Domain: nsa.gov
Stories and comments across the archive that link to nsa.gov.
Comments · 1,061
-
Re:Sales.
The TCG is about openness, and you can even download code from IBM
at SourceForge FREE!...
http://sourceforge.net/projects/trousers
TC has not hit the big top because Linux is secure and, for one, the NSA is
making security advancements free on its website: http://www.nsa.gov/selinux/index.cfm.
Intel wants to gain back some market from AMD, by DRM they hope! -
Re:Classic "You must be hiding something" syndrome
"Friend added"
I'm not so worried about the national ID card at the moment, maybe I see things differently, but I highly doubt it will actually come into play SOON. As in less than 10 years. Governments have a tendency to move extremely slowly. Much of what I understand of their intent on such an ID would be standardization of certain things within the ID system so it would be technically simpler in terms of accessing data.
The system has been in place for decades to share information, but never in electronic form... yet. This would allow easier access, but they'd still have to go through the red tape to access such information. Maybe I'm too utopian about the idea of such. Let me know if you think I'm wrong.
Now back on topic.
I love my privacy. I separate my online transactions into what I want to keep anonymous and what I don't mind being put in the public. Journals, emails, whatever software I happen to be writing, business plans etc. No one has a right to see them. Encryption is merely a means to an end for me in privacy. I lock the BIOS, user authentication with Linux or Windows (with the NSA's help), and GPG with WinPT -
Mandatory Access Controls (MAC)
Until MAC and appropriate MAC policies exist on systems this will go on "ad infinitum, ad nauseum". See "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments" http://www.nsa.gov/selinux/papers/inevit-abs.cfm
Though I'm not a huge fan of the SELinux security model it does seem to be gaining traction. Red Hat Enterprise 4 now includes it and there are an increasing number of "targeted" policies becoming available.
If executables were required to come with packaged policies and those policies were vetted by an organization that had a clue, many of our current issues would be greatly mitigated. -
Re:Several exploits
No, I think you have to go via this page
-
Re:Several exploits
The parent link didn't work for me, but after exploring the NSA's website, I found this link, which seems to work better:
osx_client_final_v_1_1.pdf -
Re:Several exploits
The NSA posted an OS X security guide. The NSA stated that OS X is the most secure of clients OSes, particularly in its default configuration.
http://www.nsa.gov/snac/os/applemac/osx_client_final_v.1.pdf -
Re:Enhanced Security???
Who claimed it was the most secure, bulletproof OS?
There are much, much more secure systems out there than linux. Check out MULTICS sometime. Note that no one uses it anymore, since it requires special hardware to run.
You will never need these features until you find yourself working with massive multiuser machines or classified processing. It's a government project, go figure.
Read up on the SELinux docs on more info, and why the target audience for windows/desktop linux/macos would never care. Most people making claims about linux's security as opposed to other OS's are comparing it to windows, and in terms of vulnerabilities. That's a whole 'nother ball of wax.
-
Re:Already available
It's a kernel patch developed originally by the NSA.
SELinux -
Re:Degaussing is the way to go
Degaussing to NSA standards is very hard with modern high-coercivity media. See the NSA Media Destruction Guidance web page. Physical destruction (furnace) is usually simpler.
-
Re:Don't expect compliance with the GPL
contributed back to the community
To the extent that the government is using non-proprietary OSes and other cheaper/free pieces of infrastructure to conduct critical activities (like defense, or emergency response), we're looking at using up fewer tax dollars, and that's plenty of "giving back." Of course, the defense/intel community does very much distribute enhanced goodies where it can, and we've had plenty of conversations here about things like open source CAD stuff from the Navy.
Probably the most important thing, though, is that you get thousands of federal techies using different systems, and a lot of them will leave their stint with the DOD and head out into the wild with an appreciation for alternate ways to handle IT problems. Those folks, showing up at private sector HR desks looking for more lucrative jobs, will have more to do with corporate acceptance of things like Linux than any amount of code the feds might publish. -
Re:What are they using?
What is more interesting here is the derivative. The perception of Windows is improving rapidly, the perception of Linux is pretty static.
Eh, you're kidding... right?
I've not seen that AT ALL. Windows security is an oxymoron, and people complain about it BITTERLY to me. I've been delivering Linux-only services for years, and it's all I can do to keep up with all the projects on my plate.
One of my clients is on the verge of switching about 50% of their desktop systems in use by their staff to Linux. They're evaluating it now. Issues I know of are: MS-Word (Hello Crossover Office!) and printing.
What "security action" should be going on in the Linux world that isn't? I have a modest number of servers on the 'net. The only one with security issues is one with a bazillion, ancient CGI scripts on it. (that for various reasons, I can't just have removed - ugh)
But, just in case, do you remember SELinux? Or perhaps LIDS?
Heck googling for "Linux Security" produced a few interesting results, right on the home page!
Next time, listen BEFORE you speak... -
You'd need a smarter RFID.
"If the government can read it for legitimate purposes, other people can read it for illegitimate purposes."
...if the chip responds without requiring authentication, as current RFID chips do. If the RFID simply spits out its random Mark One RFID number on initial query, and only provides Mark Two grade information on receiving its RFID back in an RSA-signed query, it might mitigate the problem. Still, that would leave at least five system weaknesses obvious to even cursory glances:
1) It's still a Mark One RFID initial response; to prevent traffic analysis from making identifying USAssholes (yes, I can say that, I am one) trivial for hostile entities, there need to be a lot more responding Mark One RFIDs chirping away out there.
2) The specific query to the RFID could be played back. This might be solvable by inclusion of a random number component with in the initial response.
3) Every Mark Two RFID query generator needs to have the signature capability; the system is only safe until one is stolen and reverse engineered. Giving each its own marine guard is liable to increase the expense of the deployment slightly. This might be obviated by an integrity-and-privacy secured uplink connection to a centralized query making server located at Fort Meade.
4) This still implies US passport holders should trust the US government to be able to secretly and silently find out exactly who they are at any time. Survey says...
5) I'm betting the computation for signature checks exceeds the RFID's remotely powered capabilities; I suspect they don't have much more than needed to play "Marco!".... "Polo!" -
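The post above sketches a two-stage tag: a public "Mark One" identifier on first query, and the sensitive "Mark Two" record only after a signed query, with a per-session random number added to stop replay of a captured query (weakness 2). The following is an added example illustrating that mitigation, not code from the original comment or from any real RFID system. It assumes a shared key and an HMAC in place of the RSA signature the post mentions, and a constructed tag identifier and record; the point it shows is that the freshness check on the nonce, not the signature alone, is what rejects a replayed query.

```python
"""Challenge-response release of a tag's record (constructed example).

The tag answers the initial query with its public id plus a fresh nonce and
releases its private record only to a query that (a) echoes that exact nonce,
(b) carries a valid signature over id||nonce, and (c) arrives within the
session that issued the nonce.  HMAC-SHA256 with a shared key stands in for the
RSA signature described in the post (assumption).
"""
import hashlib
import hmac
import secrets


def sign_query(key: bytes, tag_id: bytes, nonce: bytes) -> bytes:
    """Reader-side signature over the exact (id, nonce) pair the tag issued."""
    return hmac.new(key, tag_id + nonce, hashlib.sha256).digest()


class Tag:
    def __init__(self, public_id: bytes, private_record: bytes, reader_key: bytes):
        self.public_id = public_id            # "Mark One" identifier, freely emitted
        self.private_record = private_record  # "Mark Two" data, released only when authenticated
        self.reader_key = reader_key          # assumption: shared verification key
        self.pending_nonce = None             # nonce of the currently open session, if any

    def initial_response(self):
        """First reply to any query: public id and a fresh random challenge."""
        self.pending_nonce = secrets.token_bytes(16)
        return self.public_id, self.pending_nonce

    def full_response(self, query):
        """Release the private record only for a fresh, correctly signed query."""
        tag_id, nonce, sig = query
        if self.pending_nonce is None:            # no open session: nothing to answer
            return None
        if tag_id != self.public_id or not hmac.compare_digest(nonce, self.pending_nonce):
            return None                           # stale or foreign nonce: replay rejected
        expected = sign_query(self.reader_key, tag_id, nonce)
        if not hmac.compare_digest(sig, expected):
            return None                           # unsigned or wrongly signed query
        self.pending_nonce = None                 # one-shot: the same query cannot be reused
        return self.private_record


class Reader:
    def __init__(self, key: bytes):
        self.key = key

    def query(self, tag: Tag):
        """Complete one session: take the challenge, sign it, ask for the record."""
        tag_id, nonce = tag.initial_response()
        return tag.full_response((tag_id, nonce, sign_query(self.key, tag_id, nonce)))


def replay_outcome(tag: Tag, reader: Reader):
    """Capture a legitimate signed query, then present it again in a new session.

    Returns (first_result, replayed_result); the second must be None.
    """
    tag_id, nonce = tag.initial_response()
    captured = (tag_id, nonce, sign_query(reader.key, tag_id, nonce))
    first = tag.full_response(captured)
    tag.initial_response()                        # a new session issues a new nonce
    return first, tag.full_response(captured)


if __name__ == "__main__":
    key = b"constructed-shared-key"
    tag = Tag(b"ID-0001", b"holder record", key)
    print(Reader(key).query(tag))                 # b'holder record'
    print(replay_outcome(tag, Reader(key)))       # (b'holder record', None)
    print(Reader(b"wrong-key").query(tag))        # None
```

The per-session nonce addresses the replay point; the other weaknesses in the list (the public Mark One response, key extraction from a stolen reader, the tag's limited compute) are not touched by this check and would need separate measures.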
Re:Good..
Unfortunately, governments (at least here in the US) tend to operate on a "How much is it going to cost right now?"
That isn't always true - it depends on which part of the government you are looking at, what kind of mood they are in, how much money they have and a few other factors. Look at the NSA Linux project. I'm sure it took more time and money to put together than buying Windows off the shelf.
I used to work for a company that did some engine controls for the military, navy ships mostly. Their specs and test procedures were incredible. The equipment wasn't the most current technology, but they wanted to make SURE the control we built for their ships worked, no matter the cost.
Actually, it seems like more often than not governments are willing to spend lots of money, especially on things like technology. Now, if it's a new road or school building they are going to be as cheap as possible. OTOH if it's new toys for them and their staff most government officials will spring for the best. -
Re:Wrong Paradigm
This is pretty much exactly what SELinux does, minus the GUI interface. The only widely-used product that utilizes it is Fedora, and they only use a subset of the capabilities because it is such a monumental pain in the ass to configure and debug.
-
Re:At Least they are talking about it
There is nothing they couldn't dream up as a terrorist or other attack on the IT infrastructure that hasn't been thought up already by others; even in the terror game it is hard to be truly original. And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures, what have you.
The problem is not that no one has thought about the problems of security or software assurance enough to have come up with solutions; the problem is the solutions haven't made their way out of theory and into practice. It's not that the theory is new either - a lot of the ideas are 10 years old or more. The problem is that there are too many people who are happy with what they have and never bothered to look at what the theorists have actually devised. Why do you think the NSA created SELinux? It wasn't because they were planning to create a secure operating system - they themselves say that they did it to demonstrate that such controls can easily be built into a "mainstream operating system". Read that as: they've done the research, know the solutions (this sort of architecture is, research wise, quite old), and are so frustrated that no one was actually using it that they hacked it into the most mainstream OS they could just to show people how.
If you consider the task of writing secure software applications, rather than just OS architectures to vastly enhance security, there are still perfectly good options out there. If you're serious about high integrity software (be it for security, or for fault tolerance) you ought to be proving your code. No, seriously - you can statically mathematically prove your code providing you use the right tools. For instance there are things like B-method or SPARK which allow you to actually prove the partial correctness of your code (partial correctness in the sense of "if it terminates, it terminates with these properties..."). The concept of having a separate prover as a safety and correctness checker, as opposed to letting static typing and the compiler catch the most glaring errors, seems eminently sensible. The techniques for how to do this sort of thing are quite old, and it is becoming increasingly practical to do full proofs given the power of computers these days. Again, this is the category of "something we know how to do, but mostly never bother with".
Jedidiah. -
Something doesn't add up for me...
The article mentions they are teamed up to, among other things, compete for government contracts. Then they blast Linux for being unscalable and insecure.
I keep going back to look at this page: http://www.nsa.gov/selinux/
I wonder what the NSA would say to Linux being unscalable and insecure. -
Re:Let me set you straight
I am the AC to whom you were responding.
1. What I wrote was true. The "court" argument, however, was conjecture on my part.
2. I posted AC because everything I publish relating to my work (including my resume) needs to go through a pre-pub review. This is not just for the duration of employment; it's for the duration of my life. I certainly didn't post from my desk, in case you were wondering.
3. I didn't "spill" anything that's not publicly available elsewhere. I collected it in a nice easy-to-digest summary just for you.
4. Incidental violations are dealt with, but not with public floggings. An honest mistake will get you counseled, not fired. Repeated mistakes are a bad thing. Carelessness with the data is not acceptable.
The point was this: it's not as you think. Your tinfoil hat is unnecessary. -
Re:this might not be popular here, but....
Yes, but it's classified and you don't have a need to know.
"let's keep in mind that the NSA exists for a reason, and that reason is important"
Like what? Promoting the Bush agenda?
"the security agencies of the United States have a serious and IMPORTANT function."
You said it!
"no question they exceed their mandate"
By whom? "Mistress Domina"? You? Who's watching the watchers?
"while overzealous policemen certainly need to be disciplined and corrected"
Can you say "Perception Management"?
"they are STILL the "good guys" as long as you are realistic and remember the really BAD alternatives out there."
Hey! You seem like a willing drone... Here, go download and install "SeLinux" and report back to us, esp. if it does anything, well, 'funny' or 'unusual'...
-
Re:I can think of better things
... or IBM offering Linux on its high-end servers, or the SE Linux initiative.
-
Re:ECMQV broken
The NSA is in the business of breaking encryption, not providing unbreakable encryption.
How did this get modded insightful? The NSA is responsible for Signals Intelligence, which may involve some breaking of encryption, and Information Assurance which most certainly involves the provision of strong security, including encryption.
ECC is already widely available - Certicom, a Canadian company provides good implementations, and owns about 200 patents relating to it. If it is secure and the NSA can't break it, ignoring its existence isn't going to help them: it is already out there - it is too late for the Signals Intelligence people to worry about it. On the other hand, if there is a good secure encryption system available then promoting it to US government and US companies is a positive thing for the Information Assurance role to be engaged in.
The amount of uninformed, random, misinformation in this thread is astounding.
Jedidiah. -
Re:ECMQV broken
I hate to burst your bubble, but NSA has two primary missions.
Breaking into stuff Signals Intelligence
and providing good encryption Information Assurance -
Re:Looks like...
Are you saying this has been done? Multics had better buffer overflow protection
40 F#%îng years ago! That's right, *before unix existed*, four decades ago, that's before Gates had pubic hair! (Okay, I didn't fact check that one, but this is a long time, and I am not just talking in Internet or doggy years.)
So, where are the lines before CompUSA to buy one of these computers that may not have the most megahurts and marchitecture, but that doesn't get new viruses/spyware/script kiddy zombie code every week while mailing personal files to random strangers?
I will tell you where these people are, they are right around the corner at the newsstand waiting for the latest issue of "screenshots, colors, windows and screensavers monthly". While there are billion dollar (memory) price fixing and (os) monopoly scams going on the trade media wonders what the color of Microsoft's next operating system is and where to get the newest megahurts this month....
The reason Multics was secure: the people designing it figured security would make a nice feature so they designed it in by default... Of course others tried that but once you add a huge piece of shell/browser/e-mail client/media player, mix in a bunch of RPC accessible administrative tools and have all this code monkey C code run with administrative privileges.... then you are gonna need systems to tell you when your remaining security is gone (virus signature addiction systems, packet filters and intrusion detection systems).
The babysteps taken in today's "security addons" that descend from the tools DOS admins used to clean out the few known viruses are pathetic. The worst part, the people making money off it. These people are evil even by atheist standards (keeping people addicted to virus signatures while selling telephone tapping equipment by Comverse/the Mossad, while playing "trusted" third party by selling expensive certs (Want a microsoft.com one? here go right ahead).... while screwing everyone's DNS over just for a few quick bucks.)
The people selling computer security are snakeoil/ducttape sales scumbags
(safe for non redneck work)
If people had just read the US DoD stuff on computer security (Multics, Orange Book) and used it as a starting point for a one step more secure OS we could just worry about how to make computers do new useful stuff instead of fending off the spyware/worms/DDoS and god knows what people who stay out of log files do. Anyway, one can always start from scratch
-
Convergence of Grid and Virtualized LSB
Take a pinch of Standard Linux
Wrap it up in Xen
Add a touch of SELinux
And a little bitty bit of Globus
Oh like a Sandboxed Platform
Oh Lordy, Lordy, mixed with Free and Open Source Code
You know you lump it all together
And you got a recipe for a Multi Vendor Development scene
It is coming though, you know, you know.
What we have is a great big melting pot
Big enough enough enough to take every vendor and all IT's got
And keep it stirring for a hundred years or more
And turn out Application Service and Content Providers by the score.
With apologies to Blue Mink. -
The NSA?
What about the NSA? I'm sure that they take computer security a little more seriously. - Taj
-
Re:NSA == Spy && SecurityEnforcer
Uh, no.
Like most information intelligence agencies, NSA has two parts; they're prominently featured on the main webpage as "Information Assurance" and "Signals Intelligence." They are simultaneously a spy agency (in the SIGINT mission) and the government's security agency (in the INFOSEC mission.) -
Re:NSA == Spy && !SecurityInforcer
"It's a spy agency, not a security agency"
yes and no
The NSA is basically structured into two main departments. One, Signals Intelligence, is the "spy" side of the NSA. The other half, Information Assurance, is a defensive department. They are the ones who develop Security-Enhanced Linux and release the Security Configuration Guides.
-
Re:A secret agency
Damn foobarred link... NSA Mission statement
-
knee-jerk slashdot reactions
Did anyone who read the article stop to understand what the NSA is and what they will be doing?
I didn't think so.
The NSA is the last agency in the government which is not "100% Microsoft". They are the last agency which trusts no one but tolerates Unix and works on SeLinux. In the government you have every possible email server, firewall and other devices with little concern for interoperability or security. NSA is the only agency paranoid enough to truly secure our pitiful government and their contracted paper MCSEs. Expect big things if this were to truly happen (also expect to see a rise in *nix Government jobs open up all over the US). -
Re:NSA == Spy && !SecurityInforcer
You are wrong, the NSA's first goal is to break enemy cyphers, but a strong second goal is to keep our own cyphers secure. Witness the tweak to the DES sbox selection, it made DES more secure against a class of attacks that the civilian sector wouldn't reinvent for several decades. It makes sense to have your people that know the most about security and breaking into secure systems establish the practices for other agencies to follow, now having them actually enforce said policies is another matter. It might lead to hostility as well as turf wars between the NSA and other branches of the security sector.
Finally, from their own mission statement page.
The Information Assurance mission provides the solutions, products, and services, and conducts defensive information operations, to achieve information assurance for information infrastructures critical to U.S. national security interests. -
Re:NSA == Spy && !SecurityInforcer
NSA says differently:
The National Security Agency/Central Security Service is America's cryptologic organization. It coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information. A high technology organization, NSA is on the frontiers of communications and data processing. It is also one of the most important centers of foreign language analysis and research within the government.
This and more at their web site. http://www.nsa.gov/about/ -
NSA has -always- had dual roles
Once again, this is not news. NSA has always had the dual mission:
- Cryptography : the design and implementation of secret communications.
- Cryptology : the analysis of existing secret communications.
Here is their mission statement -
Re:NSA == Spy && !SecurityInforcer
Personally, I don't see a problem with it either. The NSA is already renowned for its ability to secure networks & systems very well. I believe they write many of the books & guidelines that government agencies and companies use to secure their networks. Perhaps we will see an expanded use of SE-Linux?
-
wake up and reconsider
The NSA is very fond of Linux.
-
Wrong
There are many examples of Unix systems with mandatory access controls, and role based capabilities. For Linux, you have GRsecurity, SELinux, and RSBAC.
There are others too.
-
What Top Secret Spooky Types Run
Basically, if you run Solaris 10, you are pretty much getting the same system run by Top Secret spooky types.
But... but... I thought the Top Secret spooky types were running their own Linux distro? And... haven't their "additional features" largely been made available to all of us? -
Re:Hardening systems works!
There are several Linux hardening projects around. Interestingly enough, they are somewhat orthogonal to each other, and tend to complement one another.
Here's a basic roundup of useful links:
-
Fixed NSA Article Link
Courtesy of Thebogey:
http://www.nsa.gov/snac/downloads_macX.cfm
Direct linking doesn't work because you have to agree to an acceptable use policy before downloading the article. -
Re:404
I know, www.nsa.gov/snac/os/applemac/osx_client_final_v.1.pdf is not only a 404, it's an IIS 404. Why should I trust someone to help me secure my machine if they are running IIS? -
Re:Better check their links
They've updated the version number and Apple's site hasn't updated the link yet. This works: http://www.nsa.gov/snac/os/applemac/osx_client_final_v_1_1.pdf -
Re:Better check their links
Here's the Security guide for OS X. It looks like they've revised it since they first listed it.
-
Re:404
You can find the doc if you go here: http://www.nsa.gov/snac/downloads_macX.cfm
-
Better check their links
In the Government section: Security guide for Mac OS X
The page cannot be found The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.