Re: NSA enhancing Linux security?
From: Bill Laut (wlgen_at_verizon.net)
Date: 02/28/04
- Previous message: Carlos Moreno: "Re: NSA enhancing Linux security?"
- In reply to: Carlos Moreno: "NSA enhancing Linux security?"
- Next in thread: Skorpion (CET): "Re: NSA enhancing Linux security?"
- Reply: Skorpion (CET): "Re: NSA enhancing Linux security?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 28 Feb 2004 04:32:03 GMT
Carlos Moreno wrote:
>
> [...]
>
>
> Yes, I know I may sound overparanoid... But, let's face
> it: the NSA? There is no such thing as being too paranoid
> when we're talking about the NSA.
>
> Any comments?
>
> Carlos
> --
Since you asked for comments, I will give you some. As I'm typing this in,
the NSA--either directly or under contract from other intel agencies like
the FBI--is currently:
(1) recording every telephone call that originates or terminates within
the USA, including all local phone calls.
(2) logging ALL email and web-browsing on all USA backbones.
(3) transcribing all credit-card, banking, and Fedwire transactions.
(4) Ditto for faxes, telegraphs, and satellite communications.
All of this--and LOTS more--are currently being warehoused in an obscure NSA
basement where the true TIA program is digesting it. (The "official" TIA
program that Congress shot down was only an expendable decoy sent out to
let the privacy advocates score a kill.)
Oh, and, by the way, as for all of the "civilian-grade" ciphers like AES,
3DES, Blowfish, etc., they are breaking those in realtime (or near
realtime, depending on what the cleartext data was), so don't delude
yourself into thinking that buys you any -real- security. Dittos for
so-called "quantum encryption" that tries to use the Heisenberg Uncertainty
Principle to detect if someone has tapped the line. The NSA discovered
that back in the mid-70s and has since developed methods to circumvent it.
And if you think the FBI snooping at libraries and booksellers is bad
enough, they've also been demanding the customer databases of grocery-store
chains to see what you've been buying with your "Valued Customer" discount
card (Sam's Club or Costco, anyone?), as well as demanding certain video
rental agencies install their software so they can monitor what DVDs you've
been renting.
God only knows what they've installed into Windows...
As regards Linux, in the words of one knowledgeable source, "it isn't all
that secure." Remember, this is coming from an agency that has an
unlimited budget to hire the very brightest techies--the kind of people you
put in a darkened room, chained to their PCs, and pass food to through a
slot in the door and through which they pass PoCs and working attacks--to
relentlessly analyze and attack every possible facet of every possible
feature and in every possible configuration. From this formidable pool of
talent they log every possible weakness in every possible version of every
possible software package they find, from the device drivers on up, so if
they want to break into your system they simply go to the logs, match what
they know about your system and then call up the appropriate attack modules
to step their way, "labyrinth"-style, into your system.
By comparison, when was the last time YOU analyzed the Linux kernel source
code with such finesse? Do you use a cable modem or DSL? If so, when was
the last time YOU exhaustively analyzed your NIC's driver to see if a
specially-malformed Ethernet packet could cause a cascading ripple through
your system?
And that's just a humble NIC driver. Imagine what treasures they found in
XFree86....
We are talking way, WAY beyond the FBI's toothless "Carnivore."
And you're worried about SELinux? You have a number of NSA analysts
laughing at your naïveté right now.
As for SELinux, it is merely a research project intended to install
Mandatory Access Controls (MACs) into the Linux kernel. For what it's
worth, as an erstwhile SELinux contributor (I was working on securing
X-Windows at one time) I personally reviewed the code, line-by-line, and
there's nothing in it except for the MAC stuff. In fact, SELinux is so
damned good it ought to be held up as an example of how to properly
implement system security. Gone are the days that the computer is a
"smorgasbord of resources" from which a program can freely pick and choose
to access (within the limits of the Discretionary Access Controls). With
SELinux the Security Administrator can establish so-called "domains" around
every program and explicitly state what aspects of which resources that
program is allowed to access--and to log/block anything that's not
authorized. Furthermore, the architectural design of SELinux is such that
it can be the engine of an amazing Intrusion Detection System (and which is
another project I'm working on).
So, I wouldn't sweat SELinux if I were you. Especially when there's so much
more about Linux to be frightened of.
Cheers.
-- Bill Laut
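As an added illustration of the "domain around every program" model described in the post above (not code from the post or from the SELinux project): a minimal SELinux Type Enforcement module in reference-policy style that confines a hypothetical daemon, here called mydaemon (all type names are assumptions), to its own domain, grants only the listed accesses, and relies on the default-deny behaviour so that anything not explicitly allowed is blocked and recorded as an AVC denial. The interface macros used (init_daemon_domain, corenet_tcp_bind_http_port, etc.) are standard reference-policy interfaces.

```selinux
policy_module(mydaemon, 1.0)

# Types: the process domain, its executable, its data and its log file.
# (Names are assumptions for this example, not an existing policy.)
type mydaemon_t;
type mydaemon_exec_t;
type mydaemon_data_t;
type mydaemon_log_t;

# Declare mydaemon_t as a process domain entered through mydaemon_exec_t
domain_type(mydaemon_t)
domain_entry_file(mydaemon_t, mydaemon_exec_t)
files_type(mydaemon_data_t)
logging_log_file(mydaemon_log_t)

# When init executes a mydaemon_exec_t file, the new process automatically
# transitions from init's domain into mydaemon_t ("the domain around the program")
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# Explicit grants: the only resources the daemon may touch.
# Read-only access to its own data directory and files.
allow mydaemon_t mydaemon_data_t:dir { search read open getattr };
allow mydaemon_t mydaemon_data_t:file { read open getattr };
# Append-only access to its log (no read, no unlink, no overwrite).
allow mydaemon_t mydaemon_log_t:file { create append open getattr };
# Network: may create a TCP socket and bind only to the http port.
allow mydaemon_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(mydaemon_t)
corenet_tcp_bind_http_port(mydaemon_t)

# Anything absent from the rules above (writing to /etc, reading user home
# directories, connecting outbound, ...) is denied by the kernel and logged
# as an AVC denial without any further rule.
# auditallow additionally records *permitted* accesses, useful for watching
# a sensitive grant such as log-file creation.
auditallow mydaemon_t mydaemon_log_t:file create;
```

Build and load with `make -f /usr/share/selinux/devel/Makefile mydaemon.pp && semodule -i mydaemon.pp`; denials generated by the confined daemon can then be reviewed with `ausearch -m avc -ts recent`.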