Hi,

I was going to use an SE Linux mailing list for this, but, figured
I'd ask on this list first, figuring that I may have a better chance of
not getting a biased answer.

I've heard all of this "talk" about how secure SE Linux is.
However, how secure can this thing be if it has been developed by the
NSA? I mean, wouldn't THEY know how to get into your computer? And,
it's the NSA! If this question sounds elementary, it's because I'm
still learning how to secure my computer(s). I'm not a nihilist, just a
little skeptical of how secure SEL is in reality (and the NSA). Thanks.
~Telly


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Telly Williams wrote:
> Hi,
>
> I was going to use an SE Linux mailing list for this, but, figured
> I'd ask on this list first, figuring that I may have a better chance
> of not getting a biased answer.
>
> I've heard all of this "talk" about how secure SE Linux is.
> However, how secure can this thing be if it has been developed by the
> NSA? I mean, wouldn't THEY know how to get into your computer? And,
> it's the NSA! If this question sounds elementary, it's because I'm
> still learning how to secure my computer(s). I'm not a nihilist, just
> a little skeptical of how secure SEL is in reality (and the NSA).
> Thanks. ~Telly
>
>
Given how invasive American and British politicians and bureaucrats have
become, I think that this is a very reasonable question to ask. As for
any specific answer about the guts of SE Linux, I cannot comment (lack
of technical aptitude). Nonetheless, I would suggest that if the
Raymond's (
http://www.redhat.com/support/wpaper...thedral-1.html
) idea of "many eyes makes shallow bugs" applies, then it is unlikely
that the NSA have been able to install back door through which they can
monitor the goings on of your machine.

But ... I could be wrong ... or I could be an NSA plant, intending to
psychops you with disinformation.

:-)

A

--

"If they can get you asking the wrong questions, they don't have to worry about the answers." - Thomas Pynchon, "Gravity's Rainbow"


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Thu, Jun 14, 2007 at 03:22:11PM -0600, Telly Williams wrote:
>
> I've heard all of this "talk" about how secure SE Linux is.
> However, how secure can this thing be if it has been developed by the
> NSA? I mean, wouldn't THEY know how to get into your computer? And,
> it's the NSA! If this question sounds elementary, it's because I'm
> still learning how to secure my computer(s). I'm not a nihilist, just a
> little skeptical of how secure SEL is in reality (and the NSA). Thanks.
> ~Telly
>
Hmm. I am not sure if you are seriously asking or if you are trolling.
I guess the answer to your question depends on what you consider
"secure" and also whether you think that they have a reasonable chance
to be able to "sneak" something in.

To the first point, only you can answer that. To the second point, I
think that no such chance exists. The Linux kernel is one of the most
popular open source projects in the world. Arguably, more people work
on development on the Linux kernel than on any other open source
project. If someone tried to "sneak" something in, it *would* be
noticed. Now, if you were talking about a project with only a few core
developer, then maybe they could "sneak" something in. If that small
number of developers worked for the same company, even moreso.

Hmm, come to think of it, that sort of describes Microsoft (small number
of core developers all working for the same company). They even don't
release their source code, except under the most restrictive
circumstances (e.g., some select academic research labs). Also, don't
forget that the NSA gave a great deal of "assistance" with "security
matters" on the windows codebase prior to the release of Vista. I think
that you have much more to worry about from the NSA on Windows than you
do on Linux.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFGcbwF1snWssAFC08RAvI2AKCIDhjxbFrR/hFM5jpqF7fXszDMnACff72G
NDpnG9NCPZ1yaYiwSW5bZYw=
=GiPV
-----END PGP SIGNATURE-----

On 06/14/07 16:38, andy wrote:
> Telly Williams wrote:
>> Hi,
>>
>> I was going to use an SE Linux mailing list for this, but, figured
>> I'd ask on this list first, figuring that I may have a better chance
>> of not getting a biased answer.
>>
>> I've heard all of this "talk" about how secure SE Linux is.
>> However, how secure can this thing be if it has been developed by the
>> NSA? I mean, wouldn't THEY know how to get into your computer? And,
>> it's the NSA! If this question sounds elementary, it's because I'm
>> still learning how to secure my computer(s). I'm not a nihilist, just
>> a little skeptical of how secure SEL is in reality (and the NSA).
>> Thanks. ~Telly
>>
>>
> Given how invasive American and British politicians and bureaucrats have
> become, I think that this is a very reasonable question to ask.

And it was asked (repeatedly ad nauseum) 6 years ago.

Apparently, enough people have pored over the code (it's open
source, you know...) that it's been satisfactorily answered.

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Roberto C. Sánchez wrote:
> On Thu, Jun 14, 2007 at 03:22:11PM -0600, Telly Williams wrote:
>
>> I've heard all of this "talk" about how secure SE Linux is.
>> However, how secure can this thing be if it has been developed by the
>> NSA? I mean, wouldn't THEY know how to get into your computer? And,
>> it's the NSA! If this question sounds elementary, it's because I'm
>> still learning how to secure my computer(s). I'm not a nihilist, just a
>> little skeptical of how secure SEL is in reality (and the NSA). Thanks.
>> ~Telly
>>
>>
> Hmm. I am not sure if you are seriously asking or if you are trolling.
> I guess the answer to your question depends on what you consider
> "secure" and also whether you think that they have a reasonable chance
> to be able to "sneak" something in.
>
> To the first point, only you can answer that. To the second point, I
> think that no such chance exists. The Linux kernel is one of the most
> popular open source projects in the world. Arguably, more people work
> on development on the Linux kernel than on any other open source
> project. If someone tried to "sneak" something in, it *would* be
> noticed. Now, if you were talking about a project with only a few core
> developer, then maybe they could "sneak" something in. If that small
> number of developers worked for the same company, even moreso.
>
> Hmm, come to think of it, that sort of describes Microsoft (small number
> of core developers all working for the same company). They even don't
> release their source code, except under the most restrictive
> circumstances (e.g., some select academic research labs). Also, don't
> forget that the NSA gave a great deal of "assistance" with "security
> matters" on the windows codebase prior to the release of Vista. I think
> that you have much more to worry about from the NSA on Windows than you
> do on Linux.
>
> Regards,
>
> -Roberto
>
>
Thanks Roberto,

I try to be suspicious about most things I just get wind of. I'm
also getting tired of reading about all of this silly stuff like
"spying" and "cracking" and what-not, so I want to do the utmost and try
to prevent it from happening to me /as much as possible/. I'd feel
embarrassed if I were to preach about securing computers only to have
some "back-door" on my computer from using a program created by the NSA
(one of those "what were you thinking in the first place" moments).

And, no, I'm not trolling. ~Telly


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Telly Williams writes:
> I've heard all of this "talk" about how secure SE Linux is. However, how
> secure can this thing be if it has been developed by the NSA? I mean,
> wouldn't THEY know how to get into your computer?

If they are capable of sneaking a backdoor past the FOSS community why
wouldn't they put it directly into the kernel?

> And, it's the NSA!

And you know what? They are _people_! Yes! The NSA consists of human
beings! Regular, old-fashioned, limited, fallible human beings!


And consider this: even if NSA developed SE Linux in order to slip a
backdoor into secure Linux systems the best way for them get it widely
adpted would be to make it secure against everyone else. So unless your
threat model includes attacks from the NSA you still would better off using
it.
--
John Hasler


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Thu, Jun 14, 2007 at 03:22:11PM -0600, Telly Williams wrote:
> I was going to use an SE Linux mailing list for this, but, figured
> I'd ask on this list first, figuring that I may have a better chance of
> not getting a biased answer.
>
> I've heard all of this "talk" about how secure SE Linux is.
> However, how secure can this thing be if it has been developed by the
> NSA? I mean, wouldn't THEY know how to get into your computer? And,
> it's the NSA! If this question sounds elementary, it's because I'm
> still learning how to secure my computer(s). I'm not a nihilist, just a
> little skeptical of how secure SEL is in reality (and the NSA). Thanks.

A reasonable question.

Unless you write your whole OS yourself, you have to trust someone.

For open source you have two general categories: Linux and BSD.

With the BSD category:
FreeBSD: focus on i386, performance, features, security
NetBSD: focus on many archetectures, security.
OpenBSD: focus on security first, and they keep the system small
so they can watch it all. Some call it the most secure
publicly-available OS in the world. It's also based in
Canada not the US.

Within the Linux category:
Debian: (IMHO) the most stable and secure linux.
Others: various foci.

However, the linux kernel is, as you've seen in other posts,
the biggest open-source project in the world with thousands of
pairs of eys on it. It is highly improbable that NSA slipped
something in unnoticed (and highly unlikely that those who
notice are complicit).

Also as you've heard, even if NSA did slip something in, that's
only a concern if the NSA (or more broadly, the US Government)
is on your threat list.

If your threat list does include the US government, then you may want to
consider OpenBSD and carry on this discussion on the OBSD mailing list.
Note, however, that OBSD is a steeper learning curve than Debian.

If you wish to continue the thread here:

Remember, that if you're new to an OS (any OS) and you change any
configs, you are more likely to be the biggest security threat.

What are your security concerns?

Doug.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Douglas Allan Tutty wrote:
> On Thu, Jun 14, 2007 at 03:22:11PM -0600, Telly Williams wrote:
>> I was going to use an SE Linux mailing list for this, but, figured
>> I'd ask on this list first, figuring that I may have a better chance of
>> not getting a biased answer.
>>
>> I've heard all of this "talk" about how secure SE Linux is.
>> However, how secure can this thing be if it has been developed by the
>> NSA? I mean, wouldn't THEY know how to get into your computer? And,
>> it's the NSA! If this question sounds elementary, it's because I'm
>> still learning how to secure my computer(s). I'm not a nihilist, just a
>> little skeptical of how secure SEL is in reality (and the NSA). Thanks.
>
> A reasonable question.
>
> Unless you write your whole OS yourself, you have to trust someone.

Even if you write the OS, you have to trust the hardware
manufacturers. If you construct your own hardware, you'll
need to make sure that you are personally attaching
every component to each card. You'll also have to design
the chips, verify the firmware, etc, etc, ad nauseum. You
have to rely on people you don't know. There's
no way around it.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Fri, Jun 15, 2007 at 06:34:22AM +0100, William Pursell wrote:
> Douglas Allan Tutty wrote:
> >On Thu, Jun 14, 2007 at 03:22:11PM -0600, Telly Williams wrote:
> >> I was going to use an SE Linux mailing list for this, but, figured I'd ask on this list first, figuring that I may have a better chance of
> >>not getting a biased answer.
> >>
> >> I've heard all of this "talk" about how secure SE Linux is. However, how secure can this thing be if it has been developed by the NSA? I
> >>mean, wouldn't THEY know how to get into your computer? And, it's the NSA! If this question sounds elementary, it's because I'm still
> >>learning how to secure my computer(s). I'm not a nihilist, just a little skeptical of how secure SEL is in reality (and the NSA). Thanks.
> >A reasonable question. Unless you write your whole OS yourself, you have to trust someone.
>
> Even if you write the OS, you have to trust the hardware
> manufacturers. If you construct your own hardware, you'll
> need to make sure that you are personally attaching
> every component to each card. You'll also have to design
> the chips, verify the firmware, etc, etc, ad nauseum. You
> have to rely on people you don't know. There's
> no way around it.
Also, with FLOSS just like Nixon said "trust but verify". FLOSS folks
just don't take anyones word for it, the have the source and thus can
verify what it does. And what if some "J. random hacker " made it? Would
it be any more or less trustworthy?
--
| .''`. == Debian GNU/Linux == | my web site: |
| : :' : The Universal |mysite.verizon.net/kevin.mark/|
| `. `' Operating System | go to counter.li.org and |
| `- http://www.debian.org/ | be counted! #238656 |
| my keyserver: subkeys.pgp.net | my NPO: cfsg.org |
|join the new debian-community.org to Debian! |
|_______ Unless I ask to be CCd, assume I am subscribed _______|

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGciQTv8UcC1qRZVMRAuVXAJ4l2FG9UR1+ILyn1ZdNn9 oShNerRgCeOFaP
gI3AE6FjmXibrngmbY03KpM=
=XL0D
-----END PGP SIGNATURE-----

On 06/15/07 00:30, Kevin Mark wrote:
[snip]
> Also, with FLOSS just like Nixon said "trust but verify". FLOSS folks

I know that Democrats confuse Reagan and Nixon on a regular basis,
but it actually was Reagan quoting a Russian proverb.

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

* Ron Johnson <ron.l.johnson@cox.net> [2007-06-15 11:33:55 -0500]:


> I know that Democrats confuse Reagan and Nixon on a regular basis, but it
> actually was Reagan quoting a Russian proverb.
>
Or, more precisely, Reagan's speechwriters.

--
Regards,
Klein.

A black cat crossing your path signifies that the animal is going somewhere.
-- Groucho Marx


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org