Hello all,

I've been very interested in this topic myself, so I'll pile on my
question after answering one of Mark's.

<Snip>
On 05/08/2014 1:50 PM, Mark Knecht wrote:
> I'm sitting here writing R code. I do it in R-Studio. How do I
> know that every bit of code I run in that tool isn't being sent out to
> some server? Most likely no one has done an audit of that GUI so I'm trusting
> that the company isn't nefarious in nature.
>
> I use Chrome. How do I know Chrome isn't scanning my local drives
> and sending stuff somewhere? I don't.
>
> In the limit, how would I even know if the Linux kernel was doing this? I
> got source through emerge, built code using gcc, installed it by hand,
> but I don't know what's really there and never will. I suspect the kernel
> is likely one of the safer things on my box.
>

The answer to most things security related seems to be independent
verification. If you're going to be the person to do that verification
because you don't trust others to do it or can't find proof that it's
been done, then there are two factors at play: time and money.

Where you're only running your own traffic through your system (unlike
Duncan's TOR example) this is relatively easy and cheap to accomplish.
For ~$100 you can buy a consumer grade switch with a configurable
mirroring port which will effectively passively sniff all the traffic
going through the switch. You then connect this mirrored port to a spare
junker computer running, ideally, a different Linux distro like
Security Onion or anything else with tcpdump capturing full packet
captures which you can do analytics on. I do the same for my home
network to detect compromised hosts and to see if I'm under attack for
any reason. Things I find useful for getting a finger on the pulse are:

- DNS query monitoring to see who my home network is reaching out to
- GeoIP lookup mappings against bandwidth usage to see if lots of data
  is being slurped out of my environment
- Bro IDS, Snorby and Squert (the Security Onion suite of tools) for an
  at-a-glance view of things going wrong and the ability to dig into events quickly

My question is what kind of independent validation, or even peer review,
is done over the core of Gentoo? Now that new users are being pushed to
use the Stage 3 tarball and genkernel, it seems to me that much of the
core of the Gentoo system is a "just trust me" package. What I love
about the Stage 1 approach is you get all the benefits of compiling the
system as you go, essentially from scratch and customized for your
system, and all the benefits of the scrutiny Duncan mentioned applying
to ebuilds are applied. There is much more control in the hands of the
person using Stage 1, and it's a smaller footprint for someone to
independently validate malicious code didn't get introduced into it.
Should someone have been manipulated into putting something malicious into the
Stage 3 tarball it could much more easily give a permanent foothold over
your system to a malicious third party (think rootkit) than Stage 1 would
allow.

Thanks to anyone who can provide light on the topic,
Max
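The monitoring Max describes above (full packet capture on a mirror port, DNS query monitoring, GeoIP mappings against bandwidth usage) as an added example that is not part of the original thread: a small Python script that parses the query lines tcpdump prints for DNS traffic, summarises who each internal host looked up, and totals outbound bytes per destination country so that an unexpectedly large upload stands out. The tcpdump lines, the flow records and the prefix-to-country table are all constructed sample data; the table is a hypothetical stand-in for a real GeoIP database, and the hostnames, thresholds and function names are my assumptions, not anything from the post.

```python
"""Summarise DNS queries and outbound volume from captured home-network traffic.

Added example for the thread above, not code from the original post.
All inputs below are constructed; the GEO_TABLE is a hypothetical stand-in
for a GeoIP database such as geoiplookup uses.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of what `tcpdump -n udp port 53` prints. Addresses use
# documentation ranges and the names are made up; the last line is a reply,
# not a query, and must be ignored by the parser.
SAMPLE_DNS_LINES = """\
12:00:01.100000 IP 192.168.1.10.51234 > 192.168.1.1.53: 12345+ A? www.gentoo.org. (32)
12:00:02.200000 IP 192.168.1.10.51235 > 192.168.1.1.53: 12346+ AAAA? www.gentoo.org. (32)
12:00:03.300000 IP 192.168.1.20.40001 > 192.168.1.1.53: 2+ A? updates.example.net. (37)
12:00:04.400000 IP 192.168.1.20.40002 > 192.168.1.1.53: 3+ A? a1b2c3d4e5f6.exfil.test. (41)
12:00:05.500000 IP 192.168.1.1.53 > 192.168.1.10.51234: 12345 1/0/0 A 203.0.113.5 (48)
"""

# Matches outbound query lines only (destination port 53, "TYPE? name").
DNS_QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.\d+ > (?P<resolver>[\d.]+)\.53: "
    r"\d+\+?(?: \[[^\]]*\])? (?P<qtype>[A-Z0-9]+)\? (?P<name>\S+) \("
)


def parse_dns_queries(text):
    """Return one dict (ts, src, resolver, qtype, name) per DNS query line."""
    queries = []
    for line in text.splitlines():
        m = DNS_QUERY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["name"] = rec["name"].rstrip(".").lower()
            queries.append(rec)
    return queries


def names_per_client(queries):
    """Map each internal client to a Counter of the names it looked up."""
    table = defaultdict(Counter)
    for q in queries:
        table[q["src"]][q["name"]] += 1
    return table


def suspicious_names(queries, min_label_len=10):
    """Cheap heuristic: names whose leftmost label is long and mixes letters
    and digits, the shape DNS-tunnelling and DGA lookups tend to have."""
    hits = []
    for q in queries:
        label = q["name"].split(".")[0]
        if (len(label) >= min_label_len and any(c.isdigit() for c in label)
                and any(c.isalpha() for c in label) and q["name"] not in hits):
            hits.append(q["name"])
    return hits


# Constructed flow summaries (client, remote, bytes sent by the client), the
# sort of thing a Bro conn log or a pass over a pcap would yield.
SAMPLE_FLOWS = [
    ("192.168.1.10", "203.0.113.5", 48_000),
    ("192.168.1.10", "198.51.100.7", 12_000),
    ("192.168.1.20", "198.51.100.7", 9_000),
    ("192.168.1.20", "192.0.2.9", 850_000_000),
]

# Hypothetical prefix -> country table; a real setup would query GeoIP data.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
}


def country_for(ip):
    """Country code for an address, or '??' when the table has no prefix for it."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def upload_bytes_by_country(flows):
    """Total bytes sent out of the network, keyed by destination country."""
    totals = Counter()
    for _client, remote, nbytes in flows:
        totals[country_for(remote)] += nbytes
    return totals


def flag_heavy_uploads(flows, threshold_bytes=100 * 1024 * 1024):
    """Client/remote pairs that pushed more than threshold_bytes outbound."""
    return [(c, r, country_for(r), n) for c, r, n in flows if n > threshold_bytes]


if __name__ == "__main__":
    qs = parse_dns_queries(SAMPLE_DNS_LINES)
    for client, names in names_per_client(qs).items():
        print(client, dict(names))
    print("odd-looking names:", suspicious_names(qs))
    print("upload bytes by country:", dict(upload_bytes_by_country(SAMPLE_FLOWS)))
    print("heavy uploads:", flag_heavy_uploads(SAMPLE_FLOWS))
```

On a real capture box the DNS lines would come from `tcpdump -n -l udp port 53` piped into the parser and the flow records from whatever connection log the capture tool writes; the point of the per-country totals is that a single host sending hundreds of megabytes to an address the GeoIP table cannot place is exactly the "data being slurped out" case the post wants to spot.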