Add a fifth freedom
4. freedoms 0-3 are not to be used to deprive persons of freedom
The United States National Security Agency's (NSA's) XKEYSCORE spookware, revealed by Edward Snowden as capable of sniffing and analysing just about any data from anywhere, runs on Red Hat Enterprise Linux. So says Snowden amanuensis Glenn Greenwald, who last week wrote that XKEYSCORE “... is a piece of Linux software that is …
Generally the infrastructure, including things like database and backup servers, is run on *nix based systems which the Windows workstations are then plugged into. So in a solid setup the mission critical systems will be *nix but the machines people generally use will be Windows (workstations not being "mission critical" because you should be able to restore the whole thing from the backup servers pretty quickly if it needs replacing).
Now that is commendable. I approve. It allows you to build a filesystem distribution out of thin air on any odd commodity box. The problem is that it is an "old school" sysadmin tool. The whippersnappers have no clue what it is and how to use it.
Last time I interviewed candidate sysadmins, out of 87 (or was it 92?) CVs submitted by UK recruiters for a Linux sysadmin position, the number of people who had heard of it was a nice round ZERO.
It is a pity it does not see the attention it deserves (for that exact reason) in Linux lately. It still works, but various corner cases (containers, phys filesystems, etc) are broken.
I think you are mistaken, here. The more technologically diverse your team, the more chances you have of finding the best tools for the jobs that need to be done.
So, a, b, c are a must; x, y, z are pluses; and any other knowledge in the broader field of IT is doubleplusgood.
“It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service.”
It sounds like it doesn't run on anything else, or at least only on a limited set of installations. Most desktop users don't bother to install Apache2, if they even know what that is.
If you release something open source, you accept that anyone can use it. Including people you don't like. Is there an Islamic State website? If so then it surely uses someone's software, probably perfectly legally.
I first released Open Source web software in the mid-90s. Keeping an eye on Infoseek and Altavista (this being before Google existed), I found my first user to mention the name (and hence show up in results) was the British National Party's website. Not something I'd have wished, but they had every right to use it: that's what being open source is all about. And indeed free speech, though I didn't check up on what contents might have been accessed through the software, nor indeed whether they moderated or otherwise censored public comment.
Well, I do not know their actual design, but if they are doing what I used to do (and still do on my own network with autofs) there will be no need for that. There will be _ANOTHER_ Snowden (TM) incident anyway.
Autofs + NFS is great to stitch space on worker nodes into a single filesystem view. You have nodes A, B, C.... Each has /exports/work-space as its working area. NFS+autofs makes /var/autofs/workspace/A point to node A, B to node B and so on, and you can manage that dynamically as you add and replace nodes via ldap, nis or even hook it up directly into your workload system via an executable map. The kernel unmounts workspaces that are not being used after 5 mins of inactivity so you do not get any stale mounts.
The applications can now be unaware of actual data location - it all looks and works like magic and you get an enormous cluster which is significantly FASTER than any cluster filesystem for a large range of use cases. There are some limitations like you have to do HA in underlying RAID, but if you know what you are doing you can scale to huge sizes without cluster and OO store investment.
There is a fly in the ointment - it is nearly impossible to do ACL control of who mounts what. Some data may be protected via permissions and NFSv4 ACLs, but not a lot. So someone with access to one node can lift all of the data over time, copy it and bugger off to Sheremetevo. This is where true cluster and OO filesystems are a better fit because they may incorporate object audit trail and a node that is reading sequentially all of the data will show up immediately.
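As an added illustration of the "executable map" setup described in the comment above (example code written for this page, not the commenter's own script nor any real deployment), here is a minimal autofs program map. autofs calls such a map with the looked-up path component as its first argument and expects one map entry (options plus host:/export) on stdout; printing nothing and exiting non-zero means the key does not exist. The node table, addresses, the /etc/auto.workspace path and the --timeout=300 master-map line are all assumptions for the example.

```sh
#!/bin/sh
# Added example, not from the original post: an autofs executable (program)
# map that presents each worker node's NFS export as
# /var/autofs/workspace/<node>.
#
# autofs runs the map with the lookup key in $1 and expects one entry on
# stdout of the form "[-options] host:/export". No output plus a non-zero
# exit means "no such key".
#
# Assumed master-map line wiring this in (in /etc/auto.master):
#   /var/autofs/workspace /etc/auto.workspace --timeout=300
# --timeout=300 gives the 5-minute idle unmount the comment describes.

# Constructed node table for the example: "<key>:<nfs server address>".
# A real map would query LDAP/NIS or the workload manager here instead.
WS_NODES="A:10.0.0.11 B:10.0.0.12 C:10.0.0.13"

# Print the autofs entry for one key; return 1 if the key is unknown or malformed.
lookup_node() {
    key="$1"
    # Keys originate from directory lookups by any local user, so accept only
    # a plain node name before the key goes anywhere near a command line.
    case "$key" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    for entry in $WS_NODES; do
        name="${entry%%:*}"
        host="${entry#*:}"
        if [ "$name" = "$key" ]; then
            # NFSv4 read-write hard mount: applications block on a dead server
            # rather than getting EIO on a short network blip.
            printf '%s %s:/exports/work-space\n' '-fstype=nfs4,rw,hard' "$host"
            return 0
        fi
    done
    return 1
}

# When invoked by automount, $1 carries the key; the exit status is the map's answer.
if [ -n "${1:-}" ]; then
    lookup_node "$1"
fi
```

Install it as an executable file (autofs treats a map file with the execute bit set as a program map) and any access to /var/autofs/workspace/B triggers the mount of 10.0.0.12:/exports/work-space. Note that once a workspace is mounted it is visible to everyone on that node, so this mechanism does nothing for the per-user access control gap the comment raises; that still has to come from NFSv4 ACLs on the export or from a filesystem with an object audit trail.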
Good comment. One thing though - it is not as if Snowden could verify that his knowledge is up to date before releasing this information, right? It is quite possible that NSA came to same conclusion some 2 years ago and already took steps to improve the security of their network. Possibly by ditching autofs.
> It is quite possible that NSA came to same conclusion some 2 years ago and already took steps to improve the security of their network.
Given the size and the budget of the organisation I expect at best some pockets of change. Wholesale changes in structures this big take a LOT of time.
Um, because it is Open Source and your kernel backdoor will not only have to be approved by the kernel coders but will also have to remain invisible to all the intelligent people who are looking at the code ?
Kernel backdoors can only exist when a restricted number of people know about them. That's something proprietary code allows because then you only have a small group of people with the right to check the code. Open Source means ANYBODY can find it as soon as they look in the right place.
And do not mistake Open Source kernel developers for nitwits. I'm sure that many of them know the entire kernel they work on inside out and will be quick to spot anything that seems out of place.
Wrong.
Look at the OpenSSL bug. It was "a bug" (AKA backdoor) for several years. It was OPEN SOURCE, anybody could check it, but no one found it for years. The problem is that only one tiny typo was enough to make it a bug (AKA backdoor).
Some lunatics from the open source software community keep repeating "there is no backdoor: here is the code, you can check it by yourself". That is a FRAUD.
I can compare it with the Malaysian plane that disappeared over Australia. You can say "it crashed in the sea, you can check it by yourself". Yes, you can, but it might take years and/or an extreme effort to find it.
There's a difference between a bug which hasn't been noticed and an intentional backdoor which has been added to exploit things. The latter of these by definition is something at least someone is aware of right from its creation and is intended to be there; the former is quite rightly considered a mistake and will be patched out when discovered. Using closed source just makes it less likely that the bugs will be found and means that any intentional backdoors can be kept hidden much more easily (since there's a much smaller pool of people looking at the code and they can be made to sign confidentiality contracts).
Open source isn't perfect, no system is, but it *does* show a drastic improvement over closed source with regards to this kind of thing
It's not a problem that the NSA uses open source, it's just an interesting bit of information made slightly amusing in that it shows a great example of how scalable the tool chain is but probably the majority of those involved in producing the software would be opposed to what it's being used for
THANKS. Now we know how to hack the hell out of these noobs. Cuz you know as well as I do that Linux is NOT the GOVT strong suit. SQL: hey, the paid for code is just as vulnerable, if not more so than the open source code. ORACLE hates it when people go public about their code. I smell an injection coming.
Just as soon as I've worked something out for 'RHEL' that doesn't leave me curled up in the foetal position, undoing years of therapy*, I'll let you know get my coat.
--
*Our (dependency) Hell left me with psychological trauma I've only recently started to recover from and I try not to think about it.**
**It's a form of self-harm, apparently, and the therapists have taken an almost catholic approach involving the thought being the precursor to the occasion of sin, so I strive to avoid thinking about anything RHEL related these days.
> You're just doing it wrong.
Nope, I'm not doing it at all.
How can you tell a Slackware/Arch/Gentoo Linux user? - They tell you!
The reason being, I suspect, the same for users of all three: their discovery puts an end to years of fruitless distro-hopping.
Happily in command of my own system with one of the above (not telling bots which one though) and need never look another rpm in the face again!!!
They released SE Linux in 1998, among other things - https://en.wikipedia.org/wiki/Security-Enhanced_Linux - It's pretty much supported by every major Linux distro.
Pretty much every US gov't agency has been running some form of Linux since the last decade of last century. I implemented several dept. wide Linux efforts at DHHS, DOC, NIH and other agencies in the mid-1990s.... I was also involved in getting FIPS140-2 for SSL sometime in the early 2000's - this was part of a DoD requirement and tied to a lot of critical Linux-based infrastructure.
Wouldn't touch SELinux with /yours/, mate!
AppArmor's deficiencies rule it out for me as well.
Which leaves me GRSecurity and some hand-rolled RSBAC :)
I've been investigating the option of using the LinuxLibre kernel lately as well.