Re: NSA software in Debian

2014-01-24 Thread Andreas Kuckartz
Marko Randjelovic: On Wed, 22 Jan 2014 12:24:27 +1100 Russell Coker russ...@coker.com.au wrote: The possibility of LSM hooks being used to hide a kernel rootkit is widely cited. But most sysadmins aren't going to find a kernel rootkit anyway so using a non-LSM security system for that

Re: NSA software in Debian

2014-01-22 Thread Andreas Kuckartz
Marko Randjelovic: Octavio Alvarez alvar...@alvarezp.ods.org wrote: I wouldn't worry about SELinux specifically. As I already pointed out, there is something: http://lists.debian.org/20140120005556.612de...@eunet.rs And Russell Coker carefully explained in his reply to your mail why that

Re: NSA software in Debian

2014-01-20 Thread Andreas Kuckartz
Kevin Olbrich: Is SELinux disabled on new Debian installs? The SELinux packages are optional. The default kernel is configured so that SELinux (or another LSM) can be enabled after the packages have been installed. Cheers, Andreas

Re: NSA software in Debian

2014-01-19 Thread Andreas Kuckartz
Bjoern Meier: http://en.wikipedia.org/wiki/Security-Enhanced_Linux I proposed this Debian Release Goal: https://wiki.debian.org/ReleaseGoals/SELinux Cheers, Andreas

Re: NSA software in Debian

2014-01-19 Thread Andreas Kuckartz
Marko Randjelovic: SELinux security benefits are vague because it makes it possible to use its hooks to add a backdoor which would be nearly impossible to detect: https://www.rsbac.org/documentation/why_rsbac_does_not_use_lsm https://grsecurity.net/lsm.php SELinux, AppArmor, Smack and

Re: SSL for debian.org/security?

2013-11-11 Thread Andreas Kuckartz
Hans-Christoph Steiner: The crypto smartcards (aka Hardware Security Module) are some work to set up, but not really all that much. And they are easy to use once set up. And they provide a huge boost in the security of the certificate. Such hardware also costs a significant amount of money. Are

Re: Does JDK7 security hole affect OpenJDK6?

2013-01-17 Thread Andreas Kuckartz
David Gerard: I would assume the recent JDK7 hole would also affect OpenJDK7, given they're pretty much the same codebase. But OpenJDK6 is based on OpenJDK7, cut down to pass JCK6. Has anyone checked if OpenJDK6 is vulnerable? CERT states this: Systems Affected Any system using Oracle

Re: Does JDK7 security hole affect OpenJDK6?

2013-01-17 Thread Andreas Kuckartz
I found CVE-2013-0422 on the TODO list: https://security-tracker.debian.org/tracker/status/todo Cheers, Andreas --- Andreas Kuckartz: David Gerard: I would assume the recent JDK7 hole would also affect OpenJDK7, given they're pretty much the same codebase. But OpenJDK6 is based on OpenJDK7