On Mon, Aug 4, 2014 at 6:04 PM, Mark Knecht <markknecht@×××××.com> wrote:
>
> Essentially, what is the security model for all this source code and how do
> I verify that it hasn't been tampered with in some manner?

Duncan already gave a fairly comprehensive response. I believe the
intent is to refactor and generally improve things when we move to
git. Even today there aren't a lot of avenues for slipping code in
without compromising a Gentoo server or manipulating your rsync data
transfer (if it isn't secured).

But...

> There's certainly lots of other issues about security, like protecting
> passwords, protecting physical access to the network and machines, root kits
> and the like, etc., but assuming none of that is in question (I don't have
> any reason to think the NSA has been in my home!) ;-) I'm looking for info
> on how the code is protected from the time it's signed off until it's built
> and running here.

You may very well be underestimating the NSA here. It has already
come out that they hack into people's systems just to get their ssh
keys to hack into other people's systems, even if the admins that
they're targeting aren't of any interest otherwise. That is, you
don't have to be a suspected terrorist/etc to be on their list.

I run a relay-only tor node (which doesn't seem to keep everybody and
their uncle from blocking me as if I'm an exit node, it seems). I'd be
surprised if the NSA hasn't rooted my server just so that they can
monitor my tor traffic - if they did this to all the tor relays they
could monitor the entire network, so I would think that this would be
a priority for them.

To root your system the NSA doesn't have to compromise some Gentoo
server, or even tamper with your rsync feed. The simplest solution
would be to just target a zero-day vulnerability in some software
you're running. They might use a zero-day in some daemon that runs as
root, maybe a zero-day in the kernel network stack, or a zero-day in
your browser (those certainly exist) combined with a priv escalation
attack. If they're just after your ssh keys they don't even need priv
escalation. Those attacks don't require targeting Gentoo in
particular.

If your goal is to be safe from "the NSA" then I think you need to
fundamentally rethink your approach to security. I'd recommend
verifying, signing, and verifying all code that runs (think iOS). I
doubt that any linux distro is going to suit your needs unless you
just use it as a starting point for a fork.

However, I do think that Gentoo can do a better job of securing code
than it does today, and that is a worthwhile goal. I doubt it would
stop the NSA, but we certainly can do something about lesser threats
that don't:
1. Have a 12-figure budget.
2. Have complete immunity from prosecution.
3. Have an army of the best cryptographers in the world, etc.
4. Have privileged access to the routers virtually all of your
traffic travels over.
5. Have the ability to obtain things like trusted SSL certs at will
(though I don't think anybody has caught them doing this one).

In the early post-Snowden days I was more paranoid, but these days
I've basically given up worrying about the NSA. After the ssh key
revelations I just assume they have root on my box - I just wish
they'd be nice enough to close up any other vulnerabilities they find
so that others don't get root, and maybe let me access whatever
backups they've made if for some reason I lose access to my own
backups. I still try to keep things as secure as I can to keep
everybody else out, but hiding from the NSA is a tall order.

Oh yeah, if they have compromised my box you can assume they have my
Gentoo ssh key and password and gpg key if they actually want them...
:)

Rich
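The thread's underlying question (how a user checks that the synced tree matches what was signed off) comes down to per-file integrity data that is itself covered by a signature. The following is an added example, not code from this list or from Gentoo's own tooling: it writes a simplified, Manifest2-style `DATA` listing (name, size, BLAKE2B and SHA512 digests; the exact layout is an assumption here) for a constructed tree of sample files, then verifies the tree against it and reports size mismatches, digest mismatches and files that are present on disk but not listed. Checking the signature on the Manifest itself (which is what binds the listing to a trusted signing key) is the separate step the example does not perform.

```python
import hashlib
import os
import tempfile

CHUNK = 65536


def hash_file(path):
    """Return (size, blake2b_hex, sha512_hex) for a file, streamed in chunks."""
    b2 = hashlib.blake2b()
    s512 = hashlib.sha512()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            size += len(chunk)
            b2.update(chunk)
            s512.update(chunk)
    return size, b2.hexdigest(), s512.hexdigest()


def write_manifest(root, rel_paths):
    """Produce Manifest2-style DATA lines (assumed layout) for the given files."""
    lines = []
    for rel in sorted(rel_paths):
        size, b2, s512 = hash_file(os.path.join(root, rel))
        lines.append(f"DATA {rel} {size} BLAKE2B {b2} SHA512 {s512}")
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Map relative path -> (size, {algo: hexdigest}); reject malformed lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if parts[0] != "DATA" or len(parts) < 5 or (len(parts) - 3) % 2:
            raise ValueError(f"malformed Manifest line: {line!r}")
        entries[parts[1]] = (int(parts[2]), dict(zip(parts[3::2], parts[4::2])))
    return entries


def verify_tree(root, manifest_text):
    """Return a list of problems; an empty list means the tree matches the Manifest."""
    problems = []
    entries = parse_manifest(manifest_text)
    for rel, (size, digests) in entries.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            problems.append(f"{rel}: missing")
            continue
        actual_size, b2, s512 = hash_file(path)
        actual = {"BLAKE2B": b2, "SHA512": s512}
        if actual_size != size:
            problems.append(f"{rel}: size mismatch")
        for algo, expected in digests.items():
            if algo not in actual:
                problems.append(f"{rel}: unsupported hash {algo}")
            elif actual[algo] != expected:
                problems.append(f"{rel}: {algo} mismatch")
    # Anything on disk that the Manifest does not cover is also a finding:
    # an injected file is invisible to a checker that only walks the listing.
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel != "Manifest" and rel not in entries:
                problems.append(f"{rel}: not listed in Manifest")
    return problems


def demo():
    """Constructed sample tree: verify clean, then tamper and verify again."""
    with tempfile.TemporaryDirectory() as root:
        sample = {  # constructed file contents, not real ebuilds
            "foo-1.0.ebuild": b"EAPI=8\nDESCRIPTION=\"sample\"\n",
            "files/foo-1.0-build.patch": b"--- a/Makefile\n+++ b/Makefile\n",
        }
        for rel, data in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        manifest = write_manifest(root, sample)
        with open(os.path.join(root, "Manifest"), "w") as fh:
            fh.write(manifest)
        clean = verify_tree(root, manifest)
        # Tamper: append to a listed file and drop in an unlisted one.
        with open(os.path.join(root, "foo-1.0.ebuild"), "ab") as fh:
            fh.write(b"# injected line\n")
        with open(os.path.join(root, "files", "extra.patch"), "wb") as fh:
            fh.write(b"unlisted\n")
        tampered = verify_tree(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean tree:", before or "OK")
    print("tampered tree:", *after, sep="\n  ")
```

The digest check only proves the tree matches the Manifest; it is the signature over the Manifest, verified against a key you trust, that turns this into evidence the tree matches what was signed off, which is why a checker should treat an unsigned or badly signed Manifest as a failure rather than falling back to the hashes alone.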