
Positions forming in the Debian init system discussion


Posted Jan 1, 2014 22:12 UTC (Wed) by bojan (subscriber, #14302)
In reply to: Positions forming in the Debian init system discussion by oldtomas
Parent article: Positions forming in the Debian init system discussion

If they are so good at it, how did they get caught out? And by Microsoft employees (according to the link you posted), of all people. I mean, these guys are supposed to be in NSA's pocket, just like the guys from Red Hat etc., right?



Positions forming in the Debian init system discussion

Posted Jan 1, 2014 23:29 UTC (Wed) by deconfliction (guest, #94407)

You don't get it. When people like me theorize about NSA infiltration of Microsoft and Redhat and Google, we don't mean that every employee is knowingly 'in the NSA's pocket' like you describe. A very small number of infiltrated or influenced employees in these organizations can compromise basically the major product and service lines. So in the case you are talking about, yes, it would be a natural part of the threat model applied to open source to have some innocent/unaware member of some company with compromised code and developers discover such a flaw in some other open source project. You keep trying to twist the debate to imply that the other side of the debate thinks "most of MS/RH/G employees are all in a vast secret spying conspiracy with the NSA". That is not what I am discussing at all. Remember, it took Snowden, a plausibly lone sysadmin gunman, to basically rip a gaping hole in the security of the NSA organization. Why does it seem so unlikely to you that the NSA isn't doing that to large, otherwise unwilling/not-cooperating-enough corporations like MS/RH/G? In all likelihood, perhaps that is where Snowden got/learned the tactical strategies to accomplish what he did?

Positions forming in the Debian init system discussion

Posted Jan 1, 2014 23:38 UTC (Wed) by mjg59 (subscriber, #23239)

There's a much easier way to obtain the same end result - just ensure that a company's security team is mostly made up of people obsessed with following federal security requirements rather than actually writing secure software, and everything else falls out naturally without anyone in the company knowing they're doing the NSA's job.

Positions forming in the Debian init system discussion

Posted Jan 2, 2014 0:58 UTC (Thu) by bojan (subscriber, #14302)

> Why does it seem so unlikely to you that the NSA isn't doing that to large, otherwise unwilling/not-cooperating-enough corporations like MS/RH/G?

You mentioned that they are doing that (possibly) through SELinux and systemd code and Red Hat employees. So, let's discuss that, because both MS and G can hide their tracks better, since they made no promise to open source anything.

Both of these code bases have easily identifiable commits, pointing directly back at the person that wrote each line. I am trying to imagine who would be stupid enough to do such a thing where every last shred of proof leads right back to them and I have a hard time doing it.

Also, they work alongside very smart people (both within their own company and outside), with access to the same code. Once they get made, what are their career choices? Who on earth is ever going to believe that Dan Brown guy, for instance?

But, as I said before (http://lwn.net/Articles/578406/), I never completely discarded that possibility. Apparently, there are idiots willing to try it, no matter how unlikely it is for them to actually pull it off.

Positions forming in the Debian init system discussion

Posted Jan 3, 2014 9:12 UTC (Fri) by marcH (subscriber, #57642)

> Both of these code bases have easily identifiable commits, pointing directly back at the person that wrote each line. I am trying to imagine who would be stupid enough to do such a thing where every last shred of proof leads right back to them and I have a hard time doing it.

You only need to pretend it was just yet another unintentional bug among many others - happens all the time.

You keep presenting open-source like the final answer to software quality. It is a fantastic weapon but it's nowhere near enough. Have you never heard about the massive shortage of Linux reviewers for instance? Static analyser reports published for free and never being looked at? Etc.

Seriously, who has enough expertise, time and money to audit the thousands of lines of SELinux policies? Only a few subtle security holes are needed in the whole haystack.

Just like any other war, the security war is mainly a question of means and logistics: basically money.

> Once they get made, what are their career choices? Who on earth is ever going to believe that Dan Brown guy, for instance?

1) See above
2) I am sure the NSA has plenty of other, less visible opportunities
3) Some employers won't care (or even better: they'll appreciate)
4) People forget

(Apologies to Dan Brown for keeping him as the rhetorical example here)


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds