CentOS - Apr 2017 - OT: systemd Poll - So Long, and Thanks for All the fish.

>
> There is no doubt that most security agencies have a long list of zero-
>> day exploits in their toolbox - I would hazard to suggest that they
>> wouldn't be doing their job if they didn't! But I seriously
doubt they
>> would commission exploitable code in something that is openly
>> auditable.
>>
>> P.
>>
>
> P., I used to think that too... indeed, I was thoroughly convinced of it.
> But reality changed my mind.

Indeed. I think the assertion "OSS is somehow safer because of community
audit" is a logical fallacy. How would one go about "auditing" in
the first
place? Even if the various Intelligence agencies are not injecting
vulnerabilities then they would certainly be in a strong position to
discover some of the holes already existing some time before they become
public.

Unless you're operating an air gap network you can be damn sure that
'they'
can get into your systems if they really want to.

On 04/16/2017 06:51 AM, Andrew Holway wrote:
>>
>> There is no doubt that most security agencies have a long list of zero-
>>> day exploits in their toolbox - I would hazard to suggest that they
>>> wouldn't be doing their job if they didn't! But I seriously
doubt they
>>> would commission exploitable code in something that is openly
>>> auditable.
>>>
>>> P.
>>>
>>
>> P., I used to think that too... indeed, I was thoroughly convinced of
it.
>> But reality changed my mind.
>
>
> Indeed. I think the assertion "OSS is somehow safer because of
community
> audit" is a logical fallacy. How would one go about
"auditing" in the first
> place? Even if the various Intelligence agencies are not injecting
> vulnerabilities then they would certainly be in a strong position to
> discover some of the holes already existing some time before they become
> public.
I'm more worried about cloud services and the large number of root 
certificates that software trusts by default.

That's where a lot of the hacks are going to happen, and AFAIK the only 
defense against it is DNSSEC + DANE which very few zones actually utilize.

> Indeed. I think the assertion "OSS is somehow safer because of
community
> audit" is a logical fallacy. How would one go about
"auditing" in the first
> place?
There are tools to audit source code for problems - OSS is safer
*because* the source is available and can be audited. 
>  Even if the various Intelligence agencies are not injecting
> vulnerabilities then they would certainly be in a strong position to
> discover some of the holes already existing some time before they become
> public.
Yes. And despite what people think, those agencies don't have super
powers. They have tools to help them, and lots of resources, but
nothing out of the ordinary. There is nothing that the NSA can do that
can't be done by other agencies or even individuals (or enough
individuals working together).

There is no doubt that every single security agency in the world has a
team working on discovering exploitable code in all operating systems.
It's what they do. Any exploit they find that has been reported is
probably because some other agency has found it as well so they want to
stop them using it.
> 
> Unless you're operating an air gap network you can be damn sure that
'they'
> can get into your systems if they really want to.
The only truly secure machine is one that is at the bottom of a mine
shaft, turned off and dismantled. :-)

P.

On Sun, 2017-04-16 at 18:25 +0100, Pete Biggs wrote:

> Yes. And despite what people think, those agencies don't have super
> powers. They have tools to help them, and lots of resources, but
> nothing out of the ordinary.
Untrue. They are in advance of mainstream developments. Spying has
existed for thousands, of years *and* it is their job to discover and
then discretely monitor what is going-on.

It is never one team doing everything but many highly specialist teams
dedicated to particular aspects of intelligence gathering which they do
expertly, and impressively, well.

All countries monitor, by all available means, what is happening in
their own territory and around the world. Just because, for example, the
USA and Russia are not officially loving buddies it never ever prevents
their intelligence agencies covertly sharing intelligence of mutual
interest. It is a incestuous world with an international web of contacts
doing favours and often disregarding their own government's official
political pronouncements.
>  There is nothing that the NSA can do that can't be done by other
>  agencies or even individuals (or enough individuals working together).
Mmmm, you forgot physical access to targets :-) That is one of their
advantages together with links into national infrastructures and
seemingly endless money. They are much more audacious than "normal"
people.
> There is no doubt that every single security agency in the world has a
> team working on discovering exploitable code in all operating systems.
> It's what they do. Any exploit they find that has been reported is
> probably because some other agency has found it as well so they want to
> stop them using it.
Not only software but hardware too. Most hardware has backdoors which
may not be routinely disclosed to purchasers. The question then arises
if the "official" backdoor is the only one. Difficult to detect if the
logic is coded on a chip.
> The only truly secure machine is one that is at the bottom of a mine
> shaft, turned off and dismantled. :-)
Nope, just protected from public networks like the Internet and from
radio transmissions of all types. Faraday-cage types and 'high-security
rooms' don't have to be buried at the bottom of mines; they exist
everywhere.



-- 
Regards,

Paul.
England, EU.      England's place is in the European Union.