On Wed, Jun 19, 2013 at 10:44:12PM -0400, Greg wrote:
> Does anyone think that debian could participate in any programs like
> PRISM? Or could a lone (or group of) sympathetic DD or DM slip a
> backdoor or something that could collect private info in the binary
> packages distributed by debian?

There was an interesting post on this the other day on the liberationtech mailing list by Mike Perry from the Tor Project:

Deterministic builds and software trust
https://mailman.stanford.edu/pipermail/liberationtech/2013-June/009257.html

To quote:

> For the past several years, we've been seeing a steady increase in the
> weaponization, stockpiling, and the use of exploits by multiple
> governments, and by multiple *areas* of multiple governments. This
> includes weaponized exploits specifically designed to "bridge the air
> gap", by attacking software/hardware USB stacks, disconnected Bluetooth
> interfaces, disconnected Wifi interfaces, etc. Even if these exploits
> themselves don't leak (ha!), the fact that they are known to exist means
> that other parties can begin looking for them.
>
> In this brave new world, without the benefit of anonymity to protect
> oneself from such targeted attacks, I don't believe it is possible to
> keep a software-based GPG key secure anymore, nor do I believe it is
> possible to keep even an offline build machine secure from malware
> injection anymore, especially against the types of adversaries that Tor
> has to contend with.
>
> This means that software development has to evolve beyond the simple
> models of "Trust my gpg-signed apt archive from my trusted build
> machine", or even projects like Debian are going to end up distributing
> state-sponsored malware in short order.
>
> This is where deterministic builds come in...

He goes on to explain what "deterministic builds" are, how Tor has started using them, and how hopefully Linux distros will as well.

Also related, Bruce Schneier just wrote an interesting piece on weaponized exploits, on how the NSA is planting logic bombs and backdoors in machines and routers around the world:

Has U.S. started an Internet war?
www.cnn.com/2013/06/18/opinion/schneier-cyberwar-policy

Archive: http://lists.debian.org/20130620073240.GA29135@tuzo
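As an added illustration of the property the quoted post relies on (this is example code, not part of the thread and not Tor's or Debian's build tooling): two independent builders can only be compared when the build is deterministic, and once it is, a package altered on any one build machine shows up as a digest mismatch. The toy "package" is a zip built from constructed sources using only the Python standard library; the `SOURCE_DATE_EPOCH` value is a made-up commit time.

```python
import hashlib
import io
import time
import zipfile

# Constructed toy "source tree"; stands in for a real package's inputs.
SOURCE = {"hello.py": b"print('hello')\n", "README": b"toy package\n"}


def naive_build(source, build_time):
    """Packs the sources but stamps every entry with the wall-clock build
    time, so two honest builders never produce byte-identical output and
    their results cannot be cross-checked."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        stamp = time.gmtime(build_time)[:6]
        for name, data in source.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()


def deterministic_build(source, source_date_epoch):
    """Same package, with every varying input pinned: sorted entry order,
    timestamps taken from SOURCE_DATE_EPOCH, constant permission bits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        stamp = time.gmtime(source_date_epoch)[:6]
        for name in sorted(source):
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.external_attr = 0o644 << 16  # fixed unix mode, not umask
            zf.writestr(info, source[name])
    return buf.getvalue()


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def cross_check(reference, others):
    """Verifier's rule: accept a binary only when every independent builder
    reports the same digest. Returns the names of disagreeing builders."""
    return [name for name, h in others.items() if h != reference]


if __name__ == "__main__":
    epoch = 1371630000  # constructed SOURCE_DATE_EPOCH for the toy sources
    honest_a = digest(deterministic_build(SOURCE, epoch))
    honest_b = digest(deterministic_build(SOURCE, epoch))
    tampered = dict(SOURCE, **{"hello.py": SOURCE["hello.py"] + b"# injected change\n"})
    rogue = digest(deterministic_build(tampered, epoch))
    print("honest builders agree:", honest_a == honest_b)
    print("disagreeing builders:", cross_check(honest_a, {"b": honest_b, "rogue": rogue}))
```

Running it shows the two honest builders agreeing and only the builder that altered `hello.py` being flagged; the same sources passed through `naive_build` at two different times give two different digests, which is why a timestamp alone defeats this kind of verification.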