Re: The NSA's Security-Enhanced Linux

["Scott D. Yelich" <scott () SCOTTYELICH COM>]

On Fri, 22 Dec 2000, Michael H. Warfield wrote:
>       Huh?  What was this?  A troll?  Must have been.  Nobody could
> be that clueless...  Ok...  Let's nibble...

no.  There is no need to insult.  I was not trolling and I am
seriously interested in the question I posed.  You really did
not address it, completely.

>       The government seem to feel that it makes a lot MORE sense to
> trust something that they have the sources for and that they don't
> have to be held captive to a vendors path and fixes and support (or
> lack thereof).
>       My God!  Look at the mess Microsoft had in the version 1 security
> service provider.  That wasn't getting fixed until the Samba team started
> kicking over those rocks and exposed it for the joke that it was...

Linux vs mickeysoft?  Well, I agree with you there.  But, then, I guess
that's why the government and military has standardized on windows, eh?
Don't we all know how well mickeysoft likes the Samba team and its
product?  Why even dream of interopability when you can't even get
compatibility between components of the same operating system.  Lets
just not go there, ok?

I'm seriously not advocating windows or linux.  I'm simply asking if
anyone views the selinux as anything more than a demo.  That is, should
it be trusted?  The docs seem to indicate that it's mostly a proof of
concept demo.  Will it one day mutate into something that is trustable?

Did people trust the FBI DDoS scanner?  Will they trust NSA code? Yeah,
sure, the FBI refused to release the source for their code and its
execution was traced inside and out -- but I'd still wonder.

In the eyes of the government and these agencies, it's the good guys
(ie: them) vs the bad guys (ie: that'd be anyone who's not them, and
perhaps even themselves).  To me, that's a very scary mentality.

>       Solaris is rather precious, too...  Took Sun over a year to fix
> the rsh hole that Alan Cox reported to them.  Took them over 9 months
> to finally tell me that there would be no fix for the NISNuke problem
> and that they recommended installing open source versions of the finger
> daemon (they really made that recommendation).

Did I ever mention out of the box security of Solaris, linux or windows?
It seems to me that most systems need quite a bit of "fixing" if not a
whole heck of a lot of configuring.

>       Frightens me that anyone would trust a closed source operating
> system for security.  :->

Exactly.  Lets hear it for the government, eh?

Anyway, what closed OS are you referring to?  Solaris is hardly closed.
At least, it's a whole heck of a lot more open than mickeysoft,
until/unless some jokers release the code they they might have stolen
from mickeysoft.  On problem I see with this is that it would mostly be
useless as one has to upgrade so often with windows, and who knows
what's actually going on with the code.  mickeysoft will go the way  of
apple, at some point in time.  Of course, with Bush as president, they
almost get a reprieve to steal more from the consumer.  Anyway...

>       (A trolling we will go, a trolling we will go, a hie ho the
> merry'o, a trolling we will go...)

h0h0h0

I am serious.  Were you?  Except for the clueless part, I refer you
back to your first paragraph in your response.

Scott