Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
paranoide
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
farmer.ro
Apprentice
Apprentice


Joined: 20 Aug 2016
Posts: 179

PostPosted: Fri Nov 11, 2016 8:20 am    Post subject: paranoide Reply with quote

i watched speeches of Jacob Appelbaum exposing the NSA and it left me a few questions regarding Gentoo security;

Question: how can we know for sure that the NSA is not spying on us while using Gentoo, when the NSA seems to have the power to pwn tools like AIDE or Wireshark

Question: it seems to me when using for example Debian it is much easier to wipe the entire disk and do a fresh install within 30 minutes, in contrast Gentoo install might take 1 or 2 days. does this leaves Gentoo more vulnerable to attacks from the NSA

Question: is it possible that the NSA got employees in the GNU/Linux software development team and might program software with malicious tools

how can i maintain anonymity ?
Back to top
View user's profile Send private message
Maxxx
Guru
Guru


Joined: 12 Jan 2016
Posts: 515
Location: Italia

PostPosted: Fri Nov 11, 2016 9:15 am    Post subject: Re: paranoide Reply with quote

farmer.ro wrote:
... in contrast Gentoo install might take 1 or 2 days. does this leaves Gentoo more vulnerable to attacks from the NSA...


Excuse me but i don't understand why Gentoo is more vulnerable than others linux distro only because for install it might take 1 or 2 days.
Could you explain it to me?
Back to top
View user's profile Send private message
farmer.ro
Apprentice
Apprentice


Joined: 20 Aug 2016
Posts: 179

PostPosted: Fri Nov 11, 2016 9:24 am    Post subject: Reply with quote

if there are 10 vulnerabilities that we know of there might actually be 15, so lets reduce it to 5

what i am trying to say is if you get a possible webkit exploit or any other kind of attack then wiping the disk and do a fresh install lets say once a week which only takes about 30 minutes, reduces the chances of a compromised box, in contrast where the installation takes 2 days and wiping the disk once a week is not really worth the installation time

i hope someone can answer my other questions
Back to top
View user's profile Send private message
Maxxx
Guru
Guru


Joined: 12 Jan 2016
Posts: 515
Location: Italia

PostPosted: Fri Nov 11, 2016 9:32 am    Post subject: Reply with quote

Ah ok...

For your question i can't answer... i don't know.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42592
Location: 56N 3W

PostPosted: Fri Nov 11, 2016 11:47 am    Post subject: Reply with quote

farmer.ro,

Its no comfort but we can't be sure. Gentoo is no worse that any other distro in this regard.

Consider the following Gentoo comprises only Portage and the Gentoo ebuild repository.
All the applications that you choose to install are $UPSTREAM. Wit a few patches here and there, $UPSTREAM is the same for everyone.
That's a little bit of a simplification - in Gentoo you get to choose ow your packages are built, so you might get lucky and configure security problems out.

As for wiping the HDD and reinstalling, do you really need to rebuild everything?
You only need rebuild vunerable packages. The rest can be reinstalled from your saved binaries, unless you believe that they have been compromised too.

Can you trust $UPSTREAM not to include exploits?
Absolutely not. That's why security is like the layers of an onion. You make it difficult for an attacker to get in, difficult to do anything useful if they do got in and difficult to phone home.

Your firewall makes it harder for things to get in. You know why you are running listening services and on what ports. Everything else is blocked
You don't run a half open firewall either. Only things you want to use are allowed out.
You may run a hardend system (not SELinux). That will stop several classes of exploits.
You can try Tinhat Linux. That runs entirely from DVD. No hdd access at all.
You monitor your logs for nasty things.
Add in tripwire to keep checksums of installed files (on RO media)

The more layers you add to your security onion, the more the security intrudes into your day to day use of your install.
You have to determine the threats you want to defend against and deploy security you are happy to work with.

Oh, you won't be targeted by a government.
Its much easier for a government to extract your pass phrases from you directly by sending the boys round.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Maxxx
Guru
Guru


Joined: 12 Jan 2016
Posts: 515
Location: Italia

PostPosted: Fri Nov 11, 2016 2:55 pm    Post subject: Reply with quote

NeddySeagoon wrote:
...You may run a hardend system (not SELinux). That will stop several classes of exploits...


Execuse me, why not SELinux? Maybe because SELinux is developed directly by NSA?
And then, what alternative?
Back to top
View user's profile Send private message
fedeliallalinea
Bodhisattva
Bodhisattva


Joined: 08 Mar 2003
Posts: 21352
Location: here

PostPosted: Fri Nov 11, 2016 3:06 pm    Post subject: Reply with quote

Maxxx wrote:
Execuse me, why not SELinux? Maybe because SELinux is developed directly by NSA?

https://en.wikipedia.org/wiki/Security-Enhanced_Linux
_________________
Questions are guaranteed in life; Answers aren't.
Back to top
View user's profile Send private message
Maxxx
Guru
Guru


Joined: 12 Jan 2016
Posts: 515
Location: Italia

PostPosted: Fri Nov 11, 2016 3:29 pm    Post subject: Reply with quote

Android smartphone has Dirty Cow bug, SELinux isn't secure...
It will be that the safest is the "old" Windows? :lol: :lol:
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5593

PostPosted: Fri Nov 11, 2016 5:48 pm    Post subject: Re: paranoide Reply with quote

farmer.ro wrote:
how can i maintain anonymity ?

When you've defined the threat model as an omnipotent, omniscient entity out to get everyone?

Don't make enough noise to be noticed.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13509

PostPosted: Sat Nov 12, 2016 2:10 am    Post subject: Reply with quote

Maxxx wrote:
NeddySeagoon wrote:
...You may run a hardend system (not SELinux). That will stop several classes of exploits...


Execuse me, why not SELinux? Maybe because SELinux is developed directly by NSA?
And then, what alternative?
No, not because NSA employees worked on it. SELinux is primarily focused on defining new and detailed ways to define which entities may access which resources. Relative to other hardening systems, SELinux spends comparatively little effort dealing with the possibility that the kernel has exploitable defects, so unless you can assume that your kernel functions exactly as its authors intend, SELinux cannot protect against certain classes of threat.

Maxxx wrote:
Android smartphone has Dirty Cow bug, SELinux isn't secure...
It will be that the safest is the "old" Windows? :lol: :lol:
Windows has so many security problems people no longer really recognize them as such. Even worse, the vast majority of Windows' problems are in programs that you cannot reasonably expect to be able to fix, even once you know the defect is there.
Back to top
View user's profile Send private message
59729
Apprentice
Apprentice


Joined: 21 Jun 2004
Posts: 279

PostPosted: Sat Nov 12, 2016 10:56 am    Post subject: Reply with quote

farmer.ro wrote:
i watched speeches of Jacob Appelbaum exposing the NSA and it left me a few questions regarding Gentoo security;

Question: how can we know for sure that the NSA is not spying on us while using Gentoo, when the NSA seems to have the power to pwn tools like AIDE or Wireshark

Question: it seems to me when using for example Debian it is much easier to wipe the entire disk and do a fresh install within 30 minutes, in contrast Gentoo install might take 1 or 2 days. does this leaves Gentoo more vulnerable to attacks from the NSA

Question: is it possible that the NSA got employees in the GNU/Linux software development team and might program software with malicious tools

how can i maintain anonymity ?

NeddySeagoon wrote:
farmer.ro,

Its no comfort but we can't be sure. Gentoo is no worse that any other distro in this regard.

Consider the following Gentoo comprises only Portage and the Gentoo ebuild repository.
All the applications that you choose to install are $UPSTREAM. Wit a few patches here and there, $UPSTREAM is the same for everyone.
That's a little bit of a simplification - in Gentoo you get to choose ow your packages are built, so you might get lucky and configure security problems out.

As for wiping the HDD and reinstalling, do you really need to rebuild everything?
You only need rebuild vunerable packages. The rest can be reinstalled from your saved binaries, unless you believe that they have been compromised too.

Can you trust $UPSTREAM not to include exploits?
Absolutely not. That's why security is like the layers of an onion. You make it difficult for an attacker to get in, difficult to do anything useful if they do got in and difficult to phone home.

Your firewall makes it harder for things to get in. You know why you are running listening services and on what ports. Everything else is blocked
You don't run a half open firewall either. Only things you want to use are allowed out.
You may run a hardend system (not SELinux). That will stop several classes of exploits.
You can try Tinhat Linux. That runs entirely from DVD. No hdd access at all.
You monitor your logs for nasty things.
Add in tripwire to keep checksums of installed files (on RO media)

The more layers you add to your security onion, the more the security intrudes into your day to day use of your install.
You have to determine the threats you want to defend against and deploy security you are happy to work with.

Oh, you won't be targeted by a government.
Its much easier for a government to extract your pass phrases from you directly by sending the boys round.


I think this is a good point, install the nesessary software, and add the checks that you can work with / and keep up and running without interferring with day to day use, add layers when applicable/meaning it's not a 24/7 job to keep 'a' private server or workstation up and running. In my case I had to disable the firewall as my current knowledge and health made it impossible to keep everything working / up and running. I have started to add that layer again but it will be a slow process documenting what i need/why and understanding what I need to do to maintain it so it works for me/and my situation.

If that is not enough, the next step would be to audit the source code for every package installed, and even then something might be missed so that's not really applicable in real life.
Back to top
View user's profile Send private message
jonathan183
Guru
Guru


Joined: 13 Dec 2011
Posts: 308

PostPosted: Sat Nov 12, 2016 12:26 pm    Post subject: Re: paranoide Reply with quote

farmer.ro wrote:
how can i maintain anonymity ?

use tails
Back to top
View user's profile Send private message
Maxxx
Guru
Guru


Joined: 12 Jan 2016
Posts: 515
Location: Italia

PostPosted: Sat Nov 12, 2016 4:19 pm    Post subject: Reply with quote

Hu wrote:
...SELinux spends comparatively little effort dealing with the possibility that the kernel has exploitable defects, so unless you can assume that your kernel functions exactly as its authors intend, SELinux cannot protect against certain classes of threat...


Ah, ok... i understand.

About Windows, i think that with Windows 10 it is a total end of privacy... i have windows 10 too, but i use it only for some games; minimal internet navigation, no e-mail, and no remote desktop; for example i use VNC only with linux and android smartphone (but maybe it's the same thing than with windows).
Regarding e-mail there are various crypto locker or similar virus and i think that must be careful with linux too, but with windows it's easier to take.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum