Slashdot Mirror


Would You Use SELinux?

silent_tyr asks: "I am going to re-install my Linux box and, being security-conscious, I am looking for a secure distribution. After a couple of Google searches I found a version called Secure Linux, which sounded ideal. So I followed this link, which turned out to be what I assume is a genuine NSA web-site. All in all, it looks like a good idea and I can play around with it as I wish, but eventually I will be using this machine as my base-system. So before I start I want to ask two questions: 1) Do you think that it is a good idea to trust the NSA not to put in back-door/spy-ware type code to enable them to snoop my personal information? 2) What other security-patched distros can people recommend? I don't want to open up the floor for generic NSA-bashing, but I also don't want to have to work my way through every line of code before I install." There was a similar question that was asked a while ago, but there wasn't much to the discussion. For those of you who are running SELinux, what have your experiences been, so far?

12 of 65 comments

  1. Re:What? by fredrikj · · Score: 2, Insightful

    GPL'd source guarantees that nothing lives in your kernel that you cannot examine as much as you like for backdoors.

    From the post:

    I also don't want to have to work my way through every line of code before I install.

  2. Re:What? by tka · · Score: 5, Insightful

    GPL'd source guarantees that nothing lives in your kernel that you cannot examine as much as you like for backdoors.

    Yet this examination has to be done by somebody else, by a larger group of people who have a great amount of knowledge and experience on these matters. It is simply not "possible" for this guy/girl to examine the kernel. Besides, it is not an easy task to look for backdoors etc. Does anybody know whether this kind of examination has taken place by an independent group?

  3. Regarding NSA backdoors by Bravo_Two_Zero · · Score: 4, Insightful

    IIRC, it's a series of kernel patches and some modified basic utilities. I wouldn't be surprised if there was more to it than when I first looked at it a couple of years ago.

    But as to NSA backdoors, honestly, how much intel would they gather from the handful of people who would install SELinux? Wouldn't it make way more sense to crack into Microsoft's source code (if a Russian hacker could do it, well, I'm sure they can) and do it in a closed-source, widely adopted OS?

    Hey, I'm as much a conspiracy theorist as the next mildly-intelligent person who sees strings pulling the marionettes in our government. But it ultimately comes down to a resource allocation issue. Why bother when there's so much more to be gained with the same (or less, if you consider the need to somehow disguise the backdoor in open code! ;) amount of work?

    Now about those microwave towers...

    --


    Amateurs discuss tactics. Professionals discuss logistics.

  4. Re:SELinux? by BrokenHalo · · Score: 4, Insightful
    Uhh... maybe. But if I were so paranoid about NSA introducing backdoors etc, I would be more inclined to go for Linux From Scratch. I have a reasonable degree of faith in the GNU components and other applications that I use, and if I wanted to be sure that they hadn't been tampered with, I would download the source of each piece of software, check the MD5sums and compile it all myself.

    Since I live in the real world (tm) I just use Slackware. I reckon I can trust Pat not to fuck with my system :-).

  5. Yeah, go ahead. by Hanashi · · Score: 4, Insightful
    SELinux is fairly well known and has been available for some time. The original release was greeted with some amount of fanfare and hoopla, even. If there were a secret NSA backdoor, it would have been found by now.

    IMO, the bigger question is: "will the extra security measures get in the way of doing what you need to do?" And probably the corollary: "If you're going to have to disable any of those features, is it still worth using this distribution?"

    --
    Check out my eclectic infosec blog at InfoSecPotpou
  6. Choices by GreyyGuy · · Score: 3, Insightful

    First off, which is more likely: that you have information that the NSA is curious about on your machine or that some random loser will test it for various vulnerabilities? If I remember correctly, the idea behind the NSA distro was to provide a free, secure solution to slow or stop the DDOS attacks and the like. If you have anything that the NSA would REALLY be interested in, other than a pron stash that everyone else has, (meaning actual illegal, get-you-jail-time stuff) why on earth would you put that on a machine connected to the internet? Put it on a separate machine behind a firewall and encrypt it if you are that concerned about it.

  7. Re:NSA already has your keys by Hungus · · Score: 2, Insightful

    I didn't say ANYTHING about being trustworthy!
    Let's be honest, I know that Mossad could come up with legal documents proving you are my 3 year old daughter.
    AND I know that the NSA could show my direct email correspondence to Lenin himself.
    AND I, especially being in the security business, am paid to be paranoid (which I would be even if I wasn't in the security field); after all, just because you are paranoid doesn't mean they aren't really after you. What I am saying is there are 30 big ugly guys standing outside your home with the ability to come in. Some by breaking down your door, others breaking a window. Unless I am a cryptography expert (I personally am good but am by no means an expert) and a security expert, and a Linux expert who has gone through every line of code out there and written appropriate patches yourself, you have to trust someone. Me, well I am going to trust the guy with the locksmith business card and the truck and experience to back it up. After all he is an expert and if I didn't give him the keys he could still walk in. In the end it is not so much a matter of trust as it is a matter of logic.

    "I would be a libertarian but they believe in too much government"

    Well, in actuality, I am a constitutionalist

    --
    Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical,OK
  8. It's a modification of a standard distro, so... by metamatic · · Score: 5, Insightful
    "I also don't want to have to work my way through every line of code before I install..."


    % man diff

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  9. Re:What? by spencerogden · · Score: 4, Insightful

    Yes, but having the source of SELinux and the vanilla kernel sources means you can diff the two trees and get a very good idea of what has been changed. Viewing the changes in this manner should make a code inspection manageable.
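
The tree comparison suggested in the two comments above, as an added example that is not part of the original thread: it compares a vanilla source tree with a patched one and returns a review queue of new, deleted and modified files ordered by how many lines changed. The directory layout, file names and file contents are constructed sample input.

```python
import difflib
import tempfile
from pathlib import Path


def changed_lines(old, new):
    """Count lines added and removed between two versions of one file."""
    ops = difflib.SequenceMatcher(None, old, new, autojunk=False).get_opcodes()
    added = sum(j2 - j1 for tag, _, _, j1, j2 in ops if tag in ("replace", "insert"))
    removed = sum(i2 - i1 for tag, i1, i2, _, _ in ops if tag in ("replace", "delete"))
    return added, removed


def tree_lines(root):
    """Map each file's relative path to its lines; undecodable bytes are replaced."""
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace").splitlines()
            for p in Path(root).rglob("*") if p.is_file()}


def review_queue(vanilla_root, patched_root):
    """List (path, status, added, removed) for every difference, largest first."""
    old, new = tree_lines(vanilla_root), tree_lines(patched_root)
    queue = []
    for rel in sorted(old.keys() | new.keys()):
        status = "modified" if rel in old and rel in new else "new file" if rel in new else "deleted"
        added, removed = changed_lines(old.get(rel, []), new.get(rel, []))
        if added or removed or status != "modified":  # identical files are skipped
            queue.append((rel, status, added, removed))
    return sorted(queue, key=lambda entry: -(entry[2] + entry[3]))


def build_sample_trees(base):
    """Constructed sample input: two tiny trees standing in for the real sources."""
    samples = {
        "vanilla/net/socket.c": "int f(void)\n{\n    return 0;\n}\n",
        "patched/net/socket.c": "int f(void)\n{\n    check_policy();\n    return 0;\n}\n",
        "vanilla/fs/open.c": "int g(void)\n{\n    return 0;\n}\n",
        "patched/fs/open.c": "int g(void)\n{\n    return 0;\n}\n",
        "patched/security/hooks.c": "void check_policy(void)\n{\n}\n",
    }
    for rel, text in samples.items():
        Path(base, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(base, rel).write_text(text)
    return Path(base, "vanilla"), Path(base, "patched")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*review_queue(*build_sample_trees(tmp)), sep="\n")
```

The queue only says where to read; each modified file still has to be reviewed with enough surrounding code to understand the change.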

  10. Re:What? by 4of12 · · Score: 4, Insightful

    you could spend weeks browsing through the source by yourself (and probably not find any backdoors even if they do exist).

    Me (an average good C programmer) and hundreds of others (that are average good C programmers with good networking experience) would stand a reasonable chance of finding something.

    In fact, if you are in the computer security business, uncovering a backdoor like this would be a real feather in your cap, look good on your resume, and help you drum up more business, so there's definitely motivation for people to look closely at the NSA code, not just for backdoors, but for any kind of flaw that could potentially compromise security.

    Critical (almost hostile!) code review like that is going to do a lot better job than a more friendly limited internal review at Company X, where Marketing wants to ship the product yesterday.



    check MD5sums at the original point of distribution

    You bring up a good precaution, checking the MD5 sums, especially in light of the trojan distribution problem that happened with (SSH?,SSL?) last year.

    But I've always thought it was silly to check MD5 sums for tarballs from the same point of origin.

    If I were a trojan writer, I'd change the webpage so that the MD5 sum displayed was in sync with my malware.

    Getting independent verification of the MD5 sum from a different source is better; checking a PGP signature is better still.

    Finally, from a political perspective, it would Look Bad if someone managed to hack into nsa.gov and replace chunks of their site. I'd expect NSA sysadmins to pay closer attention to securing their site than average sites.

    --
    "Provided by the management for your protection."
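
The point made in the comment above about checksums served from the same place as the tarball, as an added example that is not part of the original thread: a download is accepted only when a matching digest was read from a host other than the one that served the file, and no published digest disagrees. It uses SHA-256 rather than MD5, does not cover PGP signature checking, and the host names and file contents are constructed.

```python
import hashlib
from urllib.parse import urlsplit


def host(url):
    return (urlsplit(url).hostname or "").lower()


def verify_download(data, download_url, published, min_independent=1):
    """Check data against digests read from several places.

    published maps the URL each digest was read from to the hex digest found there.
    Digests served by the download host itself prove nothing about tampering on
    that host, so acceptance needs min_independent matching digests from other
    hosts, and no published digest may disagree.
    """
    actual = hashlib.sha256(data).hexdigest()
    independent, conflicts = set(), []
    for url, digest in published.items():
        if digest.strip().lower() != actual:
            conflicts.append(url)
        elif host(url) != host(download_url):
            independent.add(host(url))
    accepted = not conflicts and len(independent) >= min_independent
    return accepted, sorted(independent), sorted(conflicts)


def demo():
    """Constructed sample: hypothetical hosts and made-up file contents."""
    genuine, trojaned = b"genuine tarball bytes", b"trojaned tarball bytes"
    good, bad = (hashlib.sha256(blob).hexdigest() for blob in (genuine, trojaned))
    file_url = "https://downloads.example.org/pkg.tar.gz"
    site_sum = "https://downloads.example.org/pkg.tar.gz.sha256"
    mirror_sum = "https://mirror.example.net/pkg.tar.gz.sha256"
    return {
        # The file and the checksum shown beside it were both replaced.
        "same-site only": verify_download(trojaned, file_url, {site_sum: bad}),
        # The independent mirror still lists the original digest.
        "mirror disagrees": verify_download(trojaned, file_url, {site_sum: bad, mirror_sum: good}),
        "mirror agrees": verify_download(genuine, file_url, {site_sum: good, mirror_sum: good}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```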
  11. Not when you can't trust the compiler by DrSkwid · · Score: 3, Insightful


    The moral is obvious.

    You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  12. Have to agree Winter. by OwnerOfWhinyCat · · Score: 2, Insightful

    Though you expressed it with humor, the point is very valid. Doing a diff on two kernel source trees that kicks out 50k lines of code sounds like reading enough, but in many cases of a 10 line change, you'll have to read a good chunk of the rest of the module to get the proper context.

    Additionally, all this is in the realm of seriously expert shit. If the NSA put in a backdoor like

    if (connecting_socket->IP == 152.63.39.37) {
    connecting_socket->priv_level = GODLIKE;
    }

    You're in luck.

    In most other cases a backdoor is just a hard to exploit/spot vulnerability like a stack overflow, or an awkwardly cast variable assignment that allows the tricky person to assign values to the target variable that are outside its normal range and have a desirable side effect. If you wrote the modules in question these things would be noticeable; if you're a full time kernel coder, they would be possible but hard to spot. If you're asking /. this question, you have no chance in hell of catching them.

    The Linux From Scratch suggestion above seems like the most user accessible way to go. I would trust the good will and intentions of individuals over any government's institutions every day of the week.