Why the NSA wants your computer to be secure

From Slashdot | Just How Effective is System Hardening?

Re:Lunix bailout by big daddy gubment (Score:5, Informative)

by fuzzyfuzzyfungus (1223518) on Tuesday May 13, @11:55AM (#23391776)

The NSA, and state entities in general, has an interest in increasing security, even though it sometimes makes its job less convenient. The reason is pretty simple: Insecure systems can be broken by anybody with sufficient knowledge and motivation, NSA, spammers, organized crime, foreign intelligence services, etc. Secure systems can be broken by a search warrant, only available to state entities. There are, I’m sure, a number of exceptions to this trend; but for something like computer security, the government’s best interests are pretty clear.

The rest of your post is probably trolling; but what the hell, I’ll answer it anyway: SELinux added Mandatory Access Control abilities to Linux. These are very useful, and very powerful, security features and it is definitely good that Linux now has them; but it is hardly the case that any OS without them is necessarily insecure.
As for the “handout” angle, SELinux was certainly a handout for Linux; but it was also the cheapest and most effective way for the NSA to make MAC widely available in a short period of time. The objective of the program was a handout of security from the NSA to other entities. The handout to Linux was just the easiest path to that objective.

define “effective” (Score:4, Insightful)

by darkuncle (4925) <darkuncle@gmail.PARIScom minus city> on Tuesday May 13, @11:26AM (#23391488)

System hardening is effective at defeating certain classes of attacks. That said, most security breaches are NOT due to fancy footwork with memcpy or other low-level wizardry. They’re due to either:

1) improperly designed trusts between systems (e.g. the Internet can’t talk to my database server, but my webserver has full access; when my webserver is compromised, the contents of my database are toast as well). Networks designed to fail safely and gracefully, with liberal application of the principle of least privilege, help mitigate this kind of risk.

2) stupid user tricks (I place social engineering in this category, along with phishing and the majority of email viruses). There is no technical solution for this essentially social problem – education helps, sane and safe defaults help tremendously (every unnecessary feature is an additional security risk, and the risk compounds as features are added), software policy approaches like ACL/MAC/UAC/RBAC help … but in the end, users just want to do whatever it is they’re using the computer for. If an attacker can convincingly pretend to be legitimate, or present a convincing enough temptation, users will bypass, override or disregard any level of protection. Vista’s UAC is the canonical example here – great idea foiled by end users (granted, the implementation was almost guaranteed to train users to eventually ignore the constant repeated warnings).
