Full Disclosure mailing list archives

Re: Internet has vuln.

From: coderman <coderman () gmail com>
Date: Thu, 12 Sep 2013 09:18:09 -0700

On Wed, Sep 11, 2013 at 5:57 PM, Steve Wray <stevedwray () gmail com> wrote:

...
Are there any kernels available after 2.6 with no selinux? How easy or
difficult would it be to strip it out?


you can and should build your own kernels. this allows you to remove
all the devices and protocols and other attack surface not necessary
for your system, which can and do provide priv esc. and other vulns.

and of course there are *bsd, other options...

... Hardware devices that are running
Linux kernels, do they have the selinux code in them?


yes, latest Android for example.

I'm pretty sure that a lot of people are going to throw their hands up in
despair at this kind of thing and say "but its open source, its been
verified and checked by people around the world, surely it can be trusted."


a lot of people will point out you're focusing on a single tree while
missing the forest of vulnerabilities that are in the threat model of
"protecting against nation state intelligence service with $50bn
budget using all means available".

this includes, but is not limited to:

* weakened algorithms/protocols for big players (e.g., GSM, Cisco)
* weakening of RNGs
* inside access by 'covert agents' to hand over secrets (e.g., big 4)
* corruption of the standards process (NIST 2006?)
* corruption of certification process (CSC)
* corruption of appeal to authority for "off the record" pleas for
backdoor access.
* corruption of judial process (NSL to "compell under duress") for
access to long term keys and decrypted data.
* using certification process early-access to prepare backdoors for
production runs (CSC)
* crunching of poor passwords
* black ops to steal keys
* black ops to pervert systems


availability of sources for review is just a small part of vetting process...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Internet has vuln. coderman (Sep 06)
- Re: Internet has vuln. coderman (Sep 11)
  - Re: Internet has vuln. coderman (Sep 11)
    - Re: Internet has vuln. Steve Wray (Sep 12)
    - Re: Internet has vuln. coderman (Sep 12)
    - Re: Internet has vuln. coderman (Sep 12)
    - Re: Internet has vuln. Valdis . Kletnieks (Sep 12)
    - Re: Internet has vuln. Jeffrey Walton (Sep 12)
    - Re: Internet has vuln. Valdis . Kletnieks (Sep 13)
    - Re: Internet has vuln. Justin Ferguson (Sep 13)
    - Re: Internet has vuln. Jeffrey Walton (Sep 13)
    - Re: Internet has vuln. Justin Ferguson (Sep 13)
    - Re: Internet has vuln. Tracy Reed (Sep 13)
    - Re: Internet has vuln. Steve Wray (Sep 14)
- Re: Internet has vuln. Georgi Guninski (Sep 12)

(Thread continues...)