Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Linux health given the reveletion of NSA crypto-subverting attacks?

deepdive (843737) writes | about a year ago


deepdive (843737) writes "I have a basic question. What is the privacy/security health of the Linux kernel (and indeed other FOSS OS's) given all the recent stories about the NSA going in and deliberately subverting various parts of the privacy/security sub-systems. Basically, can one still sleep soundly thinking that the most recent latest/greatest ubuntu/opensuse/what-have-you distro she/he downloaded is still pretty safe. Or do people need to get a little worried and start burning some extra night oil over this?"

Sorry! There are no comments related to the filter you selected.

All it takes (1)

AHuxley (892839) | about a year ago | (#44788559)

is for a working group to trust the wrong person to be "the person" for some tiny aspect of encryption or networking. On average crypto history (1950-90's) shows the result.
The idea that Linux would be left alone is like saying Apple was too small for the US gov invite.

At this point (1)

santosh.k83 (2442182) | about a year ago | (#44789635)

We can say that while the open source based Linux/BSD ecosystems are without a doubt safer security wise, and better privacy wise, from non-state crackers and blackhats, it is probably at best only marginally more difficult for state players like the NSA to infiltrate. NSA is primarily exploiting the human weakness angle in it's efforts towards surveillance, and that human element is as weak in the open source community as in the commercial sectors. The one real advantage is the "many eyes" effect, which still allows for potential backdoors and weaknesses to be spotted and corrected, which would be hopelessly impossible within a closed source codebase who's parent company is in the NSA's pocket.

Re:At this point (1)

deepdive (843737) | about a year ago | (#44791291)

My point is not to compare FOSS with the rest of the closed source stuff. FOSS definitely has an advantage with the "many eyes" effect etc. But that still does not guarantee that the 'control freaks' wont be able to sneak in something sinister into a benign looking app in an major Linux distro. Question is whether the FOSS community would go through some sort of SOP yet again for 'driving out these demons'.

Re:At this point (1)

santosh.k83 (2442182) | about a year ago | (#44791453)

Well from what I see, the kernel itself is pretty heavily reviewed and inspected, but on the other hand it is also a HUGE code base, and many old code could be lurking without any recent review. Also lots of manufacturer provided binary blobs are accepted into the kernel, and these could conceivably be an easy route for NSA etc to infiltrate the kernel, by forcing the company providing the binary blob to insert their backdoor. There was also discussion recently how writable microcode on recent Intel chips can be another possible vector for malicious code, again by NSA forcing the microcode provider to include their payload.

And then there's the whole area of compromising the integrity of cryptographic code, both when the standards themselves were being framed, and also specific cryptographic implementations, by inserting a mole into the development team. Such types of "subtle compromises" would be very hard to detect except by an expert in that area, and presumably, for cryptography, such experts are few and far between, and more than a few of them could've been contacted by the NSA...

So while it is a bleak picture, at least the open nature of the code base gives a chance of auditing (not sure if that'll happen though. People seem to've pretty much given up at this point) and replacing suspect components, but again, it could always be compromised again, and the NSA has unlimited resources and patience on their side. How long can the community keep auditing, and stay vigilant? Eventually it'll erode mutual trust in the community, and people will get tired and give up.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?