Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

NSA Releases High Security Version Of Linux

Hemos posted more than 13 years ago | from the making-things-secure-=-good dept.

Linux 257

We had an extremely interesting submission from Ted T'so,, Linux kernel developer, who also has an obvious interest in security, given his work with Kerberos [?] . He wrote in concerning the release by the NSA (Yes, that NSA) of a high security version of Linux. I've included his comments below.

tytso writes: "I recently attended a DARPA workshop which focused on high security open source operating systems. It turns out that parts of the U.S. government are really interested this topic; having an operating system with the necessary high-security features which they need, and for which source code is available, would be a really good thing for them. Among other things, for example, it would mean that they wouldn't have to live in terror about what might happen if Sun, IBM, SGI, et. al decided to pull the plug on Trusted Solaris, Trusted AIX, or Trusted IRIX. And they're serious enough that DARPA's willing to throw money at the problem.

While I was at this workshop, I met some folks from the NSA and they told me about a really neat project that they've been working on, called Security-enhanced Linux. One of the cool things about it is that it separates enforcement and policy. So selinux can easily support many different security policies, from the old (some would say outdated/silly) Multi-Level Secure/Bell-LaPadula model, to Domain-Type enforcement and Rule-Based Access Control models. So if you think that high-security features means the old silly, Secret / Top Secret / CMW bullshit, and needing to make sure that Secret windows don't get expose events from Top Secret windows, think again. A number of folks have found Domain Type Enforcement and Rule-Based Access Control systems very useful for securing Web servers and other real world systems.

The NSA folks just recently got permission to make their stuff available on the Web. It's just a proof of concept, and no doubt a lot of changes will need to made before people will accept integrating it into the kernel, but they have released a working system (both kernel and userspace patches --- RPM's aren't quite ready yet) based on Linux 2.2 and RedHat 6.1. So it's definitely worth a look, and in fact some folks with specialized needs might find it useful, even though it's a prototype.

Of course, the source code is all there, and we're encouraged to look at and audit the code. So paranoiacs who think that the NSA is trying to infiltrate trap doors into the Linux kernels needn't worry. (Besides, it's a different part of the government who's interested in spying on U.S. citizens, and it's much more efficient for them to break into your house, and insert a wiretapping device between your computer and your keyboard as part of a black bag job. :-)

The Web site is http://www.nsa.gov/selinux. I think it's really great that some folks at NSA's Information Assurance Research Office (IARO) have made this contribution to the Linux community. They're really nice folks (even if they can't talk about a lot of what they do at work :-).

P.S. Apparently it's not easy to get stuff published by the NSA, since their entire culture, not surprisingly, is based around not letting stuff out. This Web page went up a few days ago, and then some bureaucrats made the folks in the IARO take it down temporarily, much to their disappointment. At the moment it looks like they've finally crossed all of the bureaucratic t's and dotted all of the bureaucratic i's. But just in case, it might not be a bad idea if someone mirrored the entire tree just in case some flack in some other part of the agency tells them to take it down again....

"

Sorry! There are no comments related to the filter you selected.

Re:hahahahahahah (1)

JEL (24988) | more than 13 years ago | (#543697)

IIRC, GPL says that you do not have to release stuff you created based on GPLed software. It says that you have to release the source code whenever releasing your stuff to public.

Re:But why the old kernel? (2)

phil reed (626) | more than 13 years ago | (#543700)

Hey, the whole effort is only in prototype stage. They've probably been working on it for a while, and released what they had. You can probably be sure they will integrate their changes into a more current kernel.


...phil

Re:rsh and WU-FTPd (2)

blogan (84463) | more than 13 years ago | (#543705)

I'm sure including these was to provide a backdoor in case the product got into the hands of the enemies.

"Sir, Saddam has Secure Linux running, what should we do?"
"Does he still have rsh running and wu-ftpd?"
"Sir, let me say that you are a true genius."

Trusting the Government and OpenSource OS's (1)

Anonymous Coward | more than 13 years ago | (#543707)

I'm not the most trusting person of the US Government, but, of course, it was the founder father who said don't trust the government. However, I respect the NSA and known people who work inside of NSA, one guy was friends with a top sysadmin in the NSA NOC. These guys were highly respected, highly trust worlthy people who stricly kept to thier outh.

I don't adgree with all of the NSA ops, but this one I do. I see highly unlikey that the NSA would "plant" bugs in open sourced code. That would be stupid. Even though we belive the NSA, CIA, FBI is sometime above the law, they have to follow laws (I'm about to go to court fighting unlawful action of a police officer). So why would they do such a thing. Everybody know this code will be audited, I know I will audit it myself, so why put bugs or backdoors into the code? Somebody will find it. If there is back doors in the code, that would be one of the dumpest thing the NSA has ever done.

Re:Hey Taco & Crew (1)

Packratt (257218) | more than 13 years ago | (#543712)

Oh it just gets way too complicated because then you have to add mods like:

Score +1 Optimistic
Score -1 Naive
Score -3 AOL user level of naivety
Score -5 I believe the government really cares about my needs naivety

You see, it just gets too wierd when you try to bring balance to the force, (or farce(or schwartz))...

Re:But... (1)

F452 (97091) | more than 13 years ago | (#543713)

Yeah. So?

Re:Wow. (1)

ThePixel (47166) | more than 13 years ago | (#543714)

geez. will this not end? We have a very simple system. a machine looks at the votes. the machine is not biased. the machine counts only votes that are absolutely a positive vote. there is no question about this fact. Unfortunately, some people are unable to read directions, and then bitch about thier own incompetence. It amazes me that these people are able to drive cars, but can't seem to puch out the right hole.
.e.
www.perceive.net [perceive.net]

The end is near. (3)

bmongar (230600) | more than 13 years ago | (#543715)

First sign: Courts finding Microsoft guilty of leveraging a monopoly

Second Sign : NSA releasing information to the public about security

Third sign : Rivers turn to blood

The end is coming just one more sign

Why did they have to use Linux? (1)

electricmonk (169355) | more than 13 years ago | (#543717)

This seems counterproductive, in my opinion. They could have just as easily contributed to the TrustedBSD [trustedbsd.org] project. If they had done that, then their code could have actually been used in more than just one operating system, instead of just Linux, due to the incompatibilities between the GPL and the BSD license.

Mirror (3)

PxT (26449) | more than 13 years ago | (#543721)

Mirror being built Here [droflet.net] .

Re:hahahahahahah (2)

GrenDel Fuego (2558) | more than 13 years ago | (#543723)

But you don't have to worry about hidden trojans in binaries that aren't released. That kind of makes it a moot point.

Either they release it, and have to release the code, or the don't release it, and you dont' have to worry.

No problem... (5)

G-Man (79561) | more than 13 years ago | (#543725)

...just be sure to comment out "backdoor.h" before compiling anything...

This IS a Good Thing(TM) (1)

Anonymous Coward | more than 13 years ago | (#543727)

I work for the government on a Multi-Level Secure network (yeah, complete with all that "can't expose one security level to another stuff" -- ugh!) with a TS/SCI clearance and I, for one, think this is a Good Thing(TM). The issue is not who is releasing it but rather that it is being released AT ALL!

My office is currently migrating our network from an older technology to PC-based tech and I've been pulling my hair out with these guys about their choice of operating system and application software. You guessed it: Micro$oft. Why? Because Linux, despite its virtues, raises the hackles of too many old-timers who still believe in security through obscurity.

This release by the NSA lends legitimacy to the security claims of Linux proponents. Old-timers can feel good because the NSA "endorses" the use of Linux and the rest of us can finally get a chance to use Linux in government projects. As other posters have mentioned, the source code will be available for perusal to calm the fears of anyone fearing Trojan Horses. If that is your fear, you are missing the point! The point is that Linux is making it into US Government Machines. If the US Government wants to spy on itself, there are easier ways to do it than to trap an custom version of Linux! C0deM0nkey "Doh! Forgot my password! -- I'm not an AC! Really!"

Re:So.. What about Sun, IBM, and SGI ?? (1)

Coz (178857) | more than 13 years ago | (#543733)

(*ducks preemptively*)

Nothing wrong with x86 hardware - if it's in a Beowulf cluster....

(*flees*)

Re:easy way to secure a box (1)

linuxmop (37039) | more than 13 years ago | (#543737)

Sorry, chumpy, but more secure doesn't necessarily mean less usable. There are much better methods for security than those used today. Also, do you REALLY think NSA wrote Security Linux for the average desktop user? Can't use IRC.. give me a break.

NSA is not that secretive (4)

Anonymous Coward | more than 13 years ago | (#543739)

Just go to the bars in Georgetown where the younger NSA members hang out, but them a few brews, and in an hour or two they're giving you their lifestory, and handing out floppies of classified algorithms.

All they really want is a little human warmth.

Re:Why Linux instead of OpenBSD? (1)

god, did I say that (253932) | more than 13 years ago | (#543741)

Because the BSD license would not prevent me from taking their modifications and making them my own.
I can do that with the GPL too, but I'd have to show show the NSA (well, anyone) any changes I make to the code.

Understandably, the NSA doesnt want to see their code modified for nefarious purposes. Under the GPL you would (1) have to disclose the source and (2) find assasins parked outside your window.

I prefer the BSD license over the GPL but every license has its application and the GPL is ideal for this particular example.


--

Wow (4)

phil reed (626) | more than 13 years ago | (#543742)

The only thing I can think of at the moment is how bad this is going to piss off Microsoft. Doesn't Microsoft have a web page someplace dedicated to dissing Linux? Isn't security one of Microsoft's hot buttons?


...phil

Re:hahahahahahah (1)

Tin Weasil (246885) | more than 13 years ago | (#543743)

The NSA would also be forced, under the GPL, to release all source code for their distribution. That makes planting a trojan very unlikely, as you could compile from source if you don't trust the NSA's binaries.

Re:Why did they have to use Linux? (1)

jeffry_smith (5065) | more than 13 years ago | (#543744)


the only question that can possibly arise here, is whether they must assign copyright to Linus just to make their patches into mainstream kernels or not?

no.

Re:Why Linux instead of OpenBSD? (1)

dbrutus (71639) | more than 13 years ago | (#543745)

I would guess that the requirements for this projects were something like this:

1. Get the public to harden their systems before the Chinese, or the Russians, or any of a dozen other countries with computer warfare military units, penetrates enough systems to make infowar a practical venture.
2. Get it adopted without a heck of a lot of vendor threats/handholding (probably why it's open source)
3. Greatest good for the greatest number of systems (Linux)

Sound good?

This is good news for sure! (1)

SethD (42522) | more than 13 years ago | (#543748)

The NSA is actually encouraging people to get involved with the discussion and source code of the OS at this link [nsa.gov] ! Who would of thought the NSA would do something like this? Sure creates a little bit of a different picture of the big security bully that we've all grown to hate.

Bill Gates...eat your heart out: "Linux was chosen as the platform for this work because its growing success and open development environment provided an opportunity to demonstrate that this functionality can be successful in a mainstream operating system and, at the same time, contribute to the security of a widely used system."

Re:hahahahahahah (1)

Tin Weasil (246885) | more than 13 years ago | (#543749)

Please take a look at my post in the context of the thread to which I was replying.

The AC who posted the original comment said that he would not run a version of Linux distributed by the NSA.

Under this scenario, if the NSA were to distribute thier Linux "version", then they WOULD have to release the source, and that would essentially take care of the problem.

Thanks.

Re:hahahahahahah (1)

bmongar (230600) | more than 13 years ago | (#543751)

Gotcha, since the original post was a sub 1 post, I didnt' see it.

Re:hahahahahahah (1)

Strog (129969) | more than 13 years ago | (#543754)

Unless they write their own programs for it and only release binaries. You put any license on a program you write from scratch since it is yours.

Re:The end is near. (4)

Erasmus Darwin (183180) | more than 13 years ago | (#543756)

Second Sign : NSA releasing information to the public about security

Err, ever hear of the rainbow books? They're a series of standards for classifying trusted computer systems. They were published by the DoD, which is the parent organization for the NSA; the odds are good that there was NSA involvement in the project.

Re:What potential! (1)

tech_imp (115846) | more than 13 years ago | (#543766)

I agree that this is a very nice thing to see.
With the recent increases of cyberattacks on sites this is a very good thing to have happen. I happen to be sitting on a pice of backbone that is shared with some government offices and when the Washington State web site was clobbered my business took a hit from all the flooded traffic.
By offering to raise the security bar like this we all will be better off.

Re:What potential! (2)

Lally Singh (3427) | more than 13 years ago | (#543768)

Not to mention that a large part of the cold war mission of the intelligence community is to prevent foreign industrial espionage, in which case a (more) secure operating system is directly in line with their goals.

--

Re:Source code woudln't be entirely safe... (1)

linuxmop (37039) | more than 13 years ago | (#543771)

Of course you don't use their precompiled binaries for anything! Jeez! And good god, they aren't out to get you here. They just wanted a good secure OS that they could modify, so they modified an open OS and gave the changes back, possibly as thanks for writing the OS to begin with. Stop being paranoid.

Re:A little confused about this one (1)

klapp (262896) | more than 13 years ago | (#543775)

If you pulled your head out of your ass you'd realize that the NSA is not just legally, but as a culture morally compelled not to spy in the US. Knowing some of those guys, they make great efforts not to spy in the U.S.

Re:Why Linux instead of OpenBSD? (2)

god, did I say that (253932) | more than 13 years ago | (#543779)

No, you lunix idiot. It has nothing to do with the relative merits of the code. If it did, Linux would be the perennial last choice on every professional's list. It has everything to do with the license. The GPL forces the initial code and all its derivatives to remain open. This effectively makes it impossible for a private company to take the NSA code, make unknown modifications to it and sell it as their own. If you stop to think for a moment, you would quickly understand why the NSA cant have that happen.

--

Re:But why the old kernel? (1)

X.25 (255792) | more than 13 years ago | (#543780)

It uses Kernel 2.2.12 and RH 6.1.
Both are old, and both are known to be buggy.


I don't know many people that are (basically) starting the project and making sure that all they do is 'in sync' with the latest releases of everything. Of course they don't have 2.2.18 patch or whatever - it's not fully finished product yet, so why bother to keep masses (that just love the 'latest versions') happy?

Re:Why did they have to use Linux? (1)

egor duda (36055) | more than 13 years ago | (#543783)

as copyright holders, they can distribute their code under different licenses simultaneously. So, the only question that can possibly arise here, is whether they must assign copyright to Linus just to make their patches into mainstream kernels or not? And do they want to distribute their code under BSD-style license at all.

So.. What about Sun, IBM, and SGI ?? (1)

chemguru (104422) | more than 13 years ago | (#543784)

You think that government throwing money towards a "trusted" open source OS will put any kind of pressure on Sun, IBM, and the such?

Maybe not now, but if these project DO see some light of day, Sun, IBM, etc., will have to do something to keep their market share with the government.

good but lets hope the script kids dont mess it up (1)

johnjones (14274) | more than 13 years ago | (#543786)

This can only be a Good Thing tm

the more guv depts use linux the better
this would mean the market for surport would go up so more business for folks
but lets hope that all the fools dont bring the website down and spam them

this looks like linux distro by stealth (-;
(the only way it gets into most companys)

I wish them well

regards

john jones


(a deltic so please dont moan about spelling but the content)

easy way to secure a box (1)

xSemi (266102) | more than 13 years ago | (#543788)

You can easily secure ANY computer, unplug all cords from it, and hide it behind about 3 miles of concrete everyway, sure, you could not use it but no 'evil h4x0rs' will either. What's my point? The more secure a computer is, the less useable it is. Sure you can keep a computer from crashing as much by never using beta software, but where the fun in that? Have to use at least some bug ware sometime. You could also set it so you have NO ports open, but then you can't get on most irc networks because of no ident... so just stick with slak 7.1 with a chmod'd suid perl
--Semi-----------------------
|semi@nix.org
|#resistance irc.otherside.com

Look out! It;'s a trap! (1)

emc3 (22477) | more than 13 years ago | (#543791)

Don't you see? It's all a trick! The NSA is obviously going to track down the identities of everyone who downloads selinux, and flag them in a secret database of "potential hackers". Anyone interested in a secure system *must* have something to hide, right?

To cover our tracks, everyone should start posting messages in alt.sex.furry about the "cool new animorphic porn screensaver that you can download from http://www.nsa.gov/selinux/slinux-200012181053-rel ease.tgz -- don't worry about the file size, the pictures will be worth it!" Then their servers will be overwhelmed by irrelevant requests, and the real security freaks will just get lost in the noise.



--
Ernest MacDougal Campbell III / NIC Handle: EMC3

Re:But... (1)

Ded Bob (67043) | more than 13 years ago | (#543801)

I was replying to his comment that they picked Linux over OpenBSD because Linux was open source and OpenBSD was not.

Re:NSA is not that secretive (1)

monkeymcgee (191237) | more than 13 years ago | (#543805)

uh...what's echelon then? a really big calculator?

Government and GPL (4)

CharlieG (34950) | more than 13 years ago | (#543806)

Actually, they CAN'T release it under GPL! Huh? It's worse (better?) than that - It's public domain! We PAID for it.

There are other government groups that talk about this. There is a Linux probram called EMC (Enhanced Machine Controler) that has been let out by the government, and there was a whole discussion of the GPL issue, and they said "We can't GPL it, we MUST Public domain it"

Go to www.linuxcnc.org for more details!

Re:Nice step forward (1)

natenate (172771) | more than 13 years ago | (#543809)

and the fact that they make of their modifications public is great for the open source software.

How do you know that they make *all* of their modifications public?

Re:But we have the source, right? Nope. Read this: (1)

Olmy's Jart (156233) | more than 13 years ago | (#543810)

Ken Thompson's lecture proposed a hypothetical backdoor, it didn't reveal an existing backdoor.

AFAIK, It never existed and no-one, to my knowledge, ever implimented one in the wild. I may be wrong, but I don't even think Ken demonstrated a working model, himself.

It was great fun, back in those days, to set up something that looked like it might be the great Ken Thompson compiler backdoor, but never was.

It was a scheme and nothing more. Unless by "existence" you mean the existence of the possibility of a complier propagated backdoor that doesn't show up in the sources.

It would also have to be sophisticated enough as to hide the existance of the backdoor code in it's own binaries (where they could be found by string searches) since you would want it to be platform independent and couldn't depend on assembly or binary code.

It's worth remembering and always being on the lookout for. :-)

The art of computer "tapping" (1)

Packratt (257218) | more than 13 years ago | (#543817)

The author mistakenly states that "it's much more efficient for them to break into your house, and insert a wiretapping device between your computer and your keyboard as part of a black bag job. :-)"

Actually, it's much more convenient for them to employ EMF eavsdropping techniques via a van accross the street that picks up each 'click' of the keyboard and each char on the monitor. This is a relatively old technology called Tempest that doesn't even require them to break into your house or have a back door into your system.

But, I'm just nitt-picking I guess...

Oh, and doesn't it sound a little frightening to have a government sponsored O/S? Oh well, I guess I'm just one of those paranoiacs, even though I would rather be an Animaniac...

If they pull it, can Linus sue? (1)

supabeast! (84658) | more than 13 years ago | (#543819)

If they pull the site again, would that be a violation of the GPL? And could the NSA be sued over it?

That would be another secret evidence trial for sure....

Open source is NOT news to the gov't (1)

bsdbigot (186157) | more than 13 years ago | (#543821)

Early BSD development - in fact, the very basis for the Internet - was funded by DARPA many moons ago.

By the way, I believe NASA (not NSA) uses/used OpenBSD as they used to run the mirror site that I would always download from - I think this was at Goddard? in Silicone Valley (Sunnyvale/Mountain View area)

Re:hahahahahahah (1)

Karellen (104380) | more than 13 years ago | (#543823)

Yeah, just like when they changed the S-boxes in DES before it was released to make it easier for them to crack.

No - wait a minute. That secured DES against differential cryptanalysis, making it harder...

Stop your knee from jerking like that.

Big question, but still nice move (1)

dj.dule (87188) | more than 13 years ago | (#543824)

I am not from USA, so I do not know much about NSA (except from reading, NSA key in Win NT etc.). Why they made this linux distro is uder big question. But one thing is sure. You do not have to use the distro but releasing such code in open source is worth a lot. Computer security is very important this days since internet is by default insecure. For linux you do not have a lot of choices in security field (as i know, only source code from Trusted Irix that gives linux C2/B1 is released). So you can read source code and do whatever you want with it.

An audit doesn't change anything (2)

darsal (18194) | more than 13 years ago | (#543825)

What the stupid default password in Pirahna "proved" was that system security is an active pursuit, not a passive one. The flaw in the fish only bit people who never changed the password, even when instructed to during installation, never mind on a regular basis as many standard system security practices recommend.

Yes, by all means, do "your own damn auditing", but don't waste your time by doing so before you have an actual policy of secure practices in place to audit.

And be really careful about calling in an outside auditor. You won't get your money's worth if you and your system aren't ready, and you might wind up paying contractor rates to fix really stupid things - anyone who needed an outside auditor to find and fix the Pirahna flaw shouldn't be trusted to carry their own money, let alone their company's.

Good long term prognosis, bad short term (1)

scotay (195240) | more than 13 years ago | (#543826)

Whether you love or hate the NSA, this is a good thing for Linux. It's a seal of legitimacy when an agency like the NSA wants to use your OS and needs it to be easier to secure.

If this thing takes off, it's sure to lead to better security in the long run. Short term this might make things worse.

If you have to put your machine on a network, there is some level of security in the anonymity of your OS. If you are running a Unix variant that is not widely distributed with a security model that isn't widely used, the number of hackers who have direct knowledge of how your system works is smaller. If I know what variant you are running and how it works, I have a better chance of uncovering flaws.

If the NSA standard for securing Linux becomes ubiquitous, you will have a large pool of potential hackers with an intimate insight of potential flaws. In the beginning this should uncover many security flaws. It will take time for corrections to be made, but the source code access should insure that there is just as big a pool of people ready to correct flaws. This will lead to a hardening of the new model over time. In the short run, this secured OS may be less secure than its more anonymous cousins. Over time, a widely available, heavily attacked, open source OS should trump any security found in the less common deployments.

It will be ironic if the NSA gives the world an OS that allows individuals the same levels of security that the NSA expects will protect American secrets. The NSAs work may become much harder if other countries start adopting the fruits of NSA labor. Will this be such a bad thing?

What potential! (5)

dsplat (73054) | more than 13 years ago | (#543827)

The NSA has a mandate to protect the information security of our government. I believe they would interpret that to include protection of the information security of the industrial base that supports our country. I would love to see a group within the NSA charged with working with the open source community to enhance the security of open source software. I would never trust software solely because it comes with a security seal of approval only from an agency which also has other priorities which may be at odds with my privacy. However, I would consider their assurance to be a valuable addition.

I applaud the effort that these people within the NSA who brought this project to light went to. The fact that they have released this work at all is surprising. But they have demonstrated their good faith by honoring the GPL. Bravo.

Linux vs. *BSD (2)

Mike Hicks (244) | more than 13 years ago | (#543828)

I'm a big Linux guy, but I have to wonder why the NSA decided to do this at all when they could have just as easily played around with one or all of the BSDs. The licensing is such that they would never have to release their modified code, right?
--

Trusted Irix? (2)

small_dick (127697) | more than 13 years ago | (#543829)

I was not aware of a "Trusted Irix".

Even if it exists, AFAIK SGI is switching over to Linux "soon" anyway, so a "Trusted Linux" is a natural progression.

This is great news for Linux...we've had a hard time getting Linux taken seriously where I work because there has been little "solid" government interest outside of clusters.

But being able to use "NSA" and "Linux" in the same sentence (and in print) will ease a lot of fears 'round these parts.

I hope someone out in slashdot land, with the requsite graphics skills, does a spoof of a "NSA Linux" distro.

Maybe a spoof of Austin Powers or something? Yeah Baby! Trusted Linux!

Re:NSA is not that secretive (2)

Ashran (107876) | more than 13 years ago | (#543830)

That would be the CIA, NSA is for number crunchers, not spies

NSA (1)

freediver211 (208205) | more than 13 years ago | (#543854)

HEY, GOOD FOR THEM! The government is so far up Bill Gates ass that I think it's great that they are looking at Linux. Please Note: The government is the largest buyer of software in the world, and Bill Gates has gotten most of that money. So, I say we support the NSA's move to Linux as much as possible. I am so tired of writting code for the government that has to run on Microsoft boxes (that doesn't work) that I think it would such a joy to write code for Linux (that would work). Way to go NSA!

Re:tech supposrt (1)

bmongar (230600) | more than 13 years ago | (#543855)

Goat Sex link above.

Who the hell modded this ad insightful, I wish I could metamod

Re:NSA is not that secretive (1)

Anonymous Coward | more than 13 years ago | (#543856)

Why waste time trying to get an NSA guy to spill?

You forgot all the Soviet Babes who'll do *anything* for you if they think you know something! Well... at least up until recently. Now it's Arab chicks from Hamaas, or Baghdad, or from China and Pakistan. Dammit! Why can't Sweeden be an Evil Communist Regime(tm)?

NSA Slashdotted (2)

SMQ (241278) | more than 13 years ago | (#543857)

Am I the only one that finds great mirth in the NSA being slashdotted? :-)

Re:Mirror (2)

sxpert (139117) | more than 13 years ago | (#543858)

and here [esitcom.org]

Re:NSA is not that secretive (4)

mrzaph0d (25646) | more than 13 years ago | (#543859)

"...and in an hour or two they're giving you their lifestory..."

since they're the NSA, shouldn't that read "...and in an hour or two they're giving you your lifestory..."?

"Leave the gun, take the canoli."

Mirror of three main SELinux Packages (1)

Akardam (186995) | more than 13 years ago | (#543860)

I've established a mirror of the three main packages here: http://mike.akardam.net/dump/selinux/ [akardam.net]

Re:What potential! (1)

freediver211 (208205) | more than 13 years ago | (#543861)

I agree! Go NSA!

Re:hahahahahahah (1)

Ares (5306) | more than 13 years ago | (#543862)

Except that it's from the US Government, which automatically places it in the public domain.

Or so I'm told.

Re:But... (1)

Ded Bob (67043) | more than 13 years ago | (#543863)

OpenBSD is open source.

rsh and WU-FTPd (5)

pete-classic (75983) | more than 13 years ago | (#543864)

According to the package list [nsa.gov] it includes rsh and WU-FTPd.

Come on, an ultra-secure system with rsh and WU-FTPd?

Okay, so it says WU-FTPd is untested, but there is no excuse for using rsh.

This makes me skeptical of the whole thing.

Re:Dont just assume. Audit it yourself (1)

nanojath (265940) | more than 13 years ago | (#543865)

This is solid advice, but you do you not agree that open peer review is a valid and useful addition to other security audits? I mean, I would obviously hope that the NSA would not just trust the internet community to vet its software security. But just as the group can ignore what an expert might notice, the reverse can easily be true. The point others are making is that open source doesn't necessarily mean low security, not that open source guarantees high security.

Re:Why Linux instead of OpenBSD? (3)

Devi0us (21988) | more than 13 years ago | (#543866)

There's also other simple reasons besides "Linux is the in thing". OpenBSD would probably have been a good place for them to start, except for some serious factors against it. OpenBSD isn't scalable. At all. It's great for small corporate networks, or home firewalls and such, but wiht no plans for SMP in the future, it can't compete as a server environment. OpenBSD is great for IDS sensors, and specific appliance type hardened boxes, but it's not well rounded enough to put into a big multi user production environment. Have you ever heard of any major e-commerce site using OBSD as their primary server software? Then there's the whole problem with Theo not playing well with others. And being Canadian. Because Theo wholly manages the project himself, it would cause issues. I believe the NSA folks are looking to put together something that can go into general release, possibly as an option on any distribution. OBSD can't do this, because a) the NSA would have to pay Theo to audit their code [see how OBSD architecture ports end up getting made.. its interesting], or he wouldn't let them integrate it into his source tree, and B) there's all kinds of weird issues with the project maintainer not being a US national. I'm not knocking OpenBSD. I'm a big supporter. I run it on a lot of appliance type boxes, rnuning security centric tasks. However, don't believe for a second its secure. It requires the same amount of tweaking as any other operating system to get it into shape. I've had OBSD machines get owned before, where there were serious user errors in judgement. Just because there aren't any *remote* exploits, doesn't mean your users aren't going to get drunk and give away their account. Trusted OSes are a little more forgiving when this kind of thing happens. My $.02 . Take it for what its worth. Or ask for change back.

Re:But we have the source, right? Nope. Read this: (1)

Ares (5306) | more than 13 years ago | (#543867)

No one ever said we had to use their gcc (scc??).

Re:Public Development -- With a difference! (1)

Nilatir (179045) | more than 13 years ago | (#543868)

Like maybe the confirmation isn't an email, but is instead two gentlemen with sunglasses, dark suits and menacing ties who come to you door?

Now why would a couple of bible salesmen care about NSA's Linux?

Re:NSA is not that secretive (2)

Karellen (104380) | more than 13 years ago | (#543869)

"We're from the Government - the National Security Agency"

"Oh - so you're the guys I hear breathing on all my telephone converstions?"

"No. That's the FBI"

"So you just set up foreign dictatorships and finance black ops"

"No. That's the CIA. We're the good guys Marty."

Two spooks + Marty (Robert Redford) - Sneakers.

Re:hahahahahahah (3)

phil reed (626) | more than 13 years ago | (#543875)

Yeah, right. I'll trust a high security version of Linux from the NSA. No fucking way. I wonder how much spyware is in that one, considering the NSA key in Windows story in the past.

Maybe you missed the part of the article where they will be releasing source code?


...phil

As long as they release the code... (1)

Strog (129969) | more than 13 years ago | (#543878)

will anyone actually trust it. Considering their history, they will have to show us the code. I'm a lot of people will want the code to compile themselves to make sure there isn't anything hidden in a binary.

Nice step forward (5)

CaptJay (126575) | more than 13 years ago | (#543883)

Like it or not, NSA is an organization that really cares about tough and efficient security in computer systems. They also have alot of experts in that domain, and the fact that they make all of their modifications public is great for the open source software.

Even without taking all their modifications directly and integrating them, they might just show developpers innovative ways to secure Linux, which can lead to better security for everyone and alot of other software in which security is critical.

So in short, I think they're contributing to open source as a whole, not only to Linux. I also think their contribution is a BIG one. This sounds great!

Re:hahahahahahah (1)

Anonymous Coward | more than 13 years ago | (#543886)

Are you kidding? Read the article? No way. I know there are subliminal algorithms contained within to make me trust the NSA. no No NO. Where's my aluminium beanie?

Wow. This is very cool. (4)

Tin Weasil (246885) | more than 13 years ago | (#543890)

Whatever your opinion of the NSA might be, this is going to be a real boost to fighting the argument that "an open source operating system can't be secure." What I am looking forward to, though, is the incorporation of some of the NSA's code into some of the existing major Linux Distributions. Most of us would have a problem running the NSA's software right out of the box because we are so well trained to mistrust authority. Still... very cool.

I like it. (4)

bmongar (230600) | more than 13 years ago | (#543895)

Wow the government is waking up to the fact that security through obscurity is not security at all.

Plus think of all the money they save with all us crypto geeks hacking at their code testing for bugs, coming up with new additions just because it would be cool to say you helped write part of the NSA's security system

Dont just assume. Audit it yourself (5)

simpleguy (5686) | more than 13 years ago | (#543897)

As we saw in the Red Hat pirahna saga, you should not assume that because something is open source, it must be secure. People assumed that because pirahna was open sourced, someone would have noticed the obvious password flaw within hours or just a few days after it was released. But NO, it took longer than that.

Do not rely only on peer review. If you want to be sure about what you are using, especially in environments needing ultimate security, do your own damn auditing and testing or pay someone to do it.

Oh, and Merry Christmas.

Re:Dont just assume. Audit it yourself (5)

John Sullivan (234934) | more than 13 years ago | (#543902)

People assumed that because pirahna was open sourced, someone would have noticed the obvious password flaw within hours or just a few days after it was released. But NO, it took longer than that.

Of course it did, that's the point. Security isn't something you achieve overnight, the status of any particular system is very much the result of consensus building which takes time. It's down to how many eyeballs have looked at the system, how deep they've looked at it, and how long they've looked at it.

Opening up the source results, eventually, in a more secure system because those people who do so can look deeper, and also because the skills to analyse source code are more widespread than the skills required to analyse a running binary, so hopefully more people will do so. But anyone who takes a newly released system and immediately relies on it for security has to be insane.

Do not rely only on peer review. If you want to be sure about what you are using, especially in environments needing ultimate security, do your own damn auditing and testing or pay someone to do it.

And while doing your own audit is good advice, the most valuable result will be a new data point to add to the global consensus. Relying on your own analysis isn't much better than relying on no analysis at all, but if 100 people have looked at the system over 5 years or so and not found it wanting, then we start to feel some level of confidence in it.

Of course this is if you want to do security properly, but for most people, for most applications, this level of care is just not necessary.

But we have the source, right? Nope. Read this: (1)

(Score 5:Insightful) (201164) | more than 13 years ago | (#543903)

The dictionary entry for 'back door' from the Jargon file 4.0.0

Historically, back doors have often lurked in systems longer than anyone expected or planned, and a few have become widely known. Ken Thompson's 1983 Turing Award lecture to the ACM admitted the existence of a back door in early Unix versions that may have qualified as the most fiendishly clever security hack of all time. In this scheme, the C compiler contained code that would recognize when the `login' command was being recompiled and insert some code recognizing a password chosen by Thompson, giving him entry to the system whether or not an account had been created for him.

Normally such a back door could be removed by removing it from the source code for the compiler and recompiling the compiler. But to recompile the compiler, you have to use the compiler -- so Thompson also arranged that the compiler would recognize when it was compiling a version of itself, and insert into the recompiled compiler the code to insert into the recompiled `login' the code to allow Thompson entry -- and, of course, the code to recognize itself and do the whole thing again the next time around! And having done this once, he was then able to recompile the compiler from the original sources; the hack perpetuated itself invisibly, leaving the back door in place and active but with no trace in the sources.

Still trust the NSA?

--

Re:Wow (1)

pallex (126468) | more than 13 years ago | (#543904)

I doubt it. Why would they care? 4% of market share is 4%, no matter how you look at it.

Reason: Windows has backdoors (1)

gnarly (133072) | more than 13 years ago | (#543905)

I think they are going with Linux now because windows source code (with its NSA backdoors [slashdot.org] ) is in the hands of somebody in St. Petersburg. [slashdot.org]

Linux supports multiprocessor configurations (1)

jherber (179099) | more than 13 years ago | (#543906)

I'm pretty sure BSD does not.

jim

Re:Wow (2)

Kewlwolf (260643) | more than 13 years ago | (#543907)

Actually, MS does care about linux. I saw a notice about linux being the biggest threat to MS dominence of server markets in the next ten years.......(I work for the evil empire, but am part of the rebel alliance):P

Source code woudln't be entirely safe... (1)

azephrahel (193559) | more than 13 years ago | (#543908)

Lets say for a moment, that they do release a distro, with full source. You don't trust them. So you install their distro, then recompile everything, and your all safe and cozy. So you think. Since you just compiled the code with their compiler, you have no way of knowing if the compiler was compromised. The compiler could be set up to stuff a little bit of code into certain programs, everytime their compiled, including itself. So if you compiled a new compiler with source you downloaded from the gnu web site lets say, your new compiler would still put in those nasty bits. I recall reading a really good article about this by Dennis Richie I think....

But the basic premise of it is, if your going to install their distro, copy all the source onto another linux box (read never had their distro on it), examine it, then compile all the peices and install from your compiled versions....and if you don't, don't you DARE ever ever ever share binaries compiled on that system with anyone. Just share source..please.

As was indicated in the article... (1)

Akardam (186995) | more than 13 years ago | (#543909)

... in case The Man makes them take it down again.

I've already started to mirror [slashdot.org] the main packages themselves.

Re:So.. What about Sun, IBM, and SGI ?? (2)

ironduke (97331) | more than 13 years ago | (#543910)

Probably not, these guys (Sun, IBM, etc.) want to sell lots and lots of high dollar hardware. Their interest in software is to protect their hardware sales. The NSA has to run their software on something and I for one hope that my government is using something other than 80x86 PCs to do the work that the NSA does.

Hey Taco & Crew (2)

GW Hayduke (19878) | more than 13 years ago | (#543911)

I think we need to add a few new options for the mods...
Score +1 Cautious
Score -1 Paranoid
Score -5 Written from a Y2K Bunker

Re:What potential! (2)

bwt (68845) | more than 13 years ago | (#543912)

From their web page:

Security-enhanced Linux is being released under the conditions of the GNU General Public License (GPL). The release includes documentation and source code for both the system and some system utilities that were modified to make use of the new features. Participation with comments, constructive criticism, and/or improvements is welcome.

This is unbelievably cool! For ANY government agency to release GPL code is huge, but for the NSA to do it is a stunning precedent. I just wonder if this action will survive the change of administration.

I recommend that people write their Congressmen and express support for this.

Why Linux instead of OpenBSD? (3)

astrashe (7452) | more than 13 years ago | (#543915)

Does anyone want to speculate why the NSA chose linux instead of OpenBSD, or some other BSD?

Re:hahahahahahah (3)

bmongar (230600) | more than 13 years ago | (#543924)

Actually they aren't forced to make it public, they are only forced to give the source code to who the os is distributed. They could just distribute internally and make it avaliable to anyone who uses their systems. This release is really a decision they made based on the need for security or publicity. Which one doesn't matter, what matters is they were not forced to do this.

Re:As long as they release the code... (5)

Black Parrot (19622) | more than 13 years ago | (#543928)

> Considering their history, they will have to show us the code.

I'm not one to read the articles either, but in this case I made a special exception, and yes, there is a download link [nsa.gov] .

You may also find this note at the bottom of the main site interesting:
Security-enhanced Linux is being released under the conditions of the GNU General Public License (GPL). The release includes documentation and source code for both the system and some system utilities that were modified to make use of the new features. Participation with comments, constructive criticism, and/or improvements is welcome.

--

Public Development -- With a difference! (1)

kfringe (6134) | more than 13 years ago | (#543929)

They've even set up majordomo for a public list. Does that make anyone else nervous? Like maybe the confirmation isn't an email, but is instead two gentlemen with sunglasses, dark suits and menacing ties who come to you door?


"Someone, possibly you, subscribed to the mailing list 'selinux' at tycho.nsa.gov. Please confirm this action if you wish to subscribe."

Re:Linux supports multiprocessor configurations (1)

elbuddha (148737) | more than 13 years ago | (#543934)

Jim said:
I'm pretty sure BSD does not.

You would be wrong.

FreeBSD [freebsd.org]

NetBSD [netbsd.org]

BSD/OS [bsdi.com]

OpenBSD does not. But don't perpetuate the falsehood that all BSD does not.

Downloading it now ... (1)

Anonymous Coward | more than 13 years ago | (#543937)

The code is available for download. They also posted a "TO-DO" list. "However, this list of expected research shall not be considered as a request for proposal or otherwise construed as a commitment by the National Security Agency to anyone for the procurement of equipment, services, or any obligation" So, you too, young Anakin, can work for a "jenyouwine" NSA project. Just don't expect to be paid for it (at least in beer).

Of course, this is not something that just appeared out of the wild blue yonder, we all heard about this last year.

href=http://mail.nl.linux.org//securedistros/2000- 01/msg00014.html [linux.org]

http://slashdot.org/articles/00/01/13/1029206.shtm l [slashdot.org]

As for the enhancements, if I understand this correctly, think of them as providing the kernel the ability to "sandbox" any application somewhat like the java model. This limits the ability to use a root exploit of one application to gain access to the rest of the system.

Source unzipped, untarred and ready to go C-Ya!

Big guns at the NSA (1)

Mandi Walls (6721) | more than 13 years ago | (#543940)

Whether or not you agree with the NSA and its mission, they do have a lot of smart people over there, who have access to all the things we just sit here and speculate about.

There are certain pockets in the US govt that are working toward more incorporation of open source products, thanks (from my perspective) in a large part to Apache. (Oracle's port didn't hurt, either) Also, the govt buys hardware from the same vendors other companies buy hardware from - and you can get some delicious rackmount servers from Dell with Linux on them.

For every project that succeeds with an open source product, the door opens a little wider for more projects...and government contracting means big money. Why should micro$oft benefit? I think it would be great to see companies like VA , RedHat, Lineo, etc, to get attention from the federal sector. Maybe then the commercial sector will pay more attention.

And we could get frickin' Quicken, or Bryce, or Flash for Linux.

--mandi

Re:Why Linux instead of OpenBSD? (1)

linuxmop (37039) | more than 13 years ago | (#543941)

Why would that suck?

Re:Why Linux instead of OpenBSD? (1)

Geekboy(Wizard) (87906) | more than 13 years ago | (#543943)

Then there's the whole problem with Theo not playing well with others. And being Canadian
But Linus is Finnish, and Alan Cox (major contributor) is English. IIRC most "high-level" security software requires you to be american or canadian. (tough noogies to our friends across the puddle) I know Linus lives in the US now, but I don't think he is a citizen quite yet.

But why the old kernel? (1)

Sc00ter (99550) | more than 13 years ago | (#543945)

It uses Kernel 2.2.12 and RH 6.1.
Both are old, and both are known to be buggy. Sure they have a beta version for 2.2.17, but still, most production places arn't going to want to use beta stuff, or a buggy kernel.


--

Wow. (3)

Black Parrot (19622) | more than 13 years ago | (#543947)

Just think, soon you'll be hearing "Hi, I'm Bob and I run NSALinux."

Wonder when they're going to have their IPO.

--

Yeah, but..... (2)

NTSwerver (92128) | more than 13 years ago | (#543950)

....it doesn't matter if M$ diss Linux, because we have conclusive proof that Linux is better! [bbspot.com]

----------------------------

Re:Why Linux instead of OpenBSD? (1)

xscarecrowx (118632) | more than 13 years ago | (#543953)

Probably because linux is the "in" thing right now, you say linux to someone on the floor of the stock market and they have a general idea your talking about something with computers, you say BSD and you will probably just get a blank look.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?