# Gentoo on Schneier's blog as a security measure against the NSA

## Benjamin1

In a comment on Bruce Schneier's blog on security-related questions, Gentoo was mentioned as a security measure against NSA spying:

https://www.schneier.com/blog/archives/2014/01/feedtrough_nsa.html#c3386263

 *Quote:*   

> The NSA's nightmare world:
> 
> The kernel and the more complex applications are built on-the-fly for every installation, a la Gentoo.
> 
> Instead of the current "packaged" desktop environments, all of the various desktop functionality would be mix-and-match, and the user would be actively encouraged to try out the various alternatives.

 

----------

## Voltago

That's all fine and dandy, but Gentoo is

a) not for the average user; 99% of the users will not want to configure a source distro, even if that means that their pr0n playlist ends up on a desk at homeland security.

b) as vulnerable as anything else if some basic component's source is compromised.

Out of the box, Gentoo's only thing going for it is security-by-obscurity; for anything beyond that some extra work and time has to be invested (hardened, SELinux which was co-developed by the NSA now that I come to think of it, AppArmor, ...).

----------

## N8Fear

 *Voltago wrote:*   

> Out of the box, Gentoo's only thing going for it is security-by-obscurity; for anything beyond that some extra work and time has to be invested (hardened, SELinux which was co-developed by the NSA now that I come to think of it, AppArmor, ...).

 

This is not entirely correct: custom CFLAGS, USE flags etc. add a lot of entropy to where each part of a program is located in memory. This is not unbreakable but tremendously increases the work required to exploit a box via ROP. I'd say that this really increases the cost of an attack because everything needs to be tailored to your installation, and not in the sense of getting the right "default exploit" but in the sense of manual labor.

For a targeted attack (i.e. if the NSA wants something from exactly YOU badly) this won't help that much, but against the default "dragnet-exploitation" this will likely help.

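The point N8Fear makes about ROP, shown in code as an added example that is not part of the original thread: a return-oriented payload is a list of addresses of `pop ...; ret` gadgets in one specific binary, so a chain built against one build stops landing on gadgets when the same code is laid out differently. The two "builds" below are constructed byte strings standing in for the same function compiled with two different flag sets, the load address `0x400000` is an assumption (no ASLR, so only compile-time layout varies), and the decoder only understands single-byte `pop` and `ret` opcodes; real scanners such as ROPgadget decode far more.

```python
"""Toy x86-64 ROP-gadget scanner (added illustration, not code from the thread).

Demonstrates that a ROP chain is tied to the exact byte layout of the binary it
was built against: the same three code sequences, placed differently, yield
different gadget addresses, and a chain built for build A fails on build B.
"""
from typing import Dict, List, Tuple

# One-byte x86-64 opcodes this toy decoder understands: pop r64 and ret.
POP_REG = {0x58: "rax", 0x59: "rcx", 0x5A: "rdx", 0x5B: "rbx",
           0x5C: "rsp", 0x5D: "rbp", 0x5E: "rsi", 0x5F: "rdi"}
RET = 0xC3
BASE = 0x400000  # assumed load address; no ASLR so only compile-time layout varies

# Constructed "build A": three sequences a compiler might emit, one placement.
BUILD_A = bytes([0x55, 0x48, 0x89, 0xE5,   # push rbp; mov rbp, rsp (prologue)
                 0x5F, 0xC3,               # pop rdi; ret
                 0x90, 0x90,               # nop padding
                 0x5E, 0x5A, 0xC3,         # pop rsi; pop rdx; ret
                 0x90,
                 0x5D, 0xC3])              # pop rbp; ret

# Constructed "build B": same sequences, reordered and re-aligned, as a different
# optimisation level or inlining decision would produce.
BUILD_B = bytes([0x55, 0x48, 0x89, 0xE5,
                 0x90, 0x90, 0x90, 0x90,   # alignment padding
                 0x5D, 0xC3,               # pop rbp; ret
                 0x5E, 0x5A, 0xC3,         # pop rsi; pop rdx; ret
                 0x90, 0x90,
                 0x5F, 0xC3])              # pop rdi; ret

# The gadgets an attacker wants, with the values each gadget pops (constructed).
WANTED: List[Tuple[str, List[int]]] = [
    ("pop rdi; ret", [0x601000]),
    ("pop rsi; pop rdx; ret", [0, 0x100]),
]


def find_gadgets(text: bytes, base: int = BASE, depth: int = 3) -> Dict[int, str]:
    """Map address -> 'pop ...; ret' for every RET preceded by 1..depth pops.

    Every suffix is recorded, so 'pop rsi; pop rdx; ret' also yields
    'pop rdx; ret' one byte later, the way real gadget scanners do.
    """
    gadgets: Dict[int, str] = {}
    for i, byte in enumerate(text):
        if byte != RET:
            continue
        ops: List[str] = []
        j = i
        while j > 0 and len(ops) < depth and text[j - 1] in POP_REG:
            j -= 1
            ops.insert(0, f"pop {POP_REG[text[j]]}")
            gadgets[base + j] = "; ".join(ops + ["ret"])
    return gadgets


def build_chain(gadgets: Dict[int, str],
                wanted: List[Tuple[str, List[int]]]) -> List[int]:
    """Lay out the stack image: each gadget address followed by its pop values.

    Raises KeyError if this build simply lacks a needed gadget.
    """
    by_text = {mnemonic: addr for addr, mnemonic in gadgets.items()}
    chain: List[int] = []
    for mnemonic, values in wanted:
        chain.append(by_text[mnemonic])
        chain.extend(values)
    return chain


def chain_matches(chain: List[int], gadgets: Dict[int, str],
                  wanted: List[Tuple[str, List[int]]]) -> bool:
    """Walk the chain as the CPU would after the first ret: every gadget address
    must decode to the intended mnemonic in THIS build, and the slots after it
    are consumed by that gadget's pops."""
    pos = 0
    for mnemonic, values in wanted:
        if pos >= len(chain) or gadgets.get(chain[pos]) != mnemonic:
            return False
        pos += 1 + len(values)
    return pos == len(chain)


def demo() -> Tuple[bool, bool]:
    """Build a chain against build A and try it on both builds."""
    gadgets_a, gadgets_b = find_gadgets(BUILD_A), find_gadgets(BUILD_B)
    chain = build_chain(gadgets_a, WANTED)
    return chain_matches(chain, gadgets_a, WANTED), chain_matches(chain, gadgets_b, WANTED)


if __name__ == "__main__":
    works_on_a, works_on_b = demo()
    print("chain built for build A works on build A:", works_on_a)
    print("same chain on build B:", works_on_b)
```

The chain for build A uses `0x400004` for `pop rdi; ret`; in build B those bytes are padding and the gadget lives at `0x40000f`, so the attacker has to re-scan and rebuild per target, which is the manual-labor cost described above. It also shows the limit N8Fear states: against a targeted attacker who can obtain your exact binaries, re-running the scanner is cheap.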
----------

## 1clue

There's a lot wrong with the OP's quote.

First, on the box:

How many of us read every line of code on our Gentoo system before compiling it?  

How many of those who do analyze that code to see if it does what's advertised and nothing more?

Face it, most of us (me, obviously) just follow the Handbook, pick our favorites and install them.  I've never code reviewed anything that it wasn't my job to code review.

Second, The Outside:

Since it was already brought up by Voltago, nothing you do on your Gentoo box can keep a government agency (or your ISP) from knowing what kind of pr0n you look at.  Anyone who has access to a choke point (your ISP for example) will know that you made some sort of connection to an IP address.  They'll know that IP address, and if it's a pr0n site they'll probably be able to figure out that you're not watching Agents of Shield.

You can use an identity-shielding proxy, but frankly that stuff sucks and you spend more time trying to get the page to work than you spend getting anything done on it.

How many of you guys have put a packet sniffer on your cable modem?  Especially if you have a non-nerd spouse or kids?  There's so much going through that wire that's unencrypted, you have no more secrets to give.  Do you look at Facebook?  I swore it off until I found out my wife was posting every little thing on there, not just of us but of all her friends, our neighbors, somebody at the park, somebody at the mall, somebody at the restaurant...and she's not even CLOSE to as bad as some of her friends.

The only way you won't be spied on is if you live in an abandoned coal mine a hundred miles from the nearest Internet connection.  The moment you step out into the open light, somebody's gonna have you on Facebook.  They'll have a motion activated wildlife camera pointed at you, and it's going to automatically send your pictures to the world.

The idea of preventing somebody from adding spyware to your system, it's noble and all that but are you really sure something you do with your computer doesn't have exactly the same effect as the spyware would?  You can be paranoid for yourself, but can you be paranoid for the rest of the world?

Don't get me wrong. I am trying to make my home network as secure as I can, just because I work at home and my customers want the best security they can get, and it's in the contract.  But let's be real about it.

----------

## 666threesixes666

You've got to attack them on moral grounds, and financially.... Like the post above says, nothing stops them from man-in-the-middle attacks at the ISP end.

http://3.bp.blogspot.com/-QxFdIiHhml4/UqIXmnfhltI/AAAAAAAABBc/53VH6mR8RV4/s1600/NROL-39+is+Hydra.jpg

----------

## 1clue

At either end.  Certainly if there's a web site with lots of material of questionable legality on it, pick-your-favorite-government will have hooks in the router of their ISP.

That's not just the USA government, it's pretty much any government who has computer people and is curious about wrongdoing.

Moral?  Financial?  I don't see it.  FWIW I don't give a rat's rear what my government tries to do, they're at least bound by the appearance of legality.  What scares me are the endless devices I've bought that seem to show up on my wifi active devices list.  I have no idea what's in there.  About half of the TV sets, all of the Blu-Ray devices, the phones, the printer, a stupid speaker system.  MagicJack.  That's about all I can think of right now, but last I looked there were 37 active devices, and only half of them were what I would have thought as needing a network connection.  That's for 2 people and a dog.

Where were these things made?  I'll give you 3 guesses.  The stuff I buy comes from Intel and a few other favorite manufacturers.  I buy all the components, so at least I know who the manufacturer is.  Toys, TV sets, cable TV boxes, I can be pretty sure those have some sort of report-back-to-the-manufacturer action going on, or why would they want a connection?

So what does China want with what I have in my house?  What does some guy from Nigeria or Georgia (the country) or Afghanistan want, who keeps spamming me with long lost dead relatives who want to give me money?

What about "automatic update?"  What about your router?  If there's one company that <insert your favorite government> wants to get hooks into, it's Cisco.  Does your Linksys router automatically get updates?

Got IPMI on any of your boxes?

PS: Oh yeah, back to the point:  What does Gentoo on your desktop/laptop do to stop any of that?  If you can't trust the people who make your router firmware, you're screwed.  If you can't trust all the digital cockroaches in your home, you're screwed.

----------

## ogenos

Well written, 1clue! Isn't this like a cybernetic telepathy of humanity?

----------

## Navar

 *1clue wrote:*   

> Got IPMI on any of your boxes?

 

No.  I consider it a definite security risk, particularly via brute force attacks.  Even with the newer specification.  I'm certainly not alone in that, see Schneier, et al.  They've covered it before and again now.  Particularly after some things pointed out with regards to Cisco.

As far as consumer routers go, most are treated like printers.  You maybe get a few firmware upgrades that may address known vulnerabilities.  After that the manufacturer has already entirely abandoned them (often less than a year).  The much larger threat remains your ISP's network out.

The biggest problem I see is GSM.  'Effective' key bits of 54.  That and overall how pathetic any security or control of such exists on mobile devices, particularly smartphones.

----------

