
Re: NSA software in Debian



Hi,

On 19/01/2014 6:30 AM, Marco Saller wrote:
> I am not sure if this question has been asked or answered yet, please do not mind if I would ask it again.
> Is it possible that the NSA or other services included investigative software in some Debian packages?

I've read all the posts so far in this and related threads (each tree of
this top thread actually).

It is definitely not beyond the realms of possibility that hardware is
compromised WORLDWIDE, from hardware additions to firmware
/adjustments/.  It might not be cheap to compromise as many machines as
you want, but it might be cheaper to consider every machine a possible
target, so the NSA could modify every single machine they could get
their hands on and many that they can remotely access via other means.

There are problems at every level, including hard drive firmwares,
ordinary looking USB cables, tricked VGA leads ... and these
revelations come from a document with a date of 2008.

Also, it is not impossible for *any* organization to have a /ghosted/
version; we might be installing Debian from a ghost version of Debian
that is compromised and for all intents and purposes, it appears 100% to
be Debian.  DNS can be taken over at any point to allow the /ghost/
version to be *the* version that any one of us sees.

Every single machine on the Internet can be impersonated, particularly
if you have the budget of the NSA and the right access possibilities.
Heck, as I understand it, even the NSA can return DNS results more
quickly than official sources due to placement of their own /black/
boxes to subvert any DNS request on the planet and point people to a
ghosted version of anything...

There is no definitive answer other than, the NSA has screwed so many
that it is impossible to have trust; even when the likes of Google
outwardly show rage and disgust over NSA actions, there is nothing to
give us total faith in Google either, heck they can be ghosted too.

However, given all the very real possibilities, I would like to believe
that "in Debian, we can trust", but OTOH it just might be misplaced
through no fault of anyone [at all] involved with official Debian
activities in any way.  It's virtually impossible to know one way or
another, we just have to have some faith and trust (perhaps too much of
one or both).

Cheers
A.

