CYBERPUNK: A Little NSA In Your Computer?

So, why is the National Security Agency taking such an interest in Linux?

That was the unspoken question in the air March 14 at the monthly meeting of the Maryland Columbia Area Linux Users Group (CALUG). That night, in a second-floor room in an otherwise empty office building, NSA rep Peter Loscocco, wearing jeans and a faded red shirt, and the likewise casually attired Steven Smalley, of NSA contractor NAI Labs (http://www.pgp.com/research/nailabs/default.asp), explained how the federal agency had modified a version of Linux to make it truly "secure."

But will normally open-minded Linux devotees accept code from America's premier spy agency?

This meeting was set up by CALUG coordinator Randy Schrickel, who does some consulting for NSA himself and already knew a bit about Security-Enhanced Linux, as the modified-by-NSA version is called. Since NSA's headquarters at Fort Meade is near Columbia, Schrickel called the agency to ask if someone would be willing to come to the group's meeting to talk about it.

Loscocco and Smalley agreed to stop by, and their talk was a treat. Both worked on SELinux, and what they described that night seems to be, even as a prototype, some serious stuff. SELinux goes way beyond the "firewalls," or virtual barriers, that keep intruders out of today's networked computers. As system administrators know all too well, firewalls don't entirely fireproof computers. Crackers sniff out passwords or sneak in open ports, viruses come through e-mail, damaging codes are dumped through Web-page forms, Trojan Horse-style. And once someone gains "root access" to a machine, they own it. In contrast, SELinux, through the use of something called mandatory access control, checks every process the computer undertakes against a customizable matrix of allowable actions. It's security management for control freaks.

That NSA concerns itself with Linux at all might seem surprising at first blush. After all, the operating system and the federal agency occupy opposing ideological poles. Linux is all about openness: Only because its code is publicly available for programmers worldwide to improve upon can it grow and prosper. This belief is the basis of the near fervent "open source" software movement, which has little use for corporate walls or national borders. In contrast, the NSA is all about secrecy: Only by maintaining a cloak of absolute anonymity can it carry out its chief mission of monitoring foreign communications for information of interest to the feds.

So, it's not often that the secrecy-minded NSA goes out on speaking engagements, much less offers help to renegade software movements. One tech writer, Larry Loeb, wrote on IBM's DeveloperWorks site that NSA introducing SELinux to the world is the "equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fishes, and then inviting everyone to come over to his place to watch the soccer game and have a few beers."

Of course, the conspiracy-minded could find motives quite easily. And inevitably, someone in the back row of the CALUG asked the question that, however embarrassing it may have been to do so, nonetheless had to be asked: Is there some sort of back door written into SELinux? Meaning, did the NSA plant secret access points that it can use to gain entry into people's computers?

It is a good question. After all, just last week it was reported that Germany is banning Microsoft software from its sensitive posts, fearing that the NSA had already planted back doors in that company's products ("German armed forces ban MS software, citing NSA snooping," The Register). Although German officials later denied the reports, a similar concern was also voiced last September when an ex-NSA analyst accused the agency of persuading some commercial software companies to add booby-hatches to their products ("Ex-NSA expert warns of concealed backdoors," ZD Net). And a few years ago, when the government was hammering out a standard for creating electronic signatures, the NSA okayed a proposed digital signature but didn't identify a serious flaw that would allow a sophisticated party -- such as, say, the NSA -- to install a trapdoor (and NSA denies this was the case). Lastly, let's not forget the supposed "NSAkey" that got Microsoft- and NSA-haters all in an indignant huff ("Security Expert Says Microsoft Placed NSA Backdoor In Windows," HackWatch).

Loscocco's answer was simple -- and he was adamant that NSA's goal is not to "pollute Linux." Back doors can't be done with Open Source software like Linux, he said, not without being discovered. After all, anyone can examine the code to see what it does. Sooner or later, some inquisitive programmer would find it.

But would they? After all, we're talking about code written by America's greatest employer of mathematicians, and one of the world's biggest users of computers. If anyone could plant secret code in Open Source, it would be NSA. No slouches of the deep calculation are they.

Loeb, who has examined the code in detail, would agree that there is no sneaky business going on, although he wouldn't go as far as to verify that there were no back doors. "I have seen nothing in the code to indicate any computational effort to swipe data, but to really answer that, the code would have to be analyzed for dependencies that are not obvious," Loeb e-mails. "The thing is, the released version is sort of useless as is. It's a framework, much like a Linux distribution. You have to set the permissions and stuff. Doing that customization seems to cut off any way that 'They' could count on to transmit data out of the shell.

"But that's just my opinion. I can't truly prove it mathematically."

Actually, SELinux seems to have more to do with NSA's other mission, the one fewer people know about. While its chief duty is monitoring foreign communications for political and economic items of interest, NSA has a second task of building communications systems that can't be cracked, listened in on, or otherwise compromised. As one CALUG member noted after the meeting, "The wars between nations today are economic ones." Especially since the Cold War, operatives cut loose from foreign spy agencies are now engaged in all manner of espionage for foreign companies and governments. So it is in the United States' best interest, the argument goes, that the government build crack-proof systems for U.S. corporations.

And who better to do that than NSA itself, which certainly knows a thing or two about compromising systems? The agency's Web site has a whole slew of security-related technologies ready for some enterprising companies to take out into the marketplace (http://www.nsa.gov/programs/tech/toc.html) -- from disk sanitization to a wafer-coating technique that prevents reverse engineering of chips. And this is nothing new. Back in the '70s, when IBM was working on what would soon become the government Data Encryption Standard (DES), NSA brainboxes quietly stepped in to assist Big Blue in refining its design. Turns out they'd been secretly working on something similar for years.

But SELinux is the NSA's first outreach effort in open source.

SELinux seems to be the result of standard-issue technology transfer -- the U.S. government's ongoing attempt to get its own research into the marketplace to advance the frontiers of technology and, not incidentally, bring down the costs of the government systems those technologies are employed in. Loscocco pointed out that night how the NSA, like a lot of government agencies, is interested in using Linux itself to cut costs. Many of the U.S. Department of Defense's computers are required to have high-level security implementations, and SELinux addresses that need.

"They need a secure OS internally," e-mails Loeb. "They want something they can put on cheap [computers] that will still give them the security they need and currently implement on lots of disparate hardware. I think [SELinux] is really an admission that the world has changed."

Both Loscocco and Smalley seemed earnest about what they were doing, and in doing so, they are testing the philosophy of the many adherents of open source software. After all, one of the tenets of open source, at least according to the non-profit policy group Open Source Initiative, is that "in order to get the maximum benefit from the process, the maximum diversity of persons and groups should be equally eligible to contribute to open sources. Therefore we forbid any open-source license from locking anybody out of the process." And would that include America's premier spy agency?

We'll find out shortly. It is Linux creator Linus Torvalds and his cohorts who decide which volunteer-written features to add into the next version of the Linux kernel -- the "core" part of the operating system. If they accept NSA's well-engineered improvements, the code will be folded into Linux itself. It'll be a tough choice. In the long run, NSA's contributions could strengthen Linux immeasurably, but will vocal Linux adherents really want a kernel with "NSA inside"?

And if not, will they only be losing out from blind prejudice?

E-mail: Secreto@joabj.com
