Evil NSA runs on saintly Linux, Apache, MySQL

The United States National Security Agency's (NSA's) XKEYSCORE spookware, revealed by Edward Snowden as capable of sniffing and analysing just about any data from anywhere, runs on Red Hat Enterprise Linux. So says Snowden amanuensis Glenn Greenwald, who last week wrote that XKEYSCORE “... is a piece of Linux software that is …

  1. No. Really!?

    Add a fifth freedom

    4. Freedoms 0-3 are not to be used to deprive persons of freedom

  2. Anonymous Coward
    Anonymous Coward

    Not entirely surprising

    NSA developed the mandatory access control framework, SELinux, which Red Hat have shipped in their distribution turned-on by default for years.

  3. Anonymous Coward
    Anonymous Coward

    Well...

    You wouldn't want to rely on trusting Windows for Mission Critical stuff would you?

    1. Ole Juul

      Re: Well...

      You wouldn't want to rely on trusting Windows for Mission Critical stuff would you?

      Many, perhaps most, do.

      1. SolidSquid

        Re: Well...

        Generally the infrastructure, including things like database and backup servers, is run on *nix based systems which the Windows workstations are then plugged into. So in a solid setup the mission critical systems will be *nix but the machines people generally use will be Windows (workstations not being "mission critical" because you should be able to restore the whole thing from the backup servers pretty quickly if it needs replacing).

    2. choleric

      Re: Well...

      Nobody thinks the NSA aren't good at what they do. It's just they don't think that what they do is all good.

    3. Anonymous Coward
      Anonymous Coward

      Re: Well...

      You wouldn't want to rely on trusting Windows for Mission Critical stuff would you?

      Correct. If anyone knows just how vulnerable Windows is it is them. I'd take that hint :)

      1. Ole Juul

        Re: Well...

        I'm always surprised when government intrusions are reported that it turns out that they were running Windows. However, that must be the minority then, judging by the number of downvotes my previous comment got.

  4. Voland's right hand Silver badge
    Childcatcher

    They have sysadmins who know autofs

    Now that is commendable. I approve. It allows you to build a distributed filesystem out of thin air on any odd commodity box. The problem is - it is an "old school" sysadmin tool. The whippersnappers have no clue what it is or how to use it.

    Last time I interviewed candidate sysadmins, out of 87 (or was it 92?) CVs submitted by UK recruiters for a Linux sysadmin position the number of people who had heard of it was a nice round ZERO.

    It is a pity it does not see the attention it deserves (for that exact reason) in Linux lately. It still works, but various corner cases (containers, phys filesystems, etc) are broken.

    1. future research

      Re: They have sysadmins who know autofs

      autofs is easy and it is only a quick conversation to transfer the knowledge to a good Linux/UNIX admin so they can be up to speed. You need to look at your recruitment process if lack of autofs knowledge is a problem.

    2. Hans 1

      Re: They have sysadmins who know autofs

      I think you are mistaken, here. The more technologically diverse your team, the more chances you have of finding the best tools for the jobs that need to be done.

      So, a, b, c are a must, x, y, z are +'s, and any other knowledge in the broader field of IT is doubleplusgood.

  5. Ole Juul

    runs on Red Hat Enterprise Linux

    “It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service.”

    It sounds like it doesn't run on anything else, or at least only on a limited set of installations. Most desktop users don't bother to install Apache2, if they even know what that is.

  6. Nick Kew
    Alert

    Open Source is Open

    If you release something open source, you accept that anyone can use it. Including people you don't like. Is there an Islamic State website? If so then it surely uses someone's software, probably perfectly legally.

    I first released Open Source web software in the mid-90s. Keeping an eye on Infoseek and Altavista (this being before Google existed), I found my first user to mention the name (and hence show up in results) was the British National Party's website. Not something I'd have wished, but they had every right to use it: that's what being open source is all about. And indeed free speech, though I didn't check up on what contents might have been accessed through the software, nor indeed whether they moderated or otherwise censored public comment.

    1. Anonymous Coward
      Anonymous Coward

      Re: Open Source is Open

      Wrong.

      So you want to say that using the nuclear energy for producing electricity is equal to using nuclear energy to drop a bomb and kill many people? Don't you agree? For you it is perfectly OK to use a nuke to kill.

  7. jonathan1
    Joke

    LAMP

    Brings a new meaning to LAMP...

    Listening, Aggregating, Menacing, Processes?

    It's early but open floor to others to do better :o)

    1. Chemist
      Joke

      Re: LAMP

      Lost All Meaningful Privacy ?

      1. Jim 43

        Re: LAMP

        Linux Abrogating My Privacy

  8. Anonymous Coward
    Pint

    ...open sourcery...

    Very funny, ha ha ha.

  9. This post has been deleted by its author

    1. Voland's right hand Silver badge

      No need for that

      Well, I do not know their actual design, but if they are doing what I used to do (and still do on my own network with autofs) there will be no need for that. There will be _ANOTHER_ Snowden (TM) incident anyway.

      Autofs + NFS is great to stitch space on worker nodes into a single filesystem view. You have nodes A, B, C.... Each has /exports/work-space as its working area. NFS+autofs makes /var/autofs/workspace/A point to node A, B to node B and so on, and you can manage that dynamically as you add and replace nodes via ldap, nis or even hook it up directly into your workload system via an executable map. The kernel unmounts workspaces that are not being used after 5 mins of inactivity so you do not get any stale mounts.

      The applications can now be unaware of actual data location - it all looks and works like magic and you get an enormous cluster which is significantly FASTER than any cluster filesystem for a large range of use cases. There are some limitations like you have to do HA in underlying RAID, but if you know what you are doing you can scale to huge sizes without cluster and OO store investment.

      There is a fly in the ointment - it is nearly impossible to do ACL control of who mounts what. Some data may be protected via permissions and NFSv4 ACLs, but not a lot. So someone with access to one node can lift all of the data over time, copy it and bugger off to Sheremetyevo. This is where true cluster and OO filesystems are a better fit because they may incorporate an object audit trail, and a node that is reading all of the data sequentially will show up immediately.
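      The executable-map mechanism the comment mentions, as an added example that is not the commenter's own setup: autofs runs an executable map with the lookup key (the node name, e.g. "A") as its only argument and expects a single map entry on stdout, so this script turns the layout described above (/var/autofs/workspace/KEY backed by KEY's /exports/work-space) into that entry. The node table, the hostnames under example.internal, the mount options and the auto.master line in the comments are all assumptions; a real site would look the key up in LDAP/NIS or the workload system instead of a hard-coded table.

```shell
#!/bin/sh
# Added example: an autofs executable map for the per-node workspace layout.
# Assumed /etc/auto.master line (300 s matches the "5 mins" idle unmount):
#   /var/autofs/workspace  /etc/auto.workspace  --timeout=300
# with this script installed, executable, as /etc/auto.workspace.
#
# Constructed node table (hypothetical hostnames): key -> NFS server that
# exports /exports/work-space.  Replace with an LDAP/NIS/workload lookup.
NODE_TABLE="A node-a.example.internal
B node-b.example.internal
C node-c.example.internal"

# lookup_node KEY: print the server for KEY, exit status 1 if KEY is unknown.
lookup_node() {
    printf '%s\n' "$NODE_TABLE" |
        awk -v k="$1" '$1 == k { print $2; found = 1 } END { exit found ? 0 : 1 }'
}

# map_entry KEY: print the autofs map entry for KEY, exit status 1 if none.
# nfs4 is requested so that NFSv4 ACLs on the export apply; nosuid,nodev
# stop setuid binaries or device nodes on a peer node's export from being
# honoured locally.  An empty result makes autofs report "no such key".
map_entry() {
    key=$1
    # Only plain node names reach the lookup; anything else could alter the
    # entry autofs parses (spaces, colons, option separators).
    case "$key" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    host=$(lookup_node "$key") || return 1
    printf '%s %s:/exports/work-space\n' '-fstype=nfs4,nosuid,nodev' "$host"
}

# When invoked by autofs the key arrives in $1; emit the entry or fail.
if [ -n "$1" ]; then
    map_entry "$1" || exit 1
fi
```

      Requesting /var/autofs/workspace/B then yields `-fstype=nfs4,nosuid,nodev node-b.example.internal:/exports/work-space`, and an unknown or malformed key yields nothing. The script does not address the "who mounts what" gap the comment raises: that control lives on the exporting side, in each node's /etc/exports client list and `sec=` setting (for instance an assumed `/exports/work-space node-*.example.internal(rw,sec=krb5p)`), which is exactly the per-object audit trail that a plain NFS export lacks.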

      1. Bronek Kozicki

        Re: No need for that

        Good comment. One thing though - it is not as if Snowden could verify that his knowledge is up to date before releasing this information, right? It is quite possible that the NSA came to the same conclusion some 2 years ago and already took steps to improve the security of their network. Possibly by ditching autofs.

        1. Anonymous Coward
          Anonymous Coward

          Re: No need for that

          It is quite possible that NSA came to same conclusion some 2 years ago and already took steps to improve the security of their network.

          Given the size and the budget of the organisation I expect at best some pockets of change. Wholesale changes in structures this big take a LOT of time.

      2. nematoad

        Re: No need for that

        To borrow a classification from a site I've forgotten the name of.

        "Insightful"

    2. Measurer
      Black Helicopters

      Sshhh...

      Mr Torvalds has

    3. Pascal Monett Silver badge

      Re: "why don't we try to insert our own covert backdoor code into the Linux kernel"

      Um, because it is Open Source and your kernel backdoor will not only have to be approved by the kernel coders but will also have to remain invisible to all the intelligent people who are looking at the code ?

      Kernel backdoors can only exist when a restricted number of people know about them. That's something proprietary code allows because then you only have a small group of people with the right to check the code. Open Source means ANYBODY can find it as soon as they look in the right place.

      And do not mistake Open Source kernel developers for nitwits. I'm sure that many of them know the entire kernel they work on inside out and will be quick to spot anything that seems out of place.

      1. veritas1

        Re: "why don't we try to insert our own covert backdoor code into the Linux kernel"

        Wrong.

        Look at the OpenSSL bug. It was "a bug" (AKA backdoor) for several years. It was OPEN SOURCE, anybody could check it, but nobody found it for years. The problem is that only one tiny typo was enough to make it a bug (AKA backdoor).

        Some lunatics from the open source software keep repeating "there is no backdoor: here as a code you can check by yourself". That is a FRAUD.

        I can compare it with the Malaysian plane that disappeared near Australia. You can say "it crashed in the sea, you can check it by yourself". Yes, you can, but it might take years and/or an extreme effort to find it.

        1. SolidSquid

          Re: "why don't we try to insert our own covert backdoor code into the Linux kernel"

          There's a difference between a bug which hasn't been noticed and an intentional backdoor which has been added to exploit things. The latter of these by definition is something at least someone is aware of right from its creation and is intended to be there; the former is quite rightly considered a mistake and will be patched out when discovered. Using closed source just makes it less likely that the bugs will be found and means that any intentional backdoors can be kept hidden much more easily (since there's a much smaller pool of people looking at the code and they can be made to sign confidentiality contracts).

          Open source isn't perfect, no system is, but it *does* show a drastic improvement over closed source with regards to this kind of thing.

  10. Your alien overlord - fear me

    Autofs?

    Auto f*cks sake

    LAMP - Laughable Americans Munch Pancakes

    Litigious Ar$eholes Monetise Politics

    Lets All Moon @ sPooks

  11. Anonymous Coward
    Anonymous Coward

    Cool, just more real world applications of Open Source at massive scale.

  12. kryptylomese

    They need it to work and be reliable and secure. Give me one good reason why the NSA would use Windows for this instead?

  13. sisk

    Um....so?

    So the NSA uses open source software.....and this is a problem because....um....why? You wouldn't slam Windows for being used by the NSA. Why is Linux any different?

    Personally all this says to me is that it's trustworthy enough that the NSA trusts it.

    1. SolidSquid

      Re: Um....so?

      It's not a problem that the NSA uses open source; it's just an interesting bit of information, made slightly amusing in that it shows a great example of how scalable the tool chain is, while probably the majority of those involved in producing the software would be opposed to what it's being used for.

  14. Frank N. Stein

    This lets us know the scalability of Red Hat Enterprise Server. This is also a tip of the hat to Open Source Software being viable for business use. And no, you wouldn't want to trust something like this to Windows, which doesn't scale nearly as high as Linux and Unix, would you?

  15. jazzmaster8837

    THANKS. Now we know how to hack the hell out of these noobs. Cuz you know as well as I do that Linux is NOT the GOVT strong suit. SQL: hey, the paid-for code is just as vulnerable, if not more so, than the open source code. ORACLE hates it when people go public about their code. I smell an injection coming.

  16. Someone_Somewhere

    No Secrets Agency's RHEL exploit Laughs At My Privacy

    Just as soon as I've worked something out for 'RHEL' that doesn't leave me curled up in the foetal position, undoing years of therapy*, I'll let you know get my coat.

    --

    *Our (dependency) Hell left me with psychological trauma I've only recently started to recover from and I try not to think about it.**

    **It's a form of self-harm, apparently, and the therapists have taken an almost catholic approach involving the thought being the precursor to the occasion of sin, so I strive to avoid thinking about anything RHEL related these days.

    1. FreeTard

      Re: No Secrets Agency's RHEL exploit Laughs At My Privacy

      Dependency hell? You're just doing it wrong. It's trivial to hook up to a repo and/or create your own local repo. Debian has the same issues you know: if your .deb file has deps, and you have no repo, same issue.

      1. Someone_Somewhere

        Re: No Secrets Agency's RHEL exploit Laughs At My Privacy

        > You're just doing it wrong.

        Nope, I'm not doing it at all.

        How can you tell a Slackware/Arch/Gentoo Linux user? - They tell you!

        The reason being, I suspect, the same for users of all three: their discovery puts an end to years of fruitless distro-hopping.

        Happily in command of my own system with one of the above (not telling bots which one though) and need never look another rpm in the face again!!!

  17. ckm5

    NSA has been running Linux & contributing code for decades

    They released SE Linux in 1998, among other things - https://en.wikipedia.org/wiki/Security-Enhanced_Linux - It's pretty much supported by every major Linux distro.

    Pretty much every US gov't agency has been running some form of Linux since the last decade of last century. I implemented several dept. wide Linux efforts at DHHS, DOC, NIH and other agencies in the mid-1990s.... I was also involved in getting FIPS140-2 for SSL sometime in the early 2000's - this was part of a DoD requirement and tied to a lot of critical Linux-based infrastructure.

    1. Someone_Somewhere

      Re: NSA has been running Linux & contributing code for decades

      Wouldn't touch SELinux with /yours/, mate!

      AppArmor's deficiencies rule it out for me as well.

      Which leaves me GRSecurity and some hand-rolled RSBAC :)

      I've been investigating the option of using the Linux-libre kernel lately too.
