PGP Division to Work With NSA on Secure Linux
NAI Labs, a division of PGP Security, just sent out a press release announcing that they're "joining with the National Security Agency (NSA) and its other partners to further develop the NSA's Security-Enhanced Linux (SELinux) prototype." Wow.
Relying on any one crypto methodology is stupid. Why would anyone so worried about people snooping their data put all their trust into one crypto format?
dd if=/dev/random of=/somefile-1 bs=1M count=1024
losetup -e blowfish /dev/loop1 /somefile-1
mke2fs /dev/loop1
mount /dev/loop1 /mnt/chain1
cd /mnt/chain1
dd if=/dev/random of=/somefile-2
losetup -e serpent /dev/loop2 /chain1/somefile-2
mke2fs /dev/loop2
mount /dev/loop2 /mnt/chain2
cd /mnt/chain2
dd if=/dev/random of=/somefile-3
losetup -e cast128 /dev/loop3 /chain2/somefile-3
mke2fs /dev/loop3
mount /dev/loop3 /mnt/chain3
cd /mnt/chain3
dd if=/dev/random of=/somefile-4
losetup -e rijndael /dev/loop4 /chain3/somefile-4
mke2fs /dev/loop4
mount /dev/loop4 /mnt/chain4
cd /mnt/chain4
dd if=/dev/random of=/somefile-5
losetup -e twofish /dev/loop5 /chain3/somefile-5
mke2fs /dev/loop5
mount /dev/loop5 /mnt/chain5
cd /mnt/chain5
Store secure data here. When Feds rip out your machine (they never conduct data searches on the spot cuz they're stupid), they won't be able to mount that 1GB of random data without the 5 passphrases.
Performance hit? Yes. Security costs. Which is more important? Get a faster CPU.
Some of you are over-interpreting the occurrence of the word "PGP" in this press release. This has little or nothing to do with Phil Zimmermann's program.
A merger-and-acquisition review for those who missed it:
NAI took these various companies and tried, totally unsuccessfully, to merge their products into one product line so they would become a "one stop shop" for security purchases.
NAI dismally failed at this strategy, outmaneuvered by competitors like Cisco, Axent and in particular Internet Security Systems.
NAI reorganizes, and essentially splits into several groups. These are called:
In this reorg, "TIS Labs" became "NAI Labs".
So as you can see the juxtaposition of "PGP" with "NAI labs" is merely a happenstance of the merger and acquisition history of this company.
It's actually refreshing to see people like PGP who have traditionally been at the forefront of providing encryption to the masses working with a place like the NSA. This could mean a lot of good things for Joe User. I personally can't think of any company I'd like working with NSA more than PGP.
PGP is just an all around good company, and I'm sure their participation on this project will only make it better for everyone involved.
I really can't see any way in which this could turn out badly!
The Security-enhanced Linux prototype was developed in conjunction with research partners from NAI Labs, Secure Computing Corporation (SCC), and the MITRE Corporation.
This is like announcing that AOL/Netscape is joining up with the Mozilla project to produce Mozilla.
Python
Python
Actually, of the two I'd rather have Microsoft. Why? Because if the NSA don't like your information, you're going to jail, it's as simple as that.
To paraphrase JWZ, the NSA have the r00t password to the constitution. There is no legal defence against the national interest.
On the other hand, if Microsoft finds something they don't like (anything that violates their licensing agreements)
Ah, there we differ. I pay for all the commercial software I use (actually, that's not true; it would be more accurate to say that I only use commercial software that someone has paid for, for example a company). If you get caught for it, you just pay up and it's settled.
No, what I'm worried about is information that may be politically or socially unacceptable to the government. What would Thoreau have done?
So, where can I get my cool NSA Linux t-shirt?
---
[Bet y'all didn't see this coming, say, five years ago. --Declan]
It's certainly a new (is that, gnu?) world out there. This does raise, however, further questions about PGP-via-NAI's security and lack of governmental collusion. One wonders if the talks leading up to this were what spurred Zimmermann to leave to focus on OpenPGP?
Returned Peace Corps IT Volunteer
The NSA has two jobs to do in order to fulfill their mission of protecting the interests of the United States.
The first one is well, invasion of privacy. They need to be able to read the communications of "Bad Guys". Most people on Slashdot are perfectly aware of this role.
The other role, paradoxically, is protection of privacy. They need to prevent the communications of "Good Guys" from being intercepted by the "Bad Guys". Currently, one of the most annoying threats to national security is industrial espionage. Thus it behooves the NSA to provide tools to American citizens and corporations to protect themselves.
Thus you see the NSA fighting encryption by encouraging export restrictions & key escrow schemes on one hand, while simultaneously promoting encryption by working with PGP, and enhancing the security of Linux.
Trying to think how the NSA reconciles those two roles makes my head hurt.
Meldroc, Waster of Electrons
The NSA is chartered to protect the communications security of the United States, and to break the protections on communications of foreign powers and other perceived national security threats.
Why is the NSA doing this? How can it benefit them? What could possibly motivate them to cooperate with an open source effort, if not to compromise its security?
Why yes, I AM a rocket scientist!
Why then would they release that product back to us? That clearly contravenes their second objective.
I submit that it's not possible to examine the product thoroughly enough to ensure that no back doors have been introduced. Surely you don't believe that the NSA is even SLIGHTLY worried about YOUR privacy, do you?
Why yes, I AM a rocket scientist!
Follow the money. If you can't find the money, follow the power. The NSA is motivated to do this by what they perceive is in the NSA's best interest. I believe that the NSA's best interest has very little to do with my personal liberty and privacy, and therefore I trust them as far as I can throw the Pentagon. This is a huge, obvious Trojan Badger. If you want to let it into your demesnes, feel free. It's terribly naive, however, to think it's a gift.
(Distributed processing node for Echelon, anybody?)
Why yes, I AM a rocket scientist!
You know, I've really got to hand it to the NSA. Somewhere, deep in that organization, is an individual who is driving this whole SELinux project, and I think it's safe to say that He's got a clue.
Don't think that it wasn't difficult for the NSA to do what we've seen with SELinux. For an organization whose entire history has been built upon the idea that incognito is good, this movement of opening up and embracing the open source community was certainly hampered by the knee-jerk reaction of middle-managers who can't imagine working openly with private companies, much less thousands of developers worldwide.
Bravo, NSA. And bravo, Mr. Man-behind-the-scenes who's making this happen. My hat's off to you.
Previously, we worked on a publicly available implementation of SNMPv3 (first in net-snmp and then from scratch in opensnmp, both of which are BSD copyrighted code).
My next project is targeted to large scale management of IPsec installations, the code for which should also be released to the public (though the popular FreeS/Wan code base won't accept US patches, so we'll probably be instrumenting Cerberus instead; FreeS/WAN's loss I guess, otherwise we might have implemented code for them both).
Working on projects like this is great, because it's typically in the form of "here's a hard problem", now "go solve it" without any mention of "do it this way".
The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
Say I'm working at the NSA and somebody puts a code on my desk, something nobody else can break. Maybe I take a shot at it, maybe I break it. I'm really happy with myself, because I did my job well.
But maybe that code was the location of some rebel army in North Africa or in the Middle East and once they have that location they bomb the village where the rebel army is hiding. Fifteen hundred people that I never met, never had no problem with, just got killed.
Now the politicians are saying "Oh, send in the Marines to secure the area," because they don't give a shit. It won't be their kid over there getting shot just like it wasn't them when their number got called because they were pulling a tour in the National Guard.
It'll be some kid from Southie over there taking shrapnel in the ass. He comes back to find that the plant he used to work at got exported to the country he just got back from, and the guy that put the shrapnel in his ass got his old job, because he'll work for fifteen cents a day and no bathroom breaks.
Meanwhile he realizes that the only reason he was over there in the first place was so we could install a government that would sell us oil at a good price. And of course the oil companies use the little skirmish to scare up oil prices. It's a cute little ancillary benefit for them, but it ain't helping my buddy at two-fifty a gallon.
They're taking their sweet time bringing the oil back, of course, and maybe they took the liberty of hiring an alcoholic skipper who likes to drink martinis and fucking play slalom with the icebergs. It ain't too long until he hits one, spills the oil, and kills all the sea life in the North Atlantic.
So now my buddy's out of work, he can't afford to drive, so he's walking to the fucking job interviews which sucks because the shrapnel in his ass is giving him chronic hemorrhoids. Meanwhile, he's starving because any time he tries to get a bite to eat the only Blue Plate Special they're serving is North Atlantic Scrod with Quaker State.
So what did I think? I'm holding out for something better.
I figure, fuck it. While I'm at it, I might as well just shoot my buddy in the ass, take his job, give it to his sworn enemy, hike up gas prices, bomb a village, club a baby seal, hit the hash pipe and join the National Guard. I could be elected President.
--From "Good Will Hunting" (Matt Damon's character speaking to an NSA recruiter, in a heavy Boston accent)
Remember that the NSA has multiple responsibilities. Specifically, it also has the responsibility to ensure that our (government, contractors) computers aren't compromised by others.
A truly secure COTS OS won't hurt the NSA and FBI too much - they have plenty of other resources available to them. But not many groups will be able to afford the HumInt required to get around NSA/FBI safeguards, if the easy technical backdoors have been eliminated.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
On the flip side, actually doing something useful with this hack would be very difficult. It would be too easy to get caught if someone with the right skills goes poking around binaries and finds something amiss. And it's a fair bet that any NSA-blessed code would get such a close look. It wouldn't be so easy to hide, either. This is much easier with Microsoft OSes, which have such a large amount of undocumented stuff all over the place that could be linked together.
Who knows, often things are no more complex than they appear. I bet that the NSA has found that it would be much easier to protect themselves and other government agencies if there were a distribution that THEY could trust without the expense of coding it all themselves. With proprietary software, they are at a slight disadvantage in that cat and mouse game. Maybe the _NSAKEY was a Microsoft trick to backdoor the NSA...
But the lesson from the compiler hack is that you can really only trust it if you've examined it yourself. And a secure linux distribution would undeniably be of very high utility all on its own to the NSA.
Now let us have no more curiosity about this bizarre cover-up.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Expanding a vast wasteland since 1996.
A few years ago, Network Associates gobbled up Trusted Information Systems - the folks who brought you the TIS Firewall Toolkit, and brought me my first job out of grad school. TIS was very cozy with the NSA (founder and many employees were ex-NSA), and did several research projects for them (including the one I worked on, Trusted Mach).
I don't know what the current organizational structure of Network Associates is, but I suspect that NAI labs may be the remains of TIS. I wouldn't be surprised if the NSA came to Network Associates as the result of this relationship.
(In the interests of full disclosure: I'm a Network Associates stockholder.)
Tom Swiss | the infamous tms | http://www.infamous.net/
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
yes,
they did make some [at the time] incomprehensible changes to the S-Boxes that DES uses for its non-linear component. However, it was later discovered that these changes were 100% beneficial, in that they were specifically designed to protect against differential cryptanalysis (IIRC: if the non-linear transform isn't uniform, the bias can be statistically sampled and used to cut down the search space), that the original design would have been vulnerable to.
So, they may move in strange ways, but that is not always against everyone else.
(mind you, at the time, they were possibly the only people who could have afforded to build a brute-forcer, so you could argue that this change WAS to their benefit in the long run)
The changes for SELinux have NOTHING to do with the network transport of data! They will in no way make it either easier or harder for the NSA to monitor network traffic!
SELinux is simply about making the data on your machine safe from other processes on your machine. It prevents a program from accessing any resource on the machine it is not cleared for, no matter who the process is running as.
OK, let's put on our paranoid hats <SoundFX type="crinkling aluminum foil"> and try to guess what benefit this has to the NSA: It makes it possible to use Linux in a secure environment. It gives them an OS for which they have source code (I am pretty sure they have the source for Windows(9*|NT|XP|2000) and Solaris, legally acquired), but they have the legal right to modify and distribute. This allows them to secure any government agency's computing resources in a consistent fashion. Remember, part of their job is securing OUR stuff.
Now, I'm sure that if a modification to allow all TCP traffic to be encrypted by default were to be added to normal IPv4, they might have a problem with that, since that would interfere with their normal data gathering operations. BUT, hardening Linux so a Trojan/Malicious user cannot get access to somebody else's stuff is going to make their life EASIER.
Remember, if the NSA wanted what is on your hard drive, they'd just wait till you were out, pick your locks, dd the drive, and leave.
www.eFax.com are spammers
Does anybody know what NSA's prior work on the kernel is? Any pointers, web sites, /. articles, ... for the un-initiated?
Hi!
Funny!
But for reference: it's licenced under the GPL - that's the normal GPL.
Hi!
Stupid me: should have checked the NSA web site for the information.
Hi!
At least this will make it harder for the Micro$oft marketers to ramble on about how Linux is insecure :)
"This work is not intended as a complete security solution for Linux. Security-enhanced Linux is not an attempt to correct any flaws that may currently exist in Linux. Instead, it is simply an example of how mandatory access controls that can confine the actions of any process, including a superuser process, can be added into Linux. The focus of this work has not been on system assurance or other security features such as security auditing, although these elements are also important for a secure system.
The security mechanisms implemented in the system provide flexible support for a wide range of security policies. They make it possible to configure the system to meet a wide range of security requirements. The release includes a general-purpose security policy configuration designed to meet a number of security objectives as an example of how this may be done. The flexibility of the system allows the policy to be modified and extended to customize the security policy as required for any given installation.
There is still much work needed to develop a complete security solution. In addition, due to resource limitations, we have not yet been able to evaluate and optimize the performance of the security mechanisms. Currently, we can only support the x86 architecture and have only been able to test it on Red Hat 6.1 distribution. Nonetheless, we feel we have presented a good starting point to bring valuable security features to Linux. We are looking forward to building upon this work with the Linux community."
This is NOT security fixes of Linux, NOT auditing. It is simply a showcase for how to bolt a more complex security model onto an existing mainstream Open Source OS. The kind of security most normal users DO NOT need in their day-to-day browsing habits. However, I hope the project goes well so that they get more funds to do even more.
- Steeltoe
http://www.debunkingskeptics.com/
All privacy functions within NSA Linux have been removed or disabled, all Internet traffic is cached at NSA headquarters for your convenience, and nearly-anonymous statistics are recorded about you to improve customer service. Any attempt to circumvent these features will result in quiet, painless death in the middle of the night.
Got Rhinos?
Got Rhinos?
Come on, stop being so damn paranoid. Trust me, you're not nearly as interesting to the government as you might think you are.
Last night I shot an elephant in my pajamas. How he got in my pajamas I'll never know.
It would be extremely hard to add backdoors to Linux. The code is all Open Source. Under the GNU, the NSA is required by law to release source code modifications to the public. How would they explain a source code modification like, "05/13/01 - Added backdoor code to the TCP stack."?
People are overly paranoid. Just because it's the NSA doesn't mean that they're doing this just to add backdoors to Linux. Even if they did, and they somehow managed to get away with it (which is extremely doubtful), it would only be applicable to their distribution. They could always convince Torvalds to let them add it to the kernel as a whole, but do you think all the other kernel hackers wouldn't notice?
I have no doubt that the NSA puts backdoors in Microsoft software, but I also have very little doubt that they will try the same with Linux. An ex-spook even admitted to Microsoft backdoors. Try the same with Open Source software, and you'll have hundreds upon thousands of angry hacker-types banging down your doors. Give the NSA a little more credit.
If anything, this is a step in the right direction for the NSA. They realize that security through obscurity is a poor way to protect systems, and that Linux can provide them with an ultra-secure OS. They can then give this back to the people, and show what years of security and encryption research has produced. I say encourage them. Nothing will make Linux more secure than the US government pumping money and their best security hackers (yes, I mean hackers, not crackers) into the OS. As long as they follow the GNU license, we should see lots of excellent security enhancements in Linux coming soon!
Trolls make great pets. Adopt one today!
Secure Linux -> Penguin in Bondage?
--
Je t'aime Stéphanie
Gee, I don't know could it be:
I don't know about you, but I think that pretty clearly covers the idea of new, higher security versions of existing software. Remember that SE Linux isn't really about encryption, but about adding a better security architecture to the system. That means helping to make the system cracker-proof, not making its communications more secure. They still have plenty of room to intercept and decode the other guys' communications even if they can't crack his boxen anymore.
There's no point in questioning authority if you aren't going to listen to the answers.
Of course there's still a very serious need to make those systems secure. Not being on the Internet does reduce your risk of being hax0red by skript kiddiez, but being a high profile, high value target attracts other kinds of attackers. You can bet that just about every unfriendly power out there is trying to get access to Intelink, either by infiltrating a mole or suborning someone who already has access. The number of potential attackers may be lower, but their dedication, skill, and support is likely to be a lot higher than random kiddiez.
And, of course, there's more to national security than keeping top secret military secrets from the prying eyes of the baddies. The long term economic health of the country is critical for national security, and that means helping companies that need security to get it. The NYSE, for instance, needs to have a lot of its critical systems exposed to the net, since their whole purpose is to send out critical information. It would be no good at all if they were broken into by morons intent on vandalizing the computers, and really, really bad if they were cracked by somebody with some subtlety and bad intentions, though I'm pretty confident that they're already running something more secure than Apache/Linux or IIS/Win2000. And, of course, that's just one example. Corporate espionage is a real potential problem, as is large scale credit card fraud, both of which could be carried out by cracking the right computers.
There's no point in questioning authority if you aren't going to listen to the answers.
It's interesting to note that NAI have been involved for months with the project - see an NSA Press Release from January here.
An interesting techy overview is available from IBM here. I'm a serious NSA-paranoid (in 98 I wrote the rhyme: "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."), but I for one think that NSA 'hardened' Linux is a VERY good thing... Don't forget that, as well as being dirty spying bastards, the NSA (and the rest of the USG) are the largest consumers of secure computing.
At the moment they pay through the nose for 'hardened' versions of AIX, Solaris, HP-UX etc. They see that Linux is a 'free' alternative and would like to cut costs. They see that Linux isn't secure enough (e.g. would struggle to get c2 rating, let alone B*), so they decide to start coding themselves, adding functionality such as MAC.
Rather than keep the changes themselves, the NSA decide to share the source code back with the community - this really embraces the Free Software / Linux philosophy. Any code released will be scrutinized no end - a peer review of the initial code for example uncovered a potential buffer overflow vulnerability.
I appreciate that my comments may not be popular with the ultra-paranoid, but if you can objectively view the facts this development really is a good thing for Linux. Hell, if you don't want to use the changes, then don't apply the diffs.
The bottom line: I strongly support NAI in their efforts to further develop Linux.
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
1.2 million dollars will be pumped into the development of Linux.
That's 1.2 million dollars of government effort. It gets you one project manager who doesn't understand the project, three programmers who are there because they can do no work and not get fired, two programmers who are there bankrolling their education to the government, one programmer who died at his desk in '79 and nobody's noticed yet, 20 dot matrix printers someone in procurement bought because they're an idiot, five toilet seats, and a ball-peen hammer.
Maybe the state's highest function is to grind out insoluble problems. (Zelazny, Hall of Mirrors)
I believe, backdoors notwithstanding, that the NSA port of Linux has great potential. I mean, they'd probably rebuild Linux to B1 or better in the Orange Book. (This puts it in the same class as BSDi (I believe), Trusted Irix, and other Unixes with high security standards.) Mandatory Access Controls are made stronger, Access Control Lists are part of the OS, probably paranoia levels of logging, good crypto. Good times.
For those of you who are concerned about this port, pay close attention to this next line.
GPL/OSS's strength is in the availability of source which can be audited.
For those of you cryptonauts and paranoids who don't quite know C (present company included), you've a very good reason to learn. Reading the multitudinous (ooh! big word!) kilos and megs of kernel source ain't my idea of a great vacation, but the results of the extensive audit will be worth it. (B1 operating systems are, shall we say, DAMNED hard nuts to crack.)
If that's not enough, there's an article (name, site, and url escape me) where Linus says that audited parts of the NSA port may well be injected into the source tree.
Windows.. Good for targeting rocks.
I used to be someone else. Now I'm someone better.
Real life is underrated.
From the mouth of Robert Steele, former CIA spook and runner of OSS.net (Open Source Secrets), a site which offers information to businesses and others on open information which is encoded in that most hard to crack of codes, other languages:
"The Morris Worm was the worst thing to happen to the CIA, because then system administrators looked for all those cracks in security!"
Full audio at h2k.net.
Windows.. Good for targeting rocks.
I used to be someone else. Now I'm someone better.
Real life is underrated.
The only reason windows is still being used? What the heck are you talking about? Windows... Secure?!?
This (infiltrating the linux community through the prebuilt compiler or even kernel) would actually work to a certain extent with the current Linux community. How many of you are running a home-compiled kernel? [OK, lots] Now keep your hands up if you are running a kernel you compiled with a compiler you compiled. [most hands go down.] What kernel were you running when you compiled the compiler? And what compiler did you use on that kernel?
The mechanism for complete infection would not be there, though, since there would be plenty of people and distros out there that would begin to track and maintain the purity of the lineage of their compilers and kernels, but the NSA could get a foothold into the more promiscuous script kiddies community, which they have some incentive to do anyway.
Bingo Foo
---
taken! (by Davidleeroth) Thanks Bingo Foo!
Doesn't anybody think before going into hysterics?
Of course not. That is kind of the point of hysterics.
Although they have a reason to want the net to be unhackable, they also have a reason to be the exception. Given the brainpower they have, they could conceivably know something we don't. Beware of algorithms you don't understand.
Milo
Now let's look at other times a joint commercial/NSA endeavor has taken place, DES. The standard was published in January 1977 and no major cryptographic break has been discovered yet save brute force (I hardly consider linear cryptanalysis a real threat).
Personally I am a little more worried about NAI's involvement than the NSA's.
Note to obtuse mods: J/K ;)
--
--hongpong.com
The NSA has always been so close-doored about exactly what it does and doesn't know in the crypto field, it has a lot of public domain cryptography experts wondering whether all their hard work is actually in any way useful, or whether the NSA is so much further ahead of them that they're just wanking - to use the parlance of our times.
It's interesting to me then that the NSA has chosen to partner with NAI on this, it seems to give some very strong support to the belief that public domain cryptography is at least as good as NSA level stuff.
Of course it could all be a massive ruse to put us poor saps off guard - but honestly I'm not willing to go that paranoid today. Any takers?
There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
Doesn't publishing the source kind of make it meaningless to incorporate monitoring features? Somebody out there will find the monitoring features pretty quick, and then nobody will use your code. Somehow I think the NSA is a bit smarter than that.
There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
It's nice to see companies joining to assist the NSA, however I would never install it, for paranoia reasons. Aside from that it's not all that. (read this to back those claims and we can't forget its first security incident)
It's a nice idea, but ask yourself this question... The NSA could have done this a long time ago, why now? With the rising amount of cybercrime, one would think that, _THAT_ would be their motives however, if that were the case they would be strong opponents of crypto for the masses, so why one and not the other?
So again jumping into the paranoia stage, could it be because the typical script kiddiot is using various forms, of Linux, this could be a method to monitor them? If so how do corporations who use this (SELin) fall into the muck of it all, what about employees of the NSA, and NAI, if they were capturing data, that could affect stock markets, integrity of people, confidence. Total PR nightmare...
Anyways it is nice to see a secure (for now) OS on the market, but as for me... I'd take Open over SELinux anytime.
click this link... get fired
360 degrees of Karma
Why hasn't this security issue with PGP been addressed yet? Are they waiting for an epidemic? Less reason to go goo goo over PGP.
Outguess
360 degrees of Karma
Vaudenay, S. 1995. An Experiment on DES Statistical Cryptanalysis.
Linear cryptanalysis and differential cryptanalysis are the most important methods of attack against block ciphers. Their efficiency have been demonstrated against several ciphers, including the Data Encryption Standard. We prove that both of them can be considered, improved and joined in a more general statistical framework. We also show that the very same results as those obtained in the case of DES can be found without any linear analysis and we slightly improve them into an attack with theoretical complexity
360 degrees of Karma
Leaving a backdoor in would be pretty stupid, because the impact (to the nation and the NSA itself) if it was found and exploited would be enormous. You may think of the NSA as a bunch of goons, but they do have a sense of self-preservation; they'd have to be suicidal to do what you're proposing.
--
Scientists restrict study to entire physical universe; creationist
Great, another round of NSA hysterics.
You know what the saddest thing is about this?
Somebody busted his hump to get his boss at NSA to let him work on Linux. Said person then busted his hump even further to get his boss to actually allow the release of the source code. What, you think it was easy to get the NSA to release the source code?
I can only imagine how many levels of authorization this poor guy had to go through to get permission to release the source code. Can you even begin to imagine the hell he went through for our benefit?
And as his reward, this poor soul now gets a bunch of idiots screaming about the NSA trying to break Linux's security. If he ever gets invited to speak at a conference, he'll probably be booed off the stage for his efforts.
Doesn't anybody think before going into hysterics?
The NSA has to worry about the GAO breathing down their necks and the CIA, DIA, and FBI competing with them in some things. Microsoft is a monopoly. Who's going to be the one to worry more about the end-user?
If the NSA has to be working with an operating system, I'd prefer it to be Linux. Even if they were to put in back doors, at least the users have the legal right to look at the source code and try to find it and fix it. And I can almost guarantee that anything that has the NSA stamp of approval on it will be rigorously tested by the community, if for no other reason than because it says "NSA" on it.