Hint: :q!
Sister communities:
Community rules (click to expand)
1. Follow the site-wide rules
sudo in Windows.Please report posts and comments that break these rules!
Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't fork-bomb your computer.
The NSA, the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000.[6] The software was merged into the mainline Linux kernel 2.6.0-test3, released on 8 August 2003. Other significant contributors include Red Hat, Network Associates, Secure Computing Corporation, Tresys Technology, and Trusted Computer Solutions.
Only because they use Linux too and had to make it public as Linux is a public, open-source kernel
GPLv2 only says that people with access to the binary need access to the source code too. If they only used it internally they'd never have to make it public.
While they created a set of patches that would implement the security features that selinux provides, what was actually merged was the result of several years of open collaboration and development towards implementing those features.
There's general agreement that the idea that the NSA proposed is good and an improvement, but there was, and still is, disagreement about the specific implementation approaches.
To avoid issues, an approach was taken to create a more generic system that selinux would then take advantage of. That's why selinux, app armor and others can live side by without it being a constant maintenance and security nightmare. Each one lives in their little self contained auditable boxes, and the kernel just makes the "check authorization" function call and it flows into the right module by configuration.
The Linux community was pretty paranoid about the NSA in 2000, so the code definitely got a lot more scrutiny than the typical proposal.
A much easier way to introduce a backdoor would be to start a tiny company that produces some arbitrary piece of hardware which you then add kernel support for.
https://github.com/torvalds/linux/tree/master/drivers/input/keyboard - that's just the keyboard drivers.
Now you're adding code to the kernel and with the right driver and development ability you can plausibly make changes that have non-obvious impacts, and as a bonus if someone notices, you can just say "oops!" And not be "the god-damned NSA" who everyone expects to be up to something, and instead be 4 humble keyboard enthusiasts with an esoteric set of lighting and input opinions like are a dime a dozen on Kickstarter.
We saw a very sophisticated attack on Linux earlier this year with the XZ exploit. That stuff is terrifying and the sort of thing people should be worried about. SELinux is tame, by comparison.
I haven't looked at the keyboard drivers, or much Linux source. I never really had a reason to do a lot of C other than small microcontroller projects.
But I see this stuff and think of how awesome it must have felt to get a different keyboard working on an OS the first time. I have to do all this stuff with cloud, and api levels, and configuring CI/CD pipelines, and sometimes I get to write backend C# code or they let me play in the front end. Most of the time it's telling another team of developers what to do, and listening to our clients explain the problems and I have to figure out if we already have anything to fulfill at least some of those needs.
These drivers are the divine marriage of hardware that's not native to the machine that an OS is running on. It's so beautiful to read. You can visualize where the values enter a memory address, and bits get shifted or something is static so the keyboard always uses the right thing.
do i remember correctly that android is based on se?
Yes, android is actually a very secure system if you get rid of the vendor rom and google
You wouldn't phrase it like that. Android is based on Linux, and selinux is part of the Linux security subsystem. Android makes use of selinux features, among others, for security sandboxing.
Most modern androids enforce it btw
I mean, leaving aside their surveillance tasks, it's still their job to ensure national security. It's in their best interest to keep at least themselves and their nation safe, and considering how prevalent Linux is on servers, they likely saw a net benefit this way. They even open sourced their reverse engineering toolkit Ghidra in a similar vein
Ghidra was about hiring and cost savings. Its easier to hire when people already know your tools. Also people are more willing to use your tools rather than expensive ones if they can still use them when they leave (go into contracting). Also interoperability with contractors may improve.
And we're all the better for it! Needs polish and development of course, but it's a decent alternative already
I mean, it's still Open Source, right? So it would be pretty hard for them to hide a backdoor or something??
I guess I don't know what's so sus when it's easily auditable by the community and has been for two decades now.
If it's just because it's memes and you're not being that serious, then disregard please.
I maintain open source software on a much smaller codebase that is less security critical. We have dozens of maintainers on a project with about 3k stars on GitHub. Stuff gets by that are potentially security vulnerabilities and we don’t know until upstream sources tell us there is a vulnerability
I'd imagine in this case there has been extra community scrutiny since it's security software and it comes from less than trustworthy source.
So it would be pretty hard for them to hide a backdoor or something??
Do you know of any good comprehensive followup to this? A quick search shows me lots of outdated info and inconclusive articles. Do you know if they conclusively found anything or if there is a good writeup on the whole situation?
I did some follow-up research and found that subsequent audits found no backdoors. They're either incredibly sneaky, or the person making these claims wasn't being entirely honest.
This is also probably the reason why you lost your DARPA funding, they more than likely caught wind of the fact that those backdoors were present and didn't want to create any derivative products based upon the same.
Though this implies that the Department of Defense doesn't want to use compromised tools, since DARPA is DoD. NSA is also DoD.
They wouldn't want to use or derive any compromised software themselves. They would want any adversaries to have it implemented.
I mean, it’s still Open Source, right? So it would be pretty hard for them to hide a backdoor or something??
Right but maybe it combined with other tools they have is what helps them with some exploit.
Like they figured out an exploit but needed SELinux as a piece of the puzzle. It's open source
and we can all read the code but we can't see the other pieces of the puzzle.
Come on, put your conspiracy hat on! ;)
Ok, conspiracy hat on...Maybe Snowden was the only NSA contributor with the sole purpose of making tracking citizens harder!
This is why I use templeOS
Dude, that one got a spy built-in! Direct telemetry to god.
That explains why it doesn’t need internet