SELinux and the NSA - should we be worried?
A friend of mine years ago said, "Just because I'm paranoid doesn't mean people really aren't out to get me."
I just read yet another article about the US National Security Agency and the company named RSA. The NSA apparently paid RSA $10 million to subvert one of RSA's security algorithms. And the NSA subverted it further by working with RSA later to "improve" it.
Here is a link to the Reuters article:
http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331
That's one of the things the NSA does - they work with private companies to improve overall security. Except, at least with RSA, the NSA got caught inserting back doors and subverting the very security systems they were supposed to enhance.
And that leads to the Linux community. SELinux is an implementation of mandatory access control. Apply labels to objects and only subjects with matching labels can access those objects. Don't we tell the world that the open source community developed SELinux with assistance from the NSA?
Given the recent sensational disclosures about the NSA, I wonder if the SELinux experts are digging for back doors similar to what the NSA introduced to RSA. I like to tell open source skeptics that such things as NSA shenanigans can't happen with open source because too many people from too many organizations have their fingers in the development and the development process is transparent. But wouldn't it be awful if we found out the NSA figured out a way to introduce some sort of back door with SELinux? But if so, would it not also be better if the community found and fixed such problems before they show up in the next sensational revelation?
- Greg