dguth...@posteo.net wrote:
Tails concerns itself with offensive attacks against Tor browser and making programs use Tor safely; its threat model does not concern (what would have to be quite advanced) attacks from the firmware.
Software can be conveyed through Tor which would leverage an insecurity in the firmware or insecurity in the non-free software that comes with Tails. This is not Tor's fault; Tor's job is not to filter out what data one gets via a network. One such means of acquiring and running malware is Javascript, another are add-ons many people use when browsing the web.
Thus non-free software in Tails (be it firmware, drivers, or anything else) is asking the user to blindly accept that Tails is safe. If Tails is a GNU/Linux system, Tails hackers should look into using the GNU Linux-libre kernel which is purposefully deblobbed of non-free software. Tails won't run on as many computers as it does now, but for those it does run users will be able to say they are using a kernel they may completely run, inspect, share, and modify. This strikes me as a big step toward increasing the security of Tails, which I'd imagine is something that ought to interest them because (as I understand it) one of Tails' goals is to supply an OS users can use to preserve their privacy.
(Furthermore, free software firmware can be buggy too, it should be noted, which is crucial in the case of wireless cards. Even the cards with free loadable wireless firmware still handle 802.11n frames with proprietary embedded firmware, on a DSP most likely. Handling those frames doesn't come out of thin air.).
The issue here has nothing to do with what software is buggy and not; all complex software has bugs. The issue has to do with what freedom the user has to run, inspect, share, and modify the software they use. Non-free software can't be fixed by the user regardless of how technically minded the user is or if the user hires out the code hacking work to someone they trust.
_______________________________________________ Discussion mailing list Discussion@lists.fsfe.org https://lists.fsfe.org/mailman/listinfo/discussion
