
Re: NSA software in Debian



Hi,

I did not know about grsecurity. Thanks for the hint. After some quick browsing, it seemed it works like the Windows code execution protection. I will try to compile the kernel with this patch like you did.

Linux is the most secure OS IMHO. Distributing this patch in Debian would be great, I think (as soon as all apps are compatible).

Kind regards / best regards,
Kevin Olbrich.

(mobile, from iPhone)

--
This e-mail contains confidential and/or legally protected information. If you are not the intended recipient and/or have received this e-mail in error, please inform the sender immediately and destroy this mail. Unauthorised copying and unauthorised forwarding of this mail are not permitted.

> On 20.01.2014 at 00:49, Marko Randjelovic <markoran@eunet.rs> wrote:
> 
> On Sat, 18 Jan 2014 15:04:48 -0500
> Noah Meyerhans <noahm@debian.org> wrote:
> 
>>> On Sat, Jan 18, 2014 at 08:30:49PM +0100, Marco Saller wrote:
>>> I am not sure if this question has been asked or answered yet; please do not mind if I ask it again.
>>> Is it possible that the NSA or other services included investigative software in some Debian packages?
> 
> They don't need to do it. Software is full of security bugs. Most
> suitable are web browsers. NSA controls Internet backbone routers. Just
> check CVE records for Internet Explorer, Firefox or Chrome. Firefox ESR
> is meant for security, but 17 ESR had 11 updates, which means before
> bugs were corrected you were vulnerable. And probably there are still,
> but 17 ESR is not anymore supported and you have to go to 24 ESR which
> certainly brings new bugs and so on.
> 
>> 
>> It is absolutely possible. It's even possible that you yourself have
>> added such software to Debian! Can you prove that you haven't?
>> 
>> That line of thinking leads to madness. The only rational conclusion,
>> once you start down that path, is to turn off your computers and move to
>> a remote cabin in the wilderness.
> 
> What would make you highly suspicious.
> 
>> It will never be possible to prove
>> that there is no malicious software in Debian or in any other OS. Beyond
>> that, it will never be possible to prove that there is no malicious
>> *hardware* executing your OS.
>> 
>> We can and do take care to ensure that all changes to Debian are made by
>> people authorized to make those changes. (Package uploads must be signed
>> by a Debian developer.) We can and do take care to ensure that the
>> packages you download have not been modified in transmission (signing of
>> Release files, checksums on Packages files and on packages themselves.)
>> Etc. If deficiencies are found in our mechanisms or policies, then we
>> take steps to improve them. If violations are found, then we take steps
>> to audit for impact and resolve any potentially malicious actions that
>> we identify. We take great care to minimize the likelihood of any sort
>> of backdoor or malicious code in Debian, but none of this can provide
>> 100% proof that such a thing doesn't exist.
> 
> But Debian doesn't support grsecurity and similar security enhancements
> for the Linux kernel[1], though PaX[2] is a serious protection from
> exploiting security bugs in software. I needed a lot of time in order
> to successfully patch the Debian kernel with grsecurity, though I
> immediately removed all features/* patches. It's because patch B can
> assume patch A is applied, and when patch A is not applied, then patch B
> fails. But it is possible patch B is still needed. For that reason, and
> the reason of availability of a newer kernel in the backports repo, my
> opinion is that the features patches are unneeded and make more problems than
> benefit.
> 
>> Anybody that claims that
>> they can prove otherwise, for Debian or any other OS, is either lying or
>> ignorant.
>> 
>> noah
> 
> [1] https://lists.debian.org/debian-devel/2003/09/msg01133.html
> [2] https://en.wikipedia.org/wiki/PaX
> 
> -- 
> Education is a process of making people see what is advanced and not
> obvious, but also not seeing what is basic and obvious.
> 
> http://markorandjelovic.hopto.org
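Noah's reply above describes the integrity chain apt relies on: a signed Release file carries the checksums of the Packages indices, and each Packages entry carries the checksum of the .deb it points to. The script below is an added example, not code from the thread or from Debian's apt; it constructs a miniature Release file, Packages index and .deb payload in-line (the package name, paths and contents are made up) and walks the two checksum links, showing that a modified index or a modified package breaks the chain. Verification of the OpenPGP signature on the Release file itself is the first link in practice and is left out here.

```python
"""Worked example of the Release -> Packages -> .deb checksum chain.

All inputs are constructed in this file so the script runs offline; they are
not real Debian archive data. Only the SHA256 links are checked here; the
OpenPGP signature on the Release file (checked by apt before anything else)
is out of scope for this example.
"""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed .deb payload (stands in for the package file on a mirror).
DEB_BYTES = b"!<arch>\nconstructed-deb-contents\n"

# Constructed Packages index entry in Debian control format, pointing at the
# .deb above and recording its size and SHA256.
PACKAGES_TEXT = (
    "Package: example-pkg\n"
    "Version: 1.0-1\n"
    "Filename: pool/main/e/example-pkg/example-pkg_1.0-1_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256_hex(DEB_BYTES)}\n"
    "\n"
)
PACKAGES_BYTES = PACKAGES_TEXT.encode()

# Constructed Release file listing the Packages index. In a real archive this
# file is what the OpenPGP signature covers, so trust flows from it downwards.
RELEASE_TEXT = (
    "Suite: stable\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES_BYTES)} {len(PACKAGES_BYTES)} main/binary-amd64/Packages\n"
)


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256: stanza of a Release file."""
    entries = {}
    in_sha = False
    for line in release_text.splitlines():
        if re.match(r"^\S+:", line):           # a new field starts
            in_sha = line.startswith("SHA256:")
            continue
        if in_sha and line.startswith(" "):    # continuation line: hash size path
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> dict:
    """Return {package name: {field: value}} from a Packages index."""
    pkgs = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        pkgs[fields["Package"]] = fields
    return pkgs


def verify_index(release_text: str, index_path: str, index_bytes: bytes) -> bool:
    """First link: does the downloaded Packages index match the Release file?"""
    digest, size = parse_release_sha256(release_text)[index_path]
    return len(index_bytes) == size and sha256_hex(index_bytes) == digest


def verify_deb(packages_text: str, name: str, deb_bytes: bytes) -> bool:
    """Second link: does the downloaded .deb match its Packages entry?"""
    fields = parse_packages(packages_text)[name]
    return len(deb_bytes) == int(fields["Size"]) and sha256_hex(deb_bytes) == fields["SHA256"]


def verify_chain(release_text: str, index_path: str, index_bytes: bytes,
                 name: str, deb_bytes: bytes) -> bool:
    """Both links must hold; a tampered index or tampered .deb fails the chain."""
    if not verify_index(release_text, index_path, index_bytes):
        return False
    return verify_deb(index_bytes.decode(), name, deb_bytes)


if __name__ == "__main__":
    ok = verify_chain(RELEASE_TEXT, "main/binary-amd64/Packages", PACKAGES_BYTES,
                      "example-pkg", DEB_BYTES)
    # Same-length modification of the .deb: size matches, hash does not.
    tampered = DEB_BYTES.replace(b"contents", b"c0ntents")
    bad = verify_chain(RELEASE_TEXT, "main/binary-amd64/Packages", PACKAGES_BYTES,
                       "example-pkg", tampered)
    print("intact chain:", ok, "| tampered .deb:", bad)
```

The size check alone is not a defence (the tampered package above keeps its length); it is the SHA256 in the signed Release file, carried through the Packages index, that pins the bytes apt installs, which is exactly why a change anywhere below the signature shows up as a mismatch.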

