NSA Releases Updated SELinux
darthcamaro writes "Looks like our federal tax dollars are hard at work - improving security on Linux! The NSA - you know the folks that are shadowy figures on X-files - have released the latest updates to SELinux (security enhanced). Internetnews.com has got a piece on it where they talk to Gentoo and Red Hat about the release's significance."
Security = 1/Convenience Solve for your favorite variable.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Whoooo nelly... It kind of makes you wonder what kind of "enhanced security" those boys loaded that thing up with?
I am guessing it will either somehow steal every bit of information, including your fingerprints, or be totally sweet
Seeing as any changes the NSA make are presumably only used internally by the agency, they are under no obligation to release the source. So this is quite a community spirited move on their part.
:-)
Unless of course they are trying to sneak some NSA backdoors into Linux kernels
Homme petit d'homme petit, s'attend, n'avale
Shadowy? Since when are the NSA guys "Shadowy"? I have an uncle who used to work for them (he's retired), and he's a great guy.
Although, that may describe why he always has those blind marks across his face.
When life gives you crap, Make Crapade.
Sluggy Freelance.
Can we expect that NSA will also do EAL5 for Linux for free?
I find extremely disheartening that our tax dollars go into products, ideas and research that is then turned around and used for the benefit of ONE company (see big drug companies, defense contractors, and certain university professors). That just seems plain "un-american". Here we have a rare exception, our tax dollar going to improve something for ALL americans (and the world too).
Sadly Microsoft is lobbying to shut down the NSA's involvement in free software, claiming that the government is essentially "competing" with them. Somehow our tax dollar going to work securing windows isn't communist according to MS. Just if it also helps someone that ISN'T MS. Let's hope they fail.
In the end, this can only be a good thing for ALL OS designers. It helps them look at how the people that stay awake at night worrying a lot think about security in an operating system.
AngryPeopleRule
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
You can say whatever you like about backdoors and the like, but you can be goddamned sure I want some of the brightest minds in this country looking at the code I use as opposed to the dumbfucks that I graduate with that go to work for regular companies. As for the brightest minds? Just take a look at the requirements to work for the NSA vs. Microsoft (and NO, I'm not talking about security requirements).
Don't be silly. The three industries you mentioned are some of the most heavily subsidized markets in the world.
"We have government spending money on OS now? I think like car-building, airlines and railway, the operating systems should be left to private commercial markets."
The govt. can spend money on product development if it is necessary for govt. functions. In this case, the NSA is extremely motivated to have a secure OS to store their secrets. Rereleasing their mods to the public seems like a way to get more bang out of your tax dollar by letting you use their improvements.
Vote for Pedro
Outsourcing spooks. Yeah, that'll work just spiffy.
KFG
security -> tends to zero as Sum(Idiots) -> tends to infinity.
the combination of linux being open source plus the legal requirement that all US government employees must release code they develop as public domain results in SElinux.
in other cases it results in a very good statistical test suite being dumped into the public domain.
http://csrc.nist.gov/rng/
Do you read all of your source code before you use the software?
Chris
I'd rather pay taxes to support the stability of Linux, than to pay taxes to keep a piece of vulnerable software running any day.
"Instant gratification takes too long." - Carrie Fisher
Do you read all of your source code before you use the software?
:)
No, but if someone made changes and enhancements to my code or related to my code, I would most definitely like to see the changes.
Especially if it's an agency like the NSA.
And am sure, so would the contributors to the various kernel and networking parts of Linux (or for that matter other Open Source works).
Besides, ever seen your average mail (and the number of mails) on Bugtraq or Security Focus mailing lists? There are quite a few people out there who would be quite interested.
Also, remember that even if NSA wanted to introduce backdoors, this would be too early - they would need to build up the trust to a level when people will get a little careless and then take advantage
You felt the need to link to microsoft's site in your post? You're new here so I'll give you that, but you don't have to do that. For example, the following phrases would all work too:
"The great satan"
"Bill the Impaler"
"The guys in Redmond"
"Generic Microsoft Comment #5F"
"OMG LINUX RAWKS. DIE M$ DIE DIE DIE!!!!1"
Just what 100% commercial private railway did you have in mind?
Almost all railways are national interests, including passenger service in the United States. Only _very_ recently has privatization become fashionable for railservice and it is usually marked by miserable failure. Take Britain where it was suggested that they basically dump British rail north of Manchester because there's no profit in servicing BFE. That's the point of state-owned services. The state will not dump a region simply because it isn't making a buck and the service is more important than profit.
The vast majority of airlines are state-sponsored (outside the U.S., that is) and vary from states as majority stakeholders to 100% state-ownership. American carriers being privately held is more the exception to the rule.
If not for massive government investment, international travel would still resemble an Indiana Jones plot line.
The government had always spent money in infrastructure, either directly or indirectly. The examples you choose illustrate this point.
Car-building would not be so lucrative if there were not good roads. The government pays for these. In addition, most factories are now subsidized by tax incentives. We would probably have almost no cars built in this country if local and federal authorities did not pay the manufacturers to locate here.
In the early days airlines made their profits delivering mail. It was a while before they were independent. Also, airports are generally built and heavily subsidized by local and federal money.
It is my understanding that the railroads were given land. They wanted to own the rails so they built them, with immigrant labor, externalizing a number of costs related to said labor. Lately the rail lines have been complaining that they have to pay for maintenance of the rails while the government pays for the airports. The difference is that the rail didn't want to share. Of course, the government spent huge amounts of money subsidizing the rail lines. Which is good because for many things rail is more efficient than road or air. The rail people later used their exclusive use of the right-of-way to develop long distance telephone service, another thing that would not exist with heavy government support.
Operating systems are infrastructure. It is proper that the government helps to make sure that this important business tool is suitable. The government has always subsidized the development of these technologies through research grants, not to mention the computer time that Gates and co. originally took from university computers. On a higher level, some analysts think much of the profit MS generates is due to specific tax breaks they have been given.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Anyhow, don't tell me SeLinux is better because.. it would cause a flame-thread only...
So are you trying to claim Rule-set Based Access Control (RSBAC) is better? Have anything to back up that assertion?
Considering there are still too many junior and not so junior system administrators that fail to use standard Unix access controls correctly or to their full potential, I do not expect to see advanced fine-grain access controls like RSBAC, MAC, etc. to gain mainstream usage any time soon. The issue is that fine-grain access control does not tend to scale well in complex and dynamic environments like found in the typical IT department of a commercial enterprise, or an academic computer centre, or the typical under (IQ) staffed government IT/IS department.
Anyone that can read and understand C. Thank God for OSS.
A better question would be, who would trust Microsoft?
...are among other research projects paid for by government money. Don't tell me that those things would be better developed by private industry.
That's like saying we would be better off with 5 different (and incompatible) digital TV standards.
Considering the target audience it makes sense. Fedora/Red Hat is the most popular used Linux distro by far. A more user-friendly approach to SELinux at least at first seems like a good idea. This is after all a bit of a landmark for linux and will be new to a lot of people.
I don't think it's a loss, as you're implying, that Fedora chose the path it did. Those who prefer to be deeply involved with every aspect of their distro will of course be free to use Gentoo.
I have had numerous occasions to work with folks from NSA, NIMA (now GIA), DSS and others on projects. Despite the Hollywood induced perception that the GP has of them, they are normal guys like you and I that are: 1.) Just REALLY good at what they do, and 2.) Will do it for less money than they could in the private sector because they feel a patriotic duty to do so. Back doors...? Give me a break guys, it's Open Source for Pete's sake. You don't think the guys maintaining the kernel have a looksee?