NSA Inside?

Newsforge has an article covering a talk given by two of the developers working on NSA's security-enhanced Linux. It seems the NSA has plans to offer kernel code to implement mandatory access controls, a level of system control which goes beyond the normal user-based permissions. Sure, the code would be vetted thoroughly before it could ever make it into the kernel, but....

This is a Good Thing

[starseeker]

Ok folks, put paranoia aside for a second and consider rationally what this actually could mean. If they are going to commit the code to open source, that almost certainly means they don't dare try any tricks. Any tricks that they could hope to put in would have to be extremely subtle. As such, they would require a great deal of effort. Like all of us, their time is limited. And if their efforts were discovered, always a distinct possibility with open source, all that effort would be wasted since open source software is much more easily updated. Doesn't make any sense. Remember also, that *nix users are generally some of the more computer savvy users around. If you're going to try tricks, they're generally not the target you want to try them on. Windows users are on average more cooperative.

Then there is the other option - that they are sincere, they want a really secure operating system, they like the design and abilities (as well as as the lack of licensing issues) associated with Linux, and they are scratching their own itch for a really secure system by contributing this design and code. Once in a while the public interest happens to work well with some professional agendas. They may see Linux as a good group of people to harden the code with.

Consider, also, that if they are sincere with Linux users hammering on it they could probably create a STRONG solution, stronger than most other free software programmers. These guys know how it works. This could be a golden opportunity.

Geek dreams are made of things like super secure systems. I'm excited by this. Also, I think the threat, if any, is minimal If worse come to worse, Linus could include a compile option to not build it in - although I doubt it would be necessary. Let's give them the benefit of the doubt, examine the code carefully for both our benefit and theirs, and do some cool stuff with it!

NSA Inside? So what?

[John+Sullivan]

Sure, the code would be vetted thoroughly before it could ever make it into the kernel, but....

But what? In this instance their motivation is almost certainly to allow a widely available OS to be certified to a sufficient security level that it can actually be used in the same situations where certain US agencies might normally buy in NT, AIX or such.

If they *really* wanted to plant a back door, in no way would they want their name so obviously traceable to the actual patches they submitted - they'd do it 'anonymously' and you'd never know. How do you know they haven't already done this? Or that GCHQ, or Mossad, or the Russians haven't? You have no way of knowing, but we just have to trust that any attempts at sabotage would be obvious in the source.