[Cryptography] A lot to learn from "Business Records FISA NSA Review"

Thu Sep 19 13:02:35 EDT 2013

On 09/16/2013 07:58 AM, Perry E. Metzger wrote:

> Well, we do know they created things like the (not very usable)
> seLinux MAC (Multilevel Access Control) system, so clearly they do
> some hacking on security infrastructure.

SeLinux seems to be targeted mostly at organizational security,
whereas the primary need these days is not organizational, but
uniform.

That is to say, we don't in practice see many situations where
different levels and departments of an organization have complex
and different rules for how and whether they can access each
other's information and complex requirements for audit trails.

What we see is simpler; we see systems used by people who have
more or less uniform requirements and don't much need routine
auditing, except for one or two administrators.

More useful than the complexity of SeLinux would be a relatively
simple system in which ordinary Unix file permissions were
cryptographically enforced.  If for example read permissions on
a file are exclusive to some user or some group, then that file
should be encrypted so that no one else, even if the bytes are
accessible to them by some means, should be able to make sense
of it, and the configuration options should include not storing
the key to it anywhere in the system -- let the user plug a
USB stick in to give the key for his session, and let the user
remove it to take that key away again whenever he's not using it,
rather than leave it around on the hard drive somewhere potentially
to be accessed by someone else at some other time.

We have spent years learning to protect the operating system from
damage by casual mistakes and even from most actual attacks,
because for years control of the computer itself was the only
notable asset that needed to be protected.  It is still true that
control of the computer is always at least as valuable as
everything else that it could be used to compromise, but with
unencrypted files it can compromise far too much.  And the value
of what is stored in individual accounts has gotten far too high
to *NOT* give protecting them at least as much thought as
protecting root's access rights. Photographs, banking records,
schedules, archived mail going back for years, browser histories,
"wallets" that contain many other keys, etc, etc.  This is far
different from old days when what was on a user's account
was basically a few programs the user used and some text or
code that the user had written.  We need to catch up.

Bear