[GLLUG] RedHat spooked ?

Mike Brodbelt mike at coruscant.org.uk
Thu Jun 19 23:07:25 UTC 2014

On 19/06/14 21:41, Alain Williams wrote:

> Question: What assurances can you give us that RedHat has not been spooked by the NSA.
> Answer: Please raise that on a support ticket to be given an answer in writing.

How.... interesting.

> This raises all sorts of interesting questions:
> * Are there any NSA back doors in RedHat - in the same way that seems likely with products from
> Microsoft and other proprietary vendors ?

s/likely/certain/ - Microsoft at the least deliberately backdoored all 
their crypto for Outlook.com for FBI/NSA access, and the old NSAKEY 
thing goes back years.

> * Do the compiled RedHat binaries reflect exactly the sources that they publish ?

That's the big question, isn't it.

> * Do any of the RedHat patches generate a NSA backdoor ?

I would doubt it, *if* the patches are open source. It would be too easy 
to find a deliberately introduced exploit confined to a vendor patchset, 
and too damaging to the vendor once found. That's no guarantee though.

> * Did Mr Biswell answer as he did because he has sufficient integrity to want to not lie ?

Perhaps, perhaps not - hard to be sure. I don't think the question is a 
very good one, to be honest. It's the one you want answered, but it's 
also the one you can't ever guarantee an honest answer to, because you 
will never know whether he is under duress.

The better question is something like "How is RedHat working to 
demonstrate that all binaries are verifiably buildable from published 
sources?" If they can do that, then they can just engage an external 
(non-US) company to do ongoing security audits of the open code, and 
provide a good level of security assurance.

> * Have I been complacent in assuming that Open Source distributions have not been spooked ?

We know at this stage that the NSA has attempted to place algorithm 
level backdoors in crypto (i.e. the elliptic curve magic numbers). We've 
seen Truecrypt go dark in a way that strongly suggests a warrant canary 
situation, and there have in the past been attempts made by parties 
unknown to place privilege escalation backdoors in the kernel, and these 
are only the ones that come to mind. Snowden's revelations show us that 
the NSA has made a habit of intercepting and backdooring network 
equipment without the knowledge of the vendor.

I'd find it surprising if RedHat has not been the target of the NSA. The 
question to ask is whether or not the company has been compelled to 
assist. The only safeguard is transparency - all binaries must have full 
source available, and it must be demonstrably possible to cleanly 
rebuild identical binaries. You should also be suspicious of drivers 
that upload binary blob firmware, as that could have been backdoored 
separately. It's not a happy situation any more, and in the absence of 
proof otherwise, the default should be to assume that US companies are 
working with the NSA (willingly or otherwise).

> * Earlier this year RedHat took over the (European) CentOS project (in essence). We were given several
> commercial reasons as to why this makes sense for RedHat. Is another reason that this brings CentOS
> under RedHat control and thus subject to the demands of the NSA (via the Patriot act or whatever) ?

Personally, I doubt it. But the points above hold equally true for 
CentOS - verifiable rebuilds should be a requirement.

> * Should I be compiling and using my own: kernels, glib, openssl and ssh ?

"Reflections on trusting trust" comes to mind - you'd have to start by 
building your own compiler.

> * Am I being overly paranoid ?

Not any more, sadly.

> Please note: it is not my intention to libel anyone, however this is an important area where tough
> questions need to be asked. We cannot, unfortunately, accept what we are told at face value - Edward
> Snowden has shown us that.

The tough questions don't help. You won't get an honest answer from 
someone who can be put in prison in their home country for telling you 
the truth. At *best*, you'll get an honest man to prevaricate in such a 
way as to engender doubt. Maybe that's what just happened.... We've 
already seen what happens when honest people get NSLs - Lavabit.... For 
a public company, that isn't an option.

> I am not aware of a project that recompiles (the important parts of) Linux distros with the aim of
> verifying that they have not been spooked.  Is anyone aware of one ?

Debian is trying, but it's not there yet. OpenBSD is probably more 
trustworthy than most - development has been done outside the USA for a 
long time, IIRC.

> If we find nothing does this enhance the reputation of Open Source or just show that the NSA is more
> devious than we thought ?

I think the very fact that we can look effectively enhances the 
reputation of open source. I can't say that any Linux distribution 
hasn't been backdoored, but I would say that in light of the Snowden 
documents, I find it inconceivable that Windows and Mac OS X have *not* 
been backdoored. The full-disk crypto offered by Microsoft and Apple 
must surely be considered snake oil at this point, in the absence of 
full code availability, verifiable builds, and an independent audit.
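
An added example, not part of the original message and not any distribution's own tooling: a minimal check of the "rebuild identical binaries" requirement discussed above, comparing an unpacked vendor package tree against a local rebuild by SHA-256. The directory layout, file names and contents are constructed sample data; the firmware blob stands in for a file that ships without source and so cannot be rebuilt.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root):
    """Map each regular file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_builds(vendor_root, rebuilt_root):
    """Classify every file as identical, differing, or present on one side only."""
    vendor, rebuilt = tree_digests(vendor_root), tree_digests(rebuilt_root)
    shared = vendor.keys() & rebuilt.keys()
    return {
        "identical": sorted(p for p in shared if vendor[p] == rebuilt[p]),
        "differing": sorted(p for p in shared if vendor[p] != rebuilt[p]),
        "vendor_only": sorted(vendor.keys() - rebuilt.keys()),
        "rebuilt_only": sorted(rebuilt.keys() - vendor.keys()),
    }


def demo():
    """Constructed sample: two tiny trees standing in for unpacked packages."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor, rebuilt = Path(tmp, "vendor"), Path(tmp, "rebuilt")
        files = {
            vendor: {"usr/bin/tool": b"\x7fELF-same", "usr/lib/libx.so": b"\x7fELF-A",
                     "lib/firmware/blob.bin": b"opaque"},
            rebuilt: {"usr/bin/tool": b"\x7fELF-same", "usr/lib/libx.so": b"\x7fELF-B"},
        }
        for root, entries in files.items():
            for rel, data in entries.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        return compare_builds(vendor, rebuilt)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

A file listed under "differing" is not proof of tampering; embedded timestamps, build paths and file ordering also change the bytes, which is why a build has to be made deterministic before a comparison like this carries any weight.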

