[QUOTE=ewmayer;345967]I'm sure the NSA folks who wrote the code in question feel the same way. ;)[/QUOTE]
Please forgive me for this, but I suspect you have no knowledge. Please don't try to claim knowledge until you've disabled a SELinux installation. A bit like a "Cow-boy" at the calgarystampede.com "He didn't catch the nose, so he loses that $5,000 prize because he didn't catch the nose... Sucks to be him.... |
You misunderstand ... while I believe - based on the statements of experts in the Linux community - that at present the codebase is free of NSA spyware - I think it entirely plausible that those folks have ulterior motives, of course with "noble aims", blah blah. Say your intention was a long-term spyware infiltration of such an open-source project - how to go about it? The only viable way would be a long-term co-option of the relatively small number of people with the necessary skills and in a position to recognize truly devious, subtle malware of Stuxnet-like sophistication. The way to effect such co-option is long-term, but invariably begins with a series of trust-building exercises - "here, we have written some code which will make your system more secure, and we're gonna give it to you free of charge!"
I'm not saying there is definitely such an intention w.r.to open-source OSes like Linux, nor that it would realistically have a chance to succeed, but one would be naive to rule out that Big Intelligence would foreclose possible future options here. No one who has not literally inspected the code, line by line, can first-hand claim anything here. Have you done such an inspection? How many people in the world - again possessing the aforementioned subtle-malware-recognition skills - do you think have? Of course there currently are much richer and much easier targets, many of which have glaring security holes in addition to whatever secret backdoors may have been built in - mobile devices and much-more-widespread closed-system OSes such as Windows and MacOS. But it was only a short while ago that most anyone claiming that the NSA collects phone records and other digital metadata on all phone and internet traffic in the U.S. would have been labeled a tinfoil-hatter. Extreme vigilance is called for. |
[QUOTE=ewmayer;345974]Have you done such an inspection?[/QUOTE]
I have done reasonable due diligence. Frankly, this is a bit of an interesting question coming from someone who didn't even know how to configure a network card under Linux a few days ago.... |
Domestic-spying-R-us behavior - in the present instance in Luxembourg - has claimed its first "victim" amongst high officialdom:
[url=http://www.bbc.co.uk/news/world-europe-23264789]Luxembourg PM Juncker to resign over spy scandal[/url]
Juncker, as head of the Eurogroup of EU finance-ministers, against the backdrop of the ongoing EU banking-system and sovereign-debt crisis, of course gave us the (in)famous quote, "when it becomes serious, you have to lie." Good riddance to bad rubbish - this is likely hoping for too much, but may this be only the first of a global wave of resignations amongst lying, spying, criminal-organization-bail-outing politicians. |
[QUOTE=chalsall;345976]I have done reasonable due diligence..[/QUOTE]
Which means what, precisely? And you never addressed my question as to how many people are really in a position to do the needed d.d. Is it many thousands? Hundreds? What?
[QUOTE]Frankly, this is a bit of an interesting question coming from someone who didn't even know how to configure a network card under Linux a few days ago....[/QUOTE]
Ooh, your taunts sting me so, Chris! Never claimed to be a Linux expert - for me to do so would be as silly as for someone to claim that the NSA has no interest in co-opting popular computer operating systems to serve their remote-eavesdropping ends. Is that what you in fact are claiming? |
[QUOTE=ewmayer;345977]Good riddance to bad rubbish - this is likely hoping for too much, but may this be only the first of a global wave of resignations amongst lying, spying, criminal-organization-bail-outing politicians.[/QUOTE]
How's your Linux installation going? Figured out how to configure the local Ethernet interfaces yet? Here's a hint:
# ifconfig eth0 172.16.16.1 netmask 255.255.0.0 |
[QUOTE=ewmayer;345978]Ooh, your taunts sting me so, Chris! Never claimed to be a Linux expert - for me to do so would be as silly as for someone to claim that the NSA has no interest in co-opting popular computer operating systems to serve their remote-eavesdropping ends. Is that what you in fact are claiming?[/QUOTE]
Relax, my friend. I do find it a bit interesting that my posts appear at the same minute as yours. But we're not actually fighting. We're both bigger than that.... |
[QUOTE=chalsall;345979]How's your Linux installation going?
Figured out how to configure the local Ethernet interfaces yet? Here's a hint:
# ifconfig eth0 172.16.16.1 netmask 255.255.0.0[/QUOTE]
Uh, I'm all set up - got the onboard ethernet working as eth0, which solves my last remaining problem, that of the bad female connector on the Intel ethernet card Scott Bardwick sent me. (Which was still useful in that it led to discovery of the persistent-net-rules file issue, which then indicated that the onboard ethernet was correctly being recognized, just that the persistent entry for the no-longer-used motherboard was blocking things.) Oh, and the above IP# and netmask were entirely irrelevant to my problem. But it seems you find inane playground-style taunting easier than actually answering on-topic questions. |
[QUOTE=ewmayer;345981]But it seems you find inane playground-style taunting easier than actually answering on-topic questions.[/QUOTE]
LOL... Such as? Please forgive me if I'm a little slow. What questions would you like answered? Exactly? |
Most modern Linux installations ship with SELinux and something like it is badly needed on Android devices, since my understanding is that the Android version of Linux combines together many OS functions that would ordinarily be in separate processes, making the whole system more vulnerable to exploits.
There are some interesting presentations on SE-Android [url="http://selinuxproject.org/page/SEAndroid"]here[/url].
In related reading, [url="http://underhanded.xcott.com/"]the Underhanded C Code Contest[/url] is just delightful. |
@Chalsall: OK, you mentioned having done reasonable due diligence. Couple of questions for you:
1. Which Linux distrib did you add the SE layer to, and which aspects of the SEL mandatory access control add-on subsystem did (or do) you use?
2. How many source lines of SEL have you personally examined, and what fraction of the total is that? Please provide a link to the source branch in question.
---------------------------------
Here is a good discussion of the "do you trust it?" issue from 2008 on [url=http://www.schneier.com/blog/archives/2008/04/nsas_linux.html]Bruce Schneier's site[/url]. Here is one of the better (IMO) comments:
[quote]
Carlo Graziani • April 8, 2008 3:11 PM
I think it requires paranoia above and beyond the usual obsessive variety peculiar to security-conscious folks to believe that the NSA is trying to pull a fast one here. A backdoor concealed in a giant pile of source code might be possible, but it is certain to be discovered sooner or later. There is no guarantee that it would wind up on some system that the NSA would like to break into before it is discovered, and in fact it seems kind of unlikely. And they can only pull that stunt once, after which nobody would ever trust them with 'hello_world.c', let alone a major kernel subsystem. Given the level of development effort that has gone into SELinux, one would have to believe that the NSA is capable of throwing away tens of programmer-years for an uncertain, but almost certainly small intelligence return. I don't doubt they'd like a backdoor into every linux box on the planet, but I'm quite sure they're not that stupid.[/quote]
OTOH, I think the calculus related to "paranoia above and beyond the usual obsessive variety" has shifted measurably due to the recent revelations about the scale of snooping and data-vacuuming, both foreign and domestic, that is ongoing. Probably the best argument for SE Linux probably being reasonably trustworthy is that there are far easier and much "wider" targets out there.
Another good comment:
[quote]
Russell Coker • April 9, 2008 6:33 AM
It seems strange to me that we are still having these discussions after eight years. Anyone who is intelligent enough to put a back-door in a system is probably not going to do it under their own name (anyone can use a gmail.com account to send in kernel patches) and they are probably not going to put it in systems that they use (the LSPP certification process that RHEL4 went through with SE Linux was to enable sales to the US Government). I've been working on SE Linux for almost seven years now. The NSA code I've reviewed as part of this process has been of greater quality than the typical Linux source code - which of course makes it easier to read than it might otherwise be. [url]http://www.coker.com.au/selinux/play.html[/url] If you find a bug in a random piece of Linux code then it won't be a big deal. If you find a security bug in SE Linux then it will get significantly more attention. There are lots of people trying to break SE Linux in various ways. See the above URL about my SE Linux Play Machine for a current challenge (NB DOS attacks are out of scope). Bruce, if you would like some background information on SE Linux development then send me a private email.[/quote] |