[GLLUG] RedHat spooked ?
mike at coruscant.org.uk
Thu Jun 19 23:07:25 UTC 2014
On 19/06/14 21:41, Alain Williams wrote:
> Question: What assurances can you give us that RedHat has not been spooked by the NSA.
> Answer: Please raise that on a support ticket to be given an answer in writing.
> This raises all sorts of interesting questions:
> * Are there any NSA back doors in RedHat - in the same way that seems likely with products from
> Microsoft and other proprietary vendors ?
s/likely/certain/ - Microsoft at the least deliberately backdoored all
their crypto for Outlook.com for FBI/NSA access, and the old NSAKEY
thing goes back years.
> * Do the compiled RedHat binaries reflect exactly the sources that they publish ?
That's the big question, isn't it.
> * Do any of the RedHat patches generate a NSA backdoor ?
I would doubt it, *if* the patches are open source. It would be too easy
to find a deliberately introduced exploit confined to a vendor patchset,
and too damaging to the vendor once found. That's no guarantee though.
> * Did Mr Biswell answer as he did because he has sufficient integrity to want to not lie ?
Perhaps, perhaps not - hard to be sure. I don't think the question is a
very good one, to be honest. It's the one you want answered, but it's
also the one you can't ever guarantee an honest answer to, because you
will never know whether he is under duress.
The better question is something like "How is RedHat working to
demonstrate that all binaries are verifiably buildable from published
sources?" If they can do that, then they can just engage an external
(non-US) company to do ongoing security audits of the open code, and
provide a good level of security assurance.
> * Have I been complacent in assuming that Open Source distributions have not been spooked ?
We know at this stage that the NSA has attempted to place algorithm
level backdoors in crypto (i.e. the elliptic curve magic numbers). We've
seen Truecrypt go dark in a way that strongly suggests a warrant canary
situation, and there have in the past been attempts made by parties
unknown to place privilege escalation backdoors in the kernel, and these
are only the ones that come to mind. Snowden's revelations show us that
the NSA has made a habit of intercepting and backdooring network
equipment without the knowledge of the vendor.
I'd find it surprising if RedHat has not been the target of the NSA. The
question to ask is whether or not the company has been compelled to
assist. The only safeguard is transparency - all binaries must have full
source available, and it must be demonstrably possible to cleanly
rebuild identical binaries. You should also be suspicious of drivers
that upload binary blob firmware, as that could have been backdoored
separately. It's not a happy situation any more, and in the absence of
proof otherwise, the default should be to assume that US companies are
working with the NSA (willingly or otherwise).
> * Earlier this year RedHat took over the (European) CentOS project (in essence). We were given several
> commercial reasons as to why this makes sense for RedHat. Is another reason that this brings CentOS
> under RedHat control and thus subject to the demands of the NSA (via the Patriot act or whatever) ?
Personally, I doubt it. But the points above hold equally true for
CentOS - verifiable rebuilds should be a requirement.
> * Should I be compiling and using my own: kernels, glib, openssl and ssh ?
"Reflections on trusting trust" comes to mind - you'd have to start by
building your own compiler.
> * Am I being overly paranoid ?
Not any more, sadly.
> Please note: it is not my intention to libel anyone, however this is an important area where tough
> questions need to be asked. We cannot, unfortunately, accept what we are told at face value - Edward
> Snowden has shown us that.
The tough questions don't help. You won't get an honest answer from
someone who can be put in prison in their home country for telling you
the truth. At *best*, you'll get an honest man to prevaricate in such a
way as to engender doubt. Maybe that's what just happened.... We've
already seen what happens when honest people get NSLs - Lavabit.... For
a public company, that isn't an option.
> I am not aware of a project that recompiles (the important parts of) Linux distros with the aim of
> verifying that they have not been spooked. Is anyone aware of one ?
Debian is trying, but it's not there yet. OpenBSD is probably more
trustworthy than most - development has been done outside the USA for a
long time, IIRC.
> If we find nothing does this enhance the reputation of Open Source or just show that the NSA is more
> devious than we thought ?
I think the very fact that we can look effectively enhances the
reputation of open source. I can't say that any Linux distribution
hasn't been backdoored, but I would say that in light of the Snowden
documents, I find it inconceivable that Windows and Mac OS X have *not*
been backdoored. The full-disk crypto offered by Microsoft and Apple
must surely be considered snake oil at this point, in the absence of
full code availability, verifiable builds, and an independent audit.
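The thread's recurring demand is that a distribution's binaries be "demonstrably possible to cleanly rebuild" into identical artifacts from published sources. The following is an added example, not code from the thread or from any distribution's build system, showing in miniature why that is harder than it sounds: a naive packaging step bakes the build time into the tar members and the gzip header, so two honest rebuilds of the same sources differ and a reviewer cannot tell a compromised build from a merely noisy one. The normalized build fixes every such source of variation so that a rebuild either matches the published digest or signals a real discrepancy. The sample source tree, the uid value and the build timestamps are constructed for the example.

```python
"""Added example (not from the GLLUG thread): why 'verifiable rebuild'
needs a normalized build step, using only the Python standard library."""
import gzip
import hashlib
import io
import tarfile
import time

# Constructed sample "source tree" of a tiny package: path -> file content.
SAMPLE_TREE = {
    "pkg/bin/hello": b"#!/bin/sh\necho hello\n",
    "pkg/etc/hello.conf": b"greeting=hello\n",
}

# Constructed: the uid of whoever happened to run the naive build.
_BUILDER_UID = 1000


def build_package(tree, normalize, build_time=None):
    """Package `tree` as a .tar.gz and return the bytes.

    normalize=False mimics a careless build: each member's mtime, the
    gzip header mtime, and the owner uid/gid all record the build
    environment, so the output changes from run to run.

    normalize=True pins every such field to a fixed value and emits
    members in sorted order, which is what a reproducible-build process
    does so that independent rebuilds yield byte-identical output.
    """
    if build_time is None:
        build_time = time.time()
    raw = io.BytesIO()
    # gzip stores a modification time in its header; a reproducible build
    # pins it (the equivalent of `gzip -n`).
    gz = gzip.GzipFile(fileobj=raw, mode="wb",
                       mtime=0 if normalize else build_time)
    with tarfile.open(fileobj=gz, mode="w") as tar:
        paths = sorted(tree) if normalize else list(tree)
        for path in paths:
            data = tree[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = 0 if normalize else int(build_time)
            info.uid = info.gid = 0 if normalize else _BUILDER_UID
            tar.addfile(info, io.BytesIO(data))
    gz.close()  # writes the gzip trailer
    return raw.getvalue()


def sha256_hex(blob):
    """Digest a built artifact; this is what a vendor would publish."""
    return hashlib.sha256(blob).hexdigest()


def verify_rebuild(published_digest, tree):
    """Rebuild `tree` independently (normalized, at the current time) and
    report whether it matches the published digest. A False result means
    either the published artifact was not built from these sources or the
    build is not yet reproducible; either way it needs investigation."""
    rebuilt = build_package(tree, normalize=True)
    return sha256_hex(rebuilt) == published_digest


def demo():
    """Return (naive_builds_match, normalized_builds_match, rebuild_verified)."""
    t1, t2 = 1_400_000_000, 1_400_000_060   # constructed: builds a minute apart
    naive_a = sha256_hex(build_package(SAMPLE_TREE, False, t1))
    naive_b = sha256_hex(build_package(SAMPLE_TREE, False, t2))
    norm_a = sha256_hex(build_package(SAMPLE_TREE, True, t1))
    norm_b = sha256_hex(build_package(SAMPLE_TREE, True, t2))
    return (naive_a == naive_b, norm_a == norm_b,
            verify_rebuild(norm_a, SAMPLE_TREE))


if __name__ == "__main__":
    naive_same, norm_same, verified = demo()
    print("naive builds identical:     ", naive_same)       # False
    print("normalized builds identical:", norm_same)        # True
    print("independent rebuild matches:", verified)         # True
```

The point the demo makes is that a digest comparison is only evidence of integrity once the build has been made deterministic; before that, a mismatch proves nothing and a match is impossible. Real packaging systems have many more such fields to pin (compiler paths, locale, parallelism, embedded build-host names), which is why the Debian effort mentioned above took years rather than weeks.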