Red Star Linux Adds Secret Watermarks To Files

An anonymous reader writes: ERNW security analyst Florian Grunow says that North Korea's Red Star Linux operating system is tracking users by tagging content with unique hidden tags. He particularizes that files including Word documents and JPEG images connected to but not necessarily executed in Red Star will have a tag introduced into its code that includes a number based on hardware serial numbers. Red Star's development team seems to have created some quite interesting custom additions to Linux kernel and userspace, based on which Grunow has written a technical analysis.

"privacy of North Koreans"

[xxxJonBoyxxx]

>> privacy of potential users (especially from North Korea) may be impacted

I didn't know privacy was a thing in North Korea.

Re:"privacy of North Koreans"

[Penguinisto]

I'm just hoping the NSA doesn't get any ideas.

It does lead to a question, though - could someone in North Korea (with a sufficient level of ability) remove or obfuscate those, or is the source code even available to the typical user in NoKo?

Re:"privacy of North Koreans"

[gstoddart]

Do you honestly think the dictatorship makes the source code for Red Star Linux available to its people?

I'm sorry, but what part of dictatorship are you forgetting?

This is the government approved version. That's all there is.

Re:"privacy of North Koreans"

What makes you think it isn't being done already?

A code injecting "virus" is only identified today via other software that looks for pre-defined signatures. You think that's fail-safe? Or that there aren't back-doors allowing certain signatures in the scan too?

Re:"privacy of North Koreans"

[Archangel+Michael]

Yeah, I can see it now. NSA Linux, "Freedom Edition with Proprietary Patriot Act Protection!"

And a Obama working with Boehner will get it done.

Re:"privacy of North Koreans"

[Adriax]

I didn't know there were more than a dozen north koreans who could afford computers.

Re:"privacy of North Koreans"

[Lumpy]

if details on the tags are revealed, then it will be trivial to write a patch that randomizes the tag making the government furious.

Re:"privacy of North Koreans"

I'd highly doubt the source is being made available. But yes, if they can implement this, someone with sufficient access and remove it. Many Linux users compile their own builds, as long as the source is available it can be tweaked.

But why on earth would a repressive regime who created a custom linux distro specifically to track users, make that source code available to anyone?

I suspect that a good programmer/admin would be able to not only detect this, but block it right in the OS. This is linux, there's very little being hidden from you unlike windows or MAC. I'd suspect it wouldn't take much to find the hook that calls the proceedure, and murder it, or replace the call to call something innocuous.

So really though, this is tagging files with serial numbers, so it's only really going to be tracking and datamining whomever purchased the machine in the first place, provided they paid with credit or debit instead of cash.

As well, if this system is adding information to a file, exactly how many times will it do this? Lets say I create a jpeg on my infected box and send it to your box also running this os. Your copy should have my information in it, does your OS also tag it? Does it append?

How long of a history does it keep? How long before the file size starts to bloat? What exactly is the point of all of this? If they are building a custom os with backdoors for tracking, why even bother with tagging individual files with serial numbers that may or may not be traceable?

From the Article:
"When analysing the OS the first thing that came to our attention is that they have built an own kernel module named rtscan. There is a binary running that is named opprc and a few more binaries, one that seems to simulate/pretend to be some kind of 'virus scanner' and seems to share some code base with opprc,"

Well there you go, kill or replace that binary, or simply remove the call or change it's destination, no more tagging.

Re:"privacy of North Koreans"

I didn't know privacy was a thing in North Korea.

I didn't know privacy was a thing in the USA.

Re:"privacy of North Koreans"

[rockmuelle]

That already exists. It's called SELinux: https://en.wikipedia.org/wiki/...

-Chris

Re: "privacy of North Koreans"

[WindBourne]

And yet, there is nothing in selinux remotely similar to redstar.

Re: "privacy of North Koreans"

[Varka]

As far as you know.

Re:"privacy of North Koreans"

[barbariccow]

But... It's GPL... and they're modifying it! And Distributing it!

Re:"privacy of North Koreans"

[Austerity+Empowers]

The ones who can afford them are the ones most in need of monitoring.

Re:"privacy of North Koreans"

[macs4all]

Do you honestly think the dictatorship makes the source code for Red Star Linux available to its people?

I'm sorry, but what part of dictatorship are you forgetting?

This is the government approved version. That's all there is.

So, is this a violation of the GPL? Is NK even bound by the GPL?

If so, let's see how big the balls of the FSF REALLY are...

Re:"privacy of North Koreans"

Am I the only one the read this as :- And a Obama working with Boner will get it done.

Re:"privacy of North Koreans"

[Actually,+I+do+RTFA]

Well there you go, kill or replace that binary, or simply remove the call or change it's destination, no more tagging.

You realize that only select few (very few) North Koreans can access the internet. Those are exclusively in the cyberwar wing, so they knew about this anyway or so senior they love the regime because they're helping to rule it. No one else is really going to know about the watermarking.

Re:"privacy of North Koreans"

Yeah randomized tags are all well and good util random tag = the hardware tag assigned to Bob next door and he gets hauled off in the middle of the night because of your south korea is best korea meme's.

Re: "privacy of North Koreans"

As far as you know.

You might want to adjust your tinfoil hat. It seems to be so tight that it's cutting off circulation to your brain.

Re:"privacy of North Koreans"

>> privacy of potential users (especially from North Korea) may be impacted

I didn't know privacy was a thing in North Korea.

I recall Bruce Schneier making the case in one of his newsletters for encryption everywhere. Only when every single thing is encrypted can we reasonably expected to get some of our privacy back. In particular his argument is for countries that are oppressive to their citizens that encryption provides a means for them to communicate privately that is vital to the development of a just and fair government everywhere. When only a few things are encrypted you tend to have a presumption of guilt about those few things, and that is scary. Right now our government has elected representatives wanting to backdoor everything so they can spy on anything and everything else the terrorists win. I.E. it is the give us all your liberty and we will give you infinite security argument, which is of course just flat out wrong. It is also obviously wrong to even believe that you can totally control encryption software and insert back doors everywhere. Even if the theories behind it were not common knowledge, they are not so difficult that they couldn't be discovered again and again and again.

Looked at another way, most politicians would likely support the development of secure communications for the everyday citizen in North Korean. Those politicians know it is not a good thing that the North Korean government can spy on their citizens so easily. (Of course most don't have computers so it is a non issue, but for the sake of the argument assume that they did.) Those same politicians now don't want their own citizens communications to be secure...

Re:"privacy of North Koreans"

[Stan92057]

Just how would a normal non techie know if his version of Linux hasn't has stuff added by the say NSA? Unless your a coder you wouldn't know. How do people know the copy they download from so and so university hasn't been NSAed? Unless you download from the Official servers you can be getting anything right?

Re:"privacy of North Koreans"

[penguinoid]

I didn't know privacy was a thing in North Korea.

Well not everywhere is as willing to give up their privacy as the US.

Re:"privacy of North Koreans"

[shentino]

NK has sovereign immunity to US copyright law on its own soil.

Re:"privacy of North Koreans"

[psyclone]

I don't think encryption would help here. Assume the user is still using Red Star Linux which in addition to watermarking, has tweaked the prngs so that all private keys (including symmetric keys and session keys) are created with a known set of values, thus making the user think they are secure but allows the government to still eavesdrop on all communication.

Re:"privacy of North Koreans"

[KGIII]

Someone should sue for violating the GPL. It would be damned amusing. I saw this download on a torrent site the other day, they had directions to change to English, I did not bother with it.

Re:"privacy of North Koreans"

Yes, if people must use an OS that is fully controlled and only runs government approved and signed applications then it would not help. If it can run unapproved application then doors open, but yes trusting a government provided cryptography component that has not undergone peer review is likely unwise. Of course, running unapproved applications on an OS that is completely under the control of an oppressive government is likely not a good idea either, since if it has any network connectivity it is apt to report those nefarious applications.

Personally, if I had such an OS and knew I could not remove it, I might consider just running a Linux Mint LiveCD/USB. At that point you then have to wonder what nefarious hardware might exist in such a country, which might still have a back door into it. Of course given the rarity of computers in North Korea I'm not sure it is not all for moot, but in time it may not be. Developing secure applications on top of an insecure environment is not impossible after all, just really difficult. After all, your average PC deals with a huge range of threats on the internet. Sure it is not perfect, but it does work.

Re:"privacy of North Koreans"

So the hardware tag will take a little longer to become... useless.

Just as trying to tie IP addresses to users has become useless in a world where I can moderate posts in this discussion using my home IP *and* post in it myself using the IP of a machine on another continent.

And other than my 4-digit UID, I ain't nobody special.

--Z.

Suppose today is dupe day.

Where are the MOOs?

Who cares?

Should we be surprised or otherwise care?

Supreme Glorious Idiot with bad haircut and tiny penis is a draconian asshole. Does draconian things.

Film at 11. Kill off Supreme Glorious Idiot with bad haircut and tiny penis. Hang tiny penis on wall for all to laugh at.

Re:Who cares?

[Geoffrey.landis]

Should we be surprised

no.

or otherwise care?

Yes.

custom kernel?

[red+crab]

Is www.kernel.org accessible from North Korea? One can then pull the sources and compile a custom kernel omitting their "rtscan" module.

Re:custom kernel?

Is www.kernel.org accessible from North Korea?

Not any more.....

Re:custom kernel?

[behrooz0az]

Ken Thompson's C compiler is an interesting read on the subject:
http://programmers.stackexchan...
http://www.reddit.com/comments...
Basically, It's a compiler with a backdoor that injects it's source code when it's compiling itself. pretty interesting idea for 1984.

Re:custom kernel?

[gstoddart]

Seriously?

Most North Koreans don't have access to the internet. Most North Koreans don't know a damned thing about Linux. Most North Koreans don't know a damned thing about kernels or spying modules installed on their computers.

Do you really think people are going to compile a custom kernel to get around the brutal dictatorships surveillance and risk their lives for something they probably don't know exists?

Come on, guys, learn a little about North Korea before suggesting the populace just whips up a custom kernel to work around this.

Under a third generation pisspot dictator, the overwhelming majority of North Koreans will only know what they've been told. They're poor, starving, and isolated from much of the rest of the world.

And the suggestion is to go to kernel.org? Pathetic.

Re:custom kernel?

[Ramze]

My guess (and I admit, it's pure speculation) is that only a select few who created the OS have access to such sources -- that and perhaps NK sponsored hackers. Everyone else is restricted to the national intranet. Well, everyone else that is lucky enough to even see, much less use a computer in NK. The country has enough trouble providing food, much less electronics for its citizens.

Re:custom kernel?

At which point you become 100% suspicious because you're on the few not producting tainted files.

Re:custom kernel?

[PPH]

Most North Koreans don't have access to the internet.

This sort of thing is aimed at government employees who might become disaffected and begin working for some western intelligence agency. Your office PC watermarks every document on its way to the thumb drive (or floppy disk). In the event the media is intercepted on its way out of the country, they know whose desk to visit.

Re:custom kernel?

Movies and music from the west are already smuggled into North Korea on thumb drives. Why not a rogue Linux distro on a thumb drive?

Re:custom kernel?

And a rouge distro that's actually Red Star, but not compromised! Ideally it would still do the watermarking, but not use your real hardware's identifiers.

Slashdotted, or down

Looks like NK isn't too happy about this. Site down.

Is this any different than the US government?

[AndyKron]

Is this any different that our government forcing printer manufacturers to put secret watermarks on pages printed?

Re:Is this any different than the US government?

If it was your government, then they wouldn't be spying on you as if you were a criminal.

Re:Is this any different than the US government?

[bluefoxlucid]

Yes. People don't use ink-jet printers for child pornography; obviously, they just want to know what computers the child pornography has been bittorrented through.

Re:Is this any different than the US government?

Or tracking/spying on every phone call, email and web site they visit?
Face it, North Korea is poor, but its leaders and the 'free worlds' are all a sham, sure, you can 'vote', but only for those the power structure has approved of. Members of the US congress are vetted by big money, and remember, theres ONLY two parties, errr, make that ONE party
the Republicratian party.

Re:Is this any different than the US government?

[Gravis+Zero]

Is this any different that our government forcing printer manufacturers to put secret watermarks on pages printed?

actually, yes it is! the point of the watermarks made on color printers is to make it easy to track down counterfeiters, specifically those printing USD. fun fact, North Korea loves to counterfeit $100 USD notes.

Re:Is this any different than the US government?

[gstoddart]

Sorry, but it has the net effect of making every printed document uniquely identifiable.

Which means whatever pretense they used, they can now use it for anything else they damned well please.

You can keep believing your government isn't trying to monitor and control everything you do. But you'd be wrong.

Much like terror laws are being used to piggy back for the rest of law enforcement, despite assurances to the contrary, they can and will abuse any other technology which is made available to them.

There's really no difference between one government spying on everybody and another. The only difference is in how much people believe there's a difference. But if they can get away with it, Western governments are just as likely to do it.

Re: Is this any different than the US government?

[WindBourne]

If it is secret, than how do you know about it?

Re:Is this any different than the US government?

[westlake]

Is this any different that our government forcing printer manufacturers to put secret watermarks on pages printed?

1 It is not "our" government alone, but "all" governments whose currency can be plausibly counterfeited by a color laser printer that demand watermarks.

The geek living "off the books" needs a $20 bill which is generally trusted.

2 The laser printer is not an operating system that can tag all files sent and received.

Re:Is this any different than the US government?

Um... sure. Let's go with that.

Re:Is this any different than the US government?

Iran loves to counterfeit $100 too, and those dollar bills I've seen are immaculate except for the to light color and wrong paper. I bet they have the original tools just wrong paper and ink.

Re:Is this any different than the US government?

[macs4all]

Yes. People don't use ink-jet printers for child pornography; obviously, they just want to know what computers the child pornography has been bittorrented through.

IIRC, the watermarks (yellow dots) were mandated on COLOR printers as an anti-counterfeiting measure, not (for once) as a "Think of the Children!" anti-child-porn thing. The Feds were worried that color printers were getting good enough that people (other than the gummint) would be able to use them to print bogus money. Of course, anyone who has seen the output of pretty much any consumer-grade color printer knows that this is laughable; but this is the gummint we're talking about.

Re:Is this any different than the US government?

[ZombieBraintrust]

It isn't just consumer-grade gear that has it. I worked at a copy shop 10 years ago and the color copier could detect money.

Re:Is this any different than the US government?

[Gravis+Zero]

it has the net effect of making every printed document uniquely identifiable.

wrong. it only applies to color printouts. the jillions of black and white text pages printed out are unaltered.

Re:Is this any different than the US government?

Yes, but I can shout out "OBAMA SUCKS DEAD DONKEY BALLS!" on a street corner in downtown Washington, DC, and the worst there that'll happen is I might get asked to move along.

Try that in Pyongyang and you'll end up at the wrong end of an AA gun.

Re:Is this any different than the US government?

So if I remove the colour ink cartridges from my printer, and use only the black cartridge, I'm safe?

Your naïveté is heart-warming, to say the least.

Not news

This would be news if it did not add a tracking watermarks. I expect pretty much everything in North Korea to be track to the nth degree.

North Korea may not be the worst country

North Korea may not be the worst country in the world, but it's the worst non-Muslim country by far

Re:North Korea may not be the worst country

North Korea may not be the worst country in the world, but it's the worst non-Muslim country by far

There are several places in Africa you should visit, starting with Liberia, ask for General Butt Naked aka. Joshua Milton Blahyi. He has some stories to tell about cannibalism and blood drinking, oh, and he fairly recently converted to Christianity. After you are done with Africa, and assuming you survive try South and Central.... eh.. make that large portions of the Americas South of the Rio Grande. I hear Mexico is particularly screwed up these days. If you have a blog I'd recommend not telling them because the local Zetas have a habit of hanging bloggers from bridges but only whey they are not randomly murdering people with guns sold to them by entrepreneurially minded US citizens. The lesson here is that there are plenty of shitholes just as bad or even worse than N-Korea, a whole string of them are non Moslem countries and most are pretty uniformly christian.

Re:North Korea may not be the worst country

[tekrat]

I've heard of this country that tortures people and then denies it, imprisons others without ever charging them of a crime, has a byzantine legal system where only the wealthy come out unscathed (hell, you can rape and murder if you are rich enough, and get away with it).

This country also has classes of people based on skin color, sexual orientation and other factors, yet is ruled by a party or parties that claim they represent all their people; in reality they represent none. Corruption is rampant, politicians routinely earn gifts of millions; but because these corrupt people have classified it as "legal", you can't even call it corruption there.

Trust me, you want to stay away from that place.

Oh the horror

[Blaskowicz]

Desktop software is really horrible these days. To preserve your freedoms, use Chrome OS or Android and organize your collaborations and activities over Facebook. Capitalist computing is much more trustworthy than that evil communist Linux thing.

Re:Oh the horror

[myowntrueself]

Desktop software is really horrible these days. To preserve your freedoms, use Chrome OS or Android and organize your collaborations and activities over Facebook. Capitalist computing is much more trustworthy than that evil communist Linux thing.

See sig.

Re:Oh the horror

Chrome, Android, and facebook violate your privacy also. Or are you joking? Or just ignorant?

Re:Oh the horror

Desktops are really horrible these days. To preserve your freedoms, use an abacus and a stack of post-it notes. ...What's that? The post-it notes have serial numbers?

Well fuck me sideways.

We are safe

[Bandit2]

Luckily we are safe :) !\:&%4-n|S.#%'K5:G%M],%"&$ W78]E_EOF

Does it make a difference?

[Dcnjoe60]

Does it make a difference whether the software is doing this or your printer/copier does it? For a long, long time, laser printers and copiers have been doing the same thing to show where the document came from. Isn't this just the paperless version of what we've all been living with for a a very long time?

Re:Does it make a difference?

[gstoddart]

Shhhh .... it's not fair to point out how "free" societies try to do the same fucking thing.

It confuses the plebes who still think their own governments aren't actively trying to become fascists too.

Re:Does it make a difference?

I would say that yes, there is a difference between watermarks on **color** printers (with a legitimate anti-counterfeiting justification) and adding tracking information to every file which touches a machine.
North Korea is under a horrible, repressive regime. I suggest reading "Escape from Camp 14" before trying to make equivalencies between any western democracy & North Korea.

Re:Does it make a difference?

[Darinbob]

I use text format for everything. Pretty hard to add watermarks there without noticing.

Re:Does it make a difference?

[Dcnjoe60]

If you send it to a laser printer or copy it on a copier there are watermarks. Doesn't matter the format used. Unlike the old fashioned typewriters where law enforcement could match the document to the typewriter based on how individual keys hit, in the digital age they had to find some other way. So, every laser printer and copy machine prints a tiny watermark that can trace the document to the machine that produced it.

Wish people

would put CDN links in the summary by default.

No, it doesn't

[kromozone]

Before: https://i.imgur.com/oOoWssF.pn...
Open in Red Star 3.0: https://i.imgur.com/MiORhD3.jp...
After: https://i.imgur.com/uqAvXC6.pn...

The above uses an MS Word document created in Office 2011.

I've tried jpg, docx created in MS Word, docx from LibreOffice, and numerous other random file formats copied onto my thumb drive - the MD5 remains exactly the same in every case.

Re:No, it doesn't

[barbariccow]

Are you viewing the hex on RedSTAR OS as well? They may have "fixed" that problem, though TFA does seem to be claiming to use md5sum on the OS itself, so probably not likely. Also really they don't post any evidence supporting the notion that it is a hardware serial number inserted or anything. Maybe they had flash enabled, tried browsing the web, THEN performed this experiment?

Re:No, it doesn't

Nonsense. Unless each and every write operation finds an MD5 collision for each and every file, there is no way that the MD5 would remain the same after a watermark would be added.

Re:No, it doesn't

[kromozone]

I'm viewing the hex on Mac OS X. I formatted a thumb drive, saved a newly created .docx file on it, ejected, connected to a Red Star 3.0 VM, opened the drive on Red Star, ejected and then connected back to OS X. The md5 and hex were exactly the same before and after. When I posted this to a thread on reddit the author came back to claim that the behavior didn't occur with .docx created in MS Word but did occur with .docx created in LibreOffice and with .jpg files. The .docx file I'd used in the first trial was created in MS Word so I repeated the process with a .docx from LibreOffice and a .jpeg file. Again the md5 and hex were exactly the same before and after connection to RS3.0.

Re:No, it doesn't

Did you try actually creating said document on RedStar OS? It seems that is the main intent is to track who is creating content---not to modify documents you are reading.

Re:No, it doesn't

[penguinoid]

Did you wait long enough for their "virus scanner" to run? Also, maybe you need to spoof it so it looks like your computer is in Korea.

Re:No, it doesn't

[psyclone]

And you've verified you have the same kernel modules and binaries running described in TFA?

Is there a slight chance if the VM can't access the hardware IDs needed to watermark, that it does not apply one? You have an old box you can run Red Star on natively?

English as she is spoke

[jeremyp]

He particularizes

I don't know what makes me sadder: that he used that word or that it apparently is a word.

Re:English as she is spoke

[ScentCone]

Well, all you have to do is come up with an enbiggened disincentivicationism to counterproduce the linguinistical resultifacts that meet your desirenessifity.

Re:English as she is spoke

[Deep+Esophagus]

That was my first reactification, too, but apparently that word has been verbed since at least the 19th century.

Re:English as she is spoke

[glwtta]

I don't know what makes me sadder: that he used that word or that it apparently is a word.

I feel sadder for the poor fellow who apparently spontaneously disassociated into a cloud of particles.

Re:English as she is spoke

I don't get it. Why are you sad that a word exists?

Re:English as she is spoke

Paricularizes is a perfectly cromulent word.

Re:English as she is spoke

Your comment was short; do you care to ideate any further, or utilize examples?

I'm okay w/ watermarks, but not secrecy

Okay, I know this is North Korea we are talking about, but non-secret watermarks can be useful in some "overlord" situations.

Back before cell-phone cameras became common, I worked for a company where every photocopier put a visible, human-readable watermark. They also banned cameras without a permit from corporate security. It was never stated outright but I'm sure this was either to deter industrial espionage or to comply with a contractual obligation that they take such steps.

Re:I'm okay w/ watermarks, but not secrecy

[AHuxley]

The US and UK became very interested in the photocopier aspect when the UK found a photocopier without a counter or security in an area with its security document vaults. An individual had been using it to make all the copies wanted of secure documents and walking out with the clean copies.
The US and UK then upgraded and further restricted photocopier access policy with counters, educated security staff and by installing cameras in the photocopier units to record what was been copied and by what person.
Very old ideas that had to be rushed out to solve unexpected wider problems.
The tracking of digital files worked in the same way. Baited access to plain text databases to see how staff would respond and what they searched or did not attempt to search.

NSA SELinux open source, in mainline kernel 12 yrs

[perpenso]

As far as you know.

Actually we do know, we have the source code, have had it for about 15 years. Its been in the mainline Linux kernel for about 12 years. In case you haven't heard changes to the kernel get, uh, ... reviewed.

Re:NSA SELinux open source, in mainline kernel 12

[Varka]

This is one of those eternal security arguments; without manually reviewing the code YOURSELF, and compiling the kernel from that manually reviewed code YOURSELF, it's "as far as you know." Maybe you do that, I don't know; I'm just aware that the security of my linux installs relies on a chain of trust, and even if that chain is 100% verifiable from source to binary, there's still no guarantee that there isn't an obfuscated back door or malicious code exploit that was overlooked.

Kwangmyong versus?

The GTA V intranet.. Must be about the same size.

Re:NSA SELinux open source, in mainline kernel 12

[perpenso]

The kernel is heavily viewed, studied, etc. Its changes are reviewed, at multiple levels in a hierarchy. Its probably the one part of Linux where the many eyeballs notion is reality rather than myth.

irony pherhaps?

Leah in Star Wars said "the more you tighten your grasp, the more fall through your fingers". That is interestingly true here.

If any node in their network is compromised by a nation-state it can, through such watermarks in traffic, both fully characterize the nature of users of all traffic going through the node, and "sculpt" it - transform it - to present false data to the system managers. The more of a trust imbalance they put into or requier out from their data, the more powerful any corruption of that data is at sculpting their decision-making.

Commercial applications exist

The source code, documentation, and research developed employees of companies are owned by companies in the majority of cases. Tracking stolen materials back to a leaker is a desirable and there is a market for such a capability.

jhead and MAT

I wonder if the CLI program "jhead" and the GUI program "MAT" (see mat.boum.org) can sanitize these.

Re:NSA SELinux open source, in mainline kernel 12

[Tanktalus]

And yet, regressions and other bugs still get in. I'm a big fan of the many eyeballs theory, but there are limitations to it.

Re:NSA SELinux open source, in mainline kernel 12

[perpenso]

And yet, regressions and other bugs still get in. I'm a big fan of the many eyeballs theory, but there are limitations to it.

Yes, but successful exploitation is a very different story. And such attempts are a bit unlikely when the code is publicly coming from the NSA. Anything coming from them will get extra scrutiny by some.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:NSA SELinux open source, in mainline kernel 12

[stasike]

We have had source code for Bash for decades, and it got reviewed multiple times, yet, we got shellshock exploit. Who knows how long it was being exploited before discovery.