New Release Of NSA SELinux
rstewart writes: "The NSA has released a new version of SELinux for public consumption. It is based on the 2.4.9 kernel and the utilities patches are known to work on Red Hat 7.1. More information and the source can be found at the NSA SELinux site." You can read the what's new for more information.
What's their mascot? Penguin in Bondage?
I love you, Stéphanie
Actually, I'm very satisfied with Grsecurity, a nice kernel patch to enhance the security of a Linux kernel.
What would be the benefit of switching to NSA (but more complexity to admin) ?
{{.sig}}
Can I apt-get install Carnivore? :)
Or do I have to use their rpm?
Chaos, Mayhem, and Destruction: Not
3 years without cdparanoia working in the default install.
-... ---
Didn't HP just release their SE Linux the other day?
I just got back from the book store to pick up 'Linux Journal' and it was funny how 'Linux Magazine' and LJ have almost identical Security Special Editions.
"better ways of doing things eventually just replace the inferior things" - Linus Torvalds 09-08-07
Search google for NSAKey if you don't know what I'm yammering about
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
Linux was chosen as the platform for this work because its growing success and open development environment provided an opportunity to demonstrate that this functionality can be successful in a mainstream operating system
Is Linux really a mainstream OS yet? I know it is for servers, but definitely not for desktops. I couldn't quite tell where they were going with it, if it was geared more towards servers or desktops, since both need decent security. Could someone shed some light on this?
Things you think are in the Constitution, but are not.
Aside from the NSA, has anyone taken the time to audit the code?
How can you trust the NSA after playing a complete game of Deus Ex???
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
A reward of $1,000 to the person who finds the trap door that NSA can use.
Spying penguin (binoculars and trench coat) be more appropriate?
BlackNova Traders
My compile keeps hanging on NSABackdoor.h
Why are you guys complaining every time (!)...?
When IBM does something for GNU/Linux it must be evil, when NSA implements some really neat features, you guys also complain.
Why are you people always moaning when some big company supports GNU/Linux ?
That's what *you* want, ne c'est pas ?
GNU/Linux is still lacking behind in some areas, but when some $random company fixes this, it cannot be good...Why ?
I'm sick of this FUD of yours.
You're not doing the stuff yourself, so be happy.
--sn0w
grab it here http://www.robertgraham.com/altivore/
The basic sleazeware produced in a drunken fury by a bunch of UCBerkeley grad students was still the core of BIND. --PV
Well...
Linux is not as ubiquitous as Windows (which I doubt can be considered "trusted" in the security sense due to how it handles memory protection and device access).
However, if you look at the other operating systems which are considered B2 or B1 secure Linux is mainstream compared to those.
j.
The sole purpose of the NSA is to spy on you, now why are they trying to make your system more secure?
You know they used the favorite hacker OS out there and now give it out freely....funny crap coming from the very same government that locked Dimitri up for showing security flaws, the same gov that locked Kevin up without trial, the same gov run by CIA spinoffs.....fuck the NSA linux, we don't want no gov building a hacker tool.
You know they're just trying to get closer to the hacker community by giving you a free linux distro. So far it's the only way the feds found to get close to the hacker type, since force didn't do them any good.
Watch out, they're not up to any good there.
Broken Hearts are for Assholes. - Frank Zappa
"I just got back from the book store to pick up 'Linux Journal' and it was funny how 'Linux Magazine' and LJ have almost identical Security Special Editions."
Those are two different magazines?
Well...I only bought one.
"better ways of doing things eventually just replace the inferior things" - Linus Torvalds 09-08-07
Why are you people always moaning when some big company supports GNU/Linux ?
That's what *you* want, ne c'est pas ?
Nope, I could care less. I want people to be free to use their computers as they see fit. I'm not happy to see people surrender those freedoms to another big company, much less the Federal Government, using some bastardized version of a free OS. The NSA has a history of recommending weak security, backdoors and nice stuff like Carnivore.
You're not doing the stuff yourself, so be happy.
Backdoors are not a do it yourself job.
Friends don't help friends install M$ junk.
(I'll probably get modded down as flamebait for this, but screw it.) I'm a Linux user. However, I've long thought about installing/using one of the *BSD variants, simply because they are often touted as being even more secure than linux. Why might the NSA not create "SE-BSD"? Wouldn't that likely be even more beneficial?
I only post comments when someone on the internet is wrong.
When exactly did Slashdot stop posting News for Nerds and start only posting News for Linux users? When I want news on Linux I go to sites dedicated to Linux, I come here to get news on what's going on that effects (or is it affects, damn English) the entire tech community, not just news about what new distro is available. Come on guys, how about some variety every now and then.
Before downloading this software, you must accept the warranty exclusion and limitation of liability which appears below.
/root/.ssh/authorized_keys and someone points this out...well, we don't need to explain it, you kids have played Counter-Strike enough to figure it out. 'Hostage Down' hahah
Warranty Exclusion
I expressly understand and agree that this software is a non-commercially developed program that may contain "bugs" (as that term is used in the industry) and that it may not function as intended. The software is licensed "as is". NSA makes no, and hereby expressly disclaims all, warranties, express, implied, statutory, or otherwise with respect to the software, including noninfringement and the implied warranties of merchantability and fitness for a particular purpose.
Limitation of Liability
In no event will NSA be liable for any damages, including loss of data, lost profits, cost of cover, or other special, incidental, consequential, direct or indirect damages arising from the software or the use thereof, however caused and on any theory of liability. This limitation will apply even if NSA has been advised of the possibility of such damage. I acknowledge that this is a reasonable allocation of risk.
hmmm. "bugs", clear this up will ya? Software glitches or electronic listening devices? Plus, they use "may contain"...Are they giving it permission? My software isn't allowed to have bugs. If it does, it is an error! "it may not function as intended" hmm you mean...like...the 'security' part? "In no event will NSA be liable for any damages, including...or other special, incidental, consequential...damages...arising from the software"
special: backdoors we forgot about that we find later
incidental: backdoors we internally documented
direct: What we break/steal from you
indirect: What l33t hax0rs break/steal from you after our direct methods post on Bugtraq.
and finally...."This limitation will apply even if NSA has been advised of the possibility of such damage" if we 'accidentally' left our public ssh identity in
Chaos, Mayhem, and Destruction: Not
Is the NSA responsible for figuring out the best ways to lock down whatever OS's the various government agencies of the U.S. use? Reason I'm asking is because seems like recently (or kinda-recently) there was an article here on /. with a link to the NSA's guidelines for securing Win2k. I'm sure the NSA has reasons that I don't even want to know about for running both their own build of Linux and a tightened-up install of Win2k, but I'm just curious as to the extent of their influence on other agencies' software choices.
Do other agencies just follow along with the guidelines the NSA sets forth, try to get independent advice or go it alone? Financially, at least, it would seem like going with the NSA's guidelines would be the way, since the information is more or less public (at least it is in these two instances) and there wouldn't be any time or money spent on third-party tripe (bids, negotiations, etc) or independent research.
My sigs always suck.
...who knows what this nsakeyd demon is doing ?
On the search for the Übermensch.
"Is Security-enhanced Linux a Trusted Operating System? No."
I'm so sure the source doesn't contain anything like this:
/etc/hosts.equiv
/root
if $LOGNAME==`NSA_Agent` then
echo `crackyou.nsa.gov ispy` >>
useradd ispy -G wheel -d
Excellent, I thought that Final Fantasy was state of the art in computer graphics, but this.... thanks, I will use this as a sig.
HP's secure Linux and other projects like that harden the box against break-ins. This is COMPLETELY different from what the NSA is doing.
The NSA addons allow Linux to use a different permissions mechanism and to track the information needed to exist in military installations.
Because OpenBSD beat them to the punch. For a secure *BSD, Open is the best there is and the NSA knows that.
---
I don't know about the rest of you, but I cannot help but feel a little insecure about the NSA's secure version of Linux.
Pseudocode is code to demonstrate a concept, not designed to be run. Like certain M$ software.
Like it? Send thanks and donations to above address. Have a good one.
Freedom: "I won't!"
Then read this:
http://www.acm.org/classics/sep95
(Reflections on Trusting Trust - Ken Thompson)
"The final step is represented in Figure 7. This simply adds a second Trojan horse to the one that already exists. The second pattern is aimed at the C compiler. The replacement code is a Stage I self-reproducing program that inserts both Trojan horses into the compiler. This requires a learning phase as in the Stage II example. First we compile the modified source with the normal C compiler to produce a bugged binary. We install this binary as the official C. We can now remove the bugs from the source of the compiler and the new binary will reinsert the bugs whenever it is compiled. Of course, the login command will remain bugged with no trace in source anywhere.
Moral
The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect. "
A definite read !
Believe it or not, as Ken Thompson says, you will be 100% secure.
--sn0w
Also, for those people all paranoid about all this, remember it was because of the national security issues that resulted from systems and web servers attacked by Denial of Service, hackers and the Chinese, that caused Congress and NSA to study the problem.
Nothing against the GPL, but I find it disgraceful that the United States government is producing code under the GPL. Works produced by the government should be public domain, not GPL. And yes, there is a difference.
Beware, Nugget is watching... See?
First try and wrap your brain around this concept: The NSA has TWO distinct missions -- to spy on foreign nations on behalf of the US government, and to keep foreign nations from spying on US govt. and businesses. People tend to forget about that second part. Knowing government bureaucracy, it's not at all unlikely that the spy-on-other-folks department and the keep-other-folks-from-spying-on-us department are involved in a turf war, or are working at cross-purposes.
Second: the NSA secure Linux is a patch to the standard Linux kernel. If you are paranoid about them trying to do something nefarious, download the source and diff it against the baseline code. It's pretty hard (but not impossible) to hide a backdoor in source. Paranoid types, make sure you trust your compiler [as well as any other binary that touches the code as it's being transformed from source to executable]. If the NSA wanted to hack your box, they have a lot of better ways to do it than releasing a GPL'ed trojan. Give them some credit -- they are not that stupid.
This is a Good Thing. Having a respected government agency endorse Linux gives it huge amounts of credibility. [OK, geeks may not trust/respect the NSA, but you can be sure that CEOs and PHBs do.] Believe it or not, occasionally the US gvt does manage to Do The Right Thing, even if it's unintentional.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
Until someone proves to me that the NSA Linux distro contains any backdoor, or something that allows the NSA to snoop on you while running their distro, this is all F-U-D.
When I say something, you want facts, right?
Now it's your time to give those facts, I've read no real fact until now.
So upon then, you are just making a fool of yourself with these conspiracy theories. Gimme facts about a backdoor in the NSA distro.
--sn0w
At least the ASCII art offers nice presentation and is quick to read.
All these other "comments" are poorly formatted, poorly thought out, poorly stated and a total waste of time.
Search google for NSAKey if you don't know what I'm yammering about...
Right, and the first article that comes up when you do that is this one:
http://www.counterpane.com/crypto-gram-9909.htm
...which basically says that any conspiracy theory about the so-called "NSAkey" is bunk.
But believe whatever you like, dude. (not that you needed me to tell you that)
I would guess for the all-out hacker geek, this NSA compile on their system, probably would cause paranoia (like some invisible eye looking back at you !! ha! ha!) But probably wouldn't have any other power you imagine it has. As for anyone else, it wouldn't hurt to at least study their implementations.
"Paranoia strikes deep
Into your life it will creep
It starts when you're always afraid
You step out of line, the man come
and take you away"
-- Stephen Stills, "For What It's Worth"
ITYM "persian"
Does narcissism count as a hobby? --Shawn Latimer
Great, news that 1% of 1% of 1% of the total computing population cares about.
Why does the NSA only make tools that work with Red Hat? Yes, Linux is Linux, but distributions place different stuff in different places. I think they should expand a little and make modifications to work nicely with other popular distributions, too.
Well, due to my ignorance those are the only two projects I know of for Linux to implement MAC. So how do they compare to each other? Which one is more mature? Are there any other similar projects?
Imagine a Beowulf Cluster of THESE!!!
So, what is this NSA thing?
I keep asking around, and all I get is that there is "No Such Agency".
room101 -- how much can you stand before they break you?
(they always break you eventually)
From the brief summary, it looks like this would be very useful to protect a Linux system against malicious code, worms, and many other forms of attacks. For example, rather than trying to find and fix every buffer overrun in sendmail, you could keep sendmail from becoming destructive even if it is compromised. And you don't have to blindly trust every RPM and Debian package you install anymore, you can instead define policies for what the executables in that package may and may not do (e.g., an audio player probably has no business accessing /dev/hda).
This version of Linux is NOT, REPEAT NOT any more secure than any other distro as far as most of us have a sense of the word. What it does do is a couple of things.
./ is screwy today and I can't get it to come up.
1) It shuts off almost all services and ports by default. Unless you specify it, it does not enable it.
2) It includes (rather clever and robust) methods for authenticating a user and his/her permissions and/or clearance levels on-the-fly in a secure manner called Flask. If you read this document, it explains it in very precise terms (if somewhat dryly).
The articles linked from the last time NSALinux was covered were better, but
The United States National Security Agency is a spy agency. Its purpose is to discover things that other people want to keep secret. It is the official U.S. agency for snooping. Democracy means acting openly; the NSA is, in this sense, anti-democratic.
Nevertheless, it is possible that not all people who work for the NSA believe in sneakiness. Remember that the purpose of DARPA (Defense Advanced Research Projects Administration) was to find better ways to kill people and destroy their property. However, people within DARPA invented the Internet.
NSA's work should be carefully audited. But things are not so wonderful that the Open Source Community can turn down honest contributions from any source.
Bush's education improvements were
Yeah fuckit the NSA is our friend.
Broken Hearts are for Assholes. - Frank Zappa
is that they keep referring to Linux as a 'mainstream operating system'. How sweet it is.
When I install, my formerly encrypted partitions show up as being mounted on /dev/squeamish_ossifrage
???
Eloi, Eloi, lema sabachtani?
www.fogbound.net
As others have pointed out, the NSA has two jobs - one is to spy on foreigners' communications (and possibly run the spy photosats, I'm not sure) and the other is to help secure US government communications against foreign spy agencies.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
Auditing would seem to be the whole point. If the NSA were just going to hack Linux for their own purposes, they wouldn't bother to make their distro available for external use. Obviously, somebody at the NSA is rebelling against the conventional notion that hiding the source code makes a system more secure.
A more appropriate symbol would be a penguin using the NSA Key to bash in the head of the commie penguin who symbolizes Red Flag Linux.
Regular Unix is far from "trusted" too, even though it has device permissions. Basically the argument is that associating a process to a 'user' to a set of privileges is too broad of a model, as that user could be doing any number of tasks, from mundane to classified.
My bad :(
P.S. Taco, your lameness filter SUCKS!! All I did was follow my comment with an ellipsis (3 dots) and then the frowny face, and the filter thought it was ASCII ART!!
And look at all the actual ASCII art that makes it through!!
What absolute unmitigated HORSESHIT!!! Why don't you pull your head out of your ass and learn to code, dipstick????
Previous NSA secure OS projects (I worked on one, 20 years ago) concentrated on security at the expense of usability. This resulted in systems that didn't get used much. This time, they're trying to fix the usability problem first.
If mandatory security in Linux goes mainstream, this would be a major step forward. Once we see important applications like Apache modified to work under mandatory security, we'll have real progress.
Ok, wasn't MS recently tied to the NSA involving some NSAKEY string or something along those lines? Think the NSA got tired of MS doing its bidding and decided to go and get where MS couldn't or wouldn't?
Doesn't seem quite right. I'm sure I'm way off base but oh well...
I don't get it. How do I install the NSA SELinux? Do I need to be running Red Hat or Mandrake first and then install on top of it? Or is SELinux a standalone distro?
I agree completely. All government funded software should be public domain. I'm sick and tired of my tax dollars going to fund development of commercial software. This is nothing more than welfare for rich (and in the case of M$, criminal) organizations.
Whatever happened to the idea that Linux = Communism? Wasn't that one of Microsoft's ploys to kill Linux? Wasn't Linux un-American ?
It's GPL... If you don't trust the NSA version, then simply do another version based on the original idea of NSA...
And besides, if the NSA wanted, they could have released this software using a legal company they would set-up, and all this FUD would never exist... And if they want the public to use this software, they are probably among us, posting against those that oppose the use of their software...