[LINK] Security: from a different direction

[Craig Sanders]

On Thu, Dec 16, 2004 at 05:53:28PM +1100, Howard Lowndes wrote:
> On Thu, 2004-12-16 at 16:12, Stilgherrian wrote:
> > At 15:34 +1100 16/12/04, Howard Lowndes wrote:
> > >Yes, because I have faith in the Linux community.  Bear in mind that SEL
> > >was written by NSA and released back to the Linux community under the
> > >GPL _as_source_code_
> > >
> > >You can be damned sure that many suspicious, paranoid and knowledgable
> > >eyes have looked it over very closely.
> > 
> > Ah but can we be "sure"?
> 
> Given the very sceptical nature of the Linux community at large towards
> governments and government agencies, esp those who have a history  like
> that of the NSA (No Such Agency) I am prepared to believe that this code
> has probably been more thoroughly scrutinised than most of the rest of
> the code.  I guess you would need to rummage thru the code looking for
> fingerprints to be absolutely sure.

and there's also the cypherpunks and crypto-geeks and professional
cryptographers like Bruce Schneier - all of whom saw the NSA saying "here's a
security enhancement for linux" as a challenge.  these people like to pick
holes in crypto algorithms for fun and recreation (and also for reputation -
anyone who did find a hole or backdoor in SE Linux would have a huge boost to
their standing amongst their peers).


also, look at what happened when the diebold source code was leaked - it was
torn apart by hundreds of people all around the world, and that's not even open
source.

admittedly, diebold programmers probably aren't anywhere near as good as NSA
programmers at hiding sneaky things in the source.  after all, they're only
pre-programming an election and subverting the democratic process - it's not
like that's illegal or anything.


craig

ps: i know a few very smart people working on & with SE Linux.  i'm prepared
to trust their judgment.

-- 
craig sanders <cas at taz.net.au>           (part time cyborg)