LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
LinkBack Search this Thread
Old 06-13-2013, 05:44 PM   #1
DavidLee1A
Member
 
Registered: Dec 2012
Distribution: Debian Wheezy amd64
Posts: 121
Blog Entries: 12

Rep: Reputation: 5
The Fundamental Security Question


Can we really consider a system secure if the Linux kernel is not blob free? If so, then how do we determine which kernels are blob free? It's certainly not obvious from https://www.kernel.org/ . If the foundation of your operating system is not secure then how can you consider your computer secure?
 
Old 06-13-2013, 07:09 PM   #2
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 1,702

Rep: Reputation: 426Reputation: 426Reputation: 426Reputation: 426Reputation: 426
The blobs are there to make certain devices actually work. It isn't exactly a security issue as the blobs are proprietary software that is loaded into the device to make it work. Sometimes these are just patches to the default load, but not always. From a security standpoint, they are undesirable... but that means not using the hardware which may be built into the motherboard. Not using the hardware sometimes also means that the motherboard is useless.

If you don't want the blobs, don't use the devices that need them. At that point, the drivers will not be loaded, and without the drivers, neither are the blobs.

This is the same issue with using a BIOS or UEFI software to boot the system. They too are "blobs" that you don't usually get to examine (especially the UEFI code).
 
Old 06-13-2013, 07:46 PM   #3
jefro
Guru
 
Registered: Mar 2008
Posts: 10,255

Rep: Reputation: 1256Reputation: 1256Reputation: 1256Reputation: 1256Reputation: 1256Reputation: 1256Reputation: 1256Reputation: 1256Reputation: 1256
I never suggested Linux or any other OS to be a secure system.

What OS do you think is secure?
 
Old 06-13-2013, 10:04 PM   #4
DavidLee1A
Member
 
Registered: Dec 2012
Distribution: Debian Wheezy amd64
Posts: 121
Blog Entries: 12

Original Poster
Rep: Reputation: 5
How would we know what devices were not dependent on propietary "blob only" drivers? This would be useful since a chain is only as strong as it"s weakest link ... and kernel's with alien blobs are a security weakness.
On the other hand:
Quote:
1. Terrorists do want to murder us. If the NSA is halfway competent, Big Data should help detect plots.
based on https://www.youtube.com/watch?v=qBp-1Br_OEs it is questionable if the governments accumulated data is being used ethically
Quote:
2. My electronic privacy has already been utterly shredded by Google, Amazon, YouTube and so on.
You are partially correct as current news verifies: the NSA program is called prism as seen https://blog.torproject.org/blog/prism-vs-tor and https://www.eff.org/search/site/prism but you can protect your privacy in many ways as seen: (1) surveillance self defense: https://ssd.eff.org/ , (2) anonymous web use: via TOR browser https://www.torproject.org/download/...d-easy.html.en , and an operating system set up for anonymity using TOR is https://tails.boum.org/download/index.en.html
 
Old 06-14-2013, 03:03 AM   #5
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266
I think that firmware is, in general, not a security vulnerability. I would say that compiled blobs like Nvidia and ATI blobs are much more of a risk.

There is only so much you can do in firmware, as it is very low level. Also, it usually cannot be readily replaced by a C program.

I wouldn't worry too much about the firmware that comes with the kernel.

As for Tor + HTTPS, like I've said before, all the NSA need to do is generate or obtain a fake SSL certificate. Check the diagram the EFF posted and see for yourself. Tor was likely designed with the help of the NSA, and that's why they are pushing it.
 
Old 06-14-2013, 07:58 AM   #6
DavidLee1A
Member
 
Registered: Dec 2012
Distribution: Debian Wheezy amd64
Posts: 121
Blog Entries: 12

Original Poster
Rep: Reputation: 5
Quote:
I wouldn't worry too much about the firmware that comes with the kernel.
It would still be nice to have a blob free recipe.
Quote:
Check the diagram the EFF posted and see for yourself
I did a quick look at their website and didn't see the diagram. Do you mean the TOR diagrams?: https://www.torproject.org/about/overview.html.en
Are you referring to the issue with exit nodes on the TOR network?
Quote:
Tor was likely designed with the help of the NSA, and that's why they are pushing it.
"Tor is free and open source for Windows, Mac, Linux/Unix, and Android" <-- from the TOR website. It doesn't matter who started it ... if it works and is community developed then it will evolve, we hope

Diaspora ( https://en.wikipedia.org/wiki/Diaspo...ial_network%29 ) and Freenet ( https://en.wikipedia.org/wiki/Freenet ) are examples of projects working towards privacy, free speech, personal security, and freedom from having the government misprofile / persecute innocent people.
 
Old 06-14-2013, 08:39 AM   #7
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266
The link is on the prism vs tor site, it's a bit hidden because every word is a link, much like a blog:
https://www.eff.org/pages/tor-and-https

Freenet is better, but it runs on Java

I'm not sure if a blob-free kernel is possible without major breakage. Firmware being as low level as it is, it is very difficult to replace. Would it even be different from the original firmware ... it would have to be pretty close if you want the same functionality.

The firmware that is most dangerous, and can possibly pose a security threat is the BIOS, especially now that they have EFI, which can do a lot more than older ones. That is one thing I would like to be FLOSS.

Last edited by H_TeXMeX_H; 06-14-2013 at 08:41 AM.
 
Old 06-14-2013, 08:50 AM   #8
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 1,702

Rep: Reputation: 426Reputation: 426Reputation: 426Reputation: 426Reputation: 426
From a DoD standpoint (now historical, as I no longer work there), EFI would be MUCH MUCH worse than the old BIOS from a security perspective.

There was nearly nothing the standard BIOS could do. The worst effect is the sometimes possibility to burn a new BIOS into the eprom.

Why? simple. A classified system used to be declassified by removing the disk, and turning it off for 10 minutes, and removing the battery.

With current BIOS systems that gets tougher as EPROMS retain information even after the battery is removed.

With EFI it gets even worse. The memory records activity of the system.

So now, declassifying a system comes down to destroying the motherboard.

May as well as melt the entire system.

A very expensive situation.
 
Old 06-14-2013, 09:33 AM   #9
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266
There is coreboot:
http://www.coreboot.org/Welcome_to_coreboot
But the list of supported mobos/chipsets is not very long.
 
Old 06-14-2013, 02:43 PM   #10
jefro
Guru
 
Registered: Mar 2008
Posts: 10,255

Rep: Reputation: 1256Reputation: 1256Reputation: 1256Reputation: 1256Reputation: 1256Reputation: 1256Reputation: 1256Reputation: 1256Reputation: 1256
The bottom part of my messages have a signature. It is not meant to be part of the original poster's issue.


Maybe I ought to highlight that better?

The NSA may be (is) less capable than some other governments efforts to decrypt. Other governments may be funding this work to gain military advantages or corporate gain but they may also be using this for data Pearl Harbor.

Last edited by jefro; 06-14-2013 at 02:48 PM.
 
Old 06-14-2013, 06:12 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604
Quote:
Originally Posted by H_TeXMeX_H View Post
Tor was likely designed with the help of the NSA, and that's why they are pushing it.
Please get your facts straight: TOR sponsoring is no secret but it was the NRL and not the NSA.
And please get your incessant urge to turn everything into a conspiracy under control for once.
 
Old 06-14-2013, 09:32 PM   #12
DavidLee1A
Member
 
Registered: Dec 2012
Distribution: Debian Wheezy amd64
Posts: 121
Blog Entries: 12

Original Poster
Rep: Reputation: 5
On the other hand, it would be a bit of ignorance to assume the government is populated entirely by people who will deal without bias with essentially private information on everyone. In my youtube reference it was put forth by an x-NSA individual how the government could set parameters on desired information. In fact the government already has the tools according to the video of the three witnesses. They could discard the majority of information by computer without any human access thereby protecting the large part of the population. This would better preserve the right to privacy without really sacrificing national security (and keep the government from violating the requirement for a warrant, which they are doing).

H_TeXMeX_H gave a nice link: http://www.coreboot.org/Welcome_to_coreboot , I'm not sure there is a blob free linux to go along with coreboot BIOS (and associated hardware) ... it would be a perfect marriage.
 
Old 06-15-2013, 03:17 AM   #13
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266
Quote:
Originally Posted by unSpawn View Post
Please get your facts straight: TOR sponsoring is no secret but it was the NRL and not the NSA.
And please get your incessant urge to turn everything into a conspiracy under control for once.
NRL ? National Rugby League ?
 
Old 06-15-2013, 04:20 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604
No and not the Nuclear Rocket scientists League either, the other NRL, the Naval Research Laboratory.
 
Old 06-15-2013, 05:09 AM   #15
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266
Well, either way, the design of Tor be it intentional or non-intentional, allows for spying at the ISP level. HTTPS cannot protect against this, because generating an SSL certificate isn't that difficult with plenty of computing power, and extremely easy when you have a three letter agency badge.
 
  


Reply

Tags
kernel, linux, security


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Fundamental VM Question Kato Linux - Newbie 2 06-03-2012 03:12 PM
[SOLVED] Fundamental question re patching gxw Red Hat 2 10-12-2011 01:11 AM
I got a fundamental question about ip addresses trist007 Linux - Newbie 11 06-02-2008 12:38 AM
fundamental open-mosix question TomalakBORG Linux - General 2 08-04-2006 05:28 PM
Fundamental Question in C and C++ linux_ub Programming 5 07-28-2004 11:26 AM


All times are GMT -5. The time now is 09:04 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration