EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

01.17.14

For Real Security, Use CentOS — Never RHEL — and Run Neither on Amazon’s Servers

Posted in GNU/Linux, Red Hat, Security at 9:27 am by Dr. Roy Schestowitz

Red Hat logo

Summary: Never run Red Hat’s “Enterprise Linux”, which cannot be trusted because of NSA involvement; Amazon, which pays Microsoft for RHEL and works with the CIA, should never be used for hosting

SEVERAL years ago CentOS almost died; now it’s being embraced by Red Hat and one pundit from tech tabloid ZDNet is moving to CentOS Linux on the desktop [1,2].

CentOS is still in the news [3], with the CentOS project leader (Karanbir Singh) giving an interview to the Linux Foundation [4]. We trust CentOS, whereas trusting Red Hat is hard. RHEL is binary and based on news from half a decade ago, the NSA is said to be involved in the building process, as well as SUSE’s, whereas CentOS is built from source (publicly visible). Microsoft and the NSA do the same thing with Windows and it’s now confirmed that Windows has NSA backdoors.

Earlier this month vulnerabilities in RHEL’s openssl and RHEL’s gnupg [5,6], contributed even less to trust. RHEL is so standard in the industry that it would probably be simpler than other distributions to exploit; the NSA may as well have off-the-shelf exploits for all major RHEL releases, which are deployed in many countries’ servers (even so-called ‘rogue’ countries). Based on the NSA leaks, Fedora — not RHEL — is being used by the NSA itself to run its spying operations (e.g. collecting radio signals from afar). Fedora is not truly binary-compatible and its source code makes secrets hard to keep.

Lastly, mind the latest of Red Hat’s Fog Computing hype [7,8], including the CIA’s partner Amazon that’s lumped onto Red Hat [9,10] as part of a conference [11,12]. Avoid Amazon at all costs. It’s a malicious trap for many reasons. Amazon also pays Microsoft for RHEL after a patent deal with Microsoft, as we pointed out years ago. Suffice to say, Microsoft's servers are as bad as Amazon's for privacy.

RHEL and its derivatives continue to be deployed in many large networks of systems [13], so it’s clear why the NSA would drool over the possibility of back doors in RHEL. Watch out for that. Given the way NSA infiltrated standards bodies and other institutions, it’s not impossible that there are even moles at Red Hat or Fedora. There used to be some at Microsoft (we know about those who got caught).

Red Hat’s CEO is now telling his story in a Red Hat site [14] and one needs to remember who he used to work for (close to Boeing, which is primarily an army company), not just the country he is based on (hence the rules that apply to him, especially when he wishes to appeal to government contractors, DoD/Pentagon etc. which are the most lucrative contracts).

It should be noted that my Web sites are mostly running CentOS and the same goes for the host of Techrights, who focuses on security. With CentOS you can get the source code and redistribute; with Red Hat’s RHEL you can’t (it’s sold as binary).

There is definitely a good reason to trust CentOS security more than RHEL security. As for Oracle (“Unbreakable”), well… just read Ellison’s public statements in support of the NSA (never mind the company’s roots and the CIA). That tells a lot.

The bottom line is, blind faith in binary distributions is a bad thing. Blind faith in NSA partners (Red Hat collaborates with the NSA not just in SELinux) is even worse.

Related/contextual items from the news:

  1. Taking the long view: Why I’m moving to CentOS Linux on the desktop
  2. Is CentOS ready for the Linux desktop?

    CentOS is a very interesting and different choice for a desktop distribution. I haven’t heard of many people using it that way. Whenever somebody brings it up it’s usually within the context of running a server.

  3. Fedora and CentOS Updates, Linux for Security, and Top Seven
  4. CentOS Project Leader Karanbir Singh Opens Up on Red Hat Deal

    In the 10 years since the CentOS project was launched there has been no board of directors, or legal team, or commercial backing. The developers who labored to build the community-led version of Red Hat Enterprise Linux (RHEL) worked largely unpaid (though some took a few consulting gigs on the side.) They had a few hundred dollars in their bank account to pay for event t-shirts and that was it. And the project’s direction was decided based on the developers’ immediate needs, not a grand vision of future technology.

  5. Red Hat: 2014:0015-01: openssl: Important Advisory
  6. Red Hat: 2014:0016-01: gnupg: Moderate Advisory
  7. Red Hat Invests in Open Source IaaS, Cloud Talent
  8. Red Hat Academy Expands Training, Includes OpenStack Coursework
  9. Red Hat Launches Test Drives on AWS

    At its annual Partner conference in Scottsdale, Arizona this week Red Hat (RHT) announced new Test Drives on Amazon Web Services (AWS) with three Red Hat partners – CITYTECH, Shadow-Soft, and Vizuri. Through the AWS Test Drive program, users can quickly and easily explore and deploy ready-made solutions built on Red Hat technologies.

  10. Why Red Hat Needs OpenStack … And AWS

    OpenStack, the cloud’s community darling, desperately needs leadership, and Red Hat seems the ideal leader. But OpenStack isn’t the only needy party here. As good as Red Hat’s growth has been over the last decade, it pales in comparison to that of VMware, a later entrant that has grown much faster than Red Hat. And the open source leader still trails well behind Microsoft.

  11. Google, Amazon Clouds Invade Red Hat Partner Conference

    Google Cloud Platform and Amazon Web Services executives are set to address Red Hat Partner Conference attendees on Jan. 13 in Arizona. No doubt, the keynotes will seek to ensure Linux resellers understand how to move customer workloads into the Google and AWS public clouds, respectively.

  12. 7 Surprises At Red Hat Partner Conference 2014
  13. How to deploy OSSEC across a large network of systems from RPMs
  14. Teens and their first job: How to get on the path to a happy career

    I grew up in the 1980s in Columbus, Georgia. You needed a car to get around, so I did not work until I could drive. Within months of getting my driver’s license, I got my first job as a part-time computer programmer for a stockbroker.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

7 Comments

  1. AdamW said,

    January 17, 2014 at 7:44 pm

    Gravatar

    The RHEL 6 source – yes, RHEL is built “from source”, amazing, I know! – is right here:

    http://ftp.redhat.com/redhat/linux/enterprise/6Server/en/os/SRPMS/

    do feel free to peruse it at your leisure.

    Dr. Roy Schestowitz Reply:

    That’s a bit of a straw man response; I know there’s source code for RHEL, but if one was to built it from source, would it be identical to the binaries distributed by Red Hat? We need to check the build process, too. It’s about trusting trust and we already know what the NSA has been doing with corporate or squsi-corporate partners like RSA, NIST, Microsoft, etc.

    richardon Reply:

    I’m sorry but this is a loda of cr*p.

    If RedHat’s binaries differ from the published source, then they’re violating the GPL.

    If the binaries don’t differ the backdoors would be public, and CentOS (and other derivatives) would be as insecure as RedHat.

    About the openssl and gnupg vulnerabilities: CentOS was afected too, so as insecure as RH.

    Qoute:
    “There is definitely a good reason to trust CentOS security more than RHEL security.”

    Which reason is that?
    You don’t provide it so you shouldn’t trust CentOS either, according to your rules.

  2. DanseM said,

    January 20, 2014 at 11:06 am

    Gravatar

    > I know there’s source code for RHEL
    Then you should mention this in the article. You really should, otherwise it is not fair.

    You can build RHEL from SRPMs and compare binaries. Guess what, CentOS is doing exacly this to determine build environment (i.e. gcc version). CentOS build their distro as a “RHEL clone”, 100% API and ABI compatibile. You can even compare single file diffs from RHEL and CentOS. Guess what, we do that.
    You should try some builds yourself :)

    Red Hat could have placed some backdoor in RHEL but it would easy detectable. It is an issue in closed source products and this is why we should be aware of them.

    As a homework, plz check whether your truecrypt binaries are build from source without modifications. Not an easy task, but you can verify this with 100% certanity. Otherwise how could you tell your drive is really encrypted?

    PS. I am not an employee of Red Hat etc.

    Dr. Roy Schestowitz Reply:

    Hi DanseM,

    I have already exchanged almost a dozen E-mails about this analysis (E-mails with Red Hat staff). They could not find factual errors, but they were unhappy with the article, for reasons they could not, IMHO, defend or at least convince me of.

    I know one can build RHEL from source code (given some privileged access, which is similar to SUSE’s with SLE*). Then there’s patching, too (lots of packages updated, so keeping track of source code becomes even more impractical).

    I did not argue that assessment of the code is feasible given limited human resources (distributions are vast). I also did not argue that back doors are undetectable. Au contraire; Because these validation phases are infeasible we are left having to choose who to trust. I’m also in the business of validating builds, so I have some understanding of this.

    Let’s look at some other news from recent days:

    • Red Hat and CentOS become Voltron, build free operating system together

      “In retaliation, Red Hat started shipping Linux kernel source code in a big tarball with the patches already applied, making it more difficult to build Linux distributions from the RHEL source,” we noted in a feature on Red Hat’s history.

    • OpenShift Welcomes CentOS to the Red Hat Family–Origin Adds CentOS Support
    • CentOS Now Supported By OpenShift

      Hot on the heels of the news that CentOS was officially joining the RedHat family, the OpenShift project has announced that OpenShift Origin would now be officially supported for CentOS, which joins Fedora and Red Hat Enterprise Linux. OpenShift is Red Hat’s Platform as a Service (PaaS) offering. OpenShift has three flavors: the Red Hat hosted Online version, the self hosted and supported Enterprise version, and Origin, the community-driven upstream version of OpenShift.

    This joining of the two is not encouraging; in fact, we will now struggle to compare two potential sources of trust (acting as a sort of peer review). They’re conjoined now. I guess Scientific and other more deprecated clones of RHEL might be of use here.

    Lastly, you mentioned truecrypt. Well, truecrypt is proprietary software (pretending to be “open”), so it deserves zero trust anyway. It’s not relevant to this analysis in the way you contextually interject it.

  3. DanseM said,

    January 20, 2014 at 5:32 pm

    Gravatar

    > [about RHEL and CentOS] This joining of the two is not encouraging; in fact, we will now struggle to compare two potential sources of trust (acting as a sort of peer review). They’re conjoined now. I guess Scientific and other more deprecated clones of RHEL might be of use here.
    That’s 100% truth. Undoubtedly CentOS take over is a sound reason to watch your own back.

    My conclusion is to start watching RH’s hands although I do not feel thrilled. These days closed sourced system are real threat.

    BTW that’s quite wierd that RH folks are dropping you emails but not comments under the article.

    Dr. Roy Schestowitz Reply:

    The communications taught me two important things:

    1) NSA is a Red Hat client. I already knew DoD (Pentagon) was a client, as that had been announced years ago. I didn’t know about the NSA.

    2. NSA submits code through Red Hat, and not just SELinux code. In November I cited a Slashdot comment where a Red Hat employee (I cannot verify this affilation in Slashdot) wrote: “I work for Red Hat…. The NSA asks me to put code in the Linux kernel and I pass it to Linus.”

    Now I have this confirmed by one whose identity is verified, so I need not rely on Slashdot comments.

    For those who are eager to accuse me of being anti-Red Hat, I am sorry to disappoint, but this smear would not work. I defended Red Hat’s position for many years and Red Hat even let me interview their CEO.

    Red Hat is doing well despite the NSA scandals which harm some US companies, but if people peel off some onion layers and realise that Red Hat works with the NSA it won’t be good for business. Red Hat should make formal, publicly-accessible build processes to assure us NSA cannot compromise the system. Right now there’s secrecy (the above details are not public knowledge) which does nothing to appease the “paranoid”.

What Else is New


  1. Patents Roundup: Software Patents, Patenting Loopholes, PTAB, Patent Trolls, and Software Patents Propagandists

    A digest of recent news about (primarily) software patents and people who oppose or promote them in the United States



  2. Links 13/2/2016: Debian 6.0 EOL

    Links for the day



  3. The European Patent Office, Aloof/Apathetic to Inventors and Human Rights, Simply Cannot be Trusted With the Unitary Patent (UPC)

    The European Patent Office (EPO), once a source of great pride for increasingly-unified Europeans, not only wants to enjoy impunity but also wants to attain new powers, despite demonstrating that its interests are anything but European and are often detrimental to Europeans, not just to European inventors



  4. Feedback About Battistelli's 'Meet the President' Event in Rijswijk (4th of February, 2016)

    President of the EPO, the self-absorbed Battistelli, as described by those who attended his self-glorification event earlier this month



  5. Microsoft Continua Usando Patentes de Software para Extorsionar/Chantajear Incluso Más Compañías que Usan Linux, Forzandolas/Coerciendoles a PreInstallar Basura de Microsoft

    Acer es el último gran OEM que se ha convertido en la caza de brujas por parte de Microsoft contra preinstalladores de Android/Linux, a quienes esta coerciendo en convertirse en transportistas de Microsoft (o enfrentarse a litigaciones sobre patentes de software, con altos costos legales sino bloqueos con altísimos costos por arreglos secretos).



  6. Nuevas Protestas Contra La Vil OEP en Medio de Crisis Nerviosa de su Empleado Español (Después del Matoneo Institucional de Los Chacales de Battistelli), España Rechaza la Patente Unitaria UPC

    Enfrentando enorme presión de no-tecnicos Eurocráticos como Battistelli, España permanece FUERTE y RESISTE la Corte Unitaria de Patentes (UPC), que pone más poder en las manos de un cuerpo ABUSIVO que grotescamente discrimina contra los Españoles.



  7. Sólo Media Docena de Patentes Cubana Registradas en la OEP, Pero el Trístemente Célebre Battistelli Va a Cuba a Acumular Apoyo Baráto

    Ahora que España esta antagonizando a la OEP (y especialmente la UPC) el Presidente de la OEP ayuda a crear piezas de hojaldre en español cuando visitó Cuba y sus vecinos hispano-hablanetes que históricamente son renombrados por su gobernabilidad desaparecida así como su ilegalidad (como la OEP misma)



  8. In Lawyerland, Simulated UPC 'Trials' and More Extraordinary EPO Propaganda for Change That Would Harm Europe to Help Patent Lawyers and Their Big Clients

    A look at the latest wave of lobbying for the Unitary Patent Court (UPC), courtesy of patent lawyers who profit from patent disputes, and the utterly shameless marketing from the European Patent Office (EPO)



  9. Apple and Microsoft Cannot Keep Up With Android (Linux), More Layoffs Reported

    Having failed to grow (in the operating systems market share sense), proprietary software giants lose loyalty, try to attack the winner (Android/Linux) with software patents, and inevitably make their staff redundant



  10. Links 12/2/2016: Russian's Government With GNU/Linux, India's Wants FOSS

    Links for the day



  11. New EPO Protests Amid Nervous Breakdowns of Spanish EPO Employee (After Institutional Bullying by Battistelli's Goons), Spain Rejects the Unitary Patent (UPC)

    In the face of enormous pressure from non-technical Eurocrats like Battistelli, Spain remains strong and resists the Unitary Patent Court (UPC), which puts more power in the hands of an abusive body that grossly discriminates against Spaniards



  12. Only Half a Dozen Cuban Patents Filed at EPO, But Hugely Unpopular Battistelli Goes to Cuba to Garner Cheap Support

    Now that Spain is antagonising the EPO (and especially the UPC) the President of the EPO helps create some puff pieces in Spanish as he visits Cuba and neighbouring Spanish-speaking nations which are historically renowned for defunct governance and lawlessness (like the EPO itself)



  13. Nepotismo de la UPC, Abusos Políticos, y el Envolvimiento en la UPC de la Firma ¨Legal¨ que la OEP Contrato para Matonear a Techrights

    La Corte Unitaria de Patentes UPC, un sistema arregaldo esta siendo embestida por la gargant de Europa por la OEP. (Nos están metiendo la yuca). Sus grandes clientes (incluso extranjeros), con sus abogados de patentes para que todo el mundo los vea.



  14. Miembro del Parlamente Europe Resalta ¨Las Continuas Violaciones de los Fundamentales Derechos de los Empleados de la OEP¨

    Pregunta a la Comisión Europea de parte de la MEP Portuguesa Ana Gomes, publicado en el sitio del Parlamente Europeo.



  15. Links 11/2/2016: LibreOffice 5.1, HMRC and FOSS

    Links for the day



  16. Microsoft Continues to Use Software Patents to Extort/Blackmail Even More Companies That Use Linux, Forcing/Coercing Them Into Preinstalling Microsoft

    Acer is the latest large OEM to have become a victim of Microsoft's witch-hunt against Android/Linux preloaders, whom Microsoft is coercing into becoming Microsoft's carriers (or face litigation over software patents, with high legal fees if not injunctions or high damages upon secret settlements)



  17. EPO Brain Drain (Even Directors Fed Up With Team Battistelli) and Rumours About Battistelli Becoming President of the UPC

    Words heard through the grapevine of the European Patent Office (EPO), where staff is overwhelmingly against the managers and some people, including high-profile staff, add to the exodus



  18. More Than 20 Years in the Line: European Patent Office and Claims of European Convention on Human Rights Infringement Against Applicants/Stakeholders

    Gross incompetence and potentially an infringement of the European Convention on Human Rights at the European Patent Office (EPO), this time impacting an applicant (one of many in a similar position)



  19. UPC Nepotism, Political Abuses, and UPC Involvement From the Legal Firm That EPO Hired to Bully Techrights

    The Unitary Patent Court (UPC), a rigged system that is being rammed down Europe's throat by the EPO, its big clients (even foreign), and their patent lawyers laid bear for people to see



  20. Member of European Parliament Brings Up “Ongoing Violations of the Fundamental and Employment Rights of the Staff of EPO”

    Question to the European Commission from Portuguese MEP Ana Gomes, as published in the site of the European Parliament



  21. La Oficina Europea de Patentes Pretende que No Pasa Nada y Prepara una Feria de Vanidad

    La estrategia de relaciones públicas de la OEP cuya destructiva estrategia de patentes continua sin disminución (por ahora), se engancha en Colombia y se esfuerza en manufacturar el mito donde el público, examinadores de patentes, y aplicantes de patentes todos estan muy felices con la OEP.



  22. La ‘Internacional’ Commisión de Comercio Impone/Reenfuerza Patentes de Software para Establecer Otro Embargo

    La Comisión Internacional (sic) de Comercio se esta entrometiendo en competición de nuevo permitiendo a un gigante de los Estados Unidos Ciso en este caso, a potencialmente bloquear rivales (no importaciones del extranjero) usando patentes de software.



  23. Links 9/2/2016: Linux in Robotics, Hyperledger Project

    Links for the day



  24. Besieged Benoît Battistelli Mimics 'Damage Control' Tactics of FIFA or Blatter as More Judges Start Getting Involved in EPO Scandals

    Rumours and a new rant from Battistelli reinforce suspicions that actions are being organised behind the scenes, possibly as part of an upcoming, high-level campaign to unseat/dethrone Battistelli, who has become a reputational disaster to the European Patent Office (EPO), much like Sepp Blatter at FIFA



  25. Several Political Parties Directly Challenge the European Patent Office for Ignoring the Law, Not Obeying Court Orders

    Politicians make it crystal clear that the EPO, despite its unique status, cannot just raise its nose at the rulings of courts of law, definitely not in Dutch territory where the EPO operates



  26. Even the Legal Community is Upset at Benoît Battistelli for the Damage He Did to the EPO

    A recent article from lawyers' media (in German) speaks of the great damage (or mess) left by its current president, who has become somewhat of a laughing stock and growingly synonymous with farcical trials even in the circles of stakeholders, not just his own staff



  27. EPO Union (SUEPO) Getting Busted: “More and More People are Joining the Union, but Fewer and Fewer People Dare to Take on Leading Positions There.”

    The union-busting actions taken by EPO management in collaboration with Control Risks (for weak accusations against staff representatives) and FTI Consulting (for 'damage control') as described in a recent article, in the words of SUEPO lawyer Liesbeth Zegveld



  28. Microsoft's Copyrights- and Patents-Based Attacks on GNU/Linux Carry on

    The SCO case is still going on and Microsoft has just signed a patent deal with GoPro over its FOSS-based software, relating to “certain file storage and other system technologies”



  29. The EPO's Benoît Battistelli is the Dictator Who Can No Longer Dictate Like He Used to

    The European Patent Office's mechanism of oversight is starting to work just a little because, based on a new report from Juve, Battistelli is now reluctant to make proposals that would prove unpopular among delegates



  30. La Más Detallada Explicación (hasta ahora) de ¿Qué esta mal con la OEP?

    La insistencia de la OEP que permanece arriba de la ley no sólo est bajo fuego en los medios pero también esta siendo desafiada basado en personas familiares con la aplicabilidad de la ley a organizaciones internacionales.


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts