Date: 2001-04-12
NSA loves Linux III
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
q/depesche 01.4.12/1
NSA loves Linux [III]
"This is very unusual," says the NSA's spokesman; it is,
namely, a paradigm shift to enter into an alliance with the
open source community and NAI.
That is nothing really new, says Microsoft; after all, "the
NSA has been messing around with operating systems since
1972."
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
relayed Wed, 11 Apr 2001 23:13:47 by Georg
Schöfbänker www.fogis.de Austrian Information-Center for
Security Policy and Arms Control
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
NSA Takes the Open Source Route
by Jeffrey Benner
2:00 a.m. Apr. 11, 2001 PDT
On January 2, the super-secretive National Security Agency
did something unusual: It issued a press release.
Stranger still, the statement actually contained important
news: The NSA had developed a prototype of a more secure
kernel for Linux, dubbed SELinux. And, in the spirit of
open-source development, the agency would release the code
to the public.
Yes, the NSA -- legendary for closed doors and tight lips --
had become part of the open-source community.
"This is very unusual," said Brian Snow, technical director for
the NSA's information assurance department. "It's a
paradigm shift for the NSA."
The attitude shift was reinforced this week as a private
security firm announced it had signed a two-year, $1.2-million
contract with the NSA to continue its work on the SELinux
prototype.
The NSA's partner is NAI Labs, a division of a firm called PGP
Security. Although Network Associates now owns it,
cryptology legend and long-time NSA nemesis Phil
Zimmermann founded PGP (short for "Pretty Good Privacy")
Security in the early 1990s.
Despite the irony of his old firm teaming up with the agency
that tried to have him locked up for publishing the PGP
program in 1991, Zimmermann wasn't all that surprised to
hear of the partnership. "There are numerous government
agencies that use PGP," he said.
The $1.2-million NSA-NAI Labs deal extends a
partnership that began in June 2000. The NSA has been
working since 1999 to develop a new set of security controls
for the Linux kernel. NAI has developed a prototype to
demonstrate how these new controls can be used to improve
security.
The agency has made its SELinux source code and the
NAI-developed prototype available to the public. Linux developers
can discuss the prototype with NSA researchers on a public
bulletin board.
Late last month, NSA representatives gave a presentation on
SELinux at the annual Linux kernel conference.
According to its Web page on the Secure-Linux project, the
agency chose the Linux platform because "its growing
success and open development environment provided an
opportunity to demonstrate that [mandatory access controls]
can be successful in a mainstream operating system."
Revealing the fruits of its research to the public may seem
like a strange way for the NSA to improve the security of
classified information. But the agency hopes that working
with the open-source community will lead to a secure
operating system that would be less expensive than if the
NSA had to build one on its own, Snow said. Snow did not
feel revealing the code was a security risk. "If a code is
written well enough, it should be safe from attack," he said.
The theory is that peer review among developers will make
the system more secure. If the system is secure, it doesn't
matter who knows the code.
The agency hopes that SELinux will gain acceptance and
continue to improve through open collaboration with Linux
developers. Eventually, the hope is that a commercial
distributor will build upon the improvements and incorporate
them into off-the-shelf software products secure enough for
national security agencies to use.
"It's an attempt to get in the market things the Department of
Defense can buy," Snow said. "If we have to write custom
software, it's very expensive. But if we can help commercial
vendors do the job right, I can save the taxpayers a lot of
money."
NSA and NAI researchers, including NAI's Smalley, wrote a
joint paper on the inadequacy of operating systems entitled
"The Inevitability of Failure." The paper compares running
"secure" software programs on currently available operating
systems to "building castles on sand."
SELinux will offer user-specific access controls analogous to
those on Windows NT, Smalley said, but they will be
mandatory instead of discretionary, and function closer to the
real guts of the system, making them more effective.
...
Smalley predicted that the new system could make its way
into commercially available products within a few years, but
stressed that he was speculating.
Should competitors worry that SELinux will provide the
foundation of a superior operating system that government
agencies, banks and other security-conscious organizations
will prefer?
Dave Martin, a product manager for Microsoft's Windows
division, sounded unconcerned. A prototype is a long way
from a full-scale operating system with the kind of
functionality the market demands, he said.
"This isn't really anything new," Martin said. "It's a
research-only prototype, and the NSA has been messing around
with operating systems since 1972."
Wired News
http://www.wired.com/news/print/0,1294,42972,00.html
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
edited by Harkank
published on: 2001-04-12
comments to office@quintessenz.at
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-