public inbox for gentoo-amd64@lists.gentoo.org
* [gentoo-amd64] "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
@ 2014-08-04 22:04 Mark Knecht
  2014-08-05 19:16 ` Frank Peters
  0 siblings, 1 reply; 14+ messages in thread
From: Mark Knecht @ 2014-08-04 22:04 UTC
  To: Gentoo AMD64


As the line in that favorite song goes "Paranoia strikes deep"...

<NOTE>
I am NOT trying to start ANY political discussion here. I hope no one will
go too far down that path, at least here on this list. There are better
places to do that.

I am also NOT suggesting anything like what I ask next has happened, either
here or elsewhere. It's just a question.

Thanks in advance.
</NOTE>

I'm currently reading a new book by Glenn Greenwald called "No Place To
Hide" which is about Greenwald's introduction to Edward Snowden and the
release of all of the confidential NSA documents Snowden acquired. This got
me wondering about Gentoo, or even just Linux in general. If the underlying
issue in all of that Snowden stuff is that the NSA has the ability to
intercept and hack into whatever they please, then how do I know that the
source code I build on my Gentoo machines hasn't been modified by someone
to provide access to my machine, networks, etc.?

Essentially, what is the security model for all this source code and how do
I verify that it hasn't been tampered with in some manner?

1) That the code I build is exactly as written and accepted by the OS
community?

2) That the compilers and interpreters don't do anything except build the
code?

There's certainly lots of other issues about security, like protecting
passwords, protecting physical access to the network and machines, root
kits and the like, etc., but assuming none of that is in question (I don't
have any reason to think the NSA has been in my home!) ;-) I'm looking for
info on how the code is protected from the time it's signed off until it's
built and running here.

If someone knows of a good web site to read on this subject let me know.
I've gone through my Linux life more or less like most everyone went
through life 20 years ago, but paranoia strikes deep.

Thanks in advance,
Mark


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [gentoo-amd64] "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
       [not found] <46751df7496f4e4f97fb23e10fc9f5b4@mail10.futurewins.com>
@ 2014-08-05 11:36 ` Rich Freeman
  2014-08-05 17:50   ` Mark Knecht
  0 siblings, 1 reply; 14+ messages in thread
From: Rich Freeman @ 2014-08-05 11:36 UTC
  To: gentoo-amd64

On Mon, Aug 4, 2014 at 6:04 PM, Mark Knecht <markknecht@gmail.com> wrote:
>
> Essentially, what is the security model for all this source code and how do
> I verify that it hasn't been tampered with in some manner?

Duncan already gave a fairly comprehensive response.  I believe the
intent is to refactor and generally improve things when we move to
git.  Even today there aren't a lot of avenues for slipping code in
without compromising a gentoo server or manipulating your rsync data
transfer (if it isn't secured).

But...

> There's certainly lots of other issues about security, like protecting
> passwords, protecting physical access to the network and machines, root kits
> and the like, etc., but assuming none of that is in question (I don't have
> any reason to think the NSA has been in my home!) ;-) I'm looking for info
> on how the code is protected from the time it's signed off until it's built
> and running here.

You may very well be underestimating the NSA here.  It has already
come out that they hack into people's systems just to get their ssh
keys to hack into other people's systems, even if the admins that
they're targeting aren't of any interest otherwise.  That is, you
don't have to be a suspected terrorist/etc to be on their list.

I run a relay-only tor node (which doesn't seem to keep everybody and
their uncle from blocking me as if I'm an exit node it seems).  I'd be
surprised if the NSA hasn't rooted my server just so that they can
monitor my tor traffic - if they did this to all the tor relays they
could monitor the entire network, so I would think that this would be
a priority for them.

To root your system the NSA doesn't have to compromise some Gentoo
server, or even tamper with your rsync feed.  The simplest solution
would be to just target a zero-day vulnerability in some software
you're running.  They might use a zero-day in some daemon that runs as
root, maybe a zero-day in the kernel network stack, or a zero-day in
your browser (those certainly exist) combined with a priv escalation
attack.  If they're just after your ssh keys they don't even need priv
escalation.  Those attacks don't require targeting Gentoo in
particular.

If your goal is to be safe from "the NSA" then I think you need to
fundamentally rethink your approach to security.  I'd recommend
verifying, signing, and verifying all code that runs (think iOS).  I
doubt that any linux distro is going to suit your needs unless you
just use it as a starting point for a fork.

However, I do think that Gentoo can do a better job of securing code
than it does today, and that is a worthwhile goal.  I doubt it would
stop the NSA, but we certainly can do something about lesser threats
that don't:
1.  Have a 12-figure budget.
2.  Have complete immunity from prosecution.
3.  Have an army of the best cryptographers in the world, etc.
4.  Have privileged access to the routers virtually all of your
traffic travels over.
5.  Have the ability to obtain things like trusted SSL certs at will
(though I don't think anybody has caught them doing this one).

In the early post-Snowden days I was more paranoid, but these days
I've basically given up worrying about the NSA.  After the ssh key
revelations I just assume they have root on my box - I just wish
they'd be nice enough to close up any other vulnerabilities they find
so that others don't get root, and maybe let me access whatever
backups they've made if for some reason I lose access to my own
backups.  I still try to keep things as secure as I can to keep
everybody else out, but hiding from the NSA is a tall order.

Oh yeah, if they have compromised my box you can assume they have my
Gentoo ssh key and password and gpg key if they actually want them...
:)

Rich



* Re: [gentoo-amd64] "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
  2014-08-05 11:36 ` [gentoo-amd64] "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?) Rich Freeman
@ 2014-08-05 17:50   ` Mark Knecht
  2014-08-05 20:36     ` Frank Peters
  2014-08-07 15:36     ` [gentoo-amd64] " Max Cizauskas
  0 siblings, 2 replies; 14+ messages in thread
From: Mark Knecht @ 2014-08-05 17:50 UTC
  To: Gentoo AMD64


Hi Rich,
   Thanks for the response. I'll likely respond over the next few hours &
days in dribs and drabs...


On Tue, Aug 5, 2014 at 4:36 AM, Rich Freeman <rich0@gentoo.org> wrote:
>
> On Mon, Aug 4, 2014 at 6:04 PM, Mark Knecht <markknecht@gmail.com> wrote:
> >
> > Essentially, what is the security model for all this source code and how do
> > I verify that it hasn't been tampered with in some manner?
>
> Duncan already gave a fairly comprehensive response.  I believe the
> intent is to refactor and generally improve things when we move to
> git.  Even today there aren't a lot of avenues for slipping code in
> without compromising a gentoo server or manipulating your rsync data
> transfer (if it isn't secured).
>
> But...
>
> > There's certainly lots of other issues about security, like protecting
> > passwords, protecting physical access to the network and machines, root kits
> > and the like, etc., but assuming none of that is in question (I don't have
> > any reason to think the NSA has been in my home!) ;-) I'm looking for info
> > on how the code is protected from the time it's signed off until it's built
> > and running here.
>
> You may very well be underestimating the NSA here.  It has already
> come out that they hack into peoples systems just to get their ssh
> keys to hack into other people's systems, even if the admins that
> they're targeting aren't of any interest otherwise.  That is, you
> don't have to be a suspected terrorist/etc to be on their list.
>

Yeah, I've read that. It's my basic POV at this time that if the NSA
(or any other organization) wants something I have then they have
it already. However a good portion of my original thoughts are
along the line of your zero-day point below.

> I run a relay-only tor node (which doesn't seem to keep everybody and
> their uncle from blocking me as if I'm an exit node it seems).  I'd be
> surprised if the NSA hasn't rooted my server just so that they can
> monitor my tor traffic - if they did this to all the tor relays they
> could monitor the entire network, so I would think that this would be
> a priority for them.

The book I referenced made it clear that the NSA has a whole specific
program & toolset to target tor so I suspect you're correct, or even
underestimating yourself. That said, running tor is legal so more power
to you. I ran it a little to play with and found all the 2-level security
stuff at GMail and YahooMail too much trouble to deal with.

>
> To root your system the NSA doesn't have to compromise some Gentoo
> server, or even tamper with your rsync feed.  The simplest solution
> would be to just target a zero-day vulnerability in some software
> you're running.  They might use a zero-day in some daemon that runs as
> root, maybe a zero-day in the kernel network stack, or a zero-day in
> your browser (those certainly exist) combined with a priv escalation
> attack.  If they're just after your ssh keys they don't even need priv
> escalation.  Those attacks don't require targeting Gentoo in
> particular.
>

Yep, and it's the sort of thing I was thinking about when I wrote this
yesterday:

I'm sitting here writing R code. I do it in RStudio. How do I
know that every bit of code I run in that tool isn't being sent out to some
server? Most likely no one has done an audit of that GUI so I'm trusting
that the company isn't nefarious in nature.

I use Chrome. How do I know Chrome isn't scanning my local drives
and sending stuff somewhere? I don't.

In the limit, how would I even know if the Linux kernel was doing this? I
got source through emerge, built code using gcc, installed it by hand,
but I don't know what's really there and never will. I suspect the kernel
is likely one of the safer things on my box.

In the news yesterday was this story about some pedophile sending
child porn using GMail and then getting arrested because Google scans
'certain' attachments for known hashes. Well, that's the public story (so
far) but it seems to me that Google isn't likely creating those hashes but
getting them from the FBI, but the point is it's all being watched.

I think one way you might not be as John le Carré-oriented as me is
that if I was the NSA and wanted inside of Linux (or M$FT or Apple) in
general, then I would simply pay people to be inside of those entities and
to do my bidding. Basic spycraft. Those folks would already be in the
kernel development area, or in KDE, or in the facilities that host the
code, or wherever, making whatever changes they want. They would have
already hacked how iOS does signing, or M$FT does updates, etc.

When it comes to security, choose whatever type you want, but how
do I as a user know that my SHA-1 or PGP or whatever is what the
developers thought they were making publicly available. I don't and
probably never will.

> If your goal is to be safe from "the NSA"

It's not. Nor do I think I'll ever know if I am so I have to assume
I'm not. Life in the modern era...

<SNIP>
>
> In the early post-Snowden days I was more paranoid, but these days
> I've basically given up worrying about the NSA.

Similar for me, although reading this book, or watching the 2-episode
Frontline story, or (fill in whatever) raises the question, but more in a
general sense. I'm far less worried about the NSA and more worried
about things like general hackers after financial info or people looking
for code I'm writing.

Thanks for all the info, and thanks to Duncan also who I will write more
to when I've checked out all the technical stuff he posted.

Cheers,
Mark



* Re: [gentoo-amd64] "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
  2014-08-04 22:04 Mark Knecht
@ 2014-08-05 19:16 ` Frank Peters
  2014-08-05 19:57   ` Rich Freeman
  0 siblings, 1 reply; 14+ messages in thread
From: Frank Peters @ 2014-08-05 19:16 UTC
  To: gentoo-amd64

On Mon, 4 Aug 2014 15:04:12 -0700
Mark Knecht <markknecht@gmail.com> wrote:

>
> then how do I know that the
> source code I build on my Gentoo machines hasn't been modified by someone
> to provide access to my machine, networks, etc.?
> 

There are two approaches to system development that tend to mitigate
all security concerns:

1) Highly distributed development

2) Simplicity of design

If the component pieces of a system are independently developed
by widely scattered and unrelated development teams then there
is much less chance for any integrated security attacks.

Also, if the overall system remains simple and each component is
narrowly focused then the result is better transparency for the user
which ensures less opportunity for attack.

Linux _used_ to adhere to these two principles, but currently it
is more and more moving toward monolithic development and much
reduced simplicity.  I refer especially to the Freedesktop
project, which is slowly becoming the centralized headquarters
for everything graphical.  I also mention systemd, with its plethora
of system daemons that obscure all system transparency.

From the beginning, Linux, due to its faithfulness to the above
two principles, allowed the user to fully control and easily understand
the operation of his system.  This situation is now being threatened
with freedesktop, systemd, etc., and security attacks can only become
more feasible.

We, as a community of Linux users, have to adamantly oppose these
monolithic projects that attempt to destroy choice and transform
Linux into another Microsoft Windows.




* Re: [gentoo-amd64] "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
  2014-08-05 19:16 ` Frank Peters
@ 2014-08-05 19:57   ` Rich Freeman
  0 siblings, 0 replies; 14+ messages in thread
From: Rich Freeman @ 2014-08-05 19:57 UTC
  To: gentoo-amd64

On Tue, Aug 5, 2014 at 3:16 PM, Frank Peters <frank.peters@comcast.net> wrote:
> Linux _used_ to adhere to these two principles, but currently it
> is more and more moving toward monolithic development and much
> reduced simplicity.  I refer especially to the Freedesktop
> project, which is slowly becoming the centralized headquarters
> for everything graphical.  I also mention systemd, with its plethora
> of system daemons that obscure all system transparency.

Everybody loves to argue about which design is "simpler," the "unix way," etc.

The fact is that while systemd does bundle a fairly end-to-end
solution, many of its components are modular.  I can run systemd
without running networkd, or resolved, etc.  The modular components
have interfaces, though they aren't really intended to work with
anything other than systemd.

Honestly, I think the main differences are that it doesn't do things
the traditional way.  Nothing prevents you from talking to daemons via
DBus, or inspecting their traffic.

Also, a set of modular components engineered to work together is less
likely to have integration-related bugs than a bunch of components
designed to operate on their own.

systemd also allows some security-oriented optimizations, like private
tmpdirs, making the filesystem read-only, reduced capabilities/etc.
That isn't to say that you can't do this with traditional service
scripts, but there are more barriers to doing it.

Ultimately it is a lot more functional than a traditional init, so I
do agree that the attack surface is larger.  Still, most of the stuff
that is incorporated into systemd is going to be running in some
process on a typical server - much of it as root.

The use of DBus also means that you can use policies to control who
can do what more granularly.  If you want a user to be able to shut
down the system, I imagine that is just a DBus message to systemd and
you could probably give an otherwise-nonprivileged user the ability to
send that message without having to create suid helpers with their own
private rules.  The ability to further secure message-passing in this
way is one of the reasons for kdbus, and Linus endorses that (but not
some of the practices of its maintainers).

I do suggest that you try using systemd in a VM just to see what it is
about.  If nothing else you might appreciate some of the things it
attempts to solve just so that you can come up with better ways of
solving them.  :)

Rich



* Re: [gentoo-amd64] "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
  2014-08-05 17:50   ` Mark Knecht
@ 2014-08-05 20:36     ` Frank Peters
  2014-08-05 23:20       ` [gentoo-amd64] " Duncan
  2014-08-07 15:36     ` [gentoo-amd64] " Max Cizauskas
  1 sibling, 1 reply; 14+ messages in thread
From: Frank Peters @ 2014-08-05 20:36 UTC
  To: gentoo-amd64

On Tue, 5 Aug 2014 10:50:35 -0700
Mark Knecht <markknecht@gmail.com> wrote:

> 
> I use Chrome. How do I know Chrome isn't scanning my local drives
> and sending stuff somewhere? I don't.
> 

It wouldn't have to scan your local drives.  It would only have
to scan the very few directories named "MY DOCUMENTS" and
"MY VIDEOS" and "MY EMAIL" which have conveniently been established
by the omnipotent and omniscient desktop environment.  Within
these universal and standardized storage areas can be found
everything that snooping software would need to find.

I am only being partly facetious. This does represent the trend.
We have standardized locations that are shared across many different
programs.  But the programs aren't really different because they
are produced by the same desktop conglomerate or because they
must employ the toolkits and widgets of said conglomerate.

The job of the NSA is getting easier.  Those terrorist documents
will no longer be buried within terabytes of disjoint hard drive
space.  They will all be nicely tucked into an "ALL DOCUMENTS ARE HERE"
standardized directory that nobody had better modify because
the entire system will crash.




* [gentoo-amd64] Re: "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
  2014-08-05 20:36     ` Frank Peters
@ 2014-08-05 23:20       ` Duncan
  2014-08-06 12:14         ` james.a.elian
  2014-08-06 12:14         ` james.a.elian
  0 siblings, 2 replies; 14+ messages in thread
From: Duncan @ 2014-08-05 23:20 UTC
  To: gentoo-amd64

Frank Peters posted on Tue, 05 Aug 2014 16:36:57 -0400 as excerpted:

> It wouldn't have to scan your local drives.  It would only have to scan
> the very few directories named "MY DOCUMENTS" and "MY VIDEOS" and "MY
> EMAIL" which have conveniently been established by the omnipotent and
> omniscient desktop environment.  Within these universal and standardized
> storage areas can be found everything that snooping software would need
> to find.

Hmm...  Some people (me) don't use those standardized locations.  I have 
a dedicated media partition -- large, still on spinning rust when most of 
the system in terms of filenames (but not size) is on SSD, and where it's 
mounted isn't standard and is unlikely to /be/ standard, simply because I 
have my own rather nonconformist ideas of where I want stuff located and 
how it should be organized.

OTOH, consider ~/.thumbnails/.  Somebody already mentioned that google 
case and the hashes they apparently scan for.  ~/.thumbnails will 
normally have thumbnails for anything in the system visited by normal 
graphics programs, including both still images and video, and I think pdf 
too unless that's always generated dynamically as is the case with txt 
files, via various video-thumbnail addons.  Those thumbnails are all 
going to be standardized to one of a few standard sizes, and can either 
be used effectively as (large) hashes directly, or smaller hashes of them 
could be generated...

Tho some image programs (gwenview) have an option to wipe the thumbnails
dir when they're shut down, but given the time creating those thumbnails
on any reasonably large collection takes, most people aren't going to
want to enable wiping...

Meanwhile, one of the things that has come out is that the NSA 
effectively already considers anyone running a Linux desktop a radical, 
likely on their watch-list already, just as is anyone running TOR, or 
even simply visiting the TOR site or an article linking to them.

I guess I must be on their list several times over, what with the sigs I 
use, etc, the security/privacy-related articles I read, the OS I run, and 
the various lists I participate on...

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman




* Re: [gentoo-amd64] Re: "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
  2014-08-05 23:20       ` [gentoo-amd64] " Duncan
@ 2014-08-06 12:14         ` james.a.elian
  2014-08-06 12:14         ` james.a.elian
  1 sibling, 0 replies; 14+ messages in thread
From: james.a.elian @ 2014-08-06 12:14 UTC
  To: gentoo-amd64

E
Sent via BlackBerry from Vodafone Romania

-----Original Message-----
From: Duncan <1i5t5.duncan@cox.net>
Date: Tue, 5 Aug 2014 23:20:26 
To: <gentoo-amd64@lists.gentoo.org>
Reply-to: gentoo-amd64@lists.gentoo.org
Subject: [gentoo-amd64] Re: "For What It's Worth" (or How do I know my Gentoo source code
 hasn't been messed with?)

Frank Peters posted on Tue, 05 Aug 2014 16:36:57 -0400 as excerpted:

> It wouldn't have to scan your local drives.  It would only have to scan
> the very few directories named "MY DOCUMENTS" and "MY VIDEOS" and "MY
> EMAIL" which have conveniently been established by the omnipotent and
> omniscient desktop environment.  Within these universal and standardized
> storage areas can be found everything that snooping software would need
> to find.

Hmm...  Some people (me) don't use those standardized locations.  I have 
a dedicated media partition -- large, still on spinning rust when most of 
the system in terms of filenames (but not size) is on SSD, and where it's 
mounted isn't standard and is unlikely to /be/ standard, simply because I 
have my own rather nonconformist ideas of where I want stuff located and 
how it should be organized.

OTOH, consider ~/.thumbnails/.  Somebody already mentioned that google 
case and the hashes they apparently scan for.  ~/.thumbnails will 
normally have thumbnails for anything in the system visited by normal 
graphics programs, including both still images and video, and I think pdf 
too unless that's always generated dynamically as is the case with txt 
files, via various video-thumbnail addons.  Those thumbnails are all 
going to be standardized to one of a few standard sizes, and can either 
be used effectively as (large) hashes directly, or smaller hashes of them 
could be generated...

Tho some image programs (gwenview) have an option to wipe the thumbnails
dir when they're shut down, but given the time creating those thumbnails
on any reasonably large collection takes, most people aren't going to
want to enable wiping...

Meanwhile, one of the things that has come out is that the NSA 
effectively already considers anyone running a Linux desktop a radical, 
likely on their watch-list already, just as is anyone running TOR, or 
even simply visiting the TOR site or an article linking to them.

I guess I must be on their list several times over, what with the sigs I 
use, etc, the security/privacy-related articles I read, the OS I run, and 
the various lists I participate on...

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman





* Re: [gentoo-amd64] "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
  2014-08-05 17:50   ` Mark Knecht
  2014-08-05 20:36     ` Frank Peters
@ 2014-08-07 15:36     ` Max Cizauskas
  2014-08-07 16:06       ` Lie Ryan
  1 sibling, 1 reply; 14+ messages in thread
From: Max Cizauskas @ 2014-08-07 15:36 UTC
  To: gentoo-amd64

Hello all,

I've been very interested in this topic myself, so I'll pile on my
question after answering one of Mark's.

<Snip>
On 05/08/2014 1:50 PM, Mark Knecht wrote:
> I'm sitting here writing R code. I do it in RStudio. How do I
> know that every bit of code I run in that tool isn't being sent out to some
> server? Most likely no one has done an audit of that GUI so I'm trusting
> that the company isn't nefarious in nature.
>
> I use Chrome. How do I know Chrome isn't scanning my local drives
> and sending stuff somewhere? I don't.
>
> In the limit, how would I even know if the Linux kernel was doing this? I
> got source through emerge, built code using gcc, installed it by hand,
> but I don't know what's really there and never will. I suspect the kernel
> is likely one of the safer things on my box.
>

The answer to most things security related seems to be independent
verification. If you're going to be the person to do that verification
because you don't trust others to do it or can't find proof that it's
been done, then there are two factors at play: time and money.

Where you're only running your own traffic through your system (unlike
Duncan's TOR example) this is relatively easy and cheap to accomplish.
For ~$100 you can buy a consumer grade switch with a configurable
mirroring port which will effectively passively sniff all the traffic
going through the switch. You then connect this mirrored port to a spare
junker computer running, optimally, a different distro of Linux like
Security Onion or anything else with tcpdump capturing full packet
captures which you can do analytics on. I do the same for my home
network to detect compromised hosts and to see if I'm under attack for
any reason. Things I find useful for getting a finger on the pulse are:

  - DNS query monitoring to see who my home network is reaching out to
  - GeoIPLookup mappings against bandwidth usage to see if lots of data
    is being slurped out of my environment
  - BroIDS, Snorby and Squert (Security Onion suite of tools) for an at a
    glance view of things going wrong and the ability to dig into events quickly

My question is what kind of independent validation, or even peer review,
is done over the core of Gentoo? Now that new users are being pushed to
use the Stage3 tarball and genkernel, it seems to me that much of the
core of the Gentoo system is a "just trust me" package. What I love
about the Stage 1 approach is you get all the benefits of compiling the
system as you go, essentially from scratch and customized for your
system, and all the benefits of the scrutiny Duncan mentioned applying
to ebuilds is applied. There is much more control in the hands of the
person using Stage 1, and it's a smaller footprint for someone to
independently validate malicious code didn't get introduced into it.
Should someone have been manipulated to put something malicious into the
stage3 tarball it could much more easily give a permanent foothold over
your system to a malicious 3rd party (think rootkit) than stage 1 would
allow.

Thanks to anyone who can provide light on the topic,
Max


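As an added example (not code from the thread or from Security Onion), here is a small script that does two of the checks Max lists above over constructed log lines: DNS query monitoring from tcpdump-style output, and per-destination outbound byte totals from a simple flow summary, flagged when one external host receives an unusually large volume. The GeoIP lookup is stood in for by a constructed country table; the sample lines, addresses and threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump DNS query lines (not a real capture).
DNS_LOG = """\
12:00:01.000000 IP 192.168.1.10.51234 > 192.168.1.1.53: 1+ A? mirror.example.org. (36)
12:00:02.000000 IP 192.168.1.10.51235 > 192.168.1.1.53: 2+ A? updates.example.com. (38)
12:00:03.000000 IP 192.168.1.22.40001 > 192.168.1.1.53: 3+ A? files.dropzone.test. (37)
12:00:03.500000 IP 192.168.1.22.40002 > 192.168.1.1.53: 4+ AAAA? files.dropzone.test. (37)
"""

# Constructed flow summary: "src dst bytes", bytes sent from src to dst.
FLOWS = """\
192.168.1.10 203.0.113.5 48210
192.168.1.10 198.51.100.7 120000
192.168.1.22 192.0.2.44 850000000
192.168.1.22 192.168.1.10 300000
"""

# Assumed country table standing in for a GeoIP database (constructed).
GEOIP = {"203.0.113.5": "US", "198.51.100.7": "DE", "192.0.2.44": "XX"}

# Matches "IP <client>.<port> > <resolver>.53: <id>+ A? <name>. (<len>)".
DNS_RE = re.compile(r"IP (\S+)\.\d+ > \S+\.53: \d+\+ (A|AAAA)\? (\S+)\. \(\d+\)")


def parse_dns(log):
    """Return {client_ip: set(queried names)} from tcpdump DNS lines."""
    queries = defaultdict(set)
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if m:
            queries[m.group(1)].add(m.group(3))
    return dict(queries)


def is_private(ip):
    """RFC 1918 check; enough to separate LAN hosts from the Internet."""
    if ip.startswith(("10.", "192.168.")):
        return True
    return re.match(r"172\.(1[6-9]|2\d|3[01])\.", ip) is not None


def outbound_volume(flows):
    """Sum bytes per (src, dst) for flows that leave the LAN."""
    totals = defaultdict(int)
    for line in flows.splitlines():
        src, dst, nbytes = line.split()
        if is_private(src) and not is_private(dst):
            totals[(src, dst)] += int(nbytes)
    return dict(totals)


def flag_exfil(volumes, threshold_bytes=100_000_000, geoip=GEOIP):
    """Return one alert per LAN host/destination pair above the threshold."""
    alerts = []
    for (src, dst), total in sorted(volumes.items()):
        if total > threshold_bytes:
            alerts.append({"src": src, "dst": dst, "bytes": total,
                           "country": geoip.get(dst, "??")})
    return alerts


def report(dns_log=DNS_LOG, flows=FLOWS):
    """Join volume alerts with the names the same client resolved."""
    queries = parse_dns(dns_log)
    alerts = flag_exfil(outbound_volume(flows))
    for a in alerts:
        a["names_queried"] = sorted(queries.get(a["src"], ()))
    return alerts


if __name__ == "__main__":
    for alert in report():
        print(alert)
```

Feeding it real data means replacing the two constants with `tcpdump -nn port 53` output and a flow summary from your capture tool, and swapping the dictionary for a GeoIP lookup.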

* Re: [gentoo-amd64] "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
  2014-08-07 15:36     ` [gentoo-amd64] " Max Cizauskas
@ 2014-08-07 16:06       ` Lie Ryan
  2014-08-07 17:20         ` [gentoo-amd64] " Duncan
  2014-08-07 19:29         ` [gentoo-amd64] " Mark Knecht
  0 siblings, 2 replies; 14+ messages in thread
From: Lie Ryan @ 2014-08-07 16:06 UTC (permalink / raw
  To: gentoo-amd64


With you having to compile thousands of things if you build from stage 1, I
doubt that you will be able to verify every single thing you compile and
detect if something is actually doing sneaky stuff AND still have the time
to enjoy your system. Also, even if you build from stage 1 and manage to
verify all the source code, you still need to download a precompiled
compiler which could possibly inject malicious code into the programs
it compiles, and which can also inject itself if you try to compile another
compiler from source. If there is a single piece of software that is worth
a gold mine to inject with malware to gain illicit access to all Linux
systems, then it would be gcc. Once you infect a compiler, you're invincible.

Also, did you apply the same level of scrutiny to your hardware?

For the truly paranoid, I recommend unplugging.



* [gentoo-amd64] Re: "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
  2014-08-07 16:06       ` Lie Ryan
@ 2014-08-07 17:20         ` Duncan
  2014-08-07 19:38           ` Mark Knecht
  2014-08-07 19:29         ` [gentoo-amd64] " Mark Knecht
  1 sibling, 1 reply; 14+ messages in thread
From: Duncan @ 2014-08-07 17:20 UTC (permalink / raw
  To: gentoo-amd64

Lie Ryan posted on Fri, 08 Aug 2014 02:06:14 +1000 as excerpted:

> With you having to compile thousands of things if you build from stage
> 1, I doubt that you will be able to verify every single thing you
> compile and detect if something is actually doing sneaky stuff AND still
> have the time to enjoy your system. Also, even if you build from stage 1
> and manage to verify all the source code, you still need to download a
> precompiled compiler which could possibly inject malicious code into
> the programs it compiles, and which can also inject itself if you try to
> compile another compiler from source. If there is a single piece of
> software that is worth a gold mine to inject with malware to gain illicit
> access to all Linux systems, then it would be gcc. Once you infect a
> compiler, you're invincible.

Actually, that brings up a good question.  The art of compiling is 
certainly somewhat magic to me tho I guess I somewhat understand the 
concept in a vague, handwavy way, but...

From my understanding, that's one reason why the gcc build is multi-stage 
and uses simpler (and thus easier to audit) tools such as lex and bison 
in its bootstrapping process.  I'm not actually sure whether gcc actually 
requires a previous gcc (or other full compiler) to build or not, but I 
do know it goes to quite some lengths to bootstrap in multiple stages, 
building things up from the simple to the complex as it goes and testing 
each stage in the process so that if something goes wrong, there's some 
idea /where/ it went wrong.

Clearly one major reason for that is proving functionality at each step 
such that if the process goes wrong, there's some place to start as to 
why and how, but it certainly doesn't hurt in helping to prove or at 
least somewhat establish the basic security situation either, tho as 
we've already established, it's basically impossible to prove both the 
hardware and the software back thru all the multiple generations.

Of course the simpler tools, lex, bison, etc, must have been built from 
something, but because they /are/ simpler, they're also easier to audit 
and prove basic functionality, including disassembly and analysis of 
individual machine instructions for a fuller audit.

So anyway, to the gcc experts that know, and to non-gcc CS folks who have 
actually built their own simple compilers and can at least address the 
concept, is a previous gcc or other full compiler actually required to 
build a new gcc, or does it sufficiently bootstrap itself from the more 
basic tools such that unlike most code, it doesn't actually need a full 
compiler to build and reasonably optimize at all?  That's a question I've 
had brewing in the back of my mind for some time, and this seemed the 
perfect opportunity to ask it. =:^)

Meanwhile, I suppose it must be possible at least at some level, else how 
would new hardware archs come to be supported.  Gotta start /somewhere/ 
on the toolchain, and "simpler" stuff like lex and bison can I believe 
run on a previous arch, generating the basic executable building blocks 
that ultimately become the first executable code actually run by the new 
target arch.

And of course gcc has long been one of the most widely arch-supporting 
compilers, precisely because it /is/ open source and /is/ designed to be 
bootstrapped in stages like that.  I guess clang/llvm is giving gcc some 
competition in that area now, in part because it's more modern and 
modular and in part because unlike gcc it /can/ legally be taken private 
and supplied to others without offering sources and some companies are 
evil that way, but gcc's the one with the long history in that area, and 
given that history I'd guess it'll be some time before clang/llvm catches 
up, even if it's getting most of the new platforms right now, which I've 
no idea whether it's the case or not.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
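Lie Ryan's worry (a compiler that injects code and re-injects itself whenever it compiles a compiler) and Duncan's point about staged, compare-each-stage bootstrapping meet in one check: diverse double-compiling (DDC, David A. Wheeler's technique). The toy below is an added example, not code from the thread or from gcc's build system. It models a compiler "binary" as a JSON rule table, shows that a gcc-style stage1/stage2 self-comparison passes even for a self-reinserting compiler, and shows that rebuilding the same source through a second, independently trusted compiler exposes the difference. The toy language, the JSON format, the `trojan` flag and the `INJECTED` marker are constructed for the example.

```python
"""Diverse double-compiling (DDC) on a toy compiler.

Added example (not from the thread, not gcc). A compiler 'binary' here is a
JSON document holding token-rewrite rules. Compiling a source whose first
line is '#compiler' yields a new compiler binary; compiling anything else
yields a token stream. The 'trojan' flag and 'INJECTED' marker are a
constructed model of Thompson's self-reinserting compiler, used only so
the defensive check has something to catch.
"""
import hashlib
import json

# Toy sources: one token per line.
COMPILER_SOURCE = "#compiler\nmap print PRINT\nmap halt HALT\n"
PROGRAM_SOURCE = "print\nhalt\n"

# Constructed compiler binaries: a trusted one (built elsewhere, assumed
# clean) and a suspect one whose rules are identical but carries the flag.
TRUSTED_BIN = json.dumps({"rules": {"print": "PRINT", "halt": "HALT"}},
                         sort_keys=True).encode()
TROJANED_BIN = json.dumps({"rules": {"print": "PRINT", "halt": "HALT"},
                           "trojan": True}, sort_keys=True).encode()


def compile_with(compiler_bin: bytes, source: str) -> bytes:
    """Run a toy compiler binary over a source text and return the output."""
    cfg = json.loads(compiler_bin)
    lines = [ln for ln in source.splitlines() if ln.strip()]
    if lines and lines[0] == "#compiler":
        rules = {}
        for line in lines[1:]:
            _, src, dst = line.split()
            rules[src] = dst
        new = {"rules": rules}
        if cfg.get("trojan"):
            # Modelled self-reinsertion: the flag survives even though
            # COMPILER_SOURCE contains nothing about it.
            new["trojan"] = True
        return json.dumps(new, sort_keys=True).encode()
    out = [cfg["rules"].get(tok, tok) for tok in lines]
    if cfg.get("trojan"):
        out.append("INJECTED")  # modelled effect on ordinary programs
    return "\n".join(out).encode()


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def self_bootstrap_check(suspect_bin: bytes, compiler_source: str) -> bool:
    """Stage comparison using only the suspect compiler (what a plain
    multi-stage bootstrap does). True means the stages agree."""
    stage1 = compile_with(suspect_bin, compiler_source)
    stage2 = compile_with(stage1, compiler_source)
    return digest(stage1) == digest(stage2)


def ddc_check(trusted_bin: bytes, suspect_bin: bytes, compiler_source: str) -> bool:
    """DDC: compile the suspect's source with the trusted compiler (stage1),
    let stage1 compile that source again (stage2), and compare stage2 with
    the suspect compiling its own source. True means no difference found.
    Requires deterministic compilers, so that equal inputs give equal bytes."""
    stage1 = compile_with(trusted_bin, compiler_source)
    stage2 = compile_with(stage1, compiler_source)
    from_suspect = compile_with(suspect_bin, compiler_source)
    return digest(stage2) == digest(from_suspect)


if __name__ == "__main__":
    honest_bin = compile_with(TRUSTED_BIN, COMPILER_SOURCE)
    print("self-bootstrap passes for trojaned compiler:",
          self_bootstrap_check(TROJANED_BIN, COMPILER_SOURCE))
    print("DDC agrees for honest compiler:",
          ddc_check(TRUSTED_BIN, honest_bin, COMPILER_SOURCE))
    print("DDC agrees for trojaned compiler:",
          ddc_check(TRUSTED_BIN, TROJANED_BIN, COMPILER_SOURCE))
```

The self-bootstrap comparison answers Duncan's "did each stage build consistently?" but not Lie Ryan's question, because a compiler that reproduces itself faithfully is consistent by construction. DDC only helps when the trusted compiler really was built independently (different lineage, ideally different hardware) and when both compilers produce byte-identical output for identical input; non-reproducible builds turn every comparison into a false alarm.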




* Re: [gentoo-amd64] "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
  2014-08-07 16:06       ` Lie Ryan
  2014-08-07 17:20         ` [gentoo-amd64] " Duncan
@ 2014-08-07 19:29         ` Mark Knecht
  1 sibling, 0 replies; 14+ messages in thread
From: Mark Knecht @ 2014-08-07 19:29 UTC (permalink / raw
  To: Gentoo AMD64

On Thu, Aug 7, 2014 at 9:06 AM, Lie Ryan <lie.1296@gmail.com> wrote:
<SNIP>
>
> Also, did you apply the same level of scrutiny to your hardware?
>

That's the basis of the now well known NSA hack on Cisco routers.
Intercept the box, modify the hardware, send the box onto some foreign
land and the router lets them in. No hacking required.

> For the truly paranoid, I recommend unplugging.
>

In the aforementioned book that's pretty much exactly what Snowden
required of the reporter & documentary film maker he started out
disclosing the info to. They had to buy new laptops and never attach
them to the net. He apparently used PGP encryption to chat & transfer
files over normal nets but (as I understand it) the encrypted files
are never opened on anything other than your off-the-net machine.

Of course, according to Snowden the NSA can enable the microphone on
my cell phone and listen to me talking in the house. He required
batteries be removed or cell phones be placed in a freezer.

I recently saw a similar story about new TVs having built in cameras
(for game interfaces I suppose) which could be enabled over the net to
watch what's going on in my living room. If the TV has power applied,
even if I'm not using it, what do I know really about what it's doing?

All of that argues for Max's suggestion about sniffing the network
full time, assuming I can rely on the sniffer not being hacked... ;-)



* Re: [gentoo-amd64] Re: "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
  2014-08-07 17:20         ` [gentoo-amd64] " Duncan
@ 2014-08-07 19:38           ` Mark Knecht
  0 siblings, 0 replies; 14+ messages in thread
From: Mark Knecht @ 2014-08-07 19:38 UTC (permalink / raw
  To: Gentoo AMD64

On Thu, Aug 7, 2014 at 10:20 AM, Duncan <1i5t5.duncan@cox.net> wrote:
> Lie Ryan posted on Fri, 08 Aug 2014 02:06:14 +1000 as excerpted:
>
>> With you having to compile thousands of things if you build from stage
>> 1, I doubt that you will be able to verify every single thing you
>> compile and detect if something is actually doing sneaky stuff AND still
>> have the time to enjoy your system. Also, even if you build from stage 1
>> and manage to verify all the source code, you still need to download a
>> precompiled compiler which could possibly inject malicious code into
>> the programs it compiles, and which can also inject itself if you try to
>> compile another compiler from source. If there is a single piece of
>> software that is worth a gold mine to inject with malware to gain illicit
>> access to all Linux systems, then it would be gcc. Once you infect a
>> compiler, you're invincible.
>
> Actually, that brings up a good question.  The art of compiling is
> certainly somewhat magic to me tho I guess I somewhat understand the
> concept in a vague, handwavy way, but...

<SNIP>
>
> So anyway, to the gcc experts that know, and to non-gcc CS folks who have
> actually built their own simple compilers and can at least address the
> concept, is a previous gcc or other full compiler actually required to
> build a new gcc, or does it sufficiently bootstrap itself from the more
> basic tools such that unlike most code, it doesn't actually need a full
> compiler to build and reasonably optimize at all?  That's a question I've
> had brewing in the back of my mind for some time, and this seemed the
> perfect opportunity to ask it. =:^)
>

And beyond Duncan's question (good question!) if I try to rebuild gcc
like it was an empty box using my current machine I see this sort of thing
where gcc is about the 350th of 385 packages getting built. It seems to
me that _any_ package that has programs running at the same or higher
level as emerge could be hacked and control what's actually placed on the
machine.

It's an endless problem if you cannot trust anything, and for most people,
and certainly for me, unverifiable the way the tools work today.

c2RAID6 ~ # emerge -pve gcc

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] app-arch/xz-utils-5.0.5-r1  USE="nls threads
-static-libs" ABI_X86="(64) (-32) (-x32)" 1,276 kB
[ebuild   R    ] virtual/libintl-0-r1  ABI_X86="(64) -32 (-x32)" 0 kB
[ebuild   R    ] app-arch/bzip2-1.0.6-r6  USE="-static -static-libs"
ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild   R    ] dev-libs/expat-2.1.0-r3  USE="unicode -examples
-static-libs" ABI_X86="(64) (-32) (-x32)" 550 kB
[ebuild   R    ] virtual/libiconv-0-r1  ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild   R    ] dev-lang/python-exec-2.0.1-r1:2
PYTHON_TARGETS="(jython2_5) (jython2_7) (pypy) (python2_7) (python3_2)
(python3_3) (-python3_4)" 0 kB
[ebuild   R    ] sys-devel/gnuconfig-20140212  0 kB
[ebuild   R    ] media-libs/libogg-1.3.1  USE="-static-libs"
ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild   R    ] app-misc/mime-types-9  16 kB
[ebuild   R    ] sys-apps/baselayout-2.2  USE="-build" 40 kB
[ebuild   R    ] sys-devel/gcc-config-1.7.3  15 kB

<SNIP, SNIP, SNIP>

[ebuild   R    ] media-libs/phonon-4.6.0-r1  USE="gstreamer (-aqua)
-debug -pulseaudio -vlc (-zeitgeist)" 275 kB
[ebuild   R    ] sys-libs/glibc-2.19-r1:2.2  USE="(multilib) -debug
-gd (-hardened) -nscd -profile (-selinux) -suid -systemtap -vanilla" 0
kB
[ebuild   R    ] sys-devel/gcc-4.7.3-r1:4.7  USE="cxx fortran
(multilib) nls nptl openmp (-altivec) -awt -doc (-fixed-point) -gcj
-go -graphite (-hardened) (-libssp) -mudflap (-multislot) -nopie
-nossp -objc -objc++ -objc-gc -regression-test -vanilla" 81,022 kB
[ebuild   R    ] sys-libs/pam-1.1.8-r2  USE="berkdb cracklib nls
-audit -debug -nis (-selinux) {-test} -vim-syntax" ABI_X86="(64) (-32)
(-x32)" 0 kB
[ebuild   R    ] dev-db/mysql-5.1.70  USE="community perl ssl
-big-tables -cluster -debug -embedded -extraengine -latin1
-max-idx-128 -minimal -pbxt -profiling (-selinux) -static {-test}
-xtradb" 24,865 kB
[ebuild   R    ] sys-devel/llvm-3.3-r3:0/3.3  USE="libffi
static-analyzer xml -clang -debug -doc -gold -multitarget -ocaml
-python {-test} -udis86" ABI_X86="(64) (-32) (-x32)"
PYTHON_TARGETS="python2_7 (-pypy) (-pypy2_0%) (-python2_6%)"
VIDEO_CARDS="-radeon" 0 kB
[ebuild   R    ] media-libs/mesa-10.0.4  USE="classic egl gallium llvm
nptl vdpau xvmc -bindist -debug -gbm -gles1 -gles2 -llvm-shared-libs
-opencl -openvg -osmesa -pax_kernel -pic -r600-llvm-compiler
(-selinux) -wayland -xa" ABI_X86="(64) (-32) (-x32)"
VIDEO_CARDS="(-freedreno) -i915 -i965 -ilo -intel -nouveau -r100 -r200
-r300 -r600 -radeon -radeonsi -vmware" 0 kB
[ebuild   R    ] x11-libs/cairo-1.12.16  USE="X glib opengl svg xcb
(-aqua) -debug -directfb -doc (-drm) (-gallium) (-gles2)
-legacy-drivers -openvg (-qt4) -static-libs -valgrind -xlib-xcb" 0 kB
[ebuild   R    ] app-text/poppler-0.24.5:0/44  USE="cairo cxx
introspection jpeg jpeg2k lcms png qt4 tiff utils -cjk -curl -debug
-doc" 0 kB
[ebuild   R    ] media-libs/harfbuzz-0.9.28:0/0.9.18  USE="cairo glib
graphite introspection truetype -icu -static-libs {-test}"
ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild   R    ] x11-libs/pango-1.36.5  USE="X introspection -debug"
ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild   R    ] x11-libs/gtk+-2.24.24:2  USE="introspection xinerama
(-aqua) -cups -debug -examples {-test} -vim-syntax" ABI_X86="(64)
(-32) (-x32)" 0 kB
[ebuild   R    ] x11-libs/gtk+-3.12.2:3  USE="X introspection xinerama
(-aqua) -cloudprint -colord -cups -debug -examples {-test} -vim-syntax
-wayland" 0 kB
[ebuild   R    ] dev-db/libiodbc-3.52.7  USE="gtk" 1,015 kB
[ebuild   R    ] app-crypt/pinentry-0.8.2  USE="gtk ncurses qt4 -caps
-static" 419 kB
[ebuild   R    ] dev-java/icedtea-bin-6.1.13.3-r3:6  USE="X alsa -cjk
-cups -doc -examples -nsplugin (-selinux) -source -webstart" 0 kB
[ebuild   R    ] dev-libs/soprano-2.9.4  USE="dbus raptor redland
virtuoso -debug -doc {-test}" 1,913 kB
[ebuild   R    ] app-crypt/gnupg-2.0.25  USE="bzip2 ldap nls readline
usb -adns -doc -mta (-selinux) -smartcard -static" 0 kB
[ebuild   R    ] gnome-extra/polkit-gnome-0.105  304 kB
[ebuild   R    ] kde-base/kdelibs-4.12.5-r2:4/4.12  USE="acl alsa
bzip2 fam handbook jpeg2k mmx nls opengl (policykit) semantic-desktop
spell sse sse2 ssl udev udisks upower -3dnow (-altivec) (-aqua) -debug
-doc -kerberos -lzma -openexr {-test} -zeroconf" 0 kB
[ebuild   R    ] sys-auth/polkit-kde-agent-0.99.0-r1:4  USE="(-aqua)
-debug" LINGUAS="-ca -ca@valencia -cs -da -de -en_GB -eo -es -et -fi
-fr -ga -gl -hr -hu -is -it -ja -km -lt -mai -ms -nb -nds -nl -pa -pt
-pt_BR -ro -ru -sk -sr -sr@ijekavian -sr@ijekavianlatin -sr@latin -sv
-th -tr -uk -zh_TW" 34 kB
[ebuild   R    ] kde-base/nepomuk-core-4.12.5:4/4.12  USE="exif pdf
(-aqua) -debug -epub -ffmpeg -taglib" 0 kB
[ebuild   R    ] kde-base/katepart-4.12.5:4/4.12  USE="handbook
(-aqua) -debug" 0 kB
[ebuild   R    ] kde-base/kdesu-4.12.5:4/4.12  USE="handbook (-aqua)
-debug" 0 kB
[ebuild   R    ] net-libs/libproxy-0.4.11-r2  USE="kde -gnome -mono
-networkmanager -perl -python -spidermonkey {-test} -webkit"
ABI_X86="(64) (-32) (-x32)" PYTHON_TARGETS="python2_7" 0 kB
[ebuild   R    ] kde-base/nepomuk-widgets-4.12.5:4/4.12  USE="(-aqua)
-debug" 0 kB
[ebuild   R    ] kde-base/khelpcenter-4.12.5:4/4.12  USE="(-aqua) -debug" 0 kB
[ebuild   R    ] net-libs/glib-networking-2.40.1-r1  USE="gnome
libproxy ssl -smartcard {-test}" ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild   R    ] net-libs/libsoup-2.46.0-r1:2.4  USE="introspection
ssl -debug -samba {-test}" ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild   R    ] media-plugins/gst-plugins-soup-0.10.31-r1:0.10
ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild   R    ] media-libs/phonon-gstreamer-4.6.3  USE="alsa network
-debug" 71 kB

Total: 385 packages (385 reinstalls), Size of downloads: 355,030 kB
c2RAID6 ~ #

