Fedora Linux Support Community & Resources Center

Go Back   FedoraForum.org > Fedora 19/20 > Security and Privacy
FedoraForum Search

Forgot Password? Join Us!

Security and Privacy Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

Reply
 
Thread Tools Search this Thread Display Modes
  #1  
Old 7th November 2007, 03:35 PM
guest1234567 Offline
Registered User
 
Join Date: Nov 2007
Posts: 1
Selinux = NSA-Backdoor?

Someone pointed out that Selinux might be a NSA-Backdoor:

http://etbe.blogspot.com/2006/12/se-...5-minutes.html
http://www.schneier.com/blog/archive...s_micro_1.html
http://blogs.techrepublic.com.com/op...obile.php?p=37

On the one hand, it does protect our systems before worms and “normal” user cracking. But on the other hand it might grant NSA a backdoor in case they would want to use it.
I know, Selinux is open source, so it seems clear that someone would someday stumble over it, when reviewing the code. But how can we be sure, that somebody ever would audit the code thoroughly? Perhaps it is well hidden in the code, maybe in some harmless looking lines, or scattered across the whole code in tiny bits, which are waiting to receive a secret signal and then get activated? Who could possibly find it, given the fact that Selinux is such a complex program. That even to handle it is too difficult for most users. And the sheer size of the program and it's depending parts. May well be over hundred's of thousands lines of code.
Facing all this, i cannot be absolutely sure, that this code is really clean.

What is your opinion? Just paranoid, or perhaps a good point?
Reply With Quote
  #2  
Old 7th November 2007, 04:46 PM
rjstaaf Offline
Registered User
 
Join Date: Jun 2005
Location: Upstate, SC USA
Age: 51
Posts: 270
I can understand your concerns and they are probably warranted considering how much the US Constitution has been trampled on these days. I am sure you aren't the first one to have these concerns either. I seriously doubt though that even the NSA would be able to hide the necessary code in software where the source code is freely available and looked at on a regular basis.
__________________
Bob

Embarrassing myself, one post at a time!
http://community.webshots.com/user/rjstaaf
Reply With Quote
  #3  
Old 7th November 2007, 09:52 PM
Dan Offline
Administrator
 
Join Date: Jun 2006
Location: Paris, TX
Posts: 23,279
Paranoid, I'd say. But that doesn't mean you're either right or wrong.

However, If this causes you concern, you have many options. One of which is to either not use/enable/install a distro that has SELinux in it, or instead use/purchase what you feel may be a safer alternative.

It also occurs to me, that if the NSA really wants to know what's in my computer, all they have to do is either get a warrant and come fetch it, or even easier, just knock on the door and politely ask if they can look. Might be nice if they called first, though. Just so I can have a fresh pot of coffee ready.


Dan
Reply With Quote
  #4  
Old 7th November 2007, 10:33 PM
Iron_Mike Offline
Registered User
 
Join Date: Jul 2005
Location: Ft Huachuca, AZ
Posts: 3,772
YES, we did put in a BACKDOOR, after all we were instrumental in designing system. How else could we monitor people such as yourself. We see all and know all, we know what porn, drm protected music, even what beer you drink. Remember we are watching.........


Director
National Security Agency
ATTN: Information Assurance Policy, Procedures, and Insecurities Division (141)
Fort George G. Meade, MD 20755-6722
Reply With Quote
  #5  
Old 7th November 2007, 10:38 PM
RHamel Offline
Registered User
 
Join Date: Sep 2004
Location: Denver, Colorado
Posts: 560
Yeah, a back door in open source, that no one noticed. lol
Reply With Quote
  #6  
Old 7th November 2007, 11:27 PM
ElJoeb Offline
Registered User
 
Join Date: Sep 2007
Posts: 45
Quote:
Originally Posted by Iron_Mike
YES, we did put in a BACKDOOR, after all we were instrumental in designing system. How else could we monitor people such as yourself. We see all and know all, we know what porn, drm protected music, even what beer you drink. Remember we are watching.........
Not the back door I was thinking of <shiver>. If this is a valid concern, its a valid concern for all open source software, because it would apparently be easy to hide this from people.
Reply With Quote
  #7  
Old 7th November 2007, 11:52 PM
Dan Offline
Administrator
 
Join Date: Jun 2006
Location: Paris, TX
Posts: 23,279
Quote:
Originally Posted by Iron_Mike
YES, we did put in a BACKDOOR, after all we were instrumental in designing system. How else could we monitor people such as yourself. We see all and know all, we know what porn, drm protected music, even what beer you drink. Remember we are watching.........


Director
National Security Agency
ATTN: Information Assurance Policy, Procedures, and Insecurities Division (141)
Fort George G. Meade, MD 20755-6722
Yeah ... about that. Hate to ask, Mike. But could you possibly please re-task a satellite over my neighbor's backyard? I can't find my weed-eater!


Dan
Reply With Quote
  #8  
Old 7th November 2007, 11:55 PM
bradchaus Offline
Registered User
 
Join Date: May 2006
Posts: 548
in order for an se-linux exploit to work its first got to get through your firewall and tcp-wrappers defences. IMHO, if those are set up properly, it would be a hard task to get to the se-linux layer.

my 2 cents
__________________
* AMD Phenom 9750, 8GB DDR-1066, Gigabyte MA770UD3, ATI X550, F12 64bit
* Dual Athlon MP2800+, Gigabyte GA-7DPXDWP, 1GB, Centos 5.4

Linux Rules
Reply With Quote
  #9  
Old 8th November 2007, 12:25 AM
Iron_Mike Offline
Registered User
 
Join Date: Jul 2005
Location: Ft Huachuca, AZ
Posts: 3,772
Quote:
Originally Posted by TangledWeb
Yeah ... about that. Hate to ask, Mike. But could you possibly please re-task a satellite over my neighbor's backyard? I can't find my weed-eater!


Dan
Right where you left it Dan. Behind the shed......
Reply With Quote
  #10  
Old 8th November 2007, 01:13 AM
Dan Offline
Administrator
 
Join Date: Jun 2006
Location: Paris, TX
Posts: 23,279
Aw, crud! Sure enough. Uh ... Thanks.
Reply With Quote
  #11  
Old 25th November 2007, 07:29 PM
Nick Levinson Offline
Registered User
 
Join Date: Sep 2007
Posts: 109
The parts of the SELinux enhancements that are in the kernel or in other components that are frequently maintained by people other than NSA loyals are likelier to be seen as the kernel or those other components are rewritten from time to time, and NSA would have anticipated that. That means the main problem is with the other parts (files that are exclusively for SELinux or that are in components that are rarely maintained by other people). Perhaps that reduces the amount of code that should be re-examined.

One could examine code to be sure that every line of code (and every command, argument, etc.) has a legitimate purpose. That reduces the problem to one of finding dual-purpose code.

If you find code that appears questionable, either dual-purpose code or code lacking any apparent purpose, one option is simply to go public with the specific lines and challenge them in a forum. That's not very different from going public with other exploits that are likely already known to secrecy-shrouded hackers anyway, such as viruses that attack Windows. There's no big dispute about whether Linux vulnerabilities should be revealed, too, and that includes SELinux.

The NSA is highly reputed for its IT capabilities. Auditing the work of secret agencies has been an open issue because of the prospect of appearing to approve when one hasn't and thus of not serving the public nonsecret interest. But this is different because an outsider's audit of open source software can be done publicly, by many people working independently of each other, repeatedly regardless of prior results, without new permission, and without any cooperation with any secret agency, including the NSA. You don't have to tell anyone. And you can hang a banner announcing your intention right outside NSA headquarters (if they won't let you and they saw what your banner said, they're on notice). And then someone else can do the same thing, so if someone in black bribes you not to reveal your findings someone else can reveal what they find.

Besides, there's another reason -- or another objective -- that can be satisfied at the same time. Some of us who have faith in SELinux and prefer to use it also have problems. I had a problem installing Linux with particular settings in SELinux; I don't remember what the problem was that I experienced, but I wound up using a default setting without the particular adjustments that it offered. And I came across a topic in FedoraForum.org about difficulty using a website in a browser because SELinux objected to text relocation that usually isn't needed and presents a security issue (that's not my evaluation). In short, if SELinux seems to cause more problems than it's worth to administrators, the NSA won't achieve its published objective of aiding other Federal agencies with their information security requirements and of showing a model to mainline OS designers (I assume they don't mean Linux but perhaps they mean Microsoft) that this kind of security is feasible (leaving to mainliners how they'd implement it, and maybe they already have).

You can examine source code for illegitimacy, undersecurity, and for impediments to productivity, creativity, etc. (you could call that oversecurity) (I imagine gamers will encounter problems with SELinux, since games often push the limits of hardware and software, and advanced programmers having nothing to do with SELinux also want high performance from their programming setups, which oversecurity impedes.) Even if you find only one problem, that's a benefit to the rest of us.

Even if the most obscure parts of the SELinux source code were thoroughly examined during development and at first distribution as stable and passed strict scrutiny, times have changed, technology has developed, computers have gotten somewhat more capable and will only get more capable, and there likely are more people with relevant skills on both sides of the good/evil fence and in the gray zone. That's good reason to reexamine sooner or later.

Perhaps you should give it a shot.

--
Nick
Reply With Quote
  #12  
Old 25th November 2007, 08:50 PM
Crito Offline
Registered User
 
Join Date: Aug 2007
Location: Knoxville, TN
Posts: 256
Say, hypothetically of course, someone were to put a malicious selinux policy update in the main fedora repository. How long before that replicated to all the mirrors and was downloaded to tens of thousands of machines? Sounds like a single point of failure to me.

SELinux solves problems I don't have and creates a bunch of new ones that didn't exist before. In fact, I'd say those who advocate its use are more paranoid than the NSA conspiracy theorists. I really have no need for it.
__________________
How to Block Google Spyware
"They're going to sell it to us as a security system -- they may even have convinced themselves it will improve security -- but it's fundamentally a control system." - Bruce Schneier
Reply With Quote
  #13  
Old 25th November 2007, 08:59 PM
lazlow Offline
Registered User
 
Join Date: Aug 2005
Posts: 3,172
Crito

Your single point failure would apply to any part of the system. I would be more concerned about an iptables update being tampered with. In either case, I think it is highly unlikely that it would get through the "checks and balances" built into the system.

Lazlow
Reply With Quote
  #14  
Old 25th November 2007, 09:13 PM
Crito Offline
Registered User
 
Join Date: Aug 2007
Location: Knoxville, TN
Posts: 256
Yet, bad updates get through these checks and balances on a routine basis already. Therefore, one should strive to create fewer, not more, single points of failure.

Fact remains SELinux doesn't solve any problems I've had or am likely to ever have on a desktop computer. All it does is create more problems for me.
__________________
How to Block Google Spyware
"They're going to sell it to us as a security system -- they may even have convinced themselves it will improve security -- but it's fundamentally a control system." - Bruce Schneier
Reply With Quote
  #15  
Old 25th November 2007, 09:57 PM
lazlow Offline
Registered User
 
Join Date: Aug 2005
Posts: 3,172
There is a huge difference between buggy and malicious.
Reply With Quote
Reply

Tags
nsabackdoor, selinux

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
selinux: hand tweaking policieand yum selinux-policy updates: overriden or perserved? mbiggerstaff Security and Privacy 2 20th January 2014 09:52 PM
Problem configuring SElinux using system-config-selinux GUI majdi Servers & Networking 0 6th September 2008 12:33 PM
Backdoor or Trojan Potentially in Hashcalc jimc52 Security and Privacy 12 12th November 2007 06:21 PM
Root user account expired. Backdoor to fix? msenner Using Fedora 2 15th October 2004 06:11 AM
Test 3 w7o selinux installed, though lotsa selinux during usage? gafami Fedora Core 2 Test Releases 7 15th May 2004 09:15 AM


Current GMT-time: 08:53 (Wednesday, 26-11-2014)

TopSubscribe to XML RSS for all Threads in all ForumsFedoraForumDotOrg Archive
logo

All trademarks, and forum posts in this site are property of their respective owner(s).
FedoraForum.org is privately owned and is not directly sponsored by the Fedora Project or Red Hat, Inc.

Privacy Policy | Term of Use | Posting Guidelines | Archive | Contact Us | Founding Members

Powered by vBulletin® Copyright ©2000 - 2012, vBulletin Solutions, Inc.

FedoraForum is Powered by RedHat
Yashan Travel Photos - Oskarshamn - Pyinmana Travel Photos on Instagram