Re: How secure is an installation with with no non-free packages?
On Fri, Sep 13, 2013 at 8:42 AM, adrelanos <adrelanos@riseup.net> wrote:
> adrelanos:
>> How secure is a Debian installation packages installed only from main,
>> none from contrib or non-free?
>>
>> It will lack for example the firmware-linux-nonfree package and the
>> intel-microcode / amd-microcode package. At least the microcode one is
>> security relevant? Are there any other packages which might be important
>> to have installed for security reasons?
>>
>> I mean, how secure is it in comparison with those packages installed vs
>> not having them installed?
>>
>>
>
> I apologize, I didn't want to start a discussion of Open Source vs
> closed source. (Feel free to have it, I am delighted to read your
> thoughts on it, but I'd be also happy about an answer to the question I
> meant to ask but failed to properly state.) Sorry for not asking clear
> in the first place.
>
> To rephrase my original question:
>
> How vulnerable is Debian installation without intel-microcode /
> amd-microcode package?
No one knows.
We can only guess. Our guess includes an assumption that Intel or AMD
would or would not deliberately sabotage their products at the
instigation of an organization like the Chinese/Taiwanese government
or the NSA or some similar equivalent or not-so-equivalent secret
organization.
Ken Thompson gave us the archetype response on this question when he
described a way to grandfather a backdoor password into (the libraries
used by) a C compiler such that it would not show in the source but
would be present in the object. I assume you have read his essay on
trusting trust?
(1) All we can say for sure is that anything that is open is
inherently more open than anything that is closed.
(2) Anything we didn't build ourselves may be deliberately sabotaged.
(3) Anything we do build ourselves will have accidental gaping holes.
(4) When we work with friends, we can do more than when we work alone.
None of that tells us how bad Intel and AMD are screwing up, and which
directions they are running with the ball in the hardware camp. They
are primarily concerned with features that sell or otherwise obviously
make them money. Until sometime in the future (closer now than a year
ago), security does not sell, does not obviously make them money.
<rant-mode>
That's the short-sightedness of capital based economy when
interest-holders are not well-versed in the technological details of a
company's products or of the impact that product has in the market and
where it gets used. I hate to bring up the G-word again, but we humans
work beyond the edge of our abilities, we end up depending on someone
being more than human. And we refuse to accept the limitations of
working within our abilities, just like we refuse to believe we are as
limited as we are. Fortunately, G?? (or the universe) seems to have
given us room to make mistakes in this way, up to a point. Our next
big mistake is to hope that the natural consequences (or punishments
of G??) will never catch up to us.
</rant-mode>
> Are there other contrib and/or non-free packages, similar to the
> microcode package, which make the system vulnerable, if not installed?
Depends on what you're using the system for.
Wish I could say more, but we are really just barely beginning to
scratch the surface of building a stable computer technology. And the
big boys are all about intellectual property right now, and as long as
they are playing those games, we aren't going to get any further on
what you need to be able to answer that question, essentially a
database of function vs. package vs. target use, and the interplay
thereof.
--
Joel Rees
Be careful where you see conspiracy.
Look first in your own heart.
Reply to: