Domain: nsa.gov
Stories and comments across the archive that link to nsa.gov.
Comments · 1,061
-
Re:Linux
...You mean like SELinux?
SELinux Background
Researchers in the National Information Assurance Research Laboratory of the National Security Agency (NSA) worked with Secure Computing Corporation (SCC) to develop a strong, flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system. The NSA and SCC developed two Mach-based prototypes of the architecture: DTMach and DTOS. The NSA and SCC then worked with the University of Utah's Flux research group to transfer the architecture to the Fluke research operating system. During this transfer, the architecture was enhanced to provide better support for dynamic security policies. This enhanced architecture was named Flask. The NSA integrated the Flask architecture into the Linux® operating system to transfer the technology to a larger developer and user community. The architecture has been subsequently mainstreamed into Linux and ported to several other systems, including the Solaris™ operating system, the FreeBSD® operating system, and the Darwin kernel, spawning a wide range of related work.
-
Re:Why am I not surprised?
Although this situation is clearly unacceptable, I would not have called your remark insightful. Apple has been pretty busy with the security updates:
http://support.apple.com/kb/HT1222
As a whole, I would say Leopard is pretty secure (when compared to Linux, compared to Windows it's ironclad). If additional security is required, consider:
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#AppleMac
-
Re:Geeksquad.Gov
I could be missing the joke, but isn't said agency the NSA?
-
Re:Not as many?
There are plenty of ways to hack all OSs. Maybe a generic underhardened Windows install has more known ways...but how would one even quantify what is known and not known.
When getting attacked by the NSA, I'd prefer to use something that they developed to stem such an attack. And I don't want to hear, "well they developed it, so they probably have a backdoor." The many eyes argument definitely applies, since patches from the NSA would undoubtedly come under much more scrutiny. Especially since this has yet to be proven for other operating systems.
Anyway, the winning team was using Fedora 8, which has SELinux on by default.
-
Re:Linux
NSA linux : http://www.nsa.gov/research/selinux/index.shtml
-
Degaussing without disassembling drives
"I don't think disassembling the drives is part of their procedure."
I remembered that being permitted, provided certain requirements were met by the degaussing equipment. I just double-checked the EPL, and it seems there is more such equipment than I remembered. Perhaps things have improved since I last looked, or perhaps my memory was just faulty. I know we were only interested in the cheaper hand wands, which do require disassembly, so perhaps my memory magnified that part of the document.
You can find the NSA Evaluated Products List online:
http://www.nsa.gov/ia/_files/Government/MDG/NSA_CSS-EPL-9-12.PDF
-
Let an Apple tech physically disable the camera
You can have the camera/microphone removed from your Apple MacBook. To quote from the Mac OS X Security Configuration for Version 10.5 Leopard Second Edition, Chapter 3 pages 50-51:
''If your environment does not permit the use of the following hardware components, you must physically disable them
...Only an Apple Certified technician can physically disable these components without voiding the warranty on your computer. A limited number of Apple Certified technicians can remove preapproved components.
After an Apple Certified technician removes the component the technician logs a special note with Apple Care, indicating that the computer has had a component properly removed. Most components removed by Apple technicians can be reinstalled, if needed.
To locate a Certified Apple technician go to: www.apple.com/buy.
Also, see your local Apple representative for more information.
Note: If you are in a government organization and need a letter of volatility for Apple products, send your request to AppleFederal@apple.com.''
FYI: A similar action can be taken for hand held devices such as an Apple iPhone.
BTW: You can still use an external camera/microphone for services such as iChat on a MacBook where the built in devices have been removed. When permitted, plugging in an external camera/microphone will temporarily restore such capability. Moreover, by physically removing such external devices when they are not in use, you can better control them.
:-)
So buy your MacBook, have an Apple Certified technician remove the offending components, and if needed get a letter of volatility. Q.E.D.
-
Re:Civilans Need To Apply.
when you are done stroking your ego-
NSA - job search - http://www.nsa.gov/careers/jobs_search_apply/index.shtml
-
Re:From the article :)
You mean like this one: http://www.nsa.gov/careers/index.shtml?
-
Re:Speaking as an ex-tester - he's right
Just answer this question:
Linux has PAX and grsecurity/SELinux support.
PAX handles (mostly) stack randomization.. the equivalent on Windows is DEP which is only enabled for system services. but, OK, all fine.
Now tell me which is the equivalent of SELinux on Windows?
Now have a look at this and enlighten yourself:
http://www.nsa.gov/research/selinux/index.shtml
-
Re:Enforcing compliance...
3. Inspector then moves on to the server room, where Linux is installed. Inspector can't determine that "latest Microsoft patches are installed", so machines are marked as non-compliant.
The Federal Government uses Linux as well and there are published security standards for it. The NSA and DISA both publish security guides and implementation guidelines for Linux. NSA Secure Configuration Guides, DISA STIGS. This will require training for your typical enforcement droid but is not out of reach. To say that regulation would require Microsoft only is ignoring the fact that *nix is very much in use in the Federal Government.
-
"TEMPEST: A Signal Problem"
You are correct. See
http://blog.wired.com/27bstroke6/2008/04/nsa-releases-se.html
for a summary and see
http://www.nsa.gov/public_info/_files/cryptologic_spectrum/tempest.pdf
for the recently declassified document. The discovery of this problem is dated to 1943.
-
Re:All this stuff is just made up crap.
They've had a museum for a while and while not, "here's our project list for the week" it does have quite a bit of information about what they've done in the past (including exhibits on supercomputers and Venona documents). For an agency whose name was considered No Such Agency, I was pleasantly surprised.
-
NSA mission
The object of cybersecurity is to prevent people from interfering with our computers. The NSA's JOB is to interfere with our computers.
Actually, the NSA is charged with the security of the nation's communications, including the private sector. "National Signals Agency" would be a better expansion ("signals" including communications and computers in the GOVSEC world). Sure, they spy on everybody. How much spying they should do is a quagmire of a political debate I'm not about to involve myself in here. But they also work to make sure the nation's signals infrastructure is secure.
As I pointed out in another post, the NSA publishes a lot of security guidance. It's very well written, very real-world oriented, and public. The private sector would do well to take lessons from it.
http://www.nsa.gov/ia/guidance/security_configuration_guides/
They've largely given up on controlling crypto. Of course, that just leads one to wonder -- is that because they've recognized it as a lost cause, or because they don't need to control it to crack it anymore?
-
NSA knows more than you do (no pun intended)
so, NSA, leave it to people who know internet
Um, yah. Do you have any real idea what you're talking about?
The NSA is full of very smart people. They employ more mathematicians and computer scientists than any other organization in the world. Their IA division is very good. They publish a lot of very good, public computer security guidance. The computer world would be a more secure place if most organizations tried to adopt some of their recommendations.
Check out http://www.nsa.gov/ia/guidance/security_configuration_guides/ some time. Chances are, the computers you're using to post your mindless spiel could benefit from following the instructions there.
-
a summary of the arguments of the discussion
for everyone requiring arguments:
Who told you that OSS is less safe than closed source?
A representative of a company who wants to sell!
MS is known to have used a business tactic known as Fear, Uncertainty and Disorientation
Facts are:
MS source code can be obtained by Hackers/Crackers through illegitimate channels - the availability of source code is not an argument.
Thousands of experts monitor OSS source code and vulnerabilities are discussed in the open. Hackers recognizing vulnerabilities in MS source code are not to publish it, but to write exploits!
Number of successful attacks on MS and other closed source products in comparison to OSS products speaks for itself.
Average workload consumed per machine for remedy of exploitation code (malware removal) was per Windows machines 20 manhours, for Linux machines 0.01 hours at a company running 5000 PCs
You can offer security tests and penetration tests to your customer!
The largest institutions and companies where security is an issue use Linux
- DoDs http://www.desktoplinux.com/news/NS3846976086.html http://www.forbes.com/2003/06/20/cz_eb_0620linux.html
- NSAs even created SE linux http://www.nsa.gov/research/selinux/
- IBM - you know IBM?
- DHS http://searchdns.netcraft.com/?position=limited&host=dhs.gov
- FBI http://searchdns.netcraft.com/?restriction=site+contains&host=fbi.gov&lookup=wait..&position=limited
- Navy http://searchdns.netcraft.com/?restriction=site+contains&host=navy.mil&lookup=wait..&position=limited
- Air Force http://searchdns.netcraft.com/?restriction=site+contains&host=airforce.com&lookup=wait..&position=limited
- Amazon http://news.cnet.com/2100-1001-275155.html
- Google just google Google about use of Linux
Contraindications - or failures of MS installations in the media:
- French http://economictimes.indiatimes.com/Infotech/Computer_virus_grounds_French_fighter_planes/articleshow/4094774.cms
- British http://www.theregister.co.uk/2009/01/15/royal_navy_email_virus_outage/
- US http://www.networkworld.com/community/node/38384
-
Four Simple Words.
The NSA uses Linux. http://www.nsa.gov/research/selinux/
-
Re:*sigh*
If it's good enough for the NSA, it's good enough for you.
Yeah, 'cause we all install SE Linux on our servers and desktops...
You're a fucking idiot, as are the people that modded you up.
-
*sigh*
If it's good enough for the NSA, it's good enough for you.
-
I found some of the redacted text
So here I am reading the document linked in this story when I get to page 85 about tempest. I encounter the phrases "He sauntered past a kind of carport jutting out..." and "a carefully concealed dipole antenna, horizontally polarized." And I thought...I've heard these exact words somewhere else before. Where would I have encountered this exact wording from a document which has been declassified just in the past few days? I dumped the phrase into google and sure enough:
http://www.nsa.gov/public/pdf/tempest.pdf
Here it is in this document about tempest which was declassified 9-27-2007. It contains a lot more about the story in Japan and tempest etc.
And I notice that this document contains what is certainly the redacted paragraph in the other document between the paragraph about the discovery of the antenna and the one that begins "Why, way back in 1954, when the Soviets published a rather comprehensive set of standards..."
This paragraph is about how 40 microphones were found in the US embassy in Moscow and talks about a "large metal grid buried in the cement of the ceiling over the Department of State communications area" and that it had a wire leading off somewhere. Apparently such things were being found as far back as 1953 and the US did not know what their purpose was.
The next paragraph puts the above into context when it says that in 1954 "the Soviets published a rather comprehensive set of standards for the suppression of radio frequency interference". So the previous paragraph reveals some details about what kinds of devices were found but the second paragraph goes on to imply that the Soviets may have been listening in on our unencrypted electronic communications for at least 10 years before the US figured out that it was possible to do so and took action.
It's funny how something which would seem so obvious to us now in hindsight baffled the NSA for at least 10 years. It is also funny that it is possible to reconstruct redacted materials from declassified documents using Google due to the use of cut and paste from a document written back in 1973.
-
Tape Dispenser Plans Missing on NSA Website
Uh oh, someone stole the plans for the NSA Tape Dispenser, it is missing from their Domestic Technology Transfer Program website! http://www.nsa.gov/techtrans/techt00075.cfm
-
Re:Fitting Name
-
Re:HAHAHAHAHAHAHA
"The year of Linux on the desktop"!
Maybe not.
http://www.nsa.gov/selinux/
-
Re:Open it all up
-
Re:Let the Testing begin...
Ok, here are some real facts about how this works.
Under the Common Criteria (CC), people with financial ties create the product. They (or another sponsor who wants the product evaluated) pay an independent lab (CCTL) to evaluate it. Labs are certified by NIAP, a partnership of NIST and the NSA Information Assurance directorate. (The NSA has two main parts, the other is Signals Intelligence.) The independent lab evaluation is overseen by a Validation team employed by the government, who reviews the process and results of every evaluation, including all vendor evidence, before it is certified. The Validators also oversee the labs for proper execution of the CC. Once it passes all these reviews successfully it is certified.
Certifications are tiered by Evaluation Assurance Levels (EALs), from 1 to 7. Generally, the higher the EAL, the greater confidence there is in the vendor claims. This is NOT the same as being more secure!
The way to use these certified products is to select a product family (say firewalls), and review at a minimum two documents: The Security Target (ST) and Validation Report (VR). The ST is written by the vendor or sponsor, and basically contains the security claims they're making for the product, and how they expect the product to be used. The Validation Report describes how those claims were evaluated, and what notable things the Validation team observed during the evaluation. After reading both of these documents (usually not more than 100 pages - pretty short for 1-2 years of work) you can determine if the product can be used in its certified configuration in your environment.
Check out some interesting operating systems, like Windows XP, Mac OS X, or one of the Linux's.
It's certainly not perfect, but it's better than what we had.
-
For Mathematics....
there is always the world's largest employer of mathematicians to consider.
the best toys, with only one catch....you can't brag about it.
:)
-
Interesting museum
The National Cryptologic Museum, I found it very interesting. If you are in the area you might give it an hour or two.
-
Re:Ooooohhh.....ahhhhh....
-
Re:Not the same
The NSA program was designed to listen in on US citizens talking to people on a known terrorist list. One part of the conversation was always international and one part was domestic.
Care to show me all of the national security letters that document this? Oh, wait, that's right, they're classified and impose an immediate gag order on anybody who receives one.
As we all know, the government would never lie to us, especially to go to war, and especially not the NSA. Of course, when caught red-handed in their own documents, they claim that "The opinions expressed within the documents in both releases are those of the authors and individuals interviewed. They do not necessarily represent the official views of the National Security Agency."
Please tell me why I should trust anything that the NSA says at face value.
-
Re:Mostly inteligence - not code
Just one counter example: selinux came from the NSA. A pretty big "give back".
http://www.nsa.gov/selinux/
There is a LOT of government written code available. In fact many of the biggest and most complex free software systems were developed and given away by the US government. It's just that they typically do not write word processors and games so your typical home user does not see it.
I can think of many examples most from the areas of science and engineering. Here is one
http://www.nec2.org/nec_hist.txt
-
This is not a nerd joke guys
As Linux and FreeBSD in that point today, someone needs to investigate who or which board had the genius idea of putting Windows to Space. It smells really, really dirty.
I like OS X and Apple but if I had something to put on Space, it would be SE Linux ( http://www.nsa.gov/selinux/ ) or Trusted BSD http://www.trustedbsd.org/ and nothing else. It is not like they will play God damn DirectX games there. If scientists require Windows, again, they need to get investigated too. GNU doesn't put millions of hours of free work on Fortran support etc. for nothing. If scientist can't code plain Fortran/Java or C code, he is not a scientist.
This is not a regular, "Oh look how stupid they are" thing. If one digs it enough, there could be some sort of Space-Watergate scandal out of it.
Putting a Windows to space is something like amazing joke. As nobody would joke with billion dollar equipment, it must have some background.
-
Try This
Try this:
Set up any box, make it OpenBSD, hell, SELinux.
Lock that bad boy down, complete with Honeypot.
Then go here - piss these guys off (not hard - be patient): http://www.wolfware.dk/intro/welcome.asp
Did I remind you to watch from a disk-loaded Linux box?
A good time will be had by all.
You'll have to toss the hardware on both machines, but eh, if you grab the Honeypot traffic (if they don't catch it) you could write a book.
PROFIT !!!
-
Re:Who are you trying to fool?
I rather think that the amendment does allow the surveillance of U.S. persons, as long as they are not the "target" of the surveillance, and as long as they are speaking to a person reasonably believed to be a non-U.S. person who is not in the U.S. I was careful not to claim it allowed it for evidentiary purposes, although that claim may have indeed been too careful.
FISA may have contained no prohibition against targeting non-U.S. persons on U.S. soil (I admit to not having read the original legislation), but I think that you'd agree with me that such actions have a fair chance of not being allowed by the courts because of the fourth amendment (of course, I can't say anything about throwing the people in a military brig, but I am not sure if the evidence has to be collected legally in such proceedings anyway). Thus I make the argument that we can let the courts sort it out and that defining the powers of FISA is hardly of overreaching importance, compared to accountability.
You wrote quite a post there, but it seems that the only thing I may have really been wrong about is whether the old FISA explicitly required warrants for the surveillance of non-U.S. persons in the U.S.
I just did take a gander at the original text of the bill, and you can see quite clearly that in 1802 the original bill allowed warrantless wiretapping only in the case of communications between two foreign powers or terrorists (and as you say, there is no mention of whether the individuals representing said powers are in the U.S.). I don't think there is a huge amount of outrage over that, since, again, as you have said, it has been the case for decades. The old FISA explicitly says, however, that surveillance may be conducted when "there is no substantial likelihood that the surveillance will acquire the contents of any communication to which a United States person is a party;" I suppose the amendment does explicitly define this as a U.S. citizen or a foreign national with a valid visa, but the original seems to imply that a U.S. person is a person who is in the U.S., although the NSA claims that U.S. persons have been defined by federal law and executive order as citizens and permanent residents.
The amendments do change the oft-repeated exclusive means clause...instead of FISA being the exclusive means by which surveillance of U.S. persons is conducted, now it is the exclusive means by which domestic surveillance is conducted. I agree that this bodes well for "any person known at the time of acquisition to be located in the United States" (i.e. those with temporary visas), although one could only hope that the courts would continue to rule that the constitution applies to all those within the U.S., whether resident or not. If, for example, the court were to decide that the constitution does not apply to U.S. citizens when not in the U.S., then it seems to me that under the new "domestic surveillance" phrasing, U.S. citizens abroad could be surveilled freely, just not using FISA procedure, especially if the gathering were not done inside the U.S..
I'm not a lawyer, so I may have missed some intricacy of the text, but it seems to me that, at best, this bill reiterates the protections of those visiting the U.S., protections which could have only have been denied in any case by a rather loose reading of the constitution by courts, while at worst, it allows the warrantless surveillance of U.S. citizens and persons, as long as they are communicating with a foreign person located outside the U.S. who is the explicit target of the surveillance (a provision which itself is arguably unconstitutional). At this point it occurs to me that I have been throwing "evidentiary" around rather loosely...it really does not say that surveillance of U.S. persons who are not the target can or cannot be used for any purpose. Thus, I brought up Al-Haramain, making tha -
Re:Full-disk is the way
you're not a fool per se. everything has deficiencies of one sort or another. but have you looked to see whether there is any configuration guidance for your particular choice?
I know NSA IAD has a security configuration guide for MacOS X. It may include a section on FileVault. If so, it ought to be at least a good place to start from and provide you with good search terms.
http://www.nsa.gov/snac/downloads_macOSX10_4Server.cfm?MenuID=scg10.3.1.1
-
Slashdot masturbatory fantasies
Ok, you've got $50B in the bank and you want to build the ideal desktop, server, supercomputer and portable device OS for all people. In addition to the money you have accumulated the world's largest collection of professional programmers, systems engineers and managers from around the globe. You've got a first class distribution network, peered server farms and media pressing manufacturers the world over. You've partnered with every major OEM since the beginning of time, so you have full specifications for all the hardware there is. Let's have some criteria...
- Take out the trash. Interpret that as you will.
- Now is a good time to consider security. Now keep it in mind throughout the rest of this post. It's hard, I know. Try. Try really hard. If you make a good start the NSA might help you. If anybody knows about IT security, they do.
- Employ some black hats to keep you honest on security. Give them fiat to break your stuff. Pay them well to keep your secrets, then try to compromise them with strippers. If it doesn't work they'll still respect you and you'll have improved the strippers' economy.
- Architect your solution using proven practices -- separate functions by critical elements and include only the necessary in the core system. Use peer review. You can afford a subscription to Communications of the ACM. When your system architects have mastered the patent expired (pre-1990) material, they might be ready to lead a team of programmers.
- Choose a good set of toolchains that include every programming language since CP/M was kicking your butt. Because developers don't like to be told which toolchain to use.
- Cross platform is not "runs in the last two versions of Windows". Make sure the thing can be ported to every hardware architecture there is -- including systems designed to prevent just that like the XBOX. Include alien processors and systems like Sparc, Power and Cell. Don't forget to include obscure crap like SNOBOL and APL - the few freaks who use that stuff really love it. Remember that every build must run in the user's choice of VM environments. When you let the users do what they will, they do the most amazing stuff.
- Allow for multiple user interfaces based on user choice -- web-based, terminal based, GUI are only major categories of options, not individual choices. Some people like thin clients, so make sure they're supported fully.
- Choices are not hierarchical. The subchoices of a major choice often overlap in interesting or useful ways.
- Build a separate version for every conceivable field of endeavor. Archaeology? That's going to need GIS software, modelling software, a good browser and office package and a hundred other things. Make that many separate versions. Even specialists like choice. Architects? That's another suite. Don't be stingy. Every desktop needs an office suite or three, a CAD program, several browsers for the users to choose from and many other things. That way end users (or network admins) can choose. Try to get each one to install from a CD if you can, or a DVD at worst. Larger volume distribution media should be reserved for distributions that also include considerable multimedia content.
- Make sure the thing scales from the feeble 386 processor available in some old embedded devices to the largest supercomputer currently in use, with additional consideration for how extreme the next 20 years might expand that horizon. Absurd Limit Theory is your friend.
- Let go of stupid licensing. Your product's licensing cannot be so obscure that it takes three months with legal six months into a project to discover that licensing is not available for this use. It's also not acceptable
-
Re:Why does the Army have a love affair with Windo
If you have root access on a Linux machine, they can't do anything short of removing your physical workstation to keep you from installing, or even compiling, your own software.
I think the NSA would disagree with you...
-
Re:They lied!
Documents like this will encourage people like me to at least look at Apple when considering purchases.
I understand that there are environments where the default level of security of workstations is insufficient and hardening is needed. The thing is, if you're administrating such an environment and need to harden your systems a bit more, you should already have read the similar hardening guide for OS X that was published by the NSA (or at least be aware of it since it was discussed in hundreds of security forums when released). It was for Panther at the time, but not much has changed since then, at least as far as practices. Or you could use the hardening guide Apple released for Tiger. In any case, this guide probably should have little to do with your purchasing decisions.
-
Re:No surprises
I wonder if there are step-by-step guides for "properly" redacting from PDFs so that this isn't possible? Maybe a simple guide for Word users as well (please, yes I know, Word sux and Widows blows, but guess what? People use them).
Here are NSA's recommendations: http://www.nsa.gov/snac/vtechrep/I333-TR-015R-2005.PDF
-
Re:The British did not break Enigma
Great article on the history of Enigma:
http://www.nsa.gov/publications/publi00016.cfm
-
Re:Why would they expect Gates Foundation funding?
Yeah. My initial question here was "Why doesn't the government step in?" What, does England have so much history that it doesn't see the value of protecting a historic site that's from something as new as the last century?
Here in the states, we've got the NSA cryptologic museum, where among other things you can tool around on an old Enigma from WWII. Can't imagine why Britain wouldn't want something like it.
-
Linux?
...but will it run on Linux? And be compatible with NSA's Security-Enhanced Linux?
-
Re:The Network guides are nice
Ask and you shall receive...
Cisco Routers
Cisco Switches
-
Re:Everyday user?
The Windows XP guide is also available, though they also point to the MS guides since they have become very good. If nothing else, a quick glance through the services to disable can be helpful.
-
Re:Is it just me?
-
Re:Do you really want NSA developing your OS?
The NSA actually has a very good track record in contributing to public knowledge of network security and hardening. The SNACs are amazing pieces of in-depth documentation for nearly any hardware and software platform.
-
Re:What's with the fearmongering?
The NSA themselves:
http://www.nsa.gov/about/about00003.cfm
Point to an executive order:
http://www.archives.gov/federal-register/codification/executive-order/12333.html#1.12
-
Re:Imagine
Would Apple stand up to the NSA? Well...this guide explains how to harden a Mac OS X system to NSA specs. I would also take issue with your description of Mac OS X as a 'closed source platform' as this link shows that a large chunk of OS X (particularly the lower level elements - yes, the GUI is closed, but things like FileVault are not) is, in fact, open source.
-
Re:SEOpenSolaris
How is:
"The ability to understand the secret communications of our foreign adversaries while protecting our own communications..." http://www.nsa.gov/about/about00003.cfm
contemptible?
From what I can see from Executive Order 12333 http://www.archives.gov/federal-register/codification/executive-order/12333.html the NSA is charged with Foreign Intelligence gathering and Information Assurance. The second one is at discussion here. I'm sure they, like every other Govt department, use off-the-shelf software where possible to cut down cost (another goal of all Govt departments). Making that software secure protects your Government AND your people.
Admittedly they may have overstepped the letter of the law (which can be quite grey at times) on a few occasions, but I do believe that, in general, agencies of Democratic governments aren't inherently evil, or made up of evil people. They're just normal people trying to do a job and really are trying to do the best for the people they serve.
Having said that, as others have commented, the price of freedom is eternal vigilance. Trust your Government, they probably really are trying to do their best for you, but DO keep an eye on them!
Those of you who are paranoid, we know who you are...
-
OpenSolaris
"Open" is the keyword here. It's not like they are going to be submitting binary patches or that we can't review the source code they submit.
I'd also like to point out the SELinux project, will you abandon Linux now too?
You should really adjust that tin foil, it's messing with the signals that are already inside your head.