Sun Microsystems Security

Schwartz Comments On NSA/Sun OpenSolaris Collaboration

Posted by ScuttleMonkey
from the color-me-skeptical-for-now dept.
sean_nestor writes to mention that Sun CEO Jonathan Schwartz took a bit of time recently to comment on last week's announcement that Sun Microsystems would be partnering closely with the NSA for security research surrounding OpenSolaris. Rather than the typical loads of legalese and confidentiality agreements, Sun and the NSA are claiming that this move is more about the NSA joining the OpenSolaris community than anything else. I guess only time will tell.
  • by al0ha (1262684)
    From the article, "MAC's exists so that not just anyone, for example, can look at your passport file without permission..." Whaaaa?? Isn't that what just happened to the presidential candidates?
    • From the article, "MAC's exists so that not just anyone, for example, can look at your passport file without permission..." Whaaaa?? Isn't that what just happened to the presidential candidates?

      Yes, that's why he picked that particular example.

  • by harshmanrob (955287) on Friday March 28, 2008 @02:10PM (#22896244) Journal
    It takes me forever to pull out SELinux when I deploy a new Linux server and now I have to worry about what the hell OpenSolaris is doing instead of running an application or whatever its purpose is supposed to be doing.

    Doesn't anyone else see MAJOR privacy and 4th amendment violations when government and business get into bed with each other?!?! I do not want any agency in the US government helping Sun, Microsoft, and/or anyone else with "securing" their products. There is only one reason why the NSA is interested in OpenSolaris and it has nothing to do with "securing" it.
    • by Jeremiah Cornelius (137) * on Friday March 28, 2008 @02:18PM (#22896366) Homepage Journal

      Helping a Vole out of a hole
      By Nick Farrell: Tuesday, 09 January 2007, 2:26 PM

      THE USA GOVERNMENT'S cryptologic organisation, the National Security Agency, has admitted that it is behind some of the security changes to Microsoft's operating system Vista.
      According to the Washington Post, the agency which was once so secret that it was jokingly referred to as 'No such Agency' has admitted making 'unspecified contributions' to Vista.

      Tony Sager, the NSA's chief of vulnerability analysis and operations group, told the Post that it was the agency's intention to help everyone these days.

      The NSA used a red and a blue team to pull apart the software. The red team posed as "the determined, technically competent adversary" to disrupt, corrupt or steal information. The Blue team helped Defense Department system administrators with Vista's configuration.

      Vole said that it has sought help from the NSA over the last four years. Apparently its skills can be seen in the Windows XP consumer version and the Windows Server 2003 for corporate customers.

      The assistance is at the US taxpayers' expense, although the NSA says it all makes perfect sense. Not only is the NSA protecting United States business, its own Defense Department uses VoleWare so it is in the government's interest to make sure it is as secure as possible.

      Microsoft is not the only one to tap the spooks. Apple, with its Mac OSX operating system, and Novell with its SUSE Linux also asked the NSA what it thought of their products. The NSA is quite good at finding weapons of mass destruction that are not there.
      • Re: (Score:3, Interesting)

        by failedlogic (627314)
        I guess the most obvious question: If help was provided with XP and Vista in security, why so many security patches?
    • Re: (Score:3, Informative)

      by BlowHole666 (1152399)
      With Linux don't you have the source? So how can your 4th amendment rights and privacy be violated when you can just remove the stuff? Maybe the businesses are trying to make money and the government has deep pockets so they secure their software so the government will spend money on their products. It is just capitalism at work. The world is full of smart people, I am sure the NSA can not slip some nice little "feature" into an operating system and someone will not find it. Maybe just maybe the NSA is tr
    • Doesn't anyone else see MAJOR privacy and 4th amendment violations when government and business get into bed with each other?!?! I do not want any agency in the US government helping Sun, Microsoft, and or anyone else with "securing" their products.

      Not necessarily. Without government and business "in bed with each other" - even ignoring the basic impossibility of avoiding that in the real world, unless the government has its entire separate economy, industrial base, telecom system... which sounds much scari

      • Doc Ruby...I can totally understand what you are saying and where you are coming from. However, as a person who works in IT Security I can tell you the paranoid attitude is a hard thing to shake, and is a valuable asset. I serve myself and I trust no one unless I am SURE they can be trusted. US government need not apply.

        That is the reason I stopped going to Infragard meetings. Those just oozed mistrust. Oh, the FBI will be more than happy to listen to everything you have to say, but tell never return t
        • Re: (Score:3, Insightful)

          by Doc Ruby (173196)
          Well, like I said, I encourage the paranoia. But it must be tested by realism.

          I would wait before introducing any OS into a secure critical path until after it has had the maximum review I can afford to wait for. There's no reason to believe that the NSA or other spooks haven't had their sticky fingers all over the insides of any popular OS, especially a closed one in so many sensitive operations like Solaris has been for so many years. Microsoft goes without saying, but there's no reason that say NetBSD con
    • On the contrary, this is exactly what I believe the "National Security Agency" should be doing. They should be using their vast economic and intellectual resources to help the people. Currently my tax dollars pay for a huge amount of internal research, just so they can use the knowledge against perceived enemies should the need arise.

      The resources that they spend on static analysis and cryptanalysis should be put to work making the nation more secure. By locking up information, they are making everyone l
    • by bujon (1157453)
      They could infiltrate any open source project, and submit their backdoor code. If discovered, it would look like some unintentional coding mistake... (and I think they are already doing it). No need for official partnerships of this kind to do the dirty job...

    • The 4th amendment:
      The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

      Please tell me how NSA code contributions to a project involve any form of "searches and seizures", much less "unreasonable" ones. Or alternatively, show me how
    • by aztektum (170569)
      [quote]It takes me forever to pull out SELinux when I deploy a new Linux server[/quote]

      Why not use a distro that doesn't use it by default? Or do all distros use it by default? Serious question.
  • SEOpenSolaris (Score:4, Interesting)

    by krlynch (158571) on Friday March 28, 2008 @02:18PM (#22896370) Homepage
    If you read between the lines, and know anything about SELinux (also originating inside the NSA), you come away with the impression that this is SELinux ported to OpenSolaris. Since the code will be as open as the rest of the OpenSolaris code, it doesn't sound like that big a deal to me ...
    • Re: (Score:2, Insightful)

      by zappepcs (820751)
      Perhaps you will be sleeping well this weekend. I will not. Now I'm going to be looking for any group anywhere on the Internet that is monitoring the source for SELinux and OpenSolaris for oddities that might just be a backdoor for the NSA.

      Have you EVER seen a leopard change its spots? ... hmmm... didn't think so. Perhaps that is why the saying came to be. The NSA is the NSA, and they won't be changing their spots. IF, and I really mean IF they had valuable contributions to commercial software or F/OSS rega
      • Re:SEOpenSolaris (Score:5, Informative)

        by dr2chase (653338) on Friday March 28, 2008 @03:20PM (#22897248) Homepage
        [disclaimer - I work for Sun, and I KNOW that some of my friends have worked for the NSA, and I KNOW that I have relatives with security clearances. Who knows what's going on that I don't know.] As has been pointed out elsewhere, if the NSA wanted to insert backdoors in software, it is not likely that they would announce it loudly. Ditto for any other country's version of the NSA. There is a legitimate national security reason that the NSA would be interested in plugging holes in software that is widely used within the US -- as bad as worms/spam etc might be, imagine how it would turn out if a nation decided to launch some sort of a cyber attack, concurrent with who knows what other action. That's bad news that we just don't need to hear. As far as the compiler goes, ab-so-lutely, be wary.
        • by zappepcs (820751)
          I can imagine cyber attacks that people don't want to hear. Some of them may already be in the wild and still dormant. While a DDoS is underway, company A is not likely to notice the discreet insertion of a specialized virus whose damage will not be apparent until it is needed. For all we know, Facebook may be a virus. While you might argue, also take the devil's side and tell me why that would not work? The ability to spread viruses is merely a test, not just for those that would spread specialized malicio
        • As far as the compiler goes, ab-so-lutely, be wary.

          Let's not forget the CPU itself. It's interesting that Sun has put a couple of their chips under a community source license. I'd guess that it would be very difficult to verify whether a chip was fabricated based on a certain set of microcode, unaltered.

          I don't know one way or another whether the NSA has other motivations. I do believe that if they wanted to insert a back door in open source products they would be forced to go to great lengths to do so g
          • by dr2chase (653338)
            I don't mean to be too contrary, but how-do-you-know that the proprietary code should be easier to have altered? The possibility that many eyes could look at open source code (carefully, not casually) does not mean that it happens. Proprietary code also goes past many eyes, and employees come and go, and they poke around code that isn't "theirs" (at least, I do, when I have the chance). If people just assume that the open source stuff is ok because people could be looking at it, well, we all know about a
            • I don't mean to be too contrary, but how-do-you-know that the proprietary code should be easier to have altered?

              For a few reasons, but here is the main one:

              A company could be "bullied" by the government to make certain changes to their code, such as adding a back door. An individual could be bullied as well. But with open source code you can't do that because there is no single owner to bully and there could be people all over the globe willing to run the project from their country, safe from some other g
      • by init100 (915886)

        Now I'm going to be looking for any group anywhere on the Internet that is monitoring the source for SELinux and OpenSolaris for oddities that might just be a backdoor for the NSA.

        SELinux has been out for around eight years, six years in the official Linux kernel. You'd think that they would have found any back-doors by now, if there would really be any.

  • I wonder if they'll actually use the word "backdoor" in the comments to the code they contribute, or is there a more fashionable word nowadays ?
  • Whatever happened to the project embedding a Solaris kernel inside a Debian/GNU OS? Would the current version of that OS work properly with this FMAC and the TrustedExtensions to run "Linux" apps on a much more secure OS?
  • Contrary to some of the more paranoid types around here, I think this is a great announcement. As I was reading regarding prior NSA work with Sun on security implementations, what I am seeing is an opportunity -- like Sun does -- to leverage the requirements of a hyper-security-aware entity [the NSA] into open source systems [OpenSolaris], but once open sourced, those same techniques can be applied to harden just about any operating system.


    On the NSA side, having many eyes analyzing their code has both risks (if holes are found in their security model or implementations, potentially these could be exploited by the blackhat types) and benefits (more weaknesses discovered faster and holes plugged, so that the blackhat types get closed out of NSA-type stuff faster than they can do it with closed implementations).

    But neither of these scenarios will let NSA somehow increase their "big brother reach" because with many eyes comes near perfect scrutiny that would quickly out any code back-doors, etc. that would be usable by the white hats or the black hats.

    On the whole I find this to be a cool/worthwhile endeavor on Sun's part and look forward to its efforts being leveraged into all of the Open Source stuff that can use it.

    • You can imagine the hue-and-cry that would result if an NSA-originated back door (or other deliberate remote exploit) was found. In a product like Windows, I suppose they could get away with it (probably already have) but an open-source product is a different matter. No plausible deniability.

      I imagine the Chinese will be looking upon this effort with some interest.
    • With the NSA involved, I wouldn't even trust the source code. It has to be compiled, and who knows what backdoors they've put into the compiler executable itself. You can't even trust the source code for the compiler if the binary you're compiling the compiler with is bugged. Has anyone built a working version of OpenSolaris with a gcc they've bootstrapped themselves?
      • by CodeShark (17400)
        Good questions, but I still dispute the trust issue. No one in their right mind would attempt to compile an "open source" operating system with a proprietary or closed source provided compiler. The whole goal of the projects is to allow software to be created that meets or exceeds the NSA standards so that they don't have to do it themselves, so why would they then sabotage the process by trying to cheat and get backdoors into the very code they are trying to harden. AKA backdoors weaken security, not en
  • Take an extremely robust, complex OS and pair it up with a complex, robust/political organization, and it will equate to .... a mess.

    All this collaboration will do is create 5% really good gems, and 95% throw-away code -- and it will take 4yrs to see any result, knowing how fast both organizations move.

    I like openSolaris, but unless Nexenta gets its butt in gear, Linux will win hands down on the usability front.

    • by init100 (915886)

      I think that you may have missed SELinux, which the NSA contributed in the year 2000 (accepted into the mainline kernel in 2002).

  • Schwartz: Historically, this type of collaboration used to involve reams and reams of legal documents describing all kinds of confidentiality restrictions, intellectual property exchanges, or cumbersome institutional processes. But it got really simple when we embraced the open source community - now our most fruitful collaborations boil down to this: "come join the community." And that's exactly what we're announcing with the National Security Agency, they've joined the OpenSolaris community.

    [...]

    Vass: If

  • Sun sells a lot of equipment to the US government. Anyone who has dealt with adding a new system to a classified network understands the amount of extensive documentation and accreditation that is required before IATO. Hopefully, NSA's contributions to improving Solaris security will pay dividends in reducing this.
  • All your (data)base belong to us
  • This has strong implications on physics. Suppose time does tell, then the NSA decides to 'disappear' time. What then? Huh?
  • Since everyone has them tin foil hats on... I think it isn't to modify the OS to monitor people, it is to infiltrate the open source community. Remember that they see the internet as a threat and a place for extended warfare. If that is truly the case you need only to have read the Art of War to understand what they are trying to do and how they are trying to position themselves.
  • This isn't news... (Score:3, Informative)

    by giminy (94188) on Friday March 28, 2008 @09:42PM (#22901688) Homepage Journal
    This isn't news. .GOV helped Sun build Trusted Solaris back in the day (they also helped Hewlett-Packard develop Trusted HP/UX). The government isn't doing this stuff to be evil, and I know my saying, "Don't be paranoid," won't make anyone any less paranoid -- but really the government needs certain security features to solve its problems (such as Cross-Domain information sharing), and the commercial industry simply doesn't need that stuff. Or, at least, it doesn't think it needs it. The only way for the government to get the OS features it needs is to work with a company directly to do it, or use an open source alternative.

    Originally, .GOV decided to work with companies. Like I said, Trusted Solaris, Trusted HP/UX, and some others that I can't think of, were created. Along came Stephen Smalley and his FLASK security architecture. Linux was the first and easiest place to implement it, and the NSA spearheaded the project. You can imagine that Sun (the only vendor of an OS that supported multi-level data just a few years ago) wasn't all that happy -- .GOV pretty much promised Sun, "If you build and maintain your trusted OS, we'll keep buying licenses and hardware."

    Now that isn't so. It seems only fair to help Sun and the Solaris community in the same way that the government has helped RedHat and the Linux community: provide some resources and some know-how to make the OS do what the government wants, so as to not hand RedHat a huge government-assist...the government basically wants competition here. As a taxpayer, I can't say that I'm complaining...

    Reid
  • Quote: "Sun and the NSA are claiming that this move is more about the NSA joining the OpenSolaris community than anything else..." Gimme a big break on that. NSA is afraid of Linux and wants to get away from Microsoft's vulnerability. Thinking they have security through obscurity. Not gonna happen. Besides, why would anyone expect the truth about what they are doing from the National Security Agency? Christ. Cr0vv.
