These questions are addressed to the Tails Team. Everyone is welcome to discuss, but I am particularly interested in the devs' opinions, so if you are a member of the Tails Team replying to these questions, please identify yourself as such.
These questions were originally posted in private support lists. First in [email protected] on 2016-02-24, but no reply of any kind was given. They were then posted in [email protected] on 2016-03-06, and no reply of any kind was given. Now I am using this public list on the assumption that my prior attempts simply did not reach any Tails Team members. Each time I edit the questions for clarity, but they remain essentially the same.

-------------------------------------------------------------------

Dear Tails team,

I really hope you will take time to think about my questions, since I cannot be the only one asking them. I am rather convinced that many of your users are wondering about these things as well.

I sincerely hope that nothing in this email will be perceived as offensive or disrespectful, and that includes my tone. Whatever comes next, I am personally grateful to you for your ongoing effort to build an operating system tailored to provide its users with elevated levels of privacy and security.

-------------------------------------------------------------------

What do you think are the chances that Tails distributes malware along with the Linux kernel?

Before you answer, please consider the following points.

Linux kernel contains megabytes of just the closed source network card firmware, which would not need any access to a main CPU in order to be effective spyware. It also contains many more megabytes of other firmware, and all of that code is actually capable of gaining the access to the main RAM and the main CPU via the DMA mechanism.

http://www.stewin.org/papers/dimvap15-stewin.pdf

Any closed source firmware distributor can insert spyware and/or backdoors at any time, virtually without consequences, do you agree?

The examples are many, so let's take one of the most recent ones, involving Juniper Networks. They basically declared themselves heroes after removing a backdoor, which they themselves were in the best position to insert. They faced no repercussions of legal nature.

In general, the "respected" software vendors can't get arrested in this town. Starting with SONY rootkit case, and to this day, the law enforcement seems to be just fine with computer crimes of absolutely any magnitude, as long as they are committed by large corporations, rather than individual basement-dwellers. The law enforcement is also openly warm towards the firms which are willing to work with them on making a panopticon society a reality by depriving all computer users of privacy and security.

In this legal climate, no "respected" network card manufacturer would get in trouble if malware was suddenly discovered inside a reverse-engineered blob, do you agree? Big firms have done so in the past, every single time. They could get away with any of the following excuses:

(1) We were compelled by law enforcement
(2) We were cracked by Russian/Jewish/Chinese/Iranian/... criminals
(3) We were sabotaged by an employee we are now unable to id
(4) It's a feature inserted in good faith, never meant to be abused

(The last one is my absolute favorite :)

At any rate, they would just issue a "fixed" blob, just like Juniper. Scary quotes because there would be no way to see whether a "fixed" blob contains malware. So here's another sub-question: in this hypothetical situation, and if the blob was OKayed by the Linux project, would you then redistribute the "fixed" blob too?

Of course, it is far more likely they'll never have to explain anything, as long as the malware is well designed.

So once again, the biggest question I have is: How would you quantify the chances of you currently redistributing malware, and more specifically spyware along with the Linux kernel?

-------------------------------------------------------------------

Here is a related question, Tails claims:

    Tails is a live system that aims to preserve your privacy and anonymity.

How is this claim compatible with distributing the absolute mystery code, which runs within users' network cards?

To be more specific, what is the point of supporting network interfaces and other peripherals, when each one of them offers an unprecedented attack surface, virtually rendering all of your privacy-related achievements worthless?

-------------------------------------------------------------------

My final barrage of questions concerns your claims about free software.

Your front page claims with really big letters:

    FREE SOFTWARE
    Tails is Free Software.

Your statements on a linked page seem to directly contradict each other:

    Tails is Free Software released under the GNU/GPL (version 3 or above).
    However, Tails includes non-free firmware in order to work on as much hardware as possible.

What do you mean by "free software"? It cannot possibly be what FSF calls "free software", or what OSI calls "open source software", since what you call "firmware" is software in every sense of the word, and you admit you distribute non-free firmware as a part of Tails.

Are you claiming that firmware is not software, even though it runs on users' CPU and RAM (albeit auxiliary ones)?

The first one of these statements, "Tails is Free Software...", links to an FSF page, implying that here you use the term "free software" in the same sense as they do, and yet FSF does not consider Tails to be free software, a fact you must be aware of:

[ http://www.gnu.org/distros/common-distros.en.html ]

How would you characterize your statement "Tails is Free Software"? An honest mistake, a defiant lie, or something else entirely?
