mailing list archives
Re: Internet has vuln.
From: coderman <coderman () gmail com>
Date: Thu, 12 Sep 2013 09:18:09 -0700
On Wed, Sep 11, 2013 at 5:57 PM, Steve Wray <stevedwray () gmail com> wrote:
Are there any kernels available after 2.6 with no selinux? How easy or
difficult would it be to strip it out?
you can and should build your own kernels. this allows you to remove
all the devices and protocols and other attack surface not necessary
for your system, which can and do provide priv esc. and other vulns.
and of course there are *bsd, other options...
... Hardware devices that are running
Linux kernels, do they have the selinux code in them?
yes, latest Android for example.
I'm pretty sure that a lot of people are going to throw their hands up in
despair at this kind of thing and say "but its open source, its been
verified and checked by people around the world, surely it can be trusted."
a lot of people will point out you're focusing on a single tree while
missing the forest of vulnerabilities that are in the threat model of
"protecting against nation state intelligence service with $50bn
budget using all means available".
this includes, but is not limited to:
* weakened algorithms/protocols for big players (e.g., GSM, Cisco)
* weakening of RNGs
* inside access by 'covert agents' to hand over secrets (e.g., big 4)
* corruption of the standards process (NIST 2006?)
* corruption of certification process (CSC)
* corruption of appeal to authority for "off the record" pleas for
* corruption of judial process (NSL to "compell under duress") for
access to long term keys and decrypted data.
* using certification process early-access to prepare backdoors for
production runs (CSC)
* crunching of poor passwords
* black ops to steal keys
* black ops to pervert systems
availability of sources for review is just a small part of vetting process...
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
Re: Internet has vuln. Georgi Guninski (Sep 12)