been announced, distributions such as Fedora are including SELinux in the default build, and ports are underway to bring SELinux functionality to BSD and Darwin. Security minded systems administrators should be learning about this technology as it provides another strong layer of security for Linux servers." -
How The NSA Secures Computers
An Anonymous Reader wrote to mention an NSA site covering secure configuration guidelines for a number of operating systems. From the site: "NSA initiatives in enhancing software security cover both proprietary and open source software, and we have successfully used both proprietary and open source models in our research activities. NSA's work to enhance the security of software is motivated by one simple consideration: use our resources as efficiently as possible to give NSA's customers the best possible security options in the most widely employed products." -
Secure Your Network NSA-style
farker haiku writes "The NSA has declassified a PDF on how to secure your network in sixty minutes. All in all, it's an interesting and informative read if you are in the security biz. The article covers a variety of topics such as Buffer Overflows, Intrusion Detection Systems and using Tripwire ASR to ensure the integrity of your network server." -
Understanding Mac OS X Kernel
An anonymous reader writes "Kernelthread.com has published a flash presentation overview of the Mac OS X kernel. Its title is 'A Tour of the Mac OS X Kernel' and it also covers Tiger features. Maybe interesting to note is that the slides are from a talk given to the NSA. Well, there is a nice security architecture diagram towards the end of the presentation." -
Using Layered Defenses to Stop Internet Worms
An anonymous submitter writes "Following last week's release of security configuration guidance for Mac OS X, the National Security Agency has released a paper on Internet worms and how to stop new worms using layered defenses (pdf). A good read - your US tax dollars at work." -
NSA Security Guide for Mac OS X
An anonymous reader writes "The National Security Agency has just released a Security Configuration Guide for Apple Mac OS X (pdf). The guide mostly contains common sense configuration information that applies to many Unix systems. It also includes specific discussion for Apple's unique features such as Keychain and FileVault. It should be useful to most Mac OS X users and will be particularly useful for US Government organisations that use Mac OS X and for commercial IT Departments that are supporting Mac OS X. A range of other NSA Security Configuration guides for other operating systems, applications, and IT kit are also available." -
Fedora Core 2 Test 3 Released
Wee writes "I just got an email from Bill Nottingham of Red Hat letting me know that the third and final test release of Fedora Core 2 is now available. The announcement mentions the big changes are SELinux being disabled by default, that on-and-off problem with install CD1 not booting should be fixed, and anaconda now is sporting 31 languages. The mirrors look like they are opening slowly but surely, and bug reports are always appreciated." -
Encrypted Cell Phone Hits the Market
notshannon writes "Reuters reports about a new cell phone which automatically encrypts communications. Of course, the matching handset will decrypt the message. Security doesn't come cheap, around $4000 per pair, but it's probably as reliable as anyone in these parts could wish. Favorite quote: 'We allow everyone to check the security for themselves, because we're the only ones who publish the source code,' said Rop Gonggrijp at Amsterdam-based NAH6. Amusingly, the article cites government.nl and not nsa.gov as the world's most prolific phone tapper." -
China Prepares To Examine MS Windows Code
Stargoat writes "CNet reports that China is looking into MS's source code for Windows. They are looking both to increase security as well as perhaps create a Chinese version of Linux. Or are they perhaps concerned with rumors of deliberate holes left in the software for the NSA to exploit?" Here's an earlier Slashdot post about the Microsoft-China agreement. -
Would You Use SELinux?
silent_tyr asks: "I am going to re-install my Linux box and being security conscious I am looking for a secure distribution. After a couple of Google searches I found a version called Secure Linux, which sounded ideal. So I followed this link, which turned out to be what I assume is a genuine NSA web-site. All in all, it looks like a good idea and I can play around with it as I wish, but eventually I will be using this machine as my base-system. So before I start I want to ask two questions: 1) Do you think that it is a good idea to trust the NSA not to put in back-door/spy-ware type code to enable them to snoop my personal information? 2) What other security-patched distros can people recommend? I don't want to open up the floor for generic NSA-bashing, but I also don't want to have to work my way through every line of code before I install." There was a similar question that was asked a while ago, but there wasn't much to the discussion. For those of you who are running SELinux, what have your experiences been, so far? -
Securing Your Network?
Barkmullz asks: "I just recently finished yet another security review on the network at my place of employment. I designed the different security features from scratch and I am using a variety of devices and software (firewalls, IDS, DMZs, and so on). I like to look at network security with the same attitude as I look on the stock market: diversify. Don't put all your eggs in one basket. As I was pondering the review results I wondered what a completely unbiased observer would think of my security. I remember thinking that someone should start a radio show similar to James Cramer's RealMoney and ask the listeners: Are you secure? I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff? What do you consider to be a secure network? What low-budget security features have you come up with? I don't think I am the only one spending evenings and weekends playing around with yet another IDS." -
The NSA Gives Their Two Cents On Securing XP/2K/NT
caino59 writes "Their site is already slow, and must be taking a hit, but the NSA has released several guides on Securing Windows XP, Windows 2000, and Windows NT. Now go out and download the guides, and /. the NSA!" -
Slashback: Security, Telephony, Solicitude
Slashback with more on Linux telephony, Mailblocks' terms of service, the scary disease known as SARS, the status of civilian GPS accuracy and more -- read on for the details. A good oversight to correct. AndyMan! writes "Regarding yesterday's 'Building A Better Inbox,' I got the following email from support@mailblocks.com:
"'Our apologies, we picked up an old version of our TOS when we went live. We will NOT be allowing 3rd parties to send unsolicited email to our userbase. Please check the site this evening for the updated and correct TOS. We apologize for any confusion or inconvenience.'"
All the government you pay for. dunng808 writes "Despite frequent speculation to the contrary, Security Enhanced Linux is alive and well. Government Executive Magazine has a report from a conference on open-source software at which Peter Loscocco, a senior NSA scientist, revealed that the agency has continued to work on SE Linux despite efforts by Microsoft and the Initiative for Software Choice. "We spent a lot of time educating our managers, who accepted a lot of the flack that has come back to NSA about SE Linux," Loscocco said. For those readers trying to win acceptance of open-source software in the workplace, what effort have you undertaken to educate management, and what has worked?"
Also safe for now is GPS. As an anonymous reader writes, "Following last week's thread on GPS, and the possibility that the Pentagon might goof around with the civilian signal, Forbes checks in with the folks in charge and finds we have nothing to worry about."
OK, both of these things involve series of coherent vibrations in air ... A few months back, we mentioned that TheKompany was selling software to let Zaurus owners use Net2Phone for telephone service, and that they were working on a desktop version as well. Well, now it's ready. HeUnique writes "TheKompany just released tkcphone for the Linux desktop. This is the first product which lets Linux users use their existing net2phone accounts to talk either through net2phone to net2phone or net2phone to standard POTS phone with the best audio quality (G.729 codec)."
And in almost-but-not-totally-unrelated news, jackjumper writes "Shawn Gordon of The Kompany fame has started his own record label, ProgRock Records. From the interview at Linux and Main: "The idea...is to provide progressive rock music to listeners at a low price while allowing more of that money to find its way to the artists' pockets than happens with conventional recording contracts and at the same time making a gesture -- you know the one -- to the established recording cartel." This sounds really cool."
A deadly pathogen by any other name. waytoomuchcoffee writes "The leading hypothesis for what is causing Severe Acute Respiratory Syndrome (SARS) is now thought to be a coronavirus, one of the virii that can cause the common cold. The New York Times (archive version for those non-members) has a story here. The global toll is now more than 750 stricken and 22 dead. Singapore is quarantining hundreds of people in an effort to stop the outbreak, while the head of the city's hospitals has taken ill with symptoms consistent with SARS. Both the Centers for Disease Control and the World Health Organization have pages up now, which include FAQs and progression information."
How many times do we have to go over this? Vajsvarana writes "The major free Desktop Environments GNOME and KDE have released a common open statement on recent XFree86 troubles. 'Innovation should happen in the open, with all affected parties able to participate early in the process' seems a clear and strong request to XFree86 people." -
LWN on the Patent Encumbrance of SELinux
Anonymous Coward writes "LWN has a story about patents in SELinux. The article says: "Much of the actual work in the implementation of SELinux was done by Secure Computing Corporation (SCC). SCC, in its implementation of SELinux, used a technology that it calls type enforcement. As it turns out, SCC has a patent on this technology." Sigh. -
Linux Security Modules Project Update
James Morris writes: "Here's an update on the Linux Security Modules project (LSM). In April last year, the NSA proposed SELinux at the first Linux Kernel Summit. Following feedback from Linus, the LSM project was initiated by Crispin Cowan to develop a generic access control framework for Linux which would allow different types of security policies to be implemented as loadable kernel modules. Rather than having to choose one security model, LSM aims to provide a framework for incorporating a variety of advanced security mechanisms into Linux with a minimal effect on the base kernel. This week, Chris Wright (the principal maintainer) formally announced patches for the 2.4 and 2.5 kernels. Chris will be presenting LSM at this year's Kernel Summit and giving a talk at OLS, hopefully kicking off discussion on acceptance of LSM into the main kernel. Projects which have already been ported to LSM include SELinux, LIDS, DTE, Openwall and Posix.1e Capabilities. Check out the newly re-vamped web site for downloads, documentation and general information." -
HP-LX 1.0 Secure Linux
kengreenebaum writes: "Webtechniques has a short but interesting article on HP's approach to a secure but expensive LINUX distro. Basically they started with RedHat 7.1 and added compartments; an extension to the age-old chroot jail concept where the processes representing major services run. Kernel extensions allow HP (or the administrator) to specify which compartments can access which kernel resources including individual files, network stacks, and each other. HP has a Technical Product Brief as well as other material online. Interesting to compare HP's approach to that of the NSA's Secure Linux projects. These concepts sound like a solid way to prevent buffer overflow type security holes in individual services from compromising the entire machine. At $3000 HP-LX is too expensive for many to experiment with but the NSA's code seems to be more readily available. Anybody have experience with these distributions or with similar approaches to Linux security?" -
Guardent To Sell Snort And Nessus
Cally writes: "An interesting article appeared on the Info-Sec News list the other day about Guardent's new security appliance. Based on Snort, Nessus and IPTables, Guardent are taking the unusual step of trying to sell a product based on Free software into the highly resistant corporate security market. Although Free/Open security software is widely acknowledged to be better than commercial alternatives, it's rarely been trusted in the enterprise - the article points out that, although the NSA use Free software, the need for an expensive government audit prevents the government from saving money and improving security." -
New Security-Enhanced Linux Release
James Cho writes: "Four days ago, the 2nd public release of the NSA's 'security-enhanced' version of Linux (it's not an entire distribution) came out. The NSA describes it as having 'a strong, flexible mandatory access control architecture incorporated into the major subsystems of the kernel'. However it must be noted that this 'is not intended as a complete security solution for Linux' and that there is 'still much work needed to develop a complete security solution'." -
New Release Of NSA SELinux
rstewart writes: "The NSA has released a new version of SELinux for public consumption. It is based on the 2.4.9 kernel and the utilities patches are known to work on Redhat 7.1. More information and the source can be found at the NSA SeLinux site." You can read the what's new for more information. -
Securing Win2K, NSA-style
bpitzer writes: "The NSA has released their guides for securing Windows 2000 that they have issued for various DoD organizations." -
PGP Division to Work With NSA on Secure Linux
NAI Labs, a division of PGP Security, just sent out a press release announcing that they're "joining with the National Security Agency (NSA) and its other partners to further develop the NSA's Security-Enhanced Linux (SELinux) prototype." Wow. -
Bundeswehr Says Microsoft Software Verboten
deran9ed writes: "The German foreign office and Bundeswehr are pulling the plugs on Microsoft software, citing security concerns, according to the German news magazine Der Spiegel. Spiegel claims that German security authorities suspect that the US National Security Agency (NSA) has 'back door' access to Microsoft source code, and can therefore easily read the Federal Republic's deepest secrets. Article in German, English article" -
Is Crypto Solely for Criminals?
deran9ed writes: "Interesting outlook from an article on IDG detailing the use of encryption, and the negative campaigns against it. "When the Feds -- be they CIA, FBI, NSA, or Treasury Department -- discuss crypto, they make it sound as if anyone using it must be a child pornographer, drug smuggler, or terrorist." I wonder if the government feels the same about corporations encrypting their business plans in order to avoid having them stolen. Here's the article." The author has a point. SSL and SSH (or whatever it's called now) are widely used. But how many people routinely encrypt their email?