Hi Rich,

Thanks for the response. I'll likely respond over the next few hours &
days in dribs and drabs...


On Tue, Aug 5, 2014 at 4:36 AM, Rich Freeman <rich0@g.o> wrote:
>
> On Mon, Aug 4, 2014 at 6:04 PM, Mark Knecht <markknecht@×××××.com> wrote:
> >
> > Essentially, what is the security model for all this source code and
> > how do I verify that it hasn't been tampered with in some manner?
>
> Duncan already gave a fairly comprehensive response. I believe the
> intent is to refactor and generally improve things when we move to
> git. Even today there aren't a lot of avenues for slipping code in
> without compromising a gentoo server or manipulating your rsync data
> transfer (if it isn't secured).
>
> But...
>
> > There's certainly lots of other issues about security, like protecting
> > passwords, protecting physical access to the network and machines, root
> > kits and the like, etc., but assuming none of that is in question (I don't
> > have any reason to think the NSA has been in my home!) ;-) I'm looking for
> > info on how the code is protected from the time it's signed off until it's
> > built and running here.
>
> You may very well be underestimating the NSA here. It has already
> come out that they hack into people's systems just to get their ssh
> keys to hack into other people's systems, even if the admins that
> they're targeting aren't of any interest otherwise. That is, you
> don't have to be a suspected terrorist/etc to be on their list.
>

Yeah, I've read that. It's my basic POV at this time that if the NSA
(or any other organization) wants something I have then they have
it already. However a good portion of my original thoughts are
along the line of your zero-day point below.

> I run a relay-only tor node (which doesn't seem to keep everybody and
> their uncle from blocking me as if I'm an exit node it seems). I'd be
> surprised if the NSA hasn't rooted my server just so that they can
> monitor my tor traffic - if they did this to all the tor relays they
> could monitor the entire network, so I would think that this would be
> a priority for them.

The book I referenced made it clear that the NSA has a whole specific
program & toolset to target tor so I suspect you're correct, or even
underestimating yourself. That said, running tor is legal so more power
to you. I ran it a little to play with and found all the 2-level security
stuff at GMail and YahooMail too much trouble to deal with.

>
> To root your system the NSA doesn't have to compromise some Gentoo
> server, or even tamper with your rsync feed. The simplest solution
> would be to just target a zero-day vulnerability in some software
> you're running. They might use a zero-day in some daemon that runs as
> root, maybe a zero-day in the kernel network stack, or a zero-day in
> your browser (those certainly exist) combined with a priv escalation
> attack. If they're just after your ssh keys they don't even need priv
> escalation. Those attacks don't require targeting Gentoo in
> particular.
>

Yep, and it's the sort of thing I was thinking about when I wrote this
yesterday:

I'm sitting here writing R code. I do it in R-Studio. How do I
know that every bit of code I run in that tool isn't being sent out to some
server? Most likely no one has done an audit of that GUI so I'm trusting
that the company isn't nefarious in nature.

I use Chrome. How do I know Chrome isn't scanning my local drives
and sending stuff somewhere? I don't.

In the limit, how would I even know if the Linux kernel was doing this? I
got source through emerge, built code using gcc, installed it by hand,
but I don't know what's really there and never will. I suspect the kernel
is likely one of the safer things on my box.

In the news yesterday was this story about some pedophile sending
child porn using GMail and then getting arrested because Google scans
'certain' attachments for known hashes. Well, that's the public story (so
far) but it seems to me that Google isn't likely creating those hashes but
getting them from the FBI, but the point is it's all being watched.

I think one way you might not be as John Le Carre-oriented as me is
that if I was the NSA and wanted inside of Linux (or M$FT or Apple) in
general, then I would simply pay people to be inside of those entities and
to do my bidding. Basic spycraft. Those folks would already be in the
kernel development area, or in KDE, or in the facilities that host the
code, or wherever, making whatever changes they want. They would have
already hacked how iOS does signing, or M$FT does updates, etc.

When it comes to security, choose whatever type you want, but how
do I as a user know that my sha-1 or pgp or whatever is what the
developers thought they were making publicly available? I don't and
probably never will.

> If your goal is to be safe from "the NSA"

It's not. Nor do I think I'll ever know if I am, so I have to assume
I'm not. Life in the modern era...

<SNIP>
>
> In the early post-Snowden days I was more paranoid, but these days
> I've basically given up worrying about the NSA.

Similar for me, although reading this book, or watching the 2-episode
Frontline story, or (fill in whatever) raises the question, but more in a
general sense. I'm far less worried about the NSA and more worried
about things like general hackers after financial info or people looking
for code I'm writing.

Thanks for all the info, and thanks to Duncan also, who I will write more
to when I've checked out all the technical stuff he posted.

Cheers,
Mark