Full Disclosure mailing list archives
Re: Internet has vuln.
From: coderman <coderman () gmail com>
Date: Thu, 12 Sep 2013 09:18:09 -0700
On Wed, Sep 11, 2013 at 5:57 PM, Steve Wray <stevedwray () gmail com> wrote:
... Are there any kernels available after 2.6 with no selinux? How easy or difficult would it be to strip it out?
you can and should build your own kernels. this allows you to remove all the devices and protocols and other attack surface not necessary for your system, which can and do provide priv esc. and other vulns. and of course there are *bsd, other options...
... Hardware devices that are running Linux kernels, do they have the selinux code in them?
yes, latest Android for example.
I'm pretty sure that a lot of people are going to throw their hands up in despair at this kind of thing and say "but its open source, its been verified and checked by people around the world, surely it can be trusted."
a lot of people will point out you're focusing on a single tree while missing the forest of vulnerabilities that are in the threat model of "protecting against nation state intelligence service with $50bn budget using all means available". this includes, but is not limited to: * weakened algorithms/protocols for big players (e.g., GSM, Cisco) * weakening of RNGs * inside access by 'covert agents' to hand over secrets (e.g., big 4) * corruption of the standards process (NIST 2006?) * corruption of certification process (CSC) * corruption of appeal to authority for "off the record" pleas for backdoor access. * corruption of judial process (NSL to "compell under duress") for access to long term keys and decrypted data. * using certification process early-access to prepare backdoors for production runs (CSC) * crunching of poor passwords * black ops to steal keys * black ops to pervert systems availability of sources for review is just a small part of vetting process... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Internet has vuln. coderman (Sep 06)
- Re: Internet has vuln. coderman (Sep 11)
- Re: Internet has vuln. coderman (Sep 11)
- Re: Internet has vuln. Steve Wray (Sep 12)
- Re: Internet has vuln. coderman (Sep 12)
- Re: Internet has vuln. coderman (Sep 12)
- Re: Internet has vuln. Valdis . Kletnieks (Sep 12)
- Re: Internet has vuln. Jeffrey Walton (Sep 12)
- Re: Internet has vuln. Valdis . Kletnieks (Sep 13)
- Re: Internet has vuln. Justin Ferguson (Sep 13)
- Re: Internet has vuln. Jeffrey Walton (Sep 13)
- Re: Internet has vuln. Justin Ferguson (Sep 13)
- Re: Internet has vuln. coderman (Sep 11)
- Re: Internet has vuln. coderman (Sep 11)
- Re: Internet has vuln. Tracy Reed (Sep 13)
- Re: Internet has vuln. Steve Wray (Sep 14)