
PGP Division to Work With NSA on Secure Linux

jamie posted more than 13 years ago | from the didn't-see-that-one-coming dept.

Encryption 151

NAI Labs, a division of PGP Security, just sent out a press release announcing that they're "joining with the National Security Agency (NSA) and its other partners to further develop the NSA's Security-Enhanced Linux (SELinux) prototype." Wow.

151 comments

NSA (1)

Anonymous Coward | more than 13 years ago | (#304373)

As opposed to the national insecurity agency (who worked on Internet Explorer) which is busy with microsoft's .NET ;)

So? phUck PGP and uze Blowfish. (2)

Anonymous Coward | more than 13 years ago | (#304375)

Better yet, daisy chain several different crypto algs together. If any one crypto is broken, your data is still safe.

Relying on any one crypto methodology is stupid. Why would anyone so worried about people snooping their data put all their trust into one crypto format?

# Needs a kernel and losetup built with loop-device crypto support for each cipher named below.
mkdir -p /mnt/chain1 /mnt/chain2 /mnt/chain3 /mnt/chain4 /mnt/chain5

dd if=/dev/random of=/somefile-1 bs=1M count=1024

losetup -e blowfish /dev/loop1 /somefile-1
mke2fs /dev/loop1
mount /dev/loop1 /mnt/chain1
cd /mnt/chain1
# No count given: dd stops when the enclosing filesystem is full.
dd if=/dev/random of=/mnt/chain1/somefile-2

losetup -e serpent /dev/loop2 /mnt/chain1/somefile-2
mke2fs /dev/loop2
mount /dev/loop2 /mnt/chain2
cd /mnt/chain2
dd if=/dev/random of=/mnt/chain2/somefile-3

losetup -e cast128 /dev/loop3 /mnt/chain2/somefile-3
mke2fs /dev/loop3
mount /dev/loop3 /mnt/chain3
cd /mnt/chain3
dd if=/dev/random of=/mnt/chain3/somefile-4

losetup -e rijndael /dev/loop4 /mnt/chain3/somefile-4
mke2fs /dev/loop4
mount /dev/loop4 /mnt/chain4
cd /mnt/chain4
dd if=/dev/random of=/mnt/chain4/somefile-5

losetup -e twofish /dev/loop5 /mnt/chain4/somefile-5
mke2fs /dev/loop5
mount /dev/loop5 /mnt/chain5
cd /mnt/chain5

Store secure data here. When Feds rip out your machine (they never conduct data searches on the spot cuz they're stupid), they won't be able to mount that 1GB of random data without the 5 passphrases.

Performance hit? Yes. Security costs. Which is more important? Get a faster CPU.

NAI Labs == former TIS Labs (2)

Anonymous Coward | more than 13 years ago | (#304376)

Oops, the 'you have to preview first' code didn't do its job and I accidentally submitted when I meant to preview....try again...

Some of you are over-interpreting the occurrence of the word "PGP" in this press release. This has little or nothing to do with Phil Zimmermann's program.

A merger-and-acquisition review for those who missed it:

  • McAfee and Network General merged to form Network Associates in October 1997.
  • Network Associates goes on a buying spree, snapping up other security companies.
  • NAI buys PGP in December 1997.
  • NAI buys Trusted Information Systems in February 1998. This includes TIS labs, a research arm that has always done DARPA contract work.
  • NAI buys many other companies


NAI took these various companies and tried, totally unsuccessfully, to merge their products into one product line so they would become a "one stop shop" for security purchases.

NAI dismally failed at this strategy, outmaneuvered by competitors like Cisco, Axent and in particular Internet Security Systems.

NAI reorganizes, and essentially splits into several groups. These are called:

  • McAfee (anti virus consumer stuff)
  • PGP Security (PGP, TIS and other serious security products)
  • Sniffer Technologies (Sniffer)
  • ...probably other divisions too...


In this reorg, "TIS Labs" became "NAI Labs".

So as you can see the juxtaposition of "PGP" with "NAI labs" is merely a happenstance of the merger and acquisition history of this company.

Awesome! (3)

Anonymous Coward | more than 13 years ago | (#304377)

It's actually refreshing to see people like PGP who have traditionally been at the forefront of providing encryption to the masses working with a place like the NSA. This could mean a lot of good things for Joe User. I personally can't think of any company I'd like working with NSA more than PGP.

PGP is just an all around good company, and I'm sure their participation on this project will only make it better for everyone involved.

I really can't see any way in which this could turn out badly!

Re:Moderator Crack Day! (1)

Bill Currie (487) | more than 13 years ago | (#304378)

there's another possibility which doesn't seem to have been considered often: a troll that managed to get mod points, post under another account (eg, ac), then mod up that post. All for the purpose of wasting other moderators' mod points. (a troll post at +2 will waste more mod points than one at +1 or 0 and +5 even more (though how it would get there in the first place boggles the mind)).

Bill - aka taniwha
--

Hack Shoeboy... (1)

On Lawn (1073) | more than 13 years ago | (#304380)

is Mojo Dojo?


~^~~^~^^~~^

LIDS (1)

Tracy Reed (3563) | more than 13 years ago | (#304385)

www.lids.org [lids.org]
Very nice implementation of MAC. Not as flexible as the NSA's scheme but it's useable right now and greatly limits the amount of damage an intruder with root access can do. Highly recommended for any system.

Re:Not bad (1)

elandal (9242) | more than 13 years ago | (#304386)

Nice deal, but not very big. Consider that it's 1.2M for two year project.. 600k/year pays for perhaps two programmers (100-120k salaries * 5-6 for other costs and profit). Or a top-notch researcher working part-time in the project. Or something between - the most likely choice.

Without the specifics of the deal, it's of course hard to say, but as it's about Linux security and cryptography commercial/NSA joint project and, from reading the press release, there are more partners in this project, the total impact is likely to be big.

However, I don't remember if mandatory access control framework was generally accepted as a target for 2.5 development by the kernel guys. And, being a big change, I think it's either one of the main targets, or it's going to wait for the next development cycle. Which might fit nicely for the 2-year project deadline ;)

Re:Backdoors? (1)

mengel (13619) | more than 13 years ago | (#304388)

Fortunately, unless the NSA does their own distribution, other folks can review their code looking for backdoors. And besides, would you take a distribution from the NSA? They'd probably reintroduce the old trusted compiler [neca.com] hack, where the binary for the compiler inserts backdoor code into the login program, and new versions of the compiler. A more modern implementation could just do calls to listen(), so every network server automatically gets a backdoor...

Computing is the only field in which we consider adding a wing to the building to be maintenance.

To Quote McCullagh, (2)

griffjon (14945) | more than 13 years ago | (#304390)

[Bet y'all didn't see this coming, say, five years ago. --Declan]

It's certainly a new (is that, gnu?) world out there. This does raise, however, further questions about PGP-via-NAI's security and lack of governmental collusion. One wonders if the talks leading up to this were what spurred Zimmermann to leave to focus on OpenPGP?

Re:Backdoors? (2)

Moofie (22272) | more than 13 years ago | (#304395)

The NSA is chartered to protect the communications security of the United States, and to break the protections on communications of foreign powers and other perceived national security threats.

Why is the NSA doing this? How can it benefit them? What could possibly motivate them to cooperate with an open source effort, if not to compromise its security?

Trust the NSA??? Yea Right (1)

SSR (23230) | more than 13 years ago | (#304398)

As soon as their budget sees the light of day and their Secret Operational Mandate is publicly debated and their data streams exposed....

Like that'll happen, I wonder how many 'hooks and back-doors' they can hide? I guess it's a fantasy to think the public could ever have an encryption scheme strong enough to block their eyes anyway...

clever folks (5)

J.J. (27067) | more than 13 years ago | (#304399)

You know, I've really got to hand it to the NSA. Somewhere, deep in that organization, is an individual who is driving this whole SELinux project, and I think it's safe to say that He's got a clue.

Don't think that it wasn't difficult for the NSA to do what we've seen with SELinux. For an organization whose entire history has been built upon the idea that incognito is good, this movement of opening up and embracing the open source community was certainly hampered by the knee-jerk reaction of middle-managers who can't imagine working openly with private companies, much less thousands of developers worldwide.

Bravo, NSA. And bravo, Mr. Man-behind-the-scenes who's making this happen. My hat's off to you.

re: Why Now? (1)

chill (34294) | more than 13 years ago | (#304402)

Because no matter what else they are, the NSA is still a gov't agency and has more red tape than you can imagine. Just because they are a "black budget" agency doesn't mean they are free from politics.

The people that RUN the agency (like every OTHER gov't agency) are politicians. Remember, George Bush Sr. was Director of the CIA before becoming VP -- a politician.
--
Charles E. Hill

Re:Easier to predict... (1)

chill (34294) | more than 13 years ago | (#304403)

"But it's still easier to predict the possible results of one's actions than of one's inactions, so a thoughtful person concentrates on the former.

Not necessarily. It is difficult either way because it is so rare that anyone actually has enough facts to predict anything accurately.

Remember, inaction is an action. You have to go on what you know. Learn from your mistakes.
--
Charles E. Hill

Re:Not the start of involvement.... (1)

chill (34294) | more than 13 years ago | (#304404)

Required to comply? Are you joking? Do the words "national security" mean anything to you? They would to the lawyers/judges who were stupid enough to try to even gather evidence of anything they were doing in regards to this. They'd be in a military jail so fast it would make your head spin.
--
Charles E. Hill

Re:"Wolf works with farmer to help safeguard sheep (1)

chill (34294) | more than 13 years ago | (#304405)

Actually not a bad idea if the wolf had enough incentive. After all, he WOULD know exactly what to protect against, wouldn't he?

There simply has to be enough incentive for the wolf to override his interest in snatching the sheep for himself.

The cost of "trusted" OSes like Solaris, AIX, etc. that they use probably adds up. They are also rumored to be a big consumer of OpenBSD.
--
Charles E. Hill

Obligatory quote from "Good Will Hunting" re NSA (3)

Silas (35023) | more than 13 years ago | (#304407)

Why shouldn't I work for the NSA? That's a tough one, but I'll take a shot.

Say I'm working at the NSA and somebody puts a code on my desk, something nobody else can break. Maybe I take a shot at it, maybe I break it. I'm really happy with myself, because I did my job well.

But maybe that code was the location of some rebel army in North Africa or in the Middle East and once they have that location they bomb the village where the rebel army is hiding. Fifteen hundred people that I never met, never had no problem with, just got killed.

Now the politicians are saying "Oh, send in the Marines to secure the area," because they don't give a shit. It won't be their kid over there getting shot just like it wasn't them when their number got called because they were pulling a tour in the National Guard.

It'll be some kid from Southie over there taking shrapnel in the ass. He comes back to find that the plant he used to work at got exported to the country he just got back from, and the guy that put the shrapnel in his ass got his old job, because he'll work for fifteen cents a day and no bathroom breaks.

Meanwhile he realizes that the only reason he was over there in the first place was so we could install a government that would sell us oil at a good price. And of course the oil companies use the little skirmish to scare up oil prices. It's a cute little ancillary benefit for them, but it ain't helping my buddy at two-fifty a gallon.

They're taking their sweet time bringing the oil back, of course, and maybe they took the liberty of hiring an alcoholic skipper who likes to drink martinis and fucking play slalom with the icebergs. It ain't too long until he hits one, spills the oil, and kills all the sea life in the North Atlantic.

So now my buddy's out of work, he can't afford to drive, so he's walking to the fucking job interviews which sucks because the shrapnel in his ass is giving him chronic hemorrhoids. Meanwhile, he's starving because any time he tries to get a bite to eat the only Blue Plate Special they're serving is North Atlantic Scrod with Quaker State.

So what did I think? I'm holding out for something better.

I figure, fuck it. While I'm at it, I might as well just shoot my buddy in the ass, take his job, give it to his sworn enemy, hike up gas prices, bomb a village, club a baby seal, hit the hash pipe and join the National Guard. I could be elected President.

--From "Good Will Hunting" (Matt Damon's character speaking to an NSA recruiter, in a heavy Boston accent)

NSA responsibilities (2)

coyote-san (38515) | more than 13 years ago | (#304408)

Remember that the NSA has multiple responsibilities. Specifically, it also has the responsibility to ensure that our (government, contractors) computers aren't compromised by others.

A truly secure COTS OS won't hurt the NSA and FBI too much - they have plenty of other resources available to them. But not many groups will be able to afford the HumInt required to get around NSA/FBI safeguards, if the easy technical backdoors have been eliminated.

Re:Backdoors? (2)

MadAhab (40080) | more than 13 years ago | (#304409)

Good point. But people using stock distributions would be the most vulnerable, which would really most likely include large corporate installations. They'd get a distribution from vendors, and the vendor contract would probably specify that alterations would fubar the support contract, and a lot of old-school IT guys don't wipe their ass without checking vendor agreements... Which is probably fine for the NSA, since they'd probably rather spy on those folks anyway. Real Administrators would work on their own chain of trust.

On the flip side, actually doing something useful with this hack would be very difficult. It would be too easy to get caught if someone with the right skills goes poking around binaries and finds something amiss. And it's a fair bet that any NSA-blessed code would get such a close look. It wouldn't be so easy to hide, either. This is much easier with Microsoft OSes, which have such a large amount of undocumented stuff all over the place that could be linked together.

Who knows, often things are no more complex than they appear. I bet that the NSA has found that it would be much easier to protect themselves and other government agencies if there were a distribution that THEY could trust without the expense of coding it all themselves. With proprietary software, they are at a slight disadvantage in that cat and mouse game. Maybe the _NSAKEY was a Microsoft trick to backdoor the NSA...

But the lesson from the compiler hack is that you can really only trust it if you've examined it yourself. And a secure linux distribution would undeniably be of very high utility all on its own to the NSA.

Now let us have no more curiosity about this bizarre cover-up.

Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.

NAI labs and NSA (2)

Mr. Slippery (47854) | more than 13 years ago | (#304410)

... who approached who first. PGP going to NSA, or vice versa?

A few years ago, Network Associates gobbled up Trusted Information Systems - the folks who brought you the TIS Firewall Toolkit, and brought me my first job out of grad school. TIS was very cozy with the NSA (founder and many employees were ex-NSA), and did several research projects for them (including the one I worked on, Trusted Mach).

I don't know what the current organizational structure of Network Associates is, but I suspect that NAI labs may be the remains of TIS. I wouldn't be surprised if the NSA came to Network Associates as the result of this relationship.

(In the interests of full disclosure: I'm a Network Associates stockholder.)

Tom Swiss | the infamous tms | http://www.infamous.net/

What prior work? (2)

cybaea (79975) | more than 13 years ago | (#304419)

The contract builds upon NSA's prior work in developing a set of new security controls for the Linux kernel and NAI Labs' prior work in developing an example security policy configuration for these controls and several additional kernel controls.

Does anybody know what NSA's prior work on the kernel is? Any pointers, web sites, /. articles, ... for the un-initiated?

Re:NSA Linux (2)

cybaea (79975) | more than 13 years ago | (#304420)

Funny!

But for reference: it's licenced under the GPL [nsa.gov] - that's the normal GPL.

Useful information on NSA web site (3)

cybaea (79975) | more than 13 years ago | (#304421)

Stupid me: should have checked the NSA web site [nsa.gov] for the information.

Excellent! (1)

Wind_Walker (83965) | more than 13 years ago | (#304422)

Finally! Now Linux has some real backing in the industry (well, not really the industry, but the government at least).

Now, this means that the NSA can personally secure the file system, password protection schemes, and so on for all Linux users. Can you imagine the kind of security that Linux can have now?!?!!? Finally, Linux might become a viable online brokerage operating system. The only reason that Windows is still being used is because it's the most secure O/S out there.

I'm looking forward to seeing the new O/S that the NSA will come out with. It should be interesting.

------
That's just the way it is

Good! (3)

supabeast! (84658) | more than 13 years ago | (#304423)

At least this will make it harder for the Micro$oft marketers to ramble on about how Linux is insecure :)

Re:Backdoors? (1)

dgb2n (85206) | more than 13 years ago | (#304424)

Those NSA guys are really sneaky. I'm sure they'll just slip it unnoticed into the SOURCE CODE.

Re:NSA Linux (1)

holzp (87423) | more than 13 years ago | (#304426)

nah its meta-humor. somebody moderate these moderators +1 funny!
/. where the fun never ends!

Moderator Crack Day! (1)

GreyyGuy (91753) | more than 13 years ago | (#304428)

What's up with people with mod points today? I've seen at least one huge troll go up to 4 before it was modded down (though last time I looked it was still "0, Informative" which made me laugh). And now this is "Insightful".

I have to wonder if somehow the folks at /. managed to give out free drugs to people with mod points today. Now that would be an interesting web interface :)

NSA Linux (3)

zpengo (99887) | more than 13 years ago | (#304432)

From the NPL (NSA Public License):

All privacy functions within NSA Linux have been removed or disabled, all Internet traffic is cached at NSA headquarters for your convenience, and nearly-anonymous statistics are recorded about you to improve customer service. Any attempt to circumvent these features will result in quiet, painless death in the middle of the night.

NSA Info (4)

zpengo (99887) | more than 13 years ago | (#304433)

Here [nsa.gov]'s the NSA page on SELinux.

Re:What would be the mascot? (1)

Ravagin (100668) | more than 13 years ago | (#304434)

Perhaps a heavily armed/armored penguin. A penguin in SW stormtrooper armor? That might have negative connotations which you may or may not want. Maybe a penguin in traditional knight's armor....

The real question is, why am I putting so much thought into this? :)

-J

Re:What I want to know (1)

Simon Garlick (104721) | more than 13 years ago | (#304435)

You shouldn't trust any version of PGP more recent than 6.5.8.

Re:Awesome! (1)

Simon Garlick (104721) | more than 13 years ago | (#304436)

"PGP is just an all around good company" Are you on crack?

Hasn't Slashdot Said Encryption is Pointless? (1)

Cheshire Cat (105171) | more than 13 years ago | (#304437)

Fort Meade, MD

The National Security Agency today abandoned its plans to integrate a well-known encryption program into its secure version of Linux. According to an anonymous agent of the NSA, the department was shocked when they read a post on a forum known as Slashdot, that encryption was pointless. [slashdot.org] Said the staffer, "We've decided to forgo even putting this in, cause, what's the point. In fact we're getting out of the code business altogether. That question on Ask Slashdot was a blow to a lot of people who've spent their lives working on encryption, only to learn it's pretty much pointless."

Nice (5)

Cheshire Cat (105171) | more than 13 years ago | (#304439)

All I've read so far are numerous posts about how the NSA will now be able to spy on PGP-encrypted material. Personally, I think this is a load of bullshit. I doubt the NSA needs to ask the people at PGP labs for assistance in cracking this. Either it's been cracked (doubtful) or else the NSA has been so impressed by it, that it's decided to integrate it into its OS.

Come on, stop being so damn paranoid. Trust me, you're not nearly as interesting to the government as you might think you are.

Re:Backdoors? (1)

portege00 (110414) | more than 13 years ago | (#304440)

What better way to protect communications than with a tried and true operating system that has almost no security holes (at least, it won't after the NSA gets done with it--they'll probably audit every line of code as was done with OpenBSD)? Would you sleep better at night if they were protecting our communications with an operating system made by people who are too incompetent to know how to write an e-mail program that doesn't run viruses automatically?

Re:Backdoors? (2)

portege00 (110414) | more than 13 years ago | (#304441)

It would be extremely hard to add backdoors to Linux. The code is all Open Source. Under the GNU, the NSA is required by law to release source code modifications to the public. How would they explain a source code modification like, "05/13/01 - Added backdoor code to the TCP stack."?

People are overly paranoid. Just because it's the NSA doesn't mean that they're doing this just to add backdoors to Linux. Even if they did, and they somehow managed to get away with it (which is extremely doubtful), it would only be applicable to their distribution. They could always convince Torvalds to let them add it to the kernel as a whole, but do you think all the other kernel hackers wouldn't notice?

I have no doubt that the NSA puts backdoors in Microsoft software, but I also have very little doubt that they will try the same with Linux. An ex-spook even admitted to Microsoft backdoors. Try the same with Open Source software, and you'll have hundreds upon thousands of angry hacker-types banging down your doors. Give the NSA a little more credit.

If anything, this is a step in the right direction for the NSA. They realize that security through obscurity is a poor way to protect systems, and that Linux can provide them with an ultra-secure OS. They can then give this back to the people, and show what years of security and encryption research has produced. I say encourage them. Nothing will make Linux more secure than the US government pumping money and their best security hackers (yes, I mean hackers, not crackers) into the OS. As long as they follow the GNU license, we should see lots of excellent security enhancements in Linux coming soon!

Re:What would be the mascot? (1)

rjamestaylor (117847) | more than 13 years ago | (#304442)

How about a Penguin who's not afraid to cry at a wedding?

What would be the mascot? (3)

SpanishInquisition (127269) | more than 13 years ago | (#304447)

Secure Linux -> Penguin in Bondage?

--

Re:The Next Step of Linux... Audited Security (1)

rgmoore (133276) | more than 13 years ago | (#304448)

I mean, they'd probably rebuild Linux to B1 or better in the Orange Book.

Actually, one of the interesting points that they make is that Orange Book standards are not the be-all end-all of computer security. To quote:

The TCSEC provides a narrow definition of mandatory security which is tightly coupled to the multi-level security policy of the Department of Defense. This has become the commonly understood definition for mandatory security. However, this definition is insufficient to meet the needs of either the Department of Defense or private industry as it ignores critical properties such as intransitivity and dynamic separation of duty. This paper instead uses the more general notion of mandatory security ... in which a mandatory security policy is considered to be any security policy where the definition of the policy logic and the assignment of security attributes is tightly controlled by a system security policy administrator.

The Orange Book was designed to implement the military's system of data security, but there are other potential security models that depend on mandatory access controls. To take this into account, the NSA researchers designed a much more flexible system in which the kernel implements some very generic mandatory access control structures but the details of the security model are substantially configurable. That means that you can implement an Orange Book B-class security model, but that's not the only security model that's available.
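
The split described in the comment above, a generic enforcement point with a replaceable policy, as an added example (not part of the original comment and not SELinux code): the class names, type labels and levels are hypothetical. It runs the same requests under a multi-level policy and under a type-enforcement table, and only the table can express the intransitive flow the quoted paper mentions.

```python
"""Added illustration: one policy-neutral enforcement point, two mandatory policies."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Security label on a subject or object (labels here are hypothetical)."""
    type_name: str   # consulted by the type-enforcement policy
    level: int = 0   # consulted by the multi-level policy; higher = more sensitive


class MLSPolicy:
    """Multi-level policy in the Orange Book sense: no read up, no write down."""

    def allowed(self, subj, obj, perm):
        if perm == "read":
            return subj.level >= obj.level
        if perm == "write":
            return subj.level <= obj.level
        return False  # unknown permissions are denied


class TypeEnforcementPolicy:
    """Default-deny table: (subject type, object type) -> permitted operations."""

    def __init__(self, rules):
        self.table = {}
        for subj_type, obj_type, perms in rules:
            self.table.setdefault((subj_type, obj_type), set()).update(perms)

    def allowed(self, subj, obj, perm):
        return perm in self.table.get((subj.type_name, obj.type_name), set())


class Enforcer:
    """Enforcement point: knows nothing about the policy logic, only asks and caches."""

    def __init__(self, policy):
        self.policy = policy
        self.cache = {}

    def load_policy(self, policy):
        self.policy = policy
        self.cache.clear()  # decisions cached under the old policy must not survive

    def check(self, subj, obj, perm):
        key = (subj, obj, perm)
        if key not in self.cache:
            self.cache[key] = self.policy.allowed(subj, obj, perm)
        return self.cache[key]


# Constructed three-stage pipeline: ingest -> filter -> publish.
INGEST = Context("ingest_t", 0)
FILTER = Context("filter_t", 1)
PUBLISH = Context("publish_t", 2)
RAW = Context("raw_t", 0)
CLEAN = Context("clean_t", 1)

PIPELINE_RULES = [
    ("ingest_t", "raw_t", {"write"}),
    ("filter_t", "raw_t", {"read"}),
    ("filter_t", "clean_t", {"write"}),
    ("publish_t", "clean_t", {"read"}),
]

REQUESTS = {
    "ingest writes raw": (INGEST, RAW, "write"),
    "filter reads raw": (FILTER, RAW, "read"),
    "filter writes clean": (FILTER, CLEAN, "write"),
    "publish reads clean": (PUBLISH, CLEAN, "read"),
    "ingest writes clean (skips filter)": (INGEST, CLEAN, "write"),
}


def evaluate(enforcer):
    """Run every request through the enforcement point and return the decisions."""
    return {name: enforcer.check(*req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    enforcer = Enforcer(MLSPolicy())
    print("MLS:", evaluate(enforcer))
    enforcer.load_policy(TypeEnforcementPolicy(PIPELINE_RULES))
    print("TE: ", evaluate(enforcer))
```

Under the multi-level policy the write that skips the filter is allowed, because writing up is always permitted; the type-enforcement table denies it because no rule names that pair.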

Re:Backdoors? (2)

rgmoore (133276) | more than 13 years ago | (#304449)

What could possibly motivate them to cooperate with an open source effort, if not to compromise its security?

Gee, I don't know could it be:

The NSA is chartered to protect the communications security of the United States...

I don't know about you, but I think that pretty clearly covers the idea of new, higher security versions of existing software. Remember that SE Linux isn't really about encryption, but about adding a better security architecture to the system. That means helping to make the system cracker-proof, not making its communications more secure. They still have plenty of room to intercept and decode the other guys' communications even if they can't crack his boxen anymore.

Re:Backdoors? (2)

rgmoore (133276) | more than 13 years ago | (#304450)

Of course there's still a very serious need to make those systems secure. Not being on the Internet does reduce your risk of being hax0red by skript kiddiez, but being a high profile, high value target attracts other kinds of attackers. You can bet that just about every unfriendly power out there is trying to get access to Intelink, either by infiltrating a mole or suborning someone who already has access. The number of potential attackers may be lower, but their dedication, skill, and support is likely to be a lot higher than random kiddiez.

And, of course, there's more to national security than keeping top secret military secrets from the prying eyes of the baddies. The long term economic health of the country is critical for national security, and that means helping companies that need security to get it. The NYSE, for instance, needs to have a lot of its critical systems exposed to the net, since their whole purpose is to send out critical information. It would be no good at all if they were broken into by morons intent on vandalizing the computers, and really, really bad if they were cracked by somebody with some subtlety and bad intentions, though I'm pretty confident that they're already running something more secure than Apache/Linux or IIS/Win2000. And, of course, that's just one example. Corporate espionage is a real potential problem, as is large scale credit card fraud, both of which could be carried out by cracking the right computers.

Not the start of involvement.... (3)

ssimpson (133662) | more than 13 years ago | (#304451)

It's interesting to note that NAI have been involved for months with the project - see an NSA Press Release from January here [nsa.gov].

An interesting techy overview is available from IBM here. I'm a serious NSA-paranoid (in 98 I wrote the rhyme: "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."), but I for one think that NSA 'hardened' Linux is a VERY good thing....Don't forget that, as well as being dirty spying bastards, the NSA (and the rest of the USG) are the largest consumers of secure computing.

At the moment they pay through the nose for 'hardened' versions of AIX, Solaris, HP-UX etc. They see that Linux is a 'free' alternative and would like to cut costs. They see that Linux isn't secure enough (e.g. would struggle to get c2 rating, let alone B*), so they decide to start coding themselves, adding functionality such as MAC.

Rather than keep the changes themselves, the NSA decide to share the source code back with the community - this really embraces the Free Software / Linux philosophy. Any code released will be scrutinized no end - a peer review of the initial code for example uncovered a potential buffer overflow vulnerability.

I appreciate that my comments may not be popular with the ultra-paranoid, but if you can objectively view the facts this development really is a good thing for Linux. Hell, if you don't want to use the changes, then don't apply the diffs.

The bottom line: I strongly support NAI in their efforts to further develop Linux.

Re:Great (1)

Ziest (143204) | more than 13 years ago | (#304454)

Now everybody and their mother will start screaming about NSA hiding "backdoors" to PGP. Remember, you being a paranoid doesn't mean they aren't after you.

You are a fool to trust this government. Look up the word "contelpro" in any search engine and then tell us you have nothing to fear and the government will never trample on your rights. Wake up! Your rights are almost gone.

The Next Step of Linux... Audited Security (2)

d.valued (150022) | more than 13 years ago | (#304456)

I believe, backdoors notwithstanding, that the NSA port of Linux has great potential. I mean, they'd probably rebuild Linux to B1 or better in the Orange Book. (This puts it in the same class as BSDi (I believe), Trusted Irix, and other Unixes with high security standards.) Mandatory Access Controls are made stronger, Access Control Lists are part of the OS, probably paranoia levels of logging, good crypto. Good times.

For those of you who are concerned about this port, pay close attention to this next line.

GPL/OSS's strength is in the availability of source which can be audited.

For those of you cryptonauts and paranoids who don't quite know C (present company included), you've a very good reason to learn. Reading the multitudinous (ooh! big word!) kilos and megs of kernel source ain't my idea of a great vacation, but the results of the extensive audit will be worth it. (B1 operating systems are, shall we say, DAMNED hard nuts to crack.)

If that's not enough, there's an article (name, site, and url escape me) where Linus says that audited parts of the NSA port may well be injected into the source tree.


Windows.. Good for targeting rocks.

Re:Trust the NSA??? Yea Right (2)

d.valued (150022) | more than 13 years ago | (#304457)

From the mouth of Robert Steele, former CIA spook and runner of OSS.net (Open Source Secrets), a site which offers information to businesses and others on open information which is encoded in that most hard to crack of codes, other languages:

"The Morris Worm was the worst thing to happen to the CIA, because then system administrators looked for all those cracks in security!"

Full audio at h2k.net.
Windows.. Good for targeting rocks.

Re:Nothing (1)

Bren (153085) | more than 13 years ago | (#304458)

Yeah... the old joke says that NSA means No Such Agency.

Bren.

Re:Wow... that's a HUGE amount of plug (1)

Misch (158807) | more than 13 years ago | (#304459)

These are what are known as "Looking Forward" statements, and are standard on all business press releases.

I mean, take a look at Business Wire [businesswire.com] for more of these bloated statements. Here's one [businesswire.com].

Re:Great (1)

cant_get_a_good_nick (172131) | more than 13 years ago | (#304462)

Nitpicking, but Cointelpro, not contelpro
Counter intelligence program
Or was that Coprocessor for Intel Pentium Pro?

I get old, and the voices in my head get harder to hear....

Re:Excellent! (2)

eean (177028) | more than 13 years ago | (#304463)

The only reason windows is still being used? What the heck are you talking about? Windows... Secure?!?

Well, paranoid delusionists, it is Open Source.... (1)

mikehoskins (177074) | more than 13 years ago | (#304464)

Well, paranoid delusionists, it is Open Source....

If there are backdoors and if it is Open Source, it will get red flagged before being put in something like Red Hat.... Open Source == ability to software audit.

Maybe we'll get REAL SECURITY for once. Now if Immunix, SWAN, and Bastille were all involved....

The sky is rising.... The sky is rising...

Makes sense (1)

shankster (178759) | more than 13 years ago | (#304465)

Why rely on M$ and all its back doors and glaring omissions when you can have your own stuff built to your specifications? I'm a bit surprised it's taken them this long to get here...

You may say I'm a dreamer, but I'm not the only one

Re:Awesome! (1)

Bingo Foo (179380) | more than 13 years ago | (#304466)

Is sarcasm completely lost on you moderators?

Bingo Foo

---

Re:Backdoors? (3)

Bingo Foo (179380) | more than 13 years ago | (#304467)

probably reintroduce the old trusted compiler hack,

This (infiltrating the linux community through the prebuilt compiler or even kernel) would actually work to a certain extent with the current Linux community. How many of you are running a home-compiled kernel? [OK, lots] Now keep your hands up if you are running a kernel you compiled with a compiler you compiled. [most hands go down.] What kernel were you running when you compiled the compiler? And what compiler did you use on that kernel?

The mechanism for complete infection would not be there, though, since there would be plenty of people and distros out there that would begin to track and maintain the purity of the lineage of their compilers and kernels, but the NSA could get a foothold into the more promiscuous script kiddies community, which they have some incentive to do anyway.

Bingo Foo

---

Re:Backdoors? (1)

cnkeller (181482) | more than 13 years ago | (#304468)

I've said this a few times before on here, so perhaps I'm subjecting myself to (-1: repetitive).

Almost all classified government systems are not hooked up to the internet in any way shape or form. They are on Intelink (the classified top secret version of the internet). Assuming everything works according to plan, the only people having access to Intelink are those who are supposed to have it and who wouldn't hack the systems. Therefore, if NSA left any gaping holes that weren't discovered, it doesn't really impact them as 99.9% of the people in the world will never see a Linux system on Intelink, they simply aren't accessible if you don't have a reason to be on there.

Disclaimer: I worked at Ft Meade (yes at NSA) for a few years as a contractor. Gaping security holes in Linux (or most other OS's) don't really apply. I mean they do, but not like these are unprotected systems. They are guarded by steel walls, marines with nasty tempers and machine guns and zero access to the free world.

At any rate; yes NSA people are pretty intelligent. They are doing this for a reason; it obviously serves their best interests in some way to have a freely distributable but secure OS. But let's keep this in proportion; any exploits found are going to have minimal effect on this country's operations. It's not like linux clusters running NSA Linux are going to handle CNWDI stuff (Critical Nuclear Weapons Design Information). Anyway just some thoughts from someone who was behind the gates at No Such Agency....

Re:That's not how a backdoor can hurt (1)

cnkeller (181482) | more than 13 years ago | (#304469)

I'm not really arguing with you, mainly your phrasing.
Suicidal? Not likely. Short of every DNS server running the exact same setup with the same flaws, is there enough of an installed base of any one type of system (or software) that a failure would bring the entire nation down? So that a single backdoor could bring about the type of nationwide blizzard effect you described. A scary thought, but probably not overly likely. Anyone who has studied these disaster type scenarios care to comment? DNS? Sendmail? MSN going down for a day or two due to DNS was certainly a pain, but tragic? Maybe...you've got me pondering now.....

I would change the phrase to NSA would be foolish to install any type of backdoors in an open source product and leave it at that.

Way, way, too cool (1)

gatesh8r (182908) | more than 13 years ago | (#304470)

It is nice to see the contribution and efforts to open source for crypto and secure linux boxes. PGP is an ideal company to implement such a thing, going to open source because of how the crypto is able to be used...
Otherwise, yay, and hope that Dubya doesn't get to be a prick about it.

Re:Great (3)

milo_Gwalthny (203233) | more than 13 years ago | (#304472)

Actually, I was thinking about open-source revealing any potential backdoors, and I think it ain't necessarily so. Remember that the NSA employs a high percentage of the math PhDs in this country. Some of their odd design choices for the DES were not explained and raised some speculation that they might have an obscure way to crack it that no one else had discovered (I believe it was Schneier in Applied Cryptography that raised this issue to my attention).

Although they have a reason to want the net to be unhackable, they also have a reason to be the exception. Given the brainpower they have, they could conceivably know something we don't. Beware of algorithms you don't understand.

"Wolf works with farmer to help safeguard sheep" (1)

$kr1p7_k177y (208396) | more than 13 years ago | (#304474)

'Nuff said.

What I want to know (1)

Cberg (209899) | more than 13 years ago | (#304475)

is whether this will cause /.er's to trust NSA's distro? Seriously, I don't trust the NSA, but I do trust PGP.

Backdoors? (1)

tswinzig (210999) | more than 13 years ago | (#304476)

Since the U.S. government is always interested in adding back doors to encryption technology that the public uses, I'm assuming they'll be working with the PGP folks to add a similar backdoor to their Linux systems? I mean, that's only fair, right?

Humor? (1)

tswinzig (210999) | more than 13 years ago | (#304477)

Apparently you people are smart, but not clever enough to detect BLATANT SARCASM!

Sorry, I won't try it again.

Clarification? (1)

White Roses (211207) | more than 13 years ago | (#304478)

Isn't PGP Security (the enterprise version anyway) a division of NAI Labs (not the other way around as stated above)? AFAIK, NAI Labs does all sorts of other things, not the least of which is virus detection and analysis. OTOH, PGP itself is its own business identity outside of NAI in general, so maybe I'm just wrong. It happens.

Not bad (4)

wmoyes (215662) | more than 13 years ago | (#304479)

Before the Slashdot effect kicks in and everyone starts screaming about back doors let's look at the facts. 1.2 million dollars will be pumped into the development of Linux. That's quite a few man-hours that will be contributed to an open source project to enhance its security and capabilities.

Now let's look at other times a joint commercial/NSA endeavor has taken place, DES. The standard was published in January 1977 and no major cryptographic break has been discovered yet save brute force (I hardly consider linear cryptanalysis a real threat).

Personally I am a little more worried about NAI's involvement than the NSA's.

Great (1)

Mik!tAAt (217976) | more than 13 years ago | (#304480)

Now everybody and their mother will start screaming about NSA hiding "backdoors" to PGP. Remember, you being a paranoid doesn't mean they aren't after you.

Re:What prior work? (1)

JemalCole (222845) | more than 13 years ago | (#304481)

The link doesn't seem to be working, but I think this [utah.edu] is the right site. FLASK is what started all of the SELinux stuff, and was a joint project between NSA, some private company and a university in Utah. Any general search on FLASK will turn up a bunch of stuff...

For the Goatse overloaded: http://www.cs.utah.edu/flux/fluke/html/flask.html

Re:There goes the neighborhood (2)

HongPong (226840) | more than 13 years ago | (#304482)

Which perhaps is all part of a vast conspiratorial plot to draw scrutiny away from key components of Linux which are ACTUALLY controlled by the NSA from the shadows.

Note to obtuse mods: J/K ;)

--

NSA must like PGP (2)

corvi42 (235814) | more than 13 years ago | (#304483)

The NSA has always been so close-doored about exactly what it does and doesn't know in the crypto field, it has a lot of public domain cryptography experts wondering whether all their hard work is actually in any way useful, or whether the NSA is so much further ahead of them that they're just wanking - to use the parlance of our times.

It's interesting to me then that the NSA has chosen to partner with NAI on this, it seems to give some very strong support to the belief that public domain cryptography is at least as good as NSA level stuff.

Of course it could all be a massive ruse to put us poor saps off guard - but honestly I'm not willing to go that paranoid today. any takers?

Re:enemy of the state (2)

corvi42 (235814) | more than 13 years ago | (#304484)

Doesn't publishing the source kind of make it meaningless to incorporate monitoring features? Somebody out there will find the monitoring features pretty quick, and then nobody will use your code. Somehow I think the NSA is a bit smarter than that.

Re:clever folks (2)

corvi42 (235814) | more than 13 years ago | (#304485)

Thank you for saying exactly what I was thinking. I think that whoever the people are at the NSA who're driving this thing are very smart and very bold, and worthy of respect.

Great... (1)

Ultimo (237838) | more than 13 years ago | (#304486)

This'll be a nice little backdoor that they write, and give to the FBI to include in Carnivore.

How long did it take anybody to find the hole in PGP?

Re:The Next Step of Linux... Audited Security (1)

IanA (260196) | more than 13 years ago | (#304492)

If that's not enough, there's an article (name, site, and url escape me) where Linus says that audited parts of the NSA port may well be injected into the source tree.
I certainly hope this happens. A major pain for NSA Secure Linux could be that a new kernel with support for a driver you need is released, yet doesn't have the security added to it (I believe it can be patched). Adding major security at the hardware level will be a big step for Linux, if only because the default installs might not be so vulnerable when left to a clueless admin.

Re:Great (1)

IanA (260196) | more than 13 years ago | (#304493)

Actually, I was thinking about open-source revealing any potential backdoors, and I think it ain't necessarily so. Remember that the NSA employs a high percentage of the math PhDs in this country.

If I'm not mistaken, a number of professors and PhDs use Linux every day. Do you really believe someone like Linus or Alan aren't smart enough to work at the NSA if they had tried to get into the agency? And that's just the 2 main kernel coders! I'm _positive_ that many extremely high-level math users use Linux. It's obvious that they could not instill something into the source which could not be read. Hell, I'd assume that binaries could be reverse engineered and figured out.

NSA Linux Experience (1)

Proud Geek (260376) | more than 13 years ago | (#304494)

I expect the NSA has enough experience working with the security weaknesses in Linux that they will really know how to fix them. We should be able to pinpoint unknown vulnerabilities by carefully examining their patches. On the other hand, if it is too cryptic, they may also be making it more vulnerable to some obscure attacks.

On the other hand, encryption is more of a consumer feature, I think. Security professionals have no problem using end user installed third party solutions, but it is a key for things like media rights management. In that light, I think it is a bit funny that PGP gets involved in this effort.

Re:What would be the mascot? (1)

ragefan (267937) | more than 13 years ago | (#304495)

Brings a whole meaning to the "GIMP"!!

THE TRUTH SHALL BE TOLD~~ (1)

deran9ed (300694) | more than 13 years ago | (#304496)

and everyone thinks I'm paranoid

Our society has always stigmatized stuttering. People who stutter are assumed to be nervous, incompetent, and even mentally ill. They are ridiculed, bullied and discriminated against. Because of this social penalty, most people who stutter want desperately to stop stuttering.

Most traditional stuttering treatments aim at helping people control their speech so they don't stutter at all -- or modify their stuttering so that it is more socially acceptable. Even when speech therapy is successful, however, many stutterers still experience significant fear and shame because they're afraid they MIGHT stutter. Some go to great lengths to hide their stuttering -- all because of the traditional mind-set that stuttering is a bad thing to do.

The National Stuttering Association is changing the rules about stuttering. We still want to speak fluently when we can, of course. But we also believe that stuttering is NOT a bad thing -- and that people who stutter have the right to be treated with the same respect and accommodation as people with other developmental disorders.

So we in the NSA [nsastutter.org] are working to promote greater public acceptance of stuttering and to accept ourselves as people who stutter. When we begin feeling free to stutter in public instead of trying to hide our stuttering, we often speak MORE fluently because we're no longer fighting all the fear, guilt and shame that compounds the problem of stuttering.

har har har Fight the Future [antioffline.com]

enemy of the state (2)

deran9ed (300694) | more than 13 years ago | (#304497)

It's nice to see companies joining to assist the NSA, however I would never install it, for paranoia reasons. Aside from that it's not all that. (read this [ibm.com] to back those claims and we can't forget its first security incident [ox.ac.uk] )

It's a nice idea, but ask yourself this question... The NSA could have done this a long time ago, why now? With the rising amount of cybercrime, one would think that, _THAT_ would be their motives however, if that were the case they would be strong opponents of crypto for the masses, so why one and not the other?

So again jumping into the paranoia stage, could it be because the typical script kiddiot is using various forms, of Linux, this could be a method to monitor them? If so how do corporations who use this (SELin) fall into the muck of it all, what about employees of the NSA, and NAI, if they were capturing data, that could affect stock markets, integrity of people, confidence. Total PR nightmare...

Anyways it is nice to see a secure (for now) OS on the market, but as for me... I'd take Open over SELinux anytime.

click this link... get fired [antioffline.com]

P.S. almost forgot about PGP (2)

deran9ed (300694) | more than 13 years ago | (#304498)

why hasn't this security issue [www.icz.cz] with PGP been addressed yet? Are they waiting for an epidemic? Less reason to go goo goo over PGP.

Outguess [outguess.org]

Not a threat?!? (2)

deran9ed (300694) | more than 13 years ago | (#304499)


Vaudenay, S. 1995. An Experiment on DES Statistical Cryptanalysis.

Linear cryptanalysis and differential cryptanalysis are the most important methods of attack against block ciphers. Their efficiency have been demonstrated against several ciphers, including the Data Encryption Standard. We prove that both of them can be considered, improved and joined in a more general statistical framework. We also show that the very same results as those obtained in the case of DES can be found without any linear analysis and we slightly improve them into an attack with theoretical complexity

Wow... that's a HUGE amount of plug (1)

Ancient Eye (300895) | more than 13 years ago | (#304500)

Very beside the point... but I'm just amused at how much of the article is consumed by the normal "we released this article, we're going to tail our personal statement" (standard stuff for PR Newswires, except the SIZE...
Here, I've quoted it for you

-------
NAI Labs is an industry leading security research organization with 100 dedicated researchers in four research facilities throughout the United States and is a founding member of the Security Research Alliance. NAI Labs is a multi-discipline research organization with world-renowned expertise in the areas of network security, applied cryptographic technologies, secure execution environments, security infrastructure, adaptive network defenses, distributed systems security, and information assurance. In addition to its prominent role in the security research community, all unclassified network and cryptographic research is shared with Network Associates' product development and support organizations to enable superior solutions for Network Associates customers.
PGP Security, a Network Associates company, is a worldwide leader in products and services focusing on solving privacy and data confidentiality issues, and has a strong history of setting security industry standards. PGP Security's breadth of security products, including firewall, encryption, intrusion detection, risk assessment and VPN technologies, address the full range of security and privacy issues, anywhere information is transmitted or stored. PGP Security's products secure over seven million users and include several of the industry's well-known security brands, including Gauntlet Firewall and VPN, PGP Data Security, CyberCop Scanner, and PGP e-ppliances. PGP Security's COVERT research team identifies and works to resolve serious vulnerabilities before attackers are able to exploit them. The findings are incorporated into the product offerings, ensuring protection from the latest vulnerabilities. For more information and software evaluations, visit http://www.pgp.com .

About Network Associates
With headquarters in Santa Clara, Calif., Network Associates, Inc. is a leading supplier of security and availability solutions for e-businesses. Network Associates is comprised of four business units: McAfee, delivering world class anti-virus products; PGP Security, providing firewall, intrusion detection and encryption products; Sniffer Technologies, a leader in network and application management; and Magic Solutions, providing web-based service desk solutions. For more information, Network Associates can be reached at 972-308-9960 or on the Internet at http://www.nai.com .
NOTE: Network Associates, PGP, McAfee, Sniffer, Magic Solutions, Gauntlet, CyberCop and CyberCop Scanner are registered trademarks of Network Associates, Inc. and/or its affiliates in the U.S. and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

Sounds just like the Psi Corps (1)

arbours (302317) | more than 13 years ago | (#304502)

Remember in Babylon 5 when Bester of the Psi Corps would team up with Garibaldi and Sheridan, and they would both need each other, but were always ready to crack each over the heads with bats? you knew Bester always has a 2nd and 3rd plan up his sleeve, always looking to exploit a hole (a la his Garibaldi exploit).

This whole NSA thing sounds just like that! they may NEED a secure linux for their own communications, but damn, who doesn't think they have alternate scenarios in their head ;-)

wow, this could be a cool story if it hadn't already been done.

alex

Re:Backdoors? (1)

arbours (302317) | more than 13 years ago | (#304503)

-- quote --

any exploits found are going to have minimal effect on this country's operations. It's not like linux clusters running NSA Linux are going to handle CNWDI stuff (Critical Nuclear Weapons Design Information)

-- end quote --

why would anyone, say like the Chinese Red Army, even bother taking the time and effort to put backdoors into linux and break into our nuclear secrets? they did it just by walking in the front door and copying them to a floppy!

What a joke. the Chinese were 35 years behind us 8 years ago and are now, at least in theory, equals - and the Washington Times reported today that they are preparing to test nuclear weapons:
http://www.washtimes.com/national/default-200149 22 4735.htm

that's the reason our plane was flying so close to china, before getting yanked down.

security in this country is a joke. you are worried about technical security, and they cracked it with holes in the "social" security. i'm laughing but shouldn't be, since young boys are going to be dying in 5 - 20 years fighting wars over this stupidity.

alex

Re:NSA Linux (1)

mech9t8 (310197) | more than 13 years ago | (#304504)

Um... score 3, informative?

methinks someone didn't get it... ;)
--
Convictions are more dangerous enemies of truth than lies.

what irony.... (1)

carlcmc (322350) | more than 13 years ago | (#304505)

PGP (pretty good privacy) combined with the common expression "Good enough for government work" brings the humor level of this thing to the boiling point very quickly.

People have been doing that for years (1)

Spamalamadingdong (323207) | more than 13 years ago | (#304506)

I think (it's been a long time) that there was speculation that the NSA had found a backdoor in the RSA algorithm itself when they stopped trying to get the original Rivest, Shamir and Adleman paper classified.
--

That's not how a backdoor can hurt (1)

Spamalamadingdong (323207) | more than 13 years ago | (#304507)

But let's keep this in proportion; any exploits found are going to have minimal effect on this country's operations. It's not like linux clusters running NSA Linux are going to handle CNWDI stuff (Critical Nuclear Weapons Design Information).
That information wouldn't affect the USA's operations even if it was shown on prime-time television; those are strategic issues. The issue is that an attacker could take down the Internet "storefronts" of lots of businesses and other essential or important parts of many more. Imagine a blizzard which shuts down New York City...

... only it hits the entire nation...

... and it keeps coming down in different types of snow as soon as you learn how to plow the last one. That's what the problem is: it's the economic impact of the disruption of something we rely on for more and more.

I stand by my judgement that the NSA would be suicidal to leave a backdoor in this system. First, the NSA doesn't need back doors; they have enough computing power to brute-force many things. Second, if this "blizzard" scenario came about because a hostile group found a back door inserted by the NSA, the NSA would take enough heat to incinerate whole cabinet-level departments. I doubt that they would be that dumb.
--

Re:Backdoors? (2)

Spamalamadingdong (323207) | more than 13 years ago | (#304508)

Maybe not this time. If you consider the vulnerability of the IT infrastructure to various modes of attack and the damage this could do to the USA, it's entirely possible that the NSA is absolutely serious about trying to help people lock down their systems. Look at it this way; if the NSA can't figure an automated crack against the systems, it's unlikely that an enemy could either. This radically reduces the possible damage.

Leaving a backdoor in would be pretty stupid, because the impact (to the nation and the NSA itself) if it was found and exploited would be enormous. You may think of the NSA as a bunch of goons, but they do have a sense of self-preservation; they'd have to be suicidal to do what you're proposing.
--

Nothing (1)

Diplomat73 (323901) | more than 13 years ago | (#304510)

What are you talking about! There is no such thing as the NSA!

NSA hysterics (5)

Canonymous Howard (325660) | more than 13 years ago | (#304511)

Great, another round of NSA hysterics.

You know what the saddest thing is about this?

Somebody busted his hump to get his boss at NSA to let him work on Linux. Said person then busted his hump even further to get his boss to actually allow the release of the source code. What, you think it was easy to get the NSA to release the source code?

I can only imagine how many levels of authorization this poor guy had to go through to get permission to release the source code. Can you even begin to imagine the hell he went through for our benefit?

And as his reward, this poor soul now gets a bunch of idiots screaming about the NSA trying to break Linux's security. If he ever gets invited to speak at a conference, he'll probably be booed off the stage for his efforts.

Doesn't anybody think before going into hysterics?

I wonder... (1)

Guppy06 (410832) | more than 13 years ago | (#304512)

... who approached who first. PGP going to NSA, or vice versa?

Re:Makes sense (1)

Guppy06 (410832) | more than 13 years ago | (#304513)

You mean it's taken this long for them to ADMIT they've gotten here. There's no reason not to believe that the NSA has been using Linux for years and has only come forward with their implementation of it after Windows' risks to national security has reached a certain threshold.

Re:Good! (1)

Guppy06 (410832) | more than 13 years ago | (#304514)

Why? Not having their operating systems classified as secure by the NSA has yet to stop them from intimating that it does.

For the paranoid (2)

Guppy06 (410832) | more than 13 years ago | (#304516)

The paranoid are going to think that SELinux is in some way compromised by the NSA, no matter how unrealistic it seems (paranoia is irrational by definition, after all). However, this leaves you with one more question: Who would you rather have access to your information, the NSA, or Microsoft? U. S. citizens at least have the option of complaining to Congress, taking them to court, et al. Microsoft, on the other hand, has a habit of negating all your legal rights through their licensing scheme. Just look at the recent Passport fiasco.

The NSA has to worry about the GAO breathing down their necks and the CIA, DIA, and FBI competing with them in some things. Microsoft is a monopoly. Who's going to be the one to worry more about the end-user?

Re:There goes the neighborhood (5)

Guppy06 (410832) | more than 13 years ago | (#304517)

If the NSA has to be working with an operating system, I'd prefer it to be Linux. Even if they were to put in back doors, at least the users have the legal right to look at the source code and try to find it and fix it. And I can almost guarantee that anything that has the NSA stamp of approval on it will be rigorously tested by the community, if for no other reason than because it says "NSA" on it.

Anyone still wonder why Phil left NAI? (1)

grassy_knoll (412409) | more than 13 years ago | (#304518)

When Phil Z. left NAI, the suits were quick to say there would be no back doors installed, even though the source was being closed. Now NAI and the NSA are all but tickling each other's tonsils. Is there anyone left who doesn't think PGP is broken?

Re:Great (1)

forming (413168) | more than 13 years ago | (#304519)

This is true, and I am sure we all remember the stuff that happened with Microsoft and the NSA, but "Open Source" will keep people from being able to hide the backdoors.

Re:Not the start of involvement.... (2)

stuccoguy (441799) | more than 13 years ago | (#304520)

Rather than keep the changes themselves, the NSA decide to share the source code back with the community - this really embraces the Free Software / Linux philosophy.

Actually, the Linux GPL requires them to make the modifications available under GPL. They are not symbolically embracing "Free Software / Linux philosophy"; they are simply complying with the licensing agreement.

On the other hand, this in and of itself seems amazing.

Hack Shoeboy (1)

Hack Shoeboy (441994) | more than 13 years ago | (#304521)

His password is "overbearing-and-undercaring"

Re:Hack Shoeboy (1)

Hack Shoeboy (441994) | more than 13 years ago | (#304522)

His password is "flat-you-lens"