What I Would Like to Ask SCO

Friday, July 04 2003 @ 03:44 PM EDT

Contributed by: PJ

Is NSA's Security-Enhanced Linux also guilty of using SCO's code or derivatives thereof? If so, what is SCO planning on doing about it? And if Linux is truly a security hazard, because of its international source distribution, wouldn't the NSA have noticed this back in 2001 when it released its own version of Linux? In short, is the NSA guilty of software piracy? Hmm....or, is this all a joke? Or a redefining of the past? What? SCO has tried to portray Linux users as unpatriotic, hippie, music-downloading pirate equivalents, which as a Linux user myself I find offensive, but if it were true, what, then, is the NSA? They not only use it, they helped write it. Does that make them unpatriotic? That is for sure laughable. Pirates? Abusers of others' IP? Puh-lease.

Here is part of what the NSA says about Security-Enhanced Linux on its web site:

"The results of several previous research projects in this area have been incorporated in a security-enhanced Linux system. This version of Linux has a strong, flexible mandatory access control architecture incorporated into the major subsystems of the kernel. The system provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements. This allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications.

"Linux was chosen as the platform for this work because its growing success and open development environment provided an opportunity to demonstrate that this functionality can be successful in a mainstream operating system and, at the same time, contribute to the security of a widely used system. Additionally, the integration of these security research results into Linux may encourage additional operating system security research that may lead to additional improvement in system security."

Here is the NSA press release put out on January 2, 2001:


   "Recognizing the critical role of operating system security mechanisms in supporting security for critical and sensitive applications, National Security Agency (NSA) researchers have been investigating an operating system architecture that can provide the necessary security functionality in a manner that can meet the security needs of a wide range of computing environments. The NSA is pleased to announce that it has developed, and is making available to the public, a prototype version of a security-enhanced Linux system. The prototype includes enhancements to Linux that provide new, stronger protection against tampering and bypassing of application security mechanisms and greater limits on the damage that can be caused by malicious or flawed applications.

    "The security mechanisms implemented in the system provide flexible support for a wide range of security policies. The currently implemented access controls are a combination of type enforcement and role-based access control. The specific policy enforced by the kernel is dictated by security policy configuration files which include type enforcement and role-based access control components. This release includes a set of sample security policy configuration files designed to meet common, general-purpose security goals.

    "Both the President's National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism and the President's Information Technology Advisory Committee have recently called for increasing the federal government's role as both user and contributor to open source software. 'Open source software plays an increasingly important role in federal IT systems. I'm delighted the NSA's security experts are making this valuable contribution to the open source community,' said Jeffery Hunker, Senior Director for Critical Infrastructure at the White House National Security Council.

    "Since this system is a prototype, there is still much work to be done to develop a complete security solution. Anyone interested in experimenting with the system or getting more information about it, should visit the project web site at http://www.nsa.gov/selinux. This site contains the source to the system as well as some technical documentation about it.

    "NSA is presenting this system under the terms of the GNU General Public License with the intention to work with the Linux community to refine these enhancements for eventual inclusion into Linux. The system is not intended to be a complete security solution for Linux, nor does it correct any flaws that may currently exist in Linux.

    "The Information Assurance Research Office of the NSA is responsible for conducting research and advance development of technologies needed to enable the NSA to provide the Solutions, Products, and Services to achieve Information Assurance for information infrastructures critical to U.S. National Security interests. The security-enhanced Linux prototype was developed in conjunction with research partners from NAI Labs, Secure Computing Corporation (SCC), and MITRE Corporation. Researchers at the NSA implemented the security architecture in the major subsystems of the Linux kernel with some refinements provided by NAI Labs. SCC, MITRE, and NAI Labs also assisted the NSA in developing application security policies and enhanced utilities for the system."

EEK. It's released under the GPL. Here's what it says on the FAQ page:

"What does your distribution include?
"Security-enhanced Linux includes patches to the Linux kernel and patches to a number of standard tools and utilities. It also includes a number of new utilities, support files, and documentation. By far the easiest way to build and install Security-enhanced Linux currently is to duplicate our source trees (lsm-2.4 and selinux) and follow the instructions in selinux/README. We have provided compressed archives of our source trees, as well as several ways to build it by acquiring only our modifications from our web site ( http://www.nsa.gov/selinux/ ). As time permits, we intend to create or modify the RPM spec files as appropriate and provide SRPM format files.

"Can I install Security-enhanced Linux on an existing Linux system?
"Yes. You actually need to have an existing Linux system. The Security-enhanced Linux distribution is source code for a modified Linux kernel and some utilities. You must have the ability to compile a kernel and also have necessary, but unmodified system packages. Our distribution is known to install on the Red Hat distribution, and has not been tested with others."

You can download it here after you read the disclaimers on the page. At least, the NSA page says you can. I assume they know whether their own product is legal or not. I am not advising you personally, because we are now in Alice-in-Wonderland upside-downness, where you can't be sure who is who and what is what any more.

Their "Linux 2.5 Kernel Summit Presentation on SELinux" is available in PostScript or PDF at the bottom of this page. I do believe 2.5 is a version of the kernel SCO claims is in question. So, what is the deal? Is the government itself guilty of misappropriation of SCO IP? Heavens to Betsy! If so, it must mean it's "Off with their heads!"

If the NSA didn't notice a problem, is Linus responsible for not noticing the same alleged problem? And who is the one responsible for policing its own IP in this picture? If SCO, as Caldera, for nearly a decade released under the GPL, wouldn't you think they would have done their own due diligence and noticed a problem back when it allegedly happened? It's not like the code was hidden away. Anyone could read it any time they liked. So, if SCO/Caldera didn't notice back then either, how can they sue others for not noticing?

I admit, my head is about to explode trying to parse out the logic of this mad hatter's tea party argument. But it seemed like these would be appropriate questions to ask on this July 4, 2003.