Hacker News new | past | comments | ask | show | jobs | submit login

>He was a sysadmin. He had access. Most of the audits and controls protect against normal users; someone with root access is going to be able to bypass a lot of them. And he had the technical chops to cover his tracks when he couldn't just evade the auditing systems.

SElinux, from our friends at the NSA, was specifically built to remove the special powers that root holds on a Linux box. Not saying you can't bypass these things, but it's a lot more involved than "I'm root, so I'm in".

http://en.wikipedia.org/wiki/Security-Enhanced_Linux




My theory is that they know exactly what he took, bitwise. It's just shitty work looking through 500GB of shitty power point presentations to try to figure out which one he's going to use next and how to respond to that... It's not an exact science here. So they know the information he has, they just don't know how it, or which of it, will be used. Also, He probably just has .ppt/.doc/.xls program level kinda files, it's not like he siphoned of the data under super duper lock and key that is on completely separate systems with completely separate auditing practices. (Ie all the data they actually have collected on you, etc..)


Right, that's one of the more embarrassing pieces of this whole mess, to my mind...


Obviously not having knowledge as to how the NSA uses it on their systems, but out of the box and in every realworld configuration I've come across it has little to no impact on what the root user can do.


Have you ever worked on a Mandatory Access Control computer system of any kind? They are extremely inconvenient, and thus rare to find outside classified environments. The engineering effort to write and maintain a functional set of SELinux policies is a large budget item. But the NSA did not engineer and release SELinux because it doesn't work.


Mostly due to so many programs "requiring" if you have selinux enabled, disable it prior to installation and use.

That and its not always trivial to setup policies to make things work (or to "know" that you haven't missed something) I see a lot of selinux set to just not enforce at all.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: