NSA Releases Updated SELinux
darthcamaro writes "Looks like our federal tax dollars are hard at work - improving security on Linux! The NSA - you know the folks that are shadowy figures on X-files - have released the latest updates to SELinux (security enhanced). Internetnews.com has got a piece on it where they talk to Gentoo and Red Hat about the release's significance."
What kinds of changes in SELinux would be NOT welcome in mainstream Linux distros?
I have been pwned because my
This comes right on the heels of a report by a security firm that Linux was the most vulnerable server OS...
On the other hand, I think this is a great example of why open source software is a good thing - anyone, the government included, can improve the software. I'm sure they feel much better about using an OS that they've personally inspected and tested than something else.
Do the security enhancements developed by the NSA slow down the kernel? Does it make it harder to set up services such as email or Apache? How much more secure is it than a standard vanilla kernel?
I have not had the opportunity to play with SELinux but am interested in how it works, how difficult it is to set up properly and all that fun stuff
I just want to toss out the notion that the general complaint that slashdot readers don't read the article, and the slashdot effect are mutually exclusive. There were only 8 replies to this thread when I clicked the main article link, and although it wasn't completely slashdotted, it was incredibly slow coming up.
My second comment is really a question: How do we weigh this up against Mr. McBride's letters to congressmen? It seems like they would probably lean on the NSA for advice on what's secure and what's not, rather than the seeming ravings of a madman.
I would also throw out a little pointer that probably one of the major reasons that the NSA is working on the Linux Kernel is simply because they can. I'm almost certain that if they had the ability to tweak security in MS, they would do so.
Kudos to the NSA for sharing it all with us.
Isn't this one of the best things to have happened to linux in the past year? How many operating systems can boast about having ***NSA***-quality security? Whether that's the whole story is another issue: this is marketing pure gold! That line in and of itself would be enough to catch the interest of most managers, I think. This may really kick open the door for Linux moving into the corporate space.
I don't think the US govt. is allowed to use GPL. Of course, they must honor the GPL for the rest of the Linux kernel, however.
Vote for Pedro
... is the NSA web site running on IIS?
(Yes, yes, I know that the web site will be totally physically separated from the spooks' computers...)
Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
They spend money on it because they need to use it. I am sure the computer security required by the NSA is not met by most vanilla versions of OSes out there.
The NSA is mostly a bunch of geeks.
The vast majority of their work is maintaining secure communications for the military and other intelligence agencies plus analyzing (code breaking) intercepted secure transmissions. The movie "The Falcon and the Snowman" depicted their work fairly accurately, compiling lists and transcripts of monitored communications and forwarding them to the appropriate parties.
These are not the guys who start wars and disappear people (that would be the CIA). That's not to say they are completely innocuous, they are the guys who run the ECHELON program.
Read, L
click
"Ooh, sweet Flash intro..."
Something isn't right about that...
Only... The US government did NOT develop SELinux. A company named Secure Computing was contracted by the NSA to add aspects of their SecureOS (which runs their Sidewinder firewalls) to Linux.
one motive other than kindness might be the endless stream of attacks on the nation's communication and commerce infrastructure due to poorly secured internet-attached servers (not just windows - there's been plenty of linux based root jobs too). perhaps the NSA takes its role in protecting our nation a bit more seriously than you would think?
For about a year, NSA stopped talking about SELinux. Then one day there was an announcement in the Linux kernel mailing list that SELinux had been updated to the current kernel version and was becoming part of the mainstream kernel.
Now it's mainstream.
If my memory serves me correctly, didn't they stop developing their Linux tree a year or two ago? Because of some stupid ruling at political level, IIRC?
Please correct me if I'm wrong, as I can't remember. I'm happy to see them continue, as it now seems.
better yet:
http://uptime.netcraft.com/up/graph/?host=nsa.gov
"The site www.nsa.gov is running Microsoft-IIS/5.0 on Windows 2000."
Maybe they're running SEwindows2000. They added security enhancements once they downloaded the code from kazaa..errr, i mean SEKazaa
Actually the ONLY contribution the NSA made to DES was to tweak the S-Box selection criteria to help thwart differential cryptanalysis (20 years before the public sector rediscovered the technique). The cypher itself was written 100% at IBM and was an extension of LUCIFER.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
You can find out here.
This is an old speech made by Ken Thompson that talks about invisible back doors. To summarize, using Linux as an example in this case:
A method could be written into the kernel that detects that a kernel is being compiled and inserts code into that kernel. That code could be whatever you want, as long as it contains the method that detects a kernel being compiled...and so on.
That way, the kernel could have code in it that was not in the source code, but was present in every build, nonetheless.
In the speech, Thompson notes that this sort of backdoor could be inserted into any compiler or assembler (I can't remember if he says OS or not.) Kind of cool stuff.
*Meep* Wrong!
There are several ways to implement a backdoor, and many of them are practically invisible. There is no need at all to open a port and handle incoming traffic (which would be very obvious). Instead, if you want to implement a backdoor, you could just leave some input parameters of a service unchecked so it can be exploited by a buffer overflow. If anyone notices this flaw later you can still say "Ooops... but hey, everyone makes mistakes. I'll just fix it..."
I know that buffer-overflows are not a good example since they are not easily exploitable in SE-Linux anymore (iirc). But the basic concept remains still applicable.
Maybe that's the reason a big Company like MS takes so long to correct some very simple bugs, like the one about BMP-files in IE (http://xforce.iss.net/xforce/xfdb/15210). As soon as they fixed all their bugs they would be forced to release a new Windows-Version with new backdoors^d^d^d^d^d^dvulnerabilities.
Who guarantees that MS really didn't know about some of the bugs initially and they didn't just provide a list to NSA?
regards,
q.kontinuum
Trolling is a art!
Read the story in Steven Levy's Crypto.
TCAP-Abort
Can anyone comment on how well (or poorly) Medusa DS9 Security System compares with SELinux?