Hi, On 19/01/2014 6:30 AM, Marco Saller wrote: > i am not sure if this question has been asked or answered yet, please do not > mind if i would ask it again. > Is it possible that the NSA or other services included investigative software > in some Debian packages?
I've read all the posts so far in this and related threads (each tree of this top thread actually). It is definitely not beyond the realms of possibility that hardware is compromised WORLDWIDE, from hardware additions to firmware /adjustments/. It might not be cheap to compromise as many machines as you want, but it might be cheaper to consider every machine a possible target, so the NSA could modify every single machine they could get their hands on and many that they can remotely access via other means. There are problems at every level, including hard drive firmwares, ordinary looking USB cables, tricked VGA leads ... and these revaluations come from a document with a date of 2008. Also, it is not impossible for *any* organization to have a /ghosted/ version; we might be installing Debian from a ghost version of Debian that is compromised and for all intents and purposes, it appears 100% to be Debian. DNS can be taken over at any point to allow the /ghost/ version to be *the* version that any one of us sees. Every single machine on the Internet can be impersonated, particularly if you have the budget of the NSA and the right access possibilities. Heck, as I understand it, even the NSA can return DNS results more quickly than official sources due to placement of their own /black/ boxes to subvert any DNS request on the planet and point people to a ghosted version of anything... There is no definitive answer other than, the NSA has screwed so many that it is impossible to have trust; even when the likes of Google outwardly show rage and disgust over NSA actions, there is nothing to give us total faith in Google either, heck they can be ghosted too. However, given all the very real possibilities, I would like to believe that "in Debian, we can trust", but OTOH it just might be misplaced through no fault of anyone [at all] involved with official Debian activities in any way. It's virtually impossible to know one way or another, we just have to have some faith and trust (perhaps too much of one or both). Cheers A. -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
