On Tue, Mar 22, 2016 at 3:10 AM, intrigeri <[email protected]> wrote:
> > I have a hard time
> > figuring out which of the following scenarios is taking place in
> > Tails dev forum:
> >
> > (1) You, the developers, never tried to quantify the risk of
> > having malware within Linux kernel firmware. Or maybe you tried,
> > and you concluded that you cannot put any number or a confidence
> > interval on it. Either way, you decided to go ahead with it, so
> > now you are distributing software which you either never
> > evaluated for privacy/security purposes, or which you concluded
> > was not possible to evaluate. And it's important to note,
> > evaluation of risk is so hard here because the software supplier
> > keeps the code obfuscated on purpose.
> >
> > (2) You concluded that the risk was very low: on par with having
> > backdoors inside free software, so nearly zero. This is
> > despite the fact that we have a long history of malware and
> > spyware distributed within blobs, a long history of legal
> > immunity of "legitimate" non-free software vendors, and a long
> > history of spyware being explicitly legal within operating
> > systems such as MS Windows, OS X, and commercial Android
> > deployments.
>
> I guess it's something from (1) and something from (2).
>
> I'm curious about your references wrt. backdoors in device firmware
> (e.g. shipped with Linux).

Like I said before, I am not here to argue. But for what it's worth, I am yet more puzzled by your request for references. First of all, I am not claiming Linux firmware has anything in particular. I could provide references for malware found within other blobs, which is what I was alluding to, but I am sure you could locate those easily yourself.

I personally do believe there is a very high (nearly 1.0) probability of malware being inside the Linux kernel. To substantiate this claim, I would not need a smoking gun, because I am making a probabilistic claim having to do with the intentions of the parties that keep the source code closed and make the audit impossible. All I need to argue my point is the preponderance of circumstantial and historical evidence, which I think we have.

But you, the developers, you go around the world claiming that Tails OS is suitable for private communications. In order to substantiate this claim, you must furnish at least some evidence that the code you distribute is benign. You claim Tails does not spy on users, yes or no? Where are your references for that? For the free portion of Tails, you can refer your users to the source code. Where are your references for the non-free portion, starting with the network card firmware?

These are rhetorical questions, of course, because we all know you got nothing for evidence. And I completely understand your very reasonable answer above, which I will paraphrase with your permission: to the extent that you explored this issue, you have concluded that the probability of spyware hiding within the Linux kernel is very close to zero. You haven't given me any supporting arguments. That is, I am at a loss when I try to figure out why you tend to believe the claims of the companies involved. After all, spying on users is both very profitable and very legal, and lying about it is very safe, since it's hard to get caught, and even then there are no repercussions.

But in the end, I am completely satisfied with the way this discussion went. All I wanted was to see what is going through your heads, and I got it. As for the claims you are making and the lack of support for those claims, that's between you and your users. I just wish more developers pitched in and offered their opinions.

Thank you once again, keep up the good work, and no hard feelings :)

_______________________________________________
tails-support mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-support
To unsubscribe from this list, send an empty email to [email protected].
