NSA Releases Updated SELinux
darthcamaro writes "Looks like our federal tax dollars are hard at work - improving security on Linux! The NSA - you know the folks that are shadowy figures on X-files - have released the latest updates to SELinux (security enhanced). Internetnews.com has got a piece on it where they talk to Gentoo and Red Hat about the release's significance."
I wonder how it compares to Tin Foil Hat Linux?
Anyone can provide contrast/comparisons?
What kinds of changes in SELinux would be NOT welcome in mainstream Linux distros?
I have been pwned because my
ScullyEnhanced Linux?
I'm in. Where do I get it?
mattdev@server$ touch
cannot touch `/dev/genitals': Permission denied
...backdoors!
Treehugger? Treehugger... Treehugger!
This comes right on the heels of a report by a security firm that Linux was the most vulnerable server OS...
On the other hand, I think this is a great example of why open source software is a good thing - anyone, the government included, can improve the software. I'm sure they feel much better about using an OS that they've personally inspected and tested than something else.
Whoooo nelly... It kind of makes you wonder what kind of "enhanced security" those boys loaded that thing up with?
I am guessing it will either somehow steal every bit of information, including your fingerprints
or be totally sweet
Seeing as any changes the NSA make are presumably only used internally by the agency, they are under no obligation to release the source. So this is quite a community spirited move on their part.
:-)
Unless of course they are trying to sneak some NSA backdoors into Linux kernels
Homme petit d'homme petit, s'attend, n'avale
Shadowy? Since when are the NSA guys "Shadowy"? I have an uncle who used to work for them (he's retired), and he's a great guy.
Although, that may describe why he always has those blind marks across his face.
When life gives you crap, Make Crapade.
Sluggy Freelance.
Do the security enhancements developed by the NSA slow down the kernel? Do they make it harder to set up services such as email or apache? How much more secure is it than a standard vanilla kernel?
I have not had the opportunity to play with SELinux but am interested in how it works, how difficult it is to set up properly and all that fun stuff
Can we expect that NSA will also do EAL5 for Linux for free?
I find it extremely disheartening that our tax dollars go into products, ideas and research that are then turned around and used for the benefit of ONE company (see big drug companies, defense contractors, and certain university professors). That just seems plain "un-american". Here we have a rare exception, our tax dollar going to improve something for ALL americans (and the world too).
Sadly Microsoft is lobbying to shut down the NSA's involvement in free software, claiming that the government is essentially "competing" with them. Somehow our tax dollar going to work securing windows isn't communist according to MS. Just if it also helps someone that ISN'T MS. Let's hope they fail.
In the end, this can only be a good thing for ALL OS designers. It helps them look at how the people that stay awake at night worrying a lot think about security in an operating system.
AngryPeopleRule
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
I guess NSA didn't get the memo -- or the lobbyists -- from SCO telling them that open source software was a security risk and that terrorists could use it to make their own supercomputer.
I distinctly remember reading that NSA stopped development on this project, under pressure from US govt., which was under pressure from Microsoft. So what happened now?
But then again I read that on /., so the authenticity of it is highly questionable.
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
I just want to toss out the notion that the general complaint that slashdot readers don't read the article, and the slashdot effect are mutually exclusive. There were only 8 replies to this thread when I clicked the main article link, and although it wasn't completely slashdotted, it was incredibly slow coming up.
My second comment is really a question: How do we weigh this up against Mr. McBride's letters to congressmen? It seems like they would probably lean on the NSA for advice on what's secure and what's not, rather than the seemed ravings of a madman.
I would also throw out a little pointer that probably one of the major reasons that the NSA is working on the Linux Kernel is simply because they can. I'm almost certain that if they had the ability to tweak security in MS, they would do so.
Kudos to the NSA for sharing it all with us.
Isn't this one of the best things to have happened to linux in the past year? How many operating systems can boast about having ***NSA***-quality security? Whether that's the whole story is another issue: this is marketing pure gold! That line in and of itself would be enough to catch the interest of most managers, I think. This may really kick open the door for Linux moving into the corporate space.
I'll know they're really shadowy figures when they take that 'released' Microsoft code and clean it up and re-release it. :-)
A feeling of having made the same mistake before: Deja Foobar
Isn't this the same NSA that melted down their 3-million-processor crypto computer by fiddling with a "mutations strings" virus?
February 24, 2004
Linux Gets Security Boost from NSA
By Sean Michael Kerner
Most stories about government deployments of Linux involve a distributor helping various federal and municipal agencies install the open source operating system. But in this case, a federal agency is helping Linux.
The U.S. National Security Agency (NSA), also known as the codemakers and codebreakers cryptologic division within the Department of Defense, has helped to harden Linux with newly-released Security Enhanced Linux (SELinux) kernel modifications.
The latest release, which updates the base kernel to 2.6.3 and 2.4.24, contains numerous significant improvements to security in the open source operating system. The SELinux improvements mark a major breakthrough for Linux. Because of the NSA's contributions to the kernel, the new security features will now show up in mainstream distributions of Linux.
"Conditional policies are significant and also networking hooks were added, which makes SElinux all that much more powerful," Joshua Brindle, hardened Gentoo Linux Project Leader and the NSA's SELinux contributor, told internetnews.com.
"They also exported AVC controls to userland to facilitate strong X-based access control and privilege separation," he added.
SELinux was released by the NSA under the GNU GPL open source license. SELinux is essentially a Linux Kernel with a number of utilities that provide enhanced security functionality. But the critical component of SELinux is how it implements and handles mandatory access controls.
"SELinux is important because mandatory access controls are essential to limiting access to daemons and users to only what they need. It also solves the age-old almighty powerful superuser problem in Linux," Gentoo's Brindle told internetnews.com.
"We stress however that it isn't an end-all solution, that it must be combined with additional layers of protection."
Debian, Gentoo and Red Hat Fedora's latest test release of Fedora Core 2 all currently make some use of SELinux. Red Hat also plans to incorporate SELinux into its next Red Hat Enterprise Linux release.
This "marks an important milestone in what enterprises globally feel is an important issue," Red Hat spokesperson Leigh Day said of the SELinux update. "One of the first issues we hear from our customers when talking with them about solution requirements is security," she told internetnews.com. "We're pleased to be working with the NSA to bring SELinux to our distribution. We will incorporate SELinux fully in our next release of RHEL 4."
The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs.
I remember when legal used to mean lawful, now it means some kind of loophole. - Leo Kessler
http://www.nsa.gov/selinux/
Treehugger? Treehugger... Treehugger!
As grande as nachos!
You can say whatever you like about backdoors and the like, but you can be goddamned sure i want some of the brightest minds in this country looking at the code i use as opposed to the dumbfucks that i graduate with that go to work for regular companies. As for the brightest minds? Just take a look at the requirements to work for the NSA vs. Microsoft (and NO, i'm not talking about security requirements).
If the NSA pored over the Windows code and made it secure, well, then you would have big government.
"It required a work force of 384 slaves, 34 slave drivers, 12 engineers, 2 turtle doves, and a partridge in a pear tree. The work was managed by a command team composed of 2345 bureaucrats, 2347 secretaries (at least two of whom could type), 12,256 paper shufflers, 52,469 rubber stampers, 245,193 red tape processors, and nearly one million dead trees."
A feeling of having made the same mistake before: Deja Foobar
Don't be silly. The three industries you mentioned are some of the most heavily subsidized markets in the world.
" We have government spending money on OS now? I think like car-building, airlines and railway, the operating systems should be left to private commercial markets."
The govt. can spend money on product development if it is necessary for govt. functions. In this case, the NSA is extremely motivated to have a secure OS to store their secrets. Rereleasing their mods to the public seems like a way to get more bang out of your tax dollar by letting you use their improvements.
Vote for Pedro
Outsourcing spooks. Yeah, that'll work just spiffy.
KFG
I don't think the US. govt. is allowed to use GPL. Of course, they must honor the gpl for the rest of the linux kernel, however.
Vote for Pedro
i'm sure it can't hold a candle to BarbieOS !!
seeing as even federal government agencies already believe in the GPL.
Apparently, you don't understand the difference between a "page impression" and a "read". Now, here's what the normal slashdot user does:
1) Clicks on link
2) Looks for colorful photos
3) Presses Ctrl-F, then types "screenshots", then Enter
4) Clicks on any links he finds in that context.
5) If he finds nothing, clicks "Back", clicks "Reply", and makes an uninformed comment
Very little reading usually goes on; just viewage of pretty pictures. And, of course, this just makes the slashdot effect worse; text doesn't really hurt webservers as bad as big JPGs. That's why two hours after the posting on slashdot, the site admins are always back online with a text-only version of their site saying something like "I've never seen so much web activity in my life".
There were some selinux related posts on slashdot, consider checking www.rsbac.org too.
RBAC, MAC, ACL, extensible, malware-scan (virus protection on kernel ('access') level), network protection, other methods (FF,...) and whatever you wish
It's not financed by NSA, and not programmed in the US., can you be happier?
Anyhow, don't tell me SeLinux is better because.. it would cause a flame-thread only...
... is the NSA web site running on IIS?
(Yes, yes, I know that the web site will be totally physically separated from the spooks' computers...)
Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
security -> tends to zero as Sum(Idiots) -> tends to infinity.
They spend money on it because they need to use it. I am sure the computer security required by the NSA is not met by most vanilla versions of OSes out there.
the combination of linux being open source plus the legal requirement that all US government employees must release code they develop as public domain results in SElinux.
in other cases it results in a very good statistical test suite being dumped into the public domain.
http://csrc.nist.gov/rng/
.....Microsoft.
Let them continue to believe they can defeat FOSS
A lot of my Gentoo specific comments were taken out of the article so I'll provide them below:
MACs are only the enforcement part, auditing is also very important and sadly something lacking in LSM. We are looking into different auditing schemes to complement SELinux.
Recently we have completely integrated PaX memory protections into the SELinux policy. Unfortunately Redhat's Ingo wrote exec-shield, which he admits provides less protection so most of the SELinux camp is not interested in the work we are doing in this area.
We also provide much tighter policies by default whereas Redhat/Fedora has chosen to make the user domains much less restrictive and 'user-friendly'. This isn't in line with the goals we've cited on our page http://hardened.gentoo.org . While user friendliness is important, taking restrictions away from domains inevitably loosens security.
one of the coolest gov agencies. Think really smart geeks working in secret for the greater good :)
The war with islam is a war on the beast
The war on terror is a war for peace
Anyone know how much of SELinux MITRE contributed?
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
I'd rather pay taxes to support the stability of Linux, than to pay taxes to keep a piece of vulnerable software running any day.
"Instant gratification takes too long." - Carrie Fisher
This is a great thing to add to Linux, but is it secure enough to keep even the FBI out of your sensitive information?
Summary of Changes for SELinux
[classified@classified]
[classified@classified] fix broken (classified) in (classified).c
[classified@classified] changed (classified), added (classified)'s patch to (classified)
[classified@classified] (classified) (classified) with (classified)
Afraid to install SELinux but interested in what it does? The Hardened Gentoo project maintains a SELinux Demo Machine that allows you to ssh in as root. More information here: http://selinux.dev.gentoo.org/
When convenience nears zero, the machine has been dismounted into its smallest components and each component is maintained in a separate safe room at a different geographic location. In the limit, security is infinite when the machine being secured does not exist anymore and cannot be re-assembled - ie, it has been reduced to its original atoms and those were scattered in different places.
Ken Thompson's compiler hack
KFG
Just what 100% commercial private railway did you have in mind?
Almost all railways are national interests, including passenger service in the United States. Only _very_ recently has privatization become fashionable for railservice and it is usually marked by miserable failure. Take Britain where it was suggested that they basically dump British rail north of Manchester because there's no profit in servicing BFE. That's the point of state-owned services. The state will not dump a region simply because it isn't making a buck and the service is more important than profit.
The vast majority of airlines are state-sponsored (outside the U.S., that is) and vary from states as majority stakeholders to 100% state-ownership. American carriers being privately held is more the exception to the rule.
If not for massive government investment, international travel would still resemble an Indiana Jones plot line.
Come on, out of all the contributions to the Linux kernel, don't you think that the ones that the NSA contribute are of the MOST audited??
I know it's a joke, but come on. That's like saying "Oh, here's the blueprints to my house, with 200% more SECRET PASSAGEWAYS to my nuclear reactor!"
It is pitch black. You are likely to be eaten by a grue.
The government had always spent money in infrastructure, either directly or indirectly. The examples you choose illustrate this point.
Cars-building would not be so lucrative if there were not good roads. The government pays for these. In addition, most factories are now subsidized by tax incentives. We would probably have almost no cars built in this country if local and federal authorities did not pay the manufacturers to locate here.
In the early days airlines made their profits delivering mail. It was a while before they were independent. Also, airports are generally built and heavily subsidized by local and federal money.
It is my understanding that the railroads were given land. They wanted to own the rails so they built them, with immigrant labor, externalizing a number of costs related to said labor. Lately the rail lines have been complaining that they have to pay for maintenance of the rails while the government pays for the airports. The difference is that the rail didn't want to share. Of course, the government spends huge amounts of money subsidizing the rail lines. Which is good because for many things rail is more efficient than road or air. The rail people later used their exclusive use of the right-of-way to develop long distance telephone service, another thing that would not exist with heavy government support.
Operating systems are infrastructure. It is proper that the government helps to make sure that this important business tool is suitable. The government has always subsidized the development of these technologies through research grants, not to mention the computer time that Gates and co. originally took from university computers. On a higher level, some analysts think much of the profit MS generates is due to specific tax breaks they have been given.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
The problem with this is that it requires one to distribute binaries. There has to be a compromised binary compiler for this to work. The NSA isn't shipping any binaries; it's all source code.
Unless gcc was compromised a long time ago, this isn't likely to become a widespread problem.
No. They don't need to use it and they admit that it only addresses a small part of the needed security policy. It's just a research project. In fact, without installing custom software, it won't even meet a fraction of the NISPOM, Chapter 8 requirements. The only system you'll see NSA "endorse" on government projects is Trusted Solaris. It doesn't get any more anal than that OE. Every aspect of a user's profile (access rights, etc.) is controlled. Indeed, the root user is nobody special.
If you've never setup a TSol box, consider yourself lucky. Of course, if you've ever setup TSol correctly the first time, consider buying lottery tickets because the odds are about the same.
Absolutely. My part in this thread began with a joke.
KFG
And i guess that the NSA has no motives of their own in probing linux security and getting the assistance of contributing coders given that a number of foreign governments (china, etc) are moving towards adopting linux in secure environments. Anyone have any thoughts about the ethical issues of contributing code to a government agency like the NSA? Putting on my tin-foil-hat Paco
Only... The US government did NOT develop SELinux. A company named Secure Computing was contracted by the NSA to add aspects of their SecureOS (which runs their Sidewinder firewalls) to Linux.
SELinux has been going on for four years now. Moreover, the NSA doesn't certify this as some sort of bulletproof linux, it mostly just adds access controls (I'm guessing aka ACLs). Since nobody's been dumb enough to run around marketing the NSA's involvement and SELinux it really hasn't caught on much. Bandying about that the NSA has somehow "approved" of this kernel would likely result in a very pissed off NSA. Nobody, not even marketing, dicks with the NSA.
I Browse at +4 Flamebait
Open Source Sysadmin
NSA is a great organization. Could be worse. You could be in the USAF where you have to consume mass quantities of MS Windows stuff, for almost everything. Some days I think MS owns part of USAF.
Some services are harder to set up, because the permission issues get in the way, especially if they expect to have an all-powerful root doing the work for them, or if the application does lots of work to secure themselves (chroot jails, etc.), but most applications aren't affected much. Anything that does much with Setuid() can expect a radically different environment underneath.
The big security win is that you can define different security compartments, including one or more for the operating system itself, and applications can only read from lower-security-level compartments, not write to them. This means that even if somebody finds an egregious buffer overflow bug in your email client, and uses it to mail your precious files to kgbvax.dhs.gov, they still can't use that to r00t your machine, and it's very hard for them to accomplish much by leaving Trojan Horse files around in your home directory because root usually isn't allowed to read them without you explicitly authorizing them.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
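The "read from lower levels, never write to them" rule described in the comment above can be modelled in a few lines. This is an added example, not part of the original post and not SELinux code or policy: it is a Bell-LaPadula-style label check, and the levels, compartments, subjects and paths are all constructed for illustration.

```python
"""Added illustration of a 'read down, never write down' label check.

Not SELinux code: a Bell-LaPadula-style model with constructed labels and paths.
"""
from dataclasses import dataclass

SYSTEM, USER = 0, 1  # hypothetical sensitivity levels, lowest first


@dataclass(frozen=True)
class Label:
    level: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high and covers every compartment."""
        return (self.level >= other.level
                and self.compartments >= other.compartments)


def may_read(subject: Label, obj: Label) -> bool:
    # No read up: the subject's label must dominate the object's.
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    # No write down: the object's label must dominate the subject's.
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, action: str) -> str:
    check = {"read": may_read, "write": may_write}[action]
    return "allow" if check(subject, obj) else "deny"


# Constructed subjects and objects for the scenario in the comment.
SUBJECTS = {
    "mail_client": Label(USER, frozenset({"bill"})),  # runs in bill's compartment
    "root_daemon": Label(SYSTEM),                     # root is nobody special here
}
OBJECTS = {
    "/etc/passwd": Label(SYSTEM),
    "/home/bill/secrets.txt": Label(USER, frozenset({"bill"})),
    "/home/alice/notes.txt": Label(USER, frozenset({"alice"})),
}

# Constructed access requests, e.g. from a mail client that has been exploited.
REQUESTS = [
    ("mail_client", "read", "/etc/passwd"),              # read down
    ("mail_client", "write", "/etc/passwd"),             # write down
    ("mail_client", "read", "/home/bill/secrets.txt"),   # same label
    ("mail_client", "read", "/home/alice/notes.txt"),    # other compartment
    ("root_daemon", "read", "/home/bill/secrets.txt"),   # read up
    ("root_daemon", "write", "/home/bill/secrets.txt"),  # write up (blind write)
]


def audit(requests=REQUESTS):
    """Return (subject, action, object, decision) for each request."""
    return [
        (s, a, o, decide(SUBJECTS[s], OBJECTS[o], a))
        for s, a, o in requests
    ]


if __name__ == "__main__":
    for subject, action, obj, decision in audit():
        print(f"{decision:5}  {subject:11} {action:5} {obj}")
```

The compromised mail client can still read the user's own files, which matches the comment's point that the exploit can leak data but cannot modify the system compartment.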
Man, to think Mr. Gates has to spend company money to secure his OS, whereas Linux users (in the U.S.) just need to pay their taxes to get an extra secure system.
And at least for me, knowing that the NSA is using Fedora Core 2 as a development platform makes me more likely to use it than other distros (although admittedly I already had a liking for Fedora Core from the get go). Perhaps it's stupid to let a thing like that sway me, but it definitely adds to a conversation...
Friend: Linux? Huh?
Me: Ya, it's an OS that even has the NSA making security patches for it too.
Friend: Nice. But does it play my games?
Me: Doh!
Not trying to be a dittohead, just trying to underscore a well-constructed point.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
...are among other research projects paid for by government money. Don't tell me that those things would be better developed by private industry.
That's like saying we would be better off with 5 different (and incompatible) digital TV standards.
most people go on slashdot for one of two purposes... to read an interesting article, or to look for a place to dispense their opinion.
Only a small minority of slashdotters do both tasks (and necessarily in that order!)
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
SCO vs. NSA
Day 1: Darl announces SCO will be suing the NSA
Day 2: Darl is missing and the SCO headquarters has mysteriously been hit by a US nuke.
OK, Darl says that Linux is a threat to National Security, but the NSA who is responsible for National Security contributes to Linux.... Therefore logic says that Linux is good for National Security. But Microsoft says that they are more secure than Linux. Who's on first, what's on second...
Yeeow! Nothing like a paradigm shift without using the clutch!
For about a year, NSA stopped talking about SELinux. Then one day there was an announcement in the Linux kernel mailing list that SELinux had been updated to the current kernel version and was becoming part of the mainstream kernel.
Now it's mainstream.
I'll leave all the assumptions of motive to those who will pretend they know, but won't this be a sticking point to adoption in countries who are looking for security and may not be trusting of our government or our NSA? While the changes are GPL'd and therefore must disclose source code, read back up the page if you don't think the NSA has something close to mythical stature in many eyes. Tin foil hats aside, appearances matter, especially to bureaucracies where (wonder of wonders) there may be a chance of someone making high-level decisions without reviewing millions of lines of source code first. Before flaming, note that my hymnal comes from your church. This is merely a discussion point.
If my memory serves me correctly, didn't they stop developing their Linux tree a year or two ago? Because of some stupid ruling at political level, IIRC?
Please correct me if I'm wrong, as I can't remember. I'm happy to see them continue, as it now seems.
Just what 100% commercial private railway did you have in mind? [...] Only _very_ recently has privatization become fashionable for railservice and it is usually marked by miserable failure.
I'm afraid you have your facts backwards. The private north american rail business was booming in the early 20th century, until government stepped in with regulation. Then the multiple competing railways were reduced to a few entrenched monopolies, to everyone's detriment. Your other statements are also flawed, though I don't have time for the necessary lengthy explanation at the moment.
Higher Logics: where programming meets science.
I have had numerous occasions to work with folks from NSA, NIMA (now GIA), DSS and others on projects. Despite the Hollywood induced perception that the GP has of them, they are normal guys like you and I that are: 1.) Just REALLY good at what they do, and 2.) Will do it for less money than they could in the private sector because they feel a patriotic duty to do so. Back doors...? Give me a break guys, it's Open Source for Pete's sake. You don't think the guys maintaining the kernel have a looksee?
What a cop-out. "I don't have time." Please. If you have an argument, make it. If you can't be bothered to come up with one, don't pretend to have one.
National airlines only started privatizing in the late 1980s and they still aren't remotely divested enough to consider them anything but highly subsidized. There is no "flaw" in that argument--BECAUSE THERE'S NO ARGUMENT! It's a statement of fact.
Passenger rail died in the United States largely due to the automobile industry and the availability of air travel--the same reason the trans-atlantic oceanliners died off as a mode of transport. Government intervention, which created Amtrak in 1971, was designed to SAVE rail travel, not destroy it. It isn't profitable and would not exist today but for massive subsidy.
The SE Linux mailing list is a good place to ask questions about it, see http://www.nsa.gov/selinux/ for the details.
Also see #selinux on irc.freenode.net.
Then you can discuss it with the people who are involved in SE Linux development.
SE Linux has been going for a long time, I've been working on it for almost three years, and I wasn't involved at the start.
The NSA gets some significant benefits from releasing the code under the GPL. See the list of non-NSA contributors for a list of the work that was done for free by the community instead of having to be paid for by the NSA.
Russell Coker
Cars-building would not be so lucrative if there were not good roads. The government pays for these.
The road system is not a subsidized industry. How is a gas tax a subsidy? The gas taxes take in more than is spent on roads. Driving cars subsidizes other industries. If you include environmental costs, you would have a point.
You are right about that. I think that's generally what people complain about too; there are those who wish the groups intersected more. Preferably, people would like to read and write, in that order.
However, even of those people who you claim would like to "read an interesting article," I still contend that the first four steps are usually followed. Of those people who don't post, the majority are still looking for pretty pictures. That's why sites like kde-look.org are so popular. That's also why almost any OSS software nowadays includes a screenshots section in their website.
I think we must assume that western governments have that capability already. How do you think they would have accomplished it? At the hardware level? How do any of us really know what's inside those chips?
Your crazy theories are interesting.
It indeed would be quite an elegant way to do it - at the hardware level - but I'm not sure how it could be done so that it is exploitable. I mean, they don't know what software will run on the chip, so what kind of hardware "backdoor" would they need...? Predictable random-number generator for weaker encryption? But wouldn't that be detectable. So would something that modifies the files written on your hard-drive.
Care to elaborate on your theory?
Treehugger? Treehugger... Treehugger!
*Meep* Wrong!
There are several ways to implement a backdoor, and many of them are practically invisible. There is no need at all to open a port and handle incoming traffic (which would be very obvious). Instead if you want to implement a backdoor you could just leave some input-parameters of a service unchecked so it can be exploited by a buffer overflow. If anyone notices this flaw later you can still say "Ooops... but hey, everyone makes mistakes. I'll just fix it..."
I know that buffer-overflows are not a good example since they are not easily exploitable in SE-Linux anymore (iirc). But the basic concept remains still applicable.
Maybe that's the reason a big Company like MS takes so long to correct some very simple bugs, like the one about BMP-files in IE (http://xforce.iss.net/xforce/xfdb/15210). As soon as they fixed all their bugs they would be forced to release a new Windows-Version with new backdoors^d^d^d^d^d^dvulnerabilities.
Who guarantees that MS really didn't know about some of the bugs initially and they didn't just provide a list to NSA?
regards,
q.kontinuum
Trolling is a art!
F*ck! The tinfoilhat-tags around "Maybe that's" and "NSA?" are not shown. Should have used the preview...
Trolling is a art!
Personally, I would love to see SCO demanding money from the NSA for a linux license =) This should get rid of the SCO problem really fast ;-))
Passenger rail died in the United States largely due to the automobile industry and the availability of air travel--the same reason the trans-atlantic oceanliners died off as a mode of transport.
I can certainly vouch for that. I recently had to make a 600+ mile trip (with one other person), and I had the following options:
1. Drive - estimated cost of $450 based on Federal Mileage Deduction. Expect to arrive really tired and hope not to drive off the road at some point. On the other hand, little dependency on outside schedules.
2. Fly - cost of $600. Hope that flight isn't too underloaded and gets canceled, hope that there are no major delays, hope that luggage makes it, etc...
3. Train - cost of about $600 also. Expect to arrive fairly tired since it takes as long as driving. Also - need to take a bus for last leg since no train runs anywhere near the destination. Hope that there are no externally-imposed delays.
4. Bus - dirt cheap - $200. Expect to take an extra two vacation days due to LARGE travel time. Expect to meet lots of interesting people. Hope that there are no delays.
Of all of these the only two really competitive options were #1 and #2. In cases where train travel was actually practical (a train actually went to the destination), it was often just as expensive as airfare. Granted, service on a train is probably better, but on the other hand travel time is at least twice as long. I'd rather spend three hours in economy than 9 hours in first class. Bus would take about 24 hours for the same trip.
Rail makes a lot of sense for shipping cargo - if I wanted to get 1000 cars from point A to point B I'd load them up on a train. However, to get one car from point A to point B it is probably cheaper to drive it there. And forget the auto-train unless you're going to Florida for the whole winter - it is cheaper to just fly and rent a car.
Everyone's saying how easy it is to put back doors in and keep them invisible. That's not really the point. MS always talked about security through obfuscation, one of the supposed advantages of keeping source code to themselves. But the real truth is, it places the power to corrupt in the hands of a few, and that is a problem. It's a problem because what if people did build back doors into Windows source? How would anyone know, regardless of how obvious they were? What if the source gets out (as it recently did)?
But the real issue is: what if someone finds a security hole that looks a lot more like an intentional back door than a mistake? With Windows, what are the chances anyone'd be able to prove that without the source? There'd always be doubters no matter how tight the case. On the other hand, with the code the NSA just released, if anyone were to find an obvious back door--even what looked like an intentionally sloppy hole--how do you suppose that would play for the most secretive, shadowy government organization?
The right answer is: not too well. The good thing about open source is that it invites you to try this kind of subterfuge, but it forces you to stake your credibility on that gamble. With all the propeller heads and tinfoil hats floating around the linux community, that's a pretty bad bet. And you know what, I'm allowed to say this only because there's such a large contingent of linux people that will read this argument and not believe it's enough to keep linux secure. There's a lot that will say, sure that's a fine and dandy argument, but I prefer to check it out for myself. And it's exactly this disagreement, this marketplace of conflicting ideas, that makes my statement above true...because these are exactly the same people that would expose these back doors.
It's like -1 trying to make itself more negative by multiplying itself by another -1. Wait a minute...it's not like that at all.
sev
but have you considered the following argument: shut up.
Actually, it would be undoable, for the simple reason that each software generates its random numbers in a different way; there's no hardware random-number generator, although hardware timing is AFAIK used in random-number seeding under Linux and possibly other systems.
Yes, I would notice it by the time I tried to use a file system newer than the hardware it was running on, when that old hardware would manage to corrupt the filesystem because of its mistaken assumptions of how the data is represented.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Is this the primary difference?
Is this why all the extra policies?
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
Can anyone comment on how well (or poorly) Medusa DS9 Security System compares with SELinux?
Would that be anything that's NOT part of the government? Or maybe anything that's not part of the NSA like the FBI or the CIA?
-------- In Soviet Russia, "Soviet Russia" sigs hate Slashdot.
Do they offer indemnification against rabid companies? No?
Ooooh, they must be insecure about their release.
Try going 3000 miles. On Amtrak, a trip from Los Angeles to Washington, DC costs $208 ONE WAY, which is exactly the same price as a direct, ROUND TRIP flight on Jet Blue. However, it takes about four hours on Jet Blue compared to eighty six hours on Amtrak. Do you really want to sit in a coach seat for eighty six hours? Probably not. Ok, so add a bedroom for the first half. Now it's $538--ONE WAY. Seriously, $330 for a fold-down bed and an aluminum toilet? I spent three days at the Washington Mayflower for that price. Are they joking? Want to get home? Now it's $1,076 for 172 hours on the train as opposed to $200 for eight hours on a jet, so in a way the jet is four times as expensive as the train. It's just the train is 2200% slower.
NAAAAAH, it was a government conspiracy that killed rail travel... riiiiight.
Karma: Contrapositive