NSA Releases Open Source Network Security Tool for Linux

Discussion in 'all things UNIX' started by lotuseclat79, Jul 20, 2015.

  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I'm not sure that I'd trust an NSA tool. How many outside US government would? Or should, I mean?
     
  3. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    The article specifies that the tool was released mainly for the US government (and related agencies) to use. So I wouldn't count on other governments to use it. What I don't understand though is what this tool actually do - could someone enlighten me, please? :)
     
  4. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Why would they backdoor or punch holes in something that's open source? I don't think they like getting caught
     
  5. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    If FSB ( the Russian Security Bureau) releases an open source linux security tool, how many outside Russian government would like to use it? Will you prefer to test it?

    So why should American NSA be any different?
     
  6. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    I took the linkbait and followed through to https://github.com/NationalSecurityAgency/SIMP github.com/NationalSecurityAgency/SIMP

    "Much ado about nothing" ~~ so far, that's the status quo.
    The github pages currently amount to nothing other than a placemarker, reserved for future use
    (and, in the meantime, serving as a honeypot destination for chumps like me)

    Interestingly (or not), 129 github denizens have already "forked" the emptyshell SIMP repo.

    No, but reading through the code might be interesting/enlightening reading, eh?
    Also, I have this wild idea (inkling) that creation/announcement of this SIMP repo is intended, at least partially, as a recruitment tendril.
    Good pay, free South American vacations with all expenses (and prostitutes) included ~~ yeah, that's an appealing prospect.
     
    Last edited: Jul 23, 2015
  7. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    That's really not the point. It is completely possible to hide a backdoor in one "open source" project, for many reasons such as:

    * Almost nobody will go through all lines of code;
    * Not many people are skilled to spot backdoors;
    * If a backdoor is present, the publisher could say it's a simple "bug";
    * A simple bug could hide a potential backdoor.

    Heck, even TrueCrypt's source code hasn't been fully analized for a decade, yet people assumed that somebody should have looked into the code and that it was supposedly clean. Only a full code review can say that, and in the case of Linux, which has almost 20 million lines of code, it's impossible to make a complete audit on it.

    So yes, you might as well have a backdoor in your Linux system right now, that hasn't been yet discovered and probably will be undiscovered for decades. Or worse, will never be discovered.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Also, vulnerabilities that facilitate access can be very subtle, and can depend on very subtle vulnerabilities in other software and firmware. So there's much more involved than reviewing code.
     
  9. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Exactly.

    There's a possibility, even though unlikely, that a few lines of code into key programs (e.g. network stack, encryption drivers, random number generators) will turn out to be a backdoor, even though separately they seem "OK".
     
  10. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    473
    Location:
    Neo Tokyo
    http://blog.cryptographyengineering.com/2015/04/truecrypt-report.html
     
  11. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
  12. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    473
    Location:
    Neo Tokyo
    Well, apparently those 99.999% of people were right and you were wrong with your assumption that Open source = nobody's gives a flying ~ Snipped as per TOS ~ checking the source code, I can assure you when it comes to major open source projects (Can't talk for smaller projects) the source code is under heavy scrutiny and constant auditing, and that's an undeniably fact.
     
    Last edited by a moderator: Jul 26, 2015
  13. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    That is not what I said, please don't spread misinformation.

    What I said is, just because a program has it's source code open doesn't mean it can't contain backdoors, and it also doesn't mean that somebody is checking the source code for them. The most obvious example was OpenSSL: people assumed that other people were looking in the code and searching for vulnerabilities, "because it has its source code open and it's critical for security".. Yet, the "genius lamp" saying "WE SHOULD REALLY FUND THIS AND ACTUALLY READ THE CODE" only appeared on the top of our heads AFTER OpenSSL had compromised hundreds of thousands of Linux systems.

    It's hard to analize long code and it takes a hell of a time and money to do so. The example I gave earlier, TrueCrypt, has only 3 MB of compiled source, and it took months and 70,000 dollars to make sure it didn't contain backdoors. Imagine more complex programs, like the Linux Kernel which has almost 20 million lines of code: even if we started out today to see if Linux has a backdoor, we probably wouldn't finish the task, ever.

    And this is just for one program. Imagine the efforts that would take to analize all lines of code of the most OpenSource'd programs out there. We might never ever ever know.

    So yes, as off right now, Linux might have one or multiple backdoors, just like OpenSSL had. It doesn't matter that it has it's source code open.
     
    Last edited by a moderator: Jul 26, 2015
  14. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    473
    Location:
    Neo Tokyo
    You can't really compare TrueCrypt, OpenSSL and Linux kernel, the later has literally thousands of people around the globe that have their eyes on the code on a daily basis, including big companies like Red hat. so yeah it's possible (but unlikely) to "hide" a backdoor (or exploit a bug to have a kernel access which is more likely) somewhere into the Linux kernel but then this happens...

    https://lwn.net/Articles/57135/
     
  15. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Do the math, it's impossible to review and analize all lines of code of Linux. And thousands of developers won't do the job, specially since what they mostly do is analize the "diff" on each patch or analize the new features that are pushed, and not the old lines. Nobody is going to invest that ammount of money into looking at Linux's code.
    We literaly have to trust that Linus hasn't allowed a backdoor by mistake.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.