This might seem a little bit naive but a big part of Tails use cases
need internet connectivity. Now if we start with the premise that there
IS malware in a blob (this is a hypothesis expressed for the sake of
the argument) this malware, to do anything useful, should satisfy some
properties:

- to be able to identify itself and the machine on which it runs, MAC,
  and geographical location or at least provide a way to find out its
  current IP address
- to be able to retrieve data
- to be able to communicate with its creators.

Now barring a physical access scenario where opfor just walks in, this is
going to take place over the wire.
I would think that with the amount of network debugging and packet
sniffing taking place around Tails (to identify leaks and for
configuration purposes) a strange packet would be quickly detected.

The Juniper example you gave is, iirc, about a backdoored RNG that would
allow easy cracking of VPN encryption. It's not quite the same thing, is
it? Now even if said malware were to completely compromise the operating
system it still would need to communicate about what it found.

Just my 2 cents.

On 25/03/16 19:53, john smith wrote:
> On Fri, Mar 25, 2016 at 10:25 AM, intrigeri <[email protected]> wrote:
> 
>> john smith wrote (25 Mar 2016 16:25:28 GMT) :
>>> And I completely understand your
>>> very reasonable answer above, which I will paraphrase with your
>>> permission: to the extent that you explored this issue, you have
>>> concluded that the probability of spyware hiding within the Linux
>>> kernel is very close to zero.
>>
>> No, I have not said any such thing. This is not paraphrasing.
>>
>> I'm giving up this discussion at this point.
>>
> 
> The last thing I want to do is to put words in your mouth.
> I am just trying to understand what you are saying, but your
> responses are so glib, I have a hard time, and so I had to
> ask you for a clarification, by paraphrasing them.
> 
> I am referring to your response to my query:
> 
>>> I have a hard time figuring out which of the following scenarios
>>> is taking place in Tails dev forum:
>>>
>>> (1) You, the developers, never tried to quantify the risk of
>>> having malware within Linux kernel firmware. Or maybe you
>>> tried, and you concluded that you cannot put any number or a
>>> confidence interval on it. Either way, you decided to go ahead
>>> with it, so now you are distributing software which you either
>>> never evaluated for privacy/security purposes, or which you
>>> concluded was not possible to evaluate. And it's important to
>>> note, evaluation of risk is so hard here because the software
>>> supplier keeps the code obfuscated on purpose.
>>>
>>> (2) You concluded that the risk was very low: on par with
>>> having backdoors inside free software, so nearly zero. This is
>>> despite the fact that we have a long history of malware and
>>> spyware distributed within blobs, a long history of legal
>>> immunity of "legitimate" non-free software vendors, and a long
>>> history of spyware being explicitly legal within operating
>>> systems such as MS Windows, OS X, and commercial Android
>>> deployments.
> 
>> I guess it's something from (1) and something from (2).
> 
> There is only one thing in (2): you concluded the risk of spyware
> included in Tails was very low. There is only one thing in (1): you
> didn't conclude anything about the risk, either because you haven't
> tried or because you tried and gave up. So I stand by my (failed)
> attempt to paraphrase your very evasive, noncommittal statement:
> you haven't really attempted to quantify the risk much (something
> from 1), but to the extent that you did, you've concluded it was
> almost nonexistent (something from 2).
> 
> I do however believe you really mean what you say, so I won't
> pretend you told me anything, if now you say you didn't. I did my best
> to make my queries clear, and I really tried to understand what your
> replies meant, but after all that it looks like you are leaving me with
> absolutely nothing specific, and refuse to discuss the issue any
> further. Please note once more, I am not making claims, I am not
> making arguments, I am only asking you (developers) a very simple
> question regarding your methodology in making Tails suitable
> for privacy applications, and no matter how hard I try, I can't seem
> to get any meaningful answers out of you all. Nada. The one answer
> I thought I understood (the one above), turns out I didn't.
> 
> But don't think twice, it's alright, and thanks once again.
> _______________________________________________
> tails-support mailing list
> [email protected]
> https://mailman.boum.org/listinfo/tails-support
> To unsubscribe from this list, send an empty email to 
> [email protected].
> 