public inbox for gentoo-hardened@lists.gentoo.org
* Re: [gentoo-hardened] Hard Disk Encryption
@ 2003-06-06  3:29 Joshua Brindle
From: Joshua Brindle @ 2003-06-06  3:29 UTC
  To: gentoo-hardened, Waters, Boyd

I'll top post since this is fairly long.

You are right, it is a huge issue for physical security and something
that many of us think about all the time. 

For those who have not seen the project homepage 
(http://www.gentoo.org/proj/en/hardened) I suggest you go, in
the 'planned subprojects' list I have mentioned both cryptoapi
and FiST (the link is there for more information). I know that selinux
has gotten the most attention within the project and also on this
list but there are some things to consider. 

First, we've been working on other things like propolice integration
and grsecurity acl's. Solar, a new hardened developer has put
together a really nice system for installing grsecurity acl's for installed
software.

Second, we have many projects that we'd like to do (see list on the page)
but as we are a fairly new project we don't have a huge amount of 
manpower to make it happen. If you are interested in putting together
a very solid implementation for this sort of thing then by all means
drop by #gentoo-hardened on irc.freenode.net and chat with us :) .

Third, SELinux was the first subproject we actually started working
on so naturally it's ahead of everything else.

I hope that everyone would look at the webpage and speak up if
they are capable of doing anything that we have planned or even 
security related projects which we haven't thought of.

Thank you, and I would love to have strong crypto block support 
in Gentoo, and I'm sure many others would as well :)

Joshua Brindle

>One aspect of computer data security that has become important to me
>is the obfuscation of data on the computer hard disk. This will slow
>down data retrieval by unauthorized people who manage to gain
>unrestricted physical access to the computer.
>
>Such a scenario is becoming more likely with the rise in popularity of
>laptop computers as primary workstation platforms. (I am writing this
>on a laptop that is the only machine I use.) If someone walks off with
>your laptop computer, then a robust access-control-list (ACL) policy
>is not going to do you any good; one may simply mount the hard disk
>via a less-secure system and have unrestricted access to the data.
>
>I decided to encrypt the entire disk on my computer: not just per-user
>partitions, but the entire root (and swap, too). The reason for this
>is that I could not think of a straightforward way to prevent
>important security tokens from landing in non-user areas, such as /etc
>or /var/lib.
>
>Critics of whole-disk encryption claim that it's a waste of time to
>encrypt common files, such as the ~2GB of files that comprise the
>libraries and binaries of a typical Linux installation. Or worse, that
>such an approach can lead to known-plaintext attacks. Well: I don't
>see a significant performance penalty, and cipher-block-chaining mode
>can make known-plaintext attacks more difficult.
>
>I have been using an encrypted root hard disk for a year. I back up my
>data to other encrypted volumes. No data loss so far. I use the
>kerneli CryptoAPI with 2.4.20.
>
>This thread on Gentoo Forums has seen recent activity, discussing the
>use of loop-AES for hard disk encryption with 2.4.x kernels:
>http://forums.gentoo.org/viewtopic.php?t=31363 
>
>My recent efforts have focused on deployment of encrypted hard disks
>in the 2.5.x kernels. The CryptoAPI is now part of the mainline Linux
>tree, but loop device encryption is not.
>
>An encrypted loopback block device driver has been implemented by
>CryptoAPI developers as a thin layer on top of the new Linux 2.5 block
>device system. I believe this approach may be best for the long term,
>but there is relatively little discussion of this on the
>cryptoapi-devel mailing list. And using this driver requires patches
>to util-linux that have not yet been incorporated into the standard
>util-linux distribution.
>
>In contrast, the loop-AES implementation has been ported to the 2.5.x
>kernels; this is a simple port of the 2.4.x block device to the 2.5
>kernel. It may not be able to take advantage of the scatterlist
>blockdev optimizations that the cryptoAPI incorporates. But it has a
>responsive developer, and it seems to work better with recent versions
>of util-linux (2.11z).
>
>I have not yet been able to tweak my init RAMdisks that I used for
>2.4.x root encryption so that they will successfully boot a 2.5
>system. But I think I am close to doing so: another week or two at the
>most.
>
>I believe that block-level encryption is a far better approach for
>on-the-disk data protection than a stacked filesystem such as
>FiST. Creation of a FiST encryption layer would be upside-down, I
>think: a standard filesystem such as e2fs that "hosts" encrypted
>data. With FiST, the atomic units exposed to the encryption layer are
>file-system units: file names, dirents, etc. With block-level
>encryption, you encrypt blocks: opaque chunks of bytes. (FiST might be
>very powerful for implementing policy-based access, though...)
>
>I am very pleased by the Gentoo-Hardened effort. I think that the
>current focus on learning about SELinux is vital: since security is a
>_process_ rather than a _technology_, we need to learn how to
>implement meaningful security policies on our Gentoo boxes.
>
>I think that this Disk Encryption is completely orthogonal to this
>effort: advances in this arena will not interfere with whatever
>security policies are developed by the SELinux initiative. Block-level
>encryption is (almost) completely transparent to a running system, so
>ACLs and SELinux PSMs can run on top of such with *no* modification.
>
>I think that other enabling technologies like token-based access
>control (smart cards, USB dongles) fall somewhere in the middle: the
>technology (device drivers) needs to be developed, but security
>policies should be likewise developed to take advantage of these.
>
>So:
>I am working on block-level encryption. I think it is particularly
>important for laptop users. I would like to co-ordinate my efforts
>with the Gentoo-Hardened project.
>
>Cheers!
>
>-- boyd
>watersb on Gentoo Forums


--
gentoo-hardened@gentoo.org mailing list



* [gentoo-hardened] Marketing Hardened Gentoo ..
@ 2003-06-06 20:46 ` Gavin Vess
From: Gavin Vess @ 2003-06-06 20:46 UTC
  To: gentoo-hardened

I believe marketing hardened Gentoo (e.g. by increasing popularity and awareness) is critical to the success of this project, so, here is a suggestion for marketing material .. and a strong justification.

http://www.theinquirer.net/?article=9845

Linux security breaches at all time high
Windows stood up better, company claims

By INQUIRER staff: Wednesday 04 June 2003, 11:47
A UK BASED security firm claimed today that digital attacks on Web sites using the Linux operating system have reached an all-time high over the last three months. British firm mi2g claimed that Windows based servers were more resilient from March to May for corporate and government systems.
It issued figures saying that the reason for the vulnerabilities was down to improperly configured systems, lack of a "trustworthy" computing initiative, and corporations choosing Linux because of its cost but not costing in technical support overheads.
In May this year, 19,208 successful breaches were recorded against Linux based systems, compared to 3,801 against MS Windows based systems, it claimed. Both the USA and the UK were most attacked during the three months which included the Iraq war.




* Re: [gentoo-hardened] Marketing Hardened Gentoo ..
@ 2003-06-07  1:36   ` Boyd Waters
From: Boyd Waters @ 2003-06-07  1:36 UTC
  To: gentoo-hardened

Gavin Vess wrote:

> I believe marketing hardened Gentoo (e.g. by increasing popularity and
> awareness) is critical to the success of this project, so, here is a
> suggestion for marketing material .. and a strong justification.
> 
> http://www.theinquirer.net/?article=9845
> 
> Linux security breaches at all time high...


Hmmm....

I suppose that security products are attractive because people are 
afraid. Playing on those fears, however, does not provide security...

I'm not suggesting that you intend to do so, but marketing a Gentoo 
security initiative as if it is in response to media attention is a 
slippery slope, I think.

Rather than becoming a high-visibility project that reacts to media and 
industry concerns, I would prefer to be invisible: I would prefer that 
we made best-practices security techniques as easy to use as the rest of 
Gentoo.

Almost automatic. Just automatic enough, actually.

That is to say, not so easy as to expect no thought from the user -- but 
the genius of the Portage system is that it exposes enough of the way 
that software is actually created -- the source code, the config files 
-- that people can learn from it, while avoiding (in most cases) the 
despair of being thrown into the deep end with no automated tools to 
guide them. Gentoo does not pretend that code does not exist. That there 
is no command-line. [footnote 1]

So witness the real magic of Gentoo: we have newbies posting on the 
forums, and pretty soon they are asking sophisticated questions, and can 
deal with installing new packages from source or even applying a patch 
themselves.

I don't care much about the particulars of the technology that we adopt, 
as long as we can continue creating happily-linux-savvy people out of 
such new-comers!

They learn that using a computer is a process, just like security is a 
process. And computer risk management is something that they can learn 
to do, anyone can learn to do this.

My 0.0169 euros (two cents)...

-- boyd



IMHO, when the project is ready, I think that an appropriate place to 
direct media attention would be to the Gentoo Project -- the overall 
distro -- which will have all this security policy stuff sorted out. You 
could point out the security features, or put a base-install Gentoo box 
on the net for crackers to pound on, whatever...

Gentoo users will react to such a media announcement the way they've 
always reacted to such attention: "Um, yeah, of course it's secure, 
that's how it told me to set it up... what's the big deal?"



[footnote 1] "..there is no command line."
Ironically, the same distro that makes users compile everything from 
source is the distro that turns a computer into a no-brainer games console!

How did that happen?

Well, Gentoo exposes the internals of the Linux system, while at the 
same time delivering reliability by providing tools for configuration 
management (the package dependencies, package cleaning, very nice init 
scripts etc). It's a development platform that one can actually use.

So it's a great starting point for linux-based repackaging efforts.


Jeez, enough already.... another long post from /me...

============ EOF







* Re: [gentoo-hardened] Marketing Hardened Gentoo ..
@ 2003-06-07  2:40     ` John Robinson
From: John Robinson @ 2003-06-07  2:40 UTC
  To: gentoo-hardened

Wow. That was a great highlight of Gentoo's strong points. I'm serious
when I say that your post should probably be put in a "What are our
customers saying about us?" section on a Gentoo website-- I don't think
I've seen a better written description of the things you touched on
anywhere else. You're right about what makes Gentoo great, especially
its effects on new users of Linux.

The points at which I have to differ with you are the meaning of the
email you're responding to, and the posture you feel the Gentoo staff
will take if the email's suggestion is carried out:

> ...marketing a Gentoo security initiative as if it is in response to
> media attention is a slippery slope, I think.

While I agree with you, I don't think that this was the intent of the
previous email's suggestion. The Gentoo Hardened effort was started
before the article in question was released, and so I don't think the
email's author (feel free to correct me) meant that Gentoo should market
itself as a response to the facts presented in it (or to the article
itself, or the media trend into which the article falls), but merely as
a good answer to them, which (when it's complete) it will be. Hardened
Gentoo will (if I understand its aims) allow Gentoo systems to be more
secure with less work, resulting in fewer "improperly configured
systems" and "technical support overhead" -- the very things the article
addresses as the main security problems on the Linux systems polled.

> Rather than becoming a high-visibility project that reacts to media and 
> industry concerns, I would prefer to be invisible: I would prefer that 
> we made best-practices security techniques as easy to use as the rest of 
> Gentoo.

I don't think that marketing Hardened Gentoo by referencing a set of
facts supporting the use of such a distribution is equivalent to
becoming a high-visibility project. Unless the marketing campaign was
also stepped up, this wouldn't be a problem, it doesn't seem to me.
Having a fair amount of visibility, however, is important to any
software project, and having some facts to underscore the importance of
such a project is usually pretty... well, important.

Lastly, although I don't work for Gentoo, I find myself a little
bothered at the suggestion that (given enough media attention) those in
charge would shift their focus from providing a good,
best-practices-based security initiative to providing what must be an
inferior product which will (in the end) provide them more headaches and
work. Although the Hardened effort must be at some level a reaction to
industry concerns, because security concerns the computing industry, I
don't think it is (or will become) a media-driven, looks-but-not-guts
oriented effort.

I'd like to see Hardened Gentoo become a more popular and
well-recognized distribution, partially because it's such a cool idea,
but mostly because it's a good response to the concerns of a lot of
security people out there, and deserves recognition. The more it's used,
if it meets its goals, the more secure the Linux-based servers of the
net will be, and I consider that a plus as well. I'm all for seeing the
Hardened effort marketed well, and I think the use of the article Gavin
mentioned (and others) might be key to that endeavor.

Sincerely,

John Robinson

-- 

Love justice; desire mercy.





* Re: [gentoo-hardened] Marketing Hardened Gentoo ..
@ 2003-06-07  3:21       ` Boyd Waters
From: Boyd Waters @ 2003-06-07  3:21 UTC
  To: strider; +Cc: gentoo-hardened

John Robinson wrote:

>  Although the Hardened effort must be at some level a reaction to
> industry concerns, because security concerns the computing industry, I
> don't think it is (or will become) a media-driven, looks-but-not-guts
> oriented effort.
> 
> I'm all for seeing the
> Hardened effort marketed well, and I think the use of the article Gavin
> mentioned (and others) might be key to that endeavor.

John (and Gavin!):

Thanks very much for this response to my post. After I sent it I 
realized that it might have spoken too strongly against Gavin's 
suggestion...

Duh. Increased visibility of the Gentoo Hardened effort will help. And 
as Gavin correctly points out, the effort is a timely response to a 
pressing industry need.

I am perhaps a bit media-shy wrt "computer security" -- I think that 
heightened awareness of computer risk management is a Good Thing, better 
than not caring at all. But I think that media attention to computer 
security focuses on technology wars: Windows is better than Linux, Linux 
is more secure than blah blah blah whatever. I don't want us to get into 
that game -- "Gentoo is more secure than FooBar" -- no, thanks. Such 
statements are meaningless (without considerable context, and the 
context does NOT get repeated in the media).

> Hardened
> Gentoo will (if I understand its aims) allow Gentoo systems to be more
> secure with less work, resulting in fewer "improperly configured
> systems" and "technical support overhead" -- the very things the article
> addresses as the main security problems on the Linux systems polled.

This is an excellent precis of the real story behind the article that 
Gavin brings to our attention.

Advocacy is a good and necessary thing. And it is good that people are 
excited about the Gentoo Hardened effort. Spreading the word won't hurt. 
I have posted my share of :Gentoo Rocks!: messages on various forums, 
and have seriously considered whining to LinuxJournal for more Gentoo 
awareness... 'nuff said!

Cheers!
-- boyd






* Re: [gentoo-hardened] Marketing Hardened Gentoo ..
@ 2003-06-07  4:45   ` Jeffrey Lim
From: Jeffrey Lim @ 2003-06-07  4:45 UTC
  To: gentoo-hardened


while everybody is still talking about marketing gentoo, has anybody
actually detected the FUD-like stink of the article?

for one, the "UK based security firm" is not even named, and ... the
phrase "lack of a trustworthy computing initiative"?? oh please.

-jf

On Fri, 6 Jun 2003 13:46:56 -0700, "Gavin Vess" <Gavin@Vess.com> said:
> I believe marketing hardened Gentoo (e.g. by increasing popularity and
> awareness) is critical to the success of this project, so, here is a
> suggestion for marketing material .. and a strong justification.
> 
> http://www.theinquirer.net/?article=9845
> 
> Linux security breaches at all time high
> Windows stood up better, company claims
> 
> By INQUIRER staff: Wednesday 04 June 2003, 11:47
> A UK BASED security firm claimed today that digital attacks on Web sites
> using the Linux operating system have reached an all-time high over the
> last three months. British firm mi2g claimed that Windows based servers
> were more resilient from March to May for corporate and government
> systems.
> It issued figures saying that the reason for the vulnerabilities was down
> to improperly configured systems, lack of a "trustworthy" computing
> initiative, and corporations choosing Linux because of its cost but not
> costing in technical support overheads.
> In May this year, 19,208 successful breaches were recorded against Linux
> based systems, compared to 3,801 against MS Windows based systems, it
> claimed. Both the USA and the UK were most attacked during the three
> months which included the Iraq war.
 
--
  "It's an extraordinary world!" - jfsworld <at> fastmail.fm
 
 




* [gentoo-hardened] Marketing Hardened Gentoo ..
@ 2003-06-07 19:04         ` Gavin Vess
From: Gavin Vess @ 2003-06-07 19:04 UTC
  To: gentoo-hardened

Greetings,

I see merits to all the points mentioned, especially our stated purpose "Hardened Gentoo's purpose is to make Gentoo viable for high security, high stability production server environments." [ http://www.gentoo.org/proj/en/hardened/ ]  By definition, successful marketing ought to further this goal and project.

Although we may question the credibility of the aforementioned article and UK security company, the underlying problem of increasing attacks (and security failures) for Linux-based systems remains.  The article demonstrates the likelihood of increasing public awareness.  This need translates into consumer demand for secure operating systems in production server environments.  There are a finite number of products competing to address this need, and competing for finite developer resources (e.g. the Gentoo team, package authors, original product developers, system administrators, etc.).  For example, John Doe may choose to develop, install, administrate, tune, or customize OpenBSD or Yellow Dog Linux or a custom-crafted environment built on WOLK .. or hardened Gentoo.

For several reasons, I would like to eventually see people asserting that hardened Gentoo is the #1 Linux-based choice in the world for a hardened server platform.  1st place might convey an order-of-magnitude greater "benefits" to the "vendors" than 2nd place.  "Increased visibility of the Gentoo Hardened effort will help."  If the right things are marketed to the right groups at the right time, then consumers will use the product and developers will support and enhance it.  On the other hand, as Boyd pointed out, attracting the wrong people to the wrong places at the wrong time might prove a significant hindrance to progress.

I suggest targeting two sets of audiences (at a minimum). Boyd's awesome summary of [hardened] Gentoo, combined with a clear justification of the increasing need, might help increase awareness.  Perhaps not just yet, but soon, consumers need to realize that an alternative exists to other secure versions of Linux (and non-Linux OS), and developers need to know that they might find hardened Gentoo satisfies their security needs with less effort (Boyd's principle of relative "invisibility").  In a few weeks (months?), when we're ready, I also suggest recruiting some time from a true marketer for the project.

Another 2 cents,
Gavin




* Re: [gentoo-hardened] Marketing Hardened Gentoo ..
@ 2003-06-08  1:04           ` Chris PeBenito
From: Chris PeBenito @ 2003-06-08  1:04 UTC
  To: Gavin Vess; +Cc: gentoo-hardened


On Sat, 2003-06-07 at 14:04, Gavin Vess wrote:
> For several reasons, I would like to eventually see people asserting
> that hardened Gentoo is the #1 Linux-based choice in the world for a
> hardened server platform.

Well, we're trying to make hardened as good as we can :)

> I suggest targeting two sets of audiences (at a minimum).

Well the hardened team is trying to do what all Gentoo does; we give
options.  For those options, we try to have a good default
configuration, which users can modify to suit their needs.  SELinux is
certainly not the only thing we're working on, it just happens to be the
first thing that we started working on.  We're working on other things
such as grsecurity and propolice.  Work on secure auditing is starting
up.  For those who don't have high security needs, there is also
systrace.

As for getting a marketing person, I disagree.  With little effort over
the last week, we've gotten a lot of interest just from Gentoo users on
the mail lists.  The SELinux demo box already has appeared on
osnews.com.  There will be a release about the machine in the GWN which
has some 5400 subscribers plus the people that read it on the web.  I
think we can do well enough feeding off of the credibility that Gentoo
already has.  We don't need a big marketing blitz, or a marketing guy. 
That may work for desktops, but I doubt many people choose their secure
OS based on some marketing gimmick.

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer, SELinux
Hardened Gentoo Linux
 
"Engineering does not require science. Science helps
a lot, but people built perfectly good brick walls
long before they knew why cement works."-Alan Cox

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243



* Re: [gentoo-hardened] Marketing Hardened Gentoo ..
@ 2003-06-08 21:16             ` Boyd Waters
From: Boyd Waters @ 2003-06-08 21:16 UTC
  To: gentoo-hardened

Chris PeBenito wrote:

> As for getting a marketing person, I disagree. ..
> We don't need a big marketing blitz, or a marketing guy.
> That may work for desktops, but I doubt many people choose their secure
> OS based on some marketing gimmick.


Well... of course, "marketing" does not necessarily mean "gimmick".

There is validity to Gavin's assertion that open-source projects
benefit from mind-share, so it would be good to have people aware of
our effort so that they could evaluate it and make some informed
decisions.

Gentoo is indeed about choice -- but many savvy Linux sysadmins are
not aware that the Gentoo option exists. There should be a niche in
the project for motivated people to get the message out, at the
appropriate time. If we fail to engage such people, we will lose an
opportunity: evangelizers need a solid working knowledge of the issues
-- and security is a particularly tough one -- and so it is beneficial
to have someone _on the team_ (rather than someone less familiar with
the project) who wants to coordinate this sort of thing.

That said, security is complex, and almost no one understands the
interplay between "security" and "technology". In the
computer-risk-management arena, it is easy to confuse people, it is
almost impossible not to be mis-quoted. So I think that evangelism is
the _wrong_ approach for marketing a security project.

Rather, we should encourage people who are (justifiably, IMHO) excited
about Gentoo's benefits to evangelize Gentoo-the-distro,
Gentoo-the-portage system. Good evangelism has compassion for the
audience, and the audience most germane to security efforts is system
administrators. So one could emphasize the configuration-management
benefits, or the fact that it helps teach linux internals, while
listening to them and responding to their concerns. This is necessary
for mind-share benefits stated above, and is completely OK.

To raise awareness of the _security_ efforts, I would stick to very
pragmatic and skeptical inquiry. I would write substantive articles in
LinuxJournal and engage people interested in Linux security via the
methods that Chris mentioned. I would try, wherever possible, to get
any innovations that are developed folded back into the mainstream, so
that we benefit all of Linux. I think that this "engagement by
engineering" approach builds far more goodwill and credibility in the
community than a "server shoot-out".


See, you're not trying to "win customers", you're trying to attract
more people who are willing to work _with_ you. It's peer-to-peer, not
top-down. If you take all that management-speak about partnering with
your customer seriously, then the customer concept vanishes. There is
nothing to "win" so that someone else "loses"...

We don't _want_ to have a "competitive advantage", it's not a
competition -- we want to raise the expectations for standard,
best-practices linux security. Everywhere. All distros. Ideally, all
computers. That's what we want. We recognize that we are doing this on
Linux because it's open-source, it's possible to innovate, it has lots
of nice features already, and lots of people are using it, it's
possible to make a difference. We recognize that we're doing this with
the Gentoo distro because it is flexible enough to accommodate
system-level innovation without breaking, it's a good platform for
development. Plus it's got a cool logo.

I don't think that a "marketing person" would get this.



SO to summarize:

1) Grass-roots, user-base evangelism works well to engage and to
    motivate people, to maintain the mind-share that keeps a project
    thriving.

    Since it is about what people _want_ and _believe_ rather than
    about technology and measuring things, it is best to stay away from
    confusing issues like security when evangelizing. Talk about "cool"
    or "easy" or "standard" or "time saver" or "fun". But you _need_
    this sort of thing. "Marketing people" efforts likely go
    here. Engineers are not particularly good at this.


2) The Gentoo Hardened team is already performing the "engagement by
    engineering" -- the best approach for a security development effort
    that will require cooperation from other communities, and thus
    will require significant technical credibility.


3) A way to bridge these two domains would be to leverage the Gentoo
    Way to make the best-practices that are developed part of the
    default and easy path for Gentoo users. (This is consistent with
    other Gentoo-isms such as the separate /boot partition, devfs,
    bsd-init, and advanced filesystem support.) Once it becomes accepted
    as the standard Gentoo Way for a while, then it can become a talking
    point for the folks in summary item #1 --- but it will never be easy
    to "evangelize" security.


-- boyd







* Re: [gentoo-hardened] Marketing Hardened Gentoo ..
@ 2003-06-09 13:41               ` stephen white
From: stephen white @ 2003-06-09 13:41 UTC
  To: gentoo-hardened

On Monday, June 9, 2003, at 06:46 AM, Boyd Waters wrote:
> Rather, we should encourage people who are (justifiably, IMHO) excited
> about Gentoo's benefits to evangelize Gentoo-the-distro,
> Gentoo-the-portage system.

I'm only interested in Gentoo-the-hardened because of Gentoo-the-distro 
and Gentoo-the-portage. This project may save me some time, but Gentoo 
itself already offers what I want.

Just another perspective from the great unwashed, who would be one of 
the targets for these marketing efforts. :)

--
   steve@cs.adelaide.edu.au




