01.17.14

For Real Security, Use CentOS — Never RHEL — and Run Neither on Amazon’s Servers

Posted in GNU/Linux, Red Hat, Security at 9:27 am by Dr. Roy Schestowitz

Red Hat logo

Summary: Never run Red Hat’s “Enterprise Linux”, which cannot be trusted because of NSA involvement; Amazon, which pays Microsoft for RHEL and works with the CIA, should never be used for hosting

SEVERAL years ago CentOS almost died; now it’s being embraced by Red Hat and one pundit from tech tabloid ZDNet is moving to CentOS Linux on the desktop [1,2].

CentOS is still in the news [3], with the CentOS project leader (Karanbir Singh) giving an interview to the Linux Foundation [4]. We trust CentOS, whereas trusting Red Hat is hard. RHEL is binary and based on news from half a decade ago, the NSA is said to be involved in the building process, as well as SUSE’s, whereas CentOS is built from source (publicly visible). Microsoft and the NSA do the same thing with Windows and it’s now confirmed that Windows has NSA backdoors.

Earlier this month vulnerabilities in RHEL’s openssl and RHEL’s gnupg [5,6], contributed even less to trust. RHEL is so standard in the industry that it would probably be simpler than other distributions to exploit; the NSA may as well have off-the-shelf exploits for all major RHEL releases, which are deployed in many countries’ servers (even so-called ‘rogue’ countries). Based on the NSA leaks, Fedora — not RHEL — is being used by the NSA itself to run its spying operations (e.g. collecting radio signals from afar). Fedora is not truly binary-compatible and its source code makes secrets hard to keep.

Lastly, mind the latest of Red Hat’s Fog Computing hype [7,8], including the CIA’s partner Amazon that’s lumped onto Red Hat [9,10] as part of a conference [11,12]. Avoid Amazon at all costs. It’s a malicious trap for many reasons. Amazon also pays Microsoft for RHEL after a patent deal with Microsoft, as we pointed out years ago. Suffice to say, Microsoft's servers are as bad as Amazon's for privacy.

RHEL and its derivatives continue to be deployed in many large networks of systems [13], so it’s clear why the NSA would drool over the possibility of back doors in RHEL. Watch out for that. Given the way NSA infiltrated standards bodies and other institutions, it’s not impossible that there are even moles at Red Hat or Fedora. There used to be some at Microsoft (we know about those who got caught).

Red Hat’s CEO is now telling his story in a Red Hat site [14] and one needs to remember who he used to work for (close to Boeing, which is primarily an army company), not just the country he is based on (hence the rules that apply to him, especially when he wishes to appeal to government contractors, DoD/Pentagon etc. which are the most lucrative contracts).

It should be noted that my Web sites are mostly running CentOS and the same goes for the host of Techrights, who focuses on security. With CentOS you can get the source code and redistribute; with Red Hat’s RHEL you can’t (it’s sold as binary).

There is definitely a good reason to trust CentOS security more than RHEL security. As for Oracle (“Unbreakable”), well… just read Ellison’s public statements in support of the NSA (never mind the company’s roots and the CIA). That tells a lot.

The bottom line is, blind faith in binary distributions is a bad thing. Blind faith in NSA partners (Red Hat collaborates with the NSA not just in SELinux) is even worse. █

Related/contextual items from the news:

Taking the long view: Why I’m moving to CentOS Linux on the desktop
Is CentOS ready for the Linux desktop?

CentOS is a very interesting and different choice for a desktop distribution. I haven’t heard of many people using it that way. Whenever somebody brings it up it’s usually within the context of running a server.
Fedora and CentOS Updates, Linux for Security, and Top Seven
CentOS Project Leader Karanbir Singh Opens Up on Red Hat Deal

In the 10 years since the CentOS project was launched there has been no board of directors, or legal team, or commercial backing. The developers who labored to build the community-led version of Red Hat Enterprise Linux (RHEL) worked largely unpaid (though some took a few consulting gigs on the side.) They had a few hundred dollars in their bank account to pay for event t-shirts and that was it. And the project’s direction was decided based on the developers’ immediate needs, not a grand vision of future technology.
Red Hat: 2014:0015-01: openssl: Important Advisory
Red Hat: 2014:0016-01: gnupg: Moderate Advisory
Red Hat Invests in Open Source IaaS, Cloud Talent
Red Hat Academy Expands Training, Includes OpenStack Coursework
Red Hat Launches Test Drives on AWS

At its annual Partner conference in Scottsdale, Arizona this week Red Hat (RHT) announced new Test Drives on Amazon Web Services (AWS) with three Red Hat partners – CITYTECH, Shadow-Soft, and Vizuri. Through the AWS Test Drive program, users can quickly and easily explore and deploy ready-made solutions built on Red Hat technologies.
Why Red Hat Needs OpenStack … And AWS

OpenStack, the cloud’s community darling, desperately needs leadership, and Red Hat seems the ideal leader. But OpenStack isn’t the only needy party here. As good as Red Hat’s growth has been over the last decade, it pales in comparison to that of VMware, a later entrant that has grown much faster than Red Hat. And the open source leader still trails well behind Microsoft.
Google, Amazon Clouds Invade Red Hat Partner Conference

Google Cloud Platform and Amazon Web Services executives are set to address Red Hat Partner Conference attendees on Jan. 13 in Arizona. No doubt, the keynotes will seek to ensure Linux resellers understand how to move customer workloads into the Google and AWS public clouds, respectively.
7 Surprises At Red Hat Partner Conference 2014
How to deploy OSSEC across a large network of systems from RPMs
Teens and their first job: How to get on the path to a happy career

I grew up in the 1980s in Columbus, Georgia. You needed a car to get around, so I did not work until I could drive. Within months of getting my driver’s license, I got my first job as a part-time computer programmer for a stockbroker.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.

Permalink Mail Send this to a friend

This post is also available in Gemini over at:

gemini://gemini.techrights.org/2014/01/17/rhel-security/

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

7 Comments

AdamW said,

January 17, 2014 at 7:44 pm

The RHEL 6 source – yes, RHEL is built “from source”, amazing, I know! – is right here:

http://ftp.redhat.com/redhat/linux/enterprise/6Server/en/os/SRPMS/

do feel free to peruse it at your leisure.

Dr. Roy Schestowitz Reply:
January 17th, 2014 at 7:52 pm
That’s a bit of a straw man response; I know there’s source code for RHEL, but if one was to built it from source, would it be identical to the binaries distributed by Red Hat? We need to check the build process, too. It’s about trusting trust and we already know what the NSA has been doing with corporate or squsi-corporate partners like RSA, NIST, Microsoft, etc.

richardon Reply:
January 20th, 2014 at 10:33 am
I’m sorry but this is a loda of cr*p.

If RedHat’s binaries differ from the published source, then they’re violating the GPL.

If the binaries don’t differ the backdoors would be public, and CentOS (and other derivatives) would be as insecure as RedHat.

About the openssl and gnupg vulnerabilities: CentOS was afected too, so as insecure as RH.

Qoute:
“There is definitely a good reason to trust CentOS security more than RHEL security.”

Which reason is that?
You don’t provide it so you shouldn’t trust CentOS either, according to your rules.
DanseM said,

January 20, 2014 at 11:06 am

> I know there’s source code for RHEL
Then you should mention this in the article. You really should, otherwise it is not fair.

You can build RHEL from SRPMs and compare binaries. Guess what, CentOS is doing exacly this to determine build environment (i.e. gcc version). CentOS build their distro as a “RHEL clone”, 100% API and ABI compatibile. You can even compare single file diffs from RHEL and CentOS. Guess what, we do that.
You should try some builds yourself

Red Hat could have placed some backdoor in RHEL but it would easy detectable. It is an issue in closed source products and this is why we should be aware of them.

As a homework, plz check whether your truecrypt binaries are build from source without modifications. Not an easy task, but you can verify this with 100% certanity. Otherwise how could you tell your drive is really encrypted?

PS. I am not an employee of Red Hat etc.
Dr. Roy Schestowitz Reply:
January 20th, 2014 at 4:54 pm
Hi DanseM,

I have already exchanged almost a dozen E-mails about this analysis (E-mails with Red Hat staff). They could not find factual errors, but they were unhappy with the article, for reasons they could not, IMHO, defend or at least convince me of.

I know one can build RHEL from source code (given some privileged access, which is similar to SUSE’s with SLE*). Then there’s patching, too (lots of packages updated, so keeping track of source code becomes even more impractical).

I did not argue that assessment of the code is feasible given limited human resources (distributions are vast). I also did not argue that back doors are undetectable. Au contraire; Because these validation phases are infeasible we are left having to choose who to trust. I’m also in the business of validating builds, so I have some understanding of this.

Let’s look at some other news from recent days:
- Red Hat and CentOS become Voltron, build free operating system together
  
  “In retaliation, Red Hat started shipping Linux kernel source code in a big tarball with the patches already applied, making it more difficult to build Linux distributions from the RHEL source,” we noted in a feature on Red Hat’s history.
- OpenShift Welcomes CentOS to the Red Hat Family–Origin Adds CentOS Support
- CentOS Now Supported By OpenShift
  
  Hot on the heels of the news that CentOS was officially joining the RedHat family, the OpenShift project has announced that OpenShift Origin would now be officially supported for CentOS, which joins Fedora and Red Hat Enterprise Linux. OpenShift is Red Hat’s Platform as a Service (PaaS) offering. OpenShift has three flavors: the Red Hat hosted Online version, the self hosted and supported Enterprise version, and Origin, the community-driven upstream version of OpenShift.
This joining of the two is not encouraging; in fact, we will now struggle to compare two potential sources of trust (acting as a sort of peer review). They’re conjoined now. I guess Scientific and other more deprecated clones of RHEL might be of use here.

Lastly, you mentioned truecrypt. Well, truecrypt is proprietary software (pretending to be “open”), so it deserves zero trust anyway. It’s not relevant to this analysis in the way you contextually interject it.
DanseM said,

January 20, 2014 at 5:32 pm

> [about RHEL and CentOS] This joining of the two is not encouraging; in fact, we will now struggle to compare two potential sources of trust (acting as a sort of peer review). They’re conjoined now. I guess Scientific and other more deprecated clones of RHEL might be of use here.
That’s 100% truth. Undoubtedly CentOS take over is a sound reason to watch your own back.

My conclusion is to start watching RH’s hands although I do not feel thrilled. These days closed sourced system are real threat.

BTW that’s quite wierd that RH folks are dropping you emails but not comments under the article.

Dr. Roy Schestowitz Reply:
January 20th, 2014 at 5:47 pm
The communications taught me two important things:

1) NSA is a Red Hat client. I already knew DoD (Pentagon) was a client, as that had been announced years ago. I didn’t know about the NSA.

2. NSA submits code through Red Hat, and not just SELinux code. In November I cited a Slashdot comment where a Red Hat employee (I cannot verify this affilation in Slashdot) wrote: “I work for Red Hat…. The NSA asks me to put code in the Linux kernel and I pass it to Linus.”

Now I have this confirmed by one whose identity is verified, so I need not rely on Slashdot comments.

For those who are eager to accuse me of being anti-Red Hat, I am sorry to disappoint, but this smear would not work. I defended Red Hat’s position for many years and Red Hat even let me interview their CEO.

Red Hat is doing well despite the NSA scandals which harm some US companies, but if people peel off some onion layers and realise that Red Hat works with the NSA it won’t be good for business. Red Hat should make formal, publicly-accessible build processes to assure us NSA cannot compromise the system. Right now there’s secrecy (the above details are not public knowledge) which does nothing to appease the “paranoid”.

What Else is New

[Meme] Nobody and Nothing Harms Europe's Reputation Like the EPO Does

Europe’s second-largest institution, the EPO, has caused severe harm/damage to Europe’s economy and reputation; its attacks on the courts and on justice itself (even on constitutions in the case of UPC — another attempt to override the law and introduce European software patents) won’t be easily forgotten; SUEPO has meanwhile (on Saturday, link at the bottom in German) reminded people that Benoît Battistelli and António Campinos have driven away the EPO’s most valuable workers or moral compass
IRC Proceedings: Saturday, July 31, 2021

IRC logs for Saturday, July 31, 2021
[Meme] When it Comes to Server Share, Microsoft Azure is Minuscule (But Faking It)

Don't believe the lies told by Microsoft's charlatans and frauds; Azure has been a total failure and that's why there are layoffs as well
[Meme] Mozilla Has Turned From Technical to Marketing

Way back, long before Mozilla and Firefox got hijacked by politics (turning Mozilla into a VPN reseller that lies about its stance on privacy), geeks were driving the company, not corporate lawyers and spying/marketing people
Over 1,500 (Known/Unorphaned) Gemini Capsules and Over 160,000 Page Requests in gemini.techrights.org During July

Techrights is expanding at gemini:// (Gemini space) and over 1,500 capsules are reported to have been found (less than 4 months ago it was about 1,000)
Links 31/7/2021: Kernel Additions and Linux Mint 20.3 Release Date

Links for the day
Microsoft Azure Stagnating

Reprinted with permission from Mitchel Lewis, former Microsoft employee
For 17 Days (and Counting) António Campinos Has Failed to Respond to Call for Compliance With the Law

Team Campinos has been so arrogant and so evasive that there’s no indication (yet) that it will follow court orders (Willy ‘Guillaume’ Minnoye openly bragged about ignoring court orders and he's still cheering for the EPO's abuses); therefore, staff of the EPO takes collective action
Raw: Elodie Bergot Breaking the Law by Threatening Against the Exercise of Fundamental Rights

Over the years we saw a number of rude letters from Elodie Bergot, the grossly under-qualified spouse of a friend of Vichyite Benoît Battistelli; most of these we never published (we already have these and can always publish if the need arises), but those paranoid and insecure “Mafia”-like ‘cabal’ need to be exposed for the mobsters they are; for nearly a decade they’ve illegally bullied EPO staff in clear violation of the law (and for over 3 years António Campinos has kept those bullies on board); why does Europe do nothing and why is it never holding high-profile abusers accountable (only low-level facilitators)? Is it because the EU too is being infiltrated by them?
Linspire Should Be Avoided in 2021 Just Like It Was Avoided 14 Years Ago

The brand "Linspire" was brought back, but the agenda seems to be more or less the same, namely pushing proprietary software and serving Microsoft's commercial agenda (in 'Linux' clothing)
The Death of Freenode Would Be Freenode's Own Fault

Freenode is going dark and now it’s asking people to create accounts at IRC.com (just to get back into the network that they may have already occupied for decades) as if Freenode owns “IRC” as a whole
Links 31/7/2021: KDE Progress and Activision Catastrophe

Links for the day
IRC Proceedings: Friday, July 30, 2021

IRC logs for Friday, July 30, 2021
The Smartest Meter of All

Yesterday a lady came over to take our power readings (electric/gas meter); secure these people's jobs as they help protect people's privacy (dignity) at home
[Meme] A Web of False Dichotomies

A reminder that Techrights is fully available (all blog posts and wiki pages) in gemini://
Freenode Shrinks by Another Quarter and Gemini Continues to Grow (For Techrights at Least)

Freenode continues to perish faster than we've imagined; it's a good thing that we've had contingencies set up; regarding the monopolised and increasingly centralised Web, we're still making baby steps towards weaning ourselves off it
Links 31/7/2021: Wine 6.14 and Chrome 93 Beta

Links for the day
European Media Does Not Care About Europe's Second-Largest Institution Crushing Basic Laws and Fundamental Rights

New video about the latest publication from SUEPO (the EPO’s staff union); it was published yesterday, seeing that the “Mafia” (what EPO staff actually calls the management!) hasn’t done anything to comply with a wide-ranging set of court rulings from ILO-AT; why has the media said nothing about this and what does that say about today’s media? The material is all in the public domain, in widely understood languages, and SUEPO spoke about it more than 3 weeks ago.
Links 30/7/2021: Distro Comparisons and Tootle Introduced

Links for the day
[Meme] Enforcing ILO-AT Rulings...

We’re still waiting for a statement — any statement (direct or indirect) — from EPO management, seeing that almost a month has passed
'Open Source' as a Failed Initiative

A closer look at the dire state of the Open Source Initiative, or OSI, which no longer protects Open Source (let alone software freedom) but instead helps openwashing, Microsoft entrapment, and a coup against the FSF
[Meme] Rowan and António Sittin' on a Tree...

How much longer can Team Campinos keep issuing tons of noisy and self-congratulatory puff pieces to (perhaps) distract from the elephant in the 10th floor of the Isar building (EPO HQ)? Staff won't wait for eternity.
IRC Proceedings: Thursday, July 29, 2021

IRC logs for Thursday, July 29, 2021
Half the People in This Letter Are IBM Employees

IBM seems to be continuing its war on the FSF because IBM wants to own everything (CentOS being ‘canned’ was just part of the plan)
The OSI Song

The sad demise of OSI, which has become little but a front group of proprietary software companies in pursuit of openwashing services (and outsourcing to proprietary disservices looking to eradicate copyleft)
[Meme] OSI is Doing Just Fine

So what if OSI is run by someone who raised money from Microsoft (to sell Microsoft a keynote slot in a copyleft event — the thing that Microsoft attacks through GitHub!) while funnelling the OSI's funds to a serial GPL violator?
The OSI's Defunct Elections (Privacy Breach), Conflict of Interest (Nicholson), and Other Lingering Problems

The above, together with an email from the OSI below, serves to show they’re re-running a bad election and — yet worse! — there appears to be a conflict of interest implicating the OSI’s sole member of staff!
Links 30/7/2021: Audacity 3.0.3 and KD Chart 2.8.0

Links for the day
Links 29/7/2021: siduction 2021.2 and Xubuntu 21.10 Dev Update

Links for the day
GitHub is Racism

Microsoft has the world's most racist code hosting repository; it wasn't like this when Microsoft took over as the racist policies were added to impress Donald Trump, who would later rig a procurement/tendering process to bail out Microsoft (10 billion dollars from the Pentagon, i.e. taxpayers)