Schwartz Comments On NSA/Sun OpenSolaris Collaboration

sean_nestor writes to mention that Sun CEO Jonathan Schwartz took a bit of time recently to comment on last week's announcement that Sun Microsystems would be partnering closely with the NSA for security research surrounding OpenSolaris. Rather than the typical loads of legalese and confidentiality agreements Sun and the NSA are claiming that this move is more about the NSA joining the OpenSolaris community than anything else. I guess only time will tell.

OpenSolaris

[TheNinjaroach]

"Open" is the keyword here. It's not like they are going to be submitting binary patches or that we can't review the source code they submit.

I'd also like to point out the SELinux [nsa.gov] project, will you abandon Linux now too?

You should really adjust that tin foil, it's messing with the signals that are already inside your head.

Great! I liked Solaris.

[harshmanrob]

It takes me forever to pull out SELinux when I deploy a new Linux server and now I have to worry about what the hell OpenSolaris is doing instead of running an application or whatever its purpose is supposed to be doing.

Doesn't anyone else see MAJOR privacy and 4th amendment violations when government and business get into bed with each other?!?! I do not want any agency in the US government helping Sun, Microsoft, and or anyone else with "securing" their products. There is only one reason why the NSA is interested in OpenSolaris and it has nothing to do with "securing" it.

Re:SEOpenSolaris

[zappepcs]

Perhaps you will be sleeping well this weekend. I will not. Now I'm going to be looking for any group anywhere on the Internet that is monitoring the source for SELinux and OpenSolaris for oddities that might just be a backdoor for the NSA.

Have you EVER seen a leopard change its spots? ... hmmm... didn't think so. Perhaps that is why the saying came to be. The NSA is the NSA, and they won't be changing their spots. IF, and I really mean IF they had valuable contributions to commercial software or F/OSS regarding security of the system for personal or commercial use, they would be using their OWN FUCKING OS software. Did I say that loudly enough that it's still rattling around in your head? IF they knew how to make OS software safe, they would be using it, not someone else's software. UHHH, why put security enhancements in everyone else's software instead of just making the US government safe?

What they are saying goes contrary to security practices, I don't care how they say it. If you have a secret weapon, you keep it secret. Special security would be a secret. Left hand says we are helping US businesses, right hand says we are helping ourselves to the rest of the world's businesses. It's only a few words different, but a world of difference.

This very reason is why MS should be losing out all over the world to F/OSS. Any country can set up their own development company and take GNU/Linux and make it their own. There will be no back doors, no NSA visits, no sharing among friends without some sort of fair arrangements. If the co-operative efforts are for open software, where is the list of what changes were suggested?

The compiler should be watched too.... sigh

Don't trust someone that doesn't trust you as much as they want your trust. "Trading sight unseen" with the NSA is just about as risky as it gets, unless you are a Tibetan pleading with the Chinese government... that's not saying much really.

oh yeah, no car analogy but "letting the fox guard the hen house" seems to fit here

Re:New Meaning of Spyware

[wizardforce]

Why trust any contibution?

because you can literally stare at the source code and audit it. this isn't windows or Mac where you've literally put your security in their hands, FOSS is more or less transparent so if you don't like where things are going you can fork the project and take things your own way. you can submit patches if you find a flaw or backdoor of some sort in the code.

Back doors? in Open Source? YGTB Kidding.

[CodeShark]

Contrary to some of the more paranoid types around here, I think this is a great announcement. As I was reading regarding prior NSA work with Sun on security implementations, what I am seeing is an opportunity-- like Sun does -- to leverage the requirements of a hyper-security aware entity [ the NSA ] into open source systems [Open Solaris] but once opened sourced, those same techniques can be applied to harden just about any operating system.

On the NSA side, having many eyes analyzing their code has both risks -- if holes are found in their security model or implementations, potentially these could be exploited by the blackhat types and benefits -- more weaknesses discovered faster and holes plugged so that the blackhat types get closed out of NSA type stuff faster than they can do it with closed implementations.

But neither of these scenarios will let NSA somehow increase their "big brother reach" because with many eyes comes near perfect scrutiny that would quickly out any code back-doors, etc. that would be usable by the white hats or the black hats.

On the whole I find this to be a cool/worthwhile endeavor on Sun's part and look forward to it's efforts being leveraged into all of the Open Source stuff that can use it.

Re:Great! I liked Solaris.

[Falstius]

Spoken like a true delusional. Look, this is the NSA. They're pretty smart folks, some of my college classmates are probably there now (not that they'd be able to tell me). If they wanted to insert secret code into an OPEN SOURCE project they wouldn't make an announcement of collaboration, they'd create some fake person (or hire some real person) who starts submitting patches.

I suspect what really is going on is that the NSA doesn't trust closed Microsoft code and wants to make sure there are secure open source operating systems they can use (they may get access to the MS codebase, but I doubt they'd be able to set up their own secure repository and verified build).

Remember, sane people mistrust the NSA. Paranoid people work for the NSA.

Re:Great! I liked Solaris.

[TrekkieGod]

Spoken like a true Sheep.

Spoken like a conspiracy theory nut. Distrust of the government is a very good thing. Blindingly thinking the government is out to get you is as stupid as blindingly believing it's out to help you. In this case, SELinux is completely open and out there for you to see.

It takes teams of people to understand the ins and outs of large sums of source code

Do you think teams of people haven't gone through the SELinux code with a fine-tooth comb? Security researchers were all over that, when the code was first given to the community in 2000. It wasn't placed in the mainline kernel until 2003. There has been plenty of time for people to find echelon-type code in there. Not to mention it would be pretty stupid to put that type of code in the open, as it would destroy people's confidence in the NSA and allow people who looked at the code to use these hooks for their own benefits, thus potentially using it against the US Government itself, since several departments including the DoD and the NSA itself use it.

I have hacked the kernel and made changes but I do not understand the entire thing, not one person could build an OS like Linux and deploy it without community support.

No, but I guarantee you that if you submitted your kernel changes to the mainline tree, several people above you looked at those changes and vetted it as worthwhile for inclusion. And you can bet every one of those people don't understand the entire kernel, but sure as hell understood the part of the kernel you were messing with. And they understood what your code was doing. Anyone can make changes to the linux code, but it's not an open source repository that everyone submits to, there are specific processes to get things accepted to the main tree.

The government is like a sexually transmitted disease, easy to catch and hard as hell to get rid of.

The solution to sexually transmitted diseases is to be vigilant and careful, not to stop having sex. If all humans become so afraid of sexually transmitted diseases that they quit having children humanity would be gone. Similar fate would befall you in total anarchism. Be wary of your government, and require it to be open. Please don't bitch about the good and open things the government has done, we need to encourage more of that.

Re:New Meaning of Spyware

[bfields]

The NSA is a huge organization, does a lot of different things, and as a result, it can--like a lot of large companies and agencies--seem a bit schizophrenic.

NSA employees have made significant contributions to Linux already, and there have been the usual arguments over design choices that any such project faces, but there's never been the smallest suggestion of any subterfuge.

OpenSolaris's work is conducted in the light of day, and I doubt the NSA's participation will be any more nefarious there.

Part of the NSA's mandate seems to be to improve the security of everybody's operating systems. That's work that can benefit all of us, is exactly the sort of work that a "national security agency" *should* do, and we should encourage it, while still condemning the projects we disapprove of.

Spoken like a true paranoid

[LWATCDR]

1. The NSA wouldn't announce that they are trying to make Linux more secure and then slip in back doors. Heck they submit there patches for all the world to see. If they tried it the finger would point right back at them. And don't you think that everybody and their dog will look at the NSA patches just to check them for such a stupid move?
2. If the NSA wanted to pull something like that they would simply create a person and start adding code that ISN"T under their name!

Hate to tell you but this Internet thingy you are using was created in large part by the government spooks that you fear so much.

Re:I Liked Computers

[Doc Ruby]

Well, like I said, I encourage the paranoia. But it must be tested by realism.

I would wait before introducing any OS into a secure critical path until after it has had the maximum review I can afford to wait for. Thre's no reason to believe that the NSA or other spooks haven't had their sticky fingers all over the insides of any popular OS, especially a closed one in so many sensitive operations like Solaris has been for so many years. Microsoft goes without saying, but there's no reason that say NetBSD contributors couldn't have been "agents" (witting or otherwise) of NSA or other spook tricks to insert code in that OS that often runs inside secured perimeters. So since the source for OpenSolaris is open for review, that seems like the most securable approach. Public announcements of the NSA participation will even encourage new scrutiny by others who compete directly with the NSA and its "customers", so I'd expect if, for example, the German government and HSBC uses the product that it is trustworthy.

So I'm not advocating an immediate adoption of the "NSA OpenSolaris". I'd say it's worth waiting maybe 6-8 months after release to analyze (and participate in) the open security analysis of the result. But even that is overestimating the safety of the position from which one is moving, because the NSA (and other untrustworthy actors) has had plenty of time to taint previous versions, just without admitting it. And this is true of any OS. If we want to use an OS in the world where NSA and others can manipulate with giant, secret budgets, teams of extremely smart and even evil people, and immunity from any law, we want their operations to go on as much as possible in the clear public view.

If we were talking about closed source, or binaries only, or some code so complex and hard that there aren't any qualified analysts for it outside the NSA, then we could have more grounds for worry. But since the code is open, and is under review by competing interests, it seems likely to produce an OS that's both secure and trustworthy. And it also invests the NSA in doing things in the open, which is the way to keep us all the most secure in every way. My paranoia makes me fear the alternatives more.

Re:New Meaning of Spyware

[Zoidbergo]

I'll be the first to yell out at things like warrantless wiretapping, but believe it or not, even at NSA they use Windows and Linux/Unix on their hardware. It's in their best interest and the interest of their mission (as a consumer of said OSs) to make sure that those OSs are as secure as they can be. And some of the smartest security researchers on the planet work for NSA. So why not?

One of the NSA's growing missions is also to secure the electronic interests of the United States and its citizens. That includes doing anything they can to help secure the infrastructure of US interests. All our banks and national financial stability rely heavily on the security of computer systems. If they can't benefit from this added security, what's the point of securing a defense system if someone can hack into your federal bank system and make you lose billions?

So things like an overall more secure Solaris or Linux (or even Windows Vista) benefits everyone, including the electronic interests of the citizens of the USA, who the NSA also serves. Remember, they ARE a government agency (an occasionally evil one, though most of them do evil things every now and then.)

Re:SEOpenSolaris

[AlanWay]

How is:

"The ability to understand the secret communications of our foreign adversaries while protecting our own communications..." http://www.nsa.gov/about/about00003.cfm [nsa.gov]

contemptible?

From what I can see from Executive Order 12333 http://www.archives.gov/federal-register/codification/executive-order/12333.html [archives.gov] the NSA is charged with Foreign Intelligence gathering and Information Assurance. The second one is at discussion here. I'm sure they, like every other Govt department, use off-the-shelf software where possible to cut down cost (another goal of all Govt departments). Making that software secure protects your Government AND your people.

Admittedly they may have overstepped the letter of the law (which can be quite grey at times) on a few occasions, but I do believe that, in general, agencies of Democratic governments aren't inherently evil, or made up of evil people. They're just normal people trying to do a job and really are trying to do the best for the people they serve.

Having said that, as others have commented, the price of freedom is eternal vigilance. Trust your Government, they probably really are trying to do their best for you, but DO keep an eye on them!

Those of you who are paranoid, we know who you are...

Re:New Meaning of Spyware

[wizardforce]

that's hogwash. you don't use a compiler that you don't have the sources to.

Re:Government spooks helped Microsoft build Vista

[Jeremiah Cornelius]

Help with crypto isn't help with system security. ;-) Especially when you are keeping the master-key.