
Re: Possibly moving Debian services to a CDN

Tollef Fog Heen writes ("Re: Possibly moving Debian services to a CDN"):
> I'm fundamentally of the opinion that if the NSA or a similar
> organisation wants to track you and is willing to expend that effort on
> tracking you in particular, there is just about nothing you can do about
> it.

This is true, but largely irrelevant.  That the NSA can get something
if they really want to is true - but the question is how much of a
price they want to pay.  By making things more difficult for them, we
reduce the effectiveness of their surveillance capability.  They
then have to be more selective in their targeting, or divert resources
from other projects, etc.

>  As you note, we can't actually control it, just like we can't do it
> today, so the difference becomes «lots of mirrors, vulnerable to smaller
> attackers, but hard to coordinate MITM-ing» vs «fewer mirrors/CDN nodes,
> requires more effort from attackers, easier to MITM».  I don't think it
> makes that much of a difference in terms of cost if the attacker has
> that many resources and is willing to expend the effort.  It seems you
> disagree, and I don't really see us agreeing here, as it's a question of
> tradeoffs and you weigh your tradeoffs differently than I do.

In my view the important question is not whether an attacker like the
NSA has the capability to get what it wants when it really cares.  The
important question for Debian in this context is how much attacks
would cost (not just in money but also in risk, effort, political
clout, etc.).

It seems to me that obtaining blanket logs about Debian users from a
commercial CDN (or small set of CDNs) would be easy and cheap for the
NSA and give significant and valuable information (what packages are
installed and what security updates are done) about the vast majority
of Debian users.  Indeed I would be amazed if the NSA don't already
routinely collect or scan all traffic to the big CDNs.

In contrast, some parts of our current mirror networks are weak
against monitoring but it is very easy for a user to (for example)
select a mirror they think will be more trustworthy, and attacking our
current mirror network in that way would involve strong-arming,
subverting or hacking a much greater set of organisations and systems.
I imagine the NSA would want to confine such compromises to those
mirrors where they think they're not likely to get caught.

I share Ingo's privacy concerns.

I don't see a clear explanation of what the motivation is to switch to
a commercial CDN.  Can you clarify?  That will help us understand
what we would be giving up if we decline to make this change.
