lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Sep 2013 15:23:46 -0400 From: Valdis.Kletnieks@...edu To: Steve Wray <stevedwray@...il.com> Cc: full-disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: Internet has vuln. On Thu, 12 Sep 2013 08:57:55 +0800, Steve Wray said: > In some cases it could be quite difficult to disengage from NSA-influenced > projects, eg selinux. So far as I can tell this is pretty much everywhere > now. Redhat embraced it ages ago, its been integrated in the kernel since > 2.6, so how do we opt out of selinux? Well, given that SELinux *did* come out of the NSA, but has had tons of code review of the base code (which isn't really all that much) and the actual policy files (which is where I'd hide a backdoor, they're a lot more obscure than the actual kernel code), by lots of people who would have *loved* to be the one who caught the NSA doing something underhanded, I think you're barking up an entirely incorrect tree. Sure, there *may* be a backdoor in there even after over a decade of outside review and several code overhauls by non-NSA people. But as Bruce Schneier continually tries to remind us, security is tradeoffs. What are the chances that the NSA will be targeting *your* box with a code exploit? What are the chances that *any hacker other than the NSA* (Chinese, Russian, bored script kiddies in Boise Idaho, whatever) will target your box with a code exploit? Which one do you want to be defending against? Yeah. It's far more likely that even with a hypothetical backdoor, SELinux will more likely stop some other attacker than it will let the NSA in. (For bonus points, the fact that SELinux is applied as a restrictive MAC after the standard unix permissive DAC means that it can't give any access you wouldn't have had *anyhow* if SELinux was entirely removed - about the only way to leverage it into a compromise is to find a buggy userspace program that misbehaves when you *remove* access, similar to the Sendmail setUID bug from some years back). Now, if you want to actually do something *USEFUL* to secure your RedHat box, there's something you can do to minimize your attack surface against an attack we *KNOW* the NSA is doing. In other words, rebuild your damned OpenSSL so that the RedHat-supplied .spec file doesn't intentionally go out of its way to disable elliptic curve DH. Google can deploy perfect forward security all it wants, it won't do you squat unless your end plays along. Patch attached. It's about 43 times larger than it really needs to be, except that turning on ECDHE also means you have to disable FIPS mode, because the FIPS self-test is insanely brain-dead and checks that your crypto library has *ONLY* FIPS-approved algos in it - and EC isn't on the list. Somebody figures out how to get EC and FIPS to co-exist, feel free to post an improved patch. Patch is against current Rawhide, but if you're clever enough to think about turning off SELinux, you should be able to fit it onto any release of OpenSSL recent enough to be safe to use.... And if you have a webserver, apply the matching patches for the server end. There's patches out there for both Apache and nginx. Oh, and if you use Firefox, you may want to go into about:config, enter 'rc4' on the filter line, and turn all of them off, and only re-enable one if you hit a website that is mandatory for you to use, and it insists on rc4 rather than AES or something else less totally borken than rc4. View attachment "openssl.spec.patch" of type "text/plain " (4651 bytes) Content of type "application/pgp-signature" skipped _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists