[GLLUG] RedHat spooked ?

Alain Williams addw at phcomp.co.uk
Thu Jun 19 20:42:24 UTC 2014 

Today I have been at the RedHat forum in London. This was largely about what is new in RHEL 7
(released recently). There is much in there that is interesting and I have been looking forwards to.
RedHat has been my distro of preference for almost 20 years.

One question asked but curiously answered has got me very worried - it was the question that I was going to ask.
The question was asked to Graham Biswell (RedHat Principle Solution Architect, UK & Ireland).

Question: What assurances can you give us that RedHat has not been spooked by the NSA.

Answer: Please raise that on a support ticket to be given an answer in writing.

(Wording prob inexact, by my memory, but the right sentiment.)

This raises all sorts of interesting questions:

* Are there any NSA  back doors in RedHat - in the same way that seems likely with products from
Microsoft and other proprietary vendors ?

* Do the compiled RedHat binaries reflect exactly the sources that they publish ?

* Do any of the RedHat patches generate a NSA backdoor ?

* Did Mr Biswell answer as he did because he has sufficient integrity to want to not lie ?

* Have I been complacent in assuming that Open Source distributions have not been spooked ?

* Earlier this year RedHat took over the (European) CentOS project (in essence). We were given several
commercial reasons as to why this makes sense for RedHat. Is another reason that this brings CentOS
under RedHat control and thus subject to the demands of the NSA (via the Patriot act or whatever) ?

* Should I be compiling and using my own: kernels, glib, openssl and ssh ?

* Am I being overly paranoid ? I think that I need to be.

Please note: it is not my intention to libel anyone, however this is an important area where tough
questions need to be asked. We cannot, unfortunately, accept what we are told at face value - Edward
Snowden has shown us that.

I am not aware of a project that recompiles (the important parts of) Linux distros with the aim of
verifying that they have not been spooked.  Is anyone aware of one ? Creating such a project would
be interesting and although some progress would be easy, it is probably hard to do properly and
fully [think validating the compiler].  This probably ought to also be done for: Suse, Debian and
others.

If we find nothing does this enhance the reputation of Open Source or just show that the NSA is more
devious than we thought ?

(I use the term 'NSA' as a sobriquet for all of the world's spooks and security services.)


-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>

More information about the GLLUG mailing list