| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Sep 2013 09:18:09 -0700 From: coderman <coderman@...il.com> To: Steve Wray <stevedwray@...il.com> Cc: full-disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: Internet has vuln. On Wed, Sep 11, 2013 at 5:57 PM, Steve Wray <stevedwray@...il.com> wrote: > ... > Are there any kernels available after 2.6 with no selinux? How easy or > difficult would it be to strip it out? you can and should build your own kernels. this allows you to remove all the devices and protocols and other attack surface not necessary for your system, which can and do provide priv esc. and other vulns. and of course there are *bsd, other options... > ... Hardware devices that are running > Linux kernels, do they have the selinux code in them? yes, latest Android for example. > I'm pretty sure that a lot of people are going to throw their hands up in > despair at this kind of thing and say "but its open source, its been > verified and checked by people around the world, surely it can be trusted." a lot of people will point out you're focusing on a single tree while missing the forest of vulnerabilities that are in the threat model of "protecting against nation state intelligence service with $50bn budget using all means available". this includes, but is not limited to: * weakened algorithms/protocols for big players (e.g., GSM, Cisco) * weakening of RNGs * inside access by 'covert agents' to hand over secrets (e.g., big 4) * corruption of the standards process (NIST 2006?) * corruption of certification process (CSC) * corruption of appeal to authority for "off the record" pleas for backdoor access. * corruption of judial process (NSL to "compell under duress") for access to long term keys and decrypted data. * using certification process early-access to prepare backdoors for production runs (CSC) * crunching of poor passwords * black ops to steal keys * black ops to pervert systems availability of sources for review is just a small part of vetting process... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists