Slashdot Mirror

No shit? You are just the kind of guy we are looking for.
We Need You!!!

And you get 2 guesses on what will be approved and what wont.

The NSA has been touting this for a while.

http://www.nsa.gov/coremsgs/corem00002.cfm

They have. It's published here

They also have guides for OSX and Solaris.

Or perhaps some kind of security-enhanced Linux variant...the NSA could even help develop it!

Researchers in the Information Assurance Research Group of NSA worked with Secure Computing Corporation (SCC) to develop a strong, flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system. NSA and SCC developed two Mach-based prototypes of the architecture: DTMach and DTOS (http://www.cs.utah.edu/flux/dtos/). NSA and SCC then worked with the University of Utah's Flux research group to transfer the architecture to the Fluke research operating system. During this transfer, the architecture was enhanced to provide better support for dynamic security policies. This enhanced architecture was named Flask (http://www.cs.utah.edu/flux/flask/). NSA has now integrated the Flask architecture into the Linux operating system to transfer the technology to a larger developer and user community.

Why is the Government selling Linux?

They don't; they give away the source code and it's been migrated into other distributions.

SELinux was started by the NSA, and they have a page about it here:
http://www.nsa.gov/selinux/

They are pretty clear in their FAQ that SELinux was produced essentially as an internal product / demo, and they just thought other people might find it a useful starting place for securing Linux. They're not actively marketing it as a product, or even evangelizing it.

Linux isn't a magic security wand. Its just that its been audited by more people that microsoft ever can be. It has a proven (by external audits, funded by the office of homeland security) to have far fewer software flaws then comparable commercial software (by a factor of about 8:1). To say 'oh its too expensive' is just BS. That argument fell flat several years ago. Its just bullshit! There is a one time migration cost. The one time cost is recovered in less than 1 year. After that, 2/3 of the cost is saved every year after the one-time expense (every year). So there are two options to the 'sticking with microsoft' story: He's either an idiot, or he's paid-off (possibly both). There is no equivalent to security enhanced Linux in the world of microsoft, neither is there an equivalent to Fort Knox for Linux ...note that one of the sponsors is the Space and Naval Warfare Systems Command San Diego!

Making a quarter what you would in the private sector?

I wouldn't really call it the private sector.
It's more like the black market.

Then there is the NSA.

Bet they won't use SE Linux...

It would be nice if that were true, but given the secrecy and lack of information about exactly what the NSA did we have no idea how "helped" any of us are.

Given the fact, that nobody is pushing NSA to say anything on the subject, it is unlikely, that they are lying. The kind of "help" you suspect NSA of providing needs no press-releases...

In any event, if the government wanted to help "the users" it would make it very clear as to what security criteria [...]

That's very strict requirements you are placing there, actually. Making anything "very clear", coming up with reliable estimates of saving/loss from using a particular product, making recommendations — hairy stuff, which NSA is rightly stearing clear from...

[...] helping hand to a private monopoly, because the roll out of their latest software abortion is looking like a flop.

And why does NSA help BSD and Linux? Sorry, your conspiracy theory is less convincing, than NSA's stated reasoning — 90% of personal computers run Windows, thus we all benefit from the OS being more secure. Microsoft is, of course, going to milk this for all they can, but it is no less plausible an explanation because of that...

Yeah, Linux folks would never think of working with a SPY agency either. Oh, wait...

At leat they are wasting their time and resources in something usefull to the majority of the user and not in a minority Linuzz obscure distro that only 4 cats can use.

"For YEARS"? the NSA has helped MS with security issues? The mind reels. A bunch of talented amateurs building Linux do a better effort than the combined efforts of MS and the NSA. The next time the NSA comes to help me with a problem I think I'll politely decline.

Except that some of those "talented amateurs" were in fact NSA employees, working to make Linux more secure, as part of a project called Security-Enhanced Linux...which has been incorporated into the mainline 2.6 kernel tree.

When is the NSA gonna help with Red Hat, Mandrake or Mac OS? I must say that this is totally off the board. MS should be paying the NSA to help with this. They should be footing the bill!

http://www.nsa.gov/selinux/

Its only fair that the NSA helps Microsoft.

Enjoy,

I certainly understand and share the frustration of tax-dollars helping a healthy and profitable corporation, but another way to look at this is NSA is helping the users. The proper long-term solution would, probably, be to make software vendors liable for flaws in their products — as is the case with most other industries. Short-term, however, National Security Agency making personal computers harder to hijack does, indeed, contribute to, uhmm, national security...

Microsoft is not the only entity to benefit either, BTW. For example, FreeBSD cvs-commit messages have plenty of acknowledgments of government's help (fgrep for TrustedBSD). The NSA-funded SELinux is another example...

NSA is, supposedly, full of very smart, technically adept people, who, no doubt, strongly prefer Unix-like OSes (on average) to Microsoft's offerings. However, with Microsoft's market-dominance, it gives a lot more bang for the NSA's buck to help them, rather than the OSS projects...

Granted, there is a danger of this solution perpetuating the problem, but that's a distant and lesser danger, than the present and grave one of millions of zombies arraigned into bot-nets and immediately usable (and up for hire) against businesses and government institutions alike.

On one hand since the NSA has been helping with linux security for years with SELinux, it seems only fair that they would be willing to similarly assist M$. But my concern would be whether they are violating the GPL under which they released SELinux. If they are using concepts they developed for the open source SELinux in Vista, shouldn't M$ be required to open source at least those portions of Vista?

If the NSA can help Microsoft tighten up it's shitty systems then that's good. There are already positive benefits from NSA research into the Flask OS in the form of GNU/Linux's SElinux.

The only problem I have with any of this is that this is another government subsidy (read our tax dollars) going to subsidise a private company which should (given the vast profits it makes) be able to pay for its own security research instead of dipping its snout into the public trough.

Information Assurance has long been one of NSA's primary missions. NSA ran the Trusted Product Evaluation Program (TPEP) since 1983, which evaluated off-the-shelf commercial products against standardized security criteria, and employed various experts from government, military, academia, and industry. Contributions or recommendations from TPEP often were incorporated into future iterations of vendor products. The expanded Common Criteria programs, which grew in part out of the US Trusted Computer System Evaluation Criteria (TCSEC, the famous Rainbow Series of security publications), picked up where TPEP left off, now administered by the National Information Assurance Partnership (NAIP) of NSA and NIST.

NSA's Information Assurance Directorate also provides public security configuration guides for many popular applications, operating systems, database servers, routers, and other networking equipment.

Also, don't forget to check out NSA's Security-enhanced Linux (SELinux) (FAQ).

When US computing, communications, and networking implementations are more secure, we all benefit, and NSA contributes to this in its overall mission.

Information Assurance has long been one of NSA's primary missions. NSA ran the Trusted Product Evaluation Program (TPEP) since 1983, which evaluated off-the-shelf commercial products against standardized security criteria, and employed various experts from government, military, academia, and industry. Contributions or recommendations from TPEP often were incorporated into future iterations of vendor products. The expanded Common Criteria programs, which grew in part out of the US Trusted Computer System Evaluation Criteria (TCSEC, the famous Rainbow Series of security publications), picked up where TPEP left off, now administered by the National Information Assurance Partnership (NAIP) of NSA and NIST.

NSA's Information Assurance Directorate also provides public security configuration guides for many popular applications, operating systems, database servers, routers, and other networking equipment.

Also, don't forget to check out NSA's Security-enhanced Linux (SELinux) (FAQ).

When US computing, communications, and networking implementations are more secure, we all benefit, and NSA contributes to this in its overall mission.

Information Assurance has long been one of NSA's primary missions. NSA ran the Trusted Product Evaluation Program (TPEP) since 1983, which evaluated off-the-shelf commercial products against standardized security criteria, and employed various experts from government, military, academia, and industry. Contributions or recommendations from TPEP often were incorporated into future iterations of vendor products. The expanded Common Criteria programs, which grew in part out of the US Trusted Computer System Evaluation Criteria (TCSEC, the famous Rainbow Series of security publications), picked up where TPEP left off, now administered by the National Information Assurance Partnership (NAIP) of NSA and NIST.

NSA's Information Assurance Directorate also provides public security configuration guides for many popular applications, operating systems, database servers, routers, and other networking equipment.

Also, don't forget to check out NSA's Security-enhanced Linux (SELinux) (FAQ).

When US computing, communications, and networking implementations are more secure, we all benefit, and NSA contributes to this in its overall mission.

Information Assurance has long been one of NSA's primary missions. NSA ran the Trusted Product Evaluation Program (TPEP) since 1983, which evaluated off-the-shelf commercial products against standardized security criteria, and employed various experts from government, military, academia, and industry. Contributions or recommendations from TPEP often were incorporated into future iterations of vendor products. The expanded Common Criteria programs, which grew in part out of the US Trusted Computer System Evaluation Criteria (TCSEC, the famous Rainbow Series of security publications), picked up where TPEP left off, now administered by the National Information Assurance Partnership (NAIP) of NSA and NIST.

NSA's Information Assurance Directorate also provides public security configuration guides for many popular applications, operating systems, database servers, routers, and other networking equipment.

Also, don't forget to check out NSA's Security-enhanced Linux (SELinux) (FAQ).

When US computing, communications, and networking implementations are more secure, we all benefit, and NSA contributes to this in its overall mission.

Information Assurance has long been one of NSA's primary missions. NSA ran the Trusted Product Evaluation Program (TPEP) since 1983, which evaluated off-the-shelf commercial products against standardized security criteria, and employed various experts from government, military, academia, and industry. Contributions or recommendations from TPEP often were incorporated into future iterations of vendor products. The expanded Common Criteria programs, which grew in part out of the US Trusted Computer System Evaluation Criteria (TCSEC, the famous Rainbow Series of security publications), picked up where TPEP left off, now administered by the National Information Assurance Partnership (NAIP) of NSA and NIST.

NSA's Information Assurance Directorate also provides public security configuration guides for many popular applications, operating systems, database servers, routers, and other networking equipment.

Also, don't forget to check out NSA's Security-enhanced Linux (SELinux) (FAQ).

When US computing, communications, and networking implementations are more secure, we all benefit, and NSA contributes to this in its overall mission.

Not sure if declassified documents have already been placed online for the FBI or NSA, but the FBI, NSA and CIA FOIA sites might be good places to start. The CIA does have a few new documents online. Pick your favorite incident and happy hunting!

In ten years someone who has been recording them for thirty years will have quantum breakers to decode them with.

No.

Decrypting one-time pads isn't hard because there isn't enough compute power to throw at it. It's hard because it can't be broken, no matter what you do to it. Given a message to decrypt, the best an enemy cryptanalyst can do is random chance. There are better ways of compromising secrets.

This is a well-established result in encryption and there is no point in arguing about it. The only time one-time pad encryption has ever been broken was when the agents misused their one-time pads. The Venona decrypts are a good example of this.

(Wow! First time I've ever linked to the NSA!)

...laura

I think the article must be a joke. If they'd been even remotely serious, they might have found:

- Marie Curie, as has already been mentioned here. She is credited not with discovering plutonium but with discovering radium and with promoting, among other things, its medical uses--so she's also a pioneer in the field of radiology. Might've been nice to see at least a brief nod in her direction.
- Hypatia of Alexandria. More about her here. A mathematician, astronomer, and philosopher, she was actually martyred for her geekdom by the local contingent of fundamentalist Christians while they were destroying the library at Alexandria.
- How about a group nod to the women "computors" of World War II? Their presence and skills permitted the male geeks to (I suppose) go off and do actual fighting. These jobs were the first real opportunity for women to exercise their math skills at something besides bookkeeping.
- There's a pretty interesting exhibit at the Cryptology Museum about women cryptologists and cryptanalysts.

It would be interesting to compile a non-joking list.

If possessing certain types of knowledge becomes illegal in and of itself, that's when we'll need the Anarchist's Cookbook the most.

pedantic bore, you have been identified by our automated communi^M^M^M^M^M^M^Mterrorist identification system. Interrogation agents will come to your house in the next 96 hours. Until then, you must go outside, on your knees and put your arms in the air. If you do not comply to those instructions, you will be shot at view.

To enter a plea of not guilty, please visit this web site: https://www.nsa.gov/all_my_base_are_belong_to_the_ nsa

Failure to enter your plea of not guilty within the next 15 minutes will result in you being placed in Guantanamo Bay detainment camp until further investigation.

Thank you for your cooperation,
Your friends at the NSA

That said, since he's "outgoing" and with a comfortable financial situation, I doubt he much cares. Perhaps in his spare time he can lounge by the pool and read something enlightening.

But doesn't even the most open, verified system still suffer from having the "Vote for Bob" patch installed at the last minute by an official-looking guy with glasses and a clipboard? I know, this shouldn't be allowed, but it seems to happen all the flippin' time!

Believe me, on formalities you can trust bureaucrats more than Windows developers. That's for sure.

It all boils down to responsibilities. The machine needs (and is) to be tamper proof. Nobody of bureaucrat want to risk their jobs - nobody would try to circumvent anything, since that would be found immediately and the election results would be nullified. And elections would be repeated.

That's possible - if original vendor tried to achieve such goals. Or the goals were put into requirements. It is very ironical that rest of the world uses NSA safety guidelines, while US itself for sake of its own elections cannot enforce the guidelines on vendors.

If I were an American, I'd be very frightened about voting using an electronic machine, given all the horror stories I've been reading. And as a Canadian, I'm quite happy with our paper ballot system, and I'll resist any attempt to replace it!

Paper ballot system is also Okay - when paper ballots are made machine readable. And they are easily made so. And I believe such tallying machines are already used on most of the modern elections. Probably Canadian elections too. Anyway, many people cannot come to election offices - and vote using alternative means, mostly paper ballots. One cannot dismiss paper ballots overnight.

The NSA has extensive guides that everyone in the U.S. government bases their security on. Their operating system guides will show you how to lockdown a machine to only allow a handful of applications to work.

The NSA has extensive guides that everyone in the U.S. government bases their security on. Their operating system guides will show you how to lockdown a machine to only allow a handful of applications to work.

Get a system to be a domain controller. Lock that DC far away from everything else. Reformat the machines and configure them according to this: http://www.nsa.gov/snac/downloads_winxp.cfm?MenuID =scg10.3.1.1. It'll pretty much prevent any silly things with the keyboards. Also disable the local admin accounts after the machines join the domain and don't give anyone the domain admin password or privilages except those who need it.

This is the only way I've found to keep people from messing up Windows Machines.

Security used to lack quality academic training for it, with some exceptions.

Certifications filled a gap then.

Now though, that is no longer the case.

Many universities, including my own, have partnered with the NSA.
http://www.nsa.gov/ia/academia/caeiae.cfm

My professors have included the head of the NSA's red team, another senior IA guru at the NSA, and senior network defense people from DoD branches. I've met professors from other schools at conferences with the NSA partnership, and I was similarly pleased with their backgrounds and experience levels.

Does passing one CISSP test equal a solid 4-5 year curriculum in software, security, and coding mixing both the theoretical and practical? Of course not! Unfortunately though, employers sometimes use it as a yardstick of skill. This is also why in my day job I am constantly having to tutor/mentor/train CISSPs that should not even be in security in the first place. I am of the opinion that the CISSP boondoggle will be seen through rather quickly.

If you want to get a certification, get a vendor specific one, like a CCNA. However, I implore you to get into a formal degree program. I really think the best these days, is mixing a Computer Science degree with a security degree, one at the masters and one at the undergraduate. Another good choice would be an undergraduate degree, along with one of the newer certificate programs that includes 6 - 9 good courses.

Certifications* are much easier to obtain than a degree, and they cannot hope to compare in the overall knowledge & skills acquisition departments.

* - Not counting the CCIE

It is called SELinux and has been built into Linux for a long time. But unless you need it for a specific situation, privilege separation is a pain in the ass which is why many people turn it off. I would be glad to sacrifice some usability if it made windows more secure, but ironically a Linux box with privilege separation turned off is still more secure.

I really hate this popular Slashdot myth that viruses only exist because OSes are designed improperly. No, wrong. ... There isn't an OS level defense for this short of an Orwellian trusted computing scheme. If I sent you a version of Apache with malicious code in it and you installed it as root, I could do whatever I wanted. Doesn't matter how secure your OS is, you gave it the permissions it needs.
</snip>

This is why SELinux and App Armor exist. With a proper SELinux or App Armor setup you could install Apache as root and all it will be allowed to do is what Apache does normally. So, it would only be allowed to read the /etc/httpd directory and the /var/www directory. It would only be able to write to the /var/log/httpd directory and listen on port 80 and 443. So, this could prevent an exploit in Apache from taking over the rest of your system.

Admittedly this example wouldn't help a desktop user. But, there is no reason why SELinux or App Armor couldn't help a desktop user. One example would be if Firefox was locked down to only allow downloads to the ~/Downloads directory or something like that. Now any hole in firefox would only be able to damage your ~/Downloads directory and presumably your firefox cache directory or something. It wouldn't be able to delete ~/Pictures and ~/Music. The browser example is kind of complicated because it has so many tasks these days. But, the point is that you can prevent a lot of problems by employing some kind of mandatory access control system.

Oh, and it really isn't that hard to use one of these systems either. Yeah, they can be pretty nasty if you really get into it (especially SELinux). But, for a desktop user there really isn't anything to worry about. I use Fedora Core 5 at work and at home and I've kept SELinux enabled on both systems. App Armor is really nice to use for the purposes of locking down a server system in this way. SELinux is more generic but it is much more complex than App Armor.

One of the published documents in the index: Communication With Extraterrestrial Intelligence: http://www.nsa.gov/ufo/ufo00034.pdf Quoting from it: "And after we resolve our pressing scientific questions, it might be appropriate to make discreet inquiries as to how we could live in harmony and peace with our fellow man..." -- This made me LOL.

I and solved it for you Americans, so you don't need to ask any aliens for help on it. The answer is: Communication. Learn how to communicate better. You can't communicate with aliens if you don't have the simplest of understanding for your fellow man and species on this planet. Understanding and compassion of others is crucial. And by communication and compassion, I don't mean the George W(MD) Bush style diplomacy that consists entirely of sending battle fleets to bomb people and NOT TALKING to each other. If you want to avoid problems, you need to talk and solve the perceived injustices. Cosistent Paranoid delusions of WMD threats without any kind of proof is a sickness, and the current US government is very sick. There are no serious military threats to USA on this planet. Nobody benefits from attacking USA. The only motivation attackers have is REVENGE for what US military is doing abroad. Agressive and pre-emptive warfare is unnecessary, and resulting only in the creation of more terrorist threat to USA. Motivation for war of course lies in the US military corporations' self-interested profit seeking. This behaviour is sick and needs to stop.

To avoid species-wide catastrophies, it helps to look at bacteria on a dish. Some backteria poison each other. Some eat each other. But what forms a stable system that stays alive? Continuous self-mutilation of our planetary environment and species in pursuit of short term corporate profits is sick. Poisoning our environment, destroying our climate and driving nations to destructive, non-productive wars will not bring a higher civilization into existence. It will bring about our own destruction and decline. Humans on Earth are similar to the bacteria on the dish. We will drown in our own environmental destruction, waste and poisons unless we learn to cooperate globally. And to that end, USA needs to stop the short term corporate profit seeking through destructive wars. You have no enemies here but the ones you create yourselves through your deeds.

Even the NSA doesn't go quite that far; in this article they only claim the intercepts show that Ethel " may have known about her husband's activities" (my emphasis).

Innocent until proven guilty, right?

You gotta love the schizophrenic nature of the DoD, on one hand they have elements afraid of open source because of the word "open" and on the other hand the NSA, an arm of the DoD and the group in charge of computer security, not only uses open source based software but has even contributed to it.

http://www.nsa.gov/selinux/

I could download an application, run it, have it trash my user folder, add some things to my .profile, etc. The truth is that the current 'security' on just about every system out there is a joke if you consider intentionally running a (secretly) malicious application a security problem.

Well, there's at least one project to do this kind of thing, which got taken up by a popular distribution. The fancy security certified OSes have been doing MAC for a long time. Now it's more a case of getting them distrubted and creating profiles for well behaved apps. It's a big project though, as modelling the 1000s of programs in a normal Linux distribution is harder than the 10s of apps a secure government computer might see.

You're probably thinking of RSA, but what you actually mean is Diffie-Hellman, which is similar but a little earlier. It's the kind of thing that happens when you work for the security services; just think what fundamental mathematical discoveries are right now hushed up in the name of national security. Clue: the American NSA claims to be the largest employer of mathematicians in the world (according to its own web site).

As for 'unfortunately nowadays we seem useless' - I'm never one to credit the state with too much but we mere plebs would hardly be party to the latest research at GCHQ! These things are secret for a reason; I'm reminded of the Falklands war when a careless on-the-record remark from an ex-defence minister (something along the lines of 'when we were in government the argentine navy was an open book to us' - sure the exact quote is in Google) led to the Royal Navy loosing key signals intelligence assets, specifically the ability to track Argentine sub(s), right at the crunch point. The RN then had to spend significant fleet time hunting a sub that may or may not have put to sea. What an idiot that man was.

I'm not aware of any modern hard drive that will survive erasure of the embedded servo data.

Second, I don't think you can get bulk erasers that work for modern harddrives. The magnetic fiel strenght may just be too large.

You can, they just wont be cheap or small. See the NSA Degausser Evaluated Products List (PDF).

2006 Young Innovators Under 35 ..

Eddie Kohler
A better operating system

"Asbestos keeps personal data secure by "tagging" it with information about which programs or users can access it .. and Kohler hopes that within a few years, Asbestos will be an alternative to server operating systems such as Linux and Windows."

"(NSA) worked with Secure Computing Corporation (SCC) to develop a strong, flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system."

"AppArmor security policies, called "profiles", completely define what system resources individual applications can access, and with what privileges."

Here is a link to an NSA publication on the subject: Solving the Enigma

Fact Sheet NSA Suite B Cryptography

The Case for Elliptic Curve Cryptography

From the latter:

Since their use in cryptography was discovered in 1985, elliptic curve cryptography has also been an active area of study in academia. Similar to both RSA and Diffie-Hellman, the first years of analysis yielded some degenerate cases for elliptic curve parameters that one should avoid. However, unlike the RSA and Diffie-Hellman cryptosystems that slowly succumbed to increasingly strong attack algorithms, elliptic curve cryptography has remained at its full strength since it was first presented in 1985.

Fact Sheet NSA Suite B Cryptography

The Case for Elliptic Curve Cryptography

From the latter:

Since their use in cryptography was discovered in 1985, elliptic curve cryptography has also been an active area of study in academia. Similar to both RSA and Diffie-Hellman, the first years of analysis yielded some degenerate cases for elliptic curve parameters that one should avoid. However, unlike the RSA and Diffie-Hellman cryptosystems that slowly succumbed to increasingly strong attack algorithms, elliptic curve cryptography has remained at its full strength since it was first presented in 1985.

Where's our (our meaning the linux community) senators and congressmen in our pockets? Oh wait, we don't have to depend on senators, we depend on government agencies already using Linux both before and after all the seucirty breakins. Can't say that Microsoft did a good job educating our own government on how to secure their systems. BTW, doesn't the NSA work on selinux in their spare time? http://www.nsa.gov/selinux/

Yeah, makes me wonder if they do business with the NSA in Acquisition Outreach or Technology Transfer.

Typical Government, the private sector is always building more effecient solutions. Sheesh!

Yeah, makes me wonder if they do business with the NSA in Acquisition Outreach or Technology Transfer.

Typical Government, the private sector is always building more effecient solutions. Sheesh!

Yeah, makes me wonder if they do business with the NSA in Acquisition Outreach or Technology Transfer.

Typical Government, the private sector is always building more effecient solutions. Sheesh!