Sorry, I'm a bit paranoid with all this NSA scandal.
Recently I've come across a news article where it is described how the FBI tried to hunt down a computer in an unknown location and its owner. The article goes on to describe how they tried to compromise the user's PC by posting a link in his Yahoo email account to a server controlled by feds that's serving malicious code. While I'm guessing this user was using Windows on his laptop, I can't stop asking myself how would a government agency like NSA, FBI, DoD, etc. try to compromise a Linux machine. So I was wondering... besides the obvious ways of tricking a user to download a malicious component, what's the chance that a repository gets hit by a national security letter or an equivalent?
I mean, can the software downloaded from official repositories really be trusted? What's the chance a government orders a company like Canonical or maybe an admin of the Arch Linux repository to upload and serve an OS update with an infected component to some of its users? Since the component would be signed by the admin's private key, the OS would simply install it without question. How can such an intrusion into a repository be detected? Can a government even force a repository admin to upload malware... and sign it with his private key?
Please keep the conversation constructive, I'm asking this question for the purpose of learning more about the Linux security landscape.
Distribution: Debian Wheezy, Jessie, Sid/Experimental, playing with LFS.
A government, as we have found out and history shows us time and again, can do whatever it wants. The important thing is not the government; rather, the important thing is the people. Are the people, or corporations, trustworthy and do they have their users as their highest priority? If the answer is yes then you'll be ok, if the answer is no then choose a distro that does.
Depends on how thick a person wants to make a hat out of tinfoil I guess. One could say that repositories might not really be the worst offender - if I was the government I would affect things like actual algorithms used for encryption, hashing and of course I'd probably go after the hardware itself.
Ultimately, a user can choose to be extremely paranoid and cause themselves harm or be cautious and go with a distribution that chooses the user first (which still excludes the actual code authors and contributors).