Okay, there's NSA code in android. Is it defacto a backdoor? my understanding was that SE-Linux was simply a configuration, not a special program. Could someone explain?
The way I read the article, it sounds like the NSA commit code like any other contributer. If I had the time, I would look the the commit log and mailing lists to see exactly what they did.
If not for the fact that "NSA=big brother" is a trending story outside of highly techy circles, I would think this article was a piece of satire. Even its main point that it can quote them saying the NSA's code tries to be invisible to apps and users doesn't mean anything, because, that is the point, to transparrently offer increased security without inconveniencing everyone.
If the NSA wanted to slip a back door into the kernel, they would do something much more sneaky, such that it looks like an innocent mistake in some random part of the code.
They cite NSAKEY as a qualifying example of an NSA software backdoor... am I ignorant and/or naive or has it never actually been proven that that's what it was?
It's code that was written in the open, that everyone knew about. It wasn't written in secret, and meant as a backdoor (you know, like with Skype, Outlook and Skydrive).
This seems pretty alarmist to me. The code was peer-reviewed, and the NSA does actually have an interest in improving general security - and there are a lot of smart people there.
I'd be a lot more concerned about the many instances of NSA contributing code we don't know about and can't inspect than I am about their contributing to open-source, which I consider a good thing.
Does not appear to be a backdoor or anything like that - it's standard security stuff to get Android certified as Blackberry is. If there is a backdoor, it's one incredibly complicated and well hidden one.
Of course, there is not much doubt that anything you send through Google is going to be accessible to the NSA - eg, Google Play, Gmail, push notifications, etc. And if you're in the USA, anything you send through AT&T etc.
One of the NSA's duties is enhancing US cybersecurity (to the point where only they can break into things, I'd imagine), so this is hardly surprising and not the "zomg conspiracy" crap this blog is pushing. Their "how to harden" guidelines (http://www.nsa.gov/ia/mitigation_guidance/security_configura...) have long been a trusted resource.
After reading a lot of other people comments on all the aspects of trusting open source or not I do believe now that even if something is open source does not mean it should be trusted by default. I am sure (could be wrong) that a lot of code in linux (shell & apps) would have never been peer reviewed or peer reviewed but by those who are not extremely good at understanding how things are hidden.
After all NSA has some of the brightest minds on its payroll and those guys sure know computers better than some people know the back of their hands.
But do the non-tech users and tech users (who are not great at programming) have a choice? We have to use what is available in the market if we want to use computers.
The article starts out by claiming Windows's _NSAKEY[1] provides "backdoor access", then goes on to claim that Linux is compromised because SELinux[2] was originally developed by the NSA, and then concludes that porting SELinux to Android means that Android has been compromised.
The author notes that all of the SELinux code is open-source, but appears to believe that the NSA is capable of writing backdoor code that eludes extensive auditing by the entire world's security community.
In other words, this site is Timecube for techies.
11 comments
[ 5.1 ms ] story [ 43.8 ms ] threadIf not for the fact that "NSA=big brother" is a trending story outside of highly techy circles, I would think this article was a piece of satire. Even its main point that it can quote them saying the NSA's code tries to be invisible to apps and users doesn't mean anything, because, that is the point, to transparrently offer increased security without inconveniencing everyone.
If the NSA wanted to slip a back door into the kernel, they would do something much more sneaky, such that it looks like an innocent mistake in some random part of the code.
I'd be a lot more concerned about the many instances of NSA contributing code we don't know about and can't inspect than I am about their contributing to open-source, which I consider a good thing.
Of course, there is not much doubt that anything you send through Google is going to be accessible to the NSA - eg, Google Play, Gmail, push notifications, etc. And if you're in the USA, anything you send through AT&T etc.
After all NSA has some of the brightest minds on its payroll and those guys sure know computers better than some people know the back of their hands.
But do the non-tech users and tech users (who are not great at programming) have a choice? We have to use what is available in the market if we want to use computers.
The author notes that all of the SELinux code is open-source, but appears to believe that the NSA is capable of writing backdoor code that eludes extensive auditing by the entire world's security community.
In other words, this site is Timecube for techies.
[1] http://en.wikipedia.org/wiki/NSAKEY
[2] http://en.wikipedia.org/wiki/Security-Enhanced_Linux