| 1 |
Hi Rich, |
| 2 |
Thanks for the response. I'll likely respond over the next few hours & |
| 3 |
days in dribs and drabs... |
| 4 |
|
| 5 |
|
| 6 |
On Tue, Aug 5, 2014 at 4:36 AM, Rich Freeman <rich0@g.o> wrote: |
| 7 |
> |
| 8 |
> On Mon, Aug 4, 2014 at 6:04 PM, Mark Knecht <markknecht@×××××.com> wrote: |
| 9 |
> > |
| 10 |
> > Essentially, what is the security model for all this source code and |
| 11 |
how do |
| 12 |
> > I verify that it hasn't been tampered with in some manner? |
| 13 |
> |
| 14 |
> Duncan already gave a fairly comprehensive response. I believe the |
| 15 |
> intent is to refactor and generally improve things when we move to |
| 16 |
> git. Even today there aren't a lot of avenues for slipping code in |
| 17 |
> without compromising a gentoo server or manipulating your rsync data |
| 18 |
> transfer (if it isn't secured). |
| 19 |
> |
| 20 |
> But... |
| 21 |
> |
| 22 |
> > There's certainly lots of other issues about security, like protecting |
| 23 |
> > passwords, protecting physical access to the network and machines, root |
| 24 |
kits |
| 25 |
> > and the like, etc., but assuming none of that is in question (I don't |
| 26 |
have |
| 27 |
> > any reason to think the NSA has been in my home!) ;-) I'm looking for |
| 28 |
info |
| 29 |
> > on how the code is protected from the time it's signed off until it's |
| 30 |
built |
| 31 |
> > and running here. |
| 32 |
> |
| 33 |
> You may very well be underestimating the NSA here. It has already |
| 34 |
> come out that they hack into peoples systems just to get their ssh |
| 35 |
> keys to hack into other people's systems, even if the admins that |
| 36 |
> they're targeting aren't of any interest otherwise. That is, you |
| 37 |
> don't have to be a suspected terrorist/etc to be on their list. |
| 38 |
> |
| 39 |
|
| 40 |
Yeah, I've read that. It's my basic POV at this time that if the NSA |
| 41 |
(or any other organization) wants something I have then they have |
| 42 |
it already. However a good portion of my original thoughts are |
| 43 |
along the line of your zero-day point below. |
| 44 |
|
| 45 |
> I run a relay-only tor node (which doesn't seem to keep everybody and |
| 46 |
> their uncle from blocking me as if I'm an exit node it seems). I'd be |
| 47 |
> surprised if the NSA hasn't rooted my server just so that they can |
| 48 |
> monitor my tor traffic - if they did this to all the tor relays they |
| 49 |
> could monitor the entire network, so I would think that this would be |
| 50 |
> a priority for them. |
| 51 |
|
| 52 |
The book I referenced made it clear that the NSA has a whole specific |
| 53 |
program & toolset to target tor so I suspect you're correct, or even |
| 54 |
underestimating yourself. That said, running tor is legal so more power |
| 55 |
to you. I ran it a little to play with and found all the 2-level security |
| 56 |
stuff |
| 57 |
at GMail and YahooMail too much trouble to deal with. |
| 58 |
|
| 59 |
> |
| 60 |
> To root your system the NSA doesn't have to compromise some Gentoo |
| 61 |
> server, or even tamper with your rsync feed. The simplest solution |
| 62 |
> would be to just target a zero-day vulnerability in some software |
| 63 |
> you're running. They might use a zero-day in some daemon that runs as |
| 64 |
> root, maybe a zero-day in the kernel network stack, or a zero-day in |
| 65 |
> your browser (those certainly exist) combined with a priv escalation |
| 66 |
> attack. If they're just after your ssh keys they don't even need priv |
| 67 |
> escalation. Those attacks don't require targeting Gentoo in |
| 68 |
> particular. |
| 69 |
> |
| 70 |
|
| 71 |
Yep, and it's the sort of thing I was thinking about when I wrote this |
| 72 |
yesterday: |
| 73 |
|
| 74 |
I'm sitting here writing R code. I do it in R-Studio. How do I |
| 75 |
know that every bit of code I run in that tool isn't being sent out to some |
| 76 |
server? Most likely no one has done an audit of that GUI so I'm trusting |
| 77 |
that the company isn't nefarious in nature. |
| 78 |
|
| 79 |
I use Chrome. How do I know Chrome isn't scanning my local drives |
| 80 |
and sending stuff somewhere? I don't. |
| 81 |
|
| 82 |
In the limit, how would I even know if the Linux kernel was doing this? I |
| 83 |
got source through emerge, built code using gcc, installed it by hand, |
| 84 |
but I don't know what's really there and never will. I suspect the kernel |
| 85 |
is likely one of the safer things on my box. |
| 86 |
|
| 87 |
In the news yesterday was this story about some pedophile sending |
| 88 |
child porn using GMail and then getting arrested because Google scans |
| 89 |
'certain' attachments for known hashes. Well, that's the public story (so |
| 90 |
far) but it seems to me that Google isn't likely creating those hashes but |
| 91 |
getting them from the FBI, but the point is it's all being watched. |
| 92 |
|
| 93 |
I think one way you might not be as John Le Carre-oriented as me is |
| 94 |
that if I was the NSA and wanted inside of Linux (or M$FT or Apple) in |
| 95 |
general, then I would simply pay people to be inside of those entities and |
| 96 |
to do my bidding. Basic spycraft. Those folks would already be in the |
| 97 |
kernel development area, or in KDE, or in the facilities that host the |
| 98 |
code, |
| 99 |
or where ever making whatever changes they want. They would have |
| 100 |
already hacked how iOS does signing, or M$FT does updates, etc. |
| 101 |
|
| 102 |
When it comes to security, choose whatever type you want, but how |
| 103 |
do I as a user know that my sha-1 or pgp or whatever is what the |
| 104 |
developers thought they were making publicly available. I don't and |
| 105 |
probably never will. |
| 106 |
|
| 107 |
> If your goal is to be safe from "the NSA" |
| 108 |
|
| 109 |
It's not. Nor do I think I'll ever know if I am so I have to assume |
| 110 |
I'm not. Life in the modern era... |
| 111 |
|
| 112 |
<SNIP> |
| 113 |
> |
| 114 |
> In the early post-Snowden days I was more paranoid, but these days |
| 115 |
> I've basically given up worrying about the NSA. |
| 116 |
|
| 117 |
Similar for me, although reading this book, or watching the 2-episode |
| 118 |
Frontline story, or (fill in whatever) raises the question, but more in a |
| 119 |
general sense. I'm far less worried about the NSA and more worried |
| 120 |
about things like general hackers after financial info or people looking |
| 121 |
for code I'm writing. |
| 122 |
|
| 123 |
Thanks for all the info, and thanks to Duncan also who I will write more |
| 124 |
too when I've checked out all the technical stuff he posted. |
| 125 |
|
| 126 |
Cheers, |
| 127 |
Mark |
Archives