[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: NSA software in Debian

Hash: SHA1

On 2014-01-18 21:04, Noah Meyerhans wrote:
> On Sat, Jan 18, 2014 at 08:30:49PM +0100, Marco Saller wrote:
>> i am not sure if this question has been asked or answered yet, 
>> please do not mind if i would ask it again. Is it possible that 
>> the NSA or other services included investigative software in
>> some Debian packages?
> That line of thinking leads to madness. The only rational 
> conclusion, once you start down that path, is to turn off your 
> computers and move to a remote cabin in the wilderness. It will 
> never be possible to prove that there is no malicious software in 
> Debian or in any other OS. Beyond that, it will never be possible 
> to prove that there is no malicious *hardware* running executing 
> your OS.

I guess this is what the Kremlin did when they famously announced they
are moving to typewriters (call them mad if you like), or as Frank
Rieger put it at 30c3, a yearly talk titled Security Nightmares:
"All the time that we have done this show, it has never been the case
as much as this year that we thought: well, actually a job growing
flowers or gardening or perhaps something with wood would actually not
be such a bad idea." [While showing a picture of a white flag.]

We can not refrain from drawing conclusions because of their
implications, if they indeed are correct, that would be self
deception. The answer to the question is: Yes, it is indeed possible
that an organisation with the NSA's budget and determination could
have compromised a component of Debian, or any other open source
software. Has there been any evidence to suggest this is the case? No.
At least, not yet. (Remember, the publishing of the leaks are not
random, and Greenwald has signed up for the owner of Paypal.)
The task we have been reluctantly assigned is enormous, but is it also
utterly hopeless? We have seen through the leaks that if there is an
easy way in the NSA will already have it codenamed.

The more productive questions are: Where is the lowest bar and what
could we do to raise it? There is good work ongoing here, for example
deterministic builds [1], a vector of attack that can be provably
eliminated [2]. But at the same time, let's not kid our selves. Let's
step back and reflect on on the feasibility of the open source model
in the face of adversaries like the NSA and their cohorts. When we
trust the software, what are the presumptions upon which our trust
rests and how easily can they be broken?

The worst case from a "future of free software" sort of perspective
would be a leak confirming our worst fears that a trusted person
within free software was compromised. I can only hope that any such
person leaves now, quietly, while leaving the full details about the
hole[s] with someone to fix it before taking us all down RSA-style.
And no, least there be speculation, I have no information to this
effect, and from what I've learned of the open source community I
don't think this is likely, for many of us it's a kind of moral
calling that brought us here in the first place, however the NSA only
needs one person.

JK Abrams

[1] https://wiki.debian.org/ReproducibleBuilds
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


Reply to: