# NSA SELinux inclusion into FreeBSD Kernel



## betzalelmaggid (Aug 18, 2018)

Hi, I am making a transition to Slackware and FreeBSD, due to trying to get away from the NSA SELinux module, and SystemD. I was doing some research to see if the NSA had tinkered with the FreeBSD Kernel as well, and from what I found, it seems like they in fact have.
It seems that the version or name of this module in FreeBSD is called the Flask module / daemon, and they have embedded it in the FreeBSD Kernel as well as Mac OS X... Here is a PDF document talking about it back in 2006:

http://selinuxsymposium.org/2006/slides/02-vance-bsd.pdf

Here's a Wikipedia article on it:
https://en.wikipedia.org/wiki/FLASK

*Flask: Flux Advanced Security Kernel*
http://www.cs.utah.edu/flux/fluke/html/flask.html

The Flask Security Architecture: System Support for Diverse Security Policies
https://www.cs.cmu.edu/~dga/papers/flask-usenixsec99.pdf

So I had met an Ex-NSA person, and asked them directly "Is there a back door in the SELinux security module?" His response was "I cannot talk about that..." which indicates to me that there is a pretty good chance that there is.... So if FreeBSD ALSO has this via the Flask module just like Red Hat, it makes me hesitant to use it, as that was part of the reason for getting away from RHEL in the first place....
Can anyone here confirm whether or not it is currently being implemented in FreeBSD 11.2, or in the plans of being implemented in 12?
Thanks
- Betzalel Maggid


----------



## ShelLuser (Aug 18, 2018)

For starters: just because some group or organization wrote a kernel module for FreeBSD doesn't automatically imply that it has also become part of the base system. If you're _really_ this concerned about security aspects then you out of all people should realize that going on assumptions isn't the brightest of ideas.

```
peter@zefiris:/home/peter $ kldstat -v | grep flask
peter@zefiris:/home/peter $
```

I also can't help but wonder if you actually read your own comments. I mean... that project dates back from 2006, so it should already have easily made it into FreeBSD (and been documented) by now. Obviously it hasn't.



betzalelmaggid said:


> So I had met an Ex-NSA person, and asked them directly "Is there a back door in the SELinux security module?" His response was "I cannot talk about that..." which indicates to me that there is a pretty good chance that there is....


You should consider a career as comedian.


----------



## Maelstorm (Aug 18, 2018)

Well, in FreeBSD as in Linux, the source code is available for inspection.  Considering the number of eyes on both projects, it's hard to imagine that some backdoor has gone undetected for...12 years now...although not inconceivable.

Besides, I wonder if the OP is trying to troll people.


----------



## betzalelmaggid (Aug 18, 2018)

@Maelstorm - the thing is, apparently the OpenSSH package had an NSA backdoor in it that went unchecked for quite some time. This was an obfuscated hack that used system checks and wait cycles for the hack to be hidden in. It was eventually found, but not until it was already running in major production systems - some of which can take 6 months to a year to patch depending on the method that a company's PROD team uses for patch cycles. I know it may sound a little paranoid, but then again, we all said that people who thought the NSA/CIA was listening in on their phone calls and thought their computer monitors were crazy, and look what happened #EdwardSnowden. I know that the NSA has a direct feed to the fiber-optic backbone and they scan all communications through the traffic, but still having something like that sitting in my server in my own home, I don't really like that.


----------



## rigoletto@ (Aug 18, 2018)

It is pretty ridiculous to think OpenBSD people would add an NSA backdoor in OpenSSH; only someone who doesn't know OpenBSD and the people behind it would believe something like that without real proof.


----------



## alexseitsinger (Aug 19, 2018)

betzalelmaggid said:


> *This was an obfuscated hack that used system checks and wait cycles for the hack to be hidden in.*



Unfortunately, it's quite unlikely that this kind of information would be openly shared if it were true. I would suggest doing some digging into the FreeBSD sources on your own if you're suspicious. I would find the SELinux implementation and use that as a reference to search in other places.


----------



## ShelLuser (Aug 19, 2018)

Maelstorm said:


> Besides, I wonder if the OP is trying to troll people.


I'm pretty convinced of that right now to be honest.


----------



## Maelstorm (Aug 19, 2018)

Well, the main personality behind OpenBSD is Theo de Raadt. Knowing him, he wouldn't go for the NSA having a backdoor anywhere in OpenBSD. Because of his anal retentive policies dealing with security, OpenBSD is widely regarded as the most secure OS out there. They have had...what...two...remote holes in the default install in what...25 years? Now that's quite impressive.


----------



## rigoletto@ (Aug 19, 2018)

Maelstorm said:


> Well, the main personality behind OpenBSD is Theo de Raadt. Knowing him, he wouldn't go for the NSA having a backdoor anywhere in OpenBSD. Because of his anal retentive policies dealing with security, OpenBSD is widely regarded as the most secure OS out there. They have had...what...two...remote holes in the default install in what...25 years? Now that's quite impressive.



Not to say OpenBSD is based in Canada and they do not allow US Citizens to work on their cryptographic code, see HERE.


----------



## Maelstorm (Aug 19, 2018)

lebarondemerde said:


> Not to say OpenBSD is based in Canada and they do not allow US Citizens to work on their cryptographic code, see HERE.



Oh, I know because the US has strict export regulations concerning cryptography. In fact, the US considers strong cryptography to be in the same category as munitions. Just ask Phil Zimmermann of PGP fame. The US government raked him over the coals because PGP (at the time) was considered to be high grade crypto and it made it out of the US without the government's permission.


----------



## kpa (Aug 19, 2018)

Maelstorm said:


> Oh, I know because the US has strict export regulations concerning cryptography. In fact, the US considers strong cryptography to be in the same category as munitions. Just ask Phil Zimmermann of PGP fame. The US government raked him over the coals because PGP (at the time) was considered to be high grade crypto and it made it out of the US without the government's permission.



It did and it didn't. It was exported out of the country but it was printed on paper and books are treated differently when it comes to export regulations.

https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_investigation


----------



## Crivens (Aug 19, 2018)

The US tried to label the booping _Enigma_ to be unfit for export. They should not have imported it then in the first place.

Other than that, there is no need to shout around here, so no more all-caps or all-bold messages.

This thread seems to head into tinfoil hat territory. That is not necessarily a bad thing, but one or two bits of proof would be good.


----------



## Maelstorm (Aug 19, 2018)

Crivens said:


> The US tried to label the booping _Enigma_ to be unfit for export. They should not have imported it then in the first place.



Say what? Enigma was broken by the British during WWII by a team led by British mathematician Alan Turing. Heck, there's even a recent movie about it called The Imitation Game starring Benedict Cumberbatch.



Crivens said:


> Other than that, there is no need to shout around here, so no more all-caps or all-bold messages.



Eh....  I just ignore it.



Crivens said:


> This thread seems to head into tinfoil hat territory. That is not necessarily a bad thing, but one or two bits of proof would be good.



When it comes to security, a little paranoia is a good thing.  However, the whole tin-foil hat conspiracy theory that the NSA has planted backdoors in our open source operating systems is in the realm of little green men from Mars, a secret military base on the far side of the moon, and that 9/11 was an experiment in controlled demolition.  But hey, what do I know?


----------



## Crivens (Aug 19, 2018)

We all know who has a secret moon base, and they _come in peace_. (Interesting, my US build spell checker flags that word.)

Maelstorm, the grunt work of cracking the Enigma was done by some Polish guys. This should by no means take credit from Alan Turing. A brilliant mind, and a shame what was done to him.

I can also only point to "to protect and infect" on YouTube. Watch it and raise your hand if unsurprised (I did). So much for tinfoil headgear. Good night gentlemen, I'll call it a day.


----------

