| 1 |
On Mon, Aug 4, 2014 at 6:04 PM, Mark Knecht <markknecht@×××××.com> wrote: |
| 2 |
> |
| 3 |
> Essentially, what is the security model for all this source code and how do |
| 4 |
> I verify that it hasn't been tampered with in some manner? |
| 5 |
|
| 6 |
Duncan already gave a fairly comprehensive response. I believe the |
| 7 |
intent is to refactor and generally improve things when we move to |
| 8 |
git. Even today there aren't a lot of avenues for slipping code in |
| 9 |
without compromising a gentoo server or manipulating your rsync data |
| 10 |
transfer (if it isn't secured). |
| 11 |
|
| 12 |
But... |
| 13 |
|
| 14 |
> There's certainly lots of other issues about security, like protecting |
| 15 |
> passwords, protecting physical access to the network and machines, root kits |
| 16 |
> and the like, etc., but assuming none of that is in question (I don't have |
| 17 |
> any reason to think the NSA has been in my home!) ;-) I'm looking for info |
| 18 |
> on how the code is protected from the time it's signed off until it's built |
| 19 |
> and running here. |
| 20 |
|
| 21 |
You may very well be underestimating the NSA here. It has already |
| 22 |
come out that they hack into peoples systems just to get their ssh |
| 23 |
keys to hack into other people's systems, even if the admins that |
| 24 |
they're targeting aren't of any interest otherwise. That is, you |
| 25 |
don't have to be a suspected terrorist/etc to be on their list. |
| 26 |
|
| 27 |
I run a relay-only tor node (which doesn't seem to keep everybody and |
| 28 |
their uncle from blocking me as if I'm an exit node it seems). I'd be |
| 29 |
surprised if the NSA hasn't rooted my server just so that they can |
| 30 |
monitor my tor traffic - if they did this to all the tor relays they |
| 31 |
could monitor the entire network, so I would think that this would be |
| 32 |
a priority for them. |
| 33 |
|
| 34 |
To root your system the NSA doesn't have to compromise some Gentoo |
| 35 |
server, or even tamper with your rsync feed. The simplest solution |
| 36 |
would be to just target a zero-day vulnerability in some software |
| 37 |
you're running. They might use a zero-day in some daemon that runs as |
| 38 |
root, maybe a zero-day in the kernel network stack, or a zero-day in |
| 39 |
your browser (those certainly exist) combined with a priv escalation |
| 40 |
attack. If they're just after your ssh keys they don't even need priv |
| 41 |
escalation. Those attacks don't require targeting Gentoo in |
| 42 |
particular. |
| 43 |
|
| 44 |
If your goal is to be safe from "the NSA" then I think you need to |
| 45 |
fundamentally rethink your approach to security. I'd recommend |
| 46 |
verifying, signing, and verifying all code that runs (think iOS). I |
| 47 |
doubt that any linux distro is going to suit your needs unless you |
| 48 |
just use it as a starting point for a fork. |
| 49 |
|
| 50 |
However, I do think that Gentoo can do a better job of securing code |
| 51 |
than it does today, and that is a worthwhile goal. I doubt it would |
| 52 |
stop the NSA, but we certainly can do something about lesser threats |
| 53 |
that don't: |
| 54 |
1. Have a 12-figure budget. |
| 55 |
2. Have complete immunity from prosecution. |
| 56 |
3. Have an army of the best cryptographers in the world, etc. |
| 57 |
4. Have privileged access to the routers virtually all of your |
| 58 |
traffic travels over. |
| 59 |
5. Have the ability to obtain things like trusted SSL certs at will |
| 60 |
(though I don't think anybody has caught them doing this one). |
| 61 |
|
| 62 |
In the early post-Snowden days I was more paranoid, but these days |
| 63 |
I've basically given up worrying about the NSA. After the ssh key |
| 64 |
revelations I just assume they have root on my box - I just wish |
| 65 |
they'd be nice enough to close up any other vulnerabilities they find |
| 66 |
so that others don't get root, and maybe let me access whatever |
| 67 |
backups they've made if for some reason I lose access to my own |
| 68 |
backups. I still try to keep things as secure as I can to keep |
| 69 |
everybody else out, but hiding from the NSA is a tall order. |
| 70 |
|
| 71 |
Oh yeah, if they have compromised my box you can assume they have my |
| 72 |
Gentoo ssh key and password and gpg key if they actually want them... |
| 73 |
:) |
| 74 |
|
| 75 |
Rich |
Archives