| 1 |
Hello all, |
| 2 |
|
| 3 |
I've been very interested in this topic myself, so I'll pile on my |
| 4 |
question after answering one of Mark's |
| 5 |
|
| 6 |
<Snip> |
| 7 |
On 05/08/2014 1:50 PM, Mark Knecht wrote: |
| 8 |
> I'm sitting here writing R code. I do it in R-Studio. How do I |
| 9 |
> know that every bit of code I run in that tool isn't being sent out to |
| 10 |
> some |
| 11 |
> server? Most likely no one has done an audit of that GUI so I'm trusting |
| 12 |
> that the company isn't nefarious in nature. |
| 13 |
> |
| 14 |
> I use Chrome. How do I know Chrome isn't scanning my local drives |
| 15 |
> and sending stuff somewhere? I don't. |
| 16 |
> |
| 17 |
> In the limit, how would I even know if the Linux kernel was doing this? I |
| 18 |
> got source through emerge, built code using gcc, installed it by hand, |
| 19 |
> but I don't know what's really there and never will. I suspect the kernel |
| 20 |
> is likely one of the safer things on my box. |
| 21 |
> |
| 22 |
|
| 23 |
The answer to most things security related seems to be independent |
| 24 |
verification. If you're going to be the person to do that verification |
| 25 |
because you don't trust others to do it or can't find proof that it's |
| 26 |
been done, then there are two factors at play; time and money. |
| 27 |
|
| 28 |
Where you're only running your own traffic through your system (unlike |
| 29 |
Duncan's TOR example) this is relatively easy and cheap to accomplish. |
| 30 |
For ~$100 you can buy a consumer grade switch with a configurable |
| 31 |
mirroring port which will effectively passively sniff all the traffic |
| 32 |
going through the switch. You then connect this mirrored port to a spare |
| 33 |
junker computer running optimally a different distro of linux like |
| 34 |
Security Onion or anything else with TCPDump capturing full packet |
| 35 |
captures which you can do analytics on. I do the same for my home |
| 36 |
network to detect compromised hosts and to see if I'm under attack for |
| 37 |
any reason. Things I find useful for getting a finger on the pulse are: |
| 38 |
|
| 39 |
- DNS Query monitoring to see who my home network is reaching out to |
| 40 |
- GeoIPLookup mappings against bandwidth usage to see if lots of data |
| 41 |
is being slurped out of my environment |
| 42 |
- BroIDS, Snorby and Squert (security onion suite of tools) for at a |
| 43 |
glance view of things going wrong and the ability to dig into events quickly |
| 44 |
|
| 45 |
My question is what kind of independent validation, or even peer review, |
| 46 |
is done over the core of Gentoo? Now that new users are being pushed to |
| 47 |
use the Stage3 tarball and genkernel, is seems to me that much of the |
| 48 |
core of the Gentoo system is a "just trust me" package. What I love |
| 49 |
about the Stage 1 approach is you get all the benefits of compiling the |
| 50 |
system as you go, essentially from scratch and customized for your |
| 51 |
system, and all the benefits of the scrutiny Duncan mentioned applying |
| 52 |
to ebuilds is applied. There is much more control in the hands of the |
| 53 |
person using Stage 1, and it's a smaller footprint for someone to |
| 54 |
independently validate malicious code didn't get introduced into it. |
| 55 |
Should someone have been manipulated to put something malicious into the |
| 56 |
stage3 tarball it could much more easily give a permanent foothold over |
| 57 |
your system to a malicious 3rd party (think rootkit) then stage 1 would |
| 58 |
allow. |
| 59 |
|
| 60 |
Thanks to anyone who can provide light on the topic, |
| 61 |
Max |
Archives