
Re: NSA software in Debian




On 01/20/2014 12:22 PM, Octavio Alvarez wrote:
> On 01/20/2014 05:29 AM, Marco Saller wrote:
>> I have read that the NSA proposed to include SELinux in Linux 2.5. (Linux Kernel Summit 2001)
>> Don't you think that may be one of their fancy tricks to gain access to computers running linux? Some news websites also mention vulnerabilities similar to this one.
>> It would be a great idea to include malicious software to kernel modules.
> 
> It is easy to come up with that idea, and it's easy to fear it. It's
> easy to write about it and to popularize it and cause mass delusion.
> It's difficult to prove, though.
> 
> If you consider that the SELinux code is available, and that there are
> so many auditing humans and tools, it's not as easy as it sounds. It can
> happen, but it's not as easy as "they can, therefore they are".
> 
> As others have said, the NSA doesn't need specific backdoors. There are
> many vulnerabilities in all software already available which are already
> being exploited.
> 
> The more general problem is that not all programmers like or know
> formality and that not all developers like strict code and algorithm
> correctness. *That* is something to worry about.
> 
> I wouldn't worry about SELinux specifically.


There are also so many vulnerabilities below the layer that Debian occupies.
There can be malware in BIOS and firmware blobs, there can even be malware
built into the hardware, or added later in between when it has been shipped
from the manufacturer and before it arrives at your house.  The NSA hardly has
exclusive domain over this stuff.  UK, Canada, Australia, Russia, China, Iran,
and many other countries have very capable intelligence services that are also
working on such exploits.  Then there are all the freelancers who just sell
exploits to the highest bidder.

I think the only way forward is to keep focusing on making progress and avoid
getting bogged down in the paranoia.

Deterministic Reproducible Builds is a good example of making key progress:
https://wiki.debian.org/ReproducibleBuilds

.hc
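The check that reproducible builds rest on is simple to state: build the same source twice, in different environments or at different times, and the outputs must be bit-for-bit identical, so a build that has been tampered with (or a build host that has) shows up as a hash mismatch. The script below is an added example, not code from the thread or from the Debian ReproducibleBuilds project; it packages a small constructed source tree twice with the file timestamps changed in between, once the naive way and once with the timestamp, ordering and ownership sources of nondeterminism pinned down. It assumes GNU tar and gzip, sha256sum (or shasum) and a POSIX sh; the source tree and the SOURCE_DATE_EPOCH value are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread or the Debian wiki page):
# build the same constructed tree twice and compare hashes, the basic
# reproducibility check. Assumes GNU tar/gzip and sha256sum or shasum.
set -eu

# Hypothetical fixed build date (2014-01-20 UTC), the convention used by
# reproducible-build tooling for "the time to embed instead of now".
SOURCE_DATE_EPOCH=1390176000
export SOURCE_DATE_EPOCH

# Create a small constructed source tree under $1.
make_source() {
    mkdir -p "$1/src"
    printf 'int main(void) { return 0; }\n' > "$1/src/main.c"
    printf 'all:\n\tcc -o hello src/main.c\n' > "$1/Makefile"
}

# Simulate a fresh checkout at a different time by rewriting all mtimes.
touch_tree() {   # $1 = tree, $2 = timestamp in touch -t format (YYYYMMDDhhmm)
    find "$1" -exec touch -t "$2" {} +
}

# Naive build: tar records each file's mtime and directory order as found,
# and gzip writes a timestamp into its header, so two runs normally differ.
naive_build() {  # $1 = tree, $2 = output archive
    ( cd "$1" && tar -cf - . ) | gzip > "$2"
}

# Reproducible build: every entry gets SOURCE_DATE_EPOCH as its mtime,
# entries are added in a sorted order fed through -T, owner/group are
# fixed to 0, and gzip -n drops the name and timestamp from its header.
repro_build() {  # $1 = tree, $2 = output archive
    ( cd "$1" && find . -print | LC_ALL=C sort |
      tar --no-recursion --mtime="@$SOURCE_DATE_EPOCH" \
          --owner=0 --group=0 --numeric-owner -cf - -T - ) | gzip -n > "$2"
}

# Hex SHA-256 of a file, using whichever tool is present.
sha() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Run one build function twice, with the tree's mtimes changed in between
# (9:00 vs 15:00 on the same day), and print 1 if the archives match, else 0.
builds_match() {  # $1 = name of the build function to exercise
    work=$(mktemp -d)
    make_source "$work/tree"
    touch_tree "$work/tree" 201401200900
    "$1" "$work/tree" "$work/build1.tgz"
    touch_tree "$work/tree" 201401201500
    "$1" "$work/tree" "$work/build2.tgz"
    h1=$(sha "$work/build1.tgz")
    h2=$(sha "$work/build2.tgz")
    rm -rf "$work"
    if [ "$h1" = "$h2" ]; then echo 1; else echo 0; fi
}

# Stand-alone run: the naive build should report 0, the pinned one 1.
echo "naive build reproducible: $(builds_match naive_build)"
echo "pinned build reproducible: $(builds_match repro_build)"
```

Two things the example shows that the wiki link only implies. First, nondeterminism usually comes from the build environment leaking in (mtimes, directory order, uid, the gzip header), not from the source, so the fix is to pin those inputs rather than to trust any one build host. Second, the comparison is only as good as the independence of the two builds: comparing two archives from the same compromised machine proves nothing, which is why a real check rebuilds on a separate host or relies on the Debian-published hashes.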

