Message-ID: <53E39D0E.5020808@maxandcarrie.com>
Date: Thu, 07 Aug 2014 11:36:46 -0400
From: Max Cizauskas
To: gentoo-amd64@lists.gentoo.org
Subject: Re: [gentoo-amd64] "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
References: <46751df7496f4e4f97fb23e10fc9f5b4@mail10.futurewins.com>

Hello all,

I've been very interested in this topic myself, so I'll pile on my question after answering one of Mark's.

On 05/08/2014 1:50 PM, Mark Knecht wrote:
> I'm sitting here writing R code. I do it in R-Studio. How do I
> know that every bit of code I run in that tool isn't being sent out to
> some server? Most likely no one has done an audit of that GUI so I'm trusting
> that the company isn't nefarious in nature.
>
> I use Chrome. How do I know Chrome isn't scanning my local drives
> and sending stuff somewhere? I don't.
>
> In the limit, how would I even know if the Linux kernel was doing this? I
> got source through emerge, built code using gcc, installed it by hand,
> but I don't know what's really there and never will. I suspect the kernel
> is likely one of the safer things on my box.

The answer to most things security related seems to be independent verification. If you're going to be the person to do that verification because you don't trust others to do it or can't find proof that it's been done, then there are two factors at play: time and money.
Where you're only running your own traffic through your system (unlike Duncan's TOR example) this is relatively easy and cheap to accomplish. For ~$100 you can buy a consumer grade switch with a configurable mirroring port which will effectively passively sniff all the traffic going through the switch. You then connect this mirrored port to a spare junker computer running, optimally, a different distro of Linux like Security Onion or anything else with tcpdump capturing full packet captures which you can do analytics on.

I do the same for my home network to detect compromised hosts and to see if I'm under attack for any reason. Things I find useful for getting a finger on the pulse are:

- DNS query monitoring to see who my home network is reaching out to
- GeoIP lookup mappings against bandwidth usage to see if lots of data is being slurped out of my environment
- Bro IDS, Snorby and Squert (Security Onion suite of tools) for an at-a-glance view of things going wrong and the ability to dig into events quickly

My question is what kind of independent validation, or even peer review, is done over the core of Gentoo? Now that new users are being pushed to use the Stage3 tarball and genkernel, it seems to me that much of the core of the Gentoo system is a "just trust me" package.

What I love about the Stage 1 approach is you get all the benefits of compiling the system as you go, essentially from scratch and customized for your system, and all the benefits of the scrutiny Duncan mentioned applying to ebuilds is applied. There is much more control in the hands of the person using Stage 1, and it's a smaller footprint for someone to independently validate malicious code didn't get introduced into it. Should someone have been manipulated to put something malicious into the stage3 tarball it could much more easily give a permanent foothold over your system to a malicious 3rd party (think rootkit) than stage 1 would allow.

Thanks to anyone who can provide light on the topic,
Max
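As an added illustration of the DNS-query and per-destination bandwidth triage Max describes (example code, not from the thread; the simplified Bro/Zeek-style log lines, the GeoIP table and the 10.0.0.0/8 LAN range are constructed assumptions):

```python
"""Triage of a mirror-port capture: who does the LAN talk to, and how much leaves?"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed, simplified Bro/Zeek-style conn.log records (tab-separated):
# ts, orig_h, resp_h, resp_p, service, orig_bytes, resp_bytes.
# Real conn.log lines carry more columns; only the fields used here are kept.
CONN_LOG = """\
1407425000.1\t10.0.1.18\t203.0.113.7\t443\tssl\t1830\t9400
1407425001.5\t10.0.1.18\t198.51.100.22\t22\tssh\t734003200\t120000
1407425002.9\t10.0.1.20\t203.0.113.7\t443\tssl\t2200\t18000
1407425003.2\t10.0.1.20\t192.0.2.9\t80\thttp\t512\t4000
1407425004.0\t10.0.1.20\t10.0.1.18\t445\tsmb\t99999999\t10
"""
# Constructed dns.log records: ts, client, query name.
DNS_LOG = """\
1407424999.0\t10.0.1.18\tmirror.example.net
1407425001.0\t10.0.1.18\tupdates.example.org
1407425002.0\t10.0.1.20\tmirror.example.net
"""
# Stand-in for a GeoIP lookup (constructed; a real setup queries geoiplookup/MaxMind).
GEOIP = {"203.0.113.7": "US", "198.51.100.22": "DE", "192.0.2.9": "CA"}
LAN = ip_network("10.0.0.0/8")  # assumption: the home network lives in this range

def outbound_by_destination(conn_log, geoip, lan=LAN):
    """Sum bytes each LAN host sent to each external IP, tagged with its GeoIP country."""
    totals = defaultdict(int)
    for line in conn_log.splitlines():
        _ts, src, dst, _dport, _svc, orig_bytes, _resp_bytes = line.split("\t")
        if ip_address(dst) in lan:
            continue  # LAN-internal flow: not an exfiltration candidate
        totals[(src, dst, geoip.get(dst, "??"))] += int(orig_bytes)
    return dict(totals)

def exfil_candidates(totals, threshold=100 * 1024 * 1024):
    """Flag (src, dst, country) pairs whose outbound volume exceeds the threshold."""
    return sorted(key for key, sent in totals.items() if sent >= threshold)

def dns_summary(dns_log):
    """Map each queried name to the sorted list of LAN clients that asked for it."""
    seen = defaultdict(set)
    for line in dns_log.splitlines():
        _ts, client, qname = line.split("\t")
        seen[qname].add(client)
    return {qname: sorted(clients) for qname, clients in seen.items()}

if __name__ == "__main__":
    totals = outbound_by_destination(CONN_LOG, GEOIP)
    for src, dst, country in exfil_candidates(totals):
        print(f"{src} -> {dst} [{country}]: {totals[(src, dst, country)]} bytes out")
    for qname, clients in dns_summary(DNS_LOG).items():
        print(f"{qname}: {', '.join(clients)}")
```

The 100 MiB threshold is a starting point to tune per network; the useful signal is a single host pushing far more bytes out than its normal baseline, regardless of where the destination geolocates.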