Slashdot Mirror


NSA Releases Security-Enhanced Android

An anonymous reader writes with the recent news that, in line with its goal to provide secure phones to government employees in various domains, "The NSA has released a set of security enhancements to Android. These appear to be based on SELinux, which was also originally created by the NSA."

81 comments

  1. Enhancement, from the NSA? by sethstorm · · Score: 1, Troll

    Another platform, more backdoors?

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
    1. Re:Enhancement, from the NSA? by pushing-robot · · Score: 5, Funny

      One source said it has twice as many backdoors as SELinux. Another source said ten times as many.

      I think they're both correct.

      --
      How can I believe you when you tell me what I don't want to hear?
    2. Re:Enhancement, from the NSA? by Baloroth · · Score: 5, Insightful

      SELinux Android is OSS, same as SELinux. Look at the code yourself if you are convinced there are backdoors. That is part of the point of OSS after all.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    3. Re:Enhancement, from the NSA? by Anonymous Coward · · Score: 0, Insightful

      Don't you believe that the NSA could obfuscate a backdoor good enough that the average person couldn't detect it when looking at the code?
      Wait - the average person couldn't detect anything when looking at the code, obfuscated or not.

    4. Re:Enhancement, from the NSA? by Anonymous Coward · · Score: 0

      The average person? Yes. But the NSA can't beat the internet. If you don't think it's safe just wait a month, there's enough high-level security analysts out there who _will_ take it apart and check for backdoors, and a good percentage of them would be the type to scream foul if they find something. If nobody finds anything within a month (or two, if you're paranoid) just consider it good.

    5. Re:Enhancement, from the NSA? by Feyshtey · · Score: 1

      Probably true, .. but source?

      --
      "But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
    6. Re:Enhancement, from the NSA? by Anonymous Coward · · Score: 0

      Secure == real-time updates of all activity

      in the same way Good is Evil to the Devil

    7. Re:Enhancement, from the NSA? by Nerdfest · · Score: 1

      I'm just amazed to see an Android story without a first post by Bonch or one of his ilk.

    8. Re:Enhancement, from the NSA? by Anonymous Coward · · Score: 0

      It would be small contractors that are used as a proxy for government influence. That is generally the way it has been done in the past, like with the attempts on OpenBSD from NETSEC (http://www.linuxjournal.com/content/allegations-openbsd-backdoors-may-be-true). Having small companies helps defuse the legal risks that would otherwise be present with a high-profile government contractor or sub-contractor.

    9. Re:Enhancement, from the NSA? by Anonymous Coward · · Score: 0

      That must mean that neither has any backdoors.

      2 * 0 = 10 * 0 = 0

    10. Re:Enhancement, from the NSA? by Anonymous Coward · · Score: 1

      One source said it has twice as many backdoors as SELinux. Another source said ten times as many.

      I think they're both correct.

      Wait, if it has both twice as many backdoors as SELinux and ten times as many, wouldn't that imply both have zero backdoors?

    11. Re:Enhancement, from the NSA? by mathimus1863 · · Score: 5, Informative

      Have you ever heard of the Underhanded C Contest? You get points for making the code exhibit some kind of backdoor, extra points for the more it looks like it could've been an innocent mistake (for instance, code where using a less-than-or-equal-to operator instead of less-than operator actually opens up an obscure security hole, and it's a mistake programmers make all the time).

      I recommend you look at some of the examples of winning entries. It's amazing what these people have come up with. No number of eyes will find it. Simply put, even if it's a popular open-source project, thousands of eyes are likely to miss a well-placed backdoor like these. And if anyone is capable of doing it, the NSA certainly is.

      Still don't believe me? How about the OpenSSH PRNG flaw that went unnoticed for two years, despite being used in servers all over the world. It was due to someone removing what appeared to be a useless line of code, but that code was actually adding some necessary extra entropy to the random number generator. It might've been an accident, or malicious. But the point is it happened, and on a high-profile project.

    12. Re:Enhancement, from the NSA? by Anonymous Coward · · Score: 0

      ...not sure if serious.

    13. Re:Enhancement, from the NSA? by Darkness404 · · Score: 3, Interesting

      You can't be 100% secure, 100% of the time. There will /always/ be a weak link. Be it a backdoor or a security flaw. The goal is to manage your risks. Using security enhanced Android (after about a good month for security researchers to look at the code) is unlikely to introduce any more government-imposed security risks than simply being in the US and its tyrannical laws (PATRIOT Act, CALEA, etc.). Chances are, SEA is going to be more secure than the patched together stock Android system.

      Of course they can hide a backdoor in it. But why bother when they already have nearly unlimited powers due to the PATRIOT act, have many corporations that will bend over backwards for the police state, and laws like CALEA.

      --
      Taxation is legalized theft, no more, no less.
    14. Re:Enhancement, from the NSA? by Anonymous Coward · · Score: 5, Insightful

      Capable? Yes. The NSA hires geniuses. But so do foreign nations, various companies, and universities. If we're going to indulge in an encomium of the extraordinary competence of the NSA, though, the most honest praise would be for an NSA imagined as most likely trying to provide genuine security with this effort, not backdoors, which open up the possibility of breaches or discovery.

      Consider the NSA's purpose in making a secure version of Android: it's a system built by geniuses to be operated, in the end, by idiots, who are targeted for attack by other geniuses. From the NSA's perspective, there are two opponents: the brilliant Enemy and the Friendly moron. Leaving a backdoor, however well-obfuscated, provides the brilliant Enemy with an avenue for taking advantage of the Friendly moron who violates security procedures for his ill-conceived convenience. Backdoors allow breaches, and the NSA has to be smart enough to know that there are enough geniuses out there working for the other side(s) to find one and exploit it.

      Consider also the fallout if a backdoor were to be discovered in the NSA's source code. Geniuses will be reading this code, if for no other reason than because it demonstrates the NSA's thinking. If someone found a backdoor and, instead of exploiting it or selling it to exploiters, decided to publicize it as an example of a purposeful NSA backdoor, the NSA would lose immense credibility. What kind of turf and funding wars would they face then, if the rest of the government agencies lost trust in them? Would the much-vaunted geniuses of the NSA consider that risk acceptable?

      It's in the NSA's interest not to introduce even well-obfuscated backdoors in this product. It is in their interest to have such facilities available in consumer-grade products and exports, and God only knows what's baked into the phone companies' customized builds that they've compiled and installed onto a consumer-grade phone. It is not, however, useful to them to have such access in source code that is publicly available to be read by people looking for problems or compiled by people smart enough to know what they're doing.

      If the NSA really is as smart as we'd all like to believe, they'll make this an honest, open, secure product without backdoors or traps. They'll make a product that will solidify their place in the government funding arena as the authority in hardened security.

    15. Re:Enhancement, from the NSA? by aintnostranger · · Score: 1

      As others have said, the internet has many "non average" users. Besides, what is this myth about the "NSA superpowers"?? I mean, the people that work there and code there are human beings that went to the same colleges as everyone else. Not only that, but the internet is bigger than the US. If there's one superpower US agencies have that is money.

    16. Re:Enhancement, from the NSA? by dgatwood · · Score: 4, Insightful

      But the NSA can't beat the internet.

      You're joking, right? Do you honestly think that, if someone were injecting a flaw, they would inject a flaw that was readily discoverable? No. Of course not. They'd introduce some minuscule mistake in some random number generator that makes the result no longer be quite uniformly distributed in such a way that the error is only detectable by performing thousands of calls and doing heavy math on them, thus enabling a side channel attack on the randomly generated symmetric keys used for SSL or some such.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    17. Re:Enhancement, from the NSA? by justforgetme · · Score: 4, Funny

      While I don't necessarily disagree with your premise; could I interest you in one of my new security enhanced tinfoil hats?

      --
      -- no sig today
    18. Re:Enhancement, from the NSA? by FormOfActionBanana · · Score: 1

      Having done a little tinkering in this area myself, trust me. The Internet is not working very hard on this.

      --
      Take off every 'sig' !!
    19. Re:Enhancement, from the NSA? by justforgetme · · Score: 3, Interesting

      while mainly correct, your proposition ignores the fact that in programming you have a lot of plausible deniability in form of the programming mistake. A wrongly placed comparison or wrongly compiled regexp can have huge side effects while looking like little mistypes even a good albeit tired dev would make. Now think that by implanting such a small discrepancy into a big project you could do very many things without being ever detected. Also the side effects of such a behavior are very difficult to follow in a big project making the possibilities of it being forcibly discovered ridiculous since you would have to follow every reroute into oblivion before being sure there are not deliberate side effects.

      --
      -- no sig today
    20. Re:Enhancement, from the NSA? by justforgetme · · Score: 1

      BTW the UCC hasn't been updated in two years? The last contest post is from early 2010 and there is no winners announcement.

      --
      -- no sig today
    21. Re:Enhancement, from the NSA? by hairyfeet · · Score: 1

      Oh please! That many eyes bullshit was proven to be just that, bullshit, or did you forget the KDELook bug? That one lasted 6 months. The Quake 3 malware? Lasted on the repo for a YEAR AND A HALF. The ONLY way the "many eye" theory would work is if you had many eyes of the appropriate skill level but as those and many other examples prove you do NOT have eyes of the appropriate skill actually looking at the majority of the code. Hell I'd bet my last dollar that at least a quarter of the code that makes up ANY average distro is ONLY looked at by the ones who wrote the thing in the first place. Now if the NSA went to one of them with a big fat check you don't think they'd take it? those guys at NETSEC were working with OpenBSD for FOUR YEARS and nobody caught on, if the one hadn't talked after his NDA ran out they'd have probably never known!

      Remember friends just because you HAVE the ability does NOT mean that the ability has been used. How many here have looked at the code in your distro of choice networking stack? how many here have the skill to explain what each line is calling and what EXACTLY its doing? thought so, just because someone CAN doesn't mean someone HAS.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    22. Re:Enhancement, from the NSA? by arose · · Score: 1

      If you are afraid of the NSA planting that kind of backdoor, then why would you be concerned about the obvious source (NSA code contributions), one that sees minority usage and extra scrutiny from security folks (being security code) no less? The smart way is to plant an individual into the dev community of a universally, gain trust, then plant it through them.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    23. Re:Enhancement, from the NSA? by Anonymous Coward · · Score: 0

      hey i like your spiel friend, but you don't cite a single thing.

      On top of that, what credibility would be destroyed en masse on all sides if the NSA left a backdoor in the open - F/OSS would be hurt, the NSA would be hurt and proprietary software would be hurt. We would all be had for fools - 'we' the smart people of computer land.

    24. Re:Enhancement, from the NSA? by VortexCortex · · Score: 2

      The politically correct term is: "Magnetically Shielded Helm" or "Induction Resistant Headwear", never "tinfoil hats"...

      ...we stopped using "tinfoil hats" when the government had all of the household construction materials replaced with useless aluminum foil.

    25. Re:Enhancement, from the NSA? by Anonymous Coward · · Score: 0

      'ten' != 10b. Obviously, you do not speak binary either.

    26. Re:Enhancement, from the NSA? by Anonymous Coward · · Score: 1

      Learn to read. Nobody said "ten", decimal "2" is represented in binary as "10".

      Obviously you don't understand binary or English.

    27. Re:Enhancement, from the NSA? by GameboyRMH · · Score: 1

      If this app has its own RNG algorithm in it I'd say that's a pretty big red flag already.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    28. Re:Enhancement, from the NSA? by K.+S.+Kyosuke · · Score: 1

      Nobody said "ten", decimal "2" is represented in binary as "10".

      Nobody said "ten", but the OP wrote "ten", if you really insist on being pernickety.

      --
      Ezekiel 23:20
    29. Re:Enhancement, from the NSA? by Anonymous Coward · · Score: 0

      Merely looking at such code isn't sufficient to identify introduced faults. Doing a thorough audit, with something as simple as diff -u, on the other hand, catches the class of faults introduced in source.

      Audits of source code will not catch Trojans in compilers, as described in Ken Thompson's Reflections on Trusting Trust, but if we diff the compiler binaries, the auditor will catch the change.

      Therefore one can confirm a high degree of security if one invests a good chunk of work.

      I won't speculate on the NSA, but back in the day when Sun still existed, we had this debate about Trusted Solaris, and the professional paranoids were horrified at the thought of leaving a backdoor that someone else could use. The amateur paranoids thought it would be a fine idea (;-))

      dave (a semi-professional paranoid, back in my Sun days) c-b

    30. Re:Enhancement, from the NSA? by Anonymous Coward · · Score: 0

      WHOOSH

    31. Re:Enhancement, from the NSA? by Anonymous Coward · · Score: 0

      2*0 = 10*0 = 0

    32. Re:Enhancement, from the NSA? by julesh · · Score: 0

      your proposition ignores the fact that in programming you have a lot of plausible deniability in form of the programming mistake

      You do. I do. The NSA don't. Seriously -- if you heard there was a "bug" in NSA-provided code that effectively allowed back door access to people's phones, would you consider for more than a couple of seconds the possibility that it was accidental?

    33. Re:Enhancement, from the NSA? by IAmR007 · · Score: 1

      The NSA develops things like SELinux for its own use, not out of charity. Putting an intentional flaw in SELinux would open up back doors into their systems as well. Something tells me an intelligence agency wouldn't allow anyone clever enough to spot their flaw to access their systems, which might contain classified information.

    34. Re:Enhancement, from the NSA? by justforgetme · · Score: 2

      You kind of have to at least acknowledge the fact that somebody could just have screwed up, it still is just "sacks of mostly water" that write those programs. That, of course, if you aren't pathologically paranoid.

      --
      -- no sig today
    35. Re:Enhancement, from the NSA? by formfeed · · Score: 1

      While I don't necessarily disagree with your premise; could I interest you in one of my new security enhanced tinfoil hats?

      Don't be silly. We all know you can't trust a tinfoil hat unless you folded it yourself from source.

    36. Re:Enhancement, from the NSA? by evilviper · · Score: 1

      Still don't believe me? How about the OpenSSH PRNG flaw that went unnoticed for two years, despite being used in servers all over the world.

      No such thing... You probably meant OpenSSL, but I doubt a typo made you omit the fact that this was ONLY in the Debian packages of it, and worse, they were warned the patch was a terrible idea and ignored the advice.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    37. Re:Enhancement, from the NSA? by damium · · Score: 1

      The algorithms for RNGs are quite simple and hardly easy to program in a flaw that would survive a review at that level. Entropy gathering, that's more complex but entropy is usually assumed to be non-uniform so we have some nice simple methods for converting it to be uniform. Also non-uniform RNGs would be detected in scientific work rather quickly and it's quite easy to test for statistical flaws by making a few hundred thousand random numbers.

      Now, some package maintainer commenting out the line in OpenSSH that actually makes the numbers random, that could be a while...

    38. Re:Enhancement, from the NSA? by swalve · · Score: 1

      I agree. I think they are more worried about keeping their shit secret than they are getting into other people's stuff.

    39. Re:Enhancement, from the NSA? by dgatwood · · Score: 1

      You'd think this would be detected rather quickly. Unfortunately, history disagrees with you. It took almost two years. And this one wasn't even deliberately obfuscated by anyone.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    40. Re:Enhancement, from the NSA? by cduffy · · Score: 1

      *sigh*. Think about it for a moment. For which values of x is it true that 2x == 10x?

    41. Re:Enhancement, from the NSA? by damium · · Score: 1

      That was the incident I was referring to. In that case valgrind points it out rightfully as uninitialized memory, a patch to initialize it was reviewed by the OpenSSL team in 2003 and rejected with the stated reason that the PRNG used the uninitialized data as part of the entropy (they even have an FAQ entry for it). The Debian maintainer for OpenSSL proceeded to patch the code in their build script later in 2006 by actually removing the call to the function! So in this case the bad patch wasn't reviewed by anyone who was familiar enough with the code to see the error (I couldn't find any place where the maintainer tried to send the patch upstream), that is why the bug was only on Debian based systems. Most of the people reviewing OpenSSL/OpenSSH were reviewing the source tree not the internal Debian patches.

      On PRNGs: I've only coded PRNGs for my algorithms class years ago and only 1 of 3 algorithms was required to gather entropy so I wouldn't consider myself an expert on the topic. I do recall the math being exceedingly simple however, no more than a few lines of code for the sequence generator itself (most of the work in the assignment was verifying the random distribution). I would doubt that one could hide a flaw in one from eyes that knew the algorithm properly. This is of course the main flaw with the many eyes claim - It's not the number of eyes that matter but rather the quality of the eyes (more eyes just increases the chance for quality).
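Added example, not part of any comment in this thread and not OpenSSL or Debian code: a toy check of the two claims debated above, that a distribution flaw shows up in a chi-square test once enough samples are drawn, and that a generator seeded from too little entropy still passes that test. The generator (SplitMix64), the function names, the 1-in-32 bias and the 32768-value PID seed space are assumptions chosen for illustration; the PID-only seed models what the Debian patch left behind.

```c
/* Added example: toy generator and made-up names, not OpenSSL or Debian code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* With 255 degrees of freedom, uniform data exceeds ~330 only 0.1% of the
   time; 400 leaves a wide margin against false alarms. */
#define CHI2_LIMIT 400.0

/* SplitMix64, a small public-domain mixer, stands in for "the PRNG". */
static uint64_t splitmix64(uint64_t *state) {
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Sound output stage: the low 8 bits of each 64-bit output. */
unsigned good_byte(uint64_t *s) {
    return (unsigned)(splitmix64(s) & 0xFF);
}

/* Constructed distribution flaw: on about 1 call in 32 the low bit is
   cleared, so even byte values come out slightly too often. */
unsigned biased_byte(uint64_t *s) {
    uint64_t r = splitmix64(s);
    unsigned b = (unsigned)(r & 0xFF);
    if (((r >> 8) & 31) == 0)
        b &= ~1u;
    return b;
}

/* Pearson chi-square statistic over 256 byte buckets for n samples. */
double chi_square(unsigned (*next)(uint64_t *), uint64_t seed, long n) {
    long counts[256] = {0};
    uint64_t state = seed;
    for (long i = 0; i < n; i++)
        counts[next(&state) & 0xFF]++;
    double expected = (double)n / 256.0, chi = 0.0;
    for (int b = 0; b < 256; b++) {
        double d = (double)counts[b] - expected;
        chi += d * d / expected;
    }
    return chi;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Simulate `launches` process starts in which the PID (wrapping at pid_max)
   is the only seed input, take the first 64-bit output of each as the
   "key", and return how many distinct keys were produced. */
long distinct_keys(long launches, long pid_max) {
    uint64_t *keys = malloc((size_t)launches * sizeof *keys);
    if (!keys)
        return -1;
    for (long i = 0; i < launches; i++) {
        uint64_t state = (uint64_t)(i % pid_max);
        keys[i] = splitmix64(&state);
    }
    qsort(keys, (size_t)launches, sizeof *keys, cmp_u64);
    long distinct = launches > 0 ? 1 : 0;
    for (long i = 1; i < launches; i++)
        if (keys[i] != keys[i - 1])
            distinct++;
    free(keys);
    return distinct;
}

int main(void) {
    uint64_t pid_seed = 1234; /* constructed sample: a PID-sized seed */
    printf("PID-seeded stream, 1e6 samples: chi2 = %.1f (limit %.0f)\n",
           chi_square(good_byte, pid_seed, 1000000L), CHI2_LIMIT);
    printf("biased stream,     1e4 samples: chi2 = %.1f\n",
           chi_square(biased_byte, pid_seed, 10000L));
    printf("biased stream,     1e6 samples: chi2 = %.1f\n",
           chi_square(biased_byte, pid_seed, 1000000L));
    printf("distinct keys over 100000 launches: %ld\n",
           distinct_keys(100000L, 32768L));
    return 0;
}
```

The PID-seeded stream looks uniform at any sample size; only counting distinct keys across launches exposes it, which is a different audit from the distribution test.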

    42. Re:Enhancement, from the NSA? by JasterBobaMereel · · Score: 1

      The issue is not skilled eyes or appropriate eyes, but eyes at all, no-one is looking because it works..

      The code does get security audited, by professional companies, often the same ones that audit closed source systems, it does get regression tested, but mostly by the people who wrote it ...

      The flaw is that no-one is really looking for bugs in code that works, but that is also true of closed source systems ..

      --
      Puteulanus fenestra mortis
    43. Re:Enhancement, from the NSA? by Anonymous Coward · · Score: 0

      The NSA does not inject flaws. The NSA actively discourages inclusions of flaws that are not known to researchers outside of the NSA. It's only later that the rest of us discover why they suggested the change. Security experts take suggestions from the NSA about changes very seriously. The interest they have in making stuff unbreakable, even to them, far outweighs any interest they have in leaving an exploitable backdoor in something.

  2. Is it secure from the NSA et al? by TeddyR · · Score: 3, Interesting

    The question is what backdoors have they placed on it. Is it secure from themselves (NSA) and other three letter agencies?

    --
    Time is on my side
    1. Re:Is it secure from the NSA et al? by chill · · Score: 4, Insightful

      Considering Android was pretty much swiss cheese to begin with, you'd have to wonder why they'd bother.

      And the risk involved in doing something like that and releasing it all as source code makes even less sense.

      No, I think the simple truth is the NSA realizes that being secure is hard work. Even people whose lives depend on it get it wrong. The average schmoe hardening up their smartphone is still going to fall prey to an easily shoulder-surfed password. Or the XKCD $5 wrench. Or all of the data that goes thru the boot-licking telecom companies. Or... or...

      No, this is probably the real deal. The NSA guys hate Blackberries as much as the rest of us and are looking for approved replacements.

      --
      Learning HOW to think is more important than learning WHAT to think.
    2. Re:Is it secure from the NSA et al? by Anonymous Coward · · Score: 5, Informative

      NSA is made up of two sections; one does cryptanalysis (i.e. signals intelligence), the other provides cryptographic help for the government (and the public), often being at the cutting edge of cryptographic research.

      SHA1 and SHA2 were NSA designed; do you trust those?

      In any case it's open source (info page is here: http://selinuxproject.org/page/SEAndroid . currently down; use google cache)

    3. Re:Is it secure from the NSA et al? by Anonymous Coward · · Score: 0

      From them? No, because they can hire a guy with a wrench, or just direct a satellite to read the reflections on your glasses.

      Is it more secure? Well,I certainly hope so.

    4. Re:Is it secure from the NSA et al? by Undead+Waffle · · Score: 1

      I'm guessing this is more related to the fact that the military is looking into using tablets and other such consumer devices in the field. (See previous /. articles for reference. I'm too lazy to find links to them myself.)

    5. Re:Is it secure from the NSA et al? by thegarbz · · Score: 1

      Check the source code and let us know. Kinda hard to place a back door in OSS isn't it.

    6. Re:Is it secure from the NSA et al? by The+Grim+Reefer · · Score: 4, Funny

      or just direct a satellite to read the reflections on your glasses.

      Sorry, we're talking about the NSA, not CSI.

      This is probably appropriate too.

    7. Re:Is it secure from the NSA et al? by stephanruby · · Score: 2

      And the risk involved in doing something like that and releasing it all as source code makes even less sense.

      If you believe in security through obscurity, then yes that would make no sense to you.

    8. Re:Is it secure from the NSA et al? by MagusSlurpy · · Score: 3, Interesting

      Unless the "security through obscurity" is to make the OS more widespread, and so make actual NSA phones less obvious targets. One thousand "sensitive" phones amongst an install base numbering one hundred thousand slashdotters and tinfoil hatters is a good starting point.

      --
      My sister opened a computer store in Hawaii. She sells C shells by the seashore.
    9. Re:Is it secure from the NSA et al? by Anonymous Coward · · Score: 0

      There were flaws in popular OSS that were only discovered after several years, that could have been exploited in a way resembling a backdoor.
      Nobody found them in all this time, because if they had been so easy to see they wouldn't have been in there in the first place.

      But now imagine there is someone - a single government organization - who knows of such a flaw from the beginning and is secretly exploiting it the whole time.

    10. Re:Is it secure from the NSA et al? by Patchw0rk+F0g · · Score: 1

      or just direct a satellite to read the reflections on your glasses.

      Sorry, we're talking about the NSA, not CSI.

      That's not CSI, that's 007.

      --
      When the going gets weird, the weird turn pro. ~~ Hunter S. Thompson
    11. Re:Is it secure from the NSA et al? by SpzToid · · Score: 1

      That clip was amusing. What I found even more amusing was clicking one of the YouTube thumbnail videos off to the right side of that page, which led me to the CSI gem below.

      Never seen the show myself but it seems to be a clip where one of the agents is quoted as saying:

      I'll go make a GUI interface using Visual Basic. See if I can track an IP address. [to find a killer]

      Somebody got paid how much to write that? I can only believe some screen-writer slipped that in as an Easter egg for those with a clue. But for all I know, the medical shows are equal in this regard.

      https://www.youtube.com/watch?v=hkDD03yeLnU&feature=related

      --
      You can't be ahead of the curve, if you're stuck in a loop.
    12. Re:Is it secure from the NSA et al? by GameboyRMH · · Score: 1

      CSI has lots of product placement advertising for MS products. I'd really like to believe it was a hidden joke for techies, but... :-(

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    13. Re:Is it secure from the NSA et al? by The+Grim+Reefer · · Score: 1

      Oops. I meant to link CSI to this They forgo the reflection off of the glasses and get the one right off of an eye. And of course: "Enhance!" "Zoom!" "Stop!" "Enhance!"...

    14. Re:Is it secure from the NSA et al? by strikethree · · Score: 1

      The funny thing is, all of that IS actually possible IF the camera records the data. Zooming in on photos can reveal details you did not notice when the picture was shown at normal detail levels... however

      I am not aware of any consumer or professional grade cameras that are capable of recording that much information in a single frame.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  3. It needs encryption not security controls by Anonymous Coward · · Score: 0

    Seriously, the biggest problem with Android is its complete lack of filesystem encryption.

    1. Re:It needs encryption not security controls by Zeroedout · · Score: 1

      Seriously, the biggest problem with Android is its complete lack of filesystem encryption.

      And how do you propose to securely decrypt the filesystem at boot? Have a touch screen keyboard as part of the boot-loader?! I'm sure U-Boot will accept your patches....

    2. Re:It needs encryption not security controls by Anonymous Coward · · Score: 0

      Seriously, the biggest problem with Android is its complete lack of filesystem encryption.

      And how do you propose to securely decrypt the filesystem at boot? Have a touch screen keyboard as part of the boot-loader?! I'm sure U-Boot will accept your patches....

      That's what mine does (4.0.1), starts to boot..... pops up keyboard, I enter passphrase, then it continues. Honestly, I'm not really sure what all is actually encrypted though.

    3. Re:It needs encryption not security controls by Anonymous Coward · · Score: 0

      encryption has been introduced in ICS. Works fine on my galaxy nexus. http://source.android.com/tech/encryption/android_crypto_implementation.html

    4. Re:It needs encryption not security controls by FormOfActionBanana · · Score: 2

      Probably not the decryptor function!

      --
      Take off every 'sig' !!
    5. Re:It needs encryption not security controls by GameboyRMH · · Score: 1

      What's wrong with that (apart from the standard PITA factor of on-screen keyboards that most people seem to accept)? They'd have to randomize the keypad layout though to prevent password recovery via fingerprint-lifting.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    6. Re:It needs encryption not security controls by chill · · Score: 1

      The Asus Transformer running v2.3 Honeycomb had full disc encryption. When it started to boot, it would show a virtual keyboard and I'd have to enter my password.

      It is a little easier on a tablet, with the bigger screen, but it certainly was possible and not cumbersome.

      --
      Learning HOW to think is more important than learning WHAT to think.
  4. SELinux? by Anonymous Coward · · Score: 0

    Oh, yeah. That thing I have to always disable to get anything working in my Linux desktop.

  5. The NSA has a good track record too by Sycraft-fu · · Score: 5, Informative

    Take a look at DES. There was a big to do about the NSA "messing" with the S-boxes in DES. People conspiracy theoried that they had weakened it so they could crack it. Nobody at the NSA or IBM (who made DES) would say anything about it. Then, in 1990, differential cryptanalysis was discovered by public researchers and it turned out the DES S-boxes were way more resilient to it than had they been random. Turns out IBM and the NSA knew about it back in the 70s, but the NSA asked IBM to keep a lid on it. The NSA's changes made DES more resilient.

    Time has borne it out too. DES is decades old now and there has been no magic break in it discovered, no "backdoor" that would let people in, it is just too short a key to be useful anymore.

    Along those lines, the NSA has signed off on AES (which was originally developed in Finland) as an approved standard to be used for classified data and said that AES is good security for the commercial world (which was the point of the AES standard). Again, time seems to bear them out on that, it is the most analyzed cryptosystem out there, and nobody has found any "backdoor" in it.

    While there's no doubt the NSA takes their signals intelligence mission seriously, they seem to take their security mission seriously too. Their track record so far is excellent. Everything they've released has stood the test of time.

    Now I suppose it is possible in theory that they are so far advanced of everyone else, and so arrogantly confident in their superiority, that they have hidden "backdoors" they figure nobody will ever notice... However if they really were that much better, would they need to?

    1. Re:The NSA has a good track record too by Darkness404 · · Score: 0

      Yep, I mean, after all, the police state has many other avenues to control the citizens, spying via a backdoor hidden in an OSS project is unlikely. Through corporations who are willing to bend over backwards to further the spread of tyranny, through totalitarian laws like the PATRIOT act and CALEA the government has many more legal (and more PR friendly) ways of spying on citizens. Making a backdoor in an open source security program if discovered would be nothing short of an embarrassment. However, by calling them a "terrorist" and detaining them indefinitely, seizing their phones, recovering records or wiretapping via the major telecom companies via laws that subvert the constitution, they can avoid embarrassment.

      --
      Taxation is legalized theft, no more, no less.
    2. Re:The NSA has a good track record too by IAmR007 · · Score: 1

      Yeah, why break something that you are going to use, especially when your security requirements are far higher than an average user's?

  6. Hardly New by Anonymous Coward · · Score: 0

    This project has been up for around a month now. More importantly, it wasn't written by the NSA, they only advised when someone started posting on the selinux mail list. Check the archives, I could be wrong, but I don't think the guy was a plant. He had valid questions to ask.

  7. Doesn't Android already use SELinux? by Anonymous Coward · · Score: 0

    I could swear I saw something in the source previously. Might be mistaken.

  8. AES Finland? by Anonymous Coward · · Score: 3, Informative

    No Sir, you must be joking. AES, i.e. Rijndael, comes from Belgium.

    AES

  9. And yet, ..... by Anonymous Coward · · Score: 1

    These are manufactured in China. As long as that occurs, nothing about these can be secured. The west, if not the USA, should require that phones be produced in the west, using western components. After all, Chinese gov. is bright enough to do the same. They refuse phones that do not have parts PHYSICALLY produced in their nation. Of course, they are in a cold war with the west, so it makes sense for their actions.

  10. It's funny by Anonymous Coward · · Score: 4, Insightful

    Having gone through the comments here, to read the distrust of the NSA. To be honest, that is good.
    Yet, for a number of you, you will trust the physical hardware is OK coming in from China. Why on god's green earth, would you trust China, a nation that has more spies running around the world, esp. in the west, than does America, while screaming that America has planted a backdoor in open code?

  11. A truly NEEDED GOOD THING (kudos 2 the NSA) by Anonymous Coward · · Score: 0

    See subject-line: Says it all...

    Assuming it's solid & for the same purposes intended as SeLinux & no "secret backdoors" are in it as some folks here alluded possible suspicions of?

    Well, then the folks @ the NSA have done "penguins" worldwide, & ordinary "non-techie" end-users a favor hopefully (because ANDROID based phones are a Linux variant due to Linux kernel code usage)...

    * So that "all said & aside": I think this is great, and yes, that it was needed!

    APK

    P.S.=> Then, it's a matter of the folks with JAVA doing the same & shoring up its security (not sure how much of the "dalvik" JAVA interpreter engine's directly related to Oracle's JAVA etc. though anymore)!

    Yes - I do honestly think that Android based "smartphones" really ARE "neat/cool", but they're being "torn up" security-wise is all!

    So, it's a matter of securing them better now's all because of all of the exploitation of various "holes" in its KERNEL and what rides on it too above that (again, this SeAndroid is a good move for that & in the right direction)... apk

  12. fembots by pbjones · · Score: 1

    Many times I read the title and think of something very different, this time it was 'enhanced android', must be a fembot! From Austin Powers.

    --
    There was an unknown error in the submission.
  13. BACKDOOR by Syobon · · Score: 1

    SELinux was the only way the US government could reach the Linux kernel and implement an obfuscated backdoor worldwide. What is the difference between a bug and a backdoor? From inside the source code they are the same.

  14. Another noose for the dev manufacturers. by Bill, Shooter of Bul · · Score: 1

    Anything that removes potential security flaws from Android is a double-edged sword. It's many of those flaws that allow us to get root and install custom ROMs.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.