Page 4 of 6 FirstFirst ... 23456 LastLast
Results 31 to 40 of 57

Thread: Does Ubuntu have malicious NSA code?

  1. #31
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,309
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: Does Ubuntu have malicious NSA code?

    Quote Originally Posted by Barney View Post
    NSA Android coding; still wondering about NSA in Ubuntu?

    http://refreshingnews99.blogspot.in/...r-googles.html
    All that the article says is that code like that of SELinux is being contributed to Android. So long as ALL of the Android source is freely available, and (as pointed out years ago--read my post above) also all of the code for the compilers used to translate that source into binary, the chances of a backdoor being included are essentially zero. Prism is an abdomination, but not all of the NSA efforts go to snooping; some of them go toward improving security of all our cyberstructure (but I'd bet that the security never extends far enough to block the snooping).
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads

  2. #32
    Join Date
    Dec 2008
    Location
    Orlando, Fl
    Beans
    457
    Distro
    Kubuntu 12.10 Quantal Quetzal

    Re: Does Ubuntu have malicious NSA code?

    Does it matter? They can break into anything they want. You couldn't stop it if you wanted to. They really don't need a backdoor.

    In his own words: Confessions of a cyber warrior
    Grimes: How many exploits does your unit have access to?

    Cyber warrior: Literally tens of thousands -- it's more than that. We have tens of thousands of ready-to-use bugs in single applications, single operating systems.

    Grimes: Is most of it zero-days?

    Cyber warrior: It's all zero-days. Literally, if you can name the software or the controller, we have ways to exploit it. There is no software that isn't easily crackable. In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface.
    https://www.infoworld.com/d/security...warrior-222266
    Last edited by BigCityCat; July 12th, 2013 at 02:33 AM.

  3. #33
    Join Date
    Mar 2011
    Beans
    680

    Re: Does Ubuntu have malicious NSA code?

    They can't break into anything they want. While Linux security (and distro security) may be significantly lacking, there are ways to harden your system to the point where they'll at least have to modify their attacks, which will likely take weeks depending on how well you've done it..

    But, you're correct, they don't really need a backdoor when they have something like that. We have already seen the government spend millions (many millions) on attacking other countries with very complicated attacks involving MD5 collision attacks. Unfortunately, Ubuntu is still vulnerable as it allows updating over HTTP and doesn't force it over HTTPS whereas Windows updates over HTTPS (tip: Ubuntu doesn't give a darn about security).
    Last edited by oldos2er; July 12th, 2013 at 05:04 PM. Reason: Please keep your language family-friendly.
    sig

  4. #34
    Join Date
    Aug 2013
    Beans
    1

    Re: Does Ubuntu have malicious NSA code?

    Quote Originally Posted by Hungry Man View Post
    Unfortunately, Ubuntu is still vulnerable as it allows updating over HTTP and doesn't force it over HTTPS whereas Windows updates over HTTPS (tip: Ubuntu doesn't give a darn about security).
    Are you sure? Aren't all packages signed with a trusted key that's included with the OS before installation?

  5. #35
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    11,250
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Does Ubuntu have malicious NSA code?

    Quote Originally Posted by luke6 View Post
    Are you sure? Aren't all packages signed with a trusted key that's included with the OS before installation?
    Yes, they are.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  6. #36
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,309
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: Does Ubuntu have malicious NSA code?

    Quote Originally Posted by Hungry Man View Post
    (tip: Ubuntu doesn't give a darn about security).
    Actually. there's more security to the Ubuntu update process that has ever been the case for Microsoft's products. For starters, Ubuntu issues security updates as soon as a fix has been found and tested, while Redmond waits for the second Tuesday of the next month. All the update packages are signed, as is access to the repository areas themselves. Finally, there are far fewer "Mother, may I?" messages displayed by the system; the large number of them used by Windows simply trains its users to always click "OK" without paying attention to the warning.

    No computer system is totally secure unless it is stripped of all input and output capability, and disconnected from all power sources -- but such a machine is useless. Perfect security is unachieveable -- but FUD has no place in discussions of how to approach it.
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads

  7. #37
    Join Date
    Nov 2008
    Location
    S.H.I.E.L.D. 6-1-6
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Does Ubuntu have malicious NSA code?

    Quote Originally Posted by JKyleOKC View Post
    Actually. there's more security to the Ubuntu update process that has ever been the case for Microsoft's products. For starters, Ubuntu issues security updates as soon as a fix has been found and tested, while Redmond waits for the second Tuesday of the next month. All the update packages are signed, as is access to the repository areas themselves. Finally, there are far fewer "Mother, may I?" messages displayed by the system; the large number of them used by Windows simply trains its users to always click "OK" without paying attention to the warning.

    No computer system is totally secure unless it is stripped of all input and output capability, and disconnected from all power sources -- but such a machine is useless. Perfect security is unachieveable -- but FUD has no place in discussions of how to approach it.
    +1
    For those that think SSL is nice and secure, it isnt.

    For example, those who are using the RC4 chiper to prevent BEAST attacks. Well, thats broken. (Also see http://arstechnica.com/security/2013...ation-cookies/). That leaves us with TLS 1.2, which not all browsers support. So at the moment, it is basically the decision of the people who secure the SSL site to choose which one to use. To leave browsers that are suspectable to BEAST attacks but dont support TLSv1.2 open for attack (Dont support RC4 anymore), or to continue to use a weak cipher (Continue to use RC4)

    Those using SPDY with a FF version lower than 15 or a Chrome version lower than 21?
    Your vulnerable to CRIME SSL Compression attacks : https://www.imperialviolet.org/2012/09/21/crime.html

    There is also BREACH (which will take too long to explain): http://breachattack.com/

    There is no way to stay completely secure.
    Live with it.
    Last edited by sandyd; August 30th, 2013 at 09:03 PM.
    Don't waste your energy trying to change opinions ... Do your thing, and don't care if they like it.

  8. #38
    Join Date
    Mar 2011
    Beans
    680

    Re: Does Ubuntu have malicious NSA code?

    RC4 isn't broken (the attacks aren't viable right now). BREACH has been mitigated for some time by random length padding in browsers for HTTP headers. Firefox 15/Chrome 21 both have tiny user bases since the updated has predated both of those (automatic updates) and they both came out about 10 revisions ago.

    All major browsers now support TLS 1.1/1.2.

    Actually. there's more security to the Ubuntu update process that has ever been the case for Microsoft's products. For starters, Ubuntu issues security updates as soon as a fix has been found and tested, while Redmond waits for the second Tuesday of the next month. All the update packages are signed, as is access to the repository areas themselves. Finally, there are far fewer "Mother, may I?" messages displayed by the system; the large number of them used by Windows simply trains its users to always click "OK" without paying attention to the warning.

    No computer system is totally secure unless it is stripped of all input and output capability, and disconnected from all power sources -- but such a machine is useless. Perfect security is unachieveable -- but FUD has no place in discussions of how to approach it.
    No, there isn't.

    Ubuntu's update process: Checks for signed file. No enforcement, files can be signed with MD5.
    Windows update process: Checks for signed file. No MD5 allowed for root verification. All WU are over TLS.

    Windows patches out of cycle if the vulnerability is public, just like Ubuntu does. For internal/ reported vulnerabilities that are not public they wait one month. That's the burden of actually having a user base.

    Already covered the signed thing. Windows already signs all updates *and* they go over TLS, unlike Ubuntu, which uses HTTP.

    Total security does not exist at this moment. But you can get quite good, and understanding the issues is the only way to do so.

    Pretty sure Windows 8 ships all Windows services with ASLR/PIE, whereas Ubuntu *still* does not even ALLOW for testing PIE even on 64bit where there is little to no performance hit.
    Last edited by Hungry Man; August 30th, 2013 at 09:39 PM.
    sig

  9. #39
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    593
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Does Ubuntu have malicious NSA code?

    These are interesting articles to read that were published today about the NSA:

    1. http://www.propublica.org/article/th...net-encryption

    Then, read this second article from Mr. Schneier:

    2. http://www.theguardian.com/world/201...e-surveillance

    This third one is a call to activism:

    3. http://www.theguardian.com/commentis...net-nsa-spying

    I use Private Internet Access Virtual Private Network and they use SSL. I'm under no illusion that SSL is 110% secure.

    I recommend installing SSTP VPN protocol:

    4. http://www.strongvpn.com/setup_ubuntu_sstp.shtml

    Astrill VPN offers SSTP VPN protocol for their paid service:

    5. http://www.astrill.com

    This is also a good list of SSTP VPN providers and about SSTP VPN protocol itself:

    6. http://www.vpntunnel.co/top-sstp-vpn...e-and-provider

    I would not recommend StrongVPN as a SSTP VPN provider as they monitor and record and log your network traffic especially if you engage in peer to peer file sharing services.

    This is a good list of torrent friendly VPN service providers:

    7. http://torrentfreak.com/vpn-services...dition-130302/

    Do your research!

  10. #40
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    593
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Does Ubuntu have malicious NSA code?

    NSA and US DoD have classified sources and methods to attack any computer using any operating system worldwide including GNU/Linux. I should know. I used to work for them. Linux is not 110% safe and secure against most Western governments that are friendly with the United States of America. Most of the time, the people in this thread except for myself are not on a watchlist or target list because you're nobody to Western intelligence agencies unless you do something provocative and stupid to attract their attention. Otherwise, you're safe and secure relatively speaking and your real concern are your online accounts with companies and corporations rather than governments or military. So, do be mindful of creating accounts with businesses and organizations that you don't know too well and try to secure your online accounts using two-factor authentication or multi-factor authentication and use public ciphers to encrypt your data prior to uploading any data to a remote server or data center. Protect your passwords and encryption keys jealously.

    Don't be worried about the NSA hacking you because they usually don't care about small fries like you guys.

    Ubuntu is fairly safe and secure. It's used through some parts of the US local, state, and federal government and lots of small, medium, and large businesses and companies. I wouldn't worry so much about Ubuntu as your identities and data stored on Microsoft Windows and especially Apple Macintosh platforms. Those have backdoors and bugs that aren't published because they're closed source proprietary software code.

    Don't be alarmed about the NSA. It's doing its job to protect US national security. This means that if you're a United States citizen, the US government is protecting you too.

    NSA rarely attacks individuals that are regular citizens. It requires signed court orders to go after US citizens at home or abroad. It may be a rubber stamp by a federal judge, but it's a check and balance nevertheless.

    I consider Ubuntu safe and secure enough for my personal needs as a former employee. You shouldn't be too concerned about NSA backdoors or exploitable bugs in Ubuntu. There are plenty of ways that the NSA can attack you and your PCs and your data regardless of the platform that you use.

    Just don't stand out as a high value target. Don't be shady or suspicious. Don't be a terrorist, drug dealer, and don't get into child porn. Don't traffic illegal arms. Don't threaten official local, state, and federal employees. Don't try to hack critical infrastructure and don't steal industrial, military, or diplomatic secrets you shouldn't have.

    This is how to stay safe and secure.

Page 4 of 6 FirstFirst ... 23456 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •