Friday security sessions

Two of the Friday sessions I attended were focused on security. The first was a guru session on SELinux led by Dan Walsh, Red Hat's lead SELinux developer. SELinux is a labeling and enforcement engine developed by the NSA and released to the public: every process and file carries a security label, and a policy decides which labels may interact. It has developed a reputation among many sysadmins for being a hassle and is often turned off quickly. In addition to Rik Farrow's training session earlier in the week (covered in the LISA 10 blog), Dan's guru session was a chance for admins to learn how to coexist with SELinux.

Dan reviewed how SELinux labeling works, and how to build policy from the denials SELinux records in the audit log: grep out the AVC messages for the process in question and pipe them through audit2allow, which turns each denial into the allow rule that would have permitted it. For example, for an FTP server:

grep ftp /var/log/audit/audit.log | audit2allow

Adding -w (or running the same input through audit2why) explains each denial instead of generating a rule, including whether an existing Boolean such as ftp_home_dir would permit it. That is the better first step: flipping a Boolean with setsebool -P is preferable to loading a custom module, which is what audit2allow -M and semodule -i would do with the output above. (ausearch -m avc -c vsftpd is a more precise way to select the same records than grep.)

Of course, it's important to be judicious in adding allows: audit2allow will just as happily write a rule permitting an attacker's activity as one permitting a misconfigured daemon, so every generated rule needs a human to confirm the access was legitimate. SELinux is an intrusion prevention system, not an intrusion detection system. As a result, it's not very good at alerting you that you've been compromised. One sign is a denial for access the process has no business wanting, such as a network daemon suddenly trying to read files or execute from directories it never touched before.
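As an added example (not code from Dan's session or from the SELinux tools), the following script does the grouping step that audit2allow performs before emitting rules, but shows the counts and commands first and flags the groups that look like compromise rather than misconfiguration, which is the judgment call the paragraph above asks for. The audit log lines are constructed for the example, and the watchlist of target types an FTP daemon should never touch is an illustrative assumption, not policy from the talk.

```python
import re
from collections import defaultdict

# Constructed sample records in the format /var/log/audit/audit.log uses.
# These are made up for the example; they are not from the session.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1318183091.120:157): avc:  denied  { read } for  pid=2340 comm="vsftpd" name="index.html" dev=dm-0 ino=1310 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1318183091.120:157): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=AVC msg=audit(1318183092.004:158): avc:  denied  { getattr } for  pid=2340 comm="vsftpd" path="/home/alice/pub" dev=dm-0 ino=1301 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1318183400.771:201): avc:  denied  { read } for  pid=2340 comm="vsftpd" name="shadow" dev=dm-0 ino=655 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1318183401.102:202): avc:  denied  { execute } for  pid=2351 comm="vsftpd" name="x" dev=dm-0 ino=9001 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed watchlist for the "unusual access" check. An FTP daemon has no
# legitimate reason to read the shadow file or execute out of a tmp directory;
# these sets are an illustrative choice for this example, not policy from the talk.
NEVER_TARGETS = {"shadow_t"}
NO_EXEC_TARGETS = {"tmp_t", "user_tmp_t", "var_tmp_t"}
EXEC_PERMS = {"execute", "execute_no_trans", "execmod"}


def type_of(context):
    """Pull the type field out of a label: user:role:type[:range] -> type."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Return the interesting fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "stype": type_of(fields.get("scontext", "")),
        "ttype": type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
    }


def summarize(log_text):
    """Group denials by (source type, target type, object class).

    audit2allow groups the same way before emitting one allow rule per group;
    seeing the counts and commands first makes it easier to decide which
    groups deserve a rule at all.
    """
    summary = defaultdict(lambda: {"count": 0, "perms": set(), "comms": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        entry = summary[(d["stype"], d["ttype"], d["tclass"])]
        entry["count"] += 1
        entry["perms"] |= d["perms"]
        entry["comms"].add(d["comm"])
    return dict(summary)


def flag_unusual(summary):
    """Return the groups that look like compromise rather than misconfiguration."""
    flagged = []
    for key, entry in sorted(summary.items()):
        _stype, ttype, _tclass = key
        if ttype in NEVER_TARGETS:
            flagged.append(key)
        elif ttype in NO_EXEC_TARGETS and entry["perms"] & EXEC_PERMS:
            flagged.append(key)
    return flagged


def as_allow_rule(key, perms):
    """Render a group the way audit2allow would, for comparison with its output."""
    stype, ttype, tclass = key
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))


if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT_LOG)
    suspicious = set(flag_unusual(groups))
    for key, entry in sorted(groups.items()):
        tag = "SUSPICIOUS" if key in suspicious else "review"
        print("%-10s %3d  %-10s %s" % (tag, entry["count"],
                                       ",".join(sorted(entry["comms"])),
                                       as_allow_rule(key, entry["perms"])))
```

On the sample, the two user_home_t groups are the kind of denial a Boolean (ftp_home_dir) already covers, while the shadow_t read and the execute from tmp_t are flagged: feeding those through audit2allow would hand an intruder exactly the rule they need.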

After taking Rik's training last year, and attending Dan's guru session on Friday, I've resolved to enable SELinux on my desktop and laptop. We'll see how it goes.

In the afternoon, Susan Landau gave a talk entitled "Surveillance or Security? The Risks Posed by New Wiretapping Technologies". Unlike most other sessions, this talk was policy-based instead of technical. In the last decade, especially in the United States, wiretapping has been a widely discussed issue, making the talk very relevant.

Susan began with the challenges of wiretapping mobile phones compared with their wireline counterparts, then turned to the history. Wiretapping began almost as soon as the first telegraph lines were strung. General J.E.B. Stuart used wiretapping to learn the movements of opposing armies during the Civil War. Law enforcement use began in earnest during the Prohibition Era.

Relevant laws and judicial rulings from the 20th century were presented as a base to discuss the last 20 years, when wiretapping has been most prevalent. The Communications Assistance for Law Enforcement Act (CALEA) greatly expanded the scope of wiretapping in the U.S., including a requirement that phone switching equipment have wiretap support built in.

As international fiber lines were built in the 1990s, it changed the way many foreign-to-foreign calls were routed, bringing them through the United States. The Foreign Intelligence Surveillance Act (FISA) did not require a warrant for wiretap when one end of the communication was outside the United States, so the NSA lobbied to have this extended to fiber.

Sold initially to aid in kidnapping investigations and later in anti-terrorism efforts, wiretaps have been broadly used (though still, perhaps, not as widely used as during J. Edgar Hoover's tenure as the FBI Director). Simply understanding the transactional history of phone calls has led to the capture of Khalid Sheikh Mohammed and the London subway bombers. The U.S. Marshals, by locating suspects' mobile phones, have been able to reduce apprehension times from 42 days to 2 days.

These benefits don't mean that wiretaps are unequivocally good. Building wiretapping support into infrastructure exposes the tapping capability to anyone who can compromise the equipment, and lowers the cost of collection to the point where overcollection becomes a civil liberties concern. Although Susan argues that the real national security threat is cyberexploitation, she maintains that it's important that freedom, especially press freedom, remain unrestricted.