Recently I have been deeply troubled by evidence revealing the degree to which U.S. based corporations (well actually all resident in any of the so-called 5-eyes countries) appear to have rolled over and assumed the position with respect to NSA inspired pressure to cripple public key encryption and facilitate intrusions into their software products. This has engendered in me a significant degree of doubt surrounding the integrity of RHEL; and therefore of CentOS since it claims to be a bug for bug, and therefore an exploit for exploit, copy of RHEL.

Reinforcing my doubt is the tale surrounding the long outstanding bug report respecting OpenSSL (https://bugzilla.redhat.com/show_bug.cgi?id=319901) opened in October of 2007. This problem was only recently addressed and then only after a good deal of pointed public questioning by numerous security commentators. RedHat's reference to 'patent' issues surrounding this 'bug' is unsubstantiated by any documented evidence. The only response justifying Redhat's lack of movement is some hand-waving about corporate legal opinion. Despite suggestive language by some RH employees (https://bugzilla.redhat.com/show_bug.cgi?id=612265#c3) the exact nature of the patent legal problem was never specifically laid out for public comment. Equally troubling to me is the complete lack of any information on what patent issue was finally resolved and how it was resolved so that the related bugs could be fixed. As patents (with very, very few exceptions) are by their very nature not secret, one wonders if the so-called legal problem was of a fundamentally different nature, no less real but somewhat less savoury from a PR standpoint.

In consequence, after a good deal of agonizing over what was within my means to do, I have spent the weekend rebuilding Apache httpd from Apache sources to obtain TLSv1.2. While I still do not have a working copy (yet) I did learn a great deal of how RH back-porting patch policy appears to work.
But in the process of researching how to get this package built I ran across a number of discussions respecting OpenSSL, which is the fundamental layer upon which pki rests, and RedHat (http://www.linuxadvocates.com/2013/09/is-openssls-cryptography-broken.html). None of them were very comforting.

Where this discourse is leading is the question of whether or not CentOS should provide OpenSSL built from clean sources as an extra or plus package and perhaps httpd, sshd and ssh-client and related pki based/reliant packages as well. Similarly, should CentOS.org provide tested spec files that will provide individual system admins a simple method of building these packages from source?

I think that CentOS.org probably should provide this but I am afraid that I cannot make a strong public case. Suffice that my belief is informed from personal previous experience with federal agencies' investigative techniques and the all too frequent willingness of commercial interests to take the road of least resistance when pressured. Particularly where the spectres of expensive litigation and targeted regulatory enforcement loom in the background.

I believe that the issue is of pressing interest to the entire community and I would like to read what others have to say on the matter.

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
James B. Byrne wrote:
> Recently I have been deeply troubled by evidence revealing the degree to
> which U.S. based corporations (well actually all resident in any of the
> so-called 5-eyes countries) appear to have rolled over and assumed the
> position with respect to NSA inspired pressure to cripple public key
> encryption and facilitate intrusions into their software products. This
> has engendered in me a significant degree of doubt surrounding the
> integrity of RHEL; and therefore of CentOS since it claims to be a bug
> for bug, and therefore an exploit for exploit, copy of RHEL.
<snip>
>
> Where this discourse is leading is the question of whether or not
> CentOS should provide OpenSSL built from clean sources as an extra or
> plus package and perhaps httpd, sshd and ssh-client and related pki
> based/reliant packages as well. Similarly, should CentOS.org provide
> tested spec files that will provide individual system admins a simple
> method of building these packages from source?
>
> I think that CentOS.org probably should provide this but I am afraid
> that I cannot make a strong public case. Suffice that my belief is
> informed from
<snip>

I agree, but I just don't know how much in the way of manhours that would be involved. However, if you do get it all built, and build packages out of them, there is an extras? contribs? repo, and I'd encourage you to submit it for that.

mark
> RHEL nowadays supports already Elliptic Curve on openssl.

Which completely misses the point.

First, the initial settings of the EC are significant in determining the strength of the resulting cipher. There is considerable evidence that suggests that some of these default settings have been proposed by or adopted on behalf of interests that would benefit from having an easily compromised encryption technique. While the algorithm may be strong, a carefully crafted initial setting might be all it takes to render it vulnerable.

Second, the delay in providing ECC in itself, taken together with the abrupt and unexplained resolution to this matter subsequent to Snowden's revelations respecting the complicity of commercial entities in furthering illicit surveillance, raises my suspicion that there is more to this than meets the eye.

We are talking about a matter of trust and I am afraid to say that my suspicions of the motives of large commercial enterprises in matters of trust loom large in my thinking. If it turns out to be the case that RH withheld ECC from its users because of the pressure of some external interest we cannot be certain that this was the only item that was affected.

I am really at a loss as to how to proceed. Do I move off CentOS entirely? Where to? What other distribution of similar stature exists that is itself not subject to exactly the same forces that may have been brought to bear on RedHat?

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
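The concrete question underneath both the original post (should CentOS ship OpenSSL built from clean sources?) and the ECC exchange above is whether a vendor's OpenSSL build actually exposes EC key exchange and TLSv1.2 suites. The following is an added example, not code from any of the list posts: it parses `openssl ciphers -v` output and reports that. The two sample outputs are constructed to resemble a build with EC stripped and a build with EC present; they are not captured from a real CentOS host.

```python
import re

# Constructed sample in the shape of `openssl ciphers -v` output from a build
# that has EC support removed and predates TLSv1.2 (not a real capture).
STRIPPED_BUILD = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""

# Constructed sample from a build where EC and TLSv1.2 suites are present.
FULL_BUILD = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""

# One `ciphers -v` line: name, protocol, then Kx= Au= Enc= Mac= fields.
LINE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

def parse_ciphers(text):
    """Turn `openssl ciphers -v` lines into dicts; lines that don't parse are skipped."""
    suites = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            name, proto, kx, au, enc, mac = m.groups()
            suites.append({"name": name, "proto": proto, "kx": kx,
                           "au": au, "enc": enc, "mac": mac})
    return suites

def audit_build(text):
    """Summarise what a build exposes: EC key exchange, EC authentication,
    any TLSv1.2 suite, which suites give forward secrecy, and RC4 leftovers."""
    suites = parse_ciphers(text)
    return {
        "suites": len(suites),
        "has_ecdh_kx": any(s["kx"] == "ECDH" for s in suites),
        "has_ecdsa_auth": any(s["au"] == "ECDSA" for s in suites),
        "has_tls12": any(s["proto"] == "TLSv1.2" for s in suites),
        "forward_secrecy": sorted(s["name"] for s in suites if s["kx"] in ("ECDH", "DH")),
        "weak_enc": sorted(s["name"] for s in suites if s["enc"].startswith("RC4")),
    }

if __name__ == "__main__":
    for label, sample in (("stripped", STRIPPED_BUILD), ("full", FULL_BUILD)):
        print(label, audit_build(sample))
```

To audit a live system, feed the output of `openssl ciphers -v ALL` to `audit_build` instead of the constructed samples.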
After all the news about backdoors, "planted" bugs or weakened standards in apps, in routers, hardware firmwares, etc. these days, can we trust anything? Can we trust the bios? Can we trust the compiler not to stealthily inject a backdoor in the compiled version of a clean code? Given that most entries from the The International Obfuscated C Code Contest (http://www.ioccc.org/) look (at least to me) like magic and any average dev would not (be able to) see evil code in the middle of it...

And it is not only an NSA/USA thing, since it seems many countries are cooperating or doing the same... For example, in the middle of the Snowden revelations, France just passed a blanket spying law (without judicial supervision)!

Anyway, I think that having a 100% trustable environment is more and more a utopia.

What? Pessimistic? Me? Yep!

JD
On 2014-01-06 11:28, James B. Byrne wrote:
> I believe that the issue is of pressing interest to the entire
> community and I
> would like to read what others have to say on the matter.

I think everyone should assume the entire ecosystem is compromised and shouldn't trust anything. Code should be reviewed and bugs/weaknesses removed IMMEDIATELY. The problem is obviously not everyone is a programmer and not everyone will have the knowledge to understand how to fix/improve the security issues. Of course, some software is still good, but who's going to verify that and when?

If you don't use free software, you're a goner because now you have no ability whatsoever to audit the code! We can't trust the software or the hardware any longer. When the problem runs this deep, what can anyone do?

The NSA program has effectively removed my trust in every single U.S. (actually, 5 eyes) based tech company. I can only imagine what RMS thinks about all of this. If he hadn't fought for so long for free software, we would all truly be up shits creek.

Don't trust proprietary anything. Use free software - it'll be fixed sooner and properly before anything else.

-- 
Kanwar Ranbir Sandhu