
Re: NSA software in Debian



On 01/20/2014 05:29 AM, Marco Saller wrote:
> I have read that the NSA proposed to include SELinux in linux 2.5. (Linux Kernel Summit 2001)
> Don't you think that may be one of their fancy tricks to gain access to computers running linux? Some news websites also mention vulnerabilities similar to this one.
> It would be a great idea to include malicious software to kernel modules.

It is easy to come up with that idea, and it's easy to fear it. It's
easy to write about it and to popularize it and cause mass-delusion.
It's difficult to prove, though.

If you consider that SELinux code is available, and with so many auditing
humans and tools, it's not as easy as it sounds. It can happen, but it's
not as easy as "they can, therefore they are".

As others have said, the NSA doesn't need specific backdoors. There are
many vulnerabilities in all software already available which are already
being exploited.

The more general problem is that not all programmers like or know
formality and that not all developers like strict code and algorithm
correctness. *That* is something to worry about.

I wouldn't worry about SELinux specifically.

