Date: Thu, 12 Sep 2013 08:57:55 +0800
From: Steve Wray <stevedwray@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Internet has vuln.

I'm wondering how much of the industry/community is going to be in denial.

In some cases it could be quite difficult to disengage from NSA-influenced
projects, e.g. selinux. So far as I can tell this is pretty much everywhere
now. Red Hat embraced it ages ago, it's been integrated in the kernel since
2.6, so how do we opt out of selinux?

Are instructions like "you just need to edit the kernel boot line, usually
in /boot/grub/grub.conf, if you're using the GRUB boot loader. On the
kernel line, add selinux=0 at the end." just laughable? The code is in the
kernel therefore the kernel is (potentially) compromised, right?

Are there any kernels available after 2.6 with no selinux? How easy or
difficult would it be to strip it out? Hardware devices that are running
Linux kernels, do they have the selinux code in them?

I'm pretty sure that a lot of people are going to throw their hands up in
despair at this kind of thing and say "but it's open source, it's been
verified and checked by people around the world, surely it can be trusted."
