Domain: nsa.gov
Stories and comments across the archive that link to nsa.gov.
Comments · 1,061
-
Re:Then what?
And what happens when the DHS begins to use Linux/Solaris/et al and the attackers focus their attention on these products and find numerous and obvious vulnerabilities?
If they are obvious, then we already found them. Numerous... I don't think so, not in the core system. When a new Linux vulnerability comes out, it's big news and dozens of hackers descend on it immediately. Then when the fixes go out, they are *easy* to apply and highly unlikely to break anything unrelated in your system.
Any new features that go into core systems get heavily peer-reviewed for security impact. That's *proactive* security. This process has been going on for 30 years (long before Linux appeared) and you might say, it's reached a state of comparative maturity.
This is the difference between security as an afterthought and security as a process. Besides that, Linux 2.6 has a gleaming new plug-in security harness. This allows the user to tailor their own security system. For example, mandatory access controls allow the administrator to limit the actions of any process, even root. The impetus for this originally came from the NSA. You can bet that's interesting to government departments across the board.
-
Re:Why does he think it's spammers?
I think he'd be interested to know that Joe McCarthy was 100% right.
-
NSA Secure Linux going into the standard kernel
On August 13, 2003, with little publicity, the NSA Secure Linux was merged into the mainline Linux kernel. It's in 2.6.0-test3 and later kernels. There's also useful documentation at the sysadmin level, and the beginnings of a multilevel secure X-windows system.
It's not a magic bullet, but mandatory security just went mainstream.
What this all means is the ability to put programs into levels and compartments from which they can't escape. Security breaches in the mail handler or the web server can't propagate to the rest of the system.
The code is open source, GPL, and written by the United States Department of Defense's National Security Agency. It looks like Microsoft's attempt to shut down that project failed.
-
Uh Oh Spisghetti-0
Slashdot strikes out
reported by Anonymous Cannibal
In developing news, Slashdot.org has released yet another non-SCO related article. Slashdotters are drooling at the incoming news "They're on a roll now dude. A few more articles without the mention of SCO? I didn't think I would see the day" stated a fp'er.
"Ok so maybe we misunderestimate the potential of Slashdot, but answer me this, If a tree falls in an ocean does it make a splash? We here Texans, here in Texas, which of course is in the United Nations of America, value sites like Slashdot. At least they don't post forged articles". stated Slashdotter daprez.
Slashdot once upon a time was one of the hottest sites on the net, and the site which now boasts close to 600+ thousand users (most of which are duplicate users) is slowly going down the toilet. "Well I doubt if it is going to go away, if it did most of the admins there would likely commit suicide or something. I just want to see it go back to the basics and focus on news. Sure SCO is news, but do we really need it shoved down our throats four to five times?" stated another user via IRC who wished to remain anonymous.
So for those who are interested in real news, such as how China will replace every citizen's ID cards with Digital Cards, you can read this here, or if you care about the NSA possibly backdooring all software, you can read that too by clicking here. The CIA's statement on WMD? Sure right here, however, if you're looking for another SCO article, stay tuned, one will be available within the hour.
Numerous requests were sent to Slashdot administrative staff who never responded to our e-mails. We feel for them, and will make sure to send them carfare when the company goes under so they'll be able to get to the unemployment office.
2003 Slashdotter Strikes Back News
-
Three Cheers for Slashdot
Slashdot strikes out
reported by Anonymous Cannibal
In developing news, Slashdot.org has released a non-SCO related article. Slashdotters are ecstatic at the incoming news "Oh man I really thought it was the end of the road there for a minute, I mean last week was bad, but as of Sunday, I don't know how many SCO based articles they posted. I think it's somewhere in the low hundreds though" stated a user who wished to remain anonymous.
"It's exciting for the moment, but I know these morons will just post some other sickening story about a company that's about to go under any god damned moment". stated fx0rspy.
Slashdot once upon a time was one of the hottest sites on the net, and the site which now boasts close to 600+ thousand users (most of which are duplicate users) is slowly going down the toilet. "Well I doubt if it is going to go away, if it did most of the admins there would likely commit suicide or something. I just want to see it go back to the basics and focus on news. Sure SCO is news, but do we really need it shoved down our throats four to five times?" stated another user via IRC who wished to remain anonymous.
So for those who are interested in real news, such as how China will replace every citizen's ID cards with Digital Cards, you can read this here, or if you care about the NSA possibly backdooring all software, you can read that too by clicking here. The CIA's statement on WMD? Sure right here, however, if you're looking for another SCO article, stay tuned, one will be available within the hour.
Numerous requests were sent to Slashdot administrative staff who never responded to our e-mails. We feel for them, and will make sure to send them carfare when the company goes under so they'll be able to get to the unemployment office.
(c) 2003 Disgruntled Slashdotter
-
NSA Security Enhanced Linux
I don't know if I like the idea of having the California State Department of OSS or somesuch, but government agencies do in fact create OSS. One good example is NSA Security Enhanced Linux.
-Nick Bernstein
-
SE Linux
Would the NSA's Security Enhanced Linux kernel (http://www.nsa.gov/selinux/) count?
-
Re:Ironically , beowulf =Product of US Govt !
or let them go after this: http://www.nsa.gov/selinux/
-
Re:Cannonballs
Now by going after the US government themselves, didn't the NSA do some work on linux?
There has been no mention of it on the official SELinux mailing list.
-cp-
-
Thank god today's payday
So I can help fund shit like this...
Step 1. Microsoft wins homeland security contract worth $100 million
Step 2. Homeland security warns of flaws in microsoft software
So, this government has spent $100 million dollars to Q&A Microsoft products. Meanwhile, at the NSA, free security enhanced linux.
Your tax dollars hard at work. I'm going to buy a box of tea and throw it in Boston harbor.
-
Re:How long?
The sad part is that the NSA itself already was far ahead developing a secure OS that would do just fine for the dept of HS. Instead tax monies go to bill gates and his dancing monkeys.
-
Govt should use its own OS.
It's time the government started to realize its own linux version has been developed to preclude vulnerabilities such as these that are caused mostly by sloppy programming.
-
Re:Yet another reason to support GNU/HURD
Can you explain how The President of the United States has fuck all to do with this? Bush isn't smart enough to even grasp 99% of this shit yet you assign some implied evil conspiracy that involves the US government and its president in some anti OSS plot. Please explain this after you re-adjust your tinfoil hat. The US government uses Linux. The NSA has a Linux distro Security-Enhanced Linux Please explain this plot to us all, stay on topic or shut the fuck up.
I have been waiting for HURD for a number of years now and will not be holding my breath for its promised release. It will be attacked just as Linux has been in any case as soon as it becomes a threat to M$.
-
Archives
Try http://www.nsa.gov.
Seriously, I'm sure that a number of intelligence agencies have archives of this stuff. I believe the FBI used to get a USENET feed on 9-track 1/2" tape.
-
Spy museum, NSA,
Here be ideas:
- Spy museum in Washington DC
- North of DC, The NSA crypto museum
- The manly Rocketdyne F1 Saturn V Booster
- More thrust at the Alabama Space and Rocket Center
- Spam king Alan Ralsky's house
- A Lake Washington cruise past Bill's humble abode
- While in Seattle, the Museum of Flight
- North of Seattle is the largest building under 1 continuous roof at Boeing
- That Holy of Holies: Xerox PARC
- Another park, but of the vertical daiquiri variety, the Ouray Ice Park
-
National Cryptologic Museum
The National Cryptologic Museum is a place I try to hit every time I'm in the Baltimore/Washington area.
Some favorite exhibits include their working Enigma unit, a cut-away Cray XMP, a WWII Bombe processing unit and Bletchley Park presentation, a rare book collection, and a working 800TB robotic tape "silo."
There's also a good chance you'll run into docents who share history with the machines and projects on display - be prepared to hear some cool (unclassified) stories.
~doug
-
Re:Smithsonian Air & Space Museum
While you're in DC, go to the basement of the American History museum.
Also of geekly interest in/around DC are the Spy Museum (easy to get to; a couple blocks from the Metro) and the NSA museum (annoying to get to; about a 2-hour bicycle ride from downtown DC or half an hour from Greenbelt Metro).
The FBI tour is a total waste of time. The Bureau of Engraving & Printing (where they make the paper money) was a bit interesting (though a poor ratio of standing in queues to actually seeing stuff) but I believe the tours have been suspended. The Newseum was good but it's now closed until 2006.
-
True Geek Sights
Any Geek tour of America should include the following sites:
The NSA National Cryptologic Museum
The INEEL nuclear labs in Idaho - Home of the world's first nuclear power generation facility.
Tour of the Hanford Site near Richland, Washington. Home of the world's first large-scale nuclear reactor for production of weapons grade plutonium. Nuclear reactors, Plutonium Generation plants, lots of nuclear waste,... a must see!
Grand Coulee Dam, The largest hydroelectric dam in North America and one of the largest in the world.
If you're in the area you might also want to visit one of the various lower Dams on the Columbia and Snake rivers, which feature huge locks for transporting boats and barges above the dams.
If you're into Natural Disasters and biological recovery, visit Mount St. Helens, the volcano that erupted in 1980.
-
And nearby, just outside No Such Agency...
...is a small museum that is NOT to be missed for any geek: the National Cryptologic Museum. 30 minutes north of DC, lots of neat stuff, including one of the few surviving ENIGMA boxes
-
Washington DC/Baltimore info
I can give you a couple of hints for the area around Baltimore and Washington:
As well as checking out the Smithsonian Air and Space Museum go see the restoration facility where they actually work on the planes. They have so many planes they will be working on them for years. You can tell the un-restored ones by the oil dripping from the engines
Skip the spy museum and go see the real spy museum, the NSA museum. They let you play with a real German Enigma machine that is right next to the electro-mechanical computer that cracked its codes. The NSA is so secretive with their information that I didn't find out until later what was the key that allowed a machine to recognize when it found the right key in an encrypted message. It was because the German message always started with the same format.
For the best collection of railroad engines in the world check out the B&O Railroad museum in Baltimore, just visiting the parking lot you can see, touch, and climb on 15 or 20 historic steam engines
-
The National Cryptologic Museum
-
National Cryptologic Museum
Take a few hours to look around the National Cryptologic Museum. Lots of good geeky stuff there, plus NSA shirts and stuff. =] It's actually a lot more informative than I expected. I was imagining lots of poorly lit exhibits with every third word blanked out on the placard, but it's not quite so bad. Though the memorial to lost agents has a whole lot of missing names. You even get to play with a genuine Enigma machine...
-
Enough theory - try practice
Intrusion Tolerance is already being practiced, although another term for it is defense in depth.
Another poster has described how defense in depth and fault tolerance apply to firewalls, network infrastructure, etc. I'd like to mention host-based measures to slow an attacker down and limit the damage they can do.
One of the oldest host-based D-i-D measures is chroot jails. A 'chroot' in Unix means that an application is run with access to only a limited subset of the filesystem, one which does not contain interesting, useful, or leveragable files. This makes it harder for an attacker to leverage, say, user-level access via a buggy network daemon into root-level access, access to the system passwd/shadow file, or access to system binaries.
chroot isn't perfect; the process still shares access to the OS kernel and the network, and can leverage those.
LIDS is a Linux-specific solution. LIDS allows capabilities on a system to be locked down beyond the capability of even root to modify. For example, you can set /usr/bin/* to be read-only, and not even root can override that without first disabling LIDS. The ability to bind to network ports can be controlled; e.g. only /usr/sbin/sendmail can bind to port 25 (and /usr/sbin/sendmail can be made read-only). The ability to load modules into the kernel and access devices to do similar things (e.g. /dev/kmem) can be blocked. In other words, the ability of an attacker who gains root access on the host to rootkit it is severely degraded. There are still openings, though, e.g. root can access user's files.
Security-Enhanced Linux is the next step. Rather than emasculating root as LIDS does, it "has no concept of a 'root' super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms...." Privileges can be carefully handed out to protect the system from the users and the users from each other.
Even Windows can benefit from some careful configuration. Consider how NIMDA used the Windows TFTP.EXE binary to bootstrap its access up - why is TFTP.EXE executable by anyone on the system? Set ACLs on system binaries. Make sure the IIS web root isn't on the OS drive to block directory traversal attacks. Remove things that aren't needed.
I can't remember the attribution, but someone summed Intrusion Tolerance up by saying, "If you can't prevent it, you sure as hell better be able to detect it." Keeping the bad guys off the server may be impossible, but every little roadblock you put in to slow them down will give you a better chance of detecting them and stopping them before they capture the flag and end the game.
-
Re:A choice of unpleasant possibilities
You have no clue what you are talking about. Linux security is superior to that of any MS OS. When people talk about Linux vulnerabilities, they usually also include vulnerabilities to other open source apps. Sorry, but that is not Linux. Also, look at the exploits that have happened under Linux compared to MS OSes. Most of the ones you would find on Linux applications are very minor and fixed much faster than the MS "security through obscurity" method. Whereas the ones under MS OSes are usually far more critical like network services, Server attacks, Credit card theft, logging users DVD picks, Unpatched IE security holes, etc. I wonder why the National Security Agency picked Linux for a secure OS? These are just some of the holes we hear about. It is easy to hide all the small holes when you use a closed source approach. Sorry, but the MS Fisher Price(TM) OS is not in the same league as that of Unix and Unix like OSes such as Linux, *BSD and now MacOS X. Whether you like it or not, Unix and Unix like OSes are the dominant server platform and run most of the web for a reason.
-
Re:The screenshots prove it!
-
Re:NSA, CIA, HSA...
So why does the NSA employ the most people of any government TLA? FBI,CIA
Because the CIA's dirty work is mostly done by private corporate contractors (Wackenhut, Carlyle, and The Curry Company are the big ones), some entertainment companies (remember MCA, now part of Universal Studios but I'm sure they're still active in the community) and an assortment of airlines (Pan Am got screwed for helping out), shipping companies (still working on tracking these), and import/export businesses (mostly furniture and lighting, some appliance). There are also some strange connections to Scientology, The Landmark Education Corporation, and The Moonies.
The CIA has been known to work with terrorist organisations to achieve their desired objectives.
The FBI, CIA, and the DEA, also contract various crime organisations, individual criminals, and run of the mill citizens to do work for them. Often these folk have no idea who it is they are working for.
The NSA, for the most part, uses in house employees to analyze intelligence data, monitor foreign communications, and ensure the security of communications for the other departments and the military. In other words, they hire a lot of geeks, have some clue about the internet (they like it), and don't really mind if you encrypt your own data (security for all is more secure than security for some, plus breaking it will be a nice challenge.)
--qtp
-
I just can't believe this!
"a whistle-blower who helped sell software to the National Security Agency says that much of the development work is subcontracted to China,"
How incredibly STUPID..
And I thought the NSA was smarter than that.
They even have developed a secure version of the kernel and have it for public download http://www.nsa.gov/selinux/
My faith has been shaken...
-
Re:NSA, CIA, HSA...
Why don't you visit their website and attempt to find out for yourself what they do? Here are the two big terms to look for: SIGINT and INFOSEC. When you can tell someone what those are in your own words, you'll know what the NSA does.
-
Re:Did [Linux company] bid on this contract?
For that kind of money, why isn't the Army creating their OWN Linux distro? They could've started with the NSA's security-enhanced Linux and customized it from there. A half-billion dollars ought to be enough to build an operating system that would make OS X look like DOS. (Actually, I imagine it would cost much less to create their own distro -- perhaps only 10% of the Microsoft deal.)
What's more, the Army would have total access to the code, they could make changes as needed, and they'd never have to spend another dime on OS licenses.
I can't see any way that this deal makes sense. What a waste. Until I hear better, I'm considering this theft by cronyism.
-
IBM violated export regs? What about the NSA?
I mean, really... They have a distribution available for download (and based off of one of the allegedly-in-violation kernels, to boot!):
The Linux kernel sources in the NSA SELinux distribution are based upon those found at www.kernel.org.
-
NSA Linux
Let's not forget that the Government - no, let's be precise, the National Security Agency is also a Linux distributor.
I'd love to see the fireworks when SCO tries to sue the NSA.
-
Just mainly kernel patches
We're not talking about going through every line of code in an entire Linux distro.
From their FAQ:
> # What does your distribution include?
> Security-enhanced Linux includes patches to the Linux kernel and patches to a number of standard tools and utilities. It also includes a number of new utilities, support files, and documentation. By far the easiest way to build and install Security-enhanced Linux currently is to duplicate our source trees (lsm-2.4 and selinux) and follow the instructions in selinux/README. We have provided compressed archives of our source trees, as well as several ways to build it by acquiring only our modifications from our web site (http://www.nsa.gov/selinux/). As time permits, we intend to create or modify the RPM spec files as appropriate and provide SRPM format files.
The download should verify this. In fact, I downloaded the patch to the 2.4.20 kernel, and it topped out at just over 40,000 LOC changed, including what looks to be a good amount of documentation. While that's a decent chunk of code to review, it's not the 5,399,647 LOC (I just counted) that go into the 2.4.20 kernel itself.
So if you're really paranoid, go check it out.
-
Re:Gawd. If code were written that way . . .
Gawd!
It ain't that hard.
Basically:
1) It defines OSS & GPL
2) Says they're OK to use provided:
a) They comply with the same DoD policies for equivalent Off the Shelf software
b) They comply with the requirements defined by the National Security Telecommunications and Information Systems Security policy.
c) They're configured as per DoD approved security configurations from http://iase.disa.mil and http://www.nsa.gov.
d) You don't break any licenses.
That's all!
-
Re:Made for OSS..
Yeah, as I was reading that article, I was struck by how handy something like a secure version of LiveJournal would be to an intelligence organization. Each analyst could post things up, works in progress, tidbits of interest, or formal product, which could then be syndicated by other analysts and consumers of analytic content in a fluid manner (NB: obviously would need some additional access, authentication, and authorization infrastructure to regulate who can syndicate what). Further, the LJ codebase would allow feedback on each entry in the analyst's "text stream", or I should say "media stream". And as a bonus, clients exist to talk to LJ servers from pretty much any platform, and most don't require any knowledge of HTML or similar technologies by the end user. The source code for the LJ server system as well as most of the clients is available here but as usual for any outside product, it'd probably be wise to commission a source review of it before putting it into production in a secure environment. (This may be one way to help fund the projects, if possible, by commissioning project developers to contribute to the security process, and allowing the non-agency-specific security changes to be rolled back into the public sphere, analogous to the NSA's SELinux.)
-
My educational plans:
I'm an undergraduate student going towards a CS. After I graduate I plan to get a master's from an educational institution recommended by the NSA. Keep in mind that some schools on this list have better programs than others. Georgia Tech has a highly technical program while Carnegie Mellon has a great organizational program. Both schools deal with all topics, just to different degrees. I have heard the argument that experience is better than education. In my opinion, both are important.
If you are looking for a less formal learning experience, you could check out DEFCON, which is an annual conference for hackers. There are also other more formal conferences which cost lots more. (ApacheCon, DallasCon etc.)
If you are looking for thorough documentation, you could check the Open Source Security Testing Methodology Manual. Network and other computer security topics are extremely important and very important and interesting.
-
How I will do it:
I'm an undergraduate student going towards a CS. After I graduate I plan to get a master's from an educational institution recommended by the NSA. Keep in mind that some schools on this list have better programs than others. Georgia Tech has a highly technical program while Carnegie Mellon has a great organizational program. Both schools deal with all topics, just to different degrees. I have heard the argument that experience is better than education. In my opinion, both are important.
If you are looking for a less formal learning experience, you could check out DEFCON, which is an annual conference for hackers. There are also other more formal conferences which cost lots more. (ApacheCon, DallasCon etc.)
If you are looking for thorough documentation, you could check the Open Source Security Testing Methodology Manual. Network and other computer security topics are extremely important and very important and interesting.
-
In hidden ways, the U.S. government is violent.
It's painful to me, but I have had to accept that the U.S. government is corrupt in some ways. United States government agencies, such as the NSA, CIA, and FBI, have become global police that operate mostly in secret, without control or oversight by the people, and mostly without any kind of effective external control. United States citizens are allowed to know about these agencies only what the U.S. government wants them to know. (NSA is National Security Agency. CIA is Central Intelligence Agency. FBI is Federal Bureau of Investigation. These are official U.S. government web sites.)
Hidden elements of the U.S. government have become the most violent force the world has ever known, with a long history of acting in a violent manner and supporting violent dictatorships: The U.S. government has bombed 24 countries in the 58 years since the Second World War. The list below includes only countries bombed, not countries in which the U.S. government was responsible for other violence. The list includes only violence since the Second World War, not the extensive violence before the war. Most U.S. citizens are surprised and skeptical when they see the list, so a few links have been provided to supporting information. For more information, try the Google search engine or see the links below.
- Afghanistan, 1998, 2001, 2002, 2003
- Bosnia, 1994, 1995
- Cambodia, 1969-70
- China, 1945-46
- Congo (now Zaire), 1964
- Cuba, 1959-1961 ("Bay of Pigs" invasion)
- El Salvador, 1980s
- Grenada, 1983
- Guatemala, 1954, 1960, 1967-69
- Indonesia, 1958
- Iran, 1987
- Iraq, 1991-2000, 2003 (The U.S. government used radioactive bombs in the first war against Iraq. See United States War Crimes Against Iraq for what appears to be an accurate history.)
- Korea and China, 1950-53 (Korean War)
- Kuwait, 1991
- Laos, 1964-73
- Lebanon, 1983, 1984 (both Lebanese and Syrian targets)
- Libya, 1986
- Nicaragua, 1980s
- Panama, 1989. The U.S. government called it "Operation Just Cause". The link is to a U.S. military web site.
- Peru, 1965
- Somalia, 1993
- Sudan 1998. There are doubts that the pharmaceutical plant that was bombed was making weapons.
- Vietnam, 1961-73 (An estimated 2,000,000 Vietnamese were killed.)
- Yugoslavia, 1999
There are many sources for this information. For example, see this PBS web page: PBS: A Chronology of U.S. Military Interventions (PBS is the Public Broadcasting System in the U.S.) Also see From Wounded Knee to Afghanistan: A Century of U.S. Military Interventions [zmag.org] and The government of the United States is a consistent opponent of international law. [
-
SCO suing Nasa?
Wasn't NASA also involved in the development and testing of NSA secure Linux?
Does this mean that SCO is going to sue the government too?
-
Mandatory Access Controls!
There's not a whole lot new and interesting in terms of security on the network side of things. Lay out your network properly, use a DMZ, firewall (preferably Linux's iptables with stateful firewalling and something like shorewall to make it easy to use) and use IDS etc. Actually, one kinda new and interesting thing you can do on the network side of things is to use User Mode Linux to set up a fake network (all running on one box) of tempting looking target machines simulating your production network and watch for people to poke at it. It serves as a good control subject to compare against your IDS results to reduce false positives. If anything is hitting your honeypot you know it's hostile.
But the real recent innovation in the host based security area is Mandatory Access Controls. ugo+rwx and unix uid's are all part of discretionary access controls. Users can make their .rhosts world writeable and can often use suid binaries or buffer overflows in daemons running as root to elevate their privs. But if you have a kernel enforced mandatory access control system these things cannot happen. I have been playing with SE Linux for a while now and I really like it. I just created a security domain/role for the freenet daemon to run in. If someone exploits it and gets a root shell they will be trapped in freenet's domain which is restricted to least privilege. Even if they get root they cannot hurt the system. Mandatory Access Controls take the fangs out of root. I have put up my freenet domain config file for your viewing pleasure here. Note that it is still a work in progress. SE Linux is very flexible and secures the entire machine from any root exploit I have seen used in recent years. It would have prevented my personal box from being rooted by that ssh bug that came out a couple years ago!
As they say, it is "Military grade security at Open Source prices!"
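The discretionary-versus-mandatory distinction drawn in the comment above, as an added toy model (not part of the original comment, and not SELinux policy syntax or the poster's freenet configuration): a reference monitor in which uid 0 overrides mode bits but a default-deny type-enforcement table is still consulted. The domain and type names, paths and rules are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    uid: int
    domain: str   # MAC label assigned by policy, not chosen by the process

@dataclass(frozen=True)
class File:
    path: str
    owner: int
    mode: int     # classic owner/other rwx bits, e.g. 0o600
    ftype: str    # MAC label on the object

PERM_BIT = {"read": 4, "write": 2, "execute": 1}

# Constructed allow rules: (domain, object type) -> permitted operations.
# Any pair or operation not listed is denied (default deny).
TE_ALLOW = {
    ("freenet_t", "freenet_data_t"): {"read", "write"},
    ("freenet_t", "lib_t"): {"read", "execute"},
    ("sysadm_t", "shadow_t"): {"read", "write"},
}

def dac_allows(proc, f, op):
    """Discretionary check: owner-set mode bits, with a simplified root override."""
    if proc.uid == 0:
        return True
    shift = 6 if proc.uid == f.owner else 0   # group class omitted for brevity
    return bool((f.mode >> shift) & PERM_BIT[op])

def mac_allows(proc, f, op):
    """Mandatory check: policy table only; the uid is never consulted."""
    return op in TE_ALLOW.get((proc.domain, f.ftype), set())

def access(proc, f, op, mac_enabled=True):
    """Both layers must agree; neither the file owner nor root can relax the MAC layer."""
    if not dac_allows(proc, f, op):
        return "denied (DAC)"
    if mac_enabled and not mac_allows(proc, f, op):
        return "denied (MAC)"
    return "granted"

# Constructed scenario: a root shell obtained inside the confined daemon's domain.
SHADOW = File("/etc/shadow", 0, 0o600, "shadow_t")
STORE = File("/var/freenet/store", 1001, 0o600, "freenet_data_t")
ROOT_IN_FREENET = Process(0, "freenet_t")

if __name__ == "__main__":
    print("DAC only :", access(ROOT_IN_FREENET, SHADOW, "write", mac_enabled=False))
    print("DAC + MAC:", access(ROOT_IN_FREENET, SHADOW, "write"))
    print("own data :", access(ROOT_IN_FREENET, STORE, "write"))
```

The first call shows why a root shell is fatal under mode bits alone; the second shows the same process stopped by the policy table even though its uid is 0.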
-
The Education of a Poker Player
The Education of a Poker Player by Herbert O. Yardley is one of the best books I've ever read on poker. Incidentally, H.O. Yardley was one of the first employees/agents of what became the National Security Agency; his specialty was cryptology/cryptanalysis.
-
Open Slashdot post to NSA
> Why don't those in charge understand that it isn't in _their_ long term interests?
Preach it brother.
I support most of the actions of the Administration, particularly in foreign policy.
This action, however, is shortsighted. Dumb. A big fucking mistake. 10 pounds of stupidity in a 5-pound bag.
NSA, if you're reading this (and we all know you are :), thanks for a nice after-dinner "snac" of consolidated security tips I can pass on to my users. I humbly submit that the "Secure American b0xen against furriner 0wnij" part of your dual mandate demands that you deliver a righteous bitchslapping upon the right people in the right places as regards open source development.
Politicians don't listen to geeks, because we don't speak politician. They might listen to you.
-
Re:I hate to point this out...
actually, check the "What's new or Updated" link here for the lazy.
says the win2k guide updated next month ;oP
5-Mar-03
and yes, the cisco guide is a bit old at 10-feb-03 and the xp guide even older at 6-feb-03 (my b-day!)
and i think a lot of people out there that have to maintain Microsoft servers, so this may be advantageous to someone...
-
Re:While I suspect ...
...Kind of like when NSA backed off on doing security for Linux...
Perhaps a contradiction to what you are saying, but his earlier post pointed out that the NSA just put out a new SElinux release...
www.nsa.gov/selinux/news.html
-
If they're interested in math...
You might want to show them this page:
http://www.nsa.gov/programs/kids/standard/index.shtml
The NSA has some pretty cool puzzles up there. Some are pretty easy, but there are plenty that will even confound most adults. If you want them to really stretch their minds, have them try it. (They have difficulty ratings for things to help you decide what to try too.)
From the site:
Puzzles come in three levels. Elementary level is appropriate in content and difficulty for elementary school students in grades three through five. Intermediate level puzzles are geared for middle school students. Master puzzles are the most difficult and are designed to be challenging for high school, college students, and adults as well.
-
_Correction_
Ummm, exactly WHY do you think the NSA seems to have suddenly stopped contributing code to the NSA security enhanced linux project?
I suppose the NSA stopping all development on SE Linux is the reason that they just posted updates one week ago to SE Linux, as well as in January 2003, December 2002, and October 2002, all of which took place after this article reported them dropping the project (August 2002).
Not to flame, but just check your sources first next time ;)