Re: NSA software in Debian

2014-01-20 Thread Marco Saller
I have read that the NSA proposed to include SELinux in linux 2.5. (Linux 
Kernel Summit 2001)
Don't you think that may be one of their fancy tricks to gain access to 
computers running linux? Some news websites also mention vulnerabilities 
similar to this one.
It would be a great idea to include malicious software to kernel modules.

Mit freundlichen Grüßen / Best Regards / 谨致问候

Marco Saller
marcosal...@yahoo.de

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/c600564a-79cc-4128-815c-604bf4c6d...@yahoo.de



Re: NSA software in Debian

2014-01-20 Thread Octavio Alvarez
On 01/20/2014 05:29 AM, Marco Saller wrote:
> I have read that the NSA proposed to include SELinux in linux 2.5. (Linux
> Kernel Summit 2001)
> Don't you think that may be one of their fancy tricks to gain access to
> computers running linux? Some news websites also mention vulnerabilities
> similar to this one.
> It would be a great idea to include malicious software to kernel modules.

It is easy to come up with that idea, and it's easy to fear it. It's
easy to write about it and to popularize it and cause mass-delusion.
It's difficult to prove, though.

If you consider that the SELinux code is available and with so many auditing
humans and tools it's not as easy as it sounds. It can happen, but it's
not as easy as "they can, therefore they are".

As others have said, the NSA doesn't need specific backdoors. There are
many vulnerabilities in all software already available which are already
being exploited.

The more general problem is that not all programmers like or know
formality and that not all developers like strict code and algorithm
correctness. *That* is something to worry about.

I wouldn't worry about SELinux specifically.





Re: NSA software in Debian

2014-01-20 Thread Kevin Olbrich
Is SELinux disabled on new debian installs?

Mit freundlichen Grüßen / best regards,
Kevin Olbrich.
Web: http://kevin-olbrich.de/

On 20.01.2014 at 18:22, Octavio Alvarez alvar...@alvarezp.ods.org wrote:

> On 01/20/2014 05:29 AM, Marco Saller wrote:
>> I have read that the NSA proposed to include SELinux in linux 2.5. (Linux
>> Kernel Summit 2001)
>> Don't you think that may be one of their fancy tricks to gain access to
>> computers running linux? Some news websites also mention vulnerabilities
>> similar to this one.
>> It would be a great idea to include malicious software to kernel modules.
>
> It is easy to come up with that idea, and it's easy to fear it. It's
> easy to write about it and to popularize it and cause mass-delusion.
> It's difficult to prove, though.
>
> If you consider that the SELinux code is available and with so many auditing
> humans and tools it's not as easy as it sounds. It can happen, but it's
> not as easy as "they can, therefore they are".
>
> As others have said, the NSA doesn't need specific backdoors. There are
> many vulnerabilities in all software already available which are already
> being exploited.
>
> The more general problem is that not all programmers like or know
> formality and that not all developers like strict code and algorithm
> correctness. *That* is something to worry about.
>
> I wouldn't worry about SELinux specifically.
 
 
 



Re: [SECURITY] [DSA 2847-1] drupal7 security update

2014-01-20 Thread maurizio
The person you are trying to reach no longer works for e-biz Solutions and your 
message has not been forwarded.







Re: NSA software in Debian

2014-01-20 Thread Andreas Kuckartz
Kevin Olbrich:
> Is SELinux disabled on new debian installs?

The SELinux packages are optional. The default kernel is configured so
that SELinux (or another LSM) can be enabled after the packages have
been installed.

Cheers,
Andreas
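
The distinction made in the reply above (SELinux compiled into the kernel versus actually enabled) can be checked with a short script. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes a kernel config file such as /boot/config-$(uname -r) and the active-LSM list at /sys/kernel/security/lsm on kernels that expose it.

```shell
#!/bin/sh
# Added example (not from the thread): report whether SELinux is compiled
# into a kernel and whether it is among the active LSMs.
# On a real system, assuming the conventional paths:
#   selinux_status "/boot/config-$(uname -r)" /sys/kernel/security/lsm

# config_has FILE SYMBOL -> succeeds if SYMBOL=y appears in the kernel config.
config_has() {
    grep -qx "$2=y" "$1"
}

# lsm_active FILE NAME -> succeeds if NAME is in the comma-separated LSM list.
lsm_active() {
    tr ',' '\n' < "$1" | grep -qx "$2"
}

# selinux_status CONFIG LSMLIST -> prints one of:
#   not-compiled | compiled-inactive | active
selinux_status() {
    if ! config_has "$1" CONFIG_SECURITY_SELINUX; then
        echo "not-compiled"
    elif lsm_active "$2" selinux; then
        echo "active"
    else
        echo "compiled-inactive"
    fi
}

# Constructed sample input: SELinux is built in, first with only other LSMs
# active, then with selinux in the active list.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_SELINUX=y' \
        '# CONFIG_SECURITY_SMACK is not set' > "$dir/config"
    printf 'capability,yama,apparmor' > "$dir/lsm"
    selinux_status "$dir/config" "$dir/lsm"
    printf 'capability,selinux' > "$dir/lsm"
    selinux_status "$dir/config" "$dir/lsm"
    rm -rf "$dir"
}

demo
```

A result of compiled-inactive corresponds to the situation described in the reply: the kernel supports SELinux, but it has not been enabled.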





Re: NSA software in Debian

2014-01-20 Thread Hans-Christoph Steiner


On 01/20/2014 12:22 PM, Octavio Alvarez wrote:
> On 01/20/2014 05:29 AM, Marco Saller wrote:
>> I have read that the NSA proposed to include SELinux in linux 2.5. (Linux
>> Kernel Summit 2001)
>> Don't you think that may be one of their fancy tricks to gain access to
>> computers running linux? Some news websites also mention vulnerabilities
>> similar to this one.
>> It would be a great idea to include malicious software to kernel modules.
>
> It is easy to come up with that idea, and it's easy to fear it. It's
> easy to write about it and to popularize it and cause mass-delusion.
> It's difficult to prove, though.
>
> If you consider that the SELinux code is available and with so many auditing
> humans and tools it's not as easy as it sounds. It can happen, but it's
> not as easy as "they can, therefore they are".
>
> As others have said, the NSA doesn't need specific backdoors. There are
> many vulnerabilities in all software already available which are already
> being exploited.
>
> The more general problem is that not all programmers like or know
> formality and that not all developers like strict code and algorithm
> correctness. *That* is something to worry about.
>
> I wouldn't worry about SELinux specifically.


There are also so many vulnerabilities below the layer that Debian occupies.
There can be malware in BIOS and firmware blobs, there can even be malware
built into the hardware, or added later in between when it has been shipped
from the manufacturer and before it arrives at your house.  The NSA hardly has
exclusive domain over this stuff.  UK, Canada, Australia, Russia, China, Iran,
and many other countries have very capable intelligence services that are also
working on such exploits.  Then there are all the freelancers who just sell
exploits to the highest bidder.

I think the only way forward is to keep focusing on making progress and avoid
getting bogged down in the paranoia.

Deterministic Reproducible Builds is a good example of making key progress:
https://wiki.debian.org/ReproducibleBuilds

.hc

