* I was advised in private e-mail by @mig5 about this new law before it took effect, and @mig5 offered to step aside because of it. It was my decision not to change anything. Below I will explain why.
* I might have reacted in a better way by protectively discussing this subject in public, but that is really hard without nonproductive discussions and without badmouthing @mig5 in unintended ways.
* @mig5 doesn't moderate Whonix's forums. That thread wasn't deleted by @mig5.
* I've not researched that Australian law. And I like to avoid it. If I had to bet, I guess their interpretation is reasonable. For practical purposes explained below it wouldn't matter.
* From a security enthusiast perspective it's a reasonable question. No one or only a few have the complete picture.
* The issue with one asking this question is the hidden presuppositions.
* The presupposition is that the server location is somehow secure.
** That's not true.
** Assume a regular commercial server host.
** I don't know any people working there.
** I couldn't even find the place without navigation software.
** Just because it's from the Whonix project, doesn't mean server security magically is a lot better than server security of let's say, Facebook. (And these are even known to have a front- and backdoor.)
* Regarding the server, it's easy to demand better security. Easy to demand that I pay for it rather than using a sponsored server, or to demand other security enhancements. I'd be happy to do all of this, but then please also provide reliable funding for it.
* We have a wiki page dedicated to explaining all the attack vectors that are related to the risks introduced since we are forced to trust humans. [1]
* Whonix, same as Qubes, operates already on the assumption that the infrastructure is compromised.
** The wiki page has a chapter "Should I Trust This Website?". [2] The short answer is "no".
** Similarly the Qubes project has a chapter "What does it mean to “distrust the infrastructure”?" [3]
** If a server administrator (such as mig5) were compelled to replace a Whonix download, the OpenPGP verification of the file (iso, ova or libvirt image) would fail (when using the project OpenPGP signing key for OpenPGP signature verification).
** If a server administrator was compelled to also replace the OpenPGP signature of that file, all the usual rules would apply: users should verify the validity of the OpenPGP key by looking for it published in different places, etc. The same advice provided by the Qubes project for their isos.
** The Whonix server doesn't host the source code. A server administrator cannot "insert code" into the Whonix project.
** GitHub is an organization with many Australian engineers. The same threat applies there - perhaps even more so, in that Australian engineers could be coerced into modifying git repository data directly - not just of Whonix, but Qubes too - and be unable to even tell their boss.
** In such a situation, the threat of coercion or interference is indeed real. The protection against that seems to be all the usual things: cryptography, ‘many eyes’, etc.
** The same argument could be made against developers, server administrators or similar from USA and perhaps other countries as well?
** UK has Investigatory Powers Act, similar?
** Tor Project might have Australian developers and/or server administrators, too?

The point is that if you go down that road, there really is no end. Whonix is not special in this regard.

* As bad as that new law might be, I don't see that anything relevant changed.
** Whatever circumstances do apply to @mig5 now, might have applied to @mig5 before that new law as well.
** Even without that law directly applying to me, and while I've never been in any territory of the USA, and while their laws may formally not apply worldwide, yet USA laws are enforced worldwide. And as a non-USA citizen even outside of USA, legal defense is even more difficult than for a USA citizen inside USA.
* What I witnessed over time is that many users assume that security-focused projects are already very mature in all aspects and nothing much needs to be done. This assumption is wrong.
** We don't have reproducible / deterministic builds; we don't have automatic verification of deterministic builds; our repositories aren't using multisig.
** We could use more code reviewers, auditors, unit tests, automated tests, and whatnot.
** We don't have a volunteer server admin. [6]
** port Whonix package build process to Qubes package build process [7]
** See also our FAQ entry "Is the Linux User Experience Comparable to Commercial Operating Systems?" [4]
** I'd like to tackle all of these issues.
* I am not really eager to build Whonix packages, Non-Qubes-Whonix downloads, maintain whonix.org server, hold Whonix signing keys.
** Fun: development, source code, testing, design, answering good questions
** Not so much fun but necessary: legal, funding, server, releases, uploads, signing keys, announcements

Meaning: Please contribute - then everything can be improved. I'd be happy to hand over upload rights / package builds / server administration to a more qualified organization that is strong in legal defense, computer security and reliable funding. But at the moment, I don't see anything like that emerging.

Cheers,
Patrick

[1] https://www.whonix.org/wiki/Trust
[2] https://www.whonix.org/wiki/Trust#Should_I_Trust_This_Website.3F
[3] https://www.qubes-os.org/faq/#what-does-it-mean-to-distrust-the-infrastructure
[4] https://www.whonix.org/wiki/FAQ#Is_the_Linux_User_Experience_Comparable_to_Commercial_Operating_Systems.3F
[5] Some US laws apparently apply worldwide.
* Kim Dotcom, a German/Finnish dual national, permanent resident of and physically present in New Zealand at the time of the alleged copyright infringement by USA had his assets seized, worldwide bank accounts frozen, arrested and may be extradited to USA, ongoing legal proceedings.
* US sanctions laws apparently apply worldwide. Including non-US citizens outside of US territory. Chinese citizen arrested during flight layover in Canada by Canadian authorities to be extradited to USA. - https://edition.cnn.com/2018/12/11/business/huawei-cfo-arrest-details/index.html
* Ulrich Wippermann, German citizen, apparently resident in Germany at the time, employed by a company, did not break any German laws. Nevertheless, he got put on a US restricted persons blacklist, in result:
** lost his job in a leading position,
** could not find a new job in a leading position because employers feared repercussions,
** got his bank accounts and credit cards terminated,
** got denied an Apple phone from its mobile carrier,
** got denied shipping services.
** Sources: [FAZ](https://www.faz.net/aktuell/politik/deutscher-auf-usa-terrorliste-wegen-exporten-nach-iran-14552747.html), [NDR](https://daserste.ndr.de/panorama/archiv/2016/Imperiales-Gehabe-der-lange-Arm-der-US-Gesetze,wirtschaftskrieg100.html)
** Comment: Given the publicly available information. He had a higher income than most people. Yet, he unfortunately either did not attempt or failed to defend himself using the legal system from harassment inside Germany. Rather, he unfortunately either did not attempt, or failed, or didn't have any option, to use the legal system to force his removal from the blacklist. This is not a criticism of his person. This is a criticism of the unfairness of the legal system. If he can't defend himself using the legal system, what are the chances that people with less income can?
[6] https://forums.whonix.org/t/new-sysadmin-saying-hello/5446/12?u=patrick
[7] https://phabricator.whonix.org/T709
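
The two server-side cases described in the message (a replaced download, and a replaced download plus replaced signature), as an added example that is not part of the original message and is not Whonix or Qubes project code. It checks GnuPG's machine-readable status output against a fingerprint pinned from several independent publications; the fingerprints, function names and status samples are constructed placeholders.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a constructed placeholder, NOT the real
# Whonix signing key fingerprint.
PINNED_FPR="AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
OTHER_FPR="9999888877776666555544443333222211110000"   # constructed

norm() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# agreed_fpr FPR...: print the fingerprint only if at least two copies,
# obtained from different places, are identical after normalisation.
agreed_fpr() {
    [ "$#" -ge 2 ] || return 1
    first=$(norm "$1")
    for f in "$@"; do
        [ "$(norm "$f")" = "$first" ] || return 1
    done
    printf '%s\n' "$first"
}

# check_status FPR: read `gpg --status-fd` lines on stdin. Succeed only if
# a VALIDSIG line names FPR as the primary key and no failure status is
# present. GOODSIG alone is not enough: it is also emitted for a signature
# made by any other key that happens to be in the keyring.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # field 3: signing (sub)key; field 12: primary key fingerprint
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_download FILE SIG: the real check (needs gpg and the imported key).
verify_download() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status output: file signed by the pinned key.
SAMPLE_GOOD="[GNUPG:] GOODSIG 0000111122223333 Example Signer
[GNUPG:] VALIDSIG $PINNED_FPR 2019-02-15 1550218741 0 4 0 1 10 00 $PINNED_FPR"
# Constructed: file replaced, original signature left in place.
SAMPLE_REPLACED_FILE="[GNUPG:] BADSIG 0000111122223333 Example Signer"
# Constructed: file and signature both replaced, signed with another key.
SAMPLE_REPLACED_BOTH="[GNUPG:] GOODSIG 3333222211110000 Example Signer
[GNUPG:] VALIDSIG $OTHER_FPR 2019-02-15 1550218741 0 4 0 1 10 00 $OTHER_FPR"
```

The third sample is the case that only the pin catches: the signature is cryptographically good, but it was made by a key other than the one whose fingerprint was confirmed out of band.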